Press release: Heightened risk of insider threats during cost-of-living crisis, according to SME study

Our latest research (to be released as a report) reveals fear among UK SMEs about insider threats. Some key findings include:

  • Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the cost-of-living crisis.
  • 38% believe this is due to increased malicious insider threats, and 35% believe it is due to negligent insider threats.
  • 1 in 4 believe staff are overwhelmed or concerned about meeting their financial commitments.
  • 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
  • 17% believe employees will seek to harm the company's reputation due to resentment over salary cuts/stagnation and/or layoffs.

London, UK (15th June 2023) – Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the onset of the cost-of-living crisis. Of these respondents, 38% believe this is due to increased malicious insider threats (i.e., disgruntled employees making decisions that are not in the best interest of the company) and 35% believe it is due to negligent insider threats (i.e., overworked or distracted employees making mistakes). This is according to a survey of a thousand SME senior leaders across the UK, commissioned by CyberSmart, the category leader in simple and accessible automated cybersecurity technology for small and medium-sized enterprises (SMEs), and conducted by Censuswide.

In light of the economic uncertainty, almost 1 in 3 employers (29%) admit that employee salaries have stayed the same, which in effect means a decline in real wages once inflation is taken into account. A further 11% have even gone so far as to reduce salaries. What’s more, nearly a quarter (24%) of SMEs have hit pause on recruitment, while 16% have laid off employees for budgetary reasons.

It is no coincidence then that 1 in 4 employers (24%) are finding that their staff are overwhelmed or concerned about meeting their financial commitments, while nearly a fifth (18%) find they are feeling overworked. Moreover, 16% believe their staff are less engaged or productive due to the stress, 14% think they are more disgruntled and 11% have noticed an increased rift between senior leadership and employees.

Remarkably, employers expect their employees might engage in the following activities whilst in this unhappy state.

  • 22% believe employees will take on a second or third job during contractual hours.
  • 22% believe employees will be more likely to make mistakes such as clicking on a phishing link.
  • 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
  • 17% believe employees will seek to harm company reputation due to resentment over salary cuts/stagnation and/or layoffs.
  • 14% believe employees will use AI such as ChatGPT to do their job for them.
  • 14% believe employees will steal money from the company or commit financial fraud.

“Not all businesses are experiencing a negative company culture as a result of the crisis. In fact, 20% believe the cost-of-living crisis has brought the company closer together and 16% of employees are becoming more motivated to impress senior leaders. Nevertheless, in times like these, it is crucial that employers are mindful of how their staff are coping,” said Jamie Akhtar, CEO and Co-Founder of CyberSmart. “It only takes one disgruntled or overworked member of staff to make a decision that could put the entire business at risk. This research highlights the importance of conducting regular security awareness training, but also the need to show up for employees with empathy and support.”

It should be noted that SME business leaders also consider external forces to be responsible for the growing risk of cyberattacks, with 32% attributing it to higher rates of supply chain fraud and 31% expressing concern about nation-state interference from hostile countries such as Russia and China.

Want to know more? Read the report in full here.

What is a cyber warranty?

Cyber insurance is fast becoming a necessity for modern business. In the last 12 months alone, 39% of UK businesses identified a cyberattack. And, as cyberattacks increase in number, the need for small businesses to access reasonably priced cover is only going to grow starker.

However, cyber insurance is not without its problems. As the number of businesses being breached continues to grow, the industry is struggling to keep premiums at a level that’s affordable for smaller businesses. In turn, this is pushing traditional ‘standalone’ cyber insurance (without monitoring or extra protection) out of reach financially for many SMEs. 

But cyber insurance isn’t the only game in town. Some software providers and cybersecurity companies are beginning to offer a complementary option – cyber warranties. Let’s dive into the what, the why and the how.

What is a cyber warranty and how does it work? 

A cyber warranty is a relatively simple concept. Essentially, a cybersecurity company or software developer guarantees that they will pay out if their customers suffer a breach. 

The conditions of the warranty can vary. For example, it could be that the customer has to prove they were using the company’s product when they were breached. Or, alternatively, some providers will expect the customer to adhere to a set of security standards – say the five basic controls that make up Cyber Essentials certification.

Again, the losses the warranty will cover vary from provider to provider but it’s typically a fixed amount, for example, £1m. 

This is useful to SMEs for two key reasons. First, and most obviously, if something goes wrong and your business gets breached, you’ll get some money to cover the damages. Second, it should theoretically provide vendors with a huge incentive to ensure their products are totally watertight.

However, it’s not just SMEs who benefit. A cyber warranty can also give managed service providers a cost-effective method of remediating breaches for clients. Most providers allow any company doing remediation work to bill for it to the warranty, covering the costs.

Want to protect your business but unsure where to start? Check out our free guide to cyber insurance.

Why are cyber warranties needed? 

Cyber warranties come with a number of benefits, both for small businesses and the cybersecurity sector. As we’ve mentioned, they provide any business offering one with a gigantic incentive to produce very secure products – which can only be good for users and the sector as a whole.

Alongside this, they give customers an extra layer of protection they otherwise wouldn’t have, simply for buying software or a cybersecurity tool. What’s more, some cyber warranties ‘fill in the gaps’ in instances that insurers won’t always pay out for. For example, when a breach occurs due to a failure in a vendor’s product.

Is a cyber warranty an alternative to insurance? 

While cyber warranties can function well with cyber insurance as a complementary product, they aren’t an outright alternative. This is down to some of the limitations cyber warranties have.

A cyber warranty will only cover you in the conditions outlined by the vendor. For example, the warranty might not cover ransomware or business email compromise attacks. This isn’t necessarily a big problem, after all, even cyber insurance coverage is limited. However, this could leave you exposed if you don’t have alternative coverage, such as insurance. 

In short, the safest approach is to view cyber warranties as a useful safeguard that works in tandem with traditional cyber insurance.

Confused about whether cyber insurance is right for your business? Check out our new guide, covering all the basics you need to make an informed decision.

How much of your IT budget should you spend on security?

It looks like IT budgets will continue to grow this year despite the threat of a recession. 51% of organisations plan to increase their IT budget, with just 6% reporting they’d cut back on tech spending. 

At face value, this is good news. But with rising inflation, the real value of these budgets is less than last year. Because IT budgets need to stretch into every corner of businesses, there’s likely to be some pressure around spending. And the amount of IT budget spent on security could end up being less compared to last year. 

That could leave organisations more vulnerable to cyber threats, but cutting security costs doesn’t have to mean adopting a less robust security solution. Protecting your business from the most common and deadly attacks doesn’t have to break the bank.

How much should IT security cost?

It’s far too common to hear “how long is a piece of string?” when asking this question. 

For companies with 500 or more employees, it’s hard to define how much IT security should cost because their size, reach, and security needs are too variable and complex to assign a fixed number to. For example, last summer Google announced they’ll invest 10 billion dollars in cybersecurity over the next five years. 

But for smaller businesses, it doesn’t have to be complicated. 

  • If you work alone, a good level of cover should cost you £1,000–£3,000 a year
  • If you run a small business with 40 employees, a good level of cover should cost you £2,000–£5,000 a year
  • If you have 250–499 employees, a good level of cover should cost you £8,000–£12,000 a year

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

How does that compare to the cost of a breach?

Let’s look at the amount of IT budget spent on security compared to the amount of IT budget spent because of security breaches. 

The UK Government’s Cyber Security Breaches Survey 2022 revealed that 39% of UK businesses identified a cyberattack in the 12 months before the survey. Where those businesses reported a material outcome, the average estimated cost was £4,200. For medium and large businesses, the average cost was £19,400. In another report, 73% of victims revealed they’d experienced more than one attack in a year, so the costs can quickly add up. Some costs are harder to calculate, such as damage to brand reputation and customer retention.

What should you look for in a security solution?

Broadly speaking, you can break this up into two sections:

1. Supplier

Choose a cybersecurity supplier who can provide a good level of support, e.g. unlimited guidance. This is especially helpful if you’re a smaller or new business that’s just getting started with cybersecurity, as it’ll give you extra peace of mind. Look into the level of flexibility the supplier gives you, too. If budget and payment terms are a concern, a subscription-based service that offers monthly payments is more affordable than paying the whole year upfront.

2. Functionality

Look for a solution with buildable components so your security coverage can grow as you do.

Here are some key things to look for:

Certifications

Accreditations like the UK Cyber Essentials scheme outline the security procedures you should have in place to secure your data. It’s recommended for SMEs because it helps you to protect your business against 98.5% of the most common types of cybercrime, like phishing and malicious software. 

Privacy support

Your business must manage data safely, securely, and in compliance with data protection laws. Some providers will help you to field subject access requests, write data protection policies, and keep on top of your data protection obligations by providing tools and templates to streamline your processes.

24/7 monitoring and employee training

For complete peace of mind, look for providers that offer 24/7 monitoring of all devices connected to company data. They’ll check for the most common threats and vulnerabilities, helping you to manage risk and alerting you in the event of a breach.

To support this, look for solutions that include employee training alongside 24/7 device monitoring. More than three-quarters (77%) of senior IT leaders agree that internal security and governance risks are as high as external ones. So, it’s a good idea to keep your employees up-to-date with engaging and informative training sessions.

Insurance

Cyber insurance can support your business if you suffer a malicious attack or data breach. It can cover first-party (your assets) and third-party (customer data) so that in the event of an incident, you can recoup lost earnings due to operational downtime or reputational damage. 

What if you’re struggling to find the budget to pay for security?

Lots of companies will be trying to find ways to cut costs or reallocate money to cover non-negotiable expenses. If you’re struggling with the rising cost of living and balancing your budgets, these might help you to trim the fat a little.

  • Can you reduce any old/redundant tech? This might help you to save money on subscriptions or hardware you don’t need
  • Can you cut any non-essential spending? E.g., travel or office upgrades
  • Could you re-evaluate partners and suppliers? Are they giving you the best deal or relying on your loyalty and pushing up prices? 

Recession-proof security

If you’re ready to take control of your business security, now’s a great time to start. It’s always better value for money to pay for security cover than suffer the cost of an attack and its repercussions. Be proactive, and make every penny count with the right solution for your business size.

Want to know more? Discover how to protect your business on a budget in our cost of living crisis guide.

How to reduce the cost of cybersecurity responsibly

With the economy taking a turn for the worse, you may be looking for ways to cut your business spending. However, when it comes to cybersecurity, you can’t afford to be complacent – cutting back on this could cost you more in the long run if you lay yourself open to cyberattacks. So, here we look at how you can reduce the cost of cybersecurity responsibly and stay safe online.

Risks are rising

When you consider the potential impact a cyberattack could have on your business, you want to be sure you’re protected as securely as possible. According to a study by TrendMicro, 60% of small businesses close within six months of a cyberattack. And, even if your organisation survives an attack, the cost of cybercrime can be crushing, as a study by Cisco found that 40% of small businesses hit by a severe cyberattack experienced at least eight hours of downtime.

You can’t afford to think that it won’t happen to you. Cybercrime incidents are now commonplace. According to the UK government’s Cyber Security Breaches Survey 2022, 39% of UK businesses had identified a cyberattack in the past 12 months. And those companies that reported a material outcome, such as loss of money or data, experienced an estimated average cost of £4,200. But, where only medium and large businesses were considered, this figure rose to £19,400.

Unfortunately, experts are also predicting that with the cost-of-living crisis, cyberattacks will rise even further as cybercriminals step up their efforts. And the indications are that this is already happening. According to the 2022 State of Phishing report from SlashNext, phishing attacks increased by 61% in 2022. The Anti-Phishing Working Group (APWG) also reported that there were three million phishing attacks in the third quarter of the year. This was the worst quarter it had ever seen. In addition, the percentage of users affected by targeted ransomware doubled in the first 10 months of 2022, according to Kaspersky Lab.

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

The cost of cybersecurity

As rates of cybercrime have gone up, so has the cost of cybersecurity that can protect your business from so many risks. Organisations therefore often find that their spending on cybersecurity is substantial. For example, the Pursuing Cybersecurity Maturity at Financial Institutions report by Deloitte and the Financial Services Information Sharing and Analysis Center revealed that banks, insurance companies, investment managers, and other financial services companies spend between 6% and 14% of their IT budget on cybersecurity. This is approximately 0.2% to 0.9% of company revenue.

In light of these risks, how do you cut the cost of cybersecurity for your business responsibly without suffering severe consequences? When considering cost-cutting in this area, it’s vital that you strike a sensible balance between saving money and safeguarding your business. Thankfully, there are various measures you can take which will protect your business while keeping the cost of cybersecurity down.

Assess, prioritise and manage risks

The key to cutting the cost of cybersecurity responsibly is to assess, prioritise and manage risks. If your business has been operating for a while, the first step is to take stock of what tools are already in place. There may be some duplication, which you can remove to start making savings. You could also consolidate tools and use more automation, to improve efficiency without impacting your level of cybersecurity protection. 

It’s impossible to guarantee 100% protection from every threat, but you can focus on limiting the most likely ones. One risk it pays to address is the threat of phishing attacks. Data shows that 91% of all cyberattacks start with a phishing email, so prioritise your defences against this. Phishing is a type of social engineering attack, whereby a cybercriminal sends a message intended to trick the recipient into revealing sensitive data or downloading malware. So, ensuring that your employees receive good cybersecurity awareness training will reduce the chance of these attacks succeeding. This can be a relatively low-cost cybersecurity measure and sets your staff up as a human firewall to safeguard your business.

While it’s vital to protect your business network, an in-house IT team to manage your cybersecurity can be expensive, so you could explore alternatives, such as deploying a comprehensive cybersecurity solution. For example, with CyberSmart Active Protect, you can protect every device in your business, around the clock, with no need for an in-house team, expensive tools, or specialist expertise. This also provides the invaluable cybersecurity staff training you need to strengthen your defences.

Step up your cyber hygiene

Another important step you can take to keep your business secure and the cost of cybersecurity down is to boost your cyber hygiene. This involves adopting rigorous, proactive procedures to protect against cyber threats, such as:

Backing up all data

Ensure all data is backed up to a secondary source, such as cloud storage, to help prevent your information from being lost in a security breach. This may sound obvious, but it’s often overlooked.

Using good password management

Use unique, complex, and regularly updated passwords. You could also consider using a password manager app to generate new ones each time and store them safely.

Updating your software

Regularly review and update all your software to ensure you’ve got the latest protection against security threats.

Limiting access

Only give login details to employees for the systems they really need access to, and limit admin-level access to those who must have it. This can help prevent any employee-related security issues.

Providing company devices

Avoid letting employees use their own devices, if possible. It gives you more control over where your data is and keeps you safe if an employee leaves your business.

Free online guidance

If you run a small business and want to improve your cybersecurity without breaking the bank, check out the National Cyber Security Centre’s Small Business Guide: Cyber Security. This offers practical, affordable advice. 

It explains simple measures you can take to protect your organisation from malware, such as ensuring that your firewall is switched on. It’s important that you have secure internet connectivity, and a firewall creates a ‘buffer zone’ between your network and external networks. This is a straightforward step to take, as most popular operating systems now include a firewall.

Further free and invaluable advice, more appropriate for medium and large businesses, on how to build strong cybersecurity is also available via the National Cyber Security Centre’s 10 Steps to Cyber Security.

Cyber Essentials certification

Finally, if you want to keep the cost of cybersecurity down as responsibly as possible, you should gain Cyber Essentials certification. This is a cost-effective, UK government-backed scheme which covers everything your business needs to do to protect itself from cyberattacks. Simply by being certified, you can reduce your cyber risks by up to 98.5%.

This could also bring welcome new business your way, as it’s a great way to demonstrate to new customers that you take cybersecurity seriously. It also gives you the ability to bid for government tenders that require Cyber Essentials certification. What’s more, if you gain your certification with us, you get £25k free enhanced cyber insurance, for added peace of mind.

Cautious cost-cutting

Reducing the amount you spend on cybersecurity responsibly is possible, but should be carried out with caution. However, with the right know-how, you can keep expenditure down and ensure your business has the strong cybersecurity protection it needs.

Want to know more? Discover how to protect your business on a budget in our cost of living crisis guide.

What are the 2023 changes to Cyber Essentials?

April 2023 is set to see more changes to the Cyber Essentials question set. Here’s everything you need to know and what it means for your business.

What’s happening? 

On 23rd January 2023, the NCSC published an updated set of requirements, version 3.1, for the Cyber Essentials scheme. These changes, called the ‘Montpellier question set’, come into force on 24th April 2023 and will replace last year’s Evendine question set.

What are the changes?

1. The definition of ‘software’ has been updated to clarify where firmware is in scope.

2. Asset management is now included as a highly recommended core security function.

3. A link to the NCSC’s BYOD guidance is now included to help businesses better manage their devices.

4. Clarification on including third-party devices – all devices that your organisation owns that are loaned to a third party must now be included.

5. The ‘Device unlocking’ section has been updated to reflect that some vendors have restrictions on device configuration. If that’s the case, the recommendation is to use the vendor’s default settings.

6. The ‘Malware Protection’ section has been updated. You must make sure that malware protection is active on all devices in scope. All anti-malware software has to:

  • Be updated in line with vendor recommendations
  • Prevent malware from running
  • Prevent the execution of malicious code
  • Prevent connections to malicious websites over the internet

And, only approved applications, restricted by code signing, are allowed to execute on devices. You must:

  • Actively approve such applications before deploying them to devices
  • Maintain a current list of approved applications. Users must not be able to install any application that is unsigned or has an invalid signature

7. New information has been added about how Cyber Essentials affects businesses using zero trust architecture. In short, this should be affected by the Cyber Essentials controls.

8. The illustrative specification document for Cyber Essentials Plus has been updated. The changes to the malware section affect how an auditor carries out a Cyber Essentials Plus assessment and this will be discussed with customers when they book.

9. Several style and language changes have been made and questions reworded to make the process simpler and easier to understand.

10. The technical controls have been reordered to align with the self-assessment question set.

What does this mean for your business?

It’s relatively simple.

Any Cyber Essentials assessment that begins before 24th April 2023 will continue to use the current requirements. Meanwhile, any assessment that begins after 24th April will be assessed using the new Montpellier requirements.

The changes aren’t complicated and shouldn’t impact your ability to achieve certification or the time it takes to complete it. However, if you do have any questions, please get in touch and one of our team will be happy to talk you through it. 

Unsure whether certification is right for your business? Check out our guide to cybersecurity certifications in the UK.

What are the benefits of cyber insurance?

With cyberattacks rife and rising all the time, cybersecurity is essential, but so too is cyber insurance. Although many businesses have been slow to adopt such cover, the world is beginning to wake up to the substantial benefits of cyber insurance for safeguarding an organisation. Here we look at the significant advantages it offers.

Why choose cyber insurance?

Businesses are increasingly at risk of falling foul of cyber-related incidents. Recent data shows that global cyberattacks increased by 38% in 2022, compared to 2021.  And the UK saw a massive 77% rise. The fact is, cybersecurity is never 100% effective.

Should the worst happen, having cyber insurance could be the difference in ensuring your business gets up and running again quickly. Some 60% of small businesses close within six months of suffering a cyberattack. So having some sort of back-up plan is crucial.

But why do you specifically need cyber insurance, rather than just standard business insurance? Well, cyber insurance is a specialist product that protects you from cyber risks and those related to IT infrastructure. The fundamental benefit of cyber insurance is that it covers risks that aren’t generally included in standard commercial liability policies, which tend to just cover costs related to technical issues, such as corrupted hard drives and lost devices.

Managing a cyber incident, such as a data breach or ransomware attack, requires detailed technical knowledge, which specialist cyber insurance can offer. Cyber insurance policies provide you with the means to implement incident response measures, such as legal assistance, public relations support and forensic investigation. 

As well as minimising any business disruption and supplying financial protection during an incident, a big benefit of cyber insurance is that it could help with any legal and regulatory actions after an incident. Although it won’t solve all your cybersecurity challenges or prevent a cyberattack from happening, cyber insurance can help your organisation get back on its feet.

Want to protect your business but unsure where to start? Check out our free guide to cyber insurance.

What could your cyber insurance cover?

As with other types of insurance, the benefits your cyber insurance includes will depend on the cover you choose. Opting for first-party cover will protect you against the direct results of a cyberattack. Alternatively, third-party cover is more comprehensive and will include the indirect consequences of a cyberattack. This provides protection for managed service providers (MSPs) that supply professional services to other companies. It’s key to covering your liability should a cyberattack on you lead to losses from a partner or customer.

Online threats are multiplying all the time, and cyber insurance will cover you for a wide variety of these risks, such as data privacy breaches, phishing attacks, distributed denial of service (DDoS) attacks, and malware, including the dreaded ransomware attack. 

Depending on the exact policy you choose, it should cover:

  • Loss of business income 
  • Legal action and fines, like GDPR charges
  • Ransom costs, if your data is held hostage
  • PR support to regain damaged trust
  • Possible repair costs 
  • Data breach measures, such as investigative proceedings

Access to expert advice and support

A key benefit of cyber insurance is that it gives you access to expert advice and support. Expertise on threat management is an important part of cyber insurance, and some insurers supply businesses with threat monitoring and management services. For example, according to the UK government’s Cyber Security Breaches Survey 2022, one organisation said that their insurance enabled them to monitor the dark web and flag if any of their accounts were being sold there.

Access to expertise on breach recovery was also named in the survey as a key reason organisations take out an insurance policy. This benefit can help companies ensure business continuity after a disruptive breach. Some policies also include access to expert forensic analysis of what caused the breach. This is important to help a business rectify the problem and implement preventative measures to make sure it doesn’t happen again.

Enhanced cybersecurity

Another valuable benefit is that a cyber insurance policy can help you build a strong cybersecurity framework. Insurers will require you to have a good level of security to be eligible for a policy. They usually carry out a risk assessment as part of the underwriting process to ensure your business isn’t a high risk. This can involve just completing a straightforward questionnaire or may go as far as involving an in-depth analysis of your security. However, like other kinds of insurance, your premium will decrease if you are judged to be a lower risk.

The eligibility criteria for cyber insurance cover can act as a framework to ensure good cyber hygiene. But, a simple way to boost your level of cybersecurity is to gain Cyber Essentials certification. Some insurers will offer discounts on insurance premiums if you have this, and simply by being certified, you can reduce your cyber risk by 98.5%. Cyber Essentials is a UK government-backed scheme covering everything your business should do to protect against cyberattacks, demonstrating that you take cybersecurity seriously.

Peace of mind

A big benefit of cyber insurance, which shouldn’t be overlooked, is that it provides considerable peace of mind. You can have all the strong cybersecurity possible to protect your business. However, with the ever-evolving threat landscape, you can’t be 100% sure you won’t still suffer from a cyberattack. With cyber insurance, you have the final safety net in place to ensure that you won’t have to worry about recovery costs if the worst happens and disaster strikes.

While cyber insurance doesn’t prevent an attack, it’s designed to stop a bad situation from getting worse. So, if you’re concerned about a cyberattack destroying your business, cyber insurance gives you complete peace of mind. You will have an extra layer of protection in addition to your cybersecurity, to cushion the blow.

What are the basic requirements for cybersecurity?

Ideally, no business only does the bare minimum for their cybersecurity. But it’s understandable that many small or medium businesses are limited by their budget. If this is the case for yours, you need basic cybersecurity measures that are effective yet affordable.

Here’s how you can ensure your business is protected and secure, without breaking the bank.

5 basic cybersecurity measures for businesses

Cybersecurity mustn’t slip under the radar for small businesses. 43% of all data breaches involve small businesses, with 60% of these businesses filing for bankruptcy within six months of an attack. 

Luckily, the cybersecurity landscape is full of many great solutions to secure your business, ranging in complexity and price depending on the levels of protection you need. And it can be helpful to go back to basics in tough economic times.

You can do this without sacrificing security by following the control areas of Cyber Essentials. We’ve outlined them, and what they mean for small businesses, in this blog.

Here are some examples of the basic cybersecurity measures that any small business can take to maintain a good level of protection against cyber threats:

1. Make your business internet connection secure

There’s always a risk to your business network and equipment when you have a broadband connection. Think about it – it’s always on – so there’s always a window of opportunity.

Luckily there’s no need to fret. Instead, ensure that you’re using a business broadband package. They’re more comprehensive compared to a home broadband package and include proactive security measures.

For example, many business broadband options are equipped with higher-grade security software. You should look for features such as a VPN, firewall, and the ability to filter content. With this functionality, you don’t need to spend more on additional solutions because your key security features are built in.

Need help finding the right cybersecurity accreditation for your business? Check out our guide.

2. Switch on secure settings for business devices

Business equipment and software often come with the manufacturer’s default settings. This is useful to set things up quickly. But did you know that it’s easy to ‘upgrade’ your devices to a more secure setting?

Secure settings provide a greater level of protection against security vulnerabilities. Simply check the settings of your business equipment and take a critical look at its features and services. For more explicit advice, the National Cyber Security Centre provides free, trusted security guidance for businesses across a wide range of platforms.

You can also implement measures like multi-factor authentication across devices as an additional level of security. Or set up a locking mechanism across devices that require either biometric, password or PIN access.

3. Manage data access in your business

Check that only the right people have access to the data they need in your business. 

For example, only certain team members might need to access sensitive data, so they are the only ones that need permission. 

A ‘least privilege’ policy is the best method of managing data access in your business. It only allows users to have the minimum level of access or permissions needed to perform their jobs. This creates a safer environment for your data and reduces the risk of harmful, or accidental, actions. 

4. Protect against malware and viruses

Antivirus software is a basic cybersecurity measure for all businesses. It’s a type of software product that detects, quarantines, and blocks malware from running on your business devices. Malware is malicious software that can impact your data, alter or hijack functions, or monitor end-user activity.

If your budget is tight, you don’t necessarily have to spend a lot of money on antivirus software. There are free and built-in antivirus solutions for most popular business platforms. If you’re looking for something a little more robust, read our blog that highlights our top 10 antivirus products.

5. Keep software and devices up to date

Manufacturers release regular updates for software and equipment, such as new features or bug fixes.

The programs, software, devices, systems, and tools you use every day will require updating every now and then. And if you’re using an old version that isn’t up to date, it leaves your business open to vulnerabilities. Ironically, even outdated antivirus software could be exploited by bad actors.

Regularly patching your software and devices avoids these problems. Making sure every tool in your business is running the latest version helps you create a safer working environment. 
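An added example, not from the original article: a minimal access review that applies the ‘least privilege’ policy from measure 3 and also flags accounts of people who have left but still hold access. The role names, permissions and accounts are constructed sample data, and the role baseline is an assumption you would replace with your own.

```python
"""Least-privilege access review over constructed sample data."""

# Assumed baseline: the minimum permissions each role needs to do its job.
ROLE_BASELINE = {
    "finance": {"invoices:read", "invoices:write", "payroll:read"},
    "sales": {"crm:read", "crm:write"},
    "it-admin": {"devices:manage", "accounts:manage"},
}

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "asha", "role": "finance", "active": True,
     "grants": {"invoices:read", "invoices:write", "payroll:read"}},
    {"user": "ben", "role": "sales", "active": True,
     "grants": {"crm:read", "crm:write", "payroll:read"}},
    {"user": "carl", "role": "sales", "active": False,
     "grants": {"crm:read"}},
    {"user": "dee", "role": "contractor", "active": True,
     "grants": {"crm:read"}},
]


def review_access(accounts, baseline):
    """Return (user, finding, permissions) tuples for every policy gap."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        grants = set(acct["grants"])

        # Someone who has left should hold no permissions at all.
        if not acct["active"]:
            if grants:
                findings.append((user, "leaver-still-has-access", sorted(grants)))
            continue

        # A role with no agreed baseline cannot be checked, so flag it
        # for a decision rather than silently passing it.
        allowed = baseline.get(acct["role"])
        if allowed is None:
            if grants:
                findings.append((user, "role-has-no-baseline", sorted(grants)))
            continue

        # Anything granted beyond the role's minimum is excess.
        excess = grants - allowed
        if excess:
            findings.append((user, "excess-permission", sorted(excess)))
    return findings


if __name__ == "__main__":
    for user, finding, perms in review_access(ACCOUNTS, ROLE_BASELINE):
        print(f"{user}: {finding}: {', '.join(perms)}")
```

Run it against an export from your own directory or SaaS admin console on a regular schedule, and after every staffing change.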

Always cover the basic cybersecurity principles

Implementing these basic cybersecurity measures is a simple, straightforward, and affordable method of keeping your business secure. 

And for small or medium businesses looking for extra security qualifications, these steps are part and parcel of qualifying for a Cyber Essentials certification – a government-backed qualification that proves to customers and partners that your business protects itself from cyberattacks.

Still unsure about what the 'must haves' are when it comes to your business's cybersecurity? Then check out our guide to cybersecurity on a budget.

Why cybercrime increases during a recession

The economy has taken a battering in recent times, and there’s much talk about the so-called ‘cost-of-living crisis’ we’re now experiencing. Whether there’s a full-blown recession ahead, or not, it looks like the economic outlook won’t improve any time soon. And experts agree this will spark a surge in cyberattacks. So, let’s take a look at why cybercrime increases with the looming threat of recession.

Why we can expect cybercrime to increase

The word among industry analysts is that the ongoing economic downturn will result in a significant rise in cyberattacks. Cybercriminals are already exploiting the financial situation, with an increase in social engineering attacks such as phishing emails offering rebates on energy bills to target vulnerable individuals and businesses. And, by all accounts, we can expect a great deal more of the same to come, as a distinct correlation exists between an uptick in cyberattacks and economic uncertainty.

Data shows that some types of cyberattacks are already rising considerably. According to Kaspersky Lab, the percentage of users affected by targeted ransomware doubled in the first 10 months of 2022. Phishing attacks also increased by 61% in 2022, according to the 2022 State of Phishing report from SlashNext. And, the Anti-Phishing Working Group (APWG) reported that there were a total of three million phishing attacks in the third quarter of the year – amounting to the worst quarter it had ever seen. 

Considering cyber insurance for your business? Check out our new guide for everything you need to know.

What role do businesses play? 

There are many reasons why cybercrime is increasing amid the current economic uncertainty. But most importantly, businesses are having to make difficult decisions to rein in costs. This is completely understandable in the climate. After all, we're all trying to keep our heads above water, but this could have a direct effect on businesses' online safety.

Although it’s ill-advised to reduce cybersecurity budgets, many business leaders underestimate the value of cybersecurity. The situation isn't helped by the perceptions of cybersecurity within organisations. IT leaders can often find it difficult to justify spending on cybersecurity, which doesn't often deliver visible benefits in the way other OPEX spending does. Think about it; you're unlikely to hear much about your business's cybersecurity unless something goes wrong. 

The result is often cuts in places they shouldn't happen. Consequently, such companies are at higher risk of falling foul of cyberattacks.

Businesses may also decide to cut spending by letting staff go or not replacing those that leave. And this can also impact a company’s resilience to cybercrime. Cutting IT staff may mean you have fewer people to provide the necessary protection. 

This also increases the pressure on your remaining staff which can lead to mistakes and oversights, which weaken your defences further. For example, if they receive a phishing email they’re more likely to make an error of judgement and click on a link that could download malware into your network.

Cybercriminals aren’t immune to economic instability

If you’re still wondering why cybercrime is increasing, well, a recession hits cybercriminals as well as their victims. So, this can be a strong motivating factor for the bad guys to redouble their efforts and make more money. The hard fact is that a recession, or economic downturn, incentivises cybercriminals to invent new types of threats. This was demonstrated during the recession of 2008 when the FBI reported a 22.3% increase in online crime. 

More recently, a crisis of a different sort, the pandemic, sparked a similar surge in cybercrime. And there’s no reason to think the current hardships won’t create a similar spike. Companies will continue to lay off employees in the months ahead, and some may be tempted into cybercrime to make ends meet. Disgruntled employees who’ve been fired could also launch damaging attacks on businesses that have let them go, especially if they still have access to sensitive data.

Another repercussion of the recession is a possible rise in insider attacks from employees who are feeling the pinch. This is particularly likely in businesses that have been forced to freeze salaries. Cybercriminals can specifically target possible insiders to help with data breaches or cyberattacks, using social media and offering bribes. 

Fighting back on a budget

Cybersecurity isn’t a nice-to-have; it’s business-critical. And this is never truer than in times of economic crisis. 

Small and medium-sized businesses often underestimate the danger they're in, partly due to the perception that only large corporates are targets. However, the truth is that cybercriminals don’t discriminate and the effects can be devastating. In fact, research has found that 43% of all data breaches involve small businesses.

However, you don’t need expensive tools, expert consultants, or an in-house technical team, to protect your business from cyber threats. It’s perfectly possible to build good defences on a sensible budget. Tools like CyberSmart Active Protect offer everything you need to get your cybersecurity in order, without huge investment. 

Active Protect secures all employee devices that touch your company data. Just send a downloadable link to staff, and Active Protect will check around the clock for the most common cyber threats and vulnerabilities. It also includes our training academy, which provides your employees with the basic cyber skills to better protect themselves and your business. 

Want to know more? Then check out our guide to cybersecurity on a budget.


The cost of cybercrime: Is cybersecurity worth it?

If you’re wondering ‘Is cybersecurity really worth it?’, the short answer is unequivocally ‘Yes!’, especially now that the economic climate is taking a downturn. In this cost-of-living crisis, the threat to your business from rising cybercrime rates could be even higher. But let’s see why cybersecurity is worth spending some money on compared to the cost of cybercrime.

False economy

Rising costs for just about everything means businesses have to make cutbacks. The trick to riding out the storm is recognising what’s an essential and what’s a luxury to cut. Cybersecurity falls into the ‘essential’ category. 

Cybersecurity should be thought of as an investment, not an expense. It protects you from the much greater costs of cybercrime, such as business disruption and financial losses. In fact, everything you do to protect yourself in preparation for a possible attack will save you money in future. Cutting back on such a necessity would only be a false economy.

If you run a small business, you could be forgiven for thinking that cybersecurity isn’t worth it. You may conclude that your business isn’t at risk if you’ve seen the media coverage of cyberattacks on large corporations. Unfortunately, this isn't true. No business is too large or too small to be subjected to cybercrime. Research suggests that 43% of all data breaches involve small businesses. In fact, smaller businesses can be an attractive target as they may be less likely to have the necessary cybersecurity to keep their data safe.

Strong cybersecurity is always worth it. Beyond the immediate financial cost of cybercrime, which can be high, the damage to your business’s reputation if confidential data is exposed can be long-lasting. This may affect your ability to do business in future, especially if you’re in a sector that handles highly sensitive data, such as financial services and healthcare. Potential customers will think twice before handing over personal and financial details if they doubt that they’ll be protected.

The true cost of cybercrime to a business can be complex and far-reaching and may include:

  • Significant monetary theft
  • Substantial business downtime
  • Damage to your business’s reputation
  • An increase in your insurance premiums
  • Loss of intellectual property
  • Network repairs
  • Public relations costs
  • Compliance fines

Confused about Cyber Insurance? Check out our new guide for everything you need to know.

A good return on investment

Good cybersecurity delivers a good return on investment (ROI) by preventing or mitigating the impact of an attack. According to the UK Government’s Cyber Security Breaches Survey 2022, in the last 12 months, 39% of UK businesses identified a cyberattack. And, in the case of those organisations that reported a material outcome, such as loss of money or data, there was an average estimated cost of £4,200. However, where only medium and large businesses were considered, this figure rose to £19,400. Far worse, according to a study by TrendMicro, 60% of small businesses close within six months of a cyberattack. 

What’s more, another survey found that 83% of small and medium-sized businesses aren’t financially prepared to recover from a cyberattack. Indeed, a report by the European Union Agency for Cybersecurity (ENISA) revealed that 85% of surveyed small and medium-sized enterprises agreed that cybersecurity issues would seriously affect their businesses, and 57% admitted they would most likely go out of business.

Even if your company survives such an attack, the cost of cybercrime can be devastating. A study by Cisco found that 40% of small businesses that are hit by a severe cyberattack experienced at least eight hours of downtime, accounting for a large part of the overall cost of a security breach. 

So, a relatively small investment in cybersecurity today gives you a good ROI by saving you money in the long run.

The rising rate of cybercrime

The chances of being the victim of cybercrime are also growing fast, so the time is right to get your house in order and protect your business with reliable cybersecurity. 

Rates of cybercrime have been increasing for years, with a rapid rise in remote and hybrid working heightening companies’ vulnerability to attack. But over the last year, attacks have spiked. For example, the percentage of users impacted by targeted ransomware doubled in the first 10 months of 2022. And, according to the 2022 State of Phishing report from SlashNext, phishing attacks have also increased by 61% in 2022.

Experts warn that with the cost-of-living crisis, we should expect cybercrime to escalate even more and cyberattacks to increase in sophistication. Unfortunately, there is a correlation between tough economic times and a rise in cyberattacks. More people may be tempted to turn to cybercrime, and there could be an increase in social engineering attacks specifically designed to exploit the financial hardship of recipients, manipulating vulnerable victims into handing over valuable data.

So, now is not the time to cut back on cybersecurity, as the cost of cybercrime means it’s just not worth taking the risk.

Good cybersecurity needn’t be daunting

This may all sound worrying, but it really is easy to protect your business, and this doesn’t have to cost the earth. As the UK Government’s Small Business Guide: Cyber Security says: ‘Cyber security needn’t be a daunting challenge for small business owners’. 

However, many enterprises have yet to protect themselves sufficiently. According to a report from Kaspersky, as many as a quarter of UK companies admit to underfunding cybersecurity, even though 82% have suffered cyberattacks. Another study also found that one-third of companies with 50 or fewer employees were using free, consumer-grade cybersecurity, leaving themselves more vulnerable to attacks.

A big reason for this could be that protecting your business on a budget can be tricky – employing experts or investing in the latest tools can be costly. However, reliable cybersecurity does not have to be prohibitively expensive or complicated. CyberSmart Active Protect provides robust protection with no need for pricey tools, consultants, or an in-house team. It’s a cost-effective and easy way to secure all employee devices that touch your company data. Simply send a downloadable link to your staff and Active Protect will do the rest, checking 24/7 for the most common cyber threats and vulnerabilities.

So, when you consider the cost of cybercrime and the rising number of attacks, cybersecurity is undoubtedly worth it.

Why you could be eligible for free Cyber Essentials certification

Do you run a small charity or legal aid firm? If so, you could be eligible for funded Cyber Essentials certification to help you put basic cybersecurity measures in place. Here’s everything you need to know.

What is the funded Cyber Essentials scheme? 

Small charities and legal aid firms protect and serve some of the most vulnerable in our society. However, unfortunately, they’re also a key target for cybercriminals. The NCSC’s Cyber Breaches Survey 2022 revealed that 30% of UK charities identified a breach in the last 12 months.

The reason for this is simple. Charities and legal aid firms process large volumes of highly sensitive data but often have relatively weak defences – making them an ideal target for cybercriminals.

To counter this, the National Cyber Security Centre and IASME have launched the new Funded Cyber Essentials Programme. This offers small organisations in high-risk sectors free, practical support to help put basic cybersecurity controls in place and achieve Cyber Essentials certification. 

How does the scheme work? 

Qualifying organisations will receive up to 20 hours of remote support with a Cyber Essentials Assessor – all at no cost. Our assessors will spend this time helping you identify and implement the improvements needed to meet the 5 technical controls of Cyber Essentials. We’ll follow this up with an assessment to ensure everything is in place. 

With our guidance, you’ll be ready to take the Cyber Essentials and Cyber Essentials Plus certifications. If it’s not possible for you to complete Cyber Essentials Plus after 20 hours of support, we’ll give you clear directions on how to become assessment ready. 

Is the certification free? 

Yes. IASME has agreed to fund both Cyber Essentials and Cyber Essentials Plus certification for successful applicants to the scheme.

Who is eligible for the scheme? 

To qualify for this scheme, your organisation must be:

  • A micro or small business (1 to 49 employees) that offers legal aid services
  • A micro or small charity (1 to 49 employees) that processes personal data

No previous cybersecurity experience or certification is required. Even if you’re completely new to cybersecurity, we’ll guide you through the process.

How long is the scheme running for? 

The scheme runs until the end of March 2023. However, it’s worth noting that IASME is offering a limited number of funded packages. So it’s worth getting your application in as soon as possible. 

What is Cyber Essentials?

The Cyber Essentials scheme is a UK-government-backed cybersecurity certification that outlines the security procedures a company should have in place to secure its data. Cyber Essentials is highly recommended for SMEs because this certification protects you against 98.5% of the most common cyber threats.

Cyber Essentials Plus includes all of the same technical controls but with one major difference. Whereas Cyber Essentials is a self-assessed certification, Cyber Essentials Plus includes a technical audit of your systems. This next step gives you complete peace of mind your cybersecurity is up to scratch. And your clients and partners don’t have to take your word for it that you’re cyber secure – they can rely on the expertise of a professional.

Can I apply to the scheme through CyberSmart? 

Yes. As the UK’s leading provider of cybersecurity certifications, we’re proud to be taking part in this scheme. 

To apply for the scheme, head to IASME’s Funded Cyber Essentials page and fill in the form at the bottom of the page. If you’re successful in your application, IASME will pass you over to us (or another certification body) to complete the certification process.

Alternatively, if you’re one of our partners or MSPs and want to refer a customer for the scheme, get in touch. We can apply on your client's behalf and ensure the support and certification is carried out by CyberSmart.

Want to know more about cybersecurity certifications? Check out our in-depth guide to cybersecurity certifications in the UK.