Key takeaways from the CyberSmart SME cost of living crisis report

The current economic climate has seen better days, but how are the UK’s small businesses weathering the storm? At CyberSmart, we’re curious about how the cost of living crisis has impacted cybersecurity and people in small businesses. 

We tasked Censuswide with surveying 1,000 UK SMEs to find out how they’re coping. The result is our ‘SME cost of living crisis report’. It explores:

  • How confident businesses are about weathering the economic storm
  • The financial limitations impacting businesses
  • The impact on employees
  • The key impacts on cybersecurity
  • The state of cybersecurity investments 
  • How SMEs can approach cybersecurity in the cost of living crisis

Despite economic conditions, cybersecurity in your business doesn’t need to be all doom and gloom. Our report gives you the knowledge and understanding of the current climate to proactively protect your business. To help you, here are our key takeaways from the report. 

Want to read the report in full? Get your copy here.

1. Cost-conscious businesses are looking for value

Small businesses must be cost-conscious. Careful budgeting and knowing when to invest are key to survival. And this means many small business leaders won’t invest in cybersecurity unless they know the payoff is worthwhile.

Understanding the benefits of strong cybersecurity is key in these conditions. Without a good level of understanding, decision-makers will overlook its importance.

2. Economic uncertainty raises threat levels 

Even though businesses are overlooking the importance of cybersecurity, nearly half of UK SMEs (47%) believe they’re at greater risk of a cyberattack since the onset of the cost of living crisis. 

Economic uncertainty has led to mistrust, too. 38% of leaders are worried about malicious insider threats from employees, while 32% blame higher rates of supply chain fraud. It seems that mistrust comes from inside and outside.

This is why increasing cybersecurity protocols and governance offers real business value. It provides much-needed reassurance that business data is safe, no matter where threats come from.

3. The employee skill gap is causing mistrust

Your employees are a line of defence when it comes to cybersecurity. But you must equip them with the tools and knowledge to counter potential attacks. 

80% of respondents said that their employees do not fully understand why it is important to keep confidential information secure. And this lack of cybersecurity knowledge is the leading reason for mistrust.

The cybersecurity skills gap is a prominent source of uncertainty. Of the 620 SME leaders who claimed to trust their employees, 25% still believe that staff pose the greatest security risk.

4. SMEs are missing important cybersecurity policies

We noticed that a lack of trust in employees, their cybersecurity knowledge, and no clear internal policies have an underlying impact on small businesses, so we did some digging.

Only 54% of SMEs have clear policies and procedures for sharing information and gaining access to confidential information. This means that just under half of SMEs don’t have these important cybersecurity policies at all.

It’s not surprising that leaders demonstrate a lack of trust in their employees, especially when there’s no guidance for the employees in the first place. Here, cybersecurity concerns form a vicious circle: a gap in employee knowledge is compounded by a lack of policies.

5. Basic measures can help to protect businesses

The report reveals that fixing basic, underlying issues can help alleviate the cybersecurity concerns as a result of the cost of living crisis. These issues are:

  • Lack of employee cybersecurity training, and the resulting lack of cyber confidence
  • Missing cybersecurity policies, or too few policies 
  • Misunderstanding of the value of cybersecurity tools 

Luckily, investing in cybersecurity doesn’t have to cost the earth. Instead, SMEs must be smart about their investments and increase cyber confidence for their employees.

Our report takes an in-depth look at these issues and the steps SMEs can take to fix them. These steps can help increase cyber confidence in your business and protect against cybersecurity threats.

Cyber confidence is key in the cost of living crisis

Uncertain economic conditions can make even the most stable business leaders feel on edge. Improving cybersecurity governance can help decision-makers protect their business and provide much-needed reassurance that their cybersecurity is under control. 

Read our report today to learn more about the current concerns of SMEs in the cost of living crisis, and how to mitigate cybersecurity threats.

New: CyberSmart’s SME cost of living crisis report

At CyberSmart, we recognise that the cost of living crisis not only affects our personal lives, but the way small and medium businesses (SMEs) manage their priorities, too. 

Uncertainty is never the best feeling for any business leader. A dampened economic outlook can result in SMEs becoming more cost-conscious and less growth-minded. And we’re concerned about the impact on cybersecurity. 

That’s why our latest insight, the SME cost of living crisis report, explores its impact on SMEs, leadership, the workforce, and business cybersecurity.

What’s in the report?

We tasked Censuswide with surveying 1,000 UK SMEs to reveal the current state of the cybersecurity landscape for SMEs. 

The report is full of helpful statistics, figures, and insights that reveal the behaviours of decision-makers during the cost of living crisis.

In the report, you’ll learn about:

  • What’s driving decision-making in the cost of living crisis?
  • The impact on cybersecurity investments 
  • Leadership behaviours and mistrust of employees
  • Cybersecurity policy and governance factors
  • How should SMEs approach cybersecurity in the cost of living crisis?

Discover CyberSmart’s SME cost of living crisis report. Learn more about the impact on cybersecurity, people, and more. Read it today.

Discover key insights about the cybersecurity landscape

At CyberSmart, we work to make cybersecurity simple and accessible to everyone. We aim to provide every business, no matter how small, the tools to protect themselves against cybersecurity threats easily and effectively.

That’s why we’ve incorporated our expert insight into the report, too. We deep-dive into the reasoning behind the report’s findings to support the facts and figures. This provides you with a better understanding of the current SME cybersecurity landscape. 

For example, the report reveals that nearly half of UK SMEs (47%) believe they’re at greater risk of a cyberattack since the onset of the cost of living crisis. Why? External threats, insider threats, employee mistrust, and employee negligence are all driving this belief, and we explore this in the report. Read it for free today to get the latest insights into SME cybersecurity during the cost of living crisis.

Is Cyber Essentials Plus right for my business?

Are you considering Cyber Essentials Plus, but unsure whether it’s right for your business? To help you decide, we’ve pulled together a quick summary of how the government-backed certification works, and why it could be the next step for your business. Read on to find out more.

What is Cyber Essentials Plus?

Cyber Essentials Plus follows the same simple approach and offers the same benefits as Cyber Essentials. However, it differs in one key aspect: Cyber Essentials Plus includes a technical audit of your systems. The controls are the same; the audit simply verifies that they are in place and properly configured.

The audit process takes a little more effort than the standard certification, but it’s worth it for the peace of mind that your security is up to standard.

When should you consider Cyber Essentials Plus?

The truth is, any business looking to improve its security could benefit from Cyber Essentials Plus. However, there are a few scenarios in which we’d recommend Cyber Essentials Plus.

Confused about certification? Read our free guide for everything you need to know.

1. You want a thorough assessment of your cybersecurity credentials 

Cyber Essentials is a great first step for any small business that wants to up its cybersecurity game. Nevertheless, the standard Cyber Essentials certification is self-assessed. This means that while you’ll have to comply with the security controls it lays out to pass, you won’t benefit from an independent assessment.

Cyber Essentials Plus, on the other hand, features a visit (either in person or remotely) from an independent auditor. So you’ll gain the peace of mind that your security credentials are up to scratch.

2. You want to work with high-value customers 

It’s a general rule of thumb that the more prestigious the clients you work with, the more stringent their security requirements. Cyber Essentials Plus can help demonstrate to potential customers with high expectations that you take data protection and cybersecurity seriously. And it could help you steal a march on competitors.

3. You’re a public-facing business 

Any business that directly interacts with the public should make cybersecurity a top priority. If your business stores personal data, whether that’s contact details or financial information, it’s part of your duty of care to protect it.

Investing in Cyber Essentials Plus will not only help you put in place the measures needed to better protect your organisation, but it also demonstrates to customers that you take security – and their personal data – seriously. 

4. You work in a sector that requires higher-than-standard security

Some industries are more at risk from cyberattacks than others. For example, manufacturing firms were the victims in almost a quarter (24.9%) of all breaches globally in 2022, closely followed by finance and insurance with nearly a fifth (18.9%).

If your business works in a high-risk sector, it’s natural that you need better protection. Again, the standard certification is a great stepping stone, but the extra assessment and validation provided by Cyber Essentials Plus is key if you’re more likely to be targeted. 

What’s more, many businesses working in high-risk industries will require partners and suppliers to demonstrate better-than-basic credentials, and Cyber Essentials Plus fulfils this function.

5. You want to access government funding or bid for tenders

Although Cyber Essentials Plus isn’t mandatory for all government funding and contracts yet, there are plenty of scenarios where you’ll need it. For instance, schools and colleges hoping to secure ESFA Education and Skills contracts are required to have passed Cyber Essentials and be working towards Cyber Essentials Plus.

Likewise, many healthcare and defence tenders mandate that applicants have, at least, the standard certification in place, if not Cyber Essentials Plus. There’s even a case to be made for investing in Cyber Essentials Plus when the contract doesn’t require it. In a competitive tendering process, being able to demonstrate you have better security bona fides than your rivals could help tip the balance in your favour.

Still unsure about which cybersecurity certification is right for your business? Check out our guide to UK certifications for everything you need to know. 

Why cybercrime increases during a recession

The economy has taken a battering in recent times, and there’s much talk about the so-called ‘cost-of-living crisis’ we’re now experiencing. Whether there’s a full-blown recession ahead, or not, it looks like the economic outlook won’t improve any time soon. And experts agree this will spark a surge in cyberattacks. So, let’s take a look at why cybercrime increases with the looming threat of recession.

Why we can expect cybercrime to increase

The word among industry analysts is that the ongoing economic downturn will result in a significant rise in cyberattacks. Cybercriminals are already exploiting the financial situation, with an increase in social engineering attacks such as phishing emails offering rebates on energy bills to target vulnerable individuals and businesses. And, by all accounts, we can expect a great deal more of the same to come, as a distinct correlation exists between an uptick in cyberattacks and economic uncertainty.

Data shows that some types of cyberattacks are already rising considerably. According to Kaspersky Lab, the percentage of users affected by targeted ransomware doubled in the first 10 months of 2022. Phishing attacks also increased by 61% in 2022, according to the 2022 State of Phishing report from SlashNext. And, the Anti-Phishing Working Group (APWG) reported that there were a total of three million phishing attacks in the third quarter of the year – amounting to the worst quarter it had ever seen. 

Considering cyber insurance for your business? Check out our new guide for everything you need to know.

What role do businesses play? 

There are many reasons why cybercrime is increasing amid the current economic uncertainty. But most importantly, businesses are having to make difficult decisions to rein in costs. This is completely understandable in the climate. After all, we’re all trying to keep our heads above water, but this could have a direct effect on businesses’ online safety.

Although it’s ill-advised to reduce cybersecurity budgets, many business leaders underestimate the value of cybersecurity. The situation isn’t helped by the perceptions of cybersecurity within organisations. IT leaders can often find it difficult to justify spending on cybersecurity, which doesn’t often deliver visible benefits in the way other OPEX spending does. Think about it: you’re unlikely to hear much about your business’s cybersecurity unless something goes wrong.

The result is often cuts in places they shouldn’t happen. Consequently, such companies are at higher risk of falling foul of cyberattacks.

Businesses may also decide to cut spending by letting staff go or not replacing those that leave. And this can also impact a company’s resilience to cybercrime. Cutting IT staff may mean you have fewer people to provide the necessary protection. 

This also increases the pressure on your remaining staff, which can lead to mistakes and oversights that weaken your defences further. For example, if they receive a phishing email they’re more likely to make an error of judgement and click on a link that could download malware into your network.

Cybercriminals aren’t immune to economic instability

If you’re still wondering why cybercrime is increasing, well, a recession hits cybercriminals as well as their victims. So, this can be a strong motivating factor for the bad guys to redouble their efforts and make more money. The hard fact is that a recession, or economic downturn, incentivises cybercriminals to invent new types of threats. This was demonstrated during the recession of 2008 when the FBI reported a 22.3% increase in online crime. 

More recently, a crisis of a different sort, the pandemic, sparked a similar surge in cybercrime. And there’s no reason to think the current hardships won’t create a similar spike. Companies will continue to lay off employees in the months ahead, and some may be tempted into cybercrime to make ends meet. Disgruntled employees who’ve been fired could also launch damaging attacks on businesses that have let them go, especially if they still have access to sensitive data.

Another repercussion of the recession is a possible rise in insider attacks from employees who are feeling the pinch. This is particularly likely in businesses that have been forced to freeze salaries. Cybercriminals can specifically target possible insiders to help with data breaches or cyberattacks, using social media and offering bribes. 

Fighting back on a budget

Cybersecurity isn’t a nice to have, it’s business critical. And this is never truer than in times of economic crisis. 

Small and medium-sized businesses often underestimate the danger they’re in. This is partly due to the perception that only large corporates are targets. However, the truth is that cybercriminals don’t discriminate and the effects can be devastating. In fact, research has found that 43% of all data breaches involve small businesses.

However, you don’t need expensive tools, expert consultants, or an in-house technical team to protect your business from cyber threats. It’s perfectly possible to build good defences on a sensible budget. Tools like CyberSmart Active Protect offer everything you need to get your cybersecurity in order, without huge investment.

Active Protect secures all employee devices that touch your company data. Just send a downloadable link to staff, and Active Protect will check around the clock for the most common cyber threats and vulnerabilities. It also includes our training academy, which gives your employees the basic cyber skills to better protect themselves and your business.

Want to know more? Then check out our guide to cybersecurity on a budget.

The top cybersecurity trends of 2020: how did we do?

The leaves have well and truly fallen, it’s bitterly cold, and Christmas is just around the corner. This can mean only one thing. It’s that very special time of year when every business releases a ‘things to look out for’ or ‘top ten trends’ post for the year ahead – cue jokes about identikit blog posts.

So, we thought we would do something a little different this year. Rather than repeat last year’s guide to cybersecurity trends for SMEs, we thought we’d look back at how we did. Where were we right on the money? And what are we eating a hefty portion of festive humble pie over?

Of course, the elephant in the room is the COVID-19 pandemic, an event virtually no one predicted. And its effects will keep cropping up throughout this blog. 

1. Increased use of AI to launch and defend against attacks

First up, AI. Back in January, we discussed the likelihood of cybercriminals increasing their use of automated attacks in 2020. We cited cybersecurity and AI expert, Justin Fier of Darktrace who predicted “AI won’t just make attacks faster or smarter. We likely can’t even fathom the way that AI will transform attacks or be leveraged by malicious actors. What we do know is that with AI attacks on the horizon, AI defences will be critical as well.”

How we did

We’d like to think we were pretty spot on with this one. AI attacks continue to plague the nightmares of security professionals. A September 2020 study from Forrester found that 88% of security professionals expect AI-driven attacks will soon become mainstream.

What’s more, there were several high-profile attacks using AI in 2020. The spear-phishing (more on that later) attack on COVID-19 vaccine supply chains is thought to have been carried out using an AI. Meanwhile, both the Vancouver Metro system and the Argentine government suffered highly coordinated ransomware attacks, thought to be backed by an AI. 

While you don’t have to be Nostradamus to predict that attacks will increase as AI technology becomes more widely available, it’s clear that it has become a rapidly growing threat. So much so that Europol issued a warning earlier this year that cybercriminals now have both the expertise and tools to use AI regularly.

It’s in this environment that we’re continuing our research into using AI and machine learning for cybersecurity defences.

2. Spear phishing: phishing attacks get personal

Spear phishing is the practice of sending out highly targeted, personalised emails to company employees and executives in a specific business, rather than a generic attack sent to thousands of random email addresses. Once clicked, these emails infect the user’s computer or device with malware. 

We predicted this type of attack would become more common in 2020, as cybercriminals learned to target time-poor executives and undertrained employees. 

How we did 

While our instinct was good, we couldn’t have predicted just how prevalent spear-phishing attacks would become in 2020. There were many high-profile attacks, including Twitter, but most alarming was, of course, the attack on COVID-19 vaccine supply chains we mentioned earlier.

And there were plenty more breaches that didn’t make the front pages. According to a report from the Anti-Phishing Working Group, the average loss to organisations from business email compromise (or spear-phishing) attacks in the second quarter of 2020 was $80,183 (£59,353). Even more alarmingly, that figure represents a $54,000 (£39,972) increase on the first quarter of this year, almost perfectly mirroring the global switch to remote working due to the pandemic.

You can find out more about how to switch to remote working safely in our latest ebook.

3. Organisations are adopting more data encryption

At the beginning of 2020, we were confident this year would be encryption’s time to shine at last. We hoped that the tool would finally gain widespread adoption, helping businesses to shut down most cyberattacks before they start. And we based this prediction on the 2019 Global Encryption Trends Study which revealed its use grew from 41% to 47% of organisations last year. 

How we did 

Sadly, our hopes of encryption taking the business world by storm in 2020 proved unfounded. It’s not all bad. Adoption has increased: Entrust’s 2020 Global Encryption Trends Study lists 48% of businesses as having an encryption strategy ‘applied consistently across their enterprise’.

However, a 1% increase to 48% isn’t widespread adoption, nor is it nearly enough. Encryption is the simplest step a business can take towards protection from cyber threats. Improving the cyber health of our society depends on its adoption everywhere. Here’s hoping 2021 will be better.

Start 2021 right. Protect your business from 98.5% of security threats by getting Cyber Essentials certified.

4. Robotic Process Automation (RPA)

Of all the things on this list, Robotic Process Automation (RPA) is the one most likely to spark the imagination. So, was 2020 the year that businesses started automating in earnest and transferring tasks to our new robot masters?

How we did 

In short, no. RPA did continue to grow in popularity, with its market revenues projected to have surpassed $2.9 billion worldwide this year. And it will probably continue to do so – Grand View Research predicts a 40.6% annual growth rate in adoption between now and 2027.

However, the firms using RPA tend to be at the enterprise end of the scale. RPA is expensive and we’re a long way from it being affordable for smaller businesses. So, for the time being at least, the robots aren’t coming to an SME near you.

5. The next wave of GDPR fines is on its way 

2019 was the year that regulators began to really flex their muscles on GDPR, doling out fines to some of the world’s largest corporations. So, naturally, we expected 2020 to deliver more of the same.

How we did 

If anything, we underestimated this one. 2020 has been a bonanza of GDPR fines. First, Google was fined £44 million by French regulator CNIL for its breach of GDPR rules – by far the biggest fine we’ve seen yet. Then retailer H&M was hit with a £31.5 million fine by German regulators.

These were just the two highest-profile cases. Over 220 fines were handed out for GDPR violations in the first ten months of 2020, totalling more than £158 million. On top of this, July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced.

So it’s clear that 2020 has been the year that regulators across Europe rolled up their sleeves and got tough on GDPR. Despite this, only 20% of US, UK, and EU companies are fully GDPR compliant. And, with all the uncertainty surrounding GDPR and Brexit, we expect 2021 to continue in the same vein.  

6. Greater threats to cloud security 

The cloud is relatively old news by now, with most businesses moving away from using physical servers sometime in the last decade. However, knowledge of how to properly secure data in a cloud has lagged far behind adoption for a while now. So we predicted 2020 would be the year that hackers began to exploit the cloud’s vulnerabilities. 

How we did 

Although cloud data breaches have been a feature of the technology since its inception, 2020 will go down as the year that businesses became much more conscious of the risks. A report from Ermetic, published in July 2020, revealed that 80% of firms surveyed have suffered some form of cloud data breach in the previous 18 months. 

This is reflected in the number of high-profile breaches we’ve seen this year, with Marriott, MGM and video conferencing software Zoom all suffering data breaches.

7. 5G and IoT devices on the rise

Everyone in the tech sector has been predicting the rise of 5G and IoT devices for a long time now. Were you to delve deep into your internet history, we’re confident you’d find it on many end-of-year predictions lists as far back as 2016. With that in mind, was this the year that 5G finally arrived on the scene?

How we did 

Let’s tackle 5G first. Unlike previous years, 2020 really did see the rollout of 5G, at least partly. Despite the controversy and political power struggles caused by the UK deciding to ban Chinese firm Huawei, 5G networks are now available in some locations across the UK. We’re still a long way from a nationwide rollout and the technology comes with problems to be ironed out, but the first shoots of a 5G-backed nation are there and growing. 

As for IoT devices, they continued their inevitable march to ubiquity. Experts estimate that the number of active IoT devices installed in 2020 reached 31 billion. This represents an 8 billion rise from 2019 and many are predicting a similar increase in 2021.

8. The cybersecurity skills gap

The Department for Digital Culture, Media and Sport (DCMS) defines the cybersecurity skills gap as businesses ‘lacking staff with the technical, incident response and governance skills needed to manage their cybersecurity.’ And it’s been a growing problem in the UK and across much of the world ever since businesses began to move their operations online.

We thought that it would become one of the defining trends of 2020. Were we right? 

How we did 

The cybersecurity gap is hard to assess in a period as limited as one year. The situation certainly didn’t improve much in 2020 but it’s hard to say whether it got any worse. The UK government did at least try to promote jobs in the sector, even if the execution was crass and very poorly judged.

However, real change in this area is likely to take years, if not decades. So for the meantime, small businesses are best served by trying to find ways around the talent shortage. For more on that, check out our October blog on the subject.

10. Employee training for threat awareness

Last on our list, threat awareness training for employees. One of the biggest trends sweeping cybersecurity in the last few years has been a growing realisation that employees have an active role to play in keeping their workplaces safe. Let’s consider how that developed in 2020. 

How we did

Like a lot of things on this list, employee awareness has been heavily influenced by the COVID-19 pandemic. As many businesses were forced to work remotely, with employees using their own networks and devices to access company data, good cyber hygiene has become more important than ever. As a result, we’ve seen more and more businesses taking staff training seriously.

Meanwhile, we’ve been busy doing what we can to help. We’re all set to release a brand new set of interactive cybersecurity training modules, downloadable through the CyberSmart platform. It’s our hope this will help make 2021 a little more cyber secure than 2020.

All in all, we’re happy with our predictions for 2020. There was a lot we couldn’t have foreseen and some of the trends we predicted didn’t take off quite as expected. But, on the whole, 2020 saw some big steps towards increased cyber awareness and hygiene in the UK. Stay tuned for more of the same in 2021. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

BYOD and Cyber Essentials explained

You’ve probably heard the phrase BYOD before. ‘Bring Your Own Device’ has been the darling of business and technology journalists for much of the last decade. And BYOD really is more than just hot air and hyperbole. For SMEs, it has the potential to change the way we approach procurement and resourcing forever.

However, what you’re less likely to have read about, is its connection with the Cyber Essentials certification. So, if you’re considering taking the plunge and adopting a BYOD policy, read our short guide first. 

What is BYOD?

BYOD, or Bring Your Own Device, is simply giving employees the option to use their own devices for work. And this can mean everything from their own smartphones through to tablets and laptops. 

Why do businesses adopt BYOD?

Like most business decisions, the benefits of switching to BYOD are largely cost-based. As any SME founder will tell you between grimaces, procuring hardware for all your staff can be eye-wateringly expensive. So having employees use their own is an immediate boost to a business’s bottom line. A Cisco report into BYOD found that businesses using it saved on average $350 per person, per year.

But it’s not all about the money. BYOD also offers employees greater choice over the tools they use for work. Anyone who’s ever used an Apple laptop at home and a Windows machine at work (or vice versa) knows how annoying it can be to keep switching between operating systems. So why not let your people choose?

On top of this, BYOD can provide productivity benefits. The same Cisco study revealed that workers save an average of 81 minutes per week by using their own devices, or nine working days every year. And it can even improve employee wellbeing. In a study produced by Samsung, 78% said it helped them achieve a better work-life balance. 

What does it have to do with Cyber Essentials? 

So BYOD has many benefits and is becoming ever-more popular in the UK – 45% of UK businesses in 2018 had some form of BYOD plan. But what does this have to do with Cyber Essentials?

Well, it’s actually very simple. Any device being used for work purposes is likely to connect to business networks and access company data. This poses security risks.

As we discussed in our recent ebook on remote working, employees using their own devices to access company networks and data can present a host of problems. Personal devices will often have inferior security tools to business ones. Employees are less likely to follow strict security protocols on their own devices. And, there’s plenty of evidence to suggest that we all engage in riskier behaviour when using our personal laptops and phones.

All of this can expose your business to unnecessary risks. But it doesn’t mean you need to scrap your plans for BYOD.

Does Cyber Essentials cover BYOD? 

If a device is used to connect to the business network or access any business information, then it should be considered within the scope of Cyber Essentials. This includes doing some after-hours work on your home computer, accessing the company Google Drive, and even browsing work emails on your mobile. 


It’s all too easy to fall into the trap of considering personal devices some separate entity, entirely disconnected from work. But that just isn’t the reality of many of our working lives. In our ‘always-on’ culture the personal and professional have a habit of bleeding into each other, particularly in an era when many of us are working remotely. 

This means it’s vital you ensure that all devices used for work, whether personal or company-provided, follow the core tenets of Cyber Essentials. For example, ensuring security settings are switched on and up-to-date, anti-malware tools are installed, and apps are regularly updated. 

What if you don’t have a formal BYOD policy? 

Even if your business doesn’t have a formal BYOD policy, it’s still important you guard against the threat posed by personal devices. To illustrate, at CyberSmart we don’t have a formal BYOD policy, but we know many of our people use their phones to access emails and files. 

So to ensure we’re not giving cybercriminals a backdoor into the business, we ask that every employee installs CyberSmart Active Protect on any device they might access work from. The CyberSmart app constantly checks any device that it’s installed on is compliant with Cyber Essentials and flags any problems to both us and the user. This means that however our staff choose to work, we can be sure they’re doing it safely. 

BYOD has the potential to totally transform the way your business looks at procurement. But it also requires good cyber hygiene if it’s to be liberatory rather than a liability. So if you’re considering adopting BYOD, start by getting Cyber Essentials certified. 


How to keep your business (and people) safe this Black Friday


Black Friday is nearly upon us. Cue endless headlines about e-commerce retailers recording their ‘best day ever’ (since last year) and photographs of monstrous queues outside department stores.

In amongst the frenzy of articles titled things like ‘10 of the best deals on electricals this Black Friday,’ you’re also bound to find a few on safety: how to stay physically safe during the hustle and bustle, or how-tos for shopping securely online. 

However, what you won’t find is much guidance for small businesses. Black Friday brings with it a heightened risk of cyberattack, particularly in an environment when many SMEs are working remotely. So, to help you get your business through this year unscathed, we’ve put together a brief overview of the risks and some suggestions on how to avoid them. 

What cybersecurity risks does Black Friday present? 

Black Friday is a veritable all-you-can-eat buffet for cybercriminals. Millions of online shoppers, in a rush to grab that must-have deal, often means widespread carelessness on a scale that simply doesn’t happen any other day of the year – with the exception of China’s Singles’ Day.

Hackers look to exploit consumers temporarily taking leave of their better instincts in a number of ways. Let’s take a look at some of them.

Phishing scams 

Phishing scams are a year-round problem. We’ve all had a fake email from a major retailer that’s almost a carbon copy of the real thing but for the slightly misaligned logo, weird syntax or font that just doesn’t look quite right. 

However, during a major retail event like Black Friday, the chances of a successful scam go up. If you’re desperately trying to get a killer deal on a new TV and an email comes through telling you that your billing information needs updating, you’re much less likely to spot a fake. 

You’re probably in a bit of a rush, never the best frame of mind for considered judgements. What’s more, if you’re already shopping, a fake email claiming to relate to what you’re doing online might not set off the alarm bells it normally would. 

Old apps 

Again, this is a problem 365 days of the year. But a major retail event provides the perfect cover for cybercriminals to test out the vulnerabilities of popular software and applications for two reasons. One, technical teams’ attention tends to be focused on ensuring apps can handle the sudden surge in demand rather than security. And, two, because many consumers will suddenly be using apps they haven’t used or updated in months – giving cybercriminals an easy route in. 

Is your business considering switching to remote working permanently? Don’t make a decision before reading our new guide, Cyber Safety in a New Era of Work.

Fake websites 

Much like phishing scams, Black Friday usually comes hand-in-hand with a glut of fake websites claiming to sell this year’s must-haves at bargain-basement rates. Most of these sites are simply fronts for hackers to acquire data or launch attacks on unsuspecting consumers. 

Public networks

This is unlikely to be a problem at your workplace. But you’d be surprised how often people pop to the local coffee shop for lunch and log into an unsecured public WiFi network on a company device. And this is all the more likely on Black Friday as people check out the latest offers during their lunch hour. 

The problem is this gives cybercriminals an unbelievably simple way to hack into any unsecured devices on the network. Once in, they’ll be able to get to any company assets accessible from that device. 

Weak passwords 

We’re often banging the drum about the importance of strong passwords. And although it’s vital all the time, it’s particularly so during an event like Black Friday. With so much traffic on popular sites, it’s the perfect time for cybercriminals to try out large-scale brute-force attacks. 

How does this affect SMEs? 

You could be forgiven for wondering what the risks we’ve outlined have to do with your business. After all, aren’t they all related to consumers?

Unfortunately, that’s just the problem. We’re all consumers. And your business is made up of them. Whether it’s on their lunch break or in a spare 15 mins before meetings, it’s highly probable that at least some of your people are going to spend time buying or browsing this Black Friday. This could open up your business to some of the risks we’ve run through so far. 

If, like most companies, your staff are working from home, the risks are even higher. As research from ZDNet reveals, 52% of employees believe they can get away with riskier behaviour when working from home. This includes activities like browsing suspect websites and using public networks.

How can you protect your business? 

So what can you do about it? With Black Friday just a few days away, here are a few quick tips for keeping your business safe.

Educate your people

Most risky cyber behaviour stems more often from ignorance or carelessness than malicious intent. So educate your people about the risks we’ve covered in this piece. It doesn’t have to be more than a quick all-company email later this week.

Ensure everyone has the right security

Check that all corporate-owned or managed devices have the latest security capabilities correctly set up. With many people working from home, ensure the same practices you’d insist on in the office are being used everywhere. 

Practice good password hygiene

All your employees should be using complex passwords and two-factor authentication, as well as changing passwords regularly. So, set up a password policy with these requirements and ensure everyone follows it. 
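One way to turn the three requirements above (complex passwords, two-factor authentication, regular changes) into a check you can actually run is shown below. This is an added example, not CyberSmart's code or part of any product the page describes; the thresholds, the tiny denylist and the account records are constructed for illustration. The design point is that the complexity rules run at the moment a user sets a new password (the only time you have the plaintext), while the two-factor and age checks run as a periodic sweep over account metadata, so no stored password is ever needed.

```python
"""Password policy checks: at password-set time, plus a periodic account sweep.

Added example, not CyberSmart's code. Thresholds, denylist and the sample
accounts are constructed values for illustration only.
"""
from dataclasses import dataclass
from datetime import date
import string
from typing import List

# Assumed policy thresholds (illustrative, not taken from the page)
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3        # out of: lowercase, uppercase, digit, symbol
MAX_PASSWORD_AGE_DAYS = 90

# Constructed stand-in for a real breached/common-password denylist
COMMON_PASSWORDS = {"password", "password123", "blackfriday2020", "welcome1"}


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_new_password(pw: str) -> List[str]:
    """Run at password-change time; returns the policy rules the candidate breaks."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CHARACTER_CLASSES:
        violations.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if pw.lower() in COMMON_PASSWORDS:
        violations.append("on the common-password denylist")
    return violations


@dataclass
class Account:
    """Account metadata only: no password or hash is needed for the sweep."""
    username: str
    mfa_enabled: bool
    password_set_on: date


def sweep_accounts(accounts: List[Account], today: date) -> dict:
    """Periodic check of 2FA enrolment and password age; maps user -> violations."""
    report = {}
    for acct in accounts:
        violations = []
        if not acct.mfa_enabled:
            violations.append("two-factor authentication not enabled")
        age = (today - acct.password_set_on).days
        if age > MAX_PASSWORD_AGE_DAYS:
            violations.append(f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})")
        if violations:
            report[acct.username] = violations
    return report


# Constructed sample data: two accounts and a fixed "today"
ACCOUNTS = [
    Account("alice", mfa_enabled=True, password_set_on=date(2020, 10, 1)),
    Account("bob", mfa_enabled=False, password_set_on=date(2020, 6, 1)),
]
TODAY = date(2020, 11, 23)


def example_sweep() -> dict:
    """Run the sweep over the constructed accounts."""
    return sweep_accounts(ACCOUNTS, TODAY)


if __name__ == "__main__":
    for candidate in ("password123", "Tr0ub4dor&3!"):
        print(candidate, "->", check_new_password(candidate) or "accepted")
    for user, problems in example_sweep().items():
        print(user, "->", "; ".join(problems))
```

Wire `check_new_password` into whatever self-service password form your staff use, and run `sweep_accounts` on the same schedule as your other compliance checks; a user who appears in the sweep report with a missing second factor is the one to chase first, because that control protects the account even when the password is weak.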

Run the latest versions of all software

Ensure everyone is regularly installing updates and patches for the software on their devices. You can read more about the importance of patching and updates here.

Encourage staff to shop on personal devices

It might not sound like much, but limiting the number of sites your people visit using company devices can minimise the risk of attack. So by all means let your employees shop ‘til they drop, but keep it to personal devices. 

Secure your network gateways

It’s easy to forget about WiFi itself when thinking about cybersecurity, but it’s a crucial part of good cyber hygiene. Changing the default settings and passwords on home routers can help reduce the likelihood of staff being attacked and, in turn, reduce the risk of a breach for your business. 

‘Black Friday’ always sounds a bit like an economic disaster or tragedy. And, in cybersecurity terms, it certainly has the potential to cause problems. However, by following the guidance we’ve provided, you should have everything you need to ensure this year passes without a hitch. 

Want to know more about how to reduce the risks involved with remote working? Then download our new guide, Cyber Safety in a New Era of Work.


New guide: Cyber Safety in a New Era of Work


If you’re like most businesses, you’ve probably spent most of 2020 in a convoluted game of musical workspaces. January to March in the office. March to August at home. Back in the office for September and October. Then back home again for November.

Fortunately, it looks like the end is in sight. Several pharmaceutical companies are on the verge of creating an effective COVID-19 vaccine. However, even with the discovery of a vaccine, it’s unlikely our working environments will ever return completely to their pre-pandemic state. 

Many businesses, as well as their employees, have noted the benefits remote working can bring. And this is leading to an increasing number considering making the switch for good. However, if your business is thinking about adopting remote working full-time, or even just cutting the hours you spend in the office, there are a few things you need to know.

To help, our team of cybersecurity and compliance experts has created a new guide, Cyber Safety in a New Era of Work. In it, we tackle a few of the questions on everybody’s minds and show you how to make the transition to remote working safely. 

What’s in the guide? 

Our guide is broken down into three parts. First, we look at how we got here and what’s driving changes in the way we work, including the benefits of remote working. Then we look at the cybersecurity risks working from home presents for a small business.

Finally, we look at ways to overcome the challenges remote working brings. No CyberSmart guide would be complete without some simple steps small businesses can take to protect themselves. 

Download our new guide here or follow the link below.


CyberSmart nominated for 3 awards


Three really is the magic number for CyberSmart. We’re delighted to announce we’ve been nominated for three awards at the upcoming Network Group Awards 2020.

Who is Network Group?

Network Group is a member-owned organisation committed to transforming the customer experience and driving customer-led growth in the tech sector. It aims to do this by providing tech business leaders access to peer group support, development tools and new opportunities.

What are the awards for?

We’ve been nominated in three categories at this year’s awards: 

  • Specialist Vendor of the Year
  • Business Product of the Year
  • Biggest Impact New Partner

We’re especially pleased to have been nominated in the ‘Biggest Impact New Partner’ category. Firstly, because we’re up against some truly innovative businesses. And, secondly, because our goal is to make an impact globally. 

Cybercrime is projected to cost the world $6 trillion annually by 2021, and 58% of it targets small businesses. Meanwhile, businesses with the resources to weather continuous cyberattacks are gaining an unfair advantage over small businesses that don’t have them. We call this the ‘cybersecurity gap’. 

Our aim is to help SMEs all over the world bridge this gap, by improving their understanding of cybersecurity and giving them the tools to better protect themselves. So, to be recognised as making an impact, even at this early stage, is real motivation for 2021 and beyond. 

Are you a small business looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Why is patching important to cybersecurity?


‘Patching’ is one of those cybersecurity terms that sounds simple and homespun while somehow also appearing technical and complex. But in reality, patching is one of the easiest ways to protect your business against cyber threats. Here’s everything you need to know about it: the what, the why and the how. 

What is patching?

Remember how your mum would fix your school uniform with a patch of similarly coloured fabric when you ripped it falling over in the playground for the hundredth time? Well, the same principle applies to patching in cybersecurity. 

Over time, even the best software develops vulnerabilities, suffers a breach, or simply becomes outdated. It could be that the software was built with vulnerabilities that weren’t anticipated at the time or it might be that a new cyber threat has emerged. Whatever the reason, software developers get around the problem with security patches. 

Just like the million little fixes to your school trousers, security patches are small adjustments. They don’t change the fundamental function of the software, but they do get rid of ‘holes’ a cybercriminal might exploit to access your data or systems. 

Why is patching important? 

The best way to illustrate why patching is so important is to give an example of what happens when it isn’t used. Remember the WannaCry ransomware attack back in 2017?

The crisis began when the USA’s National Security Agency (NSA) discovered a vulnerability within Microsoft Windows. However, rather than report this immediately to Microsoft, the NSA used its knowledge of the vulnerability to create software capable of exploiting it. Unfortunately, cybercriminals then stole this tool from the NSA and used it to launch the WannaCry attack. 

The result of this unpatched vulnerability was an onslaught of ransomware that cost organisations across the globe $53 billion, including a £92 million bill for the NHS.

Why is this relevant to SMEs? 

Of course, as an SME, it’s unlikely you’re sitting on software vulnerabilities that could put an almighty dent in the global economy. But that doesn’t mean patching isn’t important. 

If the tools you’re using – say, your operating system or anti-virus software – have vulnerabilities, it gives the bad guys an easy route into your systems. Once they’re in, confidential employee information, financial data, and everything else your business guards closely, is at their fingertips. 

And it’s not just your business. As WannaCry proved, a weak link anywhere in a supply chain puts everyone at risk. 

How do you make sure your business is protected?

The best thing about patching is that it’s the simplest thing you can do to improve your business’s cybersecurity. All it requires is that you continually update the software and tools you use. This could mean checking for updates every few days or just simply switching on the auto-update setting for all company devices.

This is very easy to do on a personal level. But what if you scale this practice up company-wide? Surely keeping track of several, or even tens, of employees’ devices is tricky, to say the least?

There are two relatively simple routes around the problem. 

Clear security policies

The first is clear company security policies. Make it clear to your people that everyone needs to update software as soon as a new version or patch is released and explain why. Most of us are more likely to adhere to a policy if we know why it’s there and what we risk if we don’t follow it. And don’t squirrel it away on some long-forgotten corner of your company server. Ensure everyone has access and knows where to find it. 

Use an active protection tool

The second approach is to use an active protection tool like CyberSmart Active Protect. Active Protect scans all of your company devices every 15 minutes, checking everyone is using the latest versions of software and security settings are configured properly. If anyone in your business has missed something, you’ll know about it through the CyberSmart Dashboard.
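To make the "keep track of tens of devices" problem above concrete, here is the core of a patch-compliance check written as an added example. It is not CyberSmart's code and says nothing about how Active Protect is built; the inventory, the table of latest versions, the product names and the check-in interval are all constructed for illustration. Each device is assumed to report the software versions it has installed and when it last checked in; the script flags anything older than the newest release and any device that has gone quiet, which is the other way a fleet falls out of date. Versions are compared numerically, because a naive string comparison would rank 4.9 above 4.18 and silently hide a missing patch.

```python
"""Patch-compliance report over a constructed device inventory.

Added example, not CyberSmart's code. Product names, versions, check-in
times and the scan interval are constructed values for illustration only.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.18.2011' into (4, 18, 2011) so comparison is numeric.
    Lexically '4.9.2011' > '4.18.2011', which would hide a missing update."""
    return tuple(int(part) for part in v.split("."))


# Constructed: newest release of each product the business relies on
LATEST: Dict[str, str] = {
    "os": "10.0.19042",
    "browser": "87.0.4280",
    "antivirus": "4.18.2011",
}

# Constructed inventory: what each device last reported, and when
INVENTORY: List[dict] = [
    {"device": "laptop-01", "last_seen": "2020-11-23T09:20:00",
     "installed": {"os": "10.0.19042", "browser": "87.0.4280", "antivirus": "4.18.2011"}},
    {"device": "laptop-02", "last_seen": "2020-11-23T09:25:00",
     "installed": {"os": "10.0.19042", "browser": "87.0.4279", "antivirus": "4.18.2011"}},
    {"device": "phone-03", "last_seen": "2020-11-22T17:00:00",
     "installed": {"os": "10.0.19042", "browser": "87.0.4280"}},
    {"device": "laptop-04", "last_seen": "2020-11-23T09:15:00",
     "installed": {"os": "10.0.19042", "browser": "87.0.4280", "antivirus": "4.9.2011"}},
]

CHECKIN_INTERVAL = timedelta(minutes=15)    # assumed scan cadence
STALE_AFTER = 4 * CHECKIN_INTERVAL          # assumed: flag after four missed check-ins
NOW = datetime(2020, 11, 23, 9, 30)         # fixed clock for the constructed data


def outdated_software(installed: Dict[str, str], latest: Dict[str, str]) -> List[str]:
    """List products that are missing or behind the newest release."""
    issues = []
    for product, newest in latest.items():
        have = installed.get(product)
        if have is None:
            issues.append(f"{product}: not installed")
        elif parse_version(have) < parse_version(newest):
            issues.append(f"{product}: {have} installed, {newest} available")
    return issues


def compliance_report(inventory: List[dict], latest: Dict[str, str], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant device to its problems; compliant devices are omitted."""
    report = {}
    for dev in inventory:
        issues = outdated_software(dev["installed"], latest)
        last_seen = datetime.fromisoformat(dev["last_seen"])
        if now - last_seen > STALE_AFTER:
            issues.append(f"no check-in since {dev['last_seen']}")
        if issues:
            report[dev["device"]] = issues
    return report


def example_report() -> Dict[str, List[str]]:
    """Run the report over the constructed inventory at the fixed clock."""
    return compliance_report(INVENTORY, LATEST, NOW)


if __name__ == "__main__":
    for device, problems in example_report().items():
        print(device)
        for p in problems:
            print("  -", p)
```

In practice the `LATEST` table is the part that needs feeding: it has to be refreshed from vendor release information at least as often as the devices check in, otherwise every device looks compliant against a stale baseline.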

Our products can even help with creating clear policies. CyberSmart Policy Manager allows you to host your security policies in-app and distribute them to all company devices. So you can be sure everyone has access to and reads your organisation’s policies. 

Although it doesn’t sound like much, ensuring every tool your business uses is running the latest version really is the first step to a safer working environment. So why not start making it part of your routine today?

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
