How to shift to working from home permanently without compromising your cybersecurity

Coronavirus has the potential to change the world of work forever.

Unless you’ve spent the last few months consciously avoiding the media, chances are you’ve read that sentence a lot. From morning talk shows to breathless newspaper op-eds, it feels like everyone is talking about the society-wide shift to working from home.

But what started as a necessary evil that many businesses adopted reluctantly has turned into something else. First came announcements from Twitter and Facebook that employees would be allowed to ‘work from home forever’ if they chose. This was followed by a host of other businesses including Google, Amazon, JPMorgan, Capital One, Slack, Salesforce, Microsoft and PayPal extending their work-from-home options.

Why is this happening?

Well, it’s actually very simple. An increasing number of businesses are seeing the real benefits of a more permanent shift to remote working.

Why rent office space for 300 people when you could use a smaller venue for essential meetings at half the cost? Why insist staff make long commutes into the office, when they’re happier and more productive working from home? 

For many organisations, the COVID-19 pandemic has turned these questions from water cooler conversations into key pillars of business strategy. 

If your business is considering making the switch to permanent remote working, are you prepared for the risks you should be aware of? And, how can you overcome them and ensure your people are working safely? 

What risks does working from home present? 

While switching to remote working offers benefits in productivity and real estate savings, it also comes with some risks. Here are a few of the most common. 

Unsecured personal devices 

The first question to ask is: can you be sure your people will follow the same security protocols they would in the office? The networks and security tools your staff use at home are likely to be far less secure than those in the office. Home office networks are 3.5 times more likely than corporate networks to be infected by malware, according to a report from BitSight. 

There may even be a psychological element to this. As ZDNet has reported, 52% of employees believe they can get away with riskier behaviour when working from home. For example, sharing confidential files via email instead of the usual, safer channels. 

Lack of remote-working policies and procedures

Part of the reason employees are exposing themselves to risk at home is simply a lack of knowledge of these risks. The COVID-19 pandemic developed so quickly that many businesses didn’t have time to put in place clear policies and procedures for working from home, so employees were literally left to their own devices.

This makes cybersecurity a bit of a guessing game, particularly for the less security-literate of your staff. 

Heightened risk of attack

Cybercriminals are smart but they’re largely opportunistic. And it hasn’t taken them long to figure out that switching to remote working has made businesses vulnerable.

VMware’s recent Global Threat Report reveals that 91% of global respondents have seen an increase in cyber attacks as a result of employees working from home. Meanwhile, the proportion of attacks targeting remote workers increased from 12% of all email traffic in March to 60% just six weeks later.

Keen to exploit our hunger for coronavirus updates, cybercriminals have set up thousands of COVID-19-related ‘news’ sites. These double up as malware hosts and as plausible-looking domains from which to launch phishing attacks. Without the robust controls deployed on most corporate networks, it’s incredibly easy for people working from home to fall into the trap.

The other area cybercriminals are targeting more often is VPNs. VPNs have long been a weak point for cybersecurity: they were only ever intended for small numbers of workers to use occasionally, not whole companies all the time. As a result, many VPN deployments are insecure and give cybercriminals a much wider attack surface from which to launch attacks.

Reliance on the Cloud

We talked about some of the potential issues with cloud storage in a recent blog and, while it’s the safest option for businesses, it’s not invulnerable to attack. 

Working from home naturally increases your reliance on the Cloud. And this isn’t necessarily a bad thing. However, cybercriminals are becoming better all the time at breaking through providers’ defences and intercepting data as it moves between employees’ devices and the cloud. 

How can you overcome these risks? 

We’ve tackled some of the risks involved in switching to working from home, so what can you do about it?

Provide clear policies and encourage communication

This is the most important step on this list. If your people don’t know which behaviours are harmful, they can’t correct them. Ensure all security policies for workers are clear and easy to follow. If you don’t have a remote working security policy, now’s the time to draft one.

Alongside this, work to foster a culture of communication. That way, employees will feel comfortable asking for help with anything they don’t understand and reporting anything suspicious to internal security teams. All too often, security mistakes are made because staff feel ‘silly’ raising their concerns. 

Ensure the right security is in place 

Many of the most common threats can be prevented simply by ensuring your people have the tools they need. Check that all corporate-owned or managed devices are equipped with the best security capabilities. Also, make sure that the security best practices you’d use in the office are extended to the home environment. 

Maintain good password hygiene

Set up a password policy and ensure everyone follows it. Employees should always use complex passwords and two-factor authentication, as well as change passwords regularly. 

Make sure software is up to date

Your employees should regularly install updates and patches for the software on their devices, no matter how much they might enjoy not restarting their laptop for months on end. 

Keep it professional

Encourage your workers to keep work devices for work and personal devices for everything else. Limiting the number of sites employees visit can limit the risk of attack. 

Secure Wi-Fi access points

Network gateways are an underappreciated aspect of good cyber hygiene. Most of us don’t think much about our Wi-Fi once it’s up and running. However, changing the default settings and passwords on a router reduces the risk of attack via the devices connected to it.

Understand the risks

Hopefully, this article has been some help in identifying some of the risks remote working presents. But it can’t be stressed enough that understanding the risks is key to preventing them. IT teams need to identify the most likely areas of attack and prioritise the protection of areas of your business that cybercriminals could do the most damage to. 

Although the switch to working from home comes with difficulties, it’s also a golden opportunity to remould the way your business functions. Alongside the obvious real estate savings, remote working promises happier employees, more productive work and greener business practices. Don’t let poor cybersecurity stand in the way of your business embracing the future.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Proactive IT Security Compliance vs Reactive cybersecurity firefighting

When it comes to cybersecurity, MSSPs traditionally provide two standard services: proactive or reactive. Some businesses prefer the reactive approach and require a fix for security issues only when they arise. For other businesses, horizon scanning and taking a more proactive approach fits their risk appetite and lets them stay one step ahead.

Being an MSSP, you have a responsibility to guide clients to the best approach for their business and one that matches their risk appetite. In this blog post, we look at the reasons why proactive compliance is better for businesses than a reactive approach when assessing cybersecurity firefighting.

The Reactive vs. Proactive Approach

A reactive approach towards security embraces the philosophy of waiting until the security perimeter is breached and then acting to fix it. Under this approach an MSSP is typically responsible for cleaning up the mess after the security incident; that might work for other services, but with cybersecurity it can have business-crippling impacts.

Once a security incident has occurred, the damage has already been done. The loss of data and the extended downtime of any systems have already caused financial, reputational or other losses to the client. Add the cost in time and effort to ‘fix’ the problem, together with the loss of productivity or revenue, and the result does not make happy reading.

A proactive approach, on the other hand, is about anticipatory prevention measures and rapid notification that drives responsiveness. In this approach, the MSSP is responsible for helping the client address potential security risks before they become problems.

Cyber attacks do not sleep, and the proactive approach to cybersecurity defensive measures is the best approach to leave little to no room for attackers to exploit the system. The earlier a problem area or attack vector is identified, the easier it is to fix or to close the door to a potential breach. A proactive approach is a great way to ensure clients’ infrastructure is protected 24/7. It requires continuous engagement with clients and involves the design and deployment of preemptive strategies, tools and techniques with an awareness of threat intelligence to prevent security issues from becoming a concern.   

Drawbacks of Reactive Cybersecurity

The reactive approach may save cost for clients initially, but in the long run, it increases the risks of:  

  • Increased costs. Once a breach has occurred, the financial impacts can be severe. GDPR data-breach fines are not insignificant to any business and the reputational damage costs could be even higher. For SMEs, these costs could be the difference between staying in business or having to close. And that is bad for the client and bad for the MSSP.
  • Inappropriate damage control tools. The reactive firefighting approach is not about protecting businesses for the future. Instead, it is about running a damage control campaign to counter the effects of an ongoing security incident. There is no clear direction to take and often no clear security baseline to revert to rapidly to regain business control. When the breach occurs, the business may well blame the MSSP for not taking care of security more adequately.
  • No clear resolution method. Unlike compliance, you never know what to expect with a reactive call from a client. The best method to resolve the issue may well vary according to the type of incident, the extent of the damage, and the size of the business. This makes it difficult to position pre-defined expertise or resources necessary to deliver reactive services. This uncertainty adds cost to the MSSP’s business model that can be difficult to pass through to clients.

Proactive Cybersecurity Compliance

A proactive compliance approach has a number of benefits for MSSPs:

  • Reduced costs and recurring revenue. A data breach or ransomware attack can lead to substantial losses for a business. The financial losses may include damaged infrastructure, lost data, fines imposed by regulatory bodies, reputational damage and the cost of lost productivity. The risk of realising these costs can be mitigated through a proactive compliance approach. For MSSPs, the benefit is in offering clients a subscription-based compliance model. Since compliance is an ongoing process, your business can focus on building a recurring revenue stream based on a predictable financial model.
  • A well-defined approach. Compliance can be achieved through well-defined processes such as the one used by CyberSmart. A proactive compliance service can be effectively planned and priced by MSSPs. As a preemptive approach, you know exactly which resources and personnel you will need to dedicate to each client.
  • Avoid disruptions and build credibility. The ultimate goal of compliance is to prevent risks to clients that could disrupt their business. Offering proactive services to clients delivers ongoing protection against cyberattacks and offers longer-term client relationships built on trust.

Conclusion

Cyberattacks are evolving, the targets change frequently, and the risks and threats are not going to go away if we pretend they do not exist. Businesses should not sit back and wait to be breached; they should be encouraged to stay on the front foot and lower their risks.

For MSSPs, selling compliance that delivers a lowered risk of cyber attack is a great opportunity in the ever-expanding, digitally connected marketplace. Being proactive has great commercial benefits for them and their clients: it can build recurring revenue streams and a sustainable reputation for the MSSP. For businesses, the benefits of a reduced risk profile are clear.

CyberSmart Active Protect provides everything your clients need to protect their businesses around the clock. If you would like to learn more about how we can help you sell proactive security, feel free to reach out to us.

Every device. Every user. Everywhere.

CyberSmart has a bold mission to protect and empower SMEs. In order to do so, we need to provide continuous compliance through the entire organisation. This is no small feat, as today’s organisations have diverse systems and modern ways of working. We are extremely excited to announce the next big step in our journey is now live.

A mobile world

The world has gone mobile, and SMEs are relying more than ever on their mobile phones and tablets to do business. After all, they are pocket-sized computers, connected to fast mobile networks, with all the applications we need to be productive. The smartphone has allowed us to get the most out of these devices, including handling and storing sensitive data, processing payments and communicating with others.

The ability to carry such devices in our pockets is driving growth and efficiency on a scale not seen before, allowing SMEs to do business anywhere and everywhere. But like any internet-connected device, they leave users open to mobile security threats.

Every device. Every user. Everywhere.

CyberSmart Active Protect is already protecting thousands of devices for hundreds of organisations in the UK, and now that protection and assurance can be deployed on mobile devices. Our new mobile application brings the best of our desktop app to every device in your organisation, securing every user, wherever they are, so your business can focus on what it does best, with peace of mind.

CyberSmart Active Protect

Active Protect checks mobile devices are configured to the recommended security practices, as per the requirements of Cyber Essentials. It guides users on how to protect the device and themselves. It also supports policy distribution to make sure users comply with their company’s internal policies. As it’s an app instead of a profile, it supports both user-managed and corporate provided devices.

Why does my organisation need the mobile app?

  • Checks that all devices within the organisation comply with Cyber Essentials, reducing exposure to threats such as mobile spyware and malware.
  • Guides users through remediation if they need to address any issues.
  • Feeds real-time information back into the CyberSmart dashboard for a single view of compliance.
  • Allows users to read and agree to policies on their mobile devices.

What’s next?

The launch of Active Protect is just another step, albeit a very exciting one, in the CyberSmart journey towards our mission. Our team is focusing on rolling out many more advancements across our product range. This includes inspiring and educating SMEs on practices and strategies to combat cyber threats and further simplifying cybersecurity and compliance for organisations.

CyberSmart Active Protect is live in the following stores:

5 cybersecurity tips to kick off the New Year

Here’s what everyone should be doing in 2018 in terms of cybersecurity and data protection:

What is Cyber Essentials?

You’ve heard that it’s something your business needs, but what is Cyber Essentials? Get your answers here as we explain what it is, how to get certified, and whether it’s worth it.

Cyber Essentials is a UK government-created scheme designed to help SMEs stay protected and productive in a world of increasing cyber threats.

The certification gives you a solid cybersecurity foundation to build upon. And it’s highly recommended for SMEs because it protects you against 98.5% of the most common cyber threats.

In a nutshell, Cyber Essentials includes two things:

  1. Five controls every business needs to mitigate the risk from common cybersecurity threats
  2. A mechanism for SMEs to show customers, investors, and insurers that they’re serious about cybersecurity

Who runs Cyber Essentials?

Cyber Essentials was created by the National Cyber Security Centre (NCSC). The NCSC was assembled in 2016 and combines expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for the Protection of National Infrastructure. They’ve pooled their collective knowledge into a cybersecurity certification that any business can access.

Want to protect your business from 98.5% of cyber threats? Get Cyber Essentials certified today.

What areas does Cyber Essentials cover?

Cyber Essentials covers five key areas of cybersecurity across your IT infrastructure. It even covers common outliers, like thin clients, BYOD, and home working devices. The certification is updated as new technology becomes commonplace to keep pace with today’s working world.

The five Cyber Essentials controls

  1. Firewalls. The boundary defences of your networks
  2. Secure configuration. Security measures for building or installing devices
  3. User access control. Managing user access and admin rights
  4. Malware protection. Protection from malicious software
  5. Patch management. Making sure all systems are updated correctly

How it works

The Cyber Essentials Certification is a self-serve activity. All you have to do is complete a self-assessment questionnaire and submit it via an online portal. The assessment questionnaire is about 30 pages long and is broken up into 8 sections. It includes questions like:

A4.7. Have you configured your boundary firewalls so that they block all other services from being advertised to the internet? By default, most firewalls block all services from inside the network from being accessed from the internet, but you need to check your firewall settings.
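The firewall control (the first of the five controls listed above) and question A4.7 come down to the same check: the boundary firewall denies inbound connections by default and only advertises to the internet the services the business has an approved need for. The Python script below is an added example, not code from CyberSmart or from the Cyber Essentials scheme; it audits a constructed, vendor-neutral ruleset for exactly that property. The rule format, the service labels, the ‘approved’ and ‘admin’ service sets and the two sample rulesets are all assumptions made for illustration.

```python
"""Audit a boundary-firewall ruleset against the Cyber Essentials firewall control.

Constructed example: the rule format and the sample rulesets are invented for
illustration and do not correspond to any real vendor's syntax or any real device.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

INTERNET = "any"  # source label meaning "reachable from the internet"


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "inbound" or "outbound"
    src: str             # INTERNET, or an internal range such as "10.0.0.0/8"
    port: Optional[int]  # None means every port
    service: str         # label such as "https" or "router-admin"


def audit_boundary_firewall(rules: List[Rule], default_inbound: str,
                            approved_services: Set[str],
                            admin_services: Set[str]) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the ruleset passes."""
    findings: List[Tuple[str, str]] = []
    if default_inbound != "deny":
        findings.append(("DEFAULT_POLICY",
                         f"default inbound policy is '{default_inbound}', expected 'deny'"))
    for rule in rules:
        # Only inbound allow rules with an internet source advertise a service.
        if not (rule.direction == "inbound" and rule.action == "allow"
                and rule.src == INTERNET):
            continue
        if rule.port is None:
            findings.append(("ALLOW_ALL",
                             "an inbound allow-all rule from the internet defeats the default policy"))
        elif rule.service in admin_services:
            findings.append(("ADMIN_EXPOSED",
                             f"port {rule.port} ({rule.service}) exposes the firewall's own "
                             "admin interface to the internet"))
        elif rule.service not in approved_services:
            findings.append(("UNAPPROVED_EXPOSURE",
                             f"port {rule.port} ({rule.service}) is advertised to the internet "
                             "without a documented business need"))
    return findings


# Assumed service sets: what the business has justified, and what must never be public.
APPROVED = {"https"}
ADMIN = {"router-admin"}

# Constructed "before" ruleset: a typical small-office router left close to defaults.
WEAK_RULESET = [
    Rule("allow", "inbound", INTERNET, 443, "https"),
    Rule("allow", "inbound", INTERNET, 22, "ssh"),
    Rule("allow", "inbound", INTERNET, 8443, "router-admin"),
    Rule("allow", "inbound", "10.0.0.0/8", 3389, "rdp"),   # internal only, not advertised
    Rule("allow", "outbound", INTERNET, None, "all"),
]

# Constructed "after" ruleset: only the approved service remains reachable from outside.
HARDENED_RULESET = [
    Rule("allow", "inbound", INTERNET, 443, "https"),
    Rule("allow", "inbound", "10.0.0.0/8", 3389, "rdp"),
    Rule("allow", "outbound", INTERNET, None, "all"),
]


def finding_codes(rules: List[Rule], default_inbound: str = "deny") -> List[str]:
    """Convenience wrapper returning just the finding codes, in rule order."""
    return [code for code, _ in audit_boundary_firewall(rules, default_inbound, APPROVED, ADMIN)]


if __name__ == "__main__":
    for name, rules, policy in (("weak", WEAK_RULESET, "allow"),
                                ("hardened", HARDENED_RULESET, "deny")):
        result = audit_boundary_firewall(rules, policy, APPROVED, ADMIN)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for code, detail in result:
            print(f"  [{code}] {detail}")
```

Running the file reports the weak ruleset as failing on its default policy, the exposed SSH service and the internet-reachable admin interface, and the hardened ruleset as passing. The admin-interface check treats the firewall’s own management interface as something that should never be advertised to the internet; in a real assessment the approved-services set is the written list of services the business has justified, which is what the A4.7 answer has to be able to point to.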

On average, we’ve found that it takes small businesses around 2 weeks to complete an assessment. When you submit your assessment, the certification body reviews and grades your application. They have a ‘pass/fail’ system, so once you’ve passed, you’re good to go.

What happens if you fail?

If you fail your certification the first time around, don’t panic. You’ll get feedback from the assessor, so you know what you need to address. They give you two working days to resolve any issues and resubmit for further review without any further cost. If you don’t get the fixes done in time, you may be charged again.

You can avoid this scenario with the support of a Cyber Essentials certification provider. With this support, you can be certified in as little as 24 hours.

How long does the certification last for?

Cyber Essentials certification lasts for 12 months. During that time, your business can be listed on the NCSC’s Cyber Essentials Certification search, so potential customers or investors can confirm your due diligence to cybersecurity. After 12 months, you must reapply to renew your certification.

Is it worth having?

Yes.

The sad truth is that every business, no matter how small, could be connected to the target of a cyberattack. Suppliers, third-party vendors, and large organisations exist in an interconnected ecosystem. An attack on one part of that ecosystem could affect anyone in the supply chain.

That’s why we believe that Cyber Essentials is worth having. It’s a low-effort way for any SME to go from 0% protection to 98.5% protection from the most common cyber threats. In as little as 24 hours, you can transform your IT security.

It’s mandatory for some businesses to have Cyber Essentials. If your business wants to secure government or MOD contracts, Cyber Essentials is… well, essential.

PwC revealed that 85% of consumers “wish there were more companies they could trust with their data”. And in the B2B space, more than 25% of businesses expect double-digit growth in cyber budgets in 2022. So you can bet that they’ll look hard at their potential vendors and suppliers, too.

And while Cyber Essentials isn’t a panacea for all cyber threats, it provides a valuable set of controls that deliver cost-effective cybersecurity for any business. With this foundation and protection from over 98% of common cyber threats, you can start to grow your business with confidence.

So, is Cyber Essentials right for your business? That depends on what your business goals are. But, if you want to…

  • …protect your business from the most common cyberattacks
  • …be certified and visible on a public register 
  • …win new business by displaying your cybersecurity credentials
  • …have a clear picture of your business’s cybersecurity

…then Cyber Essentials is for you.