The journey to cybersecurity compliance isn’t easy. You might start at the basics of Cyber Essentials certification and progress to take on the challenge of ISO 27001 compliance. It takes effort to get certified but if you put in the work, you’ll reap the benefits. You could enjoy:
Greater trust from customers and vendors
The chance to bid for government contracts
Protection from cyberattacks
GDPR compliance
Two of the biggest challenges facing businesses are knowing where to get started and how to build knowledge, but you don’t have to navigate cybersecurity alone. We’ve put together this new, updated guide as your one-stop shop for the three most common UK cybersecurity certifications.
What’s covered?
In this guide, we outline how to choose the right certification for your business, how to get certified, and where to go for support.
Cyber Essentials
With information on recent updates
Cyber Essentials Plus
ISO 27001
How to make compliance easy
Advice on getting started
Where to find support
So, if you're unsure about whether your business needs a cybersecurity certification or which one is right for you, start by downloading our guide. It's free and includes everything you need to know to make a decision.
The cost of cyber insurance can vary considerably depending on several factors, such as the size of your business, the sector it’s in and the sensitivity of the data you deal with. However, in the current cyber threat landscape, the cost to your business of not having any cyber insurance in place could be catastrophic. So, let’s take a closer look at the cost of cyber insurance, what it covers, and what may impact your premiums.
What is cyber insurance and why do you need it?
Just as you insure your car against damage and loss, cyber insurance is a contract between you and an insurer whereby they agree to pay you for any losses you incur related to your IT infrastructure or data management. It’s a relatively new kid on the block in the world of insurance, only thought to have originated in 1997.
However, with the rapid rise of the Internet, cyber insurance has become increasingly popular. Few businesses can now hope to succeed without some online presence. And, you need to do all you can to protect yourself from cyberattacks and the damage these can do to your company.
The bottom line is that cyber threats have skyrocketed in the last few years, with the rise in hybrid and remote working increasing the vulnerability to attacks of many businesses. In fact, recent research shows that in 2021 there were 50% more cyberattacks per week on corporate networks than in 2020.
If your company is a small or medium-sized business, you could be forgiven for thinking that you’re relatively safe from such threats. After all, media reports typically focus on attacks on large organisations, but this isn’t the case. Threats such as ransomware attacks can affect any company.
For example, the 2021 Verizon Data Breach Investigations Report revealed that 61% of all small and medium-sized businesses had reported at least one cyberattack in the previous year. What's more, 43% of all data breaches involve small and medium-sized businesses.
According to Hiscox, a small business is hacked in the UK every 19 seconds. And cyber breaches cost the average small business £25,700 in basic ‘clear up’ costs each year. Although there are cybersecurity best practices you can adopt to decrease the likelihood of a successful attack, there's no such thing as complete protection. So, the next best thing is to purchase cyber insurance to help mitigate the risks and possible effects of a cyberattack.
There are two main costs when you take out cyber insurance:
Your insurance premium: This is the basic cost of your insurance protection, payable monthly or yearly
Your insurance excess: This is the lump sum that you pay if you make a claim. If you choose a small excess, this will usually make your insurance premium more expensive
As with all insurance, the cost of cyber insurance to your business depends on various factors:
The size of your business: This can be a strong influencing factor on the cost of cyber insurance. The more staff you have, the higher the risk of you falling foul of phishing and social engineering attacks. A company with a large annual turnover is normally more expensive to insure than a smaller business
Your business sector: Certain industries are more vulnerable to cyberattacks than others. For example, a finance organisation or charity may be at higher risk than a restaurant
The strength of your cybersecurity: If the cybersecurity measures you have in place are robust, you may be rewarded with lower insurance premiums. It, therefore, pays to employ strong security protocols and educate your staff on cyber risks
The amount and sensitivity of the data you deal with: If your business has a small customer base, or doesn’t hold a lot of sensitive data, you may pay less for your cyber insurance. For instance, a healthcare facility that stores lots of highly sensitive personal information will usually pay more than a hairdresser
The level of cover you choose: If you opt for a basic policy, providing limited protection, it’s likely to be less expensive than a more comprehensive policy
Picking the right type of cover
Cyber insurance falls into two main types. And it’s important to choose the right one for your business.
First-party cover: This protects your company against the direct results of a cyberattack
Third-party cover: This includes the indirect consequences of a cyberattack. It also provides protection for businesses that offer professional services to other businesses. For example, if you’re being sued by another company for errors you’ve made which have resulted in damages
First-party insurance is usually less expensive than a third-party policy. However, it doesn’t provide as much protection. Not all businesses need third-party protection, but organisations that are mostly technology-based will probably need to consider it.
What cover do you get for the cost?
Cyber insurance will cover you for a range of cyber risks, including:
Malware, including ransomware attacks
Denial-of-service attacks
Social engineering attacks, including phishing
Data privacy breaches
Although it's difficult to estimate exactly what your cyber insurance costs might be (every business is different), it should cover you for:
Loss of income
Repair costs and damage control
Fines and legal action, such as GDPR violation charges
Ransom costs, if someone holds your data hostage
Public relations support, to regain damaged trust
Data breach measures, including investigative proceedings and customer support
At the end of the day, an insurance policy won’t protect you from a cyberattack happening. Only strong cybersecurity can do this. But, given the speed and sophistication of cyberattacks, being hit as a small business isn’t a question of if it will happen, but when.
So, cyber insurance can be invaluable, as it will help to put you back into the state you were in before an attack took place. Your insurer can also provide skills and expertise, such as ransomware negotiation, PR cover, and data recovery skills that you might not have in-house.
The cyber insurance market is changing
Protecting your business on a budget can certainly be tricky, but new products are now disrupting the insurance space and offering more cost-effective solutions. Cyber insurance is evolving and CyberSmart is at the forefront of this revolution.
The traditional, standalone cyber insurance model, without protection or monitoring, is fast becoming obsolete and driving substantial premium increases. Providing insurance before managing the risk is fundamentally flawed, leading to suboptimal outcomes for the insurer and the insured. However, CyberSmart takes a more holistic view of risk, not just looking at technology, but also at processes and people to reduce the level of cyber risk as a whole.
With CyberSmart Active Protect, you can proactively manage risk 24/7. It identifies risks and provides simple, jargon-free instructions for fixing vulnerabilities. Our user-friendly platform ensures everyone in your business is working safely, with visibility of every device in your organisation.
In addition, we offer £25k worth of enhanced cyber insurance for free once Cyber Essentials certification is completed. So you can minimise your risk of cyberattacks, gain peace of mind, and cover yourself with affordable insurance, in case the worst should happen.
If you’re considering cyber insurance or just curious as to what it’s all about, check out our guide, Cyber Insurance Trends 2023. It’s a great introduction to the industry and you can download it, for free, here.
Cloud computing is everywhere. You probably don’t think about it all that much, but most of the platforms and software you use will be hosted in the cloud. However, while cloud-based platforms are generally the safest around, there are extra steps you can take to protect your business. Here are our top 5 tips for improving your cloud security.
1. Use Multi-factor authentication
Multi-factor authentication (MFA) is an authentication tool that requires you to provide two or more verification methods to sign into an application. Rather than just asking for a username and password, MFA adds some extras. For example, a randomly generated pin code sent by SMS, a thumbprint, or a piece of memorable information only you know. You’ve probably already used MFA plenty in your day-to-day life. Many applications now require it and we’re well on the way to it being a near-universal security tool.
This is happening for a very good reason. Strong passwords are important, but they aren’t infallible. A well-orchestrated brute force attack could still find a way through. In contrast, MFA is incredibly difficult for a cybercriminal to crack without access to your phone, fingerprints or deeply personal information. Moreover, under the new Cyber Essentials requirements, MFA should always be used for accounts connecting to cloud services.
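To show what the “extra” factor actually checks, here is an added example (not CyberSmart’s code) of how an authenticator-app style one-time code is generated and verified: TOTP as defined in RFC 6238, built on HOTP from RFC 4226. The text above uses an SMS code as its example; an app-generated code is assumed here because it can be demonstrated offline. The secret and timestamp are the RFC’s published test values, not real credentials.

```python
"""Added example: generating and verifying a time-based one-time password (TOTP),
the second factor an MFA login checks after the password.  Not CyberSmart's code."""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30       # seconds each code is valid for; the usual authenticator default
DIGITS = 6
VALID_WINDOW = 1     # also accept the step before and after, to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """Time-based code (RFC 6238): HOTP with the counter taken from the clock."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[int] = None) -> bool:
    """Server-side check of the code a user typed after their password.

    Compares against the current step and its neighbours with a constant-time
    comparison, so response timing does not reveal how many digits matched.
    """
    now = int(time.time()) if at_time is None else at_time
    counter = now // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-VALID_WINDOW, VALID_WINDOW + 1)
    )


# Constructed demo secret: the RFC 6238 test key (ASCII "12345678901234567890").
# A real deployment generates a random secret per user and shares it once, e.g. via QR code.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))                           # 287082 (RFC test vector)
    print(verify_totp(DEMO_SECRET, "287082", at_time=59))  # True
```

The point for a defender is in `verify_totp`: a stolen password alone produces nothing the server will accept, because the code depends on a secret that never leaves the user’s device and on the current time. A production check should additionally remember the last code it accepted and refuse to accept it a second time.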
2. Only give staff the access they need
It’s likely you’re already doing this with some of the cloud-based software you use. After all, who pays for licences they don’t need? However, as a general rule, it’s important to give your staff access to all the resources and data necessary for their roles, and no more.
There are two key reasons for this. Firstly, it reduces the risk of someone editing or deleting important information by accident. But, more importantly, it protects you from hackers who have stolen an employee's credentials.
Practising proper segregation of user accounts limits the damage any successful breach can cause. To learn more about how to do that, check out our blog on admin users.
3. Create a comprehensive off-boarding process
It’s never nice when a colleague leaves, especially if it’s not on good terms. But however staff leave, you need to make sure they no longer have access to cloud platforms, systems, data and customer information. Of course, it’s unusual for employee off-boarding to go dramatically wrong, but that doesn’t mean you shouldn’t take precautions. Too many businesses leave the process weeks or even months after an employee has left, or forget altogether.
This is a big security risk. By failing to cull access permissions for former employees, you’re losing control over who can access your systems and data, and potentially giving cybercriminals an easy route into your business.
To prevent the worst, you’ll need a systematic process for ensuring all access rights are revoked. This can be tricky as most employees will have access to a range of applications and platforms. So, to make it a simpler process, keep an up-to-date list of who has access to what. And, if you don’t have the bandwidth to do so in-house, there are plenty of tools available to automate the process.
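The “keep an up-to-date list of who has access to what” advice only pays off if that list is actually checked against who still works for you. Below is an added example (not CyberSmart’s code) that reconciles an access register against an HR roster and produces a revocation worklist, with leavers’ admin accounts first. The people, platforms and dates are constructed sample data.

```python
"""Added example: finding accounts that should have been revoked when someone left.
Not CyberSmart's code; the roster and register below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Access:
    person: str          # e-mail address used as the identity key
    platform: str        # cloud service or system the account lives on
    role: str            # e.g. "user" or "admin"


@dataclass(frozen=True)
class Employee:
    email: str
    leave_date: Optional[date]   # None means still employed


# Constructed sample data: who HR says works (or worked) here ...
ROSTER = [
    Employee("ana@example.co.uk", None),
    Employee("ben@example.co.uk", date(2023, 3, 31)),
    Employee("cara@example.co.uk", date(2023, 6, 15)),
]

# ... and what the access register says people can log in to.
ACCESS_REGISTER = [
    Access("ana@example.co.uk", "CRM", "user"),
    Access("ben@example.co.uk", "CRM", "admin"),
    Access("ben@example.co.uk", "File share", "user"),
    Access("cara@example.co.uk", "Payroll", "user"),
    Access("dan@example.co.uk", "CRM", "user"),   # nobody in HR has a record of Dan
]


def find_orphaned_access(roster, register, today) -> Tuple[List[Access], List[Access]]:
    """Return (leaver_access, unknown_access).

    leaver_access: accounts held by people whose leave date has passed.
    unknown_access: accounts for identities HR has no record of at all; these
    need investigating (shared mailbox? contractor? attacker?) rather than
    silent deletion.
    """
    leavers = {e.email for e in roster if e.leave_date and e.leave_date <= today}
    known = {e.email for e in roster}
    leaver_access = [a for a in register if a.person in leavers]
    unknown_access = [a for a in register if a.person not in known]
    return leaver_access, unknown_access


def days_overdue(roster, access: Access, today) -> int:
    """How long an account has outlived its owner's leave date, for prioritising."""
    leave = next(e.leave_date for e in roster if e.email == access.person)
    return (today - leave).days


def revocation_worklist(roster, register, today):
    """Sorted list of (days_overdue, platform, person, role).

    Leavers' admin accounts are the most dangerous, so they come first; within
    each group the longest-overdue account is listed first.
    """
    leaver_access, _ = find_orphaned_access(roster, register, today)
    items = [(days_overdue(roster, a, today), a.platform, a.person, a.role) for a in leaver_access]
    return sorted(items, key=lambda item: (item[3] != "admin", -item[0]))


if __name__ == "__main__":
    today = date(2023, 7, 1)
    for item in revocation_worklist(ROSTER, ACCESS_REGISTER, today):
        print(item)
    _, unknown = find_orphaned_access(ROSTER, ACCESS_REGISTER, today)
    print("Unknown identities:", [(a.person, a.platform) for a in unknown])
```

Run against a real export, the register would come from each platform’s user list and the roster from HR; the reconciliation is the same. Running it on a schedule turns off-boarding from something you hope someone remembered into something that is checked.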
4. Consider a cloud-to-cloud backup service
As we’ve mentioned, a direct breach of any cloud platform you use is unlikely (though not impossible). Nevertheless, the risk to your data from human error is high. Some 90% of all breaches start with some form of human error. The problem is, should a cybercriminal corrupt your data or an employee delete something, most cloud platforms will only keep backups of deleted data for a specific period. This can range from days to months. So as well as checking with the provider what its policy is, it could be worth having a reserve option.
Many providers offer regular cloud-to-cloud backup services. And, it’s an option well worth considering for particularly important or sensitive data.
5. Provide regular security training for employees
If you’ve read any of our blogs before, you’ll know we really hammer home the importance of staff training. Cloud platforms typically have very good defences, meaning the most likely way a hacker will bypass them is by stealing employees’ login credentials. This will usually happen through a social engineering attack, such as phishing. The best way to counter this is with regular security training. That way, your people will be able to recognise potential threats and avoid them. There’s no such thing as one-size-fits-all security training. What the training looks like will depend on your staff and their knowledge gaps.
However you do it, keep it regular, useful, and engaging. For more on how to get started, we recommend reading our blog on security training. To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.
Business email compromise (or BEC) attacks are a threat to organisations of any size. Here’s everything you need to know to protect your business.
How does a business email compromise attack work?
A BEC scam is a form of social engineering attack. It usually involves an attacker impersonating the top dog (such as the CEO or founder) in a business to defraud the company and its employees, partners and customers.
The bad guys achieve this by creating an email account with a very similar address to the real thing. For example, say your CEO’s email address is ‘john.smith@cybersmart.co.uk’, the hacker’s impersonation might be something like ‘js@cybersmart.gmail.com’.
It’s just plausible enough that, were you in a hurry or unfamiliar with the real email address, you might share sensitive information or fulfil a request without giving it too much thought. Like all social engineering scams, BEC attacks rely on creating a sense of urgency and implied trust in an email that comes from a seemingly legitimate source. A sense of urgency because employees are likely to hop to it pretty quickly if a CEO requests something. And, trust because of the assumed gravitas an email from an important person within a company carries.
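A mail filter or a person can apply the same reasoning the paragraph above describes. Here is an added example (not CyberSmart’s code) that checks an inbound message’s From and Reply-To headers against a small directory of the people most likely to be impersonated. It assumes a company domain of `cybersmart.co.uk` and the `john.smith` address used in the text; the directory and headers are constructed sample data.

```python
"""Added example: flagging senders that look like a senior person in the company
but do not come from the company's own domain.  Not CyberSmart's code."""
from email.utils import parseaddr
from typing import List

ORG_DOMAIN = "cybersmart.co.uk"   # assumed organisation domain for the demo

# Constructed directory of people attackers are most likely to impersonate.
EXECUTIVES = {
    "john smith": "john.smith@cybersmart.co.uk",
}


def normalise_name(name: str) -> str:
    return " ".join(name.lower().split())


def initials(name: str) -> str:
    return "".join(part[0] for part in normalise_name(name).split())


def sender_flags(from_header: str, reply_to_header: str = "") -> List[str]:
    """Return the reasons a sender looks like a BEC impersonation attempt.

    An empty list means no indicator fired; it does not prove the mail is safe
    (a genuinely compromised internal account passes every check here).
    """
    flags = []
    display, address = parseaddr(from_header)
    local, _, domain = address.lower().rpartition("@")

    if domain != ORG_DOMAIN:
        # e.g. cybersmart.gmail.com: contains the company name but is not the company's domain
        if ORG_DOMAIN.split(".")[0] in domain:
            flags.append(f"domain '{domain}' contains the company name but is not {ORG_DOMAIN}")
        for name, real_address in EXECUTIVES.items():
            real_local = real_address.split("@")[0]
            if normalise_name(display) == name:
                flags.append(f"display name '{display}' matches {real_address} but was sent from {domain}")
            # Same local part, the dotless form, or the person's initials on a foreign domain
            if local in {real_local, real_local.replace(".", ""), initials(name)}:
                flags.append(f"address '{address}' mimics {real_address}")

    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if reply_addr.lower() != address.lower():
            flags.append(f"Reply-To '{reply_addr}' differs from From '{address}'")
    return flags


if __name__ == "__main__":
    for reason in sender_flags("John Smith <js@cybersmart.gmail.com>"):
        print("-", reason)
```

The three checks mirror what a careful employee would notice: a domain that merely contains the company name, a familiar display name on an outside address, and a reply address that quietly differs from the visible sender. Any one of them is a reason to pause and confirm the request through another channel.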
What do business email compromise attacks seek to gain?
Cybercriminals use BEC attacks for all sorts of nefarious ends. It might be that they want to steal sensitive data, gain access to company systems, set up a ransomware attack or dupe the victim into paying for something.
Sadly, BEC attacks lend themselves to just about any purpose, making them a highly versatile weapon for cybercriminals.
As they often lead to huge losses for the victim, you’ve likely seen the results of successful BEC scams in the media – even if they weren’t necessarily reported using the term.
Facebook and Google
Undoubtedly the most famous of all time was the Facebook and Google scam, carried out between 2013 and 2015. A Lithuanian cybercriminal called Evaldas Rimasauskas set up a spoof company named ‘Quanta Computer’ (which also happened to be the name of a real supplier).
Rimasauskas then emailed convincing fake invoices to both tech giants. Both duly paid, again, again and again, until they’d been defrauded out of $121 million. Rimasauskas was eventually caught in 2019 and sentenced to 5 years in prison for wire fraud.
Toyota Boshoku Corporation
In 2019, cybercriminals contacted the finance department of a company in Toyota’s supply chain posing as a legitimate business partner. They used the classic social engineering tactic of creating a sense of urgency, claiming that the transaction needed to be paid quickly to avoid slowing the manufacturing process.
Unfortunately, someone at the company took the bait. The subsidiary transferred more than $37 million in parts orders to the fake company. It remains one of the biggest losses to a BEC scam ever recorded.
Reading these examples, it’s easy to form the impression that BEC scams are usually targeted at large companies. However, this isn’t the case.
Although cybercriminals’ final target is often a big corporate, they’ve become more and more inventive about how they get there. As with many other forms of attack, many BEC scams now originate in the supply chain. Even if you’re a smaller business, it’s no guarantee that cybercriminals won’t try to use you as a backdoor into a larger organisation in your supply chain. So, how can your business protect itself?
How can you protect your business?
Secure your supply chain
As we mentioned earlier, a large proportion of BEC attacks begin in the supply chain. So the best form of defence is to secure the links in your supply chain.
How that looks in practice will depend on your business and who it works with. However, a great place to start is by ensuring your cybersecurity is up to scratch. Once that’s the case, talk to your suppliers and partners about their cybersecurity practices and share experiences and advice. Many a breach could’ve been avoided with better communication across a supply chain. Finally, aim to work with businesses that have Cyber Essentials certification as a minimum. This will give you confidence the suppliers and partners you work with take cybersecurity just as seriously as you. To find out more about securing your supply chain, check out this blog.
Educate your staff
Like all social engineering attacks, BEC scams rely on human error. If your people can recognise the signs of a BEC scam, your business is less likely to be breached. The best way to achieve this is through security training.
Training can help your employees recognise the tactics typically used in BEC attacks, such as posing as a supplier, creating a sense of urgency, or requesting suspiciously large amounts of money. The most important way to counter a BEC scam is simply pausing to think about the request and whether it’s legitimate. Training can help this become a habit.
Create clear cybersecurity policies
To ensure your people know what good cybersecurity practices look like, you need a clear, easy-to-follow cybersecurity policy. And make sure they know where to find it. A cybersecurity policy is only as effective as the number of staff who’ve read and followed it.
Create a positive cybersecurity culture
The most formidable opponent of good cybersecurity isn’t the bad guys, it’s poor communication. Your employees need to feel comfortable raising concerns or reporting anything that doesn’t seem right. Without such a culture in place, you risk security threats being raised or discovered far too late.
Encourage everyone in your organisation to ask questions, report anything that concerns them and learn as they go.
To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.
The 7 biggest challenges of ISO 27001 certification
It takes months of hard work to meet the rigorous standards outlined by ISO 27001. But if you think it’s the right move for your business, then these are the challenges you should be aware of before starting your journey.
What is ISO 27001?
ISO 27001 is an international information security standard. It was first published by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and revised in 2013.
The standard contains 10 management system clauses and 114 information security controls. These provide businesses with impartial, best-practice guidance on building, deploying, and maintaining a robust information security management system (ISMS). ISO 27001’s guidelines cover all key areas in your business, including people, processes, and tools.
ISO 27001 is more comprehensive than similar security certifications, like Cyber Essentials. It isn’t mandatory for UK SMEs, but there are several benefits:
The benefits of ISO 27001 certification
Protect your business and customers from cybersecurity threats
Reassure customers
Enhance your reputation
Avoid the financial penalties associated with data breaches
1. Knowing where to start
ISO 27001 is complex. Annex A of ISO 27001 contains 114 controls. These cover everything from information security protocols to incident management and business continuity. It’s a lot to take in and leaves many businesses asking the question: “where do I start?”
2. Building a security framework
Before embarking on ISO 27001 certification, you should have a robust information security framework in place. This outlines your cybersecurity policies, as well as the processes and tools you use to protect sensitive data from potential threats. It also explains what to do in the event of a security breach.
Auditors assess cybersecurity risks against this framework. If you don’t have one, you’ll have to build it from scratch. This is a significant undertaking and can set your project back by several months.
3. Identifying security gaps
What does your current information security ecosystem look like? It’s a simple question, but unless you review your processes, policies, and tools regularly, it’s difficult to get the complete picture you need to spot potential blind spots in your defences.
This is problematic for two reasons:
It’s difficult to see where you should focus your efforts
You might waste time on unnecessary tasks
You wouldn’t be the first business to spend days writing a new bring-your-own-device policy, only to discover you already have one hidden in a rarely used SharePoint folder. A comprehensive gap analysis can provide you with the information you need. But it requires the cooperation and support of every department to make sure nothing falls through the cracks.
4. Establishing responsibilities and ownership
You might think the ISO 27001 certification process is the sole responsibility of the IT department. But that’s not always the case.
ISO 27001 isn’t only about anti-virus software and data protection. It encompasses everything from helping individual team members understand their responsibilities and physical controls to managing supplier risks and compliance.
The COO, operations teams, and HR all have a role to play in helping you achieve ISO 27001 certification.
5. Getting stakeholder buy-in
ISO 27001 certification is a long, intensive, and expensive process. You’ll have to put up with plenty of disruption along the way, and this can be a deal-breaker for some stakeholders. If your business has always worked in a certain way – and succeeded – stakeholders might justifiably ask: “is ISO 27001 worth the hassle?”
You can overcome these objections by building a business case that outlines the value of ISO 27001 certification. This includes the benefits of ISO certification, such as stronger information security processes and enhancing your reputation.
6. Having no project plan
Attempting ISO 27001 certification without a plan is like trying to hit a bullseye while wearing a blindfold. You’ll hit the target eventually, but it’ll take longer and require considerably more effort.
ISO 27001 is a complex and time-consuming process. Successful ISO 27001 certification is a business-wide effort, and that means you need a project roadmap to:
Split the project into smaller, more manageable steps
Provide clear timelines for delivery
Ensure everyone’s on the same page
7. Implementing the project
One of the biggest challenges of ISO 27001 certification is implementing the project. SMEs typically lack the internal skills and knowledge to make the changes required by the ISO.
The key to a successful ISO 27001 implementation is to provide internal teams with the relevant security training, so they can implement the changes with confidence. Alternatively, you could work with a third-party auditor to make sure you’re moving in the right direction.
Is ISO 27001 right for my business?
It depends. Most businesses that embark on ISO 27001 certification are enterprises that have an information security framework in place and are ready to add another layer of protection. They also have the resources to implement the required changes.
For most UK SMEs, ISO 27001 is a nice-to-have rather than a necessity. Cyber Essentials and Cyber Essentials Plus provide all the security you need to defend your business against the most common cyber threats, like phishing scams and human error.
We certainly wouldn’t recommend attempting ISO 27001 until you’ve completed Cyber Essentials at the very least. Cyber Essentials accreditation isn’t a prerequisite for ISO 27001. But starting with ISO is like trying to run before you can walk.
Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.
You’ve probably heard of phishing scams, have a decent handle on what they look like, and know how to avoid them. But just when you thought it was safe to log back onto your devices, there's a new threat in town. 'Smishing'.
Silly name aside, smishing is a pretty potent cyber threat and has fooled thousands of victims to date. So, to arm your business against this new breed of scam here's everything you need to know.
How does Smishing work?
Smishing attacks are a mutation of a classic phishing scam. They typically use SMS (hence the ‘smish’ part of ‘smishing’) to target victims and usually work much the same way as a typical phishing scam. A cybercriminal will impersonate a legitimate company to solicit personal data or financial information.
Like most social engineering attacks, smishing relies on creating a sense of urgency to trick victims into giving away their details before thinking too much about whether the message is legitimate. For example, a textbook smishing message often looks something like this:
“Hi, Your Parcel Service package has extra shipping charges of £1.45 that must be paid before we can deliver your parcel. Please click parcelsevice-17374330.com to pay.”
Notice that this text message doesn’t feel quite right. The language isn’t quite what you’d expect from a professional courier, the link looks dodgy, and there’s lots of slightly shonky bold text everywhere. And on top of this, few couriers or postal services would notify you of extra charges via an SMS. However, if you’re in a hurry or are expecting a parcel, you might just hit the link without thinking too much about it. And it’s exactly that scenario that the bad guys are counting on.
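The cues just listed (a link whose domain is almost, but not quite, a real brand; urgency wording; a small payment demand) can be scored automatically. Here is an added example (not CyberSmart’s code) that triages an SMS on those cues, using the parcel message above as its sample input. The list of legitimate brand domains is an assumption for the demo; the messages are constructed.

```python
"""Added example: scoring an SMS for the smishing cues described above.
Not CyberSmart's code; KNOWN_BRANDS and the sample messages are constructed."""
import re
from typing import List, Optional

KNOWN_BRANDS = {"parcelservice": "parcelservice.com"}   # assumed legitimate domain(s)
URGENCY = ("must be paid", "immediately", "within 24 hours", "suspended", "before we can")
PAYMENT = re.compile(r"£\s?\d+(?:\.\d{2})?")
# Matches bare or schemed links such as parcelsevice-17374330.com or https://x.co.uk/p
URL = re.compile(r"(?:https?://)?\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

# The smishing text quoted above, and a constructed legitimate message for contrast.
SAMPLE_SMISH = ("Hi, Your Parcel Service package has extra shipping charges of £1.45 that "
                "must be paid before we can deliver your parcel. Please click "
                "parcelsevice-17374330.com to pay.")
SAMPLE_LEGIT = "Your ParcelService parcel will arrive tomorrow. Track at parcelservice.com/track"


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_token(domain: str) -> str:
    """The label an attacker imitates, with digits and hyphens stripped."""
    labels = domain.lower().split(".")
    # Crude handling of UK second-level suffixes; a full public-suffix list is better.
    uk2 = len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "gov", "ac"}
    return re.sub(r"[^a-z]", "", labels[-3 if uk2 else -2])


def lookalike_brand(domain: str) -> Optional[str]:
    """Brand the domain imitates, or None if it is the real domain or unrelated."""
    if domain.lower() in KNOWN_BRANDS.values():
        return None
    token = brand_token(domain)
    for brand in KNOWN_BRANDS:
        if token == brand or levenshtein(token, brand) <= 2:
            return brand
    return None


def triage_sms(text: str) -> List[str]:
    """Return the smishing indicators found; an empty list means none fired."""
    reasons = []
    for match in URL.finditer(text):
        domain = match.group(1)
        brand = lookalike_brand(domain)
        if brand:
            reasons.append(f"link {domain} imitates {KNOWN_BRANDS[brand]}")
    lowered = text.lower()
    if any(cue in lowered for cue in URGENCY):
        reasons.append("urgency wording")
    if PAYMENT.search(text):
        reasons.append("asks for a payment")
    return reasons


if __name__ == "__main__":
    for reason in triage_sms(SAMPLE_SMISH):
        print("-", reason)
```

Each indicator on its own is weak (plenty of genuine messages mention a deadline), which is why the function reports all of them and leaves the decision to whoever reads the result; the parcel message trips all three, the constructed legitimate one trips none.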
First of all, let’s state the slightly obvious. Smishing attacks are becoming a big cybersecurity problem. Reports of malicious text messages tripled in just a year from 2019 to 2020, skyrocketing from 107,663 in 2019 to 305,241 in 2020.
What’s more, Ofcom research revealed that 82% of UK adults (or 45m people) received a suspicious text or email during the summer of 2021. It’s got so serious that the UK government was forced to relaunch its Joint Fraud Taskforce in October of last year.
But what’s driving this? Of course, some of this is down to the pandemic, we saw cyberattacks of all kinds increase dramatically in the wake of COVID-19. However, that’s not the whole story. In smishing, cybercriminals have hit upon a low-effort, high-reward way to target just about anyone who owns a phone.
It’s substantially easier for cybercriminals to find your phone number than your email. Even if your number hasn’t been in a data leak, attackers can simply try random combinations of numbers until they hit upon one that’s a real phone number. After all, there’s a finite set of options for a mobile telephone number (UK numbers are 11 digits).
On top of this, smishing has become increasingly popular because people are more likely to trust a text message than an email. This is partly an educational issue. By this point, most of us are aware of the threat of email phishing scams (even if we still fall for them). Smishing is a newer phenomenon and, as a result, we tend to be more trusting.
Are there any famous examples?
There are plenty of examples of famous brands being spoofed for smishing purposes, from banks to parcel services to government departments. But perhaps the most famous UK examples are Royal Mail and HMRC.
The Royal Mail scam looked a lot like our smishing example above. Victims were sent fake messages purporting to be from Royal Mail asking them to pay extra fees for parcels to be released. Once victims had entered their card details to pay these ‘fees’, cybercriminals used this information to drain their bank accounts or go on lavish spending sprees.
Sadly, a staggering number of people were hoodwinked by the scam. According to Wired, 2020 saw a 1,077% increase in incidents related to Royal Mail.
The HMRC scam performed a similar dirty trick. Victims received SMS messages notifying them of a bogus tax rebate. And, after victims submitted their information, you guessed it, money suddenly started disappearing from their bank accounts. Both scams had devastating effects, particularly at the height of a pandemic with many people on furlough, with victims losing savings or money they needed to pay bills.
What can you do to protect your business?
Education, education, education
Smishing attacks rely solely on human error. If your people can recognise the signs of a smishing scam, they simply won’t fall for it. The best way to achieve this is through security training. Training can help your employees recognise the tactics typically used in smishing attacks such as impersonating a supplier, creating a sense of urgency, or offering bogus services. It can also help give them a good nose for what looks or sounds like a scam, identifying things like strange syntax, simple spelling mistakes and weird URLs or phone numbers.
Create clear cybersecurity policies
If your staff aren’t aware of what safe online behaviour looks like, they're unlikely to adopt it. So, you need easy-to-follow cybersecurity policies to make it clear what safe and unsafe look like.
Also, make sure they know where to find them. The most thorough cybersecurity policy in the world is useless if no one reads it. For more on why cybersecurity policies are so important and how CyberSmart can help, read this.
Create a positive cybersecurity culture
Your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. Anything else risks security mistakes being swept under the rug, only to resurface ten times worse when they’re discovered later on.
So encourage your people to ask questions, report security issues and, most importantly, learn. There was never a truer cliche than ‘your people are your greatest cybersecurity asset’. To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.
How to achieve Cyber Essentials certification when your business works remotely
If your business has employees who are hybrid or remote workers, you need to ensure their devices are secure and meet the requirements of Cyber Essentials. Cyber Essentials is the UK standard for organisations to follow to remain safe and secure from cybersecurity threats, and its requirements continue to be updated. Here’s how to make sure you’re covered when working remotely.
What are the steps to achieve Cyber Essentials certification remotely?
1. Make sure your employee networks meet Cyber Essentials requirements
2. List the equipment that each remote employee is using
3. Check software and licenses are up to date
What is a network?
Any single device connected to a router can be considered a network. For the purpose of Cyber Essentials, your ‘network’ is the devices linked to share resources, exchange files, or allow communication.
For example, think of your office printer. Rather than setting up a single printer for every employee, you’ll have a single printer that everyone can use (and you’ll argue over whose turn it is to change the toner). This is the perfect example of a network.
What does a network look like in practice?
Most offices and workplaces use a Local Area Network (LAN). A LAN is usually confined to a small geographic area, say an office in Bow or a warehouse in Bolton. A LAN allows every device within the network to use a single internet connection, share files, and access or control other devices.
It’s possible to connect everything from printers and phones to smart TVs, speakers, and security cameras. You can even connect the office fridge.
1. Make sure your employee networks meet Cyber Essentials requirements
We’ve just gone through what a network is. However, with remote working, networks might look a little different.
Any device connected to a router is considered a network. With multiple remote workers, you’ll have multiple networks.
All you need to do is ensure that each router meets the requirements of Cyber Essentials. For example, you should ask each employee to change the default password on their router.
2. List your remote employee equipment
Question A2.8 of the Cyber Essentials assessment will require you to list all of your network equipment. But don’t worry, it’s pretty simple.
All you need to do is list the equipment each employee is using, as if you were in the office.
What might this look like in practice? Let’s imagine a company with ten staff working from home. An equipment list will look something like this:
2 x Sky broadband with Sky router
6 x BT broadband with BT hub router
1 x TalkTalk broadband with TalkTalk router
1 x Virgin Media broadband with Virgin Media router
3. Check software and licenses are up to date
Any devices that home workers use to access organisation information should be covered by Cyber Essentials. And the software and licenses you use should be too.
Make sure that software and licenses are:
Up to date, licensed, and supported
Removed from devices when they become unsupported
Set to update automatically where possible
But what about other elements of the Cyber Essentials assessment process? Fortunately, as the entire assessment can be conducted remotely, you can complete the process no matter where your staff are working from.
Hopefully, we’ve cleared up most of the confusion surrounding networks and Cyber Essentials. However, if you have any further questions, please don’t hesitate to get in touch with our team.
And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.
It started as a normal day at work. You send a few emails, drink some coffee, and attend a few meetings. But then things take a turn for the worse. Your flustered finance colleague tells you they aren’t able to access your customer database and a strange message is displaying on the screen. It’s happened. You’ve been ransomware attacked. But what do you do next? There’s plenty of information out there on how to prevent ransomware attacks from happening, but less on what to do if the worst does happen. So, here are our top tips for what to do next.
1. Take a deep breath and assess the damage
This might sound obvious or slightly patronising, but it can be very difficult to stay cool and collected in the event of a breach. Many victims rush into paying the ransom straight away, giving them no wiggle room for negotiations with the attacker.
So, first things first, take a moment to collect yourself; the hard work starts here. Once you’re ready, start assessing the damage. Has an attack definitely happened? Do you know which systems or files have been compromised? How far have the hackers got? These are all questions you’ll need to know the answer to.
Your next course of action will likely go in one of two directions. If your organisation has an incident response plan, follow that. If it doesn’t, don’t worry, you can follow the next steps on this list.
2. Collect evidence
This step shouldn’t take more than a few seconds, but it’s very important. You should immediately take a photo of the ransomware note. It doesn’t matter how you do it, a screenshot or a photo on your smartphone will work, but the key thing is to document the breach. This will help you in contacting your insurers and filing a police report.
3. Isolate the breach
Once it’s in, ransomware is designed to spread like wildfire across a network. To stop it from infecting every system in your business, you need to isolate the breach.
That might sound complicated or techy, but it’s actually very simple. The easiest thing to do is disconnect the infected system(s) from your network so the ransomware can’t spread anywhere else. Doing this can stop a relatively minor breach from becoming business-threatening.
4. Disconnect backups
We’ve written at length on the importance of data backups before. And a successful ransomware attack is where they really come into their own. In the best-case scenario, it could save you from having to pay a ransom at all. Unfortunately, cybercriminals know this. So most modern ransomware strains are coded to go after any backups you have. This means it’s important to secure your backups by disconnecting them from the rest of your network. And to be extra safe, we recommend locking down access to your backups until the infection has passed.
5. Notify insurers and your IT provider
This step will be different for everyone, depending on whether you have cyber insurance or outsource any element of your IT to a third party. However, if you do have either, now’s the time to report the breach. You’ve completed the vital first steps to contain the threat and it’s time to bring in some help.
Your insurer needs to know for obvious reasons but both should be able to help you with the next steps. Many insurers are happy to put you in touch with experts and your IT provider should also be able to lend a hand. At this point, it’s also worth notifying law enforcement and the ICO. Your insurers may require a police report to proceed and it can also help save other organisations from the same fate.
6. Identify the strain of ransomware
Unless you’re extremely unlucky, it’s unlikely your business is the first to be hit with whatever strain it’s been infected with. And this means it should be fairly easy to identify. Free services like ID Ransomware allow you to upload a sample of your encrypted file(s), the ransom note, and the hacker’s contact info. They’ll then analyse this information and identify who or what has attacked you. This is important for two reasons. First, who you’re dealing with will help inform your decision on whether to pay. Second, knowing what you’re dealing with is vital when you come to attempt to decrypt your files.
7. Try decrypting your files
Once you know the type of ransomware you’ve been infected with, it’s time to have a go at decrypting your files. This might be easier with the help of a cyber expert, but it’s not too difficult to do yourself.
There are plenty of decryption tools available online. No More Ransom has a great selection of tools to decrypt most types of ransomware. All you need to do is find the strain you’ve been hit with from the list, download it and follow the installation process. The site is updated regularly, so even if you have been struck by a newer form of ransomware there should be something to help.
Of course, this won’t always work. Ransomware is ever-evolving, with the bad guys constantly adding extra features. But it’s always worth a try.
8. Reset passwords
You might have already done this step earlier on in the process. If so, give yourself a hearty pat on the back. If not, it’s time to reset all your business’s passwords. This is something you should be doing regularly anyway, but it can stop hackers from gaining access to other non-infected systems and attacking those too. And, once the infection is completely removed, don’t forget to change them again.
9. Decide whether to pay or not
Finally, we come to the trickiest part. Should you pay the ransom?
Sadly, there’s no absolute answer either way. Whether or not you decide to pay depends entirely on the scenario you find yourself in. If you’ve managed to decrypt your files and the data the hackers have isn’t sensitive, you probably don’t need to pay. Likewise, your insurer may instruct you not to pay. Cyber insurers are currently split on ransomware best practices after years of near unanimity. In other cases, paying might be the best option. For example, when the hackers have access to sensitive customer or financial data.
10. One last thing…
You may have noticed we haven’t mentioned communications to partners or customers. We’ve left this until last because, like paying the ransom, the decision is situation based.
If customer data has been stolen, then you need to inform clients and partners so they can secure their accounts. However, if the breach has only affected internal data, you may not need to communicate that to clients.
Like the incident response plan we mentioned earlier, it’s well worth having an emergency communications plan ready to go in case you do get attacked.
To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.
Kickstart is one of Europe’s largest innovation platforms. It helps start-ups in a variety of sectors from FinTech to food and retail to innovate and scale sustainably.
Since its founding in 2015, Kickstart has helped create over 220 commercial partnerships and supported 323 start-ups.
What does the accelerator involve?
Companies selected for the accelerator take part in a ten-week programme. It’s designed to breed commercial partnerships and encourage collaboration between start-ups and Kickstart’s partners. Its partners include AXA, Co-op, Swisscom, La Mobilière, PostFinance, Sanitas, The City of Zurich, Canton de Vaud, Credit Suisse, Galenica, CSS Insurance and others.
What does this mean for CyberSmart?
We’re delighted to be picked for the accelerator's InsurTech cohort. Not only did we beat some strong competition, with applications coming from 58 countries, but we’re also set to work alongside some of the biggest names in the FinTech and InsurTech industries.
This represents a massive opportunity for us. We’ll learn from and collaborate with some of the best. And, it’ll help us generate new ideas, refine our current products, and reach more small businesses than ever before. All in all, it’s another step in our journey to protect every small business from cyber threats. Stay tuned for what comes next.
Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do? CyberSmart Active Protect secures your business around the clock with no need for costly consultants, tools or an in-house team. Try it today.
Why managed service providers (MSPs) are a target for cybercriminals
According to security services from the ‘Five Eyes’ countries – Britain, the US, New Zealand, Australia and Canada – Managed Service Providers (MSPs) are increasingly at risk of cyberattacks. But why? What makes MSPs such an enticing target for the bad guys? And, more importantly, what can MSPs do to protect themselves and their customers?
Why are MSPs being targeted?
Upon first hearing, it might sound odd that cybercriminals are targeting, and often successfully attacking, MSPs. We think of MSPs as IT and cybersecurity experts with good defences, so surely there are more tempting targets?
Unfortunately, this is only partially accurate. Although it’s true that many MSPs do have pretty robust cyber defences, there’s another reason they get cybercriminals champing at the bit.
MSPs are so attractive to hackers because they can typically remotely access clients’ networks and IT environments. And, that’s before we mention how much data the average MSP has access to – everything from financial information to breakdowns of customers’ security.
In short, MSPs are being targeted for the same reason as supply chains. Successfully breaching an MSP means cybercriminals gain access to much more than the initial target. It could lead to ‘follow-on’ activity across the MSP’s whole customer base.
In other words, it’s a huge win for the bad guys. And cybercriminals are very obviously aware of that fact. According to new research by N-able, 90% of MSPs suffered a successful attack in the last 18 months. The study also found that the number of attacks prevented by MSPs almost doubled during the same period.
What are the consequences of a breach?
The impact of a successful attack on an MSP can be severe. The best way to think about it is to split the consequences into two categories – direct and indirect. Let’s deal with direct first.
Perhaps the most obvious impact of a breach is the disruption it could cause an MSP. Your business could be hit with a lengthy clean-up operation, systems downtime, and a big dent in staff morale. What’s more, depending on the kind of attack, there may be a financial aspect to the disruption.
A ransomware attack could lead to your business having to make a hefty payout. Meanwhile, a serious malware attack, with a long period of systems outage, could lead to you haemorrhaging revenue. Likewise, the reputational damage to any MSP successfully breached could be grave. Most MSPs pride themselves on their strong security and market themselves to customers on that basis. So the news of an attack could seriously weaken customer trust, leading to a PR nightmare and potential loss of revenue.
We’ve dealt with the direct consequences, so let’s move on to indirect. As we mentioned earlier, the major reason why cybercriminals are targeting MSPs is their customer base. And it's your customers who could be the most affected by an attack. A real-world example of this is the REvil ransomware attack on Kaseya, the MSP software provider. The breach spread to dozens of MSPs and over 1,500 of their customers, illustrating just how fast an attack could get out of control.
What can MSPs do to protect themselves and their customers?
We’ve painted a pretty terrifying portrait so far. However, just because the consequences can be dire, it doesn’t mean there aren’t things you can do to protect your business and customers. Here are a few of the most important.
Set up multi-factor authentication (MFA)
MFA is an authentication method that requires you to provide two or more verification factors to sign in to an application. Instead of just asking for your username and password, MFA adds some extras, like a randomly generated PIN code sent by SMS, a thumbprint, or a piece of memorable information known only to the user.
MFA is also a sure-fire way to protect your business against cyberattacks. Passwords alone are vulnerable to data leaks and brute-force attacks. MFA, on the other hand, is very tricky for even the most sophisticated hackers to crack.
Back up your systems and data
Backing up your systems and data can provide you with a vital failsafe after an attack. In some cases, it can even help you avoid having to pay a ransom. And, when it comes to what to back up, use this simple rule of thumb: ‘anything you don’t want to lose, back up’.
Segment networks and systems
Both you and your customers should segment networks and systems as much as possible. What do we mean by segment? Well, one example is to never use admin credentials across multiple customers or systems.
Another is to ensure that no one has access or privileges beyond what they need to do their job. That might sound harsh but, in the event of an attack, it’ll allow you to isolate affected systems, customers, or accounts.
Train staff
At CyberSmart, we’re constantly pushing the importance of training. After all, if your staff don’t know which security behaviours are harmful or don’t know the warning signs of an attack, they’ll struggle to protect themselves or your business.
Training can fix this. And it’s probably the single most important thing you can do as a business. Find out more, here.
Develop incident response plans
A successful attack on your business isn’t inevitable. Nevertheless, statistically, it is likely. So you need a coherent, easy-to-action response plan, in case the worst does happen. You’ll also need to encourage or help your customers to develop their own. Currently, just 4% of MSPs report that all their clients have an incident response plan. And, this means thousands of weak links across the IT sector.
Regularly patch software
Patching or updating any software you use, so that it doesn’t have easily exploited weak points, is incredibly simple but very important. Over time, even the best software develops vulnerabilities, suffers a breach, or simply becomes outdated. Applying patches released by the software provider can fix this. Think of it as being like fixing a puncture. You apply the patch so no air can leak out. Updating your software effectively does the same thing, giving you air-tight cybersecurity.
The best part? It won’t take you anywhere near as long as fixing a puncture, just a couple of minutes each month.
Map your supply chain risks
Last of all, understand your supply chain risks. Assuming you’ve locked down your own cybersecurity, identify who among your customers or suppliers could pose a risk. Alongside this, talk to your customers and partners about their cybersecurity. The best defence against threats is a unified approach and common strategy.
To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.