How to reduce the cost of cybersecurity responsibly


With the economy taking a turn for the worse, you may be looking for ways to cut your business spending. However, when it comes to cybersecurity, you can’t afford to be complacent – cutting back on this could cost you more in the long run if you lay yourself open to cyberattacks. So, here we look at how you can reduce the cost of cybersecurity responsibly and stay safe online.

Risks are rising

When you consider the potential impact a cyberattack could have on your business, you want to be sure you’re protected as securely as possible. According to a study by TrendMicro, 60% of small businesses close within six months of a cyberattack. And, even if your organisation survives an attack, the cost of cybercrime can be crushing, as a study by Cisco found that 40% of small businesses hit by a severe cyberattack experienced at least eight hours of downtime.

You can’t afford to think that it won’t happen to you. Cybercrime incidents are now commonplace. According to the UK government’s Cyber Security Breaches Survey 2022, 39% of UK businesses had identified a cyberattack in the past 12 months. And those companies that reported a material outcome, such as loss of money or data, experienced an estimated average cost of £4,200. But, where only medium and large businesses were considered, this figure rose to £19,400.

Unfortunately, experts are also predicting that with the cost-of-living crisis, cyberattacks will rise even further as cybercriminals step up their efforts. And the indications are that this is already happening. According to the 2022 State of Phishing report from SlashNext, phishing attacks increased by 61% in 2022. The Anti-phishing Working Group (APWG) also reported that there were three million phishing attacks in the third quarter of the year. This was the worst quarter it had ever seen. In addition, the percentage of users affected by targeted ransomware doubled in the first 10 months of 2022, according to Kaspersky Lab.

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

The cost of cybersecurity

As rates of cybercrime have gone up, so has the cost of cybersecurity that can protect your business from so many risks. Organisations therefore often find that their spending on cybersecurity is substantial. For example, the Pursuing Cybersecurity Maturity at Financial Institutions report by Deloitte and the Financial Services Information Sharing and Analysis Center revealed that banks, insurance companies, investment managers, and other financial services companies spend between 6% and 14% of their IT budget on cybersecurity. This is approximately 0.2% to 0.9% of company revenue.

In light of these risks, how do you cut the cost of cybersecurity for your business responsibly, without suffering severe consequences? When considering cost-cutting in this area, it’s vital that you strike a sensible balance between saving money and safeguarding your business. Thankfully, there are various measures you can take which will protect your business while keeping the cost of cybersecurity down.

Assess, prioritise and manage risks

The key to cutting the cost of cybersecurity responsibly is to assess, prioritise and manage risks. If your business has been operating for a while, the first step is to take stock of what tools are already in place. There may be some duplication, which you can remove to start making savings. You could also consolidate tools and use more automation, to improve efficiency without impacting your level of cybersecurity protection. 

It’s impossible to guarantee 100% protection from every threat, but you can focus on limiting the most likely ones. One risk it pays to address is the threat of phishing attacks. Data shows that 91% of all cyberattacks start with a phishing email, so prioritise your defences against this. Phishing is a type of social engineering attack, whereby a cybercriminal sends a message intended to trick the recipient into revealing sensitive data or downloading malware. Ensuring that your employees receive good cybersecurity awareness training will reduce the chance of such attacks succeeding. This can be a relatively low-cost cybersecurity measure and sets your staff up as a human firewall to safeguard your business.

While it’s vital to protect your business network, an in-house IT team to manage your cybersecurity can be expensive. You could instead explore the alternatives, such as deploying a comprehensive cybersecurity solution. For example, with CyberSmart Active Protect, you can protect every device in your business, around the clock, with no need for an in-house team, expensive tools, or specialist expertise. It also provides the cybersecurity staff training you need to strengthen your defences.

Step up your cyber hygiene

Another important step you can take to keep your business secure and the cost of cybersecurity down is to boost your cyber hygiene. This involves adopting rigorous, proactive procedures to protect against cyber threats, such as:

Backing up all data

Ensure all data is backed up to a secondary source, such as cloud storage, to help prevent your information from being lost in a security breach. This may sound obvious, but it’s often overlooked.

Using good password management

Use unique, complex, and regularly updated passwords. You could also consider using a password manager app to generate new ones each time and store them safely.

Updating your software

Regularly review and update all your software to ensure you’ve got the latest protection against security threats.

Limiting access

Only give login details to employees for the systems they really need access to, and limit admin-level access to those who must have it. This can help prevent any employee-related security issues.

Providing company devices

Avoid letting employees use their own devices, if possible. It gives you more control over where your data is and keeps you safe if an employee leaves your business.
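As an added example of putting this checklist into practice (this is not code from the article or from CyberSmart), the script below runs the five hygiene checks above over a small constructed device and account inventory and reports which records fall short. The thresholds (backups no older than 7 days, passwords no older than 90 days and at least 12 characters) and the table of “latest” OS versions are assumptions chosen for illustration, not figures from the article.

```python
"""Cyber-hygiene spot check over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed thresholds for illustration; adjust to your own policy.
MAX_BACKUP_AGE_DAYS = 7
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 12
TODAY = date(2023, 1, 16)  # fixed "today" so the example is deterministic

# Constructed "latest version" table; in practice take this from vendor notices.
LATEST_OS = {"ubuntu": "22.04", "windows": "11", "ios": "16"}


@dataclass
class Device:
    name: str
    owner: str
    company_owned: bool
    os_name: str
    os_version: str
    last_backup: Optional[date]


@dataclass
class Account:
    user: str
    systems: set            # systems the account can log in to
    needed_systems: set     # systems the person's role actually requires
    is_admin: bool
    admin_required: bool
    password_length: int
    password_changed: date


def check_backups(devices):
    """Backing up all data: flag devices never or too rarely backed up."""
    findings = []
    for d in devices:
        if d.last_backup is None:
            findings.append(f"{d.name}: never backed up")
        elif (TODAY - d.last_backup).days > MAX_BACKUP_AGE_DAYS:
            findings.append(f"{d.name}: last backup {(TODAY - d.last_backup).days} days ago")
    return findings


def check_passwords(accounts):
    """Good password management: flag short or stale passwords."""
    findings = []
    for a in accounts:
        if a.password_length < MIN_PASSWORD_LENGTH:
            findings.append(f"{a.user}: password shorter than {MIN_PASSWORD_LENGTH} characters")
        age = (TODAY - a.password_changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{a.user}: password last changed {age} days ago")
    return findings


def check_updates(devices):
    """Updating your software: flag devices behind the latest OS version."""
    return [f"{d.name}: {d.os_name} {d.os_version} is behind {LATEST_OS[d.os_name]}"
            for d in devices
            if d.os_name in LATEST_OS and d.os_version != LATEST_OS[d.os_name]]


def check_access(accounts):
    """Limiting access: flag logins beyond role needs and unnecessary admin rights."""
    findings = []
    for a in accounts:
        excess = sorted(a.systems - a.needed_systems)
        if excess:
            findings.append(f"{a.user}: can log in to {', '.join(excess)} beyond role needs")
        if a.is_admin and not a.admin_required:
            findings.append(f"{a.user}: admin rights not required by role")
    return findings


def check_devices(devices):
    """Providing company devices: flag personal devices holding company data."""
    return [f"{d.name}: personal device holding company data" for d in devices if not d.company_owned]


def run_audit(devices, accounts):
    """Return findings grouped by the five checklist items."""
    return {"backups": check_backups(devices), "passwords": check_passwords(accounts),
            "updates": check_updates(devices), "access": check_access(accounts),
            "company devices": check_devices(devices)}


def total_findings(report):
    return sum(len(v) for v in report.values())


# Constructed sample inventory: one well-managed user and one with several gaps.
DEVICES = [
    Device("laptop-01", "alice", True, "ubuntu", "22.04", date(2023, 1, 14)),
    Device("laptop-02", "bob", True, "windows", "10", date(2022, 12, 1)),
    Device("phone-bob", "bob", False, "ios", "16", None),
]
ACCOUNTS = [
    Account("alice", {"crm", "email"}, {"crm", "email"}, False, False, 20, date(2022, 12, 1)),
    Account("bob", {"crm", "email", "finance"}, {"email"}, True, False, 8, date(2022, 6, 1)),
]

if __name__ == "__main__":
    for area, items in run_audit(DEVICES, ACCOUNTS).items():
        print(f"{area}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Each check returns its findings as a list rather than printing them, so the same functions can feed a ticketing system or a periodic report; the constructed data yields eight findings, all attributable to the second user and their two devices.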

Free online guidance

If you run a small business and want to improve your cybersecurity without breaking the bank, check out the National Cyber Security Centre’s Small Business Guide: Cyber Security. This offers practical, affordable advice. 

It explains simple measures you can take to protect your organisation from malware, such as ensuring that your firewall is switched on. Secure internet connectivity is important, and a firewall creates a ‘buffer zone’ between your network and external networks. This is a straightforward step to take, as most popular operating systems now include a firewall.

Further free and invaluable advice, more appropriate for medium and large businesses, on how to build strong cybersecurity is also available via the National Cyber Security Centre’s 10 Steps to Cyber Security.

Cyber Essentials certification

Finally, if you want to keep the cost of cybersecurity down as responsibly as possible, you should gain Cyber Essentials certification. This is a cost-effective, UK government-backed scheme which covers everything your business needs to do to protect itself from cyberattacks. Simply by being certified, you can reduce your cyber risks by up to 98.5%.

This could also bring welcome new business your way, as it’s a great way to demonstrate to new customers that you take cybersecurity seriously. It also gives you the ability to bid for government tenders that require Cyber Essentials certification. What’s more, if you gain your certification with us, you get £25k free enhanced cyber insurance, for added peace of mind.

Cautious cost-cutting

Reducing the amount you spend on cybersecurity responsibly is possible, but should be carried out with caution. However, with the right know-how, you can keep expenditure down and ensure your business has the strong cybersecurity protection it needs.

Want to know more? Discover how to protect your business on a budget in our cost of living crisis guide.


What is a cybersecurity policy and why do you need one?


You’ve likely heard the term ‘cybersecurity policy’ before. But what is it? And why does your company need one? 

What do we mean by ‘policy’? 

A ‘policy’, in cybersecurity terms, is a set of principles that guide decisions within an organisation. These principles can inform the decisions senior management make or guide employees in their day-to-day activities. A great example of the latter is a password policy.

What is the purpose of a policy?

A well-crafted policy can help your organisation achieve its goals, such as reducing the risk of phishing attacks or achieving compliance with Cyber Essentials. Any policy worth its salt should outline what employees should or shouldn’t do, offer direction on best practices, and give guidance for decision making.

Why are policies so important? 

According to research, 90% of security breaches occur through human error. However, improving your cybersecurity isn’t about blaming employees for their all-too-human mistakes. It’s about giving your people the tools and knowledge to better protect themselves.


This is where policies come in. Policies and procedures provide a roadmap for day-to-day operations. They ensure compliance with laws and regulations, offer guidance, and even help employees make better decisions. After all, if your people don’t know which behaviours are harmful, they can’t correct them.

But clear, readily available policies have benefits beyond merely reducing the likelihood of a successful security breach. Here are just a few.

Improved efficiency 

Sometimes clear policies are all that stand between a business and organised chaos. Sure, everyone’s working, but are they all pulling in the same direction? Or adhering to company values?

When everyone is following policies and procedures, a business will generally run smoothly. Management structures and teams operate as they’re meant to while mistakes and hiccups in processes can be quickly identified and addressed. 

What’s more, when everyone understands what’s expected of them and goals are clearly defined, time and resources are managed more efficiently. And this will ultimately help you meet targets and grow. 

Better customer service 

There’s nothing more frustrating than receiving wildly different service from two separate interactions with the same organisation. It could be your utility provider, GP surgery or bank, but we’ve all experienced the irritation it causes. 

Having clear, easy-to-follow policies in place is a sure-fire way to stop your business from providing erratic customer service. When policies are followed, tasks are performed correctly and every customer receives the same high level of service – enhancing your business’s reputation to boot. 

A safer workplace 

Workplace accidents and incidents are far less likely to happen if everyone’s working to the same standards and principles. This not only reduces liability risk for your business but also cuts downtime and disruption. And, even if the worst does happen, you’ll weather it much better with a clear procedure on how to deal with it. 

How can CyberSmart help? 

We’ve discussed why policies are important but now comes the tricky bit. How do you ensure that everyone in your business has access to the policies they need to work safely? And, more important still, how do you make sure they read them?

CyberSmart Policy Manager allows you to digitally upload and share policies straight to staff’s devices through our platform, CyberSmart Active Protect. Policies can easily be uploaded through the CyberSmart Dashboard and made available to your users instantly. 

What’s more, you can be sure your employees read them. Our Dashboard provides you with a digital audit trail of when policies have been read and agreed upon. 

But what if you’re unsure of where to start when creating a new policy? Well, we’ve got you covered there too. We’ve put together a handy set of templates to help you get started. These are free to download from your CyberSmart Dashboard and easily modified to suit your business. Our policy templates include: 

  •  Data Classification policy 
  •  Cyber Essentials policy 
  •  Data Protection policy 
  •  IT Access policy 
  •  Security Awareness and Training Guidelines policy 
  •  Work From Home Covid-19 policy

We also offer a GDPR policy pack as part of our IASME and GDPR certification.

And that’s all there is to know about policies. They’re a simple tool, but one that provides an important first line of defence for your business against cyber threats. Hopefully, this blog has armed you with all the knowledge you need, but if you have any questions please get in touch; our team are always happy to help.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Case study: Helping a healthcare business build trust


Cyber Essentials certification is becoming ever-more important to the healthcare industry, particularly for those firms looking to work with the NHS. 

So we sat down with Kim-Lisa Gad, Governance, Risk and Compliance Manager at Vula Mobile to discuss how CyberSmart has helped the business complete Cyber Essentials Plus certification.

Vula is a medical referral app and online platform that makes it easy for primary healthcare workers to get advice from and refer patients to specialists.

CyberSmart: What security challenges have you faced as a business? 

Kim: Like many businesses – even those with good physical, technical and administrative security measures in place – it’s often a challenge to reassure customers and partners that their data is protected and our organisation is secure.

The Cyber Essentials Plus certification has allowed us to demonstrate to customers and partners that we take security seriously. And, that we’re continually improving and verifying that our security processes are effective and well managed. 

CyberSmart: What prompted you to get Cyber Essentials Plus certification?

Kim: Initially, we were required to get Cyber Essentials Plus to apply for a business tender. However, since then, Cyber Essentials Plus has helped us obtain and move forward with other contracts. Being able to demonstrate our security measures to current and potential customers has proved invaluable. 


CyberSmart: How easy was the process from initial enquiry to certification?

Kim: The process was exceptionally quick and seamless, from our initial contact with James (Direct Sales Manager at CyberSmart) to our audit with Glen (CyberSmart’s Head of Cyber Audit) and obtaining our certification. 

The team at CyberSmart were always on hand with information and advice, making the whole process much less stressful. It was also wonderful that they were able to do everything remotely as we are based in South Africa. 

CyberSmart: How long did the process take? 

Kim: The initial questionnaire for Cyber Essentials took around a week to complete. We had our first response back requesting more information on three questions within a day of completing it. I provided the information the same day and we were granted certification later that afternoon. 

We then started Cyber Essentials Plus certification two weeks later, preparing ourselves for the online audit. The audit took around three hours; Glen was exceptional in helping us prepare and very thorough in his assessment. We received our Cyber Essentials certification the same day as the audit which was a very efficient turnaround. 

CyberSmart: How has Cyber Essentials Plus helped your business?

Kim: It’s proved an invaluable way of proving to customers, partners and prospects that our security is effective and follows best practices. Certification has also made the process of submitting tenders and business documentation much easier. The certification itself answers many of the questions we’re asked in potential business agreements. 


CyberSmart: Have you noticed any change in your relationship with customers, suppliers, or prospects since getting certified?

Kim: Our customers, partners and prospects have really appreciated the additional assurance that certification provides. What’s more, their trust in how we manage our business and the services we provide has also increased. 

We find once we’ve submitted our Cyber Essentials Plus certificate to other businesses, they’re generally satisfied and don’t require any further proof of our commitment to security. The certificate provides all the proof they need. 

CyberSmart: Would you recommend Cyber Essentials Plus to other businesses like yours?

Kim: Most definitely. The Cyber Essentials Plus certification offered through CyberSmart is an absolute necessity for any business that wants to validate its security commitments. And, it’s a great way to assure customers and business partners that your organisation is secure.

Finally, it’s also a very methodical approach to ensuring your security measures are well-thought-out, executed properly, and mitigate cybersecurity risks. 

Considering Cyber Essentials Plus for your business? Click here to find out why CyberSmart is the UK’s leading provider of Cyber Essentials certification.


What can the UK learn from the US cyber insurance market?


Why is the US streets ahead of the UK when it comes to businesses adopting cyber insurance? And what can we learn from our American cousins? 

Why is cyber insurance important? 

To illustrate why cyber insurance is important, let’s compare it to a business insurance policy. It’s widely accepted that any organisation operating without business insurance is at best foolhardy and at worst crazy. There are so many potential things that could go wrong. 

You could be the victim of fraud, a workplace accident could lead to legal action against you, or an electrical fire could turn your hardware into a husk of melted plastic. The possibilities are endless and any one of them could seriously damage or even end your business.

It’s vital for your business’s health (and a good night’s sleep) to know you’re covered should the worst happen. 

The same is true of cyber insurance. We’re unused to thinking of it in the same way as business cover, but cyber insurance is becoming increasingly necessary. Up to 88% of UK companies have suffered breaches in the last 12 months, according to Carbon Black. Meanwhile, Hiscox reports that a UK SME is successfully hacked every 19 seconds. 


All this means that UK SMEs are experiencing double the number of cyber risks that they did in 2018, with the average cost of a breach also quadrupling. There’s a clear case for widespread cyber insurance adoption, so how are UK businesses doing?

What does the cyber insurance market look like in the UK?

Given the risks we’ve just outlined, you might think that British businesses are clamouring for cyber cover. But, unfortunately, cyber insurance adoption is relatively low in the UK. 

There are a couple of reasons for this. The first is a simple case of awareness. As we mentioned earlier, getting business insurance is considered common sense by most organisations. However, awareness of the need for cyber insurance lags some way behind. We simply aren’t used to considering it as an everyday business cost. After all, if you’re lucky enough to have never been successfully attacked, why would you?

The second reason is the cost. A Deloitte survey, looking at 504 middle-market commercial insurance buyers, found that 41% of businesses claimed insurance costs were too high. And 33% of organisations reported ‘dissatisfaction with the service’.


However, it’s not all bad news. 41% of businesses still purchased cyber insurance after conducting a risk assessment. What’s more, a further 41% were prompted to buy a standalone insurance product by attacks on other industries.

Why is the US ahead?

There’s an old adage that ‘everything’s bigger in America’. It’s usually said sarcastically by embittered Europeans, but when it comes to cyber insurance it’s true.  

Despite net premiums being low for an insurance market ($1.94b in 2018), the US market is growing fast. 40% of US businesses purchased cyber coverage in 2018, with a further 40% buying for the first time in 2019. During the same period, the average US cyber claim size shot up to around $181k for an SME and over $5.5m for a large business. 

So why is the US market more advanced than what we’re currently seeing in the UK?

It’s partly because the US is at the forefront of the fight against cybercrime. The US currently leads the world in data breaches with an average breach cost of $8.64 million and is the second most attacked country on earth after Germany. So for companies based in the US, cyber threats are seen as part and parcel of business. 


However, it’s also down to public perceptions of cybercrime. Many of the most high-profile cyberattacks have been on large American companies such as Twitter, Microsoft and Marriott, meaning cybercrime is given loud and regular media coverage. This makes the threat appear much more immediate than elsewhere.

What can the UK learn from the US?

Before we delve into what the UK can learn, it’s important to note that the US market has its limitations. As recently as 2017, 75% of SMEs in the US didn’t have cyber insurance, meaning adoption hasn’t always been as widespread as figures suggest. And there’s still some mistrust of the industry. For evidence, look no further than US pharma giant Merck, which found itself at the centre of a media storm after being denied a payout following a breach.

But for the time being, at least, the US remains ahead of the UK market. So what can we learn? 

Close the expectation gap

First, UK insurers need to close the expectation gap between service and consumer within the industry. Many small businesses view themselves as not ‘valuable enough’ to be attacked. And insurers need to do more to convince SMEs that they’re being threatened because they’re ‘vulnerable rather than valuable’. 

Update the industry model 

One of the biggest barriers to greater adoption of cyber insurance is the perception among SMEs that it’s expensive. 

The current cyber insurance model was created in the early 2000s, aimed at multinationals and large tech firms on the west coast of America. The world has changed a lot since then. In an age where even the smallest businesses are online, a new approach is needed. Insurance professionals need a better understanding of the financial limitations of their market and a pricing structure to suit.

Make it easier to address cybersecurity concerns 

Perhaps the greatest difference between the US and the UK market is how proactive US insurers are. In the UK, we tend to focus on educating businesses on the importance of cybersecurity rather than helping them to get cyber secure.

Cybersecurity can be confusing and for a small business owner, the prospect of going it alone can be daunting. So more needs to be done to guide businesses along the path to better cyber hygiene. For example, recommending all clients get Cyber Essentials certified is a great start. 

What does the future hold? 

Although the UK is currently behind the US, things are unlikely to stay that way for long. The US market is slowing. Meanwhile, many insurance brokers in the City of London are targeting cyber insurance as a key area for growth post-covid. 

So are we about to enter a future where cyber insurance becomes as commonplace as business or contents insurance? That depends on insurers adapting the current, dated model in favour of an approach that supports SMEs. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cyber hygiene.


Why supply chains pose the greatest cybersecurity risk to your business


What do you think of when you imagine a typical cyberattack?

If you’re like most of us, then chances are you immediately thought of a high-profile attack on a single organisation, say, the Twitter or Marriott breaches in 2020.

In reality, cybercriminals rarely enter through the front door. Here’s why supply chains pose the greatest risk to your cybersecurity.

What do we mean by supply chains? 

As a small business, you’re almost certainly part of a supply chain. Depending on what your company does, you could be a supplier, vendor, distributor or retailer. Your part in the supply chain isn’t the important thing. What’s important is the symbiotic relationship this gives you with other businesses in the chain.

Think of it as akin to the way different species exist in nature. This relationship can be mutually beneficial; bees need the pollen from flowers for food and energy, and flowers need bees for pollination. Or, the relationship can be destructive, as the increasing number of zoonotic diseases (such as COVID-19 and SARS) passed from animals to humans proves. The same is true of the ties between businesses.

Worried about the threat posed by supply chain attacks? Check out our guide to protecting your business.

Why do supply chains pose a cybersecurity risk? 

When business leaders evaluate their cybersecurity, most know the first place to look is within their organisation – at their own people, systems and infrastructure. Unfortunately, that’s no longer enough. 

According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself. Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult.

However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it. This makes SMEs a prime target for cybercriminals with an eye on big enterprises. 

A great example of this is the recent SolarWinds attack. By breaching SolarWinds (an IT infrastructure provider), cybercriminals were able to gain access to some of the world’s largest tech companies, including Microsoft, Intel and Cisco. 

How to protect your business 

So, if supply chains pose such a risk to your cybersecurity, what can you do about it? Small suppliers can’t help being targeted by cybercriminals. And large enterprises can’t control what everyone in their supply chain is doing all of the time. 

Fortunately, there are a few things you can do to reduce the risks. 

Get your cybersecurity in order

Although you can’t always control what everybody else in your supply chain is doing, good cyber hygiene begins at home. This means that your priority should be ensuring your own cybersecurity is up to scratch.

A great place to start is by getting Cyber Essentials certified. The government-backed certification scheme assesses your business against five key cybersecurity controls:

  • Is your internet connection secure?
  • Are the most secure settings switched on for every company device?
  • Do you have full control over who is accessing your data and services?
  • Do you have adequate protection against viruses and malware?
  • Are devices and software updated with the latest versions? 

By ensuring these criteria are in place, you can protect your organisation against 98.5% of cybersecurity threats – including most of those that are likely to come through your supply chain. 

But don’t stop at certification. Consider using encryption and two-factor authentication on all company devices, and implement and enforce a strong password policy.

Alongside this, put in place an easy-to-understand cybersecurity policy and make sure everyone within your business has access to it. More often than not, supply chain breaches come from staff acting in good faith. If your people don’t know which behaviours are harmful or how to spot a threat, then your business will always have a chink in its armour. Education really is the key. 

Talk to your suppliers and partners

The greatest defence against supply chain attacks is trust between partners. So talk to your suppliers and partners about their cybersecurity practices and share experiences and advice.

This may sound like something from a business self-help book, but poor communication or reluctance to admit a breach has happened can often turn a minor attack into a disaster. By fostering trust and a willingness to communicate across the supply chain, you’re effectively creating an early-warning system for your business. This can be vital in halting or at least containing the breach.

Aim to work with businesses that are Cyber Essentials certified 

Of course, building trust in any context takes time. And time isn’t always something you have when working with new partners or suppliers. So, an alternative is to insist on a minimum security standard for any business you work with. 

Cyber Essentials certification is tailor-made for this. By choosing to work only with businesses that display the Cyber Essentials logo, you ensure everyone you rely on is working to the same security standards, minimising the likelihood of a breach. How you approach this is up to you. Some businesses include it as a standard contractual clause, while others have more informal agreements in place. What matters is the assurance that your partners and suppliers take their cybersecurity responsibilities as seriously as you do. 


How to keep your business (and people) safe this Black Friday


Black Friday is nearly upon us. Cue endless headlines about e-commerce retailers recording their ‘best day ever’ (since last year) and photographs of monstrous queues outside department stores.

In amongst the frenzy of articles titled things like ‘10 of the best deals on electricals this Black Friday’, you’re also bound to find a few on safety: how to stay physically safe during the hustle and bustle, or how-tos for shopping securely online.

However, what you won’t find is much guidance for small businesses. Black Friday brings with it a heightened risk of cyberattack, particularly in an environment when many SMEs are working remotely. So, to help you get your business through this year unscathed, we’ve put together a brief overview of the risks and some suggestions on how to avoid them. 

What cybersecurity risks does Black Friday present? 

Black Friday is a veritable all-you-can-eat buffet for cybercriminals. Millions of online shoppers, in a rush to grab that must-have deal, mean widespread carelessness on a scale that simply doesn’t happen any other day of the year – with the exception of China’s Singles’ Day.

Hackers look to exploit consumers temporarily taking leave of their better instincts in a number of ways. Let’s take a look at some of them.

Phishing scams 

Phishing scams are a year-round problem. We’ve all had a fake email from a major retailer that’s almost a carbon copy of the real thing but for the slightly misaligned logo, weird syntax or font that just doesn’t look quite right. The more reliable tells are the ones that are harder to fake: the sender’s address and the destinations of the links belong to a domain that merely resembles the retailer’s.

However, during a major retail event like Black Friday, the chances of a successful scam go up. If you’re desperately trying to get a killer deal on a new TV and an email comes through telling you that your billing information needs updating, you’re much less likely to spot a fake.

You’re probably in a bit of a rush, never the best frame of mind for considered judgements. What’s more, if you’re already shopping, a fake email claiming to relate to what you’re doing online might not set off the alarm bells it normally would.
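To make the ‘check where the link really goes’ habit concrete, here is a small Python script, added as an illustration rather than taken from the original article, that runs the same two tests over the links in an HTML email: does the link text display one domain while the href points at another, and is the destination a lookalike of a retailer you actually deal with? The trusted-domain list, the tiny suffix list and the sample message are all constructed for the example; a real deployment would use the public suffix list and a fuller table of confusable characters.

```python
"""Flag suspicious links in an HTML e-mail: text/href mismatches and lookalike domains.
Added example; the trusted-domain list, suffix list and sample message are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"amazon.co.uk", "argos.co.uk", "currys.co.uk", "paypal.com"}  # constructed
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}  # stand-in for the PSL

def registrable_domain(host):
    """'www.amazon.co.uk' -> 'amazon.co.uk'; 'shop.example.com' -> 'example.com'."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def normalise_confusables(label):
    """Map the digit/letter swaps phishers use back to the letters they imitate."""
    for fake, real in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        label = label.replace(fake, real)
    return label

def levenshtein(a, b):
    """Edit distance; one character away from a brand name is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = normalise_confusables(domain.split(".")[0])
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # brand name after de-confusing, one typo away, or embedded as in 'amazon-billing'
        if label == brand or levenshtein(label, brand) <= 1 or brand in label.split("-"):
            return trusted
    return None

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def shown_host(text):
    # If the anchor text itself looks like a URL or bare domain, return the host it displays.
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "//" + text).hostname

def analyse_links(html):
    """One finding per link; an empty 'reasons' list means nothing looked wrong."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        domain = registrable_domain(host)
        reasons = []
        imitated = lookalike_of(domain)
        if imitated:
            reasons.append(f"lookalike of {imitated}")
        displayed = shown_host(text)
        if displayed and registrable_domain(displayed) != domain:
            reasons.append(f"text shows {displayed} but link goes to {host}")
        if parsed.scheme == "http":
            reasons.append("unencrypted http link")
        findings.append({"href": href, "text": text, "domain": domain, "reasons": reasons})
    return findings

# Constructed sample: a genuine order link, two Black Friday lures, a genuine deals link.
SAMPLE_EMAIL = """
<p>Your order could not be processed. <a href="https://www.amazon.co.uk/gp/css/order-history">View your orders</a></p>
<p>Update your billing details: <a href="http://amaz0n-billing.example/update">www.amazon.co.uk/billing</a></p>
<p><a href="https://paypa1.example/login">Confirm your PayPal account</a></p>
<p><a href="https://www.currys.co.uk/deals">Today's deals</a></p>
"""

if __name__ == "__main__":
    print(*analyse_links(SAMPLE_EMAIL), sep="\n")
```

Running it flags the second and third links (a digit-for-letter lookalike whose visible text claims to be amazon.co.uk, and a one-character typo-squat of PayPal) and passes the two genuine links. The same check belongs in a mail gateway or security-awareness tool rather than in users’ heads, which is exactly where it fails on a busy Friday.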

Old apps 

Again, this is a problem 365 days a year. But a major retail event provides the perfect cover for cybercriminals to go after known vulnerabilities in popular software and apps, for two reasons. One, technical teams’ attention tends to be focused on ensuring apps can handle the sudden surge in demand rather than on security. And two, many consumers will suddenly be using apps they haven’t opened or updated in months, so the fixes for publicly documented flaws have never been installed, giving cybercriminals an easy route in.

Is your business considering switching to remote working permanently? Don’t make a decision before reading our new guide, Cyber Safety in a New Era of Work.

Fake websites 

Much like phishing scams, Black Friday usually comes hand-in-hand with a glut of fake websites claiming to sell this year’s must-haves at bargain-basement rates. Most of these sites are simply fronts for attackers to harvest card and login details or push malware onto unsuspecting consumers. Bear in mind that the padlock in the address bar only means the connection is encrypted, not that the shop is genuine; a fake site can obtain a certificate as easily as a real one, so it is the domain itself that needs checking.

Public networks

This is unlikely to be a problem at your workplace. But you’d be surprised how often people pop to the local coffee shop for lunch and connect a company device to an open public WiFi network. And this is all the more likely on Black Friday as people check out the latest offers during their lunch hour.

The problem is that anyone else on an open network can intercept unencrypted traffic, set up a lookalike hotspot to capture logins, or probe the connected devices for exposed services such as file sharing or remote desktop. Most web traffic is now protected by TLS, so the real danger is a device with services exposed, an out-of-date system, or a user who clicks through a certificate warning. Once an attacker has a foothold on the device, they’ll be able to get to any company assets accessible from it. A company VPN, a personal hotspot or simply staying on mobile data removes most of the risk.

Weak passwords 

We’re often banging the drum about the importance of strong passwords. And although it’s vital all the time, it’s particularly so during an event like Black Friday. With so much legitimate login traffic on popular sites, it’s the perfect time for cybercriminals to run large-scale brute-force and credential-stuffing attacks (trying username and password pairs leaked from earlier breaches), because the extra failed logins are far less likely to stand out. A password reused between a shopping site and a work account is the link that turns a retail breach into a business one.
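For those who run their own login page or customer portal, here is what that spike in hostile logins looks like in the logs. This Python example is added here and is not from the original article; the log line format, the sample lines and the alert thresholds are all constructed, so adjust them to your own authentication logs and normal login volume. It separates the three patterns worth alerting on: one source guessing a few passwords against many accounts (spraying), many guesses against one account (brute force), and a success arriving straight after a burst of failures.

```python
"""Spot password spraying, brute forcing and 'success after failures' in authentication logs.
Added example; the log format, sample lines and thresholds are constructed for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO-8601 ts> login status=OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) login status=(?P<status>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(lines):
    """Parse matching lines into events sorted by time; unrelated lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "status": m["status"], "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])

def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=10, compromise_fails=3):
    """Return human-readable alerts. Thresholds are illustrative; tune them to your login volume."""
    alerts = []
    fails_by_src = defaultdict(list)   # src  -> [(ts, user)]
    fails_by_user = defaultdict(list)  # user -> [(ts, src)]
    raised = set()                     # alert once per (pattern, key), not on every further failure

    for e in events:
        cutoff = e["ts"] - window
        recent_user_fails = [s for t, s in fails_by_user[e["user"]] if t >= cutoff]
        if e["status"] == "OK":
            # A success right after a burst of failures is the sign that a guess worked.
            if len(recent_user_fails) >= compromise_fails:
                alerts.append(f"{e['user']} logged in from {e['src']} after "
                              f"{len(recent_user_fails)} failures in the last {window}")
            continue

        fails_by_src[e["src"]].append((e["ts"], e["user"]))
        fails_by_user[e["user"]].append((e["ts"], e["src"]))
        recent_user_fails.append(e["src"])

        # Spraying: one source, a few guesses each against many different accounts.
        users_hit = {u for t, u in fails_by_src[e["src"]] if t >= cutoff}
        if len(users_hit) >= spray_users and ("spray", e["src"]) not in raised:
            raised.add(("spray", e["src"]))
            alerts.append(f"password spraying from {e['src']}: {len(users_hit)} accounts in {window}")

        # Brute force: many guesses against one account, from one source or many.
        if len(recent_user_fails) >= brute_fails and ("brute", e["user"]) not in raised:
            raised.add(("brute", e["user"]))
            alerts.append(f"brute force against {e['user']}: {len(recent_user_fails)} failures "
                          f"from {len(set(recent_user_fails))} source(s)")
    return alerts

# Constructed sample: a genuine typo-then-success, a spray across six accounts,
# ten guesses at 'bob' followed by a success, and one unrelated log line.
SAMPLE_LOG = (
    ["2023-11-24T12:00:00Z login status=FAIL user=alice src=192.0.2.10",
     "2023-11-24T12:00:20Z login status=OK user=alice src=192.0.2.10"]
    + [f"2023-11-24T12:01:{i:02d}Z login status=FAIL user=user{i} src=198.51.100.7" for i in range(6)]
    + [f"2023-11-24T12:05:{i:02d}Z login status=FAIL user=bob src=203.0.113.9" for i in range(10)]
    + ["2023-11-24T12:05:30Z login status=OK user=bob src=203.0.113.9",
       "2023-11-24T12:07:00Z kernel: eth0 link up"]
)

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print("ALERT:", alert)
```

On the sample, the spray is caught at the fifth distinct account, the brute force at the tenth failure against bob, and bob’s subsequent success is flagged for follow-up; alice’s single typo produces nothing. On a real site you would feed this the web server or identity provider’s authentication log and raise the thresholds to match your peak-day volume, so that a Black Friday rush does not itself trip the alarms.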

How does this affect SMEs? 

You could be forgiven for wondering what the risks we’ve outlined have to do with your business. After all, aren’t they all related to consumers?

Unfortunately, that’s just the problem. We’re all consumers. And your business is made up of them. Whether it’s on their lunch break or in a spare 15 mins before meetings, it’s highly probable that at least some of your people are going to spend time buying or browsing this Black Friday. This could open up your business to some of the risks we’ve run through so far. 

If, like most companies, your staff are working from home, the risks are even higher. As research reported by ZDNet reveals, 52% of employees believe they can get away with riskier behaviour when working from home. This includes activities like browsing suspect websites and using public networks.

How can you protect your business? 

So what can you do about it? With Black Friday just a few days away, here are a few quick tips for keeping your business safe.

Educate your people

Risky cyber behaviour stems far more often from ignorance or carelessness than from malicious intent. So educate your people about the risks we’ve covered in this piece. It doesn’t have to be more than a quick all-company email later this week.

Ensure everyone has the right security

Check that every corporate-owned or managed device has its security controls correctly set up: firewall on, automatic updates enabled, anti-malware running and disk encryption turned on. With many people working from home, ensure the same practices you’d insist on in the office are being used everywhere.

Practice good password hygiene

All your employees should be using long, unique passwords (the NCSC suggests three random words), backed by two-factor authentication wherever it is available. Note that the NCSC no longer recommends forcing regular password changes, which tend to produce weaker, more predictable passwords; instead, block the most common passwords and require a change only when you suspect a password has been compromised. So, set up a password policy with these requirements and ensure everyone follows it.
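As an added illustration (not from the original article) of what such a policy looks like when enforced in code, the Python below checks a proposed password against a minimum length, a deny list of common and company-specific words, the username, and breach data, with no complexity or expiry rules. The minimum length, the deny list, the company words and the embedded breach records are all constructed for the example. The breach check follows the k-anonymity pattern used by Have I Been Pwned’s Pwned Passwords range API: only the first five hex characters of the password’s SHA-1 are sent, the full hash never leaves the machine, and fetch_range is written so a real HTTP call to https://api.pwnedpasswords.com/range/<prefix> can be swapped in.

```python
"""Check a proposed password against a policy built on length, a deny list and breach data
(not complexity rules or routine expiry). Added example; thresholds and data are constructed."""
import hashlib

MIN_LENGTH = 12
# A real deny list holds thousands of entries; this one is constructed for the example.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1", "blackfriday2023"}
ORG_WORDS = {"acme", "acmeltd"}  # hypothetical company name and its variants

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Simulated breached-password corpus in the k-anonymity "range" layout: keyed by the first
# five hex characters of the SHA-1, each value a list of "<remaining 35 hex>:<count>" lines.
BREACH_RANGES = {}
for _pw, _count in (("P@ssw0rd", 98765), ("Summer2023!", 4123)):
    _h = sha1_hex(_pw)
    BREACH_RANGES.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")

def breach_count(password, fetch_range=lambda prefix: BREACH_RANGES.get(prefix, [])):
    """How many times the password appears in breach data. Only the 5-character hash prefix
    leaves the client; the suffix is compared locally. Swap fetch_range for a real range-API call."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix):
        found, count = line.strip().split(":")
        if found == suffix:
            return int(count)
    return 0

def check_password(password, username=""):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password deny list")
    if any(word in lowered for word in ORG_WORDS):
        reasons.append("contains the company name")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    seen = breach_count(password)
    if seen:
        reasons.append(f"appears {seen} times in known breaches")
    return reasons

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "BlackFriday2023", "acmeLtd-warehouse-7",
                      "dave-likes-coffee-2023", "correct horse battery staple"):
        problems = check_password(candidate, username="dave")
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

The point of the design is that every rule targets what attackers actually try (short strings, the top few thousand passwords, the company name, the user’s own name, anything already in a breach dump) rather than demanding symbols and quarterly changes that push people towards Password1!, Password2! and a sticky note.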

Run the latest versions of all software

Ensure everyone is regularly installing updates and patches for the software on their devices, and turn on automatic updates wherever the software offers them. You can read more about the importance of patching and updates here.

Encourage staff to shop on personal devices

It might not sound like much, but limiting the number of sites your people visit using company devices can minimise the risk of attack. So by all means let your employees shop ‘til they drop, but keep it to personal devices. 

Secure your network gateways

It’s easy to forget about WiFi itself when thinking about cybersecurity, but it’s a crucial part of good cyber hygiene. Changing the default administrator password and WiFi passphrase on home routers, installing router firmware updates and switching off remote administration from the internet can help reduce the likelihood of staff being attacked and, in turn, reduce the risk of a breach for your business.

‘Black Friday’ always sounds a bit like an economic disaster or tragedy. And, in cybersecurity terms, it certainly has the potential to cause problems. However, by following the guidance we’ve provided, you should greatly improve the odds of this year passing without a hitch.

Want to know more about how to reduce the risks involved with remote working? Then download our new guide, Cyber Safety in a New Era of Work.


What is cyber hygiene?

Cyber hygiene

If you’ve been considering improving your cybersecurity lately, chances are you’ve come across the phrase ‘cyber hygiene’. And you’re probably also wondering what it means. Cyber hygiene is one of those slippery phrases that seems to change meaning depending on who’s using it.

So, in the interests of clearing up some confusion, here’s our guide to cyber hygiene. What it is. Why it’s important. And, what it looks like in practice. 

A definition of cyber hygiene 

Simply put, cyber hygiene is the set of steps and practices every organisation should take to ensure good digital health and protect itself against cyber threats. The idea behind cyber hygiene is that these practices should become part of our day-to-day routine. Think of it as a bit like your physical hygiene, say brushing your teeth twice a day, washing your hands regularly, or wearing a face mask.

Why is it important?

In the same way that if you don’t look after your teeth you’ll eventually end up with a hefty dentist’s bill, your cybersecurity needs constant maintenance to avoid a breach. 

But cyber hygiene’s importance goes beyond simple maintenance. There’s a widespread perception among SMEs that cyber-attacks are something that happens to bigger, higher-profile companies. It’s not hard to see why: after all, the news cycle is filled with tales of the latest Fortune 500 behemoth to suffer an embarrassing breach.

Unfortunately, this couldn’t be further from the truth. According to research from the Federation of Small Businesses, in the last two years alone, SMEs were subject to 10,000 cyberattacks daily. And 1 in 5 reported suffering a breach during the same period. 

What’s more, the risks are only growing with many businesses switching to remote working. A recent report from VMware reveals that 91% of businesses globally have seen an increase in cyber attacks since countries began implementing lockdown measures. On top of this, home office networks are 3.5 times more likely to be hacked than corporate ones.

Maintaining a good standard of cyber hygiene is the most cost-effective way to guard against these threats. It will not stop a determined, well-resourced attacker on its own, but it removes the easy openings that the great majority of attacks rely on.

What does good cyber hygiene look like in practice? 

We’ve tackled why cyber hygiene is important but what does achieving it actually involve? 

Good cyber hygiene is probably best divided into three broad categories: occasional check-ups, daily routines and good behaviours. Let’s take each in turn.

Occasional check-ups 

People are often surprised by how many cyber threats can be averted simply by giving your corporate devices and networks a regular health check. When software is out of date, firewalls and anti-malware aren’t switched on, or security settings aren’t configured properly, you provide cybercriminals with an easy route into your business. 

Start by checking every device in the company is running the latest version of any software you use and that its security settings are configured for protection rather than convenience: firewall on, automatic updates enabled, disk encryption turned on and unneeded services switched off. Also ensure that your network is secure and that all anti-malware and firewall tools are switched on, up-to-date and configured properly.

Daily routines 

Cyber hygiene is as much about what you do and how you do it as it is about maintenance. A great place to start is by putting in place universal practices across your organisation.

This includes steps like setting up a strong password policy, using two-factor authentication on every account that supports it (email, remote access and administrator accounts above all), and keeping work devices for work purposes.

Good behaviours

Few of us set out to put our workplace at risk with our actions online. But we’re all human. And whether it’s through misunderstanding the risks or just being a little careless, many of us do exactly that on a daily basis.

Getting everybody in your business on the same page about your cybersecurity standards is just as important as keeping your tech fighting fit. The best way to do this is to ensure your business has clear, understandable policies in place so everyone understands what they need to do (or not do). And it’s no use hiding them away in some long-forgotten corner of your server. Make sure they’re easy to find and everyone has access to them.

Three simple ways to get your cyber hygiene up to scratch 

The steps we’ve outlined so far might feel a little overwhelming. Where do you start? Surely running through all that will take forever? And what do you do if cybersecurity isn’t really your forte?

Fortunately, there are three very simple routes to improving your cyber hygiene – regardless of your budget or level of expertise. 

1. Get a Cyber Health Check

Before you start improving your organisation’s cyber hygiene, you need to know your current level. In other words, it’s time for a check-up.

Our soon-to-be-released Cyber Health Check is a simple way to assess your current level of cybersecurity. We’ll run some tests to check how you’re doing. Then, once we’re done, we’ll send you a free downloadable report to tell you what you need to improve and some recommendations for how to do it.

2. Get Cyber Essentials Certified 

Another option is to complete the UK government’s Cyber Essentials certification. The scheme covers the essential actions every business should take to ensure its digital security and protect against cyberattacks. Cyber Essentials assesses five criteria on the way to certification: 

  • Is your internet connection secure?
  • Are the most secure settings switched on for every company device?
  • Do you have full control over who is accessing your data and services?
  • Do you have adequate protection against viruses and malware?
  • Are devices and software updated with the latest versions? 

Not only does the Cyber Essentials scheme cover all of the maintenance steps we discussed earlier, research also shows it could help protect your business against 98.5% of cyber threats. And that’s not all. Many government bodies require Cyber Essentials certification from any supplier or service provider they work with. So getting certified could open up new avenues for your business.

Even if you’re not likely to work with the public sector, Cyber Essentials certification is a great way to demonstrate to customers and potential partners that you’re serious about protecting their data.

3. Use an active protection tool 

As we’ve said throughout this piece, maintenance is key to good cyber hygiene. But that doesn’t mean you have to set aside a day each month to check your defences are in order. There’s a far simpler, less time-consuming way to achieve the same thing.

CyberSmart Active Protect scans your company devices 24/7, checking for updates, firewalls and security measures. If anything’s configured incorrectly or out-of-date, Active Protect lets you know, allowing you to fix issues in a couple of clicks. And, to make sure your people stay safe, Active Protect lets you check on the individual status of their devices, and distribute company security policies across them.

Practising good cyber hygiene is a necessary part of modern business. But, as we’ve hopefully demonstrated, it doesn’t need to be time-consuming, complex or costly. So why not get started today? After all, where’s the harm in a check-up?

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


New webinar: Staying cyber secure as the UK reopens

We’ve all read the headlines about ‘unprecedented times’ and how ‘things will never be the same again’ post-COVID-19. Some of the commentary on our post-pandemic world might seem a little overblown. However, for cybersecurity at least, a lot of it rings true.

As the UK begins to reopen and offices welcome staff back, businesses have emerged from the crisis into a hybrid world. The mix of remote and office working adopted by many organisations brings with it opportunity. But it also brings new security risks (more on that here).

A recent report from VMware reveals that 91% of organisations have seen an increase in cyber attacks as a result of home working. In this environment, online protection has become more important than ever before. But how can businesses, particularly SMEs without large security budgets, become more cyber secure?

Join CyberSmart CEO and cybersecurity supremo, Jamie Akhtar and Guy Waller, Partnerships Manager at Starling Bank as they tackle the following questions in a short webinar.

  • What are the new and existing cyber-threats for businesses?
  • As businesses reopen, and staff are working both from home and the office, what new challenges does this pose?
  • What are the best ways businesses can protect themselves and stay one step ahead?

To learn more, watch the full webinar, for free, here or below.

If changes in working practices have got you thinking about improving your cybersecurity, a great place to start is with Cyber Essentials certification. It’s a simple, 24-hour certification process that could improve your protection from cyber-attacks by 99%. Get started today here.


New whitepaper: Cyber Essentials for Education

If you work in education and are applying for funding, you’ve probably heard the phrase ‘Cyber Essentials’ mentioned. Cyber Essentials is a UK government-backed scheme that sets out the basic security controls every organisation should have in place to address the fundamentals of cyber hygiene.

It’s important to education providers because Cyber Essentials certification is now part of the security requirements in Education and Skills Funding Agency (ESFA) funding agreements.

For the 2020-21 funding year, all recipients must meet the requirements for the UK’s Cyber Essentials scheme. And next year, achieving Cyber Essentials Plus certification will also be mandatory. 

However, cybersecurity and funding requirements can be confusing. So, we’ve put together a guide to help you get certified and meet the ESFA funding deadline. The guide covers everything you need to know, including:

  • What the Cyber Essentials scheme is
  • The difference between Cyber Essentials Standard and Plus certifications
  • Why cybersecurity is important to the education sector 
  • How to get certified immediately and meet the ESFA deadline
  • How to move beyond certification and keep your organisation protected

To find out more and get prepared for the ESFA deadline, download your free copy here or follow the link below.


When cyber security saves lives: examining the healthcare industry

Three years ago today, the UK’s National Health Service descended into chaos.

In one fell swoop, a fairly unsophisticated worldwide ransomware attack called WannaCry infected computers in hospitals across the country, knocking out connected medical equipment and locking up patient and hospital data for ransom. It spread by exploiting a flaw in Windows’ SMBv1 file-sharing service (MS17-010) for which Microsoft had published a patch two months earlier, so it was precisely the unpatched and end-of-life systems that fell.

Becker’s Hospital Review estimates that in the United States data breaches cost the healthcare industry approximately $5.6 billion every year. The WannaCry attack cost the UK healthcare system nearly £92m. But while it was the largest breach the NHS had ever experienced, it wouldn’t be the last.

In terms of basic cyber security, the healthcare industry lags woefully behind sectors like finance and manufacturing, which often build their infrastructure with data security in mind. This is especially troubling given how attractive healthcare breaches can be to hackers (personal health information is worth an average of 10 times more than financial information on the black market). Not to mention the dire risk to patient care when day-to-day functions are interrupted.

Here are some of the ways in which the current healthcare system is more susceptible to breach than ever and why incorporating security practices needs to be prioritised:

A complex supply chain

When we speak about the healthcare industry we aren’t just talking about hospitals and computers full of medical records.

The healthcare system is possibly the most complex supply chain in our economy. It includes everything from cleaning supplies to CRM appointment reminder software, scanning machines to climate-controlled storage of drugs shipped from all corners of the globe.

It is common practice for hackers to target the supply chains of the organisations they want to access. It is very often these small suppliers, 15 or 20 employee companies, that offer an open door through weak security practices. A November 2019 study by Orpheus of NHS suppliers showed that 95% lacked advanced security protection, and 88% of them had already experienced some sort of email and employee password leak before working with the NHS.

There is much at stake. Trust in this highly regulated industry is paramount. A data breach for a small supplier could mean the end of their business.

Data gone digital

The days of paper records are all but gone in healthcare. And with good reason. Digitised patient data makes it easy to quickly communicate between internal hospital departments and outpatient clinics, and to ensure information is always accessible and up-to-date. 

However, it also makes the institutions that hold this data an increasingly attractive target. Once acquired, patient data can be held for ransom or sold on the black market.

Last year, an Israeli research group exposed more insidious potential consequences when it demonstrated how a hacker could very quickly and realistically add or remove medical conditions (such as the appearance of a tumour) on 3D medical scans in real-time. Although this would likely only be used to target specific individuals for specific reasons- they mentioned insurance fraud and political assassination- it demonstrates how severe the consequences can be for even a simple breach.

Connected and outdated devices

From hospital lifts to MRI machines and implanted pacemakers, the healthcare system is increasingly connected to the internet. Doctors and nurses rely on these machines to monitor patient health and to serve as a partner in diagnosis.

Unfortunately, every connected device offers another potential entry point for hackers, and the level of security of each device varies widely. Some of them are new and modern but others, such as expensive scanners, may be ten or 15 years old. They are running on outdated operating systems and no one has the time or skillset to patch them; often the vendor will not support a newer system at all. Where a device genuinely cannot be patched, the usual compensating control is to put it on its own network segment and restrict what can talk to it, so that a compromise elsewhere on the hospital network cannot reach it.

Compromised devices can be hard to detect, and malware is probably running on many of them right now unbeknownst to staff. A drip delivering chemotherapy drugs that had been infected with crypto-mining malware might just run a little bit more slowly. But when the precise and timely delivery of a dose is paramount, this can have disastrous results.

Over-stretched staff

A key part of any industry’s cyber health is knowledge and good practice among its organisations and employees. JAMA Internal Medicine reports that the majority of breaches related to data privacy in healthcare were the result of employee error and unauthorised disclosure.

In the already overstretched world of hospitals, it is no wonder that cyber security is the last thing on the minds of most workers. It makes sense. Our healthcare providers are trained to take care of patients, not to be IT experts. 

But the NHS is the largest employer in the UK and we must come to accept that cyber security awareness is a critical part of every job, and one that can itself save lives.

Many of these breaches could be prevented through the basic cyber hygiene covered in the government-backed Cyber Essentials scheme. This includes maintaining strong password protection, up-to-date software and firewalls, and anti-malware. If you are a healthcare provider or supplier, consider getting certified in Cyber Essentials.