Keeping computer systems protected against viruses and other forms of malware is one of the first steps towards cybersecurity for an organisation. This is one of the five key requirements of the Cyber Essentials scheme that organisations need to fulfil. The most effective strategy for meeting this requirement is to make use of an antivirus product that can keep unwanted malicious content and programs away.

However, with a wide variety of antivirus products available out there, it can be difficult to choose the best one for your organisation. When choosing an antivirus solution, organisations need to keep a number of factors in mind including the pricing, features, and platforms it supports.

To assist you in making the right decision, we have listed the top 10 antivirus products that you can use when preparing for a Cyber Essentials certification.

1.      Trend Micro Worry Free Advanced

Trend Micro provides comprehensive protection against malware and viruses in the form of its Worry-Free Business Security Advanced antivirus solution. It covers all the basics antivirus features such as real-time scans and scheduled scans and comes with advanced features such as anti-spam, web content filtering, ransomware shield mobile device management, and email security. Additionally, the antivirus software can detect malicious activity through USB ports and external devices to provide security against physical breaches as well.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

2.      Panda Endpoint Protection Plus

The Panda Endpoint Protection Plus is highly rated as one of the best enterprise antivirus products because of its advanced features and budget-friendly price. The antivirus suite comes with a well-designed management console that enables you to monitor systems in real-time. It can protect your systems against basic as well as advanced threats such as malware, spam, malicious web content, and viruses. Even though this antivirus product can sometimes slow down your computer systems, it is a choice worth considering, particularly for small businesses.

Platforms it is available on: Android, Microsoft Windows, macOS, Linux.

3.      Norton Small Business

Norton Small Business provides tailored features to small enterprises, although the protection remains the same as the ones used by large organisations. Other than providing all the basic features for protection, Norton’s Small Business antivirus product provides protection across different devices with a single license. You need a single program to protect both remote and in-office systems and manage them over the cloud. Overall, it is a good value option with a simple installation and configuration process.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

4.      Kaspersky Small Office Security 5.0

An effective and user-friendly antivirus software that you can use to keep your systems protected is Kaspersky Small Office Security 5.0. According to independent testers, it blocks more than 99% of malware and associated hacking attacks. The features include real-time protection, anti-spam, content filtering, and firewall. The firewall is a welcome feature that can prevent unauthorised access to your data, along with strict control of your browsers that disallow access to malicious web content.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

5.      Bitdefender GravityZone Business Security

Bitdefender’s GravityZone Business Security is a good option to consider if you want a high level of protection against malware threats across devices. Even though the installation and setup process of this product is quite lengthy, the antivirus software is quite simple to use once you pass those stages. The features include real-time protection, URL filtering, firewall, anti-malware, and web advisor among others. However, unlike most other antivirus products on this list, Bitdefender does not provide device location services for finding lost devices with this solution.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

6.      Sophos Endpoint Protection

The Sophos Endpoint Protection antivirus is suitable if you are looking for basic protection at a low-cost. Even though it is not as good as the other antivirus products in this list in terms of usability, it does a fair job in keeping away malware and viruses. The plus point is that it is much cheaper than other solutions so it can be a suitable choice for SMEs. The Sophos Endpoint Protection Advanced provides advanced protection feature such as blocking suspicious URLs and monitoring user behaviour to detect threats.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

7.      ESET Endpoint Security

ESET Endpoint Security is a great all-in-one antivirus solution that provides you with protection against all kinds of malware including trojans, viruses, and ransomware. Like Bitdefender, the ESET can be difficult to install and configure but once everything has been set up it works perfectly in protecting the devices within your organisation. Other than its good overall performance, its adjustable pricing policy makes it an option worth considering for SMEs.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS, Linux.

8.      McAfee Endpoint Security

McAfee Endpoint Security is a cloud-based antivirus product that helps you secure and protects all internet-enabled devices within your organisation. It provides a variety of features that help in preventing, detecting, and eliminating malware from computer systems. The excellent customer support provided via multiple channels (email, live chat, and phone) make this a good choice for an antivirus solution.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

9.      Symantec Endpoint Protection

Symantec is a renowned company in the cybersecurity industry, particularly because of its feature-rich product. The Symantec Endpoint Protection Business is widely appreciated because of its high-performance and functionality. It provides a range of advanced protection features including intrusion prevention, firewall, behaviour monitoring, multi-level security policies, remote data management, and device location.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS, Linux.

10. Avast Business Antivirus Pro

Avast Business Antivirus Pro is a reliable antivirus product that comes with a range of malware protection features. The antivirus software provides advanced protection features including browser protection, firewall, anti-spam, remote control options, email protection, and basic antivirus. It provides protection against third-party software installation by providing sandboxing that enables you to run applications in a ‘secured’ environment.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

Conclusion

Regardless of how small or large an organisation is, one of the key steps that it can take to protect itself against cyberattacks is to use an effective antivirus solution. This is a major requirement that organisations must meet in order to be compliant with Cyber Essentials.

CyberSmart is an automated compliance service that helps organisations simplify the process of getting certified with leading standards such as Cyber Essentials. If you have any questions about which antivirus product you should choose for your business, get in touch with our experts right away.

A Subject Access Request (SAR) is the Right of Access allowing an individual to obtain records to their personal information, held by an organisation. GDPR, which became applicable in May 2018, provides individuals with the right of access to information.

It is essential that your organisation is aware of the basics of SARs and can handle them effectively to avoid large fines. In this blog post, we provide a six-step practical guide on how you can deal with subject access requests under the GDPR in 2023.

1. Recognise the request

The first step to responding to a SAR is to identify it. The GDPR does not specify how an individual can make a valid request for information. A subject access request can be written or verbal, and it can be made to any part of your organisation including social media.

Therefore, it is best to assume that if an individual asks you for their personal data, regardless of the channel or mode of communication, it constitutes a valid subject access request under the GDPR. It is advised that basic training on the GDPR should be provided to all staff members and managers within an organisation.

Your employees should be able to recognise a SAR and pass it on to the relevant focal person who can handle the request.

2. Understand the time limitations

The GDPR requires you to respond to a SAR within one month i.e. 30 days of its receipt. You must get back to the individual with the requested information without undue delay.

However, you can extend this time period to up to three months if the request is complex, or if the same individual has made a high number of requests. In this case, you must inform the individual that you need more time within one month of the request to avoid any legal issues.

3. Dealing with fees and excessive requests

You cannot charge a fee for providing information to individuals in response to a subject access request. However, there is one exception to this rule. If you receive a SAR that is ‘manifestly unfounded or excessive’, you can charge a reasonable fee to deal with the request or refuse to provide information at all.

There is still some speculation over what requests can be considered manifestly unfounded or excessive and therefore, it is advised that you take caution when refusing a SAR. Similarly, there is no certain threshold for the reasonable fee that you can charge. The ICO guidance suggests that it must be charged on the basis of the administrative costs associated with the retrieval of the requested information.

To be on a safer side, it is best not to charge a fee or refuse a SAR at all. But, if you choose to refuse to deal with a repetitive SAR then you should inform the individual within one month of the receipt of the request with the reasons for refusal.

4. Identify, search, and gather the requested data

The most time-consuming and labour-intensive part of responding to a subject access request is gathering the requested data. If an individual makes a broad request for access to all their personal data, then it can take weeks to identify and search for the information.

Personal data is defined as any information relating to an identifiable natural person under the GDPR. This broad definition makes it difficult to identify the information that you need to provide.

The ICO states that if an organisation processes a large amount of personal information, then it should ask individuals to clarify their request for information. Therefore, a good approach is to ask for additional parameters or specific pieces of information that individuals need from the SAR. However, it is important to understand that you will need to comply with the SAR even if the individual refuses to provide additional parameters.

It is advised that organisations should allocate someone to be in charge of coordinating the process of gathering requested personal data. Document management providers can help you carry out effective searches for data using the right date range and keywords. Even though these services can increase costs, it ensures that your organisation can comply with the information needs of a SAR in time and correctly.

5. Learn about what information to withhold

A challenging aspect of responding to a SAR is to decide what information to withhold from the requester. After you have gathered all the requested information, the next step is to filter out the information that you can legally hold back.

One particular concern is to ensure that when responding to a SAR, you should not disclose the personal data of other individuals. The Data Protection Act (DPA) 2018 states that you should not comply with a SAR if it would require you to disclose information about another identifiable individual.

The exceptions are when the other individual has given their consent to the disclosure, or the organisation finds it reasonable to comply with the request without the consent of the individual. When deciding whether you disclose the information about the third party, you should balance the GDPR’s right of access against the third party’s rights.

Other than this, Section 45(4) of the DPA 2018 specifies special cases when you can withhold personal data of an individual. These include cases when non-disclosure leads to obstruction in an official or legal enquiry, or protection of public or national security.

Therefore, you should be careful about the information that you provide when complying with a subject access request. It is important to understand what information you can withhold to prevent a breach of other’s privacy or to support the public or national interest.

6. Developing and sending a response

Once you have all everything you need for the subject access request, the last step is to develop and send a response to the individual. Organisations need to provide the following information to the requester:

• Legal basis for and purpose of processing the personal data of the individual.
• Third-parties to whom the personal data has been disclosed.
• Existence of the requester’s rights to the information including the erasure of the personal data and restriction of the processing of the personal data.
• Expected period for which the personal data will be stored.
• Categories of personal data.
• Information about the origin of the personal data.

Most organisations will have provided much of the information above in their privacy policy already and so can reuse it from there.

For sending out the response in 2023, the GDPR requires that you provide the information in a concise, intelligible, transparent, and easily accessible form that is understandable by the individual. Secure online portals or encrypted email are recommended ways to deliver the response securely and efficiently.

Conclusion

Understanding how to deal with a subject access request is an important part of complying with the GDPR in 2023. We have outlined a step-by-step process that you can use to comply with a GDPR subject access request from individuals.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

One of the five major controls for the Cyber Essentials Scheme is to configure and deploy a network firewall. A firewall is a network security system that creates a buffer zone between your company’s network and external networks. In simple terms, a secure zone is created between devices in an organisation and the internet.

Cyber Essentials requires that all devices that are connected to the internet should be protected with a firewall. We will explain this requirement and how to comply with it from a non-technical perspective.

Types of firewall 

Before we proceed forward, it is first important to understand the two types of firewalls that can be used. A personal firewall can be installed on internet-connected desktops or laptops. Typically, most operating systems come with a built-in personal firewall.

A boundary firewall or network firewall can be used if you have a mix of different devices in your organisation. This provides a protective buffer around your entire network. In most cases, you need to set up a hardware firewall i.e. dedicated firewall machine to deploy a boundary firewall.

Understanding how firewalls work

A point-of-entry for attackers is when devices communicate with other devices and services across networks. If you can restrict access to this communication, the risks of attacks are reduced. Firewalls can help you achieve this by ensuring that only safe and necessary network services can be accessed via external networks such as the internet.

A network firewall is a dedicated network device that restricts the inbound and outbound network traffic to external devices and services. It prevents desktops, laptops, and mobile devices within a network from accessing malicious or harmful traffic.

Firewalls achieve this accomplish this by implementing restrictions that are known as firewall rules. These rules allow or block incoming traffic into a network depending on its source, destination, and communication protocol.

Firewall requirements of Cyber Essentials

The Cyber Essentials certification requires businesses to use and configure a firewall to protect all devices, particularly the ones that are connected to public or untrusted Wi-Fi networks. Every device in this scope must be protected by a properly configured firewall.

To comply with Cyber Essentials, organisations must:

• Disable permissive firewall rules once they become obsolete.
• Make use of personal firewalls on devices that are on untrusted networks such as a public Wi-Fi hotspot.
• Block unauthenticated and untrusted inbound connections by default.
• Ensure that manufacturer passwords and default settings are reviewed and updated according to the organisation’s security requirements.
• Make use of strong administrative passwords for firewalls. This means that the passwords should contain a mix of upper and lower-case characters, numbers, and symbols. Alternatively, remote administrative access should be disabled altogether.
• Use firewall rules that are approved and documented by an authorised individual such as the security administrator.
• Restrict access to the administrative interface. The interface is used to manage and configure firewalls from the internet. If there is a business need to provide the access then the interface should be protected with:
  • Two-factor authentication.
  • An IP whitelist that limits access to the interface from a small number of devices only.

Conclusion

A firewall is used for securing devices within a network and mitigating the risks of outsider attacks.  Setting up a properly configured firewall is one of the first steps towards a Cyber Essentials certification.

If you would like to learn more about network firewalls and how to configure them for Cyber Essentials, contact us right away. CyberSmart partners with you to make your journey towards becoming a secure and compliant organisation simpler and easier.

A major challenge for startups is figuring out how to invest in cybersecurity.

Despite the financial constraints, it is essential for startups to keep their online security in check, because the consequences are frightening. Statistics show that about 50% of all cyber attacks target small businesses and startups. Often, this is because of a lack of written internal policies.

Without a security policy, there is no reference for what needs to be done when a security threat arises within your startup. An information security policy can be complicated and often expensive to develop, but it is a fundamental component of cybersecurity.

In this article, we present a free information security policy guide for startups.

What should the information security policy cover?

There is no single approach to developing an information security policy that fits all organisations. Despite this, there are certain aspects that every security policy for startups should cover:

• The security requirements that are going to be met, compulsory ones like GDPR and then either Cyber Essentials, ISO 27001, or the IASME Governance framework.
• Who is responsible for information security tasks? It can be an internal security expert or a third-party supplier..
• The startup’s long-term commitment to cybersecurity including what they aim to achieve through the introduction of the policy.

What should be included in the information security policy?

Even though there is no fixed format for an information security policy, given below are some key questions that you should consider when framing your security policy.

• Who is responsible for your startup’s security?
• What are your security objectives?
• How are security incidents reported and managed? How can you learn from them?
• What type of information do you handle? Does it involve customer information?
• What ways can you use to protect different types of information?
• How do you measure risks?
• How should internet, email, and other communication channels be managed to minimise risks?
• What training and awareness do the employees need?
• What responsibilities should be given to employees for securing information?

Areas to cover in an information security policy

There are five general subject areas that should be addressed in an information security policy for startups:

1. Security measures: Guidelines for virus protection, passwords, confidentiality of data, and levels of access to information.
2. Disaster recovery: Instructions on how to recover from a disaster such as a data breach. Methods of data backup, including how often they should be made, should also be included.
3. Standards for technology: Details about the types of hardware, software, and other digital systems that can be purchased by the startup. This area will also cover a list of trusted partners or vendors from where systems are to be bought.
4. Acceptable use of technology: How should technology such as smartphones, desktop computers, email, and the Internet be used. What are the results of misuse and how can security be improved by limiting access to such technology.
5. IT services: Information about who will be responsible for providing technical support to employees. Often, this is a member of the IT team, but can be an external partner as well. Guidelines regarding planning, installation, and maintenance of computer systems should also be covered in this area.

Conclusion

Startups are at a constant risk of cyber threats, particularly because of a lack of an effective information security policy. It is important to not only have a security policy in place, but to make sure that it addresses the specific needs of your startup and employees. If you have not developed an information security policy yet, you should consider doing so right away to minimise loss.

CyberSmart recognises the budget and time constraints that most startups have when developing their information security policy. By subscribing to one of our plans you will get access to our free policy packs, sign up today for access. We look forward to assisting you in designing a cost-effective information security policy for fortifying your startup’s security.

An information security policy is a set of rules and guidelines that an organisation issues for securing its confidential data. Employees of the organisation should understand and follow the information security policy.

In this article, we list effective ways that you can use to develop a information security policy, or beef up your organisation’s existing information security policy.

1.     Address the problem of password management

Many organisations, despite knowing about the existence of their security issues, are often confused on how to address them. It might sound obvious, but this is where most of a company’s security failings can be resolved.

For instance security policies must pay much attention to password management. Employees choose their own passwords and are then responsible to manage and control them. However they should be provided with the tools to create, store and access the range of passwords they may need to use.

According to a report by Verizon published in 2017 on data breach investigations, is where things take a turn for the worst. It says that more than 4 out of 5 data breaches are happening due to compromised or weak passwords. In addition, a survey has reported that almost 80% of employees find password management a hassle. An issue that can be easily solved with a password manager.

The scale of the problem here demands that organisations address the clear problem of password management in their information security policy.

2.     Use a holistic approach

As a modern business you should understand the barrier between work life and personal life is becoming more and more indistinct. This idea extends to information security as well. Technology departments must tailor security guidelines around the modern employees work behavior.

Concepts such as BYOD (Bring Your Own Device) are gaining traction nowadays. Organisations need to take a more holistic approach to their information security policies, which involves looking beyond employee work logs and company related passwords.

A single employee, whether in-office or remote, can put the entire organisation’s information security at risk. This makes every employee a possible point of failure for the entire network. The information security policy should take this into consideration and adequately address the risks associated with BYOD. Doing so will allow them to protect the company’s information against attackers.

3.     Educate the employees

Educating employees about information security is an important process when it comes to protecting your organisation’s data.

Regular training sessions that stress the basic concepts of security such as the risks of public networks and password management should be conducted. These sessions can be delivered by internal security experts or third-party security services, depending on the resources available to your organisation.

The most common types of data breaches are caused by the lack of education of employees. Therefore, you should incorporate training and awareness in the organisation’s information security policy. For instance, a security training program can be introduced that requires employees to attend monthly security sessions held within your organisation.

4.     Automate and simplify

Simplify what you can, and automate what you cannot. This simple rule can help you improve your organisation’s information security policy significantly.

A simple information security policy will go a lot further than a binder filled with complex security procedures. This is because employees are more likely to circumvent a complex security measure than a simple one.

You should first attempt to simplify anything that you can within the security policy. For instance, make it clear what the minimum length for passwords should be, rather than just suggesting the use of strong passwords.

For things that cannot be simplified, such as the process of validating online websites, you can make use of tools such as firewalls to prevent employees from violating the policy.

Conclusion

For businesses, information security in today’s world is more of a necessity than a luxury. It is important for an organisation to make a holistic yet simple changes in their approach to information security policies, to address concerns related to cybersecurity.

CyberSmart understands that managing your information security policy can be an excruciating task. If you would like to learn more about how to improve your information security policy, get in touch with us right away. We would love to help you polish your security policy for mitigating risks of cyber attacks.

The cybersecurity sector is a crowded place when it comes to different standards, certifications, rules and regulations. It can also cause a lot of head-scratching and confusion for those not familiar with the best practice.

Founders and business owners often come to us and say they want to or have to get ISO 27001 certified. Hardly anyone knows when and how ISO 27001 makes sense for a small business and what other certifications can be achieved instead of ISO 27001 or used as a stepping stone towards achieving ISO 2700. Here is a brief overview of the most common cybersecurity standards in the UK: 

Cyber Essentials

In short, Cyber Essentials is a scheme designed by the UK government that aims to get all UK businesses to be able to manage their IT security to a certain level. It helps companies to implement basic levels of protection against cyberattacks, demonstrating to their customers and suppliers that they take cybersecurity seriously.

Established in 2014, the purpose of this standard is to develop necessary cybersecurity standard throughout an organisation. The standard is relatively technical and protects organisations from 80% of cyber-attacks. The most surprising factor we discovered as cybersecurity consultants was that most companies that had other standards, such as ISO 27001 or PCI-DSS implemented, would still fail under Cyber Essentials. The best use case for this standard is to implement it as a first defence and perimeter security before other standards are considered.

Cyber Essentials certification is a great first step towards GDPR. It serves as evidence that you have carried out basic steps towards protecting your business from internet-based cyber attacks.

Cyber Essentials Plus

Cyber Essentials Plus is the audited standard of Cyber Essentials. Besides including some additional controls, the implementation needs to be assessed by a Cyber Essentials Plus auditor. This obligatory audit creates additional trust in the standard and it is safe to assume that once Cyber Essentials is well-established, Cyber Essentials Plus will increasingly become mandatory.

IASME

This standard goes far beyond Cyber Essentials and can be described as a “mini version of ISO 27001:2017”. Together with the government, IASME developed this standard in order to create an easily adaptable and affordable alternative to ISO 27001. The IASME standard is specially tailored towards SME’s and includes processes, people and technology. In May 2018 both IASME standards will be expanded to include GDPR readiness. Both IASME standards require Cyber Essentials as part of the readiness as well. Similarly to cyber essentials, the IASME standard can serve as proof to customers and suppliers that their information is being protected. It is provided alongside the cyber essentials certification. There are two types: the standard self-assessment and the Gold standard, which requires an audit onsite.

ISO27001

ISO 27001 is an international information security standard. Including far over 100 controls the standard is frequently implemented by corporations or businesses dealing with critical infrastructure or the public sector. ISO27001 covers areas that include security policies, access control, operations security, human resources, cryptography and compliance. It does not cover GDPR*. However, an organisation can voluntarily include GDPR in their ISMS (Information Security Management System). 

*A note on GDPR: GDPR is NOT a standard, it’s a law, so we’ve excluded it here. 

If you have any questions about Information Security Standards or Cyber Security in general or just want to have a chat, drop us a line at hello@cybersmart.co.uk.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Here’s what everyone should be doing in 2018 in terms of cybersecurity and data protection:

(more…)

As you probably know already, schools and universities are not immune to attacks from disgruntled employees or other insiders. However, there is another key issue for school leadership teams that is unique to the education sector: students!

Students are often more digitally aware than most teachers and other school employees. This can lead to new digital platforms being introduced into the school environment without staff being made aware.  This insider threat to schools from students is not malicious; instead, it’s an issue of negligence in some cases or lack of awareness in other.

While students and teenagers may be tech savvy, they’re not often very security conscious. The consequences of exposing the school network to a data breach or cyber attack is often not properly understood. They are also not legally culpable for any actions that might result in a breach, so there is less of an incentive to take responsibility.

Adults are also potential insider threats; a teacher may bring a corrupted USB stick into school with their learning resources, or school admin staff may open and respond to a phishing email without understanding what it is. This is why schools must keep on top of their security policies and enforce them across the whole school community.

Awareness Of The Threat Landscape

The general lack of awareness about the types of attack a school network may be subjected to, what they look like, and where they come from is a major problem for the school as a whole.

All parties – IT departments, network managers, teachers, school employees and students – must be made aware of the threat landscape with relevance to their internet and network usage. Regular training should be part of the schools’ IT policy, raising awareness of the consequences of cyber attack to the school and individuals personally – which could include disciplinary actions.

Network Protection

School networks need robust defences in place to protect from threats such as malware or DDoS attacks. Antivirus, web filtering, firewall, device encryption, mobile data management and penetration testing should all be updated regularly and reviewed to keep pace with new threats and technologies.

Managing User Privileges

An effective way of limiting the potential damage an insider threat poses is to rigorously manage who has access to the network, and what they can and can’t do.

Both staff and students should only have limited access to the school’s network based on their requirements, reducing the opportunity for malicious or accidental misuse of the network. Managing user accounts should also include regularly reviewing what access individuals require, blocking access to some systems if individuals no longer need them, and deleting users when they leave the school.

If you have any questions about Cyber Security in general or just want to have a chat, drop us a line at hello@cybersmart.co.uk

Protecting your data and organisation is hard work — let us help you make it easier.

As CyberSmart turns 1 year old, we are taking a moment to pause and reflect. This year was huge for us, individually and as a team. We had a vague idea, built a platform, got our first paying customers and closed a Pre-Seed round. At CyberSmart we believe in transparency, not only in regards to data, but also transparency in everything we do, transparency towards our stakeholders and eco-system. Hence, without further ado – here is what happened in 2017 at the CyberSmart HQ in East London.

(more…)

The legal sector remains a hot target for the full spectrum of threat actors. These include cybercriminals, hacktivists, state-sponsored groups. This is largely due to the wealth of sensitive data held within the industry. For example, patent data, merger and acquisition information, protected witness information and negotiation information. The scope is vast and not limited to the above list. Legal firms are equivalent to a pot of gold for any of these groups. So, what’s the state of cybersecurity in the legal sector and what can be done to improve it?

(more…)