Securing the links in your supply chain to prevent cyber attacks

Cyber attacks happen virtually every day, and the impacts data breaches can have on SMEs can be catastrophic. Falling foul of GDPR legislation  can result in fines, loss of trust in your company and ultimately loss of revenue – so it pays to be compliant. 

However, what about the other organisations in your supply chain? Do they require access to your data or systems? Could your security become compromised as a result? While you might have the right cyber essentials in place, can you say the same about your suppliers? These are just a handful of questions all company decision-makers should be asking. 

Supply chain attacks: a history 

Supply chain attacks are nothing new. In fact, one of the largest data breaches in history (when the US-based retailer Target had the credit/debit card information of up to 40 million customers stolen) happened when the firm’s POS system had been infiltrated via malware that came via a supplier. In 2013, attackers used the “trusted” connection between the supplier and Target’s system to gain easy access. 

Putting appropriate controls in place 

All SMEs should understand the risks suppliers may pose and should ensure the supply chain is subject to the appropriate security controls. A good starting point would be to request all suppliers show evidence of having attained “Cyber Essentials” certification – the UK’s recommended security standard. However, this might even be insufficient for high-risk suppliers, who need to go one further and get “Cyber Essentials Plus” accredited.

Mitigating against risk 

As a company, you need to decide which controls you insist upon your suppliers having before you decide to continue doing business with them. If suppliers are unwilling or otherwise unable to comply with these requests, you need to consider whether you can put procedures in place to protect your data that allow you to continue forging a working relationship with them. 

Cybersecurity is one of the biggest threats faced by SMEs in the UK today, and its impacts on every entity within a supply chain, from top to bottom, are far-reaching. It’s therefore imperative for all elements of the supply chain to work together to maintain the strictest possible security measures. 

Find out more 

If you’d like to know more about Cyber Essentials certification or are concerned that your business might not be adequately protected against supply chain cyber-attacks, why not contact Cybersmart today? A member of our team will be happy to discuss your requirements or arrange a security audit of your current systems. 

Proactive IT Security Compliance vs Reactive cybersecurity firefighting

Proactive IT Security Compliance vs Reactive cybersecurity

When it comes to cybersecurity, MSSPs traditionally provide two standard services: proactive or reactive. Some businesses prefer the reactive approach and require a fix for security issues only when they arise. For other businesses, horizon scanning and taking a more proactive approach fits their risk appetite and lets them stay one step ahead.

Being an MSSP, you have a responsibility to guide clients to the best approach for their business and one that matches their risk appetite. In this blog post, we look at the reasons why proactive compliance is better for businesses than a reactive approach when assessing cybersecurity firefighting.

The Reactive vs. Proactive Approach

A reactive approach towards security embraces the philosophy of wait until the security perimeter is breached then acting to fix it. An MSSP is typically responsible for cleaning up the mess after the security incident using this approach; one that might work with other services, but with cybersecurity, may have business crippling impacts.

Once a security incident has occurred, the damage has already been done. The loss of data and extended downtime of any systems has already caused financial, reputational or other losses to the client. Add on the cost in time and effort to ‘fix’ and the potential impacts, coupled with the loss of productivity or revenue do not make happy reading.

A proactive approach, on the other hand, is about anticipatory prevention measures and rapid notification that drives responsiveness. In this approach, the MSSP is responsible for assisting the client address the potential security risks before they can become problems. 

Cyber attacks do not sleep, and the proactive approach to cybersecurity defensive measures is the best approach to leave little to no room for attackers to exploit the system. The earlier a problem area or attack vector is identified, the easier it is to fix or to close the door to a potential breach. A proactive approach is a great way to ensure clients’ infrastructure is protected 24/7. It requires continuous engagement with clients and involves the design and deployment of preemptive strategies, tools and techniques with an awareness of threat intelligence to prevent security issues from becoming a concern.   

Drawbacks of Reactive Cybersecurity

The reactive approach may save cost for clients initially, but in the long run, it increases the risks of:  

  • Increased costs. Once a breach has occurred, the financial impacts can be severe. GDPR data-breach fines are not insignificant to any business and the reputational damage costs could be even higher. For SMEs, these costs could be the difference between staying in business or having to close. And that is bad for the client and bad for the MSSP.
  • Inappropriate damage control tools. The reactive firefighting approach is not about protecting businesses for the future. Instead, it is about running a damage control campaign to counter the effects of an ongoing security incident. There is no clear direction to take and often no clear security baseline to revert to rapidly to regain business control. When the breach occurs, the business may well blame the MSSP for not taking care of security more adequately.
  • No clear resolution method. Unlike compliance, you never know what to expect with a reactive call from a client. The best method to resolve the issue may well vary according to the type of incident, the extent of the damage, and the size of the business. This makes it difficult to position pre-defined expertise or resources necessary to deliver reactive services. This uncertainty adds cost to the MSSPs business model that can be difficult, to pass through to clients.

Proactive Cybersecurity Compliance

A proactive compliance approach has a number of benefits for MSSPs:

  • Reduced costs and recurring revenue. A data breach or ransomware attack can lead to substantial losses for a business. The financial losses may include damaged infrastructure, lost data, fines imposed by regulatory bodies, reputational damage and the cost of lost productivity. The risk of realising these costs can be mitigated through a proactive compliance approach. For MSSPs, the benefit is in offering clients a subscription-based compliance model. Since compliance is an ongoing process, your business can focus on building a recurring revenue stream based on a predictable financial model.
  • A well-defined approach. Compliance can be achieved through well-defined processes such as the one used by CyberSmart. A proactive compliance service can be effectively planned and priced by MSSPs. As a preemptive approach, you know exactly the resources and personnel will need to dedicate to each client.
  • Avoid disruptions and build credibility. The ultimate goal of compliance is to prevent risks to clients that could disrupt their business. Offering proactive services to clients delivers ongoing protection against cyberattacks and offers longer-term client relationships built on trust.


Cyberattacks are evolving, the targets change frequently and the risks and threats are not going to go away if we pretend they do not exist. For businesses, they should not sit back and wait to be breached but they should be encouraged to keep on the front foot and lower their risks. 

MSSPs focusing on selling compliance that delivers lowered risk of cyber attack is a great opportunity in the ever-expanding, digitally connected marketplace. Being proactive has great commercial benefits for them and their clients. It can build recurring revenue streams and a sustainable reputation for the MSSPs. For businesses, the benefits or a reduced risk profile are clear.

CyberSmart Active Protect provides everything your clients need to protect their businesses around the clock.  If you would like to learn more about how we can help you sell proactive security, feel free to reach out to us.

CyberSmart raises £1.3M VC funding to accelerate growth

We are happy to announce, CyberSmart has secured £1.3 million in new financing led by deep-tech investor IQ Capital, after two years in stealth mode. This funding will allow us to further accelerate our rapid growth, build next-generation technical capabilities and secure Britain’s future as a leader in cybersecurity.

CyberSmart’s core mission is to protect and empower SMEs, often the weak link in cybersecurity, but at the same time, the bread and butter of UK business landscape. CyberSmart’s platform and products allow any size SME, with or without technical resources, to protect itself and its staff, easily and affordably. The exciting platform is bringing cybersecurity standards to the masses, with millions of UK SMEs in its sights, a truly scalable cybersecurity solution.

CyberSmart is able to automatically check, fix and certify for Cyber Essentials compliance – a UK government cybersecurity certification. This is recommended by the Information Commissioner’s Office (ICO) and is increasingly required across supply chains in multiple industries. 

A Cyber Essentials certification is easily attainable via the CyberSmart platform, reducing the cost and resource typically required to achieve compliance to a matter of hours. SMEs are able to maintain 24/7 compliance across multiple devices, a considerable challenge for most  SMEs. The products offers simplicity and scalability to a complex and manual process.

The London-based startup backed by IQ Capital and Seedcamp was founded by Jamie Akhtar and Mariella Thanner in January 2017. It uses cutting-edge technology and data science to assess and address a company’s cyber compliance and vulnerabilities. Designed to offer SMEs an innovative approach to compliance, it is being used by fast-growing (“Thriva, LiveSmart, Receipt Bank”), and more established businesses (“Hitachi, The Supreme Court”) alike. 

CyberSmart helps organisations identify weaknesses in their information security practices and develop proactive strategies to address cybersecurity threats, thwarting up to 99.3% of cyber threats.

Commenting on the announcement, Jamie Akhtar, CEO of CyberSmart said: “Having been in stealth mode since 2017,through both GCHQ’s Cyber Accelerator and CyLon, we’re excited to be able to scale our operations and start talking about how we’re helping to protect our nation’s most promising businesses from cyber threats. This funding will enable us to achieve scale, within our home market and invest in enhanced technical capability.”

The fundraise was led by specialist deep-tech VC, IQ Capital. The firm recently raised a $300m fund to continue deploying capital to deep-tech and AI startups, offering unrivalled knowledge and solid strategic advice to its portfolio companies

Kerry Baldwin, Partner at IQ Capital said: “CyberSmart is a superb example of the types of companies that IQ Capital invests in – deep tech startups with the potential for global scale. Cybersecurity is now at the top of the agenda at board-level for all data-rich businesses, however, few have proactive strategies in place to tackle the issue. CyberSmart is backed by the Government to help and certify businesses, and we are excited to be part of their growth journey.”

Commenting on the platform, Sally Blake, Marketing Director at Legal Edge said: “CyberSmart was recommended by our own clients who use the platform. They speak our language and are in tune with the requirements of SMEs. Their platform and processes were clearly explained and easily navigated and their responsive platform enables us to communicate and track our compliance activity. The team are extremely helpful, friendly and knowledgeable supporting you at every step of the journey.”

Founded in 2017 by Jamie Akhtar and Mariella Thanner, CyberSmart was selected, after a rigorous competition, to take part in the first GCHQ accelerator programme. From this, the companies were able to have access to government tenders and work with GCHQ’s international network of partners.

Every device. Every user. Everywhere.

CyberSmart has a bold mission to protect and empower SMEs. In order to do so, we need to provide continuous compliance through the entire organisation. This is no small feat, as today’s organisations have diverse systems and modern ways of working. We are extremely excited to announce the next big step in our journey is now live.

A mobile world

The world has gone mobile, and SMEs are more than ever, relying on their mobile phones and tablets to do business. After all, they are pocket-sized computers, connected to fast mobile networks, with all the applications we need to be productive. The smartphone has allowed us to get the most out of these devices including handling and storing sensitive data, processing payments and communicating with others.

The ability to carry such devices in our pockets is driving growth and efficiency on a scale not seen before, allowing SMEs to do business, anywhere, everywhere. But like any internet connected device, this is leaving users open to mobile security threats.

Every device. Every user. Everywhere.

CyberSmart Active Protect is already protecting thousands of devices for hundreds of organisations in the UK, and now that protection and assurance can be deployed on mobile devices. Our new mobile application brings the best of our desktop app to every device in your organisation, securing every user, wherever they are, so your business can focus on what it does best, with peace of mind.

CyberSmart Active Protect

Active Protect checks mobile devices are configured to the recommended security practices, as per the requirements of Cyber Essentials. It guides users on how to protect the device and themselves. It also supports policy distribution to make sure users comply with their company’s internal policies. As it’s an app instead of a profile, it supports both user-managed and corporate provided devices.

cybersmart mobile app smart policy and phone security check

Why does my organisation need the mobile app?

  • Ensure all devices within the organisation are checked for compliance with Cyber Essentials, preventing potential cyber threats such as mobile spyware and malware.
  • Guides users through remediation if they need to address any issues.
  • Real-time information feeds back into the CyberSmart dashboard for a single view of compliance.
  • Allows users to read and agree on policies on their mobile devices.

What’s next?

The launch of Active Protect is just another step, albeit a very exciting one, in the CyberSmart journey towards our mission. Our team is focusing on rolling out many more advancements across our product range. This includes inspiring and educating SMEs on practices and strategies to combat cyber threats and further simplifying cybersecurity and compliance for organisations.

CyberSmart Active Protect is live in the following stores:

Which businesses is Cyber Essentials mandatory for?

Cyber Essentials is the UK Government-backed scheme that aims to help organisations protect themselves against common cyber threats. Organisations who achieve Cyber Essentials demonstrate they have considered and committed to bolstering their defences against common threats of cybercrime and reduce vulnerabilities of businesses to an accredited government standard. Backed by the UK Government, the Cyber Essentials scheme is not mandatory for everyone.

The European Union’s GDPR has been enacted into UK law and its regulations and requirements are mandatory on all businesses regardless of size.

Cyber Essentials scheme is not covered by binding regulation, instead, it offers organisations and businesses a means to demonstrate their commitment towards addressing cybersecurity by achieving an accredited and registered certification standard.

However, for certain businesses Cyber Essentials is a mandatory requirement in order to secure contracts and in this blog post we describe the conditions under which certification can be necessary.

Government Contracts

Cyber Essentials is mandatory for businesses looking for specific government contracts.

Unless your business achieves Cyber Essentials, you will not be able to bid for such contracts at all. In general, these contracts will involve the handling of personal information or delivering certain IT products and services.

Essentially all government contracts where your business will be required to:

  • Handle the personal information of any UK citizens; i.e. bank details or home addresses.
  • Handle the personal information of any government employees, ministers, or advisors; i.e. payroll or expenses information.
  • Deliver IT products or services designed to store, process, or transfer data at an official level.

Cyber Essentials certification is mandated for businesses entering into these contracts and demonstrates that they have achieved the standards and meet the technical requirements defined in by the scheme.

For all businesses looking to bid for government contracts that involve one of the above characteristics, it makes business sense to consider achieving Cyber Essential certification first and not waiting to the last minute.

Ministry of Defence Contracts

The UK Ministry of Defence (MOD) places further emphasis on businesses being Cyber Essentials certified and requires all its suppliers to comply with the Cyber Essentials scheme.

The MOD stated in its announcement that this requirement must flow down to the supply chain, effectively mandating that both organisations directly conducting business with the MOD, as well as organisations delivering to the MOD supply chain must be Cyber Essentials certified to carry on doing their business or to win contracts for businesses going forward.

Importance of Cyber Essentials

Should your business get a Cyber Essentials certification even if it is not mandatory for your business?


Cyber Essentials is an increasingly important certification to achieve for all businesses of all sizes in the UK. Even where not mandatory, the rise of consumer and client awareness of the impacts of cyber attacks or the consequences of personal data breaches, have rightly seen an increased demand for evidence that your business takes its responsibilities seriously and invests in cyber protection.

Be prepared to be asked by your clients to prove that you are committed to maintaining cybersecurity and with Cyber Essentials certification being able to quickly respond to prove it.

There are additional benefits to achieving Cyber Essentials, other than bidding for a government or MOD contracts. For SMEs with little or no IT support or expertise, it provides a basic first step towards cybersecurity. Most SMEs lack adequate cybersecurity measures because they mistakenly feel that they will not be targeted. This is a misconception:

  • More than 60% of SMEs suffered a breach in 2016.
  • The average cost of a breach to these UK-based SMEs was £16,264.

It makes good business sense to invest the minor cost of certification to reduce this risk and mitigate any losses by achieving Cyber Essentials certification.


The Cyber Essentials scheme is mandatory for businesses and suppliers looking to bid for certain government contracts and all Ministry of Defence contracts. If you are a business that deals with the government or major industries in the UK, then it is essential you consider getting certified and maintaining your annual re-certification to keep the business contract.

For all other businesses, demonstrating to clients and customers that you have taken the essential steps to achieve basic cybersecurity, by being Cyber Essentials Certified, makes sound business sense.

CyberSmart is a cybersecurity service provider that helps organisations secure their systems and become Cyber Essentials certified. If you would like to discuss further on whether Cyber Essentials is mandatory for your business, contact us right away.

Why Cyber Essentials is Important for SMEs

Over the last few years, cyber attacks have become an imminent danger for businesses. With this growing threat, cybersecurity is now a responsibility rather than a luxury.

Despite this, most SMEs are at risk of being breached either through a lack of awareness or the lack of action. This is a concern for SMEs since the fines and costs associated with cyber attacks can put them out of business.

A KPMG survey suggests that only 23% of small businesses prioritise cybersecurity as a top concern. This is being said even though 60% of small businesses have experienced a cyber breach that led to brand damage and loss of clients.

As an SME, this is the right time to act and move forward with the cybersecurity agenda. The UK Government is helping these businesses by providing a range of standards and guidelines. The most useful of these perhaps is Cyber Essentials, particularly for small businesses.

In this blog post, we highlight benefits of Cyber Essentials for SMEs.

What is Cyber Essentials?

Cyber Essentials is a scheme backed by the UK government that was launched in 2014. The standard provides simple but effective guidelines that protect organisations against cyber attacks.

The primary aim of this scheme is to encourage and guide organisations to adopt the best practices in their information security strategy. Once fully implemented, Cyber Essentials will provide organisations with basic protection against the most prevalent cyber threats.

Even though it is not the silver bullet to cybersecurity, it is the first step in the right direction for SMEs to protect themselves in this age of cyber warfare.

Benefits of Cyber Essentials for SMEs

There are a number of benefits that SMEs can look forward to when getting certified for Cyber Essentials. Here are four reasons why Cyber Essentials is important for SMEs.

1.      It helps protect against common cyber attacks

A majority of cyber attacks exploit basic weaknesses in organisations such as the lack of updated software or well-configured firewalls. Often, these types of attacks are simple to defend against with straightforward strategies and Cyber Essentials provides those.

While there is no security strategy that will stop a hundred per cent of the attacks, Cyber Essentials helps organisations mitigate the risks of the most likely ones by providing a strong base for SMEs to work with.

2.      It prepares you for being GDPR compliant

The General Data Protection Regulation (GDPR) came into force earlier this year across the EU. As part of this regulation, organisations that are processing personal information of EU citizens need to protect this data against data theft and unauthorised access. If an organisation is found to be negligent to the GDPR in the event of a breach, the business could face fines of up to 4% of their global turnover.

Following the Cyber Essentials scheme can assist businesses in preventing these heavy fines and prepare them for compliance with GDPR. Even though the GDPR requires a lot more than the five controls in the Cyber Essentials scheme, the latter allow you to audit your internal security and fend off the basic security threats. It is the first step towards preparation of GDPR compliance for SMEs.

3.      It enables you to bid for government contracts

The UK Government has made it mandatory for suppliers to be compliant with the Cyber Essentials scheme to be eligible to bid for government contracts.

If a contract involves certain technical services or handling of sensitive information, then you need to be Cyber Essentials compliant. Therefore, for SMEs that are looking for a government contract, Cyber Essentials is the only way forward.

4.      It shows customers and vendors that you take cybersecurity seriously

Customers and even vendors can often be sceptical in dealing with you if you display little or no concern for cybersecurity. Becoming Cyber Essentials certified can help you establish the trust of clients and partners.

Once you are certified, you will be able to display a Cyber Essentials badge on your business website. This badge proves to customers, vendors, and investors that you take the security of systems and integrity of data seriously. This is particularly important if you are storing, processing, or transferring personal information or hosting sensitive data.


SMEs are as likely, if not more, as large organisations to be at risk of a cyber attack. An important step that SMEs can take to improve their cybersecurity is to get Cyber Essentials certified. This has a number of benefits including protection against prevalent cyberattacks and a competitive advantage for bidding on government contracts.

CyberSmart partners with SMEs to advise them on how to become compliant with leading schemes and standards such as Cyber Essentials. If you would like to learn we can help you become Cyber Essentials certified or Cyber Essentials in general, get in touch.

How long is Cyber Essentials valid for?

Following on from our last blog post, “Steps to prepare and pass Cyber Essentials” this post builds on that advice and discuses the time it takes to achieve certification.

Cyber Essentials scheme encourages businesses to adopt best practices to protect themselves against common security threats. With time, the variety and complexity of these cyber threats are increasing, consequently, cybersecurity standards such as such as Cyber Essentials are constantly evolving their requirements.

This is the reason most standards and schemes have a validity period for their certification. Cyber Essentials is reviewed annually and the UK Government recommends that all certificate holders must review their certification annually to remain on the official register of certified businesses.

In this blog post, we discuss the validity period for Cyber Essentials and how the recertification process works.

How much time does it take to get your business certified?

When you apply for Cyber Essentials, and following payment of £300 plus VAT (at the time of publication), you will receive a self-assessment questionnaire. You have up to 6 months to submit the questionnaire to the certifying body for review and a decision on your certification. If you fail to submit your self-assessment questionnaire within this period, your application will be cancelled, and you will have to make the payment again.

On average, we have found that it takes small businesses around 2 weeks to complete their assessment.

Following submission, it usually takes on average 3 days for the certification body to give you a response. If everything is in order, they will award you your Cyber Essentials certification.

In the case of Cyber Essentials Plus, the process takes a little longer and will typically involve an additional on-site audit and a system vulnerability scan from a registered competent contractor.

Depending on the time and size of your business, it can take up to 6 months to receive a Cyber Essentials Plus certification.

How long is your certification valid for?

There is no definitive period of validity for a Cyber Essentials certification. But, the UK government recommends that businesses renew their certification annually. If you fail to renew your certification within a year, you will be removed from the list of certified organisations.

Cybersecurity is continuously evolving with new requirements and best practices being established every day. To keep your business protected, it is important you stay updated with these new developments. Re-certifying helps demonstrate to your clients that you are improving your security to counter newer threats.

Your accreditation body should inform you by email around a month before you are expected to re-certify. When you receive this email, it is a good time to start preparing for the re-certification process.

How long does will it take to re-certify?

The recertification process is almost the same as the certification process.

Therefore, time durations are similar and you should receive your updated certification within 3 days of you submitting your assessment.

You should factor in the personal time and investment to re-enter all the original information from your previous applications to the recertification questionnaire as the sequence and content do change annually to reflect the changing security environment and requirements for cybersecurity.

In case of changes to the security infrastructure of your organisation, your answers should reflect the changes. If there are no changes, then you can copy and paste the answers from the questionnaire that you filled the previous year.


The bottom line is that you and your business need to re-certify annually to retain your accredited Cyber Essentials registration. The scheme’s current certified businesses are registered on a publicly accessible register, so there is no hiding if you have not completed your annual recertification.

The benefits of getting re-certified include improved protection against emerging cyber threats and reduced risk to your business through an annual review of your adherence to compliance standards.

CyberSmart is an automated compliance service that helps businesses seamlessly track and renew their Cyber Essentials certification. In our next post, we will look at how CyberSmart has been proven to speed up the process for you and your business, saving valuable time, effort and potentially cost. If you would like to learn more about how we can help you remain protected and compliant, get in touch with us right away.

Steps to Prepare and Pass Cyber Essentials (Checklist)

The Cyber Essentials scheme provides a basic yet effective framework for businesses to protect themselves against cyber attacks. Getting Cyber Essentials certified is one of the first steps that any organisations can take to protect their digital assets and their personal data, and for those seeking to engage in the UK Government supply chain contracts, it provides the mandatory certification required to bid.

Like all official certifications, achieving Cyber Essentials requires preparation and business investment in time, cost and some technical awareness.

In this blog post, we present a guide on how to prepare and pass Cyber Essentials.

1.     Create an Information Security policy

The first step is to develop a well-planned information security policy for your organisation. Your policy should establish the requirements and rules for cybersecurity at your company and to achieve Cyber Essentials, your policy should include:

  • The requirements for handling and processing personal data of customers, employees, and third-parties.
  • A password policy that describes the minimum requirements for passwords (such as length and complexity).
  • A set of guidelines that define what users can and cannot do, including access controls and internet usage.

Your security policy does not have to be long and complex document filled with technical details. Instead, it should document rules for cybersecurity in a simple, clear manner that all your employees and other third-parties with access to your systems or data can understand and readily comply with.

2.     Assign a Data Protection Officer

Although not mandatory for all organisations, appointing a single senior employee as a Data Protection Officer (DPO) can help you enforce the information security policy within your organisation.

For SMEs, assigning a DPO can be an important step as they can coordinate all the business security initiatives, and for external parties and IT users, they are the business’ single point of contact for queries and concerns related to security.

Cyber Essentials requires businesses to complete and submit a self-assessment questionnaire, and provide relevant evidence to support answers, in order to achieve certification.

Having a single point of focus in a DPO ensures that everybody understands who is responsible for completing the questionnaire and who to go to for best practise advice and guidance.

3.     Keep track of your digital assets

To make sure that all software and devices are protected, you should keep an inventory of digital assets. Ensure that you include the details of software versions and updates for both software and devices.

Knowing what and where your assets are is good practice and especially so with information security assets. It helps you keep software updated, which can often be essential, and the best first step to protect your systems and data.

Knowing what devices are present on, or can connect to your network, is the best way to identify unauthorised devices and to take action to remove or isolate them. Tracking your digital assets enables you to identify vulnerabilities and to keep a close watch on devices within your network.

4.     Enforce access control

Access control ensures that only authorised personnel have access to sensitive information and enforcing strong access control is an essential step for achieving Cyber Essentials certification.

Make use of a Role-Based Access Control (RBAC) system ensure IT users have only have the privileges that they need for their job role and access to only those systems they need to be effective and operate safely.

5.     Make use of the right tools and configurations

A firewall and antivirus are essential security tools required for Cyber Essentials.

Your firewall helps protect devices on a network from external threats such as those from the internet.

Your antivirus software protects your systems from viruses and other malware that can harm them, or corrupt or steal sensitive, personal or proprietary data.

You should ensure your firewalls are properly configured to disallow access to malicious content. Making use of a firewall and antivirus will help your business prevent the most common types of cyber attacks.

6.     Conduct regular security reviews

To ensure that your digital assets remain safe and protected, it is important to document, track, and review the effectiveness of the cybersecurity measures you have taken.

Knowing the strengths and weaknesses of your organisation’s network can help you fine-tune cybersecurity for better protection, especially as you grow. You should conduct regular security reviews to:

  • Track all devices and software, including when they were last updated.
  • Understand the types of devices being used throughout your organisation (e.g. laptops, desktops, servers etc).
  • Determine the effectiveness of your information security policy.
  • Ensure that all software and devices are properly configured for secure operations.


If you are a small to medium scale business getting started with cybersecurity can seem daunting, especially if you have no technical IT skills. However, achieving a Cyber Essentials certification is a great way to begin, and for a small investment of time and effort, it can significantly reduce your risk exposure. Take the steps outlined above and you will be well-prepared to pass Cyber Essentials.

CyberSmart is the automated platform to help businesses get and stay secure with recognised certification standards including Cyber Essentials. Businesses can gain certification as individual companies or can join the many organisations that have achieved Cyber Essentials by partnering with us today.

If you have any questions, whether it is preparing for Cyber Essentials, or how to protect your company systems and data, please reach out. We love to talk about Cyber Essentials and help companies with their data protection needs and smart certification

My Business Is Scaling; How Do I Secure My Customer Data

Whether it be personal or operational, stolen data often results in disaster for small businesses. It can result in loss of revenue, customer trust, and reputation for the business. Data breaches are a growing concern for UK businesses, particularly the ones that are scaling to expand their operations.

Implementing security measures at a small-scale is easy, but as your business grows, it becomes more difficult and complex implement efficiently. In this blog post, we provide some effective tips on how businesses can secure their customer data as they scale.

Encrypt your data

One way to increase the security of your confidential data is to store and transmit it in an encrypted format. This keeps your data secure even if hackers get access to it. The encryption renders the information unreadable and hence unusable by the hackers.

Encryption is a great prevention technique that solidifies your organisation’s defences against hackers. There are numerous encryption techniques and standards that can be used to protect your data. Consult with your service provider or security expert on which one you can use to ensure data confidentiality.  

Disable remote access

Most data breaches can be attributed to hackers gaining remote access to the network. To protect your business against this, it is recommended that you limit remote access to your network.

This can be achieved by disabling remote access from all external networks. Or, a possible way of limiting remote access is to whitelist devices that can remotely access your network. The remote access should be disabled for all other devices other than these.

Limit data accessibility

Access control or limiting data accessibility is an effective way to secure control data. It limits users within your network to access only the data that they need for their job.

Regardless of how well-known or trusted an individual is, their access to information should be restricted. For third-parties such as clients, you should create guest users that can only access the information that you wish to share with them.

There are several benefits of using access control. Firstly, it helps you to hold users accountable in the case data is illegally manipulated. Secondly, it allows for damage control in the case hackers breach your network and gain access to a user account. The hackers will only be able to access the information which the breached account can.

Educate your employees

Employees are integral to an organisation’s information security plan. Hackers can breach even the most advanced cybersecurity defences because of a simple mistake by an employee. For instance, you might have a strong password policy but if hackers can still manipulate employees to give away their passwords.

To prevent this, it is important to educate your employees. This can be done by implementing an information security policy and conducting training sessions. The information security policy should provide best practises and guidelines for employees. For instance, it should require employees to not share their personal information with anyone.

In the case of a breach, your information security policy should provide guidelines on what employees should do. New employees should be made aware of the information security policy and how to comply with it through training sessions.


It is essential for businesses, particularly SMEs that are growing, to secure their customer data. A breach can result in severe financial loss and irreparable reputation damage. Fortunately, you can take some measures to protect your information as your business expands. You can encrypt your data, limit remote access and data access, educate your employees, and monitor data for insider attacks.

CyberSmart partners with businesses to help them protect themselves from 80% of attacks. We provide automated compliance services that ensure businesses follow best practises for security. Feel free to reach out to us if you would like to learn more about how to secure your customer data.

Free Ways to Protect Your Business from Cyber Attacks

Cyber attacks have grown significantly in number over the years. Among these attacks, small businesses and startups are the most common targets. Factors such as the lack of access control or absence of an information security policy make businesses vulnerable to breaches.

It has become essential for SMEs to remain vigilant. As a business owner, you need precautionary steps to protect yourself against cyber attacks.

In this article, we guide you on how you can protect your business from cyber attacks, free of cost.

Develop a strong information security policy

The first step towards protecting your company from cyber attacks is to develop a strong security policy. Such a policy should consist of rules and guidelines that cover all aspects of the company’s cybersecurity. It is not important to just create an information security policy, but to enforce it as well.

In the 2016 cyber security intelligence index, IBM found that 60% of their cyber breaches involved employees. Even though most of these had wrong intentions, more than one-fourth of these incidents happened mistakenly, when the employees opened spam pop-ups, emails, or links.

This is the reason it is important to make sure that employees are aware of the information security policy. Documenting a formal security policy with detailed guidelines is the best way to keep your employees aware.

For instance, a clause found in most security policies is to make sure that strong passwords are used. For making the employees aware, you can document and pass out requirements such as passwords should be a minimum of 8 characters in length with special characters.

Similarly, a strong information security policy should have rules to minimise risk from the use of personal email, public Wi-Fi, third-party software, and external URLs and links.

Make use of encryption

All data that is saved on a company’s server or the cloud should be encrypted. The encryption of data ensures that even if data is breached, it cannot be used for malicious purposes.

Basically, encryption converts the data into an unreadable format until a specific key is provided to access the data. You can use a software or hire a third-party vendor for this purpose.

Businesses store confidential information about employees and customers such as their credit card information and national insurance number.

It is essential that you protect this information from getting breached in the first place. However, as a fail-safe, encryption should be used to prevent hackers from accessing the information.

Control access to restricted information

A simple rule of thumb for businesses should be: all information should not be available to everyone. This is because it makes your business more vulnerable. The more accessible your information, the higher the number of possible entry points for the hackers.

Sensitive data such as employee or customer information should be accessible by certain people only. This is known as access control. With access control, there are fewer chances of access by an unauthorised person.

This is an important step for securing your company from cyber attacks. You can implement access control by simply defining user roles and establishing user types within the system.

Once access control has been implemented, you should conduct a session to inform employees about compliance with the rules. For instance, you should tell them what kind of access is unauthorised, and who is allowed access to what data.

Update software and operating systems

A common entry point for hackers is by making use of known exploits in software and operating systems. Therefore, the developers of such software provide regular updates and patches to fix known exploits.

Cybersecurity is not concerned with the use of high-end premium software, but rather how updated your software is. It is best practice to always keep your software and operating systems updated. Schedule your systems to auto-update whenever a security patch or update comes out to minimise vulnerabilities.


With cybercrimes on the rise, businesses are now in an urgency to protect themselves. You can improve your business’ cybersecurity by following the strategies that we have outlined above.

Even if you cannot spend considerably on cybersecurity, these free ways will help you protect your business from cyber attacks.

CyberSmart knows the importance of protecting yourself against breaches. If you are looking for more information on the strategies above, or would like to learn about how to protect, contact us to get in touch with a professional from our team. We will help you strengthen your defenses without having to empty your wallet.