New whitepaper: A Guide to Cybersecurity Certifications in the UK 2023 edition


The journey to cybersecurity compliance isn’t easy. You might start with the basics of Cyber Essentials certification and progress to the challenge of ISO 27001. It takes effort to get certified, but if you put in the work you’ll reap the benefits. You could enjoy:

  • Greater trust from customers and suppliers
  • The chance to bid for government contracts (many UK government contracts require Cyber Essentials)
  • Better protection against the most common cyberattacks
  • Support for your GDPR obligations (certification is evidence of appropriate technical and organisational measures, not GDPR compliance in itself)

Two of the biggest challenges facing businesses are knowing where to get started and how to build knowledge, but you don’t have to navigate cybersecurity alone. We’ve put together this new, updated guide as your one-stop shop for the three most common UK cybersecurity certifications. 

What’s covered?

In this guide, we outline how to choose the right certification for your business, how to get certified, and where to go for support. 

  • Cyber Essentials
    • With information on recent updates
  • Cyber Essentials Plus
  • ISO 27001
  • How to make compliance easy
    • Advice on getting started
  • Where to find support

So, if you’re unsure about whether your business needs a cybersecurity certification or which one is right for you, start by downloading our guide. It’s free and includes everything you need to know to make a decision.


5 cyber insurance challenges for small businesses


Small business, smaller risk of a cyberattack? Not quite.

Small businesses are still susceptible to cybersecurity threats. Whether your business consists of a single person or a number of employees, you must be protected. 

One in five small firms say they’ve experienced a cyberattack at one point. And many don’t think they have the finances or time to set up security precautions – or in some cases – don’t realise the need to. But it doesn’t have to be this way. 

There are a few simple steps you can take to remain protected. And they could make you eligible for all-important cyber insurance cover.

Why do you need cyber insurance?

Many sophisticated cyber threats exist today. Phishing, malware, ransomware, hacking; the list could go on. Having cyber insurance in your business will help you recover faster if an incident occurs. If your business deals with sensitive customer data, does a lot of business over the internet or doesn’t have coverage from any external cybersecurity providers, cyber insurance is worth investigating.

Cyber insurance includes coverage for damage or loss of information from IT systems and networks. This includes both first-party and third-party risks, depending on your insurance plan.

  • First-party risks: This includes anything that could impact your business assets. For example, a cyber-attack on your software or theft of digital assets.
  • Third-party risks: This covers the assets of others, like your customers. For example, security and privacy breaches of customer data.

For a small business, cybersecurity insurance is pivotal for protecting you in worst-case scenarios. So, how can a small business obtain cybersecurity insurance?

Not sure where to start with cyber insurance? Check out our guide for everything you need to know.

How to overcome cyber insurance challenges as a small business

Just like any other type of insurance, you need to meet your providers’ criteria. 

Every cybersecurity insurance provider will have its own process, but the typical route to qualify will range from a simple questionnaire to a detailed analysis of your cybersecurity environment by your insurer.

Meeting basic cybersecurity standards will make your small business significantly more likely to qualify. 

Here’s what you can do:

1. Keep software up-to-date and protected

Running up-to-date anti-malware protection on every device is a basic defence against common threats, and patching all your software promptly keeps your systems in line with each vendor’s latest security fixes. As a benchmark, Cyber Essentials expects updates that fix critical or high-risk vulnerabilities to be applied within 14 days of release.

Taking these basic measures makes your business look far more trustworthy to insurers.

2. Protect your network with a firewall

A firewall is a network security system that monitors and controls the traffic flowing into and out of your network. It allows or blocks each connection according to predetermined rules, and anything that no rule explicitly permits should be dropped by default. That creates an effective barrier between your network and any ‘untrusted’ network, above all the internet, which is where most threats come from. For a small business this usually means the firewall in your router at the boundary plus the software firewall built into each laptop, especially for staff working from home.

By implementing one, you show insurers that you’ve reduced the chance of a threat reaching your systems.
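To make the ‘predetermined rules’ idea concrete, here is an added worked example (not code from the original post, and not any particular product) of how a default-deny firewall evaluates traffic. The office address range, the rule set and the five sample connection attempts are all constructed for illustration:

```python
"""Toy packet filter: ordered allow/deny rules for inbound and outbound
traffic with an implicit deny at the end. Constructed example; the
office range, the policy and the sample connections are invented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str               # "in" (from the internet) or "out" (to it)
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination address must fall in
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None = any port

    def matches(self, direction: str, src: str, dst: str,
                proto: str, dport: int) -> bool:
        return (self.direction == direction
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


class Firewall:
    """First matching rule wins; a connection no rule matches is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.log: List[Tuple] = []

    def check(self, direction: str, src: str, dst: str,
              proto: str, dport: int) -> str:
        verdict = "deny"  # default-deny: no rule, no traffic
        for rule in self.rules:
            if rule.matches(direction, src, dst, proto, dport):
                verdict = rule.action
                break
        self.log.append((direction, src, dst, proto, dport, verdict))
        return verdict


OFFICE_LAN = "192.168.1.0/24"  # assumed office address range

# A minimal small-office policy: staff may browse, resolve DNS and sync
# mail; nothing on the internet may initiate a connection to the LAN
# except the office VPN endpoint; RDP is never exposed. Order matters:
# the RDP block sits above anything that could allow inbound traffic.
POLICY = [
    Rule("in",  "deny",  dst=OFFICE_LAN,        proto="tcp", dport=3389),
    Rule("in",  "allow", dst="192.168.1.10/32", proto="udp", dport=1194),
    Rule("out", "allow", src=OFFICE_LAN,        proto="tcp", dport=443),
    Rule("out", "allow", src=OFFICE_LAN,        proto="tcp", dport=80),
    Rule("out", "allow", src=OFFICE_LAN,        proto="udp", dport=53),
    Rule("out", "allow", src=OFFICE_LAN,        proto="tcp", dport=993),
]

# Constructed connection attempts: (direction, src, dst, proto, dport)
SAMPLE_TRAFFIC = [
    ("out", "192.168.1.23", "142.250.187.206", "tcp", 443),   # web browsing
    ("in",  "203.0.113.7",  "192.168.1.15",    "tcp", 3389),  # RDP scan
    ("in",  "203.0.113.7",  "192.168.1.10",    "udp", 1194),  # remote worker VPN
    ("out", "192.168.1.23", "198.51.100.9",    "tcp", 4444),  # reverse-shell attempt
    ("in",  "198.51.100.9", "192.168.1.23",    "tcp", 445),   # SMB from the internet
]


def evaluate(fw: Firewall, traffic) -> List[str]:
    """Run every sample connection through the firewall; returns verdicts."""
    return [fw.check(*conn) for conn in traffic]


if __name__ == "__main__":
    firewall = Firewall(POLICY)
    for conn, verdict in zip(SAMPLE_TRAFFIC, evaluate(firewall, SAMPLE_TRAFFIC)):
        print(f"{verdict:5} {conn}")
```

Two things to take from it: rule order matters (the RDP block is evaluated before anything that might allow inbound traffic), and anything you haven’t explicitly allowed is dropped, so the outbound connection on port 4444 and the inbound SMB attempt never get through. On a real device the same policy is written into your router’s firewall configuration or the built-in Windows or macOS firewall rather than in Python.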

3. Implement regular security checks

Not every small business owner is expected to understand the ins and outs of cybersecurity. Instead, smart cybersecurity software can help you manage regular security checks and provide monitoring, 24/7. 

The best software can also act as an educational tool – providing greater awareness about cybersecurity training opportunities, policies you can implement, and giving your people more control of their own cybersecurity. This shows insurers that you’re taking a proactive approach to cybersecurity.

4. Regularly back up your data

Insurers want you to minimise the risk of data loss, because it’s costly and damages your reputation.

Back your data up to external media or a secure cloud service, keep at least one copy offline or otherwise out of reach of an attacker who has got into your network (ransomware deliberately goes after any backups it can reach), and test that you can actually restore from it. Bear in mind that data you hold about customers and partners (third-party data) may carry handling and retention obligations that your own records don’t, so the two need managing and storing differently.

5. Manage user access rights and permissions

User access rights are an important part of staying secure. You want to make sure only the right people have access to sensitive data, without impacting anyone’s ability to do their actual job. 

In a business, enforcing a ‘least privilege’ policy is the usual way of managing access rights. Under it, users, service accounts and processes get only the minimum level of access or permissions needed to do their jobs, and nothing more. Access to a given type of data is granted only to those who need it, administrator rights are kept separate from everyday accounts, and permissions are reviewed whenever someone changes role or leaves.

This creates a safer environment for your data and limits the damage an employee can do by accident or a compromised account can do on purpose, which reduces the risk for insurers.

Improve your cyber hygiene to get cyber insurance

‘Cyber hygiene’ is the steps your business can take to protect itself from cyberattacks, like the list above. 

It’s like the practice of washing your hands – but for cybersecurity. Cyber insurance providers look for businesses with good cyber hygiene practices in place, as you’re less likely to be impacted by cyber threats. 

Alongside the list above, a cybersecurity certification is also a good way to overcome cyber insurance challenges and improve your cyber hygiene. Cyber Essentials, the UK government-backed scheme, covers exactly the kind of baseline controls insurers ask about in their questionnaires, which makes it a sensible starting point for small businesses looking for an industry-standard level of protection.


The 7 biggest challenges of ISO 27001 certification

It takes months of hard work to meet the rigorous standards outlined by ISO 27001. But if you think it’s the right move for your business, then these are the challenges you should be aware of before starting your journey.

What is ISO 27001?

ISO 27001 is an international information security standard, published jointly by the International Organization for Standardization and the International Electrotechnical Commission. It first appeared in 2005, was revised in 2013 (the edition most of this post refers to), and was revised again in October 2022.

The 2013 edition contains ten numbered clauses (clauses 4 to 10 set the mandatory management-system requirements) and 114 information security controls in Annex A; the 2022 edition restructures Annex A into 93 controls. Together these give businesses impartial, best-practice guidance on building, deploying, and maintaining a robust information security management system (ISMS). ISO 27001 covers all key areas of your business, including people, processes, and tools.

ISO 27001 is more comprehensive than similar security certifications, like Cyber Essentials. It isn’t mandatory for UK SMEs, but there are several benefits:

The benefits of ISO 27001 certification

  • Protect your business and customers from cybersecurity threats
  • Reassure customers
  • Enhance your reputation
  • Avoid the financial penalties associated with data breaches

Want to protect your business but unsure where to start? Check out our free guide to cybersecurity certifications in the UK.

7 Common challenges of ISO 27001 certification

1. Understanding the guidelines

ISO 27001 is complex. Annex A of the 2013 edition alone contains 114 controls (93 in the 2022 edition), covering everything from information security policies to incident management and business continuity. It’s a lot to take in and leaves many businesses asking: “where do I start?”

2. Building a security framework

Before embarking on ISO 27001 certification, you should have a robust information security framework in place. This outlines your cybersecurity policies, as well as the processes and tools you use to protect sensitive data from potential threats. It also explains what to do in the event of a security breach.

Auditors assess cybersecurity risks against this framework. If you don’t have one, you’ll have to build it from scratch. This is a significant undertaking and can set your project back by several months.

3. Identifying security gaps

What does your current information security ecosystem look like? It’s a simple question, but unless you review your processes, policies, and tools regularly, it’s difficult to get the complete picture you need to spot potential blind spots in your defences.

This is problematic for two reasons:

  1. It’s difficult to see where you should focus your efforts
  2. You might waste time on unnecessary tasks

You wouldn’t be the first business to spend days writing a new bring-your-own-device policy, only to discover you already have one hidden in a rarely used SharePoint folder. A comprehensive gap analysis can provide you with the information you need. But it requires the cooperation and support of every department to make sure nothing falls through the cracks.

4. Establishing responsibilities and ownership

You might think the ISO 27001 certification process is the sole responsibility of the IT department. But that’s not always the case.

ISO 27001 isn’t only about anti-virus software and data protection. It ranges from helping individual team members understand their responsibilities, through physical security controls, to managing supplier risk and legal compliance.

The COO, operations teams, and HR all have a role to play in helping you achieve ISO 27001 certification.

5. Getting stakeholder buy-in

ISO 27001 certification is a long, intensive, and expensive process. You’ll have to put up with plenty of disruption along the way, and this can be a deal-breaker for some stakeholders. If your business has always worked in a certain way – and succeeded – stakeholders might justifiably ask: “is ISO 27001 worth the hassle?”

Many SMEs wrongly assume that they’re too small to be targeted by hackers, but that simply isn’t the case. 39% of UK businesses reported cyber breaches in 2021 and data suggests they’re on the rise.

You can overcome these objections by building a business case that outlines the value of ISO 27001 certification. This includes the benefits of ISO certification, such as stronger information security processes and enhancing your reputation.

6. Having no project plan

Attempting ISO 27001 certification without a plan is like trying to hit a bullseye while wearing a blindfold. You’ll hit the target eventually, but it’ll take longer and require considerably more effort.

ISO 27001 is a complex and time-consuming process. Successful ISO 27001 certification is a business-wide effort, and that means you need a project roadmap to:

  • Split the project into smaller, more manageable steps
  • Provide clear timelines for delivery
  • Ensure everyone’s on the same page

7. Implementing the project

One of the biggest challenges of ISO 27001 certification is implementing the project. SMEs typically lack the internal skills and knowledge to make the changes the standard requires.

The key to a successful implementation is to give internal teams the relevant security training so they can make the changes with confidence. Alternatively, you could bring in a third-party consultant to check you’re moving in the right direction. Bear in mind that the certification body that audits you must stay independent of your implementation, so your consultant and your auditor should not be the same organisation.

Is ISO 27001 right for my business?

It depends. Most businesses that embark on ISO 27001 certification are enterprises that have an information security framework in place and are ready to add another layer of protection. They also have the resources to implement the required changes.

For most UK SMEs, ISO 27001 is a nice-to-have rather than a necessity. Cyber Essentials and Cyber Essentials Plus cover the baseline controls that defend your business against the most common threats, like phishing scams and everyday human error.

We certainly wouldn’t recommend attempting ISO 27001 until you’ve completed Cyber Essentials at the very least. Cyber Essentials certification isn’t a prerequisite for ISO 27001, but starting with ISO is like trying to run before you can walk.

Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.


How to achieve Cyber Essentials certification when your business works remotely

If your business has employees who are hybrid or remote workers, you need to ensure their devices are secure and meet the requirements of Cyber Essentials. Cyber Essentials is the UK government-backed scheme that sets out the basic controls organisations need to stay safe from common cybersecurity threats, and its requirements continue to be updated. Here’s how to make sure you’re covered when working remotely.

What are the steps to achieve Cyber Essentials certification remotely?

  1. Make sure your employee networks meet Cyber Essentials requirements
  2. List the equipment that each remote employee is using
  3. Check software and licenses are up to date

What is a network?

For the purposes of Cyber Essentials, your ‘network’ is simply the set of devices linked together (usually through a router) so they can share resources, exchange files, or communicate with one another.

For example, think of your office printer. Rather than setting up a single printer for every employee, you’ll have a single printer that everyone can use (and you’ll argue over whose turn it is to change the toner). This is the perfect example of a network.

What does a network look like in practice?

Most offices and workplaces use a Local Area Network (LAN). A LAN is usually confined to a small geographic area, say an office in Bow or a warehouse in Bolton. A LAN allows every device within the network to use a single internet connection, share files, and access or control other devices. 

It’s possible to connect everything from printers and phones to smart TVs, speakers, and security cameras. You can even connect the office fridge. 

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

How to get Cyber Essentials certified when working remotely

1. Check employee networks meet Cyber Essentials requirements

We’ve just gone through what a network is. However, with remote working, networks might look a little different. 

Any device connected to a router forms part of a network, so with multiple remote workers you’ll have multiple home networks to think about.

For each of them, make sure the basics are in place. Ask every employee to change the default administrator password on their home router, and check that the software firewall on the laptop or desktop they use for work is switched on: Cyber Essentials expects a firewall between each device and the internet, and for home workers that is usually the firewall built into the device itself.

2. List your remote employee equipment 

Question A2.8 of the Cyber Essentials assessment will require you to list all of your network equipment. But don’t worry, it’s pretty simple.

All you need to do is list the equipment each employee is using, as if you were in the office. 

What might this look like in practice? Let’s imagine a company with ten staff working from home. An equipment list will look something like this:

  • 2 x Sky broadband with Sky router
  • 6 x BT broadband with BT hub router
  • 1 x TalkTalk broadband with TalkTalk router
  • 1 x Virgin Media broadband with Virgin Media router

3. Check software and licenses are up to date

Any devices that home workers use to access organisation information should be covered by Cyber Essentials. And the software and licenses you use should be too. 

Make sure that software and licenses are:

  • Up to date, licensed, and supported
  • Removed from devices when they become unsupported
  • Set to update automatically where possible

But what about other elements of the Cyber Essentials assessment process? Fortunately, as the entire assessment can be conducted remotely, you can complete the process no matter where your staff are working from. 

Hopefully, we’ve cleared up most of the confusion surrounding networks and Cyber Essentials. However, if you have any further questions, please don’t hesitate to get in touch with our team. 

And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.


7 key takeaways from the DCMS Cybersecurity Breaches Survey 2022

Each year, the Department for Digital, Culture, Media and Sport (DCMS) releases its Cyber Security Breaches Survey. It’s fast become one of the most influential cybersecurity reports around, informing government policy and the National Cyber Strategy.

The Cybersecurity Breaches Survey covers everything from threats to the processes businesses use to protect themselves and takes in everything from schools to start-ups. However, it’s also a very long report, with lots of tables, graphs and references – not something that’s easily digestible during your lunch hour.

So, to save you the trouble, we’ve pulled together the key takeaways for SMEs.

1. The number of cyberattacks stays stable

It’s no secret that during the first year of the COVID-19 pandemic the number of attacks on UK businesses skyrocketed. DCMS figures from 2020 show that 46% of UK businesses reported a cyberattack, up from 32% the previous year.

However, the number declined in 2021 to 39% and it’s stayed stable at the same figure this year. That might sound like great news, but there are some caveats. First of all, 39% is still too many; that’s more than a third of all UK businesses being attacked in any given year.

On top of this, there’s a chance that the figures, while accurate, don’t tell the whole story. As the report states, the better your cyber defences, the more likely you are to detect and report an attack. This suggests that smaller organisations and those with less sophisticated defences might be underreporting attacks.

2. Phishing remains the most common type of attack 

One of the most important findings of the Cybersecurity Breaches Survey is just how common social engineering attacks, particularly phishing scams, have become. Of the organisations that identified an attack or breach in the previous 12 months, 83% said phishing was involved. Impersonation-style social engineering came next, some way behind, at 67%.

What does this tell us?

Well, it tells us that cybercriminals have hit upon a formula that works for targeting businesses big and small. But that’s not all. It also teaches us that security training for staff has never been more important. With most cybercriminals using some form of social engineering attack, your people need to be able to spot the signs and recognise threats when they see them.

3. Few businesses are taking the supply-chain threat seriously

We’ve covered the risk posed by supply chains at length (if you haven’t already, read our earlier post on it). Some industry research suggests that up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to hit a high-profile business, you don’t need to attack the organisation itself.

Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult. However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it.

Despite this, only 13% of businesses assessed the risks posed by their immediate suppliers. In fact, few considered cybersecurity an important factor in the procurement process. 

4. Getting hacked costs a lot

This might not come as surprise but a successful cyber breach can really hit your business in the pocket. The average cost of a breach across businesses of all sizes is £4,200, with a figure of £3,080 for SMEs. The news is even worse if you’re a medium or large-sized business. The average figure for firms of this size stands at an eye-watering £19,400.


It’s worth noting that only one in five businesses suffer any negative consequences as a result of a breach. But, with 31% of businesses reporting that they’re attacked at least once a week, the chances of ending up in that one in five are high.

5. Most small businesses don’t have a cybersecurity strategy

To be clear, the lack of a formal cybersecurity policy isn’t just a problem for small businesses; just 23% of all businesses have one. Nevertheless, the trend is much more severe among smaller businesses. While 57% of large firms have a formal strategy, just 20% of micro firms and 37% of small firms have one.

And it’s not just an overarching strategy that’s missing. Most businesses don’t have a clear plan in place for what to do if the worst happens. Just 19% of businesses surveyed said they had a formal incident response plan. 

This makes for worrying reading. It suggests that, in those crucial first few minutes and hours after an incident, too many businesses aren’t dealing with the threat in an organised way, handing a huge advantage to the bad guys. 

6. Ransomware confusion reigns

One of the worst questions any business has to answer is what to do in the event of a successful ransomware attack. Do you pay out? Or do you play hardball with the ransomers?

Although it’s a tricky question, it’s crucial to have a policy one way or another. However, one in five businesses (19%) stated they weren’t sure what they would do. On top of this, many small businesses still believe that ransomware isn’t a threat, either because they are ‘too small’ or have ‘nothing of value’ to steal.

7. Cyber Essentials uptake is still low

Unless this is your first CyberSmart blog, you’ll know we talk about Cyber Essentials certification constantly. It’s the single most important thing a small business can do to improve its cybersecurity.

But, unfortunately, the uptake of Cyber Essentials is still very low. Only 6% of businesses have the Cyber Essentials certification and just 1% have Cyber Essentials Plus. Unfortunately, this is likely a problem of awareness. Although every business could benefit from taking the certification, too few are aware of its existence. This needs to change, and fast.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cybersecurity.


What is multi-factor authentication?


When you sign in to an online account, you’re asked to prove your identity (a process we call authentication in the cyber world). Usually, you’ll do so via a username and password. The trouble is, it’s not a very safe way to do it. Usernames can be guessed and many of us use the same, simple passwords for everything.  

So it’s been clear for some time we need something better. Enter Multi-factor authentication (MFA). But what is it? And why should you use it?

What is multi-factor authentication?

MFA is an authentication method that requires two or more independent proofs of identity before you can sign in to an application. Instead of just a username and password, MFA adds a second factor of a different kind: a one-time code from an authenticator app or sent by SMS, a fingerprint, or a hardware security key. A second piece of memorable information is still ‘something you know’, so on its own it doesn’t count as an extra factor.

You’ve probably already experienced this if you’ve used online banking or signed into a Google account recently. In fact, it’s well on the way to being commonplace for most applications.

The idea behind MFA is very simple. The more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and maybe some cameras for good measure to keep the bad guys out. 

Why does your business need it?

Again, the why is delightfully simple. Using MFA dramatically reduces the chances of a successful cyberattack on your business.

Passwords are vulnerable to brute-force and password-spraying attacks, and they are stolen by phishing and leaked in breaches every day. With MFA, a stolen password alone is not enough to get in. One caveat: a one-time code can still be phished if a convincing fake login page relays it to the real site within the minute or so it stays valid, so for accounts that really matter, prefer an authenticator app over SMS codes and, better still, a hardware security key or passkey that only works on the genuine site.

On top of the obvious security benefits, you’ll also need some form of MFA to complete Cyber Essentials certification. Under the requirements introduced in January 2022, MFA should always be used for accounts that connect to cloud services, wherever the service supports it.

What types of multi-factor authentication are there? 

Broadly speaking, there are three categories of authentication factor, and MFA combines at least two of them:

  • Something you know, such as a password, security question, or PIN
  • Something you have, such as a smartphone running an authenticator app (this is where one-time codes come in) or a hardware security key
  • Something you are, such as biometrics like a fingerprint or face recognition

2FA or MFA? 

At this point, you could be forgiven for wondering whether MFA is overkill. After all, you probably already use two-factor authentication (2FA) for things like your business banking or office suite (Microsoft 365 or Google Workspace). Do you need more factors?

2FA is simply MFA with exactly two factors, and it is already far safer than a password alone. Adding a third factor rarely pays for the friction it creates; what makes the bigger difference is the strength of the factors you choose. A code sent by SMS can be intercepted or phished, an authenticator-app code is better, and a hardware security key or passkey is the strongest option because it only works on the genuine site. The harder you make it for cybercriminals to breach your business, the less likely they are to succeed, so put the strongest factor you can on the accounts that matter most first: administrator accounts, email, and anything that can move money.

Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do? CyberSmart Active Protect secures your business around the clock with no need for costly consultants, tools or an in-house team. Try it today.


Everything you need to know about the Cyber Essentials price change


From Monday 24th January, the price of Cyber Essentials is changing. Here’s everything you need to know about what it means for your business.

What’s changing? 

For the first time since its creation seven years ago, the National Cyber Security Centre (NCSC) and certification body IASME have announced changes to the price of Cyber Essentials certification.

The change, which goes through on Monday 24th January 2022, includes several additions to the Cyber Essentials question set.

Why is the price of Cyber Essentials increasing? 

The world has changed dramatically since Cyber Essentials was launched seven years ago. Cloud services are now widely used, digital transformation has really taken hold and, of course, many of us are now doing some form of remote or hybrid working.

So, to help businesses better tackle these challenges, IASME and the NCSC have updated the requirements of Cyber Essentials certification. The update includes new requirements for:

  • Cloud services
  • Multi-factor authentication
  • Password management 
  • Security updates
  • Working from home

We’ve outlined all of the most important changes below.

[Images: Cyber Essentials Price Change; Cyber Essentials Price Change 2]

These changes add an extra layer of complexity to certification, particularly for larger organisations. And the new pricing reflects the rigour involved in assessing bigger businesses.

What does this mean for you? 

First, it’s important to state that Cyber Essentials remains one of the best-value things a business can do to improve its cybersecurity. In fact, with the inclusion of the new requirements, Cyber Essentials offers better protection to SMEs than ever before.

In other words, the new look Cyber Essentials gives you more for your money while still remaining affordable for any business.

How is CyberSmart approaching the changes?

Up until 7th March 2022, we will continue to offer Cyber Essentials to all our customers and partners for the same price as before.

In other news, after listening to feedback from our customers,  we’re also launching our new CyberSmart bundles, containing the CyberSmart Dashboard, CyberSmart Active Protect and Cyber Essentials certification in one neat package.

These bundles contain everything your business needs to improve its cybersecurity and stay secure long after certification. To find out more, please get in touch at hello@cybersmart.co.uk or click here.


What is a social engineering attack?

We all know what a classic cyberattack looks like. It usually involves hackers with a high level of technical expertise and some form of malicious software, like ransomware. 

However, cybercriminals don’t always use the latest malware and cyberattacks don’t have to be highly technologically advanced. There’s a whole other class of threats that harness the most powerful weapon of all – our brains.

These cyberattacks are known as social engineering attacks. But how do they work? And how can your business protect itself? 

What is social engineering? 

The term social engineering covers a broad range of malicious activities. What ties them together is that they all use human interactions to achieve their sinister ends. Broadly speaking, all social engineering attacks use psychological manipulation to trick us into making security mistakes or giving away sensitive information.

For more on how cybercriminals do this, we highly recommend our blog on how the internet encourages cybercrime. 

What does a social engineering attack look like? 

Now we know what a social engineering attack is, let’s look at how they work in practice. Although there are potentially endless types of social engineering attacks, there are four general categories most fit under. 

1. Phishing 

You’ve almost certainly heard of phishing attacks. They’re by far the most common form of social engineering, but that doesn’t make them less dangerous.

Most phishing attacks seek to do three things:

  • Steal personal information such as names, addresses and banking details
  • Redirect victims to malicious websites that contain phishing landing pages or malware
  • Use threats, fear or a sense of urgency to manipulate the victim into acting quickly 

A lot of phishing attacks are poorly executed and easy to ignore. We’ve all had emails claiming to be from a well-known brand, only to notice the web address or logo is subtly wrong. However, plenty of phishing attacks do succeed, and even the ones that only net a single password can do enormous damage.

For example, in May 2021 US fuel supplier Colonial Pipeline suffered one of the most disruptive ransomware attacks in history, triggering fuel shortages along the US east coast. Investigators found the attackers got in with a compromised password for a legacy VPN account that had no multi-factor authentication, not through a sophisticated exploit. How that password was originally obtained has not been confirmed, but stolen credentials are exactly what phishing campaigns harvest, and one leaked or reused password was enough.

So, even though they might be limited and often badly done, it’s unwise to underestimate the humble phishing scam. 
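The ‘subtly wrong web address’ is something you can check mechanically as well as by eye. The block below is an added example, not code from the original post: it takes the domain from each link in a message, strips away the usual tricks (digits standing in for letters, ‘rn’ for ‘m’, accented or non-Latin characters, a trusted brand name stuffed into a subdomain) and flags anything that resembles a brand on a trusted list. The trusted-brand list, the character map and the sample links are all constructed for illustration, and the registered-domain split is deliberately simplified.

```python
"""Spot lookalike web addresses of the kind phishing emails rely on.
Added example; the trusted-brand list, the confusable-character map and
the sample links are all constructed for illustration."""
import unicodedata
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: in practice this is your own allowlist of banks, suppliers
# and SaaS providers, not a hard-coded set.
TRUSTED = {"paypal.com", "microsoft.com", "hmrc.gov.uk", "cybersmart.co.uk"}

# Second-level labels that behave like public suffixes under .uk, so that
# "example.co.uk" is treated as one registered domain rather than "co.uk".
UK_SECOND_LEVEL = {"co", "org", "gov", "ac", "ltd", "plc", "me", "nhs"}


def skeleton(label: str) -> str:
    """Reduce a label to what it *looks* like: drop accents and non-Latin
    letters, fold digits and lookalike pairs (rn -> m, vv -> w) to their twins."""
    ascii_only = (unicodedata.normalize("NFKD", label)
                  .encode("ascii", "ignore").decode().lower())
    folded = ascii_only.translate(str.maketrans("01357|", "olestl"))
    for pair, single in (("rn", "m"), ("vv", "w"), ("cl", "d")):
        folded = folded.replace(pair, single)
    return folded


def registered_domain(host: str) -> str:
    """Naive registrable-domain extraction (a real tool uses the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-1] == "uk" and parts[-2] in UK_SECOND_LEVEL:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Tuple[str, str]:
    """Return ("trusted" | "lookalike" | "unknown", registered domain)."""
    host = (urlparse(url).hostname or "").lower()
    domain = registered_domain(host)
    if domain in TRUSTED:
        return "trusted", domain
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        brand_in_host = brand in host                  # paypal.com.secure-login.xyz
        looks_alike = skeleton(domain) == skeleton(trusted)   # paypa1.com, rnicrosoft.com
        near_miss = edit_distance(skeleton(domain.split(".")[0]), brand) <= 1
        if brand_in_host or looks_alike or near_miss:
            return "lookalike", domain
    return "unknown", domain


# Constructed links of the kind found in phishing emails (and one genuine one).
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",               # genuine
    "https://paypa1.com/account/verify",           # digit 1 in place of l
    "https://rnicrosoft.com/login",                # rn in place of m
    "http://paypal.com.secure-login.xyz/update",   # brand used as a subdomain
    "https://hmrc-refund.co.uk/claim",             # brand plus a lure word
    "https://p\u0430ypal.com/",                    # Cyrillic 'a' in place of Latin 'a'
    "https://example.org/newsletter",              # unrelated, nothing to flag
]


def scan(urls: List[str]) -> List[str]:
    """Verdict for each link, in order."""
    return [classify(u)[0] for u in urls]


if __name__ == "__main__":
    for link, verdict in zip(SAMPLE_LINKS, scan(SAMPLE_LINKS)):
        print(f"{verdict:9} {link}")
```

Treat a ‘lookalike’ verdict as a reason to pause, not proof of fraud: a legitimate partner might genuinely use a brand name in its own domain. Real mail filters do the same job with the Public Suffix List, Unicode’s much larger confusables table and the reputation and age of the domain.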

2. Piggybacking 

Also known as ‘tailgating’, piggybacking involves exactly what it sounds like (although not quite literally). In this type of attack, someone without authorisation follows a company employee into a restricted area. 

Here’s an example of how it might work:

  1. The attacker waits outside the company’s office, posing as a delivery driver or plumber.
  2. An employee enters using their keycard or other security accreditation.
  3. The attacker asks the employee to hold the door.
  4. They do, and suddenly the attacker has access to the building.

Once in, the attacker is one step closer to accessing confidential files, stealing company property, conducting corporate espionage, or physically attacking the business’s systems.

This might sound a bit ‘low-budget spy thriller’ but the danger is very real. And SMEs, who typically have fewer physical security checks in place, are particularly at risk.

3. Pretexting

Of the four threat types on this list, pretexting is the hardest to counter. Why? Because it relies on plausibility. A good pretexting attack creates a fabricated, but completely reasonable, scenario to try and steal information from victims.

A pretexting attack usually works something like this. The scammer poses as a supplier and claims to need information from the target to confirm their identity. They then pilfer this data and use it to steal company property, enter business systems, or launch a secondary attack. 

To give a real-world example, between 2013 and 2015 Facebook and Google were conned out of $100 million after falling for a fake invoice scam. A Lithuanian cybercriminal called Evaldas Rimasauskas realised both organisations used the infrastructure supplier Quanta Computer.

Sensing a vulnerability, he sent a series of fake multimillion-dollar invoices from Quanta Computer over two years. These invoices even included contracts and letters, apparently signed by the tech giants’ staff. 

The cybercriminal was eventually caught and Facebook and Google recovered some of the money. However, if two of the largest and most technologically advanced companies in the world can fall for such a simple scheme, so can anyone else. 

4. Quid pro quo 

Quid pro quo attacks promise a benefit in exchange for information. This benefit is usually some sort of service. 

For example, an attacker may call random phone extensions at a company, pretending to be returning a call from a technical support enquiry. Once they find someone who really has a problem, they pretend to help them but use it as an opportunity to plant malware or access important company data. 

What can you do to protect your business?

Education, education, education 

There’s a well-worn statistic that 95% of cybersecurity breaches are down to human error. But when it comes to social engineering attacks, that figure is much closer to 100%.

The best way to counter this is through security training. Training can help your employees recognise the tactics cybercriminals typically use such as impersonating a supplier, creating a sense of urgency, or offering bogus services. 

As we’ve said before, where many social engineering attacks fail is attention to detail – there’s usually something that isn’t quite right. And you can train your people to recognise these tells. Some examples include spelling mistakes, subtly different URLs, unsolicited communications and suspicious email attachments.

Create clear cybersecurity policies

If your people don’t know which behaviours are harmful, they can’t correct them. So, you need easy-to-follow cybersecurity policies to make it clear what behaviours are expected of them. On top of this, make sure everyone can find them. After all, there’s little point in an important policy document that spends its life languishing in a corner of the shared company drive. 

For more on why cybersecurity policies are so important and how CyberSmart can help, read this.

Foster a positive cybersecurity culture 

If your business does fall foul of a social engineering attack, acting quickly could be the difference between a minor inconvenience and disaster. But for this to work, your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. 

All too often, security mistakes go unchecked and breaches become so much worse than they needed to be because staff are too afraid to report them. 

Check your cybersecurity measures

Alongside training your staff, it’s also worth checking (or implementing) your technological cybersecurity measures. These include firewalls, antivirus and anti-malware, patching and access management policies.

By having these measures in place and regularly checking them, you should be able to limit the number of attacks that ever reach your staff. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


How Cyber Essentials certification can help you win new business


Cyber Essentials certification has numerous benefits. You probably know all about the headline ones, such as protection from 98.5% of cyber threats and peace of mind that your staff are working safely. 

However, there’s another advantage to certification that’s discussed less frequently. Cyber Essentials certification can also help your company win new business. How? We’ve enlisted a few of our clients to explain in their own words. 

Government tenders 

Cyber Essentials (or Cyber Essentials Plus) certification is a mandatory requirement for funding in some parts of the NHS and education system (ESFA funding, for example). 

But Cyber Essentials also has another role to play. Certification is fast becoming a requirement to bid for many UK government tenders. And getting certified can not only unlock new opportunities for your business but also make the whole process easier, as Kim-Lisa Gad, Governance, Risk and Compliance Manager at Vula Mobile, explains:

“Certification has made the process of submitting tenders and business documentation much easier. The certification itself answers many of the questions we’re asked in potential business agreements.”

Building trust 

In an online economy teeming with potential risks, trust is often a prerequisite for doing business. After all, how can you know whether a new partner or supplier is following the cybersecurity best practices they claim to be?

You need proof. And this is where Cyber Essentials comes in. Cyber Essentials is a simple, cost-effective way to demonstrate your security credentials to potential customers and partners:

“Our customers, partners and prospects have really appreciated the additional assurance that certification provides. What’s more, their trust in how we manage our business and the services we provide has also increased.

We find once we’ve submitted our Cyber Essentials Plus certificate to other businesses, they’re generally satisfied and don’t require any further proof of our commitment to security. The certificate provides all the proof they need.” Kim-Lisa Gad, Governance, Risk and Compliance Manager at Vula Mobile

“FNA works with some of the most important financial institutions in the world and handles highly sensitive data. As such, it is critical to them that they take every precaution to meet a high standard of cybersecurity.

Sometimes, you actually need to see that you can trust someone to trust them. With the help of CyberSmart’s app, FNA’s leadership team were provided with an efficient means of verifying that all their employees have met the basic security checks. Rather than having to manually assess every individual device, the CyberSmart software helps FNA run automatic audits in the background and sends alerts when individuals drop below certain standards. In a way, this removes any ambiguity surrounding what employees may or may not have done and offers peace of mind.” Kimmo Soramaki, Founder and CEO of Financial Network Analytics

New business 

Lastly, Cyber Essentials certification can mark you out as a trustworthy business that takes security and data protection seriously. In a world where proof of cybersecurity credentials is increasingly important, this makes you an attractive proposition to prospective customers and partners. 

Ben Pook, Director of Play Verto, explains how getting certified has helped his business: 

“The impact of not having the right security measures in place is massive. Our customers and partners rely on us to keep their data secure. CyberSmart offers an additional service that is critical in giving both ourselves, as well as our customers, peace of mind.

When we take on a new client, they want to understand how we collect data, how we store it, where it is stored, which servers we are using etc. With CyberSmart, all of that information is in one place and easily accessible. What’s more, the certificates themselves are a demonstration that we take security seriously in the eyes of our customers.”

So there you have it. Not only can Cyber Essentials dramatically improve your business’s cybersecurity, but it’s also a great way to gain an edge over competitors and open up new avenues of opportunity. And, at CyberSmart, we can get you certified in as little as 24 hours. Click here to find out more.


CyberSmart up for three awards


Awards season is just around the corner. So we’re delighted to kick proceedings off with a bang, bagging three nominations at the 2021 Network Computing Awards.

What are the Network Computing Awards?

Network Computing Magazine is one of the UK’s most prominent online tech publications. It began life in the 1990s as a monthly print publication covering the tech world, before moving to online-only in the late noughties.

As part of its focus on IT and tech, Network Computing also hosts an annual awards ceremony celebrating the best the industry has to offer. Past winners read like a veritable who’s who of tech royalty, including everyone from SolarWinds to Dell and Cisco.

What awards is CyberSmart up for? 

We’re honoured to have been nominated for three awards:

  • Remote Working Product of the Year (CyberSmart Active Protect)
  • The One to Watch Company (CyberSmart)
  • The Innovation Award (CyberSmart Active Protect)

We’re particularly proud to see CyberSmart Active Protect up for two awards. We’ve spent most of the year so far refining our approach to cybersecurity for SMEs. And these nominations are a great early sign that we’re on the right track.

But we’re just getting started. The rest of 2021 will see more exciting developments and the launch of several new products.

In the meantime, we’d like to wish all the other nominees the best of luck. We’ll certainly be crossing everything in the run-up to the ceremony on the 21st of October! 

Are you a small business looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene. 
