5 easy cybersecurity New Year’s resolutions for 2021


According to research from the popular exercise app Strava, the second Friday of January is “quitters’ day”, the day when people are most likely to give up on New Year’s resolutions.

It’s the day when all those promises made in good faith back in December go up in smoke. Running shoes across the land are hurled to the back of the nearest cupboard, never to see the light of day again. Gym memberships are forgotten about. And new hobbies fall by the wayside.

The biggest problem with most New Year’s resolutions is their difficulty. Sure, the long-term gains might be amazing, but what about the months of pain and effort to get there?


But not all resolutions have to be difficult or doomed to failure. Take, for example, our list of easy cybersecurity New Year’s resolutions. 

Unlike attempting a couch to 5k or taking up a new hobby, they don’t require hours of your time to see results. Nor do you need to go out and buy expensive new tools or overhaul existing processes. All it takes is a few tweaks here and there to get your business’s cybersecurity fighting fit for the year ahead.

And the best part? Once you’re in the habit, you’re unlikely to break them. 

1. Start patching and updating software regularly 

We bang the patching drum a lot at CyberSmart. Regular readers of our blog will have noticed we mention it at every possible opportunity. But, as repetitive as it might be, there’s a very good reason behind our love affair with patching.

Regularly updating your software and operating systems is the easiest, most time-efficient way to improve your cybersecurity. Even the best software becomes outdated or develops gaps and, when it does, cybercriminals suddenly have an easy route into your business.

Fortunately, avoiding the worst is incredibly easy and it shouldn’t take you more than a couple of minutes each month. All it requires is that you check every now and then for any new updates to tools and software you use. Or, if you want an even easier solution, simply turn on auto-updates in your device’s settings, and you won’t even have to think about it.

To learn more about patching, check out our recent blog on the subject. 

2. Create a password policy

Of all the resolutions on this list, creating a secure password policy is by far the simplest. Most of us know the importance of strong passwords, but that doesn’t stop us using the same easily-guessable phrase we’ve been using since 2001 for everything. We’re only human after all. 

The problem is this poses a huge security risk. It only takes a cybercriminal to crack one insecure password in your business for disaster to strike. But the good news is fixing it is simple.

Set up a password policy and ensure everyone in the business follows it. Often, it doesn’t take much more than a well-worded email and a few friendly nudges to get everyone on board.

What should go in the policy? Well, a strong password policy should have four key points:

  • Use complex passwords that are a combination of letters, numbers and symbols. In-built browser tools like Google Chrome’s password generator are great for this
  • Change passwords regularly
  • Set up different passwords for different accounts, tools and software. If you struggle with remembering them, consider using a secure password manager tool like LastPass or 1password
  • Use two-factor authentication (2FA) wherever possible 

3. Use encryption 

Encryption is one of those technologies that everyone has a vague notion they should be using. However, many of us are put off by the misconception that it’s difficult to set up or hard to understand if you’re not a techy type.

In reality, this couldn’t be further from the truth. You probably already use encryption a lot in your daily life, you just don’t know it. Ever sent a message using WhatsApp? That’s encryption. Bought something from a web store? Encryption.

We won’t go into exactly how it works (if you’d like to know more we have a whole blog on the subject) but, essentially, encryption randomises data so that only an authorised recipient with a key can see it. 

Due to the complexity of the randomisation process, encryption is near impossible to break so it offers a level of security passwords alone can’t match. Better still, once you’ve set it up and are used to using it, it’s unlikely you’ll ever have to think about it again.

4. Make cybersecurity part of this year’s budget

Attacks on SMEs now account for 58% of all cybercrime. What’s more, small businesses’ ability to absorb an attack is limited. Research from insurance and risk consultancy firm, Gallagher, found that over 50,000 UK SMEs would collapse if hit by a cyberattack.

Given the risks, you would expect cybersecurity to be top of most businesses’ budgeting lists. However, that’s often not the case. It’s not hard to see why; if you’re an SME performing financial wizardry each year just to keep things ticking over, cybersecurity can feel like a ‘nice to have’ rather than a priority. It’s this that leads to many smaller businesses making do with anti-virus and little else.

Unfortunately, firms who do this are playing Russian roulette without being conscious of it. Sooner or later, an enterprising cybercriminal will take advantage of weak defences, no matter how small your business. It’s a simple thing, but make 2021 the year cybersecurity features in your annual budget.

5. Get Cyber Essentials certified 

If you’ve heard of Cyber Essentials, you’re likely questioning this suggestion. Isn’t Cyber Essentials certification a long, drawn-out process that takes weeks to complete? It’s hardly fitting for a list of ‘easy’ resolutions.

Well, the truth is that getting Cyber Essentials certified can be like that. However, it doesn’t have to be. At CyberSmart we offer a Cyber Essentials certification process that can take as little as 24 hours, with no need for constant back and forth. We’ll tell you whether you’re going to pass before you submit and help you address any problems, so you only need to do it once.

Getting Cyber Essentials certified is a requirement for many government tenders and can protect your business from 98.5% of cybersecurity threats. But the benefits don’t end there. It’s also a great indicator of your business’s commitment to security, marking you out as trustworthy and safe to potential partners and customers.

So concludes our 2021 cybersecurity New Year’s resolutions. Although we’d recommend doing everything we’ve suggested, even adopting just one will noticeably improve your business’s cybersecurity. So why not kick the year off with a resolution you’ll keep? 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.



How to shift to working from home permanently without compromising your cybersecurity

Coronavirus has the potential to change the world of work forever.

Unless you’ve spent the last few months consciously avoiding the media, chances are you’ve read that sentence a lot. From morning talk shows to breathless newspaper op-eds, it feels like everyone is talking about the society-wide shift to working from home.

But what started as a necessary evil that many businesses adopted reluctantly has turned into something else. First came announcements from Twitter and Facebook that employees would be allowed to ‘work from home forever’ if they chose. This was followed by a host of other businesses including Google, Amazon, JPMorgan, Capital One, Slack, Salesforce, Microsoft and PayPal extending their work-from-home options.

Why is this happening?

Well, it’s actually very simple. An increasing number of businesses are seeing the real benefits of a more permanent shift to remote working.

Why rent office space for 300 people when you could use a smaller venue for essential meetings at half the cost? Why insist staff make long commutes into the office, when they’re happier and more productive working from home? 

For many organisations, the COVID-19 pandemic has turned these questions from water cooler conversations into key pillars of business strategy. 

If your business is considering making the switch to permanent remote working, are you prepared for the risks you should be aware of? And, how can you overcome them and ensure your people are working safely? 

What risks does working from home present? 

While switching to remote working offers benefits in productivity and real estate savings, it also comes with some risks. Here are a few of the most common. 

Unsecured personal devices 

The first question to ask is: can you be sure your people will follow the same security protocols they would in the office? The networks and security tools your staff use at home are likely to be far less secure than those in the office. Home office networks are 3.5 times more likely than corporate networks to be infected by malware, according to a report from BitSight. 

There may even be a psychological element to this. As ZDNet has reported, 52% of employees believe they can get away with riskier behaviour when working from home. For example, sharing confidential files via email instead of the usual, safer channels. 

Lack of remote-working policies and procedures

Part of the reason employees are exposing themselves to risk at home is simply a lack of knowledge of these risks. The COVID-19 pandemic developed so quickly that many businesses didn’t have time to put in place clear policies and procedures for working from home so employees were literally left to their own devices.

This makes cybersecurity a bit of a guessing game, particularly for the less security-literate of your staff. 

Heightened risk of attack

Cybercriminals are smart but they’re largely opportunistic. And it hasn’t taken them long to figure out that switching to remote working has made businesses vulnerable.

VMware’s recent Global Threat Report reveals that 91% of global respondents have seen an increase in cyber attacks as a result of employees working from home. Meanwhile, the proportion of attacks targeting remote workers increased from 12% of all email traffic in March to 60% just six weeks later.


Keen to exploit our hunger for coronavirus updates, cybercriminals have set up thousands of COVID-19-related ‘news’ sites. These double up as hosts for malware and domain names to launch phishing attacks from. Without the robust controls deployed by most corporate networks, it’s incredibly easy for people working from home to fall into the trap. 

The other area cybercriminals are targeting more regularly is VPNs. VPNs have long been a weak point for cybersecurity. They were only ever intended for small numbers of workers to use occasionally, not whole companies all the time. As a result, many VPNs are insecure and provide cybercriminals with a much wider ‘attack surface’ from which to launch threats.

Reliance on the Cloud

We talked about some of the potential issues with cloud storage in a recent blog and, while it’s the safest option for businesses, it’s not invulnerable to attack. 

Working from home naturally increases your reliance on the Cloud. And this isn’t necessarily a bad thing. However, cybercriminals are becoming better all the time at breaking through providers’ defences and intercepting data as it moves between employees’ devices and the cloud. 

How can you overcome these risks? 

We’ve tackled some of the risks involved in switching to working from home, so what can you do about it?

Provide clear policies and encourage communication

This is the most important step on this list. If your people don’t know which behaviours are harmful, they can’t correct them. Ensure all security policies for workers are clear and easy to follow. If you don’t have a remote working security policy, now’s the time to draft one.

Alongside this, work to foster a culture of communication. That way, employees will feel comfortable asking for help with anything they don’t understand and reporting anything suspicious to internal security teams. All too often, security mistakes are made because staff feel ‘silly’ raising their concerns. 

Ensure the right security is in place 

Many of the most common threats can be prevented simply by ensuring your people have the tools they need. Check that all corporate-owned or managed devices are equipped with the best security capabilities. Also, make sure that the security best practices you’d use in the office are extended to the home environment. 

Maintain good password hygiene

Set up a password policy and ensure everyone follows it. Employees should always use complex passwords and two-factor authentication, as well as change passwords regularly. 

Make sure software is up to date

Your employees should regularly install updates and patches for the software on their devices, no matter how much they might enjoy not restarting their laptop for months on end. 

Keep it professional

Encourage your workers to keep work devices for work and personal devices for everything else. Limiting the number of sites employees visit can limit the risk of attack. 

Secure Wi-Fi access points

Network gateways are an underappreciated aspect of good cyber hygiene. Most of us don’t think much about our Wi-Fi once it’s up and running. However, changing the default settings and passwords on a router can reduce the potential for attack from connected devices.

Understand the risks

Hopefully, this article has been some help in identifying some of the risks remote working presents. But it can’t be stressed enough that understanding the risks is key to preventing them. IT teams need to identify the most likely areas of attack and prioritise the protection of areas of your business that cybercriminals could do the most damage to. 

Although the switch to working from home comes with difficulties, it’s also a golden opportunity to remould the way your business functions. Alongside the obvious real estate savings, remote working promises happier employees, more productive work and greener business practices. Don’t let poor cybersecurity stand in the way of your business embracing the future.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Encryption explained: how does it work and why do SMEs need it?

Most of us have heard of encryption. It’s that recipe for secrecy that techy types talk about all the time. But for many of us, that’s where the knowledge ends.

However, for small businesses looking to improve cybersecurity, encryption can be a vital weapon in your arsenal, and one that isn’t so hard to understand. Here’s a simple explanation of what encryption is, why you need it, and when to use it.

What is encryption?

Although encryption, much like ‘the blockchain’, can seem like another one of those unfathomable technical terms, it’s actually pretty simple.

Encryption is most commonly used to protect data in transit and at rest. Ever sent a Facebook Messenger or WhatsApp message? That uses encryption. Or, a payment using online banking? Also encryption. How about buying something from a web store? You guessed it, encryption again.

You get the picture. Encryption is used everywhere in our daily lives, but how does it work?

In non-technical terms, encryption is a way of randomising data so that only an authorised recipient can understand the information. Encryption converts plaintext – for example, the text in an email between you and a colleague – into ciphertext, a string of random-looking numbers and letters. To unlock the real message or data, you need an encryption key, which is a set of mathematical values that only the sender and the recipient of the message know, like so:

[Image: diagram of plaintext being turned into ciphertext with a key. Photo: PixelPrivacy]

The principle is much the same as a password, but better (as we’ll see).

Why does your business need it?

So we’ve covered, in very simple terms, what encryption is. The next question is why should SMEs be using it? It’s easy to assume that if you’re not a huge multinational, processing reams of sensitive information, that your standard security tools such as firewalls and secure passwords are enough to protect your data. However, there are three key reasons why this isn’t the case.

Cyber attacks are on the rise

It’s likely not news to you that cybersecurity threats to SMEs are on the rise. Barely a week goes by without another news story or set of figures released to that effect. Indeed, the Federation of Small Businesses estimates that SMEs are collectively subject to almost 10,000 cyber-attacks a day.

A big part of the problem is the ever-increasing volume and variety of malware out there. A recent report from cybersecurity experts, Malwarebytes, reveals that detections of new malware continue to increase by 1% year-on-year. This might not sound like much, but when we’re talking about detections in the tens of millions, it soon adds up.

In this environment, it’s getting harder and harder to stay ahead of the threat. However, adopting encryption can act as a strong second line of defence. For instance, suppose someone in your organisation accidentally clicks on a malware link in an email (something we’ve all done at least once), potentially exposing your data to an attacker. Using encryption means that they won’t be able to read whatever they find without a key, meaning your data is safe.

You’re using a cloud service

Cloud computing is now a vital part of the daily operations of most SMEs. And if you’re doing business entirely in the cloud, and don’t store any sensitive data on employees’ devices, you’re safe, right? After all, the likes of Amazon, Google, and Microsoft spend billions of dollars a year on the security of their cloud services.

Unfortunately, this is only partly true. Obviously storing your data in a cloud is far better than having everything on vulnerable systems, but that doesn’t mean it’s entirely safe.

To give an example, let’s say you use a cloud-based platform like Office 365 for your everyday operations. A would-be hacker can still intercept your data as it moves between your device and the cloud. As we’ve already mentioned, this is unlikely if you’re working with a reputable cloud provider, but it’s not impossible or even that uncommon. Using strong encryption can help protect you against this by adding another layer of defence.

Passwords aren’t the be-all and end-all

Now, you may be thinking ‘but my business has a clear password protection policy and we regularly change our passwords for laptops and devices, surely that’s enough?’

Not quite. While it’s true that a strong security policy can help protect your business against regular theft and even less sophisticated cyberattacks, it’s not enough to protect you from the really harmful stuff.

Hackers are always finding a way around even the strictest security policies, and new methods for cracking passwords appear all the time. To be totally sure, you need a solution that allows you to completely encode everything on your device. This means that even in the event someone does manage to break in, all they’ll be able to extract is random gobbledegook that’s of little use to anyone without the right encryption key.

How do you use encryption?

Finally, let’s take a look at how you can use encryption to protect your business. Encryption can take many forms. How you use it will depend on what you need it for, but some common uses include:

End-to-end encryption – This guarantees data sent between two parties cannot be viewed by anyone else. Most of the internal communication tools such as Slack or Google Hangouts will come with this as standard, but it’s worth checking whichever messaging tool you use.

Cloud storage encryption – A service offered by cloud storage providers that transforms your data or text using an algorithm and stores it safely in the cloud.

Encryption as a Service (EaaS) – EaaS represents the next step up from cloud storage encryption. It’s the perfect tool for small businesses who want to use encryption but lack the resources to manage it themselves. EaaS subscription models typically include full-disk, database, and file encryption.

Of course, these are far from the only uses of encryption. You can also use it to protect certain fields on your website, encrypt everything leaving or entering your web server and a hundred other things besides. The above are just the most common applications for SMEs.

Data is more important than ever to SMEs. In fact, in our data-driven economy, it’s often the most valuable asset a business possesses. Basic cyber-hygiene such as encryption can go a long way towards helping you protect it.

Show your customers you value their data by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
