Case study: Helping a healthcare business build trust

Healthcare

Cyber Essentials certification is becoming ever-more important to the healthcare industry, particularly for those firms looking to work with the NHS. 

So we sat down with Kim-Lisa Gad, Governance, Risk and Compliance Manager at Vula Mobile to discuss how CyberSmart has helped the business complete Cyber Essentials Plus certification.

Vula is a medical referral app and online platform that makes it easy for primary healthcare workers to get advice from and refer patients to specialists.

CyberSmart: What security challenges have you faced as a business? 

Kim: Like many businesses – even those with good physical, technical and administrative security measures in place – it’s often a challenge to reassure customers and partners that their data is protected and our organisation is secure.

The Cyber Essentials Plus certification has allowed us to demonstrate to customers and partners that we take security seriously. And, that we’re continually improving and verifying that our security processes are effective and well managed. 

CyberSmart: What prompted you to get Cyber Essentials Plus certification?

Kim: Initially, we were required to get Cyber Essentials Plus to apply for a business tender. However, since then, Cyber Essentials Plus has helped us obtain and move forward with other contracts. Being able to demonstrate our security measures to current and potential customers has proved invaluable. 


CyberSmart: How easy was the process from initial enquiry to certification?

Kim: The process was exceptionally quick and seamless, from our initial contact with James (Direct Sales Manager at CyberSmart) to our audit with Glen (CyberSmart’s Head of Cyber Audit) and obtaining our certification. 

The team at CyberSmart were always on hand with information and advice, making the whole process much less stressful. It was also wonderful that they were able to do everything remotely as we are based in South Africa. 

CyberSmart: How long did the process take? 

Kim: The initial questionnaire for Cyber Essentials took around a week to complete. We had our first response back requesting more information on three questions within a day of completing it. I provided the information the same day and we were granted certification later that afternoon. 

We then started Cyber Essentials Plus certification two weeks later, preparing ourselves for the online audit. The audit took around three hours; Glen was exceptional in helping us prepare and very thorough in his assessment. We received our Cyber Essentials certification the same day as the audit which was a very efficient turnaround. 

CyberSmart: How has Cyber Essentials Plus helped your business?

Kim: It’s proved an invaluable way of proving to customers, partners and prospects that our security is effective and follows best practices. Certification has also made the process of submitting tenders and business documentation much easier. The certification itself answers many of the questions we’re asked in potential business agreements. 


CyberSmart: Have you noticed any change in your relationship with customers, suppliers, or prospects since getting certified?

Kim: Our customers, partners and prospects have really appreciated the additional assurance that certification provides. What’s more, their trust in how we manage our business and the services we provide has also increased. 

We find once we’ve submitted our Cyber Essentials Plus certificate to other businesses, they’re generally satisfied and don’t require any further proof of our commitment to security. The certificate provides all the proof they need. 

CyberSmart: Would you recommend Cyber Essentials Plus to other businesses like yours?

Kim: Most definitely. The Cyber Essentials Plus certification offered through CyberSmart is an absolute necessity for any business that wants to validate its security commitments. And, it’s a great way to assure customers and business partners that your organisation is secure.

Finally, it’s also a very methodical approach to ensuring your security measures are well-thought-out, executed properly, and mitigate cybersecurity risks. 

Considering Cyber Essentials Plus for your business? Click here to find out why CyberSmart is the UK’s leading provider of Cyber Essentials certification.


Servers and Cyber Essentials explained

Servers

Just about every business uses a server, but most of us only have a fuzzy idea of what they actually do. And it’s easy to assume that it’s too technical or complex for us non-techy types to understand. 

In reality, servers are pretty simple, and they’re a key part of your IT infrastructure as well as having a role to play in Cyber Essentials certification.

Here’s everything you need to know. 

What is a server? 

When most of us think of servers, we think of huge, thousand-acre data centres. However, most businesses have a server, and they’re often of a much more modest scale.

Any computer using the right software can be a server. Essentially, all a server does is collect and distribute information across a network. The network could be local, say within your office, or a wider network across many locations, like the internet.

For more on the different types of networks and how they work, check out our recent blog on the subject. 

How does a server work? 

Whether it’s searching Google or pulling up a file at work, you probably access servers thousands of times each day.

Taking the internet as an example, the process works something like this: 

  1. You enter a URL into your web browser
  2. The browser requests the data for the site you’ve asked it to display
  3. This information is sent to the server
  4. The web server finds all the data needed to display the site and sends it back
  5. The site you’ve requested appears on your browser

And that’s it. The whole process shouldn’t take more than a few seconds, depending on your internet speed. 
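To make the five steps above concrete, here is an added example (not code from the original blog) that models the exchange without any real networking: a “browser” function turns the URL you typed into an HTTP request, and a “server” function looks the requested path up in a small in-memory site and sends back the data, or a 404 if the page doesn’t exist. The site content and the host name example.test are constructed for the example.

```python
"""Added example: the request/response exchange behind "how does a server
work?", modelled in memory. Site content and host name are constructed."""
from urllib.parse import urlsplit

# Constructed example site: path -> (content type, body). Stands in for the
# files a real web server would read from disk.
SITE_FILES = {
    "/": ("text/html", "<h1>Example home page</h1>"),
    "/about.html": ("text/html", "<p>About us</p>"),
    "/style.css": ("text/css", "body { color: black }"),
}

REASONS = {200: "OK", 400: "Bad Request", 404: "Not Found",
           405: "Method Not Allowed"}


def build_request(url: str) -> bytes:
    """Steps 1-2: the browser parses the URL the user typed and builds the
    request it will send (GET for the path, plus the mandatory Host header)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {parts.netloc}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def _response(status: int, content_type: str, body: str) -> bytes:
    payload = body.encode("utf-8")
    return (
        f"HTTP/1.1 {status} {REASONS[status]}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii") + payload


def handle_request(raw: bytes, site=SITE_FILES) -> bytes:
    """Steps 3-4: the web server parses the request line, finds the data the
    page needs and sends it back. Malformed requests get 400, methods other
    than GET get 405, and unknown paths get 404 rather than an error."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii", "replace").split("\r\n")
    try:
        method, target, version = request_line.split(" ")
    except ValueError:
        return _response(400, "text/plain", "Bad Request")
    headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
    if not version.startswith("HTTP/1.") or "Host" not in headers:
        return _response(400, "text/plain", "Bad Request")
    if method != "GET":
        return _response(405, "text/plain", "Method Not Allowed")
    path = target.split("?", 1)[0]
    if path not in site:
        return _response(404, "text/plain", "Not Found")
    content_type, body = site[path]
    return _response(200, content_type, body)


def parse_response(raw: bytes) -> tuple:
    """Step 5: the browser reads the status code and the body it will render."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii")
    return int(status_line.split(" ")[1]), body.decode("utf-8")


def fetch(url: str) -> tuple:
    """Run the whole round trip (steps 1 to 5) for one URL."""
    return parse_response(handle_request(build_request(url)))


if __name__ == "__main__":
    for url in ("http://example.test/", "http://example.test/about.html",
                "http://example.test/missing.html"):
        print(url, "->", fetch(url))
```

A real browser and server do exactly this over a TCP connection; the only thing the example leaves out is the network in between.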

What is a virtual server? 

Servers are simple enough. But, things get a little more complicated when it comes to virtual servers. So, here’s the simplest explanation we could come up with.

A virtual server is a server that shares its resources amongst multiple users, each of whom has some control over it. It’s usually located offsite from the organisation using it, typically in a data centre. 

Think of it as a way of splitting a single, physical server into several smaller virtual servers, each of which can run its own operating system. The key advantage of this approach is cost saving. 

A virtual server is usually much more energy-efficient to run than a dedicated physical server and doesn’t require any upkeep by the businesses using it. And, you only pay for the server capacity your business actually uses – far more cost-effective than running an entire server and only using a fraction of its capability.

Servers and Cyber Essentials 

The Cyber Essentials certification questionnaire has several sections relating to servers, but what is it you need to do?

First, all servers, whether virtual or physical, need to be supported by the manufacturer. For example, Windows Server 2008 isn’t Cyber Essentials compliant because Microsoft stopped supporting it some time ago. This means its defences won’t have been updated to deal with new threats, making it vulnerable to attack. For more detail on the importance of updates, have a read of this.

For Cyber Essentials Plus, your servers only need to be tested by an auditor if they ‘touch’ the internet and a non-admin user can use them to browse. If you’re unsure of the difference between admin and non-admin users, never fear, we’ve put together a handy blog to help.

For both Cyber Essentials and Cyber Essentials Plus, you’ll also need to answer questions on who has access to your servers, the protections you have in place, and the software installed on your servers.

And that’s all there is to know about servers: a complex technology with a very simple job. Hopefully this blog has armed you with all the knowledge you need, but if you have any questions please get in touch, our team are always happy to help.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


How does the internet encourage cybercrime?

Cybercrime

There’s no disputing that cybercrime is on the rise. According to data from RiskIQ, $2,900,000 is lost to criminals every minute and companies pay out an average of $25 every 60 seconds due to breaches. So it’s hardly surprising cybercrime is set to cost the world $10.5 trillion annually by 2025.

But what is it about the internet that encourages cybercrime? In the second part of our series on cyberpsychology, we delve into how the internet nurtures cybercrime and why we often fall for scams we wouldn’t in the physical world.

Let’s start with the bad guys.

How does the internet enable cybercriminals? 

We’re not always aware of it, but all of us can be guilty of losing our inhibitions online. The internet can encourage us to be more confident and open. However, it can also have toxic side effects.

Some of us are more likely to be manipulative and deceptive online as we are less concerned about our peers’ judgement. When interacting with each other using technology, communication has limited physical features. Often we can’t see or hear the person we’re talking to, offering perfect conditions for misleading messages and false identities.

$2,900,000 is lost to cybercriminals every minute

Online interactions can seem less tangible than our offline lives. And, because the online world feels less ‘real’, harmful behaviour can also feel more acceptable. Without the victim’s physical presence, attackers feel distant and detached from their target and are less afraid of being caught. This makes lying and misleading behaviour much easier. Criminals also feel safer due to the anonymity offered by the internet and the lack of regulation of online behaviour.  

Criminology theory suggests that the three key ingredients for more crime are a motivated attacker, a suitable target and a lack of ways to protect them. Let’s apply this framework to cyberspace. The motivation for cybercriminals is the belief they’re unlikely to be punished for cybercrime. The target can be just about anyone, such is the range of available victims. And, the lack of protection is provided by the way we conduct ourselves online. 

How do cybercriminals use the internet against us?  

There is a wide variety of methods cybercriminals use to ensnare victims. For example, phishing attacks create a sense of urgency and exploit it. It could be by creating a bogus ‘emergency’ in which the cybercriminal poses as a friend in need of help. Or, it could be something less altruistic, like the chance to win prizes.

Criminals can also mislead us by presenting themselves as an authority or trustworthy institution – sometimes even using familiar names and logos. This could trigger us to be less critical when facing a request and respond out of habit, familiarity, or respect for authority. To give an example, during the COVID-19 pandemic we’ve seen a huge increase in bogus vaccination emails. The threat has become so widespread that the NCSC has launched an awareness campaign, encouraging anyone who’s been targeted to use its scam reporting services.

Online communication can often appear hyperpersonal. And this is especially true if we don’t know the person we’re communicating with. Online interactions can make us idealise the person behind the avatar or email address. Without a physical appearance, body language or other non-verbal cues, we struggle to determine someone’s intentions. The result is we often default to our better nature and develop a sense of having a close relationship very quickly. 

This can lead to us disclosing personal details without actually knowing the person we’re communicating with. Cybercriminals know this and are quick to exploit it. 

The situation is made worse by the ready availability of personal information on the internet. Take social media, for example. Through a person’s profile, you can often see friends or connections lists, recent locations, their interests, and any events they’ve been part of. This information is a great resource for attackers in making communication more targeted and personal. 
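The cues described in this section (manufactured urgency, a bogus emergency, prize lures, posing as an authority, and requests for personal details) are exactly what a mail filter or awareness tool looks for. The following is an added example, not code from the original article, that scores a few constructed sample emails against those cues. The keyword lists, the authority-to-domain mapping, the sample messages and the threshold are all assumptions made up for the illustration; a production filter would use far richer lists and models.

```python
"""Added example: scoring emails for the manipulation cues the article
describes. Cue lists, domains and sample messages are constructed."""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Illustrative cue lists (assumptions for the example).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "act now",
                 "emergency", "account will be suspended", "final notice")
PRIZE_WORDS = ("you have won", "prize", "claim your reward", "winner")
# Organisations criminals like to pose as, mapped to the domain they really
# send from. Constructed mapping; "example-bank.com" is a placeholder.
AUTHORITY_DOMAINS = {"nhs": "nhs.uk", "hmrc": "gov.uk", "bank": "example-bank.com"}
PERSONAL_DETAILS = r"\b(password|date of birth|national insurance|card number)\b"
MONEY_REQUEST = r"\b(send money|gift card|bank transfer|wire transfer)\b"


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def score_email(headers: dict, body: str) -> Verdict:
    v = Verdict(0)
    text = body.lower()
    display_name, sender = parseaddr(headers.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()

    # 1. Manufactured urgency or a bogus 'emergency'.
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        v.score += 2
        v.reasons.append(f"urgency cue(s): {', '.join(hits)}")

    # 2. The 'less altruistic' lure: prizes and rewards.
    if any(w in text for w in PRIZE_WORDS):
        v.score += 1
        v.reasons.append("prize/reward lure")

    # 3. Posing as an authority: the display name (or a lookalike domain)
    #    invokes a known organisation, but mail was not sent from its domain.
    name_text = (display_name + " " + sender_domain).lower()
    for keyword, real_domain in AUTHORITY_DOMAINS.items():
        if keyword in name_text and not sender_domain.endswith(real_domain):
            v.score += 3
            v.reasons.append(f"claims to be {keyword} but sent from {sender_domain}")

    # 4. Replies are steered to a different address than the apparent sender.
    reply_to = headers.get("Reply-To")
    if reply_to and _domain(reply_to) != sender_domain:
        v.score += 2
        v.reasons.append(f"Reply-To domain {_domain(reply_to)} differs from sender")

    # 5. Asks for the personal details we are prone to over-share.
    if re.search(PERSONAL_DETAILS, text):
        v.score += 2
        v.reasons.append("asks for personal details")

    # 6. The 'friend in need' ask: money, gift cards, transfers.
    if re.search(MONEY_REQUEST, text):
        v.score += 2
        v.reasons.append("asks for money")
    return v


def is_suspicious(headers: dict, body: str, threshold: int = 4) -> bool:
    return score_email(headers, body).score >= threshold


# Constructed sample messages (not real emails).
SAMPLES = {
    "bogus vaccine": ({"From": "NHS Vaccination Team <bookings@nhs-vaccine-now.com>",
                       "Reply-To": "confirm@mail-verify.net"},
                      "URGENT: confirm your date of birth and card number within "
                      "24 hours to secure your vaccination slot."),
    "friend in need": ({"From": "Sam <sam.friend@example.org>"},
                       "Emergency! I'm stuck abroad, please send money immediately."),
    "ordinary mail": ({"From": "Accounts <accounts@example.org>"},
                      "Hi, the April invoice is attached as agreed. Thanks."),
}

if __name__ == "__main__":
    for label, (hdrs, body) in SAMPLES.items():
        verdict = score_email(hdrs, body)
        print(f"{label}: score={verdict.score} reasons={verdict.reasons}")
```

The point of the reasons list is that a user can be told *why* a message was flagged, which reinforces the habits the article recommends rather than just silently filtering.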

What can cyberpsychology do to help us improve our cybersecurity? 

Although it might sound like a slightly dusty academic concept, cyberpsychology has plenty of practical uses. For one, it can help us better understand our vulnerabilities online. And knowing that we’re prone to hyperpersonal communication and letting our guard down is the first step towards correcting that behaviour. 

It also helps us understand the methods cybercriminals use to trick us and the behaviours that make us an easy target. This understanding can make us think more critically the next time we’re faced with a potential scam. What’s more, it gives us the tools to avoid falling for scams in the first place and better strategies for protecting ourselves. After all, to defeat your enemies you must first understand them. 

Knowledge of how and why cybercriminals target us is important. However, knowledge alone isn’t enough to protect your business. You also need an understanding of the fundamentals of good cybersecurity. Fortunately, this isn’t nearly as difficult as it sounds. A great place to start is by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of good cyber hygiene. It doesn’t require any cyber expertise and can help protect your business against 98.5% of the most common cyber threats.


What’s the difference between users and admin users?

Admin users

User permissions aren’t normally something we associate with cybersecurity. This is partly because they aren’t quite as sexy as talking about the latest ransomware attack, but also because of simple confusion.

So, to help you understand how it can affect your cybersecurity, we’re delving into the world of user permissions. What are standard and admin users? What are the differences between them? And how are they relevant to Cyber Essentials certification?

What is a user?

A user account is an identity created for a person in a computer or computing system. When you sign up for an online groceries account, that’s creating a user. Likewise, when you first purchased the device you’re reading this from, you likely set yourself up as a user.

But user accounts don’t have to be created for real, living breathing humans. It’s also possible to create accounts for machines. For example, service accounts for running programs, system accounts for storing system files and processes, and admin accounts for system administration.

What is an admin user?

Administrator accounts are created to carry out tasks that require special permissions. You wouldn’t want just anyone in your organisation to be able to install software or access certain confidential files, so setting up admin users allows you to control who can do what. 

These administrator accounts should be regularly audited, including password changes and regular confirmation of the right people’s access.

What’s the difference between admin accounts and standard accounts?

Simply put, admin accounts are the most powerful type of user. They have the power to do just about anything on a device. For context, think about the guy or girl in IT who you need to ask to perform tasks like setting up new software. Every device or system will have at least one admin user somewhere.

Standard user accounts are much more limited. Just how limited often depends on the type of operating system you use. But, as a rule of thumb, standard accounts can’t typically install new software or access system-critical files. Usually, they can access the files they need for day-to-day work but are prohibited from making serious or permanent changes to their device. 

It’s also important to note that standard accounts are much easier to control than admin users. With user controls, administrators can place much more severe restrictions on accounts – everything from blocking access to certain applications and websites to setting a daily time limit. 

Although using a standard user account can appear limiting, it does provide security benefits that can protect you in the event of a breach. 

Why are standard accounts more secure than admin accounts?

At first glance, the choice between a user and an admin account might seem like a simple one. After all, who doesn’t want the power to change anything they see fit?

However, admin accounts do come with an added security risk. Due to the permissions granted to admin users, if malware is installed on your system an attacker has the power to do virtually anything they want to. In essence, the more permissions your account has, the more damage a cybercriminal can do should they gain access. 

On the other hand, standard accounts offer much less flexibility but greater security. Malware installed under a standard user account is less likely to do serious damage. The hacker won’t be able to make system-level changes or access files other than the user’s own. So when it comes to cybersecurity, having a ‘lower level’ account can work in your favour. 

Why is it important for administrators to have a standard account? 

While it’s inevitable there will always be a need for admin accounts in your business, it matters what those accounts are used for. Using an admin account for day-to-day activities like checking your email or browsing the internet dramatically increases the risk of being breached. 

When penetration testers are attempting to compromise a system, they are looking to “gain admin.” And the same principle applies to cybercriminals, who also look to gain admin rights to a system or, better still, a network.

Allowing a systems administrator – especially one with domain administrator privileges – to access the internet via their admin account presents an easy target for hackers using phishing or impersonation attacks. To counter, consider giving your admin users safer standard accounts for their day-to-day duties. 

How do user permissions relate to Cyber Essentials? 

User accounts are covered in the Cyber Essentials questionnaire and there are two sections you’ll need to answer. 

User accounts 

The questions in this section deal with how user accounts are created, who approves the creation, and the processes you have in place for when people leave the organisation or switch roles. They apply to any servers, laptops, tablets or mobile phones used in your business.

Cyber Essentials describes best practice for user accounts as: 

It is important to only give users access to all the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with email whilst logged on as a user with administrator privileges which allow significant changes to the way your computer systems work.

Admin accounts 

The questions in this part of the assessment tackle your processes for choosing and setting up admin users and how regularly access to privileged accounts is audited. Once again, this applies to all servers and devices used in your organisation.

How should you set up user permissions in your business? 

Although every business has different requirements, there are some best practices we recommend you follow.

1. For SMEs, we recommend that no more than two people in your business have access to domain admin accounts for whatever software package you use – for example, Microsoft Office 365 or Google Suite.

2. You should regularly audit who has access to these accounts. In the hustle and bustle of daily business, it’s very easy for user permissions to slip and admin accounts to be used by unauthorised staff. 

3. Put in place policies and, if necessary, training to ensure that administrators don’t access the internet or their emails using admin accounts. 

4. Use two-factor authentication (2FA) or multi-factor authentication (MFA) on both admin and standard user accounts. This adds an extra layer of security for cybercriminals to breach in an attempted attack.
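The four recommendations above, together with the regular auditing of admin accounts called for earlier in the article, can be turned into a repeatable check. Below is an added example, not code from the original article or from CyberSmart, that runs those checks over a constructed export of user accounts and reports each policy breach as a finding. The account fields, the 90-day review interval and the sample accounts are assumptions for the illustration; a real directory export (Microsoft 365, Google Workspace, Active Directory) has different field names and would need a small adapter.

```python
"""Added example: auditing user-permission practice over a constructed
account export. Field names, review interval and accounts are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    name: str
    person: str            # human owner; empty for service accounts
    is_admin: bool         # holds domain-/tenant-wide admin rights
    mfa_enabled: bool
    mailbox_enabled: bool  # admin accounts should not be used for email
    last_reviewed: date    # when access to the account was last confirmed


MAX_DOMAIN_ADMINS = 2                 # recommendation 1 for SMEs
REVIEW_INTERVAL = timedelta(days=90)  # assumed audit cadence (recommendation 2)


def audit(accounts: list, today: date) -> list:
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    admins = [a for a in accounts if a.is_admin]

    # 1. No more than two people hold domain admin rights.
    admin_people = {a.person for a in admins if a.person}
    if len(admin_people) > MAX_DOMAIN_ADMINS:
        findings.append(f"{len(admin_people)} people hold domain admin rights "
                        f"(limit {MAX_DOMAIN_ADMINS}): {sorted(admin_people)}")

    # 2. Access to privileged accounts is reviewed regularly.
    for a in admins:
        if today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append(f"admin account {a.name} not reviewed since {a.last_reviewed}")

    # 3. Admins don't read email or browse from the admin account: the admin
    #    account has no mailbox, and its owner has a separate standard account.
    standard_owners = {a.person for a in accounts if not a.is_admin and a.person}
    for a in admins:
        if a.mailbox_enabled:
            findings.append(f"admin account {a.name} has a mailbox enabled")
        if a.person and a.person not in standard_owners:
            findings.append(f"{a.person} has admin account {a.name} but no standard account")

    # 4. MFA on admin and standard accounts alike.
    for a in accounts:
        if not a.mfa_enabled:
            findings.append(f"MFA not enabled on {a.name}")
    return findings


# Constructed sample export (not real accounts).
TODAY = date(2021, 3, 1)
SAMPLE = [
    Account("alice", "Alice", False, True, True, date(2021, 2, 1)),
    Account("alice-admin", "Alice", True, True, False, date(2021, 2, 1)),
    Account("bob", "Bob", False, True, True, date(2021, 2, 1)),
    Account("bob-admin", "Bob", True, True, False, date(2020, 6, 1)),    # stale review
    Account("carol-admin", "Carol", True, True, True, date(2021, 2, 1)),  # 3rd admin, mailbox, no standard account
    Account("dave", "Dave", False, False, True, date(2021, 2, 1)),       # no MFA
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, TODAY):
        print("FINDING:", finding)
```

Run against the sample export, the check reports a third domain admin, a privileged account whose access hasn’t been confirmed for months, an admin account with a mailbox (and no standard account for its owner), and one user without MFA; run on a clean export, it returns nothing.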

What about staff working remotely? 

Things do become slightly trickier in our current working environment, with many businesses working remotely. In many cases, staff working from home will need a local admin account for their device. It’s often more practical for employees to be able to install software or make changes to their machine, rather than asking your IT team to do it remotely.

Nevertheless, most of the recommendations above still apply. Your people still need to be educated on the importance of using standard accounts for daily work and using MFA. 

That’s all there is to user permissions. Setting up user and admin accounts safely is a simple change, but one that can instantly improve your cybersecurity. Hopefully, this article has helped you better understand how they work and some best practices for keeping your business safe. But, if you have any questions, please get in touch, our team is always on hand to help. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Everything you need to know about firewalls

Firewalls

Firewalls can appear complicated at first glance. However, in reality, they’re easy to set up and offer an important defence against cyber threats. So, to help you better understand firewalls and how to protect your business, here’s everything you need to know. 

What is a firewall? 

A ‘firewall’ is a tool that protects your home or office systems from malicious traffic on the internet. 

Think of it as a well-armed bouncer, checking anything that enters your network for threats. It creates a barrier between a ‘trusted network’ (such as your office) and an ‘untrusted network’, like the internet. 

Firewalls keep your devices operating reliably. But they also protect you from a variety of threats, such as DoS (Denial of Service) and malicious packet attacks.

Most modern devices contain a firewall of some kind. You’ll find one built into your laptop and internet router, although, crucially not on most smartphones. Many businesses also set up a separate hardware firewall in addition to the one built into devices for an extra layer of security. 

Where does the term ‘firewall’ come from? 

The term ‘firewall’ has an interesting history (no, really). It originally referred to a wall built to contain a fire between adjacent buildings. Later, it was used to describe the metal sheet that separates the engine compartment from passengers on an aeroplane.

It wasn’t until the 1980s that ‘firewall’ first became synonymous with the internet. The term appeared in the 1983 computer-hacking movie WarGames to describe the act of filtering data coming through routers and possibly inspired its later use.

How does a firewall work?

Firewalls analyse all incoming traffic based on a set of pre-set rules. The rules are then used to filter out anything malicious or suspicious and prevent attacks. 

The slightly more technical explanation is that firewalls filter traffic at a computer’s entry points or ‘ports’. These ports are where information is exchanged with external devices. For example, a rule might look something like this:

“Source address 172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22.”

A great analogy for understanding this is to think of an IP address (the unique number that identifies your device) as a house and port numbers as rooms within the house. Only trusted people (IP addresses) are allowed to enter the house at all. Then, once in the house, trusted people are only allowed to access certain rooms (destination ports). 

It’s much like hosting a party at your house, in that you’d probably keep some rooms off-limits. Perhaps there are some rooms that could pose a threat to children or maybe you just like your privacy, either way, the same basic principle applies to firewalls. Trusted devices are only allowed access to certain places. 

Why are firewalls important? 

Simply put, firewalls are a vital first line of defence. To return to our bouncer analogy from earlier, without a doorman anyone can enter the building. Without a firewall, anyone can get into your business.

It’s not difficult for even a relatively unsophisticated cybercriminal to probe your organisation’s devices in an attempt to break into your systems. Without a properly configured firewall, they’re much more likely to succeed. 

What’s more, the consequences can be disastrous. Not only will hackers gain access to your data and potentially leak it or use it maliciously, but the financial hit can also be severe. According to insurer Hiscox, the average cost of a breach for an SME is £11,000, and that’s before we even consider reputational damage or fines from regulators. 

A properly configured, maintained and monitored firewall will go a long way towards protecting your business. 

But what do we mean by ‘properly’ configured? Well, for your firewall to work optimally, you need to ensure it has the power to manage normal and encrypted internet traffic without slowing down your devices or compromising security. A good IT support partner can help you do this or, alternatively, automated tools like CyberSmart can guide you through the process yourself. 

Firewalls and Cyber Essentials 

You might be reading this article because you’ve come across the firewalls section of the Cyber Essentials questionnaire. Or perhaps you’re considering completing Cyber Essentials certification for your business. 

Either way, the section of Cyber Essentials dealing with firewalls can appear confusing. But, in reality, it’s very simple. You’ll be asked which firewalls you have in place, whether they are password protected, and which services are ‘accessible’.

The first two elements are self-explanatory. All you need do is list the firewalls you use and set up password protection for them if you don’t already have it (the questionnaire or one of our team will provide guidance on how to do this). However, ‘accessible services’ is a little more complicated. 

What does ‘accessible services’ mean? 

‘Accessible services’ refers to the traffic that is approved to pass through the firewall. In an office environment, your firewalls will usually be configured so that IT support can access anything they need to. However, most of us aren’t working in an office at the moment, and home routers are often set up to block all services by default.

Sadly, working from home doesn’t mean the end of all IT troubles, so your remote workers may wish to allow external access to their personal router. If this is the case, then it’s best practice to allow a single, static IP address through the firewall. That way, you can be sure your IT support team, and only the IT support team, has access. 
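The rule quoted in the “How does a firewall work?” section (source 172.18.1.1 may reach 172.18.2.1 over port 22), the house-and-rooms analogy, and the home-router advice just above (allow a single static IP through for IT support and block everything else) can all be expressed as an ordered, default-deny rule set. The following is an added example, not code from the original article or from any firewall product, that evaluates constructed traffic against such a rule set. Apart from the two addresses the article quotes, every address, port and rule is made up for the illustration; 203.0.113.10 is a documentation address standing in for the IT support team’s static IP.

```python
"""Added example: ordered, default-deny firewall rules evaluated against
constructed traffic. Only 172.18.1.1 -> 172.18.2.1:22 comes from the
article; every other address, port and rule is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR; "0.0.0.0/0" means any address
    dst: str               # destination CIDR (the "house")
    port: Optional[int]    # destination port (the "room"); None means any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when the source and destination fall inside its ranges
    and the port is either unrestricted or exactly the rule's port."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.port is None or rule.port == pkt.port))


def evaluate(rules: list, pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins. Traffic no rule mentions is denied, which is
    the 'block all services by default' posture the article describes."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


# Office rule set: the article's quoted rule, plus the office LAN reaching the
# same server over HTTPS, plus an explicit catch-all for that server.
OFFICE_RULES = [
    Rule("allow", "172.18.1.1/32", "172.18.2.1/32", 22, "admin host to server over SSH"),
    Rule("allow", "172.18.1.0/24", "172.18.2.1/32", 443, "office LAN to web server"),
    Rule("deny", "0.0.0.0/0", "172.18.2.1/32", None, "nothing else reaches the server"),
]

# Home router for a remote worker: only the IT support team's single static
# IP may reach the router's management interface; everything else is denied
# by the default rule. (Constructed addresses.)
IT_SUPPORT_STATIC_IP = "203.0.113.10/32"
HOME_RULES = [
    Rule("allow", IT_SUPPORT_STATIC_IP, "192.168.1.1/32", 443, "IT support remote management"),
]

if __name__ == "__main__":
    for pkt in (Packet("172.18.1.1", "172.18.2.1", 22),     # the article's rule
                Packet("172.18.1.1", "172.18.2.1", 3389),   # trusted host, wrong room
                Packet("172.18.1.50", "172.18.2.1", 443)):  # office LAN to web
        print("office", pkt, "->", evaluate(OFFICE_RULES, pkt))
    for pkt in (Packet("203.0.113.10", "192.168.1.1", 443),  # IT support
                Packet("198.51.100.7", "192.168.1.1", 443)): # anyone else
        print("home  ", pkt, "->", evaluate(HOME_RULES, pkt))
```

Two design points carry over to real firewalls: rules are evaluated in order, so a broad rule placed above a narrow one silently wins, and the safest final rule is always a deny. The “trusted host, wrong room” packet shows the analogy in action: 172.18.1.1 is allowed into the house, but only into the SSH room.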

And that’s all there is to firewalls. Hopefully, this has answered most of your questions but, if there’s anything else you’d like to know, please get in touch with one of our team.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


What can the UK learn from the US cyber insurance market?

Cyber insurance

Why is the US streets ahead of the UK when it comes to businesses adopting cyber insurance? And what can we learn from our American cousins? 

Why is cyber insurance important? 

To illustrate why cyber insurance is important, let’s compare it to a business insurance policy. It’s widely accepted that any organisation operating without business insurance is at best foolhardy and at worst crazy. There are so many potential things that could go wrong. 

You could be the victim of fraud, a workplace accident could lead to legal action against you, or an electrical fire could turn your hardware into a husk of melted plastic. The possibilities are endless and any one of them could seriously damage or even end your business.

It’s vital for your business’s health (and a good night’s sleep) to know you’re covered should the worst happen. 

The same is true of cyber insurance. We’re unused to thinking of it in the same way as business cover, but cyber insurance is becoming increasingly necessary. Up to 88% of UK companies have suffered breaches in the last 12 months, according to Carbon Black. Meanwhile, Hiscox reports that a UK SME is successfully hacked every 19 seconds. 

Up to 88% of UK companies have suffered breaches in the last 12 months.

All this means that UK SMEs are experiencing double the number of cyber risks that they did in 2018 with the average cost of a breach also quadrupling. There’s a clear case for widespread cyber insurance adoption,  so how are UK businesses doing? 

What does the cyber insurance market look like in the UK?

Given the risks we’ve just outlined, you might think that British businesses are clamouring for cyber cover. But, unfortunately, cyber insurance adoption is relatively low in the UK. 

There are a couple of reasons for this. The first is a simple case of awareness. As we mentioned earlier, getting business insurance is considered common sense by most organisations. However, awareness of the need for cyber insurance lags some way behind. We simply aren’t used to considering it as an everyday business cost. After all, if you’re lucky enough to have never been successfully attacked, why would you?

The second reason is the cost. A Deloitte survey, looking at 504 middle-market commercial insurance buyers, found that 41% of businesses claimed insurance costs were too high. And 33% of organisations reported ‘dissatisfaction with the service’.

41% of UK businesses claim insurance costs are too high.

However, it’s not all bad news. 41% of businesses still purchased cyber insurance after conducting a risk assessment. What’s more, a further 41% were prompted to buy a standalone insurance product by attacks on other industries.

Why is the US ahead?

There’s an old adage that ‘everything’s bigger in America’. It’s usually said sarcastically by embittered Europeans, but when it comes to cyber insurance it’s true.  

Despite net premiums being low for an insurance market ($1.94b in 2018), the US market is growing fast. 40% of US businesses purchased cyber coverage in 2018, with a further 40% buying for the first time in 2019. During the same period, the average US cyber claim size shot up to around $181k for an SME and over $5.5m for a large business. 

So why is the US market more advanced than what we’re currently seeing in the UK?

It’s partly because the US is at the forefront of the fight against cybercrime. The US currently leads the world in data breaches with an average breach cost of $8.64 million and is the second most attacked country on earth after Germany. So for companies based in the US, cyber threats are seen as part and parcel of business. 

The average cost of a data breach in the US is $8.64 million.

However, it’s also down to public perceptions of cybercrime. Many of the most high-profile cyberattacks have been on large American companies such as Twitter, Microsoft and Marriott, meaning cybercrime is given loud and regular media coverage. This makes the threat appear much more immediate than elsewhere.

What can the UK learn from the US?

Before we delve into what the UK can learn, it’s important to note that the US market has its limitations. As recently as 2017, 75% of SMEs in the US didn’t have cyber insurance, meaning adoption hasn’t always been as widespread as figures suggest. And there’s still some mistrust of the industry. For evidence, look no further than US pharma giant Merck, which found itself at the centre of a media storm after being denied a payout following a breach.

But for the time being, at least, the US remains ahead of the UK market. So what can we learn? 

Close the expectation gap

First, UK insurers need to close the expectation gap between service and consumer within the industry. Many small businesses view themselves as not ‘valuable enough’ to be attacked. And insurers need to do more to convince SMEs that they’re being threatened because they’re ‘vulnerable rather than valuable’. 

Update the industry model 

One of the biggest barriers to greater adoption of cyber insurance is the perception among SMEs that it’s expensive. 

The current cyber insurance model was created in the early 2000s, aimed at multinationals and large tech firms on the west coast of America. The world has changed a lot since then. In an age where even the smallest businesses are online, a new approach is needed. Insurance professionals need a better understanding of the financial limitations of their market and a pricing structure to suit.

Make it easier to address cybersecurity concerns 

Perhaps the greatest difference between the US and the UK market is how proactive US insurers are. In the UK, we tend to focus on educating businesses on the importance of cybersecurity rather than helping them to get cyber secure.

Cybersecurity can be confusing and for a small business owner, the prospect of going it alone can be daunting. So more needs to be done to guide businesses along the path to better cyber hygiene. For example, recommending all clients get Cyber Essentials certified is a great start. 

What does the future hold? 

Although the UK is currently behind the US, things are unlikely to stay that way for long. The US market is slowing. Meanwhile, many insurance brokers in the City of London are targeting cyber insurance as a key area for growth post-covid. 

So are we about to enter a future where cyber insurance becomes as commonplace as business or contents insurance? That depends on insurers adapting the current, dated model in favour of an approach that supports SMEs. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cyber hygiene.


Why supply chains pose the greatest cybersecurity risk to your business


What do you think of when you imagine a typical cyberattack?

If you’re like most of us, then chances are you immediately thought of a high-profile attack on a single organisation, say, the Twitter or Marriott breaches in 2020.

In reality, cybercriminals rarely enter through the front door. Here’s why supply chains pose the greatest risk to your cybersecurity.

What do we mean by supply chains? 

As a small business, you’re almost certainly part of a supply chain. Depending on what your company does, you could be a supplier, vendor, distributor or retailer. Your part in the supply chain isn’t the important thing. What’s important is the symbiotic relationship this gives you with other businesses in the chain.

Think of it as akin to the way different species coexist in nature. The relationship can be mutually beneficial: bees need pollen from flowers for food and energy, and flowers need bees for pollination. Or the relationship can be destructive, as the increasing number of zoonotic diseases (such as COVID-19 and SARS) passed from animals to humans proves. The same is true of the ties between businesses.

Worried about the threat posed by supply chain attacks? Check out our guide to protecting your business.

Why do supply chains pose a cybersecurity risk? 

When business leaders evaluate their cybersecurity, most know the first place to look is within their organisation – at their own people, systems and infrastructure. Unfortunately, that’s no longer enough. 

According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself. Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult.

However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it. This makes SMEs a prime target for cybercriminals with an eye on big enterprises. 

A great example of this is the recent SolarWinds attack. By breaching SolarWinds (an IT infrastructure provider), cybercriminals were able to gain access to some of the world’s largest tech companies, including Microsoft, Intel and Cisco. 

How to protect your business 

So, if supply chains pose such a risk to your cybersecurity, what can you do about it? Small suppliers can’t help being targeted by cybercriminals. And large enterprises can’t control what everyone in their supply chain is doing all of the time. 

Fortunately, there are a few things you can do to reduce the risks. 

Get your cybersecurity in order

Although you can’t always control what everybody else in your supply chain is doing, good cyber hygiene begins at home. This means that your priority should be ensuring your own cybersecurity is up to scratch.

A great place to start is by getting Cyber Essentials certified. The government-backed certification scheme assesses your business against five key cybersecurity controls:

  • Is your internet connection secure?
  • Are the most secure settings switched on for every company device?
  • Do you have full control over who is accessing your data and services?
  • Do you have adequate protection against viruses and malware?
  • Are devices and software updated with the latest versions? 

By ensuring these criteria are in place, you can protect your organisation against 98.5% of cybersecurity threats – including most of those that are likely to come through your supply chain. 

But don’t stop at certification. Consider using encryption and two-factor authentication on all company devices, and implement a strong password policy and enforce it.

Alongside this, put in place an easy-to-understand cybersecurity policy and make sure everyone within your business has access to it. More often than not, supply chain breaches come from staff acting in good faith. If your people don’t know which behaviours are harmful or how to spot a threat, then your business will always have a chink in its armour. Education really is the key. 

Talk to your supplier and partners 

The greatest defence against supply chain attacks is trust between partners. So talk to your suppliers and partners about their cybersecurity practices and share experiences and advice.

This may sound like something from a business self-help book, but poor communication or reluctance to admit a breach has happened can often turn a minor attack into a disaster. By fostering trust and a willingness to communicate across the supply chain, you’re effectively creating an early-warning system for your business. This can be vital in halting or at least containing the breach.

Aim to work with businesses that are Cyber Essentials certified 

Of course, building trust in any context takes time. And time isn’t always something you have when working with new partners or suppliers. So, an alternative is to insist on a minimum security standard for any business you work with. 

Cyber Essentials certification is tailor-made for this. By choosing to work only with businesses that display the Cyber Essentials logo, you ensure everyone you rely on is working to the same security standards, minimising the likelihood of a breach. How you approach this is up to you. Some businesses include it as a standard contractual clause, while others have more informal agreements in place. What matters is the assurance that your partners and suppliers take their cybersecurity responsibilities as seriously as you do. 


5 easy cybersecurity New Year’s resolutions for 2021


According to research from popular exercise app Strava, the second Friday of January is “quitters’ day”– the day when people are most likely to give up on New Year’s resolutions. 

It’s the day when all those promises made in good faith back in December go up in smoke. Running shoes across the land are hurled to the back of the nearest cupboard, never to see the light of day again. Gym memberships are forgotten about. And new hobbies fall by the wayside.

The biggest problem with most New Year’s resolutions is their difficulty. Sure, the long-term gains might be amazing, but what about the months of pain and effort to get there?


But not all resolutions have to be difficult or doomed to failure. Take, for example, our list of easy cybersecurity New Year’s resolutions. 

Unlike attempting a couch to 5k or taking up a new hobby, they don’t require hours of your time to see results. Nor do you need to go out and buy expensive new tools or overhaul existing processes. All it takes is a few tweaks here and there to get your business’s cybersecurity fighting fit for the year ahead.

And the best part? Once you’re in the habit, you’re unlikely to break them. 

1. Start patching and updating software regularly 

We bang the patching drum a lot at CyberSmart. Regular readers of our blog will have noticed we mention it at every possible opportunity. But, as repetitive as it might be, there’s a very good reason behind our love affair with patching.

Regularly updating your software and operating systems is the easiest, most time-efficient way to improve your cybersecurity. Even the best software becomes outdated or develops gaps and, when it does, cybercriminals suddenly have an easy route into your business.

Fortunately, avoiding the worst is incredibly easy and it shouldn’t take you more than a couple of minutes each month. All it requires is that you check every now and then for any new updates to tools and software you use. Or, if you want an even easier solution, simply turn on auto-updates in your device’s settings, and you won’t even have to think about it.

To learn more about patching, check out our recent blog on the subject. 

2. Create a password policy

Of all the resolutions on this list, creating a secure password policy is by far the simplest. Most of us know the importance of strong passwords, but that doesn’t stop us using the same easily-guessable phrase we’ve been using since 2001 for everything. We’re only human after all. 

The problem is this poses a huge security risk. It only takes a cybercriminal to crack one insecure password in your business for disaster to strike. But the good news is fixing it is simple.

Set up a password policy and ensure everyone in the business follows it. Often, it doesn’t take much more than a well-worded email and a few friendly nudges to get everyone on board.

What should go in the policy? Well, a strong password policy should have four key points:

  • Use complex passwords that are a combination of letters, numbers and symbols. In-built browser tools like Google Chrome’s password generator are great for this.
  • Change passwords regularly.
  • Set up different passwords for different accounts, tools and software. If you struggle to remember them, consider using a secure password manager tool like LastPass or 1Password.
  • Use two-factor authentication (2FA) wherever possible.

3. Use encryption 

Encryption is one of those technologies that everyone has a vague notion they should be using. However, many of us are put off by the misconception that it’s difficult to set up or hard to understand if you’re not a techy type.

In reality, this couldn’t be further from the truth. You probably already use encryption a lot in your daily life; you just don’t know it. Ever sent a message using WhatsApp? That’s encryption. Bought something from a web store? Encryption.

We won’t go into exactly how it works (if you’d like to know more we have a whole blog on the subject) but, essentially, encryption randomises data so that only an authorised recipient with a key can see it. 

Due to the complexity of the randomisation process, encryption is near impossible to break, so it offers a level of security passwords alone can’t match. Better still, once you’ve set it up and are used to using it, it’s unlikely you’ll ever have to think about it again.

4. Make cybersecurity part of this year’s budget

Attacks on SMEs now account for 58% of all cybercrime. What’s more, small businesses’ ability to absorb an attack is limited. Research from insurance and risk consultancy firm Gallagher found that over 50,000 UK SMEs would collapse if hit by a cyberattack.

Given the risks, you would expect cybersecurity to be top of most businesses’ budgeting lists. However, that’s often not the case. It’s not hard to see why; if you’re an SME performing financial wizardry each year just to keep things ticking over, cybersecurity can feel like a ‘nice to have’ rather than a priority. It’s this that leads to many smaller businesses making do with anti-virus and little else.

Unfortunately, firms who do this are playing Russian roulette without being conscious of it. Sooner or later, an enterprising cybercriminal will take advantage of weak defences, no matter how small your business. It’s a simple thing, but make 2021 the year cybersecurity features in your annual budget.

5. Get Cyber Essentials certified 

If you’ve heard of Cyber Essentials, you’re likely questioning this suggestion. Isn’t Cyber Essentials certification a long, drawn-out process that takes weeks to complete? It’s hardly fitting for a list of ‘easy’ resolutions.

Well, the truth is that getting Cyber Essentials certified can be like that. However, it doesn’t have to be. At CyberSmart we offer a Cyber Essentials certification process that can take as little as 24 hours, with no need for constant back and forth. We’ll tell you whether you’re going to pass before you submit and help you address any problems, so you only need to do it once.

Getting Cyber Essentials certified is a requirement for many government tenders and can protect your business from 98.5% of cybersecurity threats. But the benefits don’t end there. It’s also a great indicator of your business’s commitment to security, marking you out as trustworthy and safe to potential partners and customers.

So concludes our 2021 cybersecurity New Year’s resolutions. Although we’d recommend doing everything we’ve suggested, even adopting just one will noticeably improve your business’s cybersecurity. So why not kick the year off with a resolution you’ll keep? 



What is cyberpsychology?

Technology has shaped our lives in ways we could never have imagined before. And it’s become especially visible now that many of us have made the shift to working remotely. Technological developments have provided us with many opportunities, from new forms of communication to the ability to access and share resources from anywhere on the planet.

Sadly, that’s not the whole story.

Technology also provides cybercriminals with endless new methods for exploitation. It’s no longer enough to manage the struggles of our offline lives. There’s also the added pressure of maintaining our digital selves and online behaviour. 

But why do so many of us behave differently online and take risks that we wouldn’t in our everyday lives? It’s exactly these questions that cyberpsychology seeks to answer. 

What is cyberpsychology?

Cyberpsychology is a relatively young branch of psychology. It got its start back in the 1990s, but it really began to gain relevance during the 2000s with the rise of social media. The explosion in online communication made it suddenly very important to understand online behaviours.

Cyberpsychology looks at how we behave in cyberspace, how we interact with and through different devices, as well as how our offline behaviours have been affected by the use of technology and the internet. 

Experts have been warning about the perils of social media for some time. But, for most of us, the recent Netflix documentary “The Social Dilemma” has been a wake-up call in understanding how specific sites, apps and design functionality in cyberspace can be used to target our weaknesses.

Beyond the obvious problems with manipulative design, technology and the internet are also affecting us in a subtler way. With the advent of the internet of things (IoT), our daily lives are carried with us wherever we go. This mobility comes with advantages; constant connectivity and near-endless information at our fingertips. However, it can also lead to us feeling overwhelmed, saturated with information and obligated to constantly ‘keep up’ with whatever is happening in the news cycle or on social media. 

For many of us, cyberspace is not as tangible as physical space. In the ‘real’ world we can clearly identify hazards and avoid them. Online, this becomes trickier. This can lead us to have an imaginary sense of security, despite the countless risks we are exposed to online daily. But, being aware of the psychology behind our actions can help us better manage our digital existence and approach it more mindfully. 

What are the psychological features of technology?

Recordability

One of the key features to watch out for in cyberspace is ‘recordability’. Everything we do online, from the content we share publicly or not so publicly to private conversations and our location, is documented and recorded. Our digital experiences can be analysed, revisited and even re-experienced. This can have many positive effects, but can also backfire and be used against us if it’s accessed by someone with malicious intent. So it’s important to always consider not only what we are sharing, but who might have the access to our digital traces. 

Flexible identity

Another feature of online life is the ability to manage our impressions and identity. The lack of physical characteristics in communication, such as appearance, body language and emotional expressions can be a limitation to understanding each other. But they can also give us the flexibility to tailor our digital selves to different audiences. 

However, the same flexibility can also be used for misleading, malicious and even criminal behaviour, such as identity fraud or phishing scams. In combination with records of your digital activities, an offender could use available personal information to build a closer and seemingly more trustworthy relationship with you.

The disinhibition effect

The last key cyberpsychology theory for analysing our behaviour is the disinhibition effect. It explains how the ways we act change in digital environments. In short, we’re less inhibited and composed and more open and confident. So much so, that researchers often compare this effect to being drunk. 

This might sound like a good thing; a society-wide ‘coming out of our shells’. However, it has a darker side. Many of us have poorer judgement online and are more prone to making bad decisions.

For example, we are more open to sharing our whereabouts or discussing intimate and private details. This is influenced by a sense that we are invisible and anonymous online, and by a belief that offline interactions are ‘real’ while online ones are ‘not real, or less real’. This often leads us to behave more irresponsibly online and to fail to consider the consequences of our actions.

Why is cyberpsychology important?

It’s clear that the internet and technology have given us greater freedom, convenience and connectivity. But, at the same time, it’s important to be cautious of their possible negative effects. By better understanding our psychological weaknesses as humans interacting with technology, we can become more aware, responsible and secure online.


GDPR post-Brexit – an update


Late last year, we published a guide to everything you need to know about GDPR after Brexit. A few things have changed since then, not least, the UK finally agreeing on a deal on 24th December 2020. So, with the terms of the UK’s exit decided, do we know anything more about what GDPR looks like post-Brexit?

What’s happened since a deal was agreed?

You may remember from our previous piece that the UK was awaiting an ‘adequacy’ decision from the European Commission (EC). In simple terms, the EC must decide whether the UK has adequate data protection measures in place for EU countries to work with it.

In the time-honoured fashion of all negotiations between Britain and EU organisations, we’re still waiting on that decision. However, as a temporary fix, the two sides have set out the ‘Trade and Cooperation Agreement’, which contains a provision for data flows. 

What does this mean for GDPR? 

The ‘Trade and Cooperation Agreement’ contains a provision allowing data flows between the EU and UK to continue as they were pre-Brexit for a maximum of six months. In other words, data can still be transferred in the way it was pre-January 2021 until June this year.

There are two ways this ‘bridging period’ could come to an end. The first is that the UK makes changes to data protection law during the period. If this happens, the UK would be outside the terms of the agreement and data transfers would immediately stop.

The second is that the EC makes a decision on the UK’s adequacy status. If this hasn’t happened by 1st April then the period will be extended to its full six-month maximum. 

Still with us? It’s also important to note that the UK has already deemed the EU’s data protection as adequate, meaning data is free to flow in the other direction too. GDPR has now been made part of UK law and renamed the ‘UK GDPR’. And, the Trade and Cooperation Agreement includes a commitment that the UK and EU will continue to cooperate on digital trade in future. 

What does your business need to do? 

If it’s business as usual until April, does your business need to do anything to ensure compliance with GDPR?

Unfortunately, the answer is yes. While data flows can continue as they are, for now, predicting the future is tricky. Some commentators are cautiously optimistic about the likelihood of a favourable adequacy decision for the UK. However, many others cite the long-standing differences in surveillance practices between the EU and UK as a potential blocker to any positive outcome.

This means that the smart thing to do, for businesses of any size, is to put in place alternative arrangements. The Information Commissioner’s Office (ICO) has already issued a statement urging businesses that depend on data received from EU/EEA countries to do exactly that.

In practice, this means setting out binding corporate rules (BCRs) or standard contractual clauses (SCCs) on data protection with any EU organisation you exchange information with. This is essentially a commitment, as an individual organisation, to comply with EU data rules in the event that something changes at the state level.

You can find more advice on the ICO’s Brexit hub and we’ll keep bringing you further updates as we get them. 
