BYOD and Cyber Essentials explained

You’ve probably heard the phrase BYOD before. ‘Bring Your Own Device’ has been the darling of business and technology journalists for much of the last decade. And BYOD really is more than just hot air and hyperbole. For SMEs, it has the potential to change the way we approach procurement and resourcing forever.

However, what you’re less likely to have read about is its connection with the Cyber Essentials certification. So, if you’re considering taking the plunge and adopting a BYOD policy, read our short guide first.

What is BYOD?

BYOD, or Bring Your Own Device, is simply giving employees the option to use their own devices for work. And this can mean everything from their own smartphones through to tablets and laptops. 

Why do businesses adopt BYOD?

Like most business decisions, the benefits of switching to BYOD are largely cost-based. As any SME founder will tell you between grimaces, procuring hardware for all your staff can be eye-wateringly expensive. So having employees use their own is an immediate boost to a business’s bottom line. A Cisco report into BYOD found that businesses using it saved on average $350 per person, per year.

But it’s not all about the money. BYOD also offers employees greater choice over the tools they use for work. Anyone who’s ever used an Apple laptop at home and Windows machine at work (or vice versa) knows how annoying it can be to keep switching between operating systems. So why not let your people choose? 

On top of this, BYOD can provide productivity benefits. The same Cisco study revealed that workers save an average of 81 minutes per week by using their own devices, or nine working days every year. And it can even improve employee wellbeing. In a study produced by Samsung, 78% said it helped them achieve a better work-life balance. 

What does it have to do with Cyber Essentials? 

So BYOD has many benefits and is becoming ever-more popular in the UK – 45% of UK businesses in 2018 had some form of BYOD plan. But what does this have to do with Cyber Essentials?

Well, it’s actually very simple. Any device being used for work purposes is likely to connect to business networks and access company data. This poses security risks.

As we discussed in our recent ebook on remote working, employees using their own devices to access company networks and data can present a host of problems. Personal devices will often have inferior security tools to business ones. Employees are less likely to follow strict security protocols on their own devices. And, there’s plenty of evidence to suggest that we all engage in riskier behaviour when using our personal laptops and phones.

All of this can expose your business to unnecessary risks. But it doesn’t mean you need to scrap your plans for BYOD.

Does Cyber Essentials cover BYOD? 

If a device is used to connect to the business network or access any business information, then it should be considered within the scope of Cyber Essentials. This includes doing some after-hours work on your home computer, accessing the company Google Drive, and even browsing work emails on your mobile. 

It’s all too easy to fall into the trap of considering personal devices some separate entity, entirely disconnected from work. But that just isn’t the reality of many of our working lives. In our ‘always-on’ culture the personal and professional have a habit of bleeding into each other, particularly in an era when many of us are working remotely. 

This means it’s vital you ensure that all devices used for work, whether personal or company-provided, follow the core tenets of Cyber Essentials. For example, ensuring security settings are switched on and up-to-date, anti-malware tools are installed, and apps are regularly updated. 

What if you don’t have a formal BYOD policy? 

Even if your business doesn’t have a formal BYOD policy, it’s still important you guard against the threat posed by personal devices. To illustrate, at CyberSmart we don’t have a formal BYOD policy, but we know many of our people use their phones to access emails and files. 

So to ensure we’re not giving cybercriminals a backdoor into the business, we ask that every employee installs CyberSmart Active Protect on any device they might access work from. The CyberSmart app constantly checks any device that it’s installed on is compliant with Cyber Essentials and flags any problems to both us and the user. This means that however our staff choose to work, we can be sure they’re doing it safely. 

BYOD has the potential to totally transform the way your business looks at procurement. But it also requires good cyber hygiene if it’s to be liberatory rather than a liability. So if you’re considering adopting BYOD, start by getting Cyber Essentials certified. 

CyberSmart nominated for 3 awards

Three really is the magic number for CyberSmart. We’re delighted to announce we’ve been nominated for three awards at the upcoming Network Group Awards 2020.

Who is Network Group?

Network Group is a member-owned organisation committed to transforming the customer experience and driving customer-led growth in the tech sector. It aims to do this by providing tech business leaders access to peer group support, development tools and new opportunities.

What are the awards for?

We’ve been nominated in three categories at this year’s awards: 

  • Specialist Vendor of the Year
  • Business Product of the Year
  • Biggest Impact New Partner

We’re especially pleased to have been nominated in the ‘Biggest Impact New Partner’ category. Firstly, because we’re up against some truly innovative businesses. And, secondly, because our goal is to make an impact globally. 

Cybercrime is projected to cost the world $6 trillion annually by 2021, and 58% of it targets small businesses. Meanwhile, businesses with the resources to weather continuous cyberattacks are gaining an unfair advantage over small businesses who don’t. We call this the ‘cybersecurity gap’. 

Our aim is to help SMEs all over the world bridge this gap, by improving their understanding of cybersecurity and giving them the tools to better protect themselves. So, to be recognised as making an impact, even at this early stage, is real motivation for 2021 and beyond. 

Are you a small business looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

What is cyber hygiene?

If you’ve been considering improving your cybersecurity lately, chances are you’ve come across the phrase ‘cyber hygiene’. And you’re probably also wondering what it means. Cyber hygiene is one of those slippery phrases that seems to change meaning depending on who’s using it.

So, in the interests of clearing up some confusion, here’s our guide to cyber hygiene. What it is. Why it’s important. And, what it looks like in practice. 

A definition of cyber hygiene 

Simply put, cyber hygiene is the steps and practices every organisation should take to ensure good digital health and protect themselves against cyber threats. The idea behind cyber hygiene is that these practices should become part of our day-to-day routine. Think of it as a bit like your physical hygiene, say brushing your teeth twice a day, washing your hands regularly, or wearing a face mask. 

Why is it important?

In the same way that if you don’t look after your teeth you’ll eventually end up with a hefty dentist’s bill, your cybersecurity needs constant maintenance to avoid a breach. 

But cyber hygiene’s importance goes beyond simple maintenance. There’s a widespread perception among SMEs that cyber-attacks are something that happens to bigger, higher-profile companies. It’s not hard to see why – after all, the news cycle is filled with tales of the latest Fortune 500 behemoth to suffer an embarrassing breach.

Unfortunately, this couldn’t be further from the truth. According to research from the Federation of Small Businesses, in the last two years alone, SMEs were subject to 10,000 cyberattacks daily. And 1 in 5 reported suffering a breach during the same period. 

What’s more, the risks are only growing with many businesses switching to remote working. A recent report from VMWare reveals that 91% of businesses globally have seen an increase in cyber attacks since countries began implementing lockdown measures. On top of this, home office networks are 3.5 times more likely to be hacked than corporate ones. 

Maintaining a good standard of cyber hygiene is the most effective way to guard against all of these threats. 

What does good cyber hygiene look like in practice? 

We’ve tackled why cyber hygiene is important but what does achieving it actually involve? 

Good cyber hygiene is probably best divided into three broad categories: occasional check-ups, daily routines and good behaviours. Let’s take each in turn.

Occasional check-ups 

People are often surprised by how many cyber threats can be averted simply by giving your corporate devices and networks a regular health check. When software is out of date, firewalls and anti-malware aren’t switched on, or security settings aren’t configured properly, you provide cybercriminals with an easy route into your business. 

Start by checking that every device in the company is running the latest version of any software you use and that its security settings are configured to the highest level of protection. Also ensure that your network is secure and that all anti-malware and firewall tools are switched on, up-to-date and configured properly.

Daily routines 

Cyber hygiene is as much about what you do and how you do it as it is about maintenance. A great place to start is by putting in place universal practices across your organisation.

This includes steps like setting up a strong password policy, using two-factor authentication for anything coming in or out of your business and keeping work devices for work purposes.

Good behaviours

Few of us set out to put our workplace at risk with our actions online. But we’re all human. And whether it’s through misunderstanding the risks or just being a little careless, many of us do exactly that on a daily basis.

Getting everybody in your business on the same page about your cybersecurity standards is just as important as keeping your tech fighting fit. The best way to do this is to ensure your business has clear, understandable policies in place so everyone understands what they need to do (or not do). And it’s no use hiding them away on some long-forgotten corner of your server. Make sure they’re easy to find and everyone has access to them.

Three simple ways to get your cyber hygiene up to scratch 

The steps we’ve outlined so far might feel a little overwhelming. Where do you start? Surely running through all that will take forever? And what do you do if cybersecurity isn’t really your forte?

Fortunately, there are three very simple routes to improving your cyber hygiene – regardless of your budget or level of expertise. 

1. Get a Cyber Health Check

Before you start improving your organisation’s cyber hygiene, you need to know your current level. In other words, it’s time for a check-up.

Our soon-to-be-released Cyber Health Check is a simple way to assess your current level of cybersecurity. We’ll run some tests to check how you’re doing. Then, once we’re done, we’ll send you a free downloadable report to tell you what you need to improve and some recommendations for how to do it.

2. Get Cyber Essentials Certified 

Another option is to complete the UK government’s Cyber Essentials certification. The scheme covers the essential actions every business should take to ensure its digital security and protect against cyberattacks. Cyber Essentials assesses five criteria on the way to certification: 

  • Is your internet connection secure?
  • Are the most secure settings switched on for every company device?
  • Do you have full control over who is accessing your data and services?
  • Do you have adequate protection against viruses and malware?
  • Are devices and software updated with the latest versions? 

Not only does the Cyber Essentials scheme cover all of the maintenance steps we discussed earlier, research also shows it could help protect your business against 98.5% of cyber threats. And that’s not all. Many government bodies require Cyber Essentials certification from any supplier or service provider they work with. So getting certified could open up new avenues for your business.

Even if you’re not likely to work with the public sector, Cyber Essentials certification is a great way to demonstrate to customers and potential partners that you’re serious about protecting their data.

3. Use an active protection tool 

As we’ve said throughout this piece, maintenance is key to good cyber hygiene. But that doesn’t mean you have to set aside a day each month to check your defences are in order. There’s a far simpler, less time-consuming way to achieve the same thing.

The CyberSmart Active Protect scans your company devices 24/7, checking for updates, firewalls and security measures. If anything’s configured incorrectly or out-of-date Active Protect lets you know, allowing you to fix issues in a couple of clicks. And, to make sure your people stay safe, Active Protect lets you check on the individual status of their devices, and distribute company security policies across them.

Practising good cyber hygiene is a necessary part of modern business. But, as we’ve hopefully demonstrated, it doesn’t need to be time-consuming, complex or costly. So why not get started today? After all, where’s the harm in a check-up?

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

How SMEs can beat the cybersecurity skills gap

According to government statistics, the UK has a cybersecurity problem. More specifically, a ‘skills gap’. But what do we actually mean by a skills gap? How did we get here? And, what can smaller companies do to address it?

What do we mean by a ‘skills gap’? 

Although the phrase ‘skills gap’ is a neat way to describe the problem, it’s a little vague. Whose skills are we talking about? Does it mean that every small business should have a bonafide cybersecurity expert in-house? 

Let’s dig a little deeper.

The Department for Digital, Culture, Media and Sport (DCMS) defines the skills gap as businesses ‘lacking staff with the technical, incident response and governance skills needed to manage their cybersecurity.’

The DCMS backs this definition up with some pretty alarming statistics. 48% (some 653,000) of businesses in the UK have a ‘basic’ skills gap. This means they lack the confidence to carry out the fundamental security tasks laid out by the Cyber Essentials scheme. These include things like setting up configured firewalls, storing or transferring personal data, and detecting and removing malware.

But the problems don’t end there. 

Approximately 408,000 businesses (30%) have more ‘advanced’ skills gaps. These include areas such as penetration testing, forensic analysis and security architecture. Another 27% have a gap when it comes to incident response. 

Looking to improve your cybersecurity but lack the skills to get started? Check out the CyberSmart platform. It’s your automated, in-house cybersecurity officer.

Why does the UK have a cybersecurity skills gap? 

To get to the bottom of why the UK has a cybersecurity skills gap, we have to look back. Way back. Specifically, we’re heading to the 1990s – a decade of Britpop, Blairism and bad fashion, and when the internet began to take off as a public utility. Of course, the internet had been around in some form for much longer, but the late nineties marked the point when businesses and consumers really started to use it. 

At the dawn of the modern internet, cybersecurity knowledge was mostly confined to the experts. Universities were just beginning to offer qualifications in the subject and some of the more forward-thinking businesses were offering staff training. But, for the most part, cybersecurity expertise was the preserve of academics, tech companies and a handful of specialist firms. 

Fast forward a couple of decades and not much has changed. Even though every business and individual now uses the internet for nearly every daily task, cybersecurity teaching in schools remains in its infancy and optional most of the time. Many universities now offer cybersecurity courses but it is a niche subject, usually studied by postgraduates. Meanwhile, few businesses offer anything more than rudimentary cyber skills training that usually culminates in ‘switch your antivirus on’. 

All of these things combined have created a world in which very few of us know much about cybersecurity. In turn, this scarcity has made cybersecurity expertise one of the most sought after skills in the UK economy. 

For SMEs, hiring your own in-house expert is prohibitively expensive. And even outsourcing the problem to a specialist firm is still likely to take an almighty bite out of your IT budget. So, short of humming loudly and pretending the problem doesn’t exist or heading back to school, what can small business leaders do about it? 

What can SMEs do about it? 

Some things will always require calling in the experts. If your business is covered on the basic skills front but needs more advanced knowledge, you’re probably not the average SME and it’s worthwhile consulting with specialists or hiring an in-house guru.

However, for everyone else, there’s a lot you can do to protect your business without in-house skills or eye-wateringly expensive expert help. Let’s take a look at some options. 

Take a government-standard certification 

The UK government has been worried about our collective lack of skills for a while now. In the past few years, you’ve probably seen or read news reports about encouraging kids to study STEM subjects and learn basic coding skills. But while these are noble aims that will improve society tremendously in 10-15 years, we need a solution now. 

So, back in 2014, the UK government created the Cyber Essentials scheme. The scheme covers the essential actions every business should take to ensure its digital security and protection from cyberattacks. Think of it as ‘cyber hygiene’ – a bit like washing your hands, brushing your teeth or wearing a face mask.

And this approach really works. Research from the University of Lancaster reveals that businesses can mitigate cyber risks by as much as 99%. What’s more, the certification process is relatively straightforward. The entry-level Cyber Essentials certification is a self-assessment that can be taken and passed in as little as 24 hours. 

The more advanced version, Cyber Essentials Plus, includes an onsite or remote assessment from an expert and is a little more complex. However, this can also be completed for little cost in a few days. 

If you’re unsure of which is right for your business, take a look at our handy guide covering the differences in more detail. 

Automate the problem 

Cyber Essentials certification is a great starting point. But your business’s cybersecurity requires year-round maintenance. It’s a bit like your car or bicycle. You might put it in for a service or MOT once a year, but in the period between visits to the shop, components wear out or break, leaving your vehicle less than roadworthy.

The same is true of cybersecurity. It’s very unlikely that nothing will change in the year between Cyber Essentials certifications. Software will need to be updated, new devices are added, and previously unknown threats emerge. 

Tackling this manually is a job in itself, one that few SMEs have the skills, budget, or time for. Fortunately, you don’t need to run out and nab a recent cybersecurity graduate from your local university. Tools like the CyberSmart Active Protect can keep an eye on your cybersecurity for you all year long.

This automated software continually scans for vulnerabilities, such as out-of-date software, incorrectly configured security settings and switched off defences. All you need to do is flick a switch if something’s not right, and the platform takes care of the rest. 

The UK’s cybersecurity skills gap will shrink. Heavy investment in the sector and the generation of burgeoning experts in our schools and universities point to a more secure future. However, this doesn’t mean we all have to wait until 2030 to do business safely. There is plenty your business can do today without expert knowledge. 

Are you looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Playing politics: customer spotlight on Play Verto

‘Fun’ isn’t a word often associated with politics. Many of us tend to think of it as a game played by powerful people in oak-panelled chambers, far away from the reality of our everyday lives. And, it’s this feeling that has led to widespread disengagement from politics and distrust in our institutions.

But what if politics was a game we could all play? 

CyberSmart client, Play Verto, seeks to answer that question. The social enterprise specialises in improving community engagement through gamification. Its app, Verto, allows the public to express their political views by answering questions in a play-based format. 

By combining technology and play, Play Verto is creating a space for wider participation and plurality of opinion in politics. 

However, handling public data brings cybersecurity challenges with it. We sat down with Ben Pook, Director of Play Verto, to discuss these and how using CyberSmart Active Protect has helped overcome them.

What are the security challenges you’ve faced as a startup? 

When you are in the start-up space, you tend to play many different roles and you are thinking a million things. You quickly learn that you need to be agile to accommodate that. However, data security is not something you want to play about with. There is often a lot to consider, which can easily be forgotten or simply not considered at all.

Play Verto is a data-led decision-making company. So, inevitably, we deal with a lot of sensitive data. Our customers depend on us to safeguard this, ensuring it’s collected and stored securely. The company also emerged around the time that GDPR was coming into place, raising another challenge. 

How did CyberSmart help you resolve your security challenges?

Cybersecurity is an intimidating subject, especially when you lack rudimentary knowledge.  What we like about CyberSmart is that they ‘dumb-down’ cybersecurity and compliance for you, providing an easy step-by-step guide to make sure you have all your bases covered. They walk you through GDPR, Cyber Essentials as well as ISO27001.

It’s also helpful in the sense that it allows you to say, ‘hey, have you thought about this?’ and if not, here is what you should do. It doesn’t matter that you don’t have years of experience working in information security or the means to hire a specialist.

How far is Play Verto into setting up CyberSmart? 

We’ve gone through the whole process and we have the certificates. It’s given us a kick-start; we now use the tools and information offered by CyberSmart to constantly re-evaluate our compliance and security.

In fact, it’s become part of our routine. Whenever we onboard someone new, they go through CyberSmart’s training and install the app on their devices to ensure they meet our security standards. We also have a fortnightly team meeting on cybersecurity.

Our company culture has become much more security-focused thanks to CyberSmart. 

What role has CyberSmart played in your relationship with customers and partners?

The impact of not having the right security measures in place is massive. Our customers and partners rely on us to keep their data secure. CyberSmart offers an additional service that is critical in giving both ourselves, as well as our customers, peace of mind.

When we take on a new client, they want to understand how we collect data, how we store it, where it is stored, which servers we are using etc. With CyberSmart, all of that information is in one place and easily accessible. What’s more, the certificates themselves are a demonstration that we take security seriously in the eyes of our customers.

What cost and time benefits have you experienced since using CyberSmart? 

Well, I think it really comes down to ‘what is the cost of not using it?’. We have a pretty good security culture in our company, but it costs to be ignorant. I would rather be the fool that asked than the fool that wished he did.

CyberSmart’s monthly subscription is also perfect for those in the start-up space. Shelling out thousands of dollars in one go is tricky for a small business. The subscription model makes CyberSmart’s tools accessible to organisations in a similar position to us when we first started.

What advice would you give to someone looking to tackle similar challenges to those you’ve faced?

To be honest, I’d probably recommend CyberSmart, particularly because of their customer service. The team is amazingly responsive and there’s no such thing as a silly question.  It almost feels like a personal relationship, they do a great job of building a rapport.

Are you a start-up looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

CyberSmart gets a rebrand

Today is a big day for CyberSmart. 

After months of preparation, countless workshops and a fair few late nights, we’re delighted to announce the launch of our new branding and website.

What’s changing? 

Everything. We’re unveiling a brand new look, website and vision to take us forward into the next stage of our development. Here’s CyberSmart CEO and co-founder, Jamie Akhtar on what the rebrand means:

“Our mission has been and always will be to make security accessible for every organisation. We want to see a world where every business, no matter how small, can be cyber secure. Our new branding aspires to reflect this.” 

Why the rebrand? 

The last few months have really brought home the importance of good cyber hygiene. With businesses from Tyneside to Truro working from home due to COVID-19, it’s never been more crucial that everyone has access to the tools they need to stay cyber secure.

So, it’s time our branding reflected our vision, as our Chief Growth Officer, Sam Soares explains:

“We have gone beyond the look, the logo, the colours. The CyberSmart brand has been reimagined from the ground up, looking into where we are heading in the future. COVID has ushered us into a new world – one where proper cyber hygiene is no longer an option for businesses. Our new vision is to build a safe and healthy digital society.”

We couldn’t have done it without our friends over at Outfly, a pioneering design agency who, like us, specialise in helping SMEs achieve their vision.

What does this mean for our customers? 

For the time being, the way you access the CyberSmart Dashboard won’t change. And neither will the functionality within it.

However, we’ve got big plans for the future and the rebrand is only the beginning. We’ll be revealing more over the next few months, so keep your eyes peeled for news.

In the meantime, if you haven’t seen the branding, take a look around our new site.

Inside CyberSmart Active Protect: what’s monitored and what’s not

This month, we made the decision to include our CyberSmart Active Protect with all of our certification options. We did this because we know real security can’t be achieved through a certification audit once a year; it requires continuous assessment of compliance.

We also know that up to 98.5% of cyber attacks can be prevented by following the controls that our software monitors. That’s why we encourage businesses and their employees to install the app on any device that might be used for work purposes.

And that’s where things get sticky. A work app on my personal phone? That monitors me?

We get it. It all sounds a bit Big Brother. So we’re here to clear up exactly what we ‘monitor’ with our CyberSmart Active Protect and why it’s good for employees as well as businesses.

What we see

What an employer sees on devices that have the CyberSmart Active Protect installed:

  • Whether your device is complying with the five controls of Cyber Essentials
  • Which software you have installed on your computer and if it is up-to-date
  • The make, model, and year of your device
  • Your operating system (like Microsoft Windows or Apple’s macOS) and which version you are running

What we don’t

An employer can’t see anything other than what’s listed above. To be clear, that means they can’t see:

  • Which websites you visit
  • Which apps you have installed on your mobile device (these are different from software. Your employer has no way to see if you downloaded CandyCrush again after you so admirably recovered from your addiction)
  • Your physical location with the device
  • When you are online or how much you are using different software on your devices

Checking your vitals

One of our engineers described CyberSmart Active Protect as an ‘ongoing health check.’ This is a good way to think about it. We’re taking your vital signs but we don’t get into any more detail than we need to. Is your firewall still up? Is a piece of software out of date that could leave a door open for attack? If it is, you’ll get a notification and clear instructions on how to fix it.

It’s good for employees too

When a device is hacked, criminals aren’t just looking for business data on customers. They will take any useful piece of information they can. With the CyberSmart Active Protect installed, employees will enjoy the benefits of protecting their personal data as well as the company’s on their personal devices.

Take the first step to protecting your business and your employees today. If you got your Cyber Essentials certification through CyberSmart, you can now access one free license to CyberSmart Active Protect via your dashboard.