GDPR post-Brexit – an update


Late last year, we published a guide to everything you need to know about GDPR after Brexit. A few things have changed since then, not least, the UK finally agreeing on a deal on 24th December 2020. So, with the terms of the UK’s exit decided, do we know anything more about what GDPR looks like post-Brexit?

What’s happened since a deal was agreed?

You may remember from our previous piece that the UK was awaiting an ‘adequacy’ decision from the European Commission (EC). In simple terms, the EC must decide whether the UK has adequate data protection measures in place for EU countries to work with it.

In the time-honoured fashion of all negotiations between Britain and EU organisations, we’re still waiting on that decision. However, as a temporary fix, the two sides have set out the ‘Trade and Cooperation Agreement’, which contains a provision for data flows. 

What does this mean for GDPR? 

The ‘Trade and Cooperation Agreement’ contains a provision allowing data flows between the EU and UK to continue as they were pre-Brexit for a maximum of six months. In other words, data can still be transferred in the way it was pre-January 2021 until June this year.

There are two ways this ‘bridging period’ could come to an end. The first is that the UK makes changes to data protection law during the period. If this happens, the UK would be outside the terms of the agreement and data transfers will immediately stop.

The second is that the EC makes a decision on the UK’s adequacy status. If this hasn’t happened by 1st April then the period will be extended to its full six-month maximum. 

Still with us? It’s also important to note that the UK has already deemed the EU’s data protection as adequate, meaning data is free to flow in the other direction too. GDPR has now been made part of UK law and renamed the ‘UK GDPR’. And, the Trade and Cooperation Agreement includes a commitment that the UK and EU will continue to cooperate on digital trade in future. 

What does your business need to do? 

If it’s business as usual until April, does your business need to do anything to ensure compliance with GDPR?

Unfortunately, the answer is yes. While data flows can continue as they are, for now, predicting the future is tricky. Some commentators are cautiously optimistic about the likelihood of a favourable adequacy decision for the UK. However, many others cite the long-standing differences in surveillance practices between the EU and UK as a potential blocker to any positive outcome.

This means that the smart thing to do, for businesses of any size, is to put in place alternative arrangements. The Information Commissioner’s Office (ICO) has already issued a statement urging businesses that depend on data received from EU/EEA countries to do exactly that.

In practice, this means setting out binding corporate rules (BCRs) or standard contractual clauses (SCCs) on data protection for an EU organisation you exchange information with. This is essentially a commitment to comply with EU data rules as an individual organisation in the event that something changes at the state level.

You can find more advice on the ICO’s Brexit hub and we’ll keep bringing you further updates as we get them. 


GDPR after Brexit – everything you need to know


Just when you thought the endless rounds of Brexit negotiations were finally drawing to a close and it was safe to tune into the news again, another problem has reared its head. What will happen to GDPR after Brexit? And will UK companies still be able to exchange data within the EU? 

To provide some clarity amongst the confusion, we’ve tried to answer both. So, join us on a whistlestop tour of all things Brexit and GDPR. 

Will GDPR apply in the UK after Brexit? 

Strap yourselves in, this one’s going to take some explaining. While GDPR will no longer apply ‘directly’ once the transition period ends on 31st December 2020, that doesn’t mean UK organisations no longer need to comply with it. 

This is because the Data Protection Act 2018 enshrines GDPR’s requirements in law. On top of the existing legislation, the UK government has issued a statutory instrument catchily titled ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’. In simple terms, this amends the original law and merges it with the requirements of GDPR. The outcome will be a new data protection framework known as the ‘UK GDPR’. 

Still with us? The good news is that there’s virtually no difference between the UK version of GDPR and the current EU regime. So, for the meantime at least, you should continue to comply with the requirements of the EU GDPR. 

So why all the dramatic headlines about GDPR after Brexit? 

If there’s little material difference between the current GDPR and the proposed UK version, why are we seeing headlines about the switch costing UK firms £1.6bn in compliance fees?

Well, the problem lies in how the UK’s status is defined by the EU. Once the UK leaves the EU, as a non-member state it will be reclassified as a ‘third country’. And this has big ramifications for the transfer of personal data between countries. 

Under GDPR (the EU version), transferring personal data from the European Economic Area (EEA) to third countries is only permitted in one of three circumstances.

The three options

  1. If the European Commission (EC) has issued an adequacy decision. In other words, the EC has decided the third country has adequate data protection measures in place for EU countries to work with it.
  2. If safeguards such as binding corporate rules (BCRs) or standard contractual clauses (SCCs) are in place between organisations exchanging data. These are essentially commitments to comply with GDPR at the level of an individual company.
  3. If an approved ‘code of conduct’ is in place between the EEA and the third country. 

At the moment, no code of conduct has been agreed between the EEA and the UK. What’s more, the EC is yet to issue an adequacy decision.

This has led commentators, such as the New Economics Foundation (NEF) and UCL’s European Institute research hub, to suggest that in the event of a no-deal Brexit, UK businesses would have to undertake option two from the three circumstances listed above. 

The problem with this is that it could prove very costly. In fact, NEF estimates setting up extra compliance measures like SCCs could cost on average £3,000 for a micro-business, £10,000 for a small business and £19,555 for a medium-sized firm. For large firms, the figure could be as high as £162,790, with a cost of £1.6bn to the UK economy as a whole. 

How likely is this to happen?

While the last section might be a little scary, it’s important to stress that it is the worst-case scenario. The UK government has stated several times that it’s committed to securing an adequacy agreement with the EC. So it’s not beyond the realms of possibility that all this will be academic and we’ll see a relatively smooth transition process.

However, there are some doubts about the likelihood of the UK being granted adequacy status. And there are a couple of compelling reasons for this. First, the EU has long opposed some of the practices of the UK security services. This has led to several protracted court battles and a few defeats for British legislators. It’s felt that unless the UK is willing to change its surveillance practices – something it’s repeatedly refused to do – then this is likely to provide a blocker to the UK being granted adequacy status.

Second, the UK government has committed to ‘liberalizing’ data laws as it leaves the EU. Its argument for doing this is that data is currently ‘inappropriately constrained’ by EU laws. The problem is that this is likely to render the UK’s data protection measures inadequate in the eyes of the EU, again leading to a scenario in which the UK is considered a third country without adequacy status.

What should SMEs do? 

At this point, it’s natural to wonder what your business can do to ensure you’re ready for the transition. After all, with all the decisions being made at an international level, what can a single SME do but wait?

We don’t yet know the outcome of negotiations on the UK’s adequacy status. So planning for extra compliance measures like SCCs is a challenge. Nevertheless, as we mentioned earlier, it’s well worthwhile ensuring your business is compliant under the current GDPR regime. At the very least, this should help you stay on the right side of the new UK GDPR standard once it’s released.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.


Playing politics: customer spotlight on Play Verto


‘Fun’ isn’t a word often associated with politics. Many of us tend to think of it as a game played by powerful people in oak-panelled chambers, far away from the reality of our everyday lives. And, it’s this feeling that has led to widespread disengagement from politics and distrust in our institutions.

But what if politics was a game we could all play? 

CyberSmart client, Play Verto, seeks to answer that question. The social enterprise specialises in improving community engagement through gamification. Its app, Verto, allows the public to express their political views by answering questions in a play-based format. 

By combining technology and play, Play Verto is creating a space for wider participation and plurality of opinion in politics. 

However, handling public data brings cybersecurity challenges with it. We sat down with Ben Pook, Director of Play Verto, to discuss these and how using CyberSmart Active Protect has helped overcome them.

What are the security challenges you’ve faced as a startup? 

When you are in the start-up space, you tend to play many different roles and you are thinking a million things. You quickly learn that you need to be agile to accommodate that. However, data security is not something you want to play about with. There is often a lot to consider, which can easily be forgotten or simply not considered at all.

Play Verto is a data-led decision-making company. So, inevitably, we deal with a lot of sensitive data. Our customers depend on us to safeguard this, ensuring it’s collected and stored securely. The company also emerged around the time that GDPR was coming into place, raising another challenge. 

How did CyberSmart help you resolve your security challenges?

Cybersecurity is an intimidating subject, especially when you lack rudimentary knowledge.  What we like about CyberSmart is that they ‘dumb-down’ cybersecurity and compliance for you, providing an easy step-by-step guide to make sure you have all your bases covered. They walk you through GDPR, Cyber Essentials as well as ISO27001.

It’s also helpful in the sense that it allows you to say, ‘hey, have you thought about this?’ and if not, here is what you should do. It doesn’t matter that you don’t have years of experience working in information security or the means to hire a specialist.

How far is Play Verto into setting up CyberSmart? 

We’ve gone through the whole process and we have the certificates. It’s given us a kick-start; we now use the tools and information offered by CyberSmart to constantly re-evaluate our compliance and security.

In fact, it’s become part of our routine. Whenever we onboard someone new, they go through CyberSmart’s training and install the app on their devices to ensure they meet our security standards. We also have a fortnightly team meeting on cybersecurity.

Our company culture has become much more security-focused thanks to CyberSmart. 

What role has CyberSmart played in your relationship with customers and partners?

The impact of not having the right security measures in place is massive. Our customers and partners rely on us to keep their data secure. CyberSmart offers an additional service that is critical in giving both ourselves, as well as our customers, peace of mind.

When we take on a new client, they want to understand how we collect data, how we store it, where it is stored, which servers we are using etc. With CyberSmart, all of that information is in one place and easily accessible. What’s more, the certificates themselves are a demonstration that we take security seriously in the eyes of our customers.

What cost and time benefits have you experienced since using CyberSmart? 

Well, I think it really comes down to ‘what is the cost of not using it?’. We have a pretty good security culture in our company, but it costs to be ignorant. I would rather be the fool that asked than the fool that wished he did.

CyberSmart’s monthly subscription is also perfect for those in the start-up space. Shelling out thousands of dollars in one go is tricky for a small business. The subscription model makes CyberSmart’s tools accessible to organisations in a similar position to us when we first started.

What advice would you give to someone looking to tackle similar challenges to those you’ve faced?

To be honest, I’d probably recommend CyberSmart, particularly because of their customer service. The team is amazingly responsive and there’s no such thing as a silly question.  It almost feels like a personal relationship, they do a great job of building a rapport.

Are you a start-up looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


The business risk that’s more worrying than Brexit

News articles have continued to highlight the impact Brexit could have on UK businesses in 2020. With everything from visas to regulations and import taxes, businesses face a lot of uncertainty in the coming years.  

However, despite Brexit continuing as a hot topic in business media, surveys have found that it is not the most pressing issue on business leaders’ agendas. Instead, data protection topped the list.

The first half of 2019 saw data breaches leave 4.1 billion records across the world exposed, and they are continuing to occur on an almost weekly basis in the UK. The rapid sophistication of cyber attacks is leaving an increasing number of UK businesses vulnerable to these potentially devastating breaches.

80% of CEOs concerned about cyber threat

PricewaterhouseCoopers conducted a recent survey to gauge the key areas of CEO uncertainty and how they are taking action to address them. The survey found that eight out of ten CEOs are concerned about the threats posed by a cyber attack.

This concern emerges among a growing abundance of news stories reporting enormous data and security breaches at top companies and organisations, which end up costing them hundreds of thousands in compensation. 

One of the most publicised cases of 2019 was the British Airways breach in which the details of about 500,000 customers were stolen by hackers. As a result, BA was charged a fine of £183 million.

This is a corporate example, but even small businesses are at risk of fines for violating GDPR data protection laws. If you’re wondering if you’re GDPR compliant, CyberSmart offers a simple, non-technical path to GDPR certification.

The public wants to know businesses are protecting their data

Media coverage and market research make it clear that cyber attacks are only going to increase in frequency in 2020, both in the UK and the rest of the world. But this is not just an issue for CEOs. 

The media attention garnered by cyber attack stories has made data regulations and privacy a key issue amongst the general public, who place an increasing premium on companies that take protection of their data seriously.

It’s more important than ever for businesses to showcase their cyber security certifications and GDPR compliance.

Pressure from consumers has been further motivation for CEOs to consider data privacy and compliance with data regulations as two of their top issues. 57% of respondents to PwC’s report cited public fears over security as a key factor.

Cyber security starts at the foundation

However, 2020 is expected to see more CEOs focusing on the configuration of their business in order to meet the requirements of cyber resilience. In the increasingly digital landscape of the future, cyber security will no longer be an added feature for organisations to incorporate as an afterthought, but rather a critical feature to be in-built into a business’ infrastructure.

As cyber attacks continue to pose a significant threat to UK businesses in 2020, it has never been more important for companies to ensure they are compliant with data protection laws and agreements. 

CyberSmart offers several ways that even small businesses can take precautions against cyber threats. Our Cyber Essentials and Cyber Essentials Plus certification offers simplify the process of keeping businesses up to date with UK laws while CyberSmart Active Protect secures your company devices around the clock.

In addition, we offer products for IASME GDPR compliance enabling you and your company to meet protection standards and have peace of mind in your service.

How does GDPR protect your customers?


The General Data Protection Regulation, or GDPR, was brought in by the European Union in 2018. The intention was to update data protection laws across all member states and ensure that companies would become compliant in their handling of data. A lot of businesses, however, still see GDPR as a nuisance. In fact, it acts to protect customers and businesses alike. Here, we discuss exactly how that is the case.

Security of data

Under GDPR, the data of individuals became much better defined. Anything identifiable to an individual is their personal data, and under GDPR users have the right to know who is in possession of their data and which organisations are using it. Customers have to agree to actions being taken with their data, so they have a far greater level of control over what companies are doing with their personal information. If they don’t like what a company is doing, they can simply withdraw their consent and request that a company deletes the data. This not only protects the customer but also benefits the business in that it ensures individuals can have a greater feeling of comfort that their data is being used legitimately.

Transparency of data

Customers are also given the right to be informed of the purpose their data is being used for, exactly what data is collected, and if there have been any data security breaches. These wide-ranging reforms, designed to allow for a much greater level of transparency, ensure that customers are not only more secure but are also more aware of what exactly their data entails. When individuals are allowed to download all of the data that international companies hold about them, they have a better idea of what their data actually is, and can get a better idea of what sort of access they want to let companies have. Customers, therefore, are more likely to be trusting of what exactly a company does, since data is no longer an abstract concept but something more tangible. Two-thirds of Europeans have now heard of GDPR, demonstrating the reach of the regulation and its impact in boosting awareness. Compliant companies are therefore likely to benefit from the implementation of GDPR.

With the implementation of GDPR across Europe, companies are now considering data to be an intrinsic part of cyber essentials. Data handling is key to modern business operations, and to ensure that your company is completely compliant, you may need expert help. CyberSmart can help make a complicated bit of regulation much simpler with our Privacy toolbox.

Is GDPR going stateside?

The General Data Protection Regulation – a.k.a. GDPR – was introduced in 2018. This new framework standardised and updated data protection law across the European market and most importantly gave consumers more say over how their data is handled, stored and shared.

However, considering how quickly data collection and analysis technologies are developing, this legislation wasn’t a one-size-fits-all solution. Subsequently, there are a few grey areas that left many organisations feeling confused – which is risky, considering the size of the potential fines.

Now, it seems that similar legislation with its own unique nuances will appear in the United States, adding a whole new layer of data privacy legislation for companies to navigate. Here, we discuss what American data privacy law is likely to bring going into 2020.

GDPR USA – What to expect

Although data privacy is a global issue, every region is developing its own distinct regulations. Although it’s likely there will be similarities between GDPR and American data privacy legislation, currently, there are no plans for a comprehensive, nation-wide GDPR USA. Instead – much to the dismay of many international companies – every state is drawing up its own plan. Currently, the two major ones businesses need to be aware of are California’s Consumer Privacy Act (CCPA) and the SHIELD Act.

CCPA

California’s Consumer Privacy Act, or CCPA, came into force as of 1 January 2020. The legislation has similarities with GDPR, however, there are important differences. For instance, under GDPR users must opt-in to third-party data sharing whereas, under CCPA, they need to opt-out. This means companies will have to have customised terms and conditions forms for Californian users. That said, the good news is that CCPA isn’t as far-reaching as GDPR. If your company turnover is less than $25 million and you don’t handle the data of more than 50,000 then the rules don’t apply.

SHIELD Act

In July 2019 New York State passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which will come into effect on 21 March 2020. Similarly to GDPR, this law is designed to standardise data privacy requirements. However, this is where it can get confusing; the wording of the legislation is suitably vague, with statements such as “data security should be appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” To add to the bill’s cryptic nature, if companies are already in compliance with historic data protection laws like HIPAA and the GLBA, they may already be compliant.

Get globally data compliant

Legislation like GDPR has global implications. With so many different laws emerging all over the world, it’s critically important that companies with international operations seek advice on data compliance and certification. Just look at some of the fines that have been dished out under GDPR – and legislation like CCPA empowers American states to enforce even heftier fines. CyberSmart are the experts in cybersecurity compliance, and with IASME’s GDPR Readiness certification we can help your business ensure full GDPR compliance and that the proper processes and policies are in place. Wherever your business operates, contact us to ensure you’re fully compliant.

GDPR: ICO publishes new guidance on Special Category Data 


The Information Commissioner’s Office (ICO) has published new guidance on how and why special category data needs to be handled more carefully.

Some types of personal data are extremely sensitive, and therefore, data controllers must take extra measures to ensure their protection. This is known as special category data and it relates to data that:

  • reveals racial or ethnic origin;
  • reveals political opinions;
  • reveals religious or philosophical beliefs;
  • reveals trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning an individual’s health;
  • data concerning a person’s sex life; or
  • their sexual orientation.

Leaks of this type of personal data can be extremely damaging and dangerous. Just imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them.

This has led the ICO to publish new guidance to support organisations in ensuring they stay GDPR compliant and protect the data they control. 

What does the new guidance say about how organisations should approach processing special category data?

Firstly, as always, you must have a GDPR lawful basis to process data under Article 6. However, when processing special category data you also need an Article 9 condition for the processing and potentially an associated DPA 2018 Schedule 1 condition. Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing. 

There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase your customers’ confidence in you. 

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.


Proactive IT Security Compliance vs Reactive cybersecurity firefighting


When it comes to cybersecurity, MSSPs traditionally provide two standard services: proactive or reactive. Some businesses prefer the reactive approach and require a fix for security issues only when they arise. For other businesses, horizon scanning and taking a more proactive approach fits their risk appetite and lets them stay one step ahead.

Being an MSSP, you have a responsibility to guide clients to the best approach for their business and one that matches their risk appetite. In this blog post, we look at the reasons why proactive compliance is better for businesses than a reactive approach when assessing cybersecurity firefighting.

The Reactive vs. Proactive Approach

A reactive approach towards security embraces the philosophy of waiting until the security perimeter is breached and then acting to fix it. Under this approach, an MSSP is typically responsible for cleaning up the mess after the security incident. That might work with other services, but with cybersecurity it may have business-crippling impacts.

Once a security incident has occurred, the damage has already been done. The loss of data and extended downtime of any systems has already caused financial, reputational or other losses to the client. Add on the cost in time and effort to ‘fix’ the problem, and the potential impacts, coupled with the loss of productivity or revenue, do not make happy reading.

A proactive approach, on the other hand, is about anticipatory prevention measures and rapid notification that drives responsiveness. In this approach, the MSSP is responsible for helping the client address the potential security risks before they can become problems.

Cyber attacks do not sleep, and the proactive approach to cybersecurity defensive measures is the best approach to leave little to no room for attackers to exploit the system. The earlier a problem area or attack vector is identified, the easier it is to fix or to close the door to a potential breach. A proactive approach is a great way to ensure clients’ infrastructure is protected 24/7. It requires continuous engagement with clients and involves the design and deployment of preemptive strategies, tools and techniques with an awareness of threat intelligence to prevent security issues from becoming a concern.   

Drawbacks of Reactive Cybersecurity

The reactive approach may save cost for clients initially, but in the long run, it increases the risks of:  

  • Increased costs. Once a breach has occurred, the financial impacts can be severe. GDPR data-breach fines are not insignificant to any business and the reputational damage costs could be even higher. For SMEs, these costs could be the difference between staying in business or having to close. And that is bad for the client and bad for the MSSP.
  • Inappropriate damage control tools. The reactive firefighting approach is not about protecting businesses for the future. Instead, it is about running a damage control campaign to counter the effects of an ongoing security incident. There is no clear direction to take and often no clear security baseline to revert to rapidly to regain business control. When the breach occurs, the business may well blame the MSSP for not taking care of security more adequately.
  • No clear resolution method. Unlike compliance, you never know what to expect with a reactive call from a client. The best method to resolve the issue may well vary according to the type of incident, the extent of the damage, and the size of the business. This makes it difficult to position pre-defined expertise or resources necessary to deliver reactive services. This uncertainty adds cost to the MSSP’s business model that can be difficult to pass through to clients.

Proactive Cybersecurity Compliance

A proactive compliance approach has a number of benefits for MSSPs:

  • Reduced costs and recurring revenue. A data breach or ransomware attack can lead to substantial losses for a business. The financial losses may include damaged infrastructure, lost data, fines imposed by regulatory bodies, reputational damage and the cost of lost productivity. The risk of realising these costs can be mitigated through a proactive compliance approach. For MSSPs, the benefit is in offering clients a subscription-based compliance model. Since compliance is an ongoing process, your business can focus on building a recurring revenue stream based on a predictable financial model.
  • A well-defined approach. Compliance can be achieved through well-defined processes such as the one used by CyberSmart. A proactive compliance service can be effectively planned and priced by MSSPs. As a preemptive approach, you know exactly the resources and personnel you will need to dedicate to each client.
  • Avoid disruptions and build credibility. The ultimate goal of compliance is to prevent risks to clients that could disrupt their business. Offering proactive services to clients delivers ongoing protection against cyberattacks and offers longer-term client relationships built on trust.

Conclusion

Cyberattacks are evolving, the targets change frequently and the risks and threats are not going to go away if we pretend they do not exist. Businesses should not sit back and wait to be breached; they should be encouraged to keep on the front foot and lower their risks.

For MSSPs, selling compliance that delivers a lowered risk of cyber attack is a great opportunity in the ever-expanding, digitally connected marketplace. Being proactive has great commercial benefits for them and their clients. It can build recurring revenue streams and a sustainable reputation for the MSSPs. For businesses, the benefits of a reduced risk profile are clear.

CyberSmart Active Protect provides everything your clients need to protect their businesses around the clock.  If you would like to learn more about how we can help you sell proactive security, feel free to reach out to us.

CyberSmart is now available on G-Cloud 11

CyberSmart has become an official supplier on G-Cloud 11, a major government procurement framework. 

G-Cloud, created in 2014 by the Crown Commercial Service and Government Digital Service, makes government procurement easier, transparent and much more efficient, reducing the usual lengthy procurement processes from weeks/months down to days. It is straightforward and well guided.

After making it through a rigorous tender process, which ensured our products and services fit in with the needs of G-Cloud, we were confirmed as a supplier from July 2019, ensuring cybersecurity compliance and assurance are easily accessible to everyone on the framework.

The framework allows central government, local authorities, NHS Trusts, the Ministry of Defence and other public sector bodies (including agencies and arm’s length bodies) to access a central website and purchase cloud-based services.

With CyberSmart Active Protect in G-Cloud 11, the tools are in place to ensure full cybersecurity compliance and assurance in public sector bodies and meet recognised cybersecurity standards across entire organisations.

From ensuring all devices are continuously compliant to achieving certifications such as Cyber Essentials, Cyber Essentials Plus or IASME GDPR Ready, often on the same day, the opportunity is now clear and much faster than before.

Jamie Akhtar, CyberSmart’s CEO, said: “Cybersecurity in the public sector is a matter of great concern, so we are happy to be able to provide our innovative platform and products, to support and safeguard key British organisations. Being included in G-Cloud 11 is yet another endorsement of CyberSmart’s platform, and is testament to our already successful and growing relationship with the public sector.”

Can you purchase via G-Cloud 11? See here for government guidance or contact us.

CyberSmart raises £1.3M VC funding to accelerate growth

We are happy to announce that CyberSmart has secured £1.3 million in new financing led by deep-tech investor IQ Capital, after two years in stealth mode. This funding will allow us to further accelerate our rapid growth, build next-generation technical capabilities and secure Britain’s future as a leader in cybersecurity.

CyberSmart’s core mission is to protect and empower SMEs, often the weak link in cybersecurity, but at the same time, the bread and butter of the UK business landscape. CyberSmart’s platform and products allow SMEs of any size, with or without technical resources, to protect themselves and their staff, easily and affordably. The exciting platform is bringing cybersecurity standards to the masses, with millions of UK SMEs in its sights, a truly scalable cybersecurity solution.

CyberSmart is able to automatically check, fix and certify for Cyber Essentials compliance – a UK government cybersecurity certification. This is recommended by the Information Commissioner’s Office (ICO) and is increasingly required across supply chains in multiple industries. 

A Cyber Essentials certification is easily attainable via the CyberSmart platform, reducing the cost and resource typically required to achieve compliance to a matter of hours. SMEs are able to maintain 24/7 compliance across multiple devices, a considerable challenge for most SMEs. The product offers simplicity and scalability to a complex and manual process.

The London-based startup, backed by IQ Capital and Seedcamp, was founded by Jamie Akhtar and Mariella Thanner in January 2017. It uses cutting-edge technology and data science to assess and address a company’s cyber compliance and vulnerabilities. Designed to offer SMEs an innovative approach to compliance, it is being used by fast-growing businesses (Thriva, LiveSmart, Receipt Bank) and more established ones (Hitachi, The Supreme Court) alike.

CyberSmart helps organisations identify weaknesses in their information security practices and develop proactive strategies to address cybersecurity threats, thwarting up to 99.3% of cyber threats.

Commenting on the announcement, Jamie Akhtar, CEO of CyberSmart, said: “Having been in stealth mode since 2017, through both GCHQ’s Cyber Accelerator and CyLon, we’re excited to be able to scale our operations and start talking about how we’re helping to protect our nation’s most promising businesses from cyber threats. This funding will enable us to achieve scale, within our home market and invest in enhanced technical capability.”

The fundraise was led by specialist deep-tech VC, IQ Capital. The firm recently raised a $300m fund to continue deploying capital to deep-tech and AI startups, offering unrivalled knowledge and solid strategic advice to its portfolio companies.

Kerry Baldwin, Partner at IQ Capital said: “CyberSmart is a superb example of the types of companies that IQ Capital invests in – deep tech startups with the potential for global scale. Cybersecurity is now at the top of the agenda at board-level for all data-rich businesses, however, few have proactive strategies in place to tackle the issue. CyberSmart is backed by the Government to help and certify businesses, and we are excited to be part of their growth journey.”

Commenting on the platform, Sally Blake, Marketing Director at Legal Edge said: “CyberSmart was recommended by our own clients who use the platform. They speak our language and are in tune with the requirements of SMEs. Their platform and processes were clearly explained and easily navigated and their responsive platform enables us to communicate and track our compliance activity. The team are extremely helpful, friendly and knowledgeable supporting you at every step of the journey.”

Founded in 2017 by Jamie Akhtar and Mariella Thanner, CyberSmart was selected, after a rigorous competition, to take part in the first GCHQ accelerator programme. From this, the companies were able to have access to government tenders and work with GCHQ’s international network of partners.