It started as a normal day at work. You send a few emails, drink some coffee, and attend a few meetings. But then things take a turn for the worse. Your flustered finance colleague tells you they aren’t able to access your customer database and a strange message is displaying on the screen. It’s happened. You’ve been ransomware attacked.

But what do you do next? There’s plenty of information out there on how to prevent ransomware attacks from happening, but less on what to do if the worst does happen. So, here are our top tips for what to do next.

1. Take a deep breath and assess the damage 

This might sound obvious or slightly patronising, but it can be very difficult to stay cool and collected in the event of a breach. Many victims rush into paying the ransom straight away, giving them no wiggle room for negotiations with the attacker. 

So, first things first, take a moment to collect yourself, the hard work starts here. Once you’re ready, start assessing the damage. Has an attack definitely happened? Do you know which systems or files have been compromised? How far have the hackers got? These are all questions you’ll need to know the answer to.

Your next course of action will likely go in one of two directions. If your organisation has an incident response plan, follow that. If it doesn’t, don’t worry, you can follow the next steps on this list. 

2. Collect evidence 

This step shouldn’t take more than a few seconds, but it’s very important. You should immediately take a photo of the ransomware note. It doesn’t matter how you do it, a screenshot or a photo on your smartphone will work, but the key thing is to document the breach. This will help you in contacting your insurers and filing a police report.

3. Isolate the breach

Once it’s in, ransomware is designed to spread like wildfire across a network. To stop it from infecting every system in your business, you need to isolate the breach. 

That might sound complicated or techy, but it’s actually very simple. The easiest thing to do is disconnect the infected system(s) from your network so the ransomware can’t spread anywhere else. Doing this can stop a relatively minor breach from becoming business-threatening. 

4. Disconnect backups 

We’ve written at length on the importance of data backups before. And a successful ransomware attack is where they really come into their own. In the best-case scenario, it could save you from having to pay a ransom at all.

Unfortunately, cybercriminals know this. So most modern ransomware strains are coded to go after any backups you have. This means it’s important to secure your backups by disconnecting them from the rest of your network. And to be extra safe, we recommend locking down access to your backups until the infection has passed. 

5. Notify insurers and your IT provider

This step will be different for everyone, depending on whether you have cyber insurance or outsource any element of your IT to a third party. However, if you do have either, now’s the time to report the breach. You’ve completed the vital first steps to contain the threat and it’s time to bring in some help.

Your insurer needs to know for obvious reasons but both should be able to help you with the next steps. Many insurers are happy to put you in touch with experts and your IT provider should also be able to lend a hand.

At this point, it’s also worth notifying law enforcement and the ICO. Your insurers may require a police report to proceed and it can also help save other organisations from the same fate.

6. Identify the strain of ransomware

Unless you’re extremely unlucky, it’s unlikely your business is the first to be hit with whatever strain it’s been infected with. And this means it should be fairly easy to identify.

Free services like ID Ransomware allow you to upload a sample of your encrypted file(s), the ransom note, and the hacker’s contact info. They’ll then analyse this information and identify who or what has attacked you.

This is important for two reasons. First, who you’re dealing with will help inform your decision on whether to pay. Second, knowing what you’re dealing with is vital when you come to attempt to decrypt your files.

7. Try decrypting your files

Once you know the type of ransomware you’ve been infected with, it’s time to have a go at decrypting your files. This might be easier with the help of a cyber expert, but it’s not too difficult to do yourself. 

There are plenty of decryption tools available online. No More Ransom has a great selection of tools to decrypt most types of ransomware. All you need to do is find the strain you’ve been hit with from the list, download it and follow the installation process. The site is updated regularly, so even if you have been struck by a newer form of ransomware there should be something to help. 

Of course, this won’t always work. Ransomware is ever-evolving, with the bad guys constantly adding extra features. But it’s always worth a try.  

8. Reset passwords

You might have already done this step earlier on in the process. If so, give yourself a hearty pat on the back. If not, it’s time to reset all your business’s passwords. This is something you should be doing regularly anyway, but it can stop hackers from gaining access to other non-infected systems and attacking those too.

And, once the infection is completely removed, don’t forget to change them again.

9. Decide whether to pay or not 

Finally, we come to the trickiest part. Should you pay the ransom?

Sadly, there’s no absolute answer either way. Whether or not you decide to pay is completely conditional depending on the scenario you find yourself in. If you’ve managed to decrypt your files and the data the hackers have isn’t sensitive, you probably don’t need to pay.

Likewise, your insurer may instruct you not to pay. Cyber insurers are currently split upon ransomware best practices after years of near unanimity.

In other cases, paying might be the best option. For example, when the hackers have access to sensitive customer or financial data.

10. One last thing…

You may have noticed we haven’t mentioned communications to partners or customers. We’ve left this until last because, like paying the ransom, the decision is situation based.

If customer data has been stolen, then you need to inform clients and partners so they can secure their accounts. However, if the breach has only affected internal data, you may not need to communicate that to clients. 

Like the incident response plan we mentioned earlier, it’s well worth having an emergency communications plan ready to go in case you do get attacked.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.

The fifth generation of wireless technology, or 5G, promises many things. But beyond grandiose pledges of hyper-connected living, truly scalable virtual reality, and a new golden age for business, 5G’s rollout has been far from smooth.

Unless you’ve (wisely) been consciously ignoring the news, it’s hard to miss the furore surrounding 5G. First, came British 5G towers being pulled down and set on fire due to COVID-19 conspiracy theories. Next, the UK’s decision to ban Chinese firm Huawei from its 5G network. Then, a backlash from environmental activists lamenting 5G’s potential footprint. 

But away from the big headline stories, there’s another side to 5G. It’s a potential gamechanger for small businesses. 

What benefits does 5G offer to small businesses? 

5G provides a host of benefits to small businesses, ranging from the simple to the fantastical. 

Speed

5G networks are engineered to be fast. Really fast. The most transformative part of 5G is its ability to reduce the time (or ‘latency’ if you prefer the techy term) it takes for data to get from one point to another. 5G promises speeds up to seven times faster than the fastest 4G browsing experience. 

For small businesses, this could improve everything from communication with customers to remote working to video conferencing. 

Smart offices

The term ‘smart office’ was all the rage a couple of years ago. We were promised a world of self-booking meeting rooms, automated energy controls and desk-monitoring software. The theory went that this would usher in a new era of happy, engaged employees, optimised office spaces,  and reduced real estate costs. 

However, at the time, the technology to truly automate the office environment wasn’t quite there. With 5G, that’s all about to change. The availability of superfast internet could finally make smart offices available, for very little cost, even to small businesses. 

Looking to improve cybersecurity in your business? Start by getting Cyber Essentials certified. 

Real-time communication

5G’s low latency could transform the way businesses communicate. Imagine a world in which your interactions with customers, staff and employees took place instantly, wherever they are in the world. 

No more waiting for emails to come through. Files uploaded to shared drives in seconds. And, video conferencing that doesn’t freeze every five minutes. That’s the future 5G promises. 

Remote working 

Unless you live in Sweden or have been extremely lucky, chances are you’re reading this at home. Most businesses have had to learn how to work remotely in the last six months. And, for the most part, we’ve all adapted well. 

However, we’re all familiar with the problems working from home presents. How well you’re able to work remotely largely depends on the quality of your internet connection. The additional capacity and speeds 5G offers could change this. Instead of playing the postcode lottery, employees will be able to access high speeds and low latency in even the worst internet black spots. 

IoT

The internet of things (IoT) is another term you’ll have heard a lot in the last few years. But beyond many of us using voice-controlled devices in our homes, it’s yet to really take off. 

5G’s improved connectivity will allow businesses to link up everything from printers and smartphones to office monitoring software.

The bottom line

In short, 5G will make small businesses more efficient, extending their ability to do more with fewer resources and in less time. And this won’t just save costs, it’ll also improve customer experience and boost revenue as a result. 

What risks does bring 5G bring for SMEs? 

Unfortunately, the benefits of 5G apply to cybercriminals as much as they do businesses. 

More attacks 

Although stronger, faster connections are a boon for small businesses, the same is true for cybercriminals. As businesses use 5G as a platform to innovate, so will the bad guys. 5G provides a better tool to launch sophisticated cyberattacks faster, more efficiently, and in greater numbers. 

More opportunities for cybercriminals 

5G enables greater use of IoT devices. And this will have huge benefits for small businesses.

Gartner predicts that there will be 20.4 billion IoT devices in use globally by the end of this year – just in time for the widespread launch of 5G. 

However, with more connected devices, comes more opportunities for the bad guys to break in. It only takes one poorly secured device for cybercriminals to find their way in. And, while it’s always been the case that one weak link is enough, IoT devices increase the risk simply because there are so many of them.

Decentralisation could lead to disruption 

This risk is a little more complex, so bear with us while we run through a short history lesson on network security. 

Traditionally, networks were hub and spoke designs. Essentially, everything flowing through a network eventually came back to the central hub, usually a data centre. This made practising good cyber hygiene pretty simple, as you could protect everything from this central point.

With 5G, these ‘hubs’ are decentralised to a web of digital routers throughout the network. This means that there isn’t a central point where everything can be checked and cybersecurity protocols put in place. Instead, this needs to be done throughout the network, upping the chances security will be overlooked and cybercriminals given a route in. 

What should you do to protect your business? 

Although some of the risks we’ve outlined above are the responsibility of internet service providers, you should never rely on secondhand security alone. There are plenty of things you can do to ensure your business reaps the rewards of switching to 5G, without exposing it to greater risks. 

Check the right security is in place 

Run regular checks to ensure every device used in your business is equipped with the best security capabilities. This includes any IoT devices you’re using such as voice assistants or smart printers. Tools like CyberSmart Active Protect can help automate this process, by running a scan of all devices every 15 mins. 

Make sure software is up to date

No one likes running software or operating system updates, but it is important. Often software providers will include patches to fix known vulnerabilities in updates, protecting you against new cyber threats. Ensure all software is configured to update automatically across all company devices or perform regular checks. 

Get Cyber Essentials certified 

According to a report from Lancaster University, the measures laid out by the UK government’s Cyber Essentials (CE) scheme can mitigate 98.5% of cybersecurity risks. If you’re not already CE certified, following the process will help you build a great base level of security before you make the jump to 5G. 

Maintain good password hygiene

We say it a lot, but setting up a password policy and ensuring everyone follows is a vital step. Always use complex passwords, change them regularly, and set up two-factor authentication, 

Clear security policies 

If you don’t have a security policy in place for 5G and the use of IoT, now’s the time. But it’s not enough just to have a security policy in place, your people also need to understand it. Check all security policies for workers are clear, easy to follow and stored in a central location everyone can access. 

5G is here. In less than four years time one billion devices will rely on it, and your business will very likely contain some of them. Of course, this brings risks. But the bad shouldn’t outweigh the good. By adopting a policy for 5G early and establishing simple, but effective security protocols you can make sure your business is primed to ride the next great wave of connectivity. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Over the last few years, cyber attacks have become an imminent danger for businesses. With this growing threat, cybersecurity is now a responsibility rather than a luxury.

Despite this, most SMEs are at risk of being breached either through a lack of awareness or the lack of action. This is a concern for SMEs since the fines and costs associated with cyber attacks can put them out of business.

A KPMG survey suggests that only 23% of small businesses prioritise cybersecurity as a top concern. This is being said even though 60% of small businesses have experienced a cyber breach that led to brand damage and loss of clients.

As an SME, this is the right time to act and move forward with the cybersecurity agenda. The UK Government is helping these businesses by providing a range of standards and guidelines. The most useful of these perhaps is Cyber Essentials, particularly for small businesses.

In this blog post, we highlight benefits of Cyber Essentials for SMEs.

What is Cyber Essentials?

Cyber Essentials is a scheme backed by the UK government that was launched in 2014. The standard provides simple but effective guidelines that protect organisations against cyber attacks.

The primary aim of this scheme is to encourage and guide organisations to adopt the best practices in their information security strategy. Once fully implemented, Cyber Essentials will provide organisations with basic protection against the most prevalent cyber threats.

Even though it is not the silver bullet to cybersecurity, it is the first step in the right direction for SMEs to protect themselves in this age of cyber warfare.

Benefits of Cyber Essentials for SMEs

There are a number of benefits that SMEs can look forward to when getting certified for Cyber Essentials. Here are four reasons why Cyber Essentials is important for SMEs.

1.      It helps protect against common cyber attacks

A majority of cyber attacks exploit basic weaknesses in organisations such as the lack of updated software or well-configured firewalls. Often, these types of attacks are simple to defend against with straightforward strategies and Cyber Essentials provides those.

While there is no security strategy that will stop a hundred per cent of the attacks, Cyber Essentials helps organisations mitigate the risks of the most likely ones by providing a strong base for SMEs to work with.

2.      It prepares you for being GDPR compliant

The General Data Protection Regulation (GDPR) came into force earlier this year across the EU. As part of this regulation, organisations that are processing personal information of EU citizens need to protect this data against data theft and unauthorised access. If an organisation is found to be negligent to the GDPR in the event of a breach, the business could face fines of up to 4% of their global turnover.

Following the Cyber Essentials scheme can assist businesses in preventing these heavy fines and prepare them for compliance with GDPR. Even though the GDPR requires a lot more than the five controls in the Cyber Essentials scheme, the latter allow you to audit your internal security and fend off the basic security threats. It is the first step towards preparation of GDPR compliance for SMEs.

3.      It enables you to bid for government contracts

The UK Government has made it mandatory for suppliers to be compliant with the Cyber Essentials scheme to be eligible to bid for government contracts.

If a contract involves certain technical services or handling of sensitive information, then you need to be Cyber Essentials compliant. Therefore, for SMEs that are looking for a government contract, Cyber Essentials is the only way forward.

4.      It shows customers and vendors that you take cybersecurity seriously

Customers and even vendors can often be sceptical in dealing with you if you display little or no concern for cybersecurity. Becoming Cyber Essentials certified can help you establish the trust of clients and partners.

Once you are certified, you will be able to display a Cyber Essentials badge on your business website. This badge proves to customers, vendors, and investors that you take the security of systems and integrity of data seriously. This is particularly important if you are storing, processing, or transferring personal information or hosting sensitive data.

Conclusion

SMEs are as likely, if not more, as large organisations to be at risk of a cyber attack. An important step that SMEs can take to improve their cybersecurity is to get Cyber Essentials certified. This has a number of benefits including protection against prevalent cyberattacks and a competitive advantage for bidding on government contracts.

CyberSmart partners with SMEs to advise them on how to become compliant with leading schemes and standards such as Cyber Essentials. If you would like to learn we can help you become Cyber Essentials certified or Cyber Essentials in general, get in touch.

Following on from our last blog post, “Steps to prepare and pass Cyber Essentials” this post builds on that advice and discuses the time it takes to achieve certification.

Cyber Essentials scheme encourages businesses to adopt best practices to protect themselves against common security threats. With time, the variety and complexity of these cyber threats are increasing, consequently, cybersecurity standards such as such as Cyber Essentials are constantly evolving their requirements.

This is the reason most standards and schemes have a validity period for their certification. Cyber Essentials is reviewed annually and the UK Government recommends that all certificate holders must review their certification annually to remain on the official register of certified businesses.

In this blog post, we discuss the validity period for Cyber Essentials and how the recertification process works.

How much time does it take to get your business certified?

When you apply for Cyber Essentials, and following payment of £300 plus VAT (at the time of publication), you will receive a self-assessment questionnaire. You have up to 6 months to submit the questionnaire to the certifying body for review and a decision on your certification. If you fail to submit your self-assessment questionnaire within this period, your application will be cancelled, and you will have to make the payment again.

On average, we have found that it takes small businesses around 2 weeks to complete their assessment.

Following submission, it usually takes on average 3 days for the certification body to give you a response. If everything is in order, they will award you your Cyber Essentials certification.

In the case of Cyber Essentials Plus, the process takes a little longer and will typically involve an additional on-site audit and a system vulnerability scan from a registered competent contractor.

Depending on the time and size of your business, it can take up to 6 months to receive a Cyber Essentials Plus certification.

How long is your certification valid for?

There is no definitive period of validity for a Cyber Essentials certification. But, the UK government recommends that businesses renew their certification annually. If you fail to renew your certification within a year, you will be removed from the list of certified organisations.

Cybersecurity is continuously evolving with new requirements and best practices being established every day. To keep your business protected, it is important you stay updated with these new developments. Re-certifying helps demonstrate to your clients that you are improving your security to counter newer threats.

Your accreditation body should inform you by email around a month before you are expected to re-certify. When you receive this email, it is a good time to start preparing for the re-certification process.

How long does will it take to re-certify?

The recertification process is almost the same as the certification process.

Therefore, time durations are similar and you should receive your updated certification within 3 days of you submitting your assessment.

You should factor in the personal time and investment to re-enter all the original information from your previous applications to the recertification questionnaire as the sequence and content do change annually to reflect the changing security environment and requirements for cybersecurity.

In case of changes to the security infrastructure of your organisation, your answers should reflect the changes. If there are no changes, then you can copy and paste the answers from the questionnaire that you filled the previous year.

Conclusion

The bottom line is that you and your business need to re-certify annually to retain your accredited Cyber Essentials registration. The scheme’s current certified businesses are registered on a publicly accessible register, so there is no hiding if you have not completed your annual recertification.

The benefits of getting re-certified include improved protection against emerging cyber threats and reduced risk to your business through an annual review of your adherence to compliance standards.

CyberSmart is an automated compliance service that helps businesses seamlessly track and renew their Cyber Essentials certification. In our next post, we will look at how CyberSmart has been proven to speed up the process for you and your business, saving valuable time, effort and potentially cost. If you would like to learn more about how we can help you remain protected and compliant, get in touch with us right away.

Whether it be personal or operational, stolen data often results in disaster for small businesses. It can result in loss of revenue, customer trust, and reputation for the business. Data breaches are a growing concern for UK businesses, particularly the ones that are scaling to expand their operations.

Implementing security measures at a small-scale is easy, but as your business grows, it becomes more difficult and complex implement efficiently. In this blog post, we provide some effective tips on how businesses can secure their customer data as they scale.

Encrypt your data

One way to increase the security of your confidential data is to store and transmit it in an encrypted format. This keeps your data secure even if hackers get access to it. The encryption renders the information unreadable and hence unusable by the hackers.

Encryption is a great prevention technique that solidifies your organisation’s defences against hackers. There are numerous encryption techniques and standards that can be used to protect your data. Consult with your service provider or security expert on which one you can use to ensure data confidentiality.  

Disable remote access

Most data breaches can be attributed to hackers gaining remote access to the network. To protect your business against this, it is recommended that you limit remote access to your network.

This can be achieved by disabling remote access from all external networks. Or, a possible way of limiting remote access is to whitelist devices that can remotely access your network. The remote access should be disabled for all other devices other than these.

Limit data accessibility

Access control or limiting data accessibility is an effective way to secure control data. It limits users within your network to access only the data that they need for their job.

Regardless of how well-known or trusted an individual is, their access to information should be restricted. For third-parties such as clients, you should create guest users that can only access the information that you wish to share with them.

There are several benefits of using access control. Firstly, it helps you to hold users accountable in the case data is illegally manipulated. Secondly, it allows for damage control in the case hackers breach your network and gain access to a user account. The hackers will only be able to access the information which the breached account can.

Educate your employees

Employees are integral to an organisation’s information security plan. Hackers can breach even the most advanced cybersecurity defences because of a simple mistake by an employee. For instance, you might have a strong password policy but if hackers can still manipulate employees to give away their passwords.

To prevent this, it is important to educate your employees. This can be done by implementing an information security policy and conducting training sessions. The information security policy should provide best practises and guidelines for employees. For instance, it should require employees to not share their personal information with anyone.

In the case of a breach, your information security policy should provide guidelines on what employees should do. New employees should be made aware of the information security policy and how to comply with it through training sessions.

Conclusion

It is essential for businesses, particularly SMEs that are growing, to secure their customer data. A breach can result in severe financial loss and irreparable reputation damage. Fortunately, you can take some measures to protect your information as your business expands. You can encrypt your data, limit remote access and data access, educate your employees, and monitor data for insider attacks.

CyberSmart partners with businesses to help them protect themselves from 80% of attacks. We provide automated compliance services that ensure businesses follow best practises for security. Feel free to reach out to us if you would like to learn more about how to secure your customer data.

Cyber attacks have grown significantly in number over the years. Among these attacks, small businesses and startups are the most common targets. Factors such as the lack of access control or absence of an information security policy make businesses vulnerable to breaches.

It has become essential for SMEs to remain vigilant. As a business owner, you need precautionary steps to protect yourself against cyber attacks.

In this article, we guide you on how you can protect your business from cyber attacks, free of cost.

Develop a strong information security policy

The first step towards protecting your company from cyber attacks is to develop a strong security policy. Such a policy should consist of rules and guidelines that cover all aspects of the company’s cybersecurity. It is not important to just create an information security policy, but to enforce it as well.

In the 2016 cyber security intelligence index, IBM found that 60% of their cyber breaches involved employees. Even though most of these had wrong intentions, more than one-fourth of these incidents happened mistakenly, when the employees opened spam pop-ups, emails, or links.

This is the reason it is important to make sure that employees are aware of the information security policy. Documenting a formal security policy with detailed guidelines is the best way to keep your employees aware.

For instance, a clause found in most security policies is to make sure that strong passwords are used. For making the employees aware, you can document and pass out requirements such as passwords should be a minimum of 8 characters in length with special characters.

Similarly, a strong information security policy should have rules to minimise risk from the use of personal email, public Wi-Fi, third-party software, and external URLs and links.

Make use of encryption

All data that is saved on a company’s server or the cloud should be encrypted. The encryption of data ensures that even if data is breached, it cannot be used for malicious purposes.

Basically, encryption converts the data into an unreadable format until a specific key is provided to access the data. You can use a software or hire a third-party vendor for this purpose.

Businesses store confidential information about employees and customers such as their credit card information and national insurance number.

It is essential that you protect this information from getting breached in the first place. However, as a fail-safe, encryption should be used to prevent hackers from accessing the information.

Control access to restricted information

A simple rule of thumb for businesses should be: all information should not be available to everyone. This is because it makes your business more vulnerable. The more accessible your information, the higher the number of possible entry points for the hackers.

Sensitive data such as employee or customer information should be accessible by certain people only. This is known as access control. With access control, there are fewer chances of access by an unauthorised person.

This is an important step for securing your company from cyber attacks. You can implement access control by simply defining user roles and establishing user types within the system.

Once access control has been implemented, you should conduct a session to inform employees about compliance with the rules. For instance, you should tell them what kind of access is unauthorised, and who is allowed access to what data.

Update software and operating systems

A common entry point for hackers is by making use of known exploits in software and operating systems. Therefore, the developers of such software provide regular updates and patches to fix known exploits.

Cybersecurity is not concerned with the use of high-end premium software, but rather how updated your software is. It is best practice to always keep your software and operating systems updated. Schedule your systems to auto-update whenever a security patch or update comes out to minimise vulnerabilities.

Conclusion

With cybercrimes on the rise, businesses are now in an urgency to protect themselves. You can improve your business’ cybersecurity by following the strategies that we have outlined above.

Even if you cannot spend considerably on cybersecurity, these free ways will help you protect your business from cyber attacks.

CyberSmart knows the importance of protecting yourself against breaches. If you are looking for more information on the strategies above, or would like to learn about how to protect, contact us to get in touch with a professional from our team. We will help you strengthen your defenses without having to empty your wallet.

Small and medium sized companies are putting a third (32%) of their revenue at risk because they are falling for some of the common misconceptions around cyber security, leaving them vulnerable to losing valuable data and suffering both financial and reputational damage.

Organisations in any industry face this risk. Due to the capability and sophistication of attackers securing personal data will always be in development. There is still reasons to make it as hard as possible and not be victim to the most basic attacks.

We’ve written a list of the most common reasons organisations get hacked and how you can avoid them.

Difficult to visualise the impact of risk mitigation

Businesses are always looking to increase their growth rate. At early stages, startups tend to spend a high percentage of their time in building innovative features & investing in user acquisition. This usually leaves behind little to no budget for investing on other things such as cybersecurity. Similarly, enterprises need to meet revenue goals for each quarter to maintain their stock prices.

It is often difficult to convince such startups and revenue-driven companies to invest their money in projects that do not directly contribute to an increase in revenue. Planning ahead will save you money in the long term, and cybersecurity is something you should insure your organisation with sooner, rather than later. Pro-active defense rather than reacting to a breach.

It is difficult to quantify how much damage such a breach can cause. In some cases, it can be something trivial that doesn’t require public disclosure (still reported to the ICO). Whereas in other cases, it could permanently damage an organisation’s reputation.

Lack of incentives

Attempting to hack systems is inexpensive. Yet, a successful hack can lead to huge profits for hackers through extortion and theft. The payoff of a successful hack against the relatively little investment is an incentive for hackers.

On the other hand, when businesses take measures towards cybersecurity, there is little incentive to look forward to. From a day-to-day’, high street business perspective, it is not perceived a valuable incentive. Even though the benefits of implementing cybersecurity measures far outweigh the losses.

When your organisation takes out an insurance, you pay your premiums upfront before benefiting from the protected losses in an unplanned event such as a fire or break-in. The same attitude should be considered when protecting your business with cybersecurity, you will be grateful for having put in protections earlier rather than once you’ve been hacked.

Indeed, the motivation for hackers is far greater than the motivation of businesses to protect against them. Think long term, and think about the headache you will prevent from having to deal with a critical situation.

Inadequate training of employees

For the most part, technology can keep its own attackers out. However, it is often the technology users that unknowingly allow hackers and malicious software in.  We have seen that on most occasions, computers are not the points of failure, but instead it is the people who are targeted in social engineering attacks. These attacks are used in a variety of ways to trick employees into providing their sensitive information. For instance, hackers might impersonate officials or large companies/orgs via email, SMS or phone calls. Commonly known as phishing, SmSishing & vishing.

Even if a business has covered cybersecurity from a technological perspective, there is more to be done. Social engineering attacks, can be easily prevented by holding regular training sessions for employees on information security. Emphasising a culture which provides an adequate reporting process without inducing fear on staff job security. Educating employees is one of the best tools to protect your business’ cybersecurity.

Absence of an information security policy

Cybersecurity is not just about intrusion detection and prevention. A key part of it is about ensuring that preventive measures are in place to reduce the risks of intrusion in the first place. This human element is one part of cybersecurity that most often gets ignored.

Any organisation that wants to strengthen its cybersecurity needs a detailed set of guidelines that address these ‘humanistic’ issues. This is where it is important to have an information security policy in place. A well-written information security policy addresses subjects such as password protection, software updates, and access to web content.

It is important to mention that an information security should be documented in a manner that is easy to understand for employees. It is one thing to create a security policy, but the key is to actually implement it within an organisation.

Conclusion

Most businesses feel that cybersecurity is an overhead cost to their operations. It is not until these organisations suffer significant losses to breaches that they realise how important cybersecurity is. With the rise in cyberattacks over the last few years, it is now time for businesses to all sizes to start taking cybersecurity seriously.

CyberSmart provides cost-effective cybersecurity compliance that help businesses protect themselves. If you would like to discuss further on the importance of cybersecurity for your business, feel free to reach out to us.

Keeping computer systems protected against viruses and other forms of malware is one of the first steps towards cybersecurity for an organisation. This is one of the five key requirements of the Cyber Essentials scheme that organisations need to fulfil. The most effective strategy for meeting this requirement is to make use of an antivirus product that can keep unwanted malicious content and programs away.

However, with a wide variety of antivirus products available out there, it can be difficult to choose the best one for your organisation. When choosing an antivirus solution, organisations need to keep a number of factors in mind including the pricing, features, and platforms it supports.

To assist you in making the right decision, we have listed the top 10 antivirus products that you can use when preparing for a Cyber Essentials certification.

1.      Trend Micro Worry Free Advanced

Trend Micro provides comprehensive protection against malware and viruses in the form of its Worry-Free Business Security Advanced antivirus solution. It covers all the basics antivirus features such as real-time scans and scheduled scans and comes with advanced features such as anti-spam, web content filtering, ransomware shield mobile device management, and email security. Additionally, the antivirus software can detect malicious activity through USB ports and external devices to provide security against physical breaches as well.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

2.      Panda Endpoint Protection Plus

The Panda Endpoint Protection Plus is highly rated as one of the best enterprise antivirus products because of its advanced features and budget-friendly price. The antivirus suite comes with a well-designed management console that enables you to monitor systems in real-time. It can protect your systems against basic as well as advanced threats such as malware, spam, malicious web content, and viruses. Even though this antivirus product can sometimes slow down your computer systems, it is a choice worth considering, particularly for small businesses.

Platforms it is available on: Android, Microsoft Windows, macOS, Linux.

3.      Norton Small Business

Norton Small Business provides tailored features to small enterprises, although the protection remains the same as the ones used by large organisations. Other than providing all the basic features for protection, Norton’s Small Business antivirus product provides protection across different devices with a single license. You need a single program to protect both remote and in-office systems and manage them over the cloud. Overall, it is a good value option with a simple installation and configuration process.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

4.      Kaspersky Small Office Security 5.0

An effective and user-friendly antivirus software that you can use to keep your systems protected is Kaspersky Small Office Security 5.0. According to independent testers, it blocks more than 99% of malware and associated hacking attacks. The features include real-time protection, anti-spam, content filtering, and firewall. The firewall is a welcome feature that can prevent unauthorised access to your data, along with strict control of your browsers that disallow access to malicious web content.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

5.      Bitdefender GravityZone Business Security

Bitdefender’s GravityZone Business Security is a good option to consider if you want a high level of protection against malware threats across devices. Even though the installation and setup process of this product is quite lengthy, the antivirus software is quite simple to use once you pass those stages. The features include real-time protection, URL filtering, firewall, anti-malware, and web advisor among others. However, unlike most other antivirus products on this list, Bitdefender does not provide device location services for finding lost devices with this solution.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

6.      Sophos Endpoint Protection

The Sophos Endpoint Protection antivirus is suitable if you are looking for basic protection at a low-cost. Even though it is not as good as the other antivirus products in this list in terms of usability, it does a fair job in keeping away malware and viruses. The plus point is that it is much cheaper than other solutions so it can be a suitable choice for SMEs. The Sophos Endpoint Protection Advanced provides advanced protection feature such as blocking suspicious URLs and monitoring user behaviour to detect threats.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

7.      ESET Endpoint Security

ESET Endpoint Security is a great all-in-one antivirus solution that provides you with protection against all kinds of malware including trojans, viruses, and ransomware. Like Bitdefender, the ESET can be difficult to install and configure but once everything has been set up it works perfectly in protecting the devices within your organisation. Other than its good overall performance, its adjustable pricing policy makes it an option worth considering for SMEs.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS, Linux.

8.      McAfee Endpoint Security

McAfee Endpoint Security is a cloud-based antivirus product that helps you secure and protects all internet-enabled devices within your organisation. It provides a variety of features that help in preventing, detecting, and eliminating malware from computer systems. The excellent customer support provided via multiple channels (email, live chat, and phone) make this a good choice for an antivirus solution.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

9.      Symantec Endpoint Protection

Symantec is a renowned company in the cybersecurity industry, particularly because of its feature-rich product. The Symantec Endpoint Protection Business is widely appreciated because of its high-performance and functionality. It provides a range of advanced protection features including intrusion prevention, firewall, behaviour monitoring, multi-level security policies, remote data management, and device location.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS, Linux.

10. Avast Business Antivirus Pro

Avast Business Antivirus Pro is a reliable antivirus product that comes with a range of malware protection features. The antivirus software provides advanced protection features including browser protection, firewall, anti-spam, remote control options, email protection, and basic antivirus. It provides protection against third-party software installation by providing sandboxing that enables you to run applications in a ‘secured’ environment.

Platforms it is available on: Android, iOS, Microsoft Windows, macOS.

Conclusion

Regardless of how small or large an organisation is, one of the key steps that it can take to protect itself against cyberattacks is to use an effective antivirus solution. This is a major requirement that organisations must meet in order to be compliant with Cyber Essentials.

CyberSmart is an automated compliance service that helps organisations simplify the process of getting certified with leading standards such as Cyber Essentials. If you have any questions about which antivirus product you should choose for your business, get in touch with our experts right away.

A Subject Access Request (SAR) is the Right of Access allowing an individual to obtain records to their personal information, held by an organisation. GDPR, which became applicable in May 2018, provides individuals with the right of access to information.

It is essential that your organisation is aware of the basics of SARs and can handle them effectively to avoid large fines. In this blog post, we provide a six-step practical guide on how you can deal with subject access requests under the GDPR in 2023.

1. Recognise the request

The first step to responding to a SAR is to identify it. The GDPR does not specify how an individual can make a valid request for information. A subject access request can be written or verbal, and it can be made to any part of your organisation including social media.

Therefore, it is best to assume that if an individual asks you for their personal data, regardless of the channel or mode of communication, it constitutes a valid subject access request under the GDPR. It is advised that basic training on the GDPR should be provided to all staff members and managers within an organisation.

Your employees should be able to recognise a SAR and pass it on to the relevant focal person who can handle the request.

2. Understand the time limitations

The GDPR requires you to respond to a SAR within one month i.e. 30 days of its receipt. You must get back to the individual with the requested information without undue delay.

However, you can extend this time period to up to three months if the request is complex, or if the same individual has made a high number of requests. In this case, you must inform the individual that you need more time within one month of the request to avoid any legal issues.

3. Dealing with fees and excessive requests

You cannot charge a fee for providing information to individuals in response to a subject access request. However, there is one exception to this rule. If you receive a SAR that is ‘manifestly unfounded or excessive’, you can charge a reasonable fee to deal with the request or refuse to provide information at all.

There is still some speculation over what requests can be considered manifestly unfounded or excessive and therefore, it is advised that you take caution when refusing a SAR. Similarly, there is no certain threshold for the reasonable fee that you can charge. The ICO guidance suggests that it must be charged on the basis of the administrative costs associated with the retrieval of the requested information.

To be on a safer side, it is best not to charge a fee or refuse a SAR at all. But, if you choose to refuse to deal with a repetitive SAR then you should inform the individual within one month of the receipt of the request with the reasons for refusal.

4. Identify, search, and gather the requested data

The most time-consuming and labour-intensive part of responding to a subject access request is gathering the requested data. If an individual makes a broad request for access to all their personal data, then it can take weeks to identify and search for the information.

Personal data is defined as any information relating to an identifiable natural person under the GDPR. This broad definition makes it difficult to identify the information that you need to provide.

The ICO states that if an organisation processes a large amount of personal information, then it should ask individuals to clarify their request for information. Therefore, a good approach is to ask for additional parameters or specific pieces of information that individuals need from the SAR. However, it is important to understand that you will need to comply with the SAR even if the individual refuses to provide additional parameters.

It is advised that organisations should allocate someone to be in charge of coordinating the process of gathering requested personal data. Document management providers can help you carry out effective searches for data using the right date range and keywords. Even though these services can increase costs, it ensures that your organisation can comply with the information needs of a SAR in time and correctly.

5. Learn about what information to withhold

A challenging aspect of responding to a SAR is to decide what information to withhold from the requester. After you have gathered all the requested information, the next step is to filter out the information that you can legally hold back.

One particular concern is to ensure that when responding to a SAR, you should not disclose the personal data of other individuals. The Data Protection Act (DPA) 2018 states that you should not comply with a SAR if it would require you to disclose information about another identifiable individual.

The exceptions are when the other individual has given their consent to the disclosure, or the organisation finds it reasonable to comply with the request without the consent of the individual. When deciding whether you disclose the information about the third party, you should balance the GDPR’s right of access against the third party’s rights.

Other than this, Section 45(4) of the DPA 2018 specifies special cases when you can withhold personal data of an individual. These include cases when non-disclosure leads to obstruction in an official or legal enquiry, or protection of public or national security.

Therefore, you should be careful about the information that you provide when complying with a subject access request. It is important to understand what information you can withhold to prevent a breach of other’s privacy or to support the public or national interest.

6. Developing and sending a response

Once you have all everything you need for the subject access request, the last step is to develop and send a response to the individual. Organisations need to provide the following information to the requester:

• Legal basis for and purpose of processing the personal data of the individual.
• Third-parties to whom the personal data has been disclosed.
• Existence of the requester’s rights to the information including the erasure of the personal data and restriction of the processing of the personal data.
• Expected period for which the personal data will be stored.
• Categories of personal data.
• Information about the origin of the personal data.

Most organisations will have provided much of the information above in their privacy policy already and so can reuse it from there.

For sending out the response in 2023, the GDPR requires that you provide the information in a concise, intelligible, transparent, and easily accessible form that is understandable by the individual. Secure online portals or encrypted email are recommended ways to deliver the response securely and efficiently.

Conclusion

Understanding how to deal with a subject access request is an important part of complying with the GDPR in 2023. We have outlined a step-by-step process that you can use to comply with a GDPR subject access request from individuals.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

A major challenge for startups is figuring out how to invest in cybersecurity.

Despite the financial constraints, it is essential for startups to keep their online security in check, because the consequences are frightening. Statistics show that about 50% of all cyber attacks target small businesses and startups. Often, this is because of a lack of written internal policies.

Without a security policy, there is no reference for what needs to be done when a security threat arises within your startup. An information security policy can be complicated and often expensive to develop, but it is a fundamental component of cybersecurity.

In this article, we present a free information security policy guide for startups.

What should the information security policy cover?

There is no single approach to developing an information security policy that fits all organisations. Despite this, there are certain aspects that every security policy for startups should cover:

• The security requirements that are going to be met, compulsory ones like GDPR and then either Cyber Essentials, ISO 27001, or the IASME Governance framework.
• Who is responsible for information security tasks? It can be an internal security expert or a third-party supplier..
• The startup’s long-term commitment to cybersecurity including what they aim to achieve through the introduction of the policy.

What should be included in the information security policy?

Even though there is no fixed format for an information security policy, given below are some key questions that you should consider when framing your security policy.

• Who is responsible for your startup’s security?
• What are your security objectives?
• How are security incidents reported and managed? How can you learn from them?
• What type of information do you handle? Does it involve customer information?
• What ways can you use to protect different types of information?
• How do you measure risks?
• How should internet, email, and other communication channels be managed to minimise risks?
• What training and awareness do the employees need?
• What responsibilities should be given to employees for securing information?

Areas to cover in an information security policy

There are five general subject areas that should be addressed in an information security policy for startups:

1. Security measures: Guidelines for virus protection, passwords, confidentiality of data, and levels of access to information.
2. Disaster recovery: Instructions on how to recover from a disaster such as a data breach. Methods of data backup, including how often they should be made, should also be included.
3. Standards for technology: Details about the types of hardware, software, and other digital systems that can be purchased by the startup. This area will also cover a list of trusted partners or vendors from where systems are to be bought.
4. Acceptable use of technology: How should technology such as smartphones, desktop computers, email, and the Internet be used. What are the results of misuse and how can security be improved by limiting access to such technology.
5. IT services: Information about who will be responsible for providing technical support to employees. Often, this is a member of the IT team, but can be an external partner as well. Guidelines regarding planning, installation, and maintenance of computer systems should also be covered in this area.

Conclusion

Startups are at a constant risk of cyber threats, particularly because of a lack of an effective information security policy. It is important to not only have a security policy in place, but to make sure that it addresses the specific needs of your startup and employees. If you have not developed an information security policy yet, you should consider doing so right away to minimise loss.

CyberSmart recognises the budget and time constraints that most startups have when developing their information security policy. By subscribing to one of our plans you will get access to our free policy packs, sign up today for access. We look forward to assisting you in designing a cost-effective information security policy for fortifying your startup’s security.