New: CyberSmart’s SME cost of living crisis report

SME cost of living crisis report

At CyberSmart, we recognise that the cost of living crisis not only affects our personal lives, but the way small and medium businesses (SMEs) manage their priorities, too. 

Uncertainty is never the best feeling for any business leader. A dampened economic outlook can result in SMEs becoming more cost-conscious and less growth-minded. And we’re concerned about the impact on cybersecurity. 

That’s why our latest insight, the SME cost of living crisis report, explores its impact on SMEs, leadership, the workforce, and business cybersecurity.

What’s in the report?

We tasked Censuswide with surveying 1,000 UK SMEs to reveal the current state of the cybersecurity landscape for SMEs. 

The report is full of helpful statistics, figures, and insights that reveal the behaviours of decision-makers during the cost of living crisis.

In the report, you’ll learn about:

  • What’s driving decision-making in the cost of living crisis?
  • The impact on cybersecurity investments 
  • Leadership behaviours and mistrust of employees
  • Cybersecurity policy and governance factors
  • How should SMEs approach cybersecurity in the cost of living crisis?


Discover CyberSmart’s SME cost of living crisis report. Learn more about the impact on cybersecurity, people, and more. Read it today.

Discover key insights about the cybersecurity landscape

At CyberSmart, we work to make cybersecurity simple and accessible to everyone. We aim to provide every business, no matter how small, the tools to protect themselves against cybersecurity threats easily and effectively.

That’s why we’ve incorporated our expert insight into the report, too. We deep-dive into the reasoning behind the report’s findings to support the facts and figures. This provides you with a better understanding of the current SME cybersecurity landscape. 

For example, the report reveals that nearly half of UK SMEs (47%) believe they’re at greater risk of a cyberattack since the onset of the cost-of-living crisis. Why? External threats, insider threats, employee mistrust, and employee negligence are all driving this behaviour, and we explore each of them in the report. Read it for free today to get the latest insights into SME cybersecurity during the cost of living crisis.


Is Cyber Essentials Plus right for my business?


Are you considering Cyber Essentials Plus, but unsure whether it’s right for your business? To help you decide, we’ve pulled together a quick summary of how the government-backed certification works, and why it could be the next step for your business. Read on to find out more.

What is Cyber Essentials Plus?

Cyber Essentials Plus follows the same simple approach and offers the same benefits as Cyber Essentials. However, it differs in one key aspect: Cyber Essentials Plus includes a technical audit of your systems. The controls are the same; the audit simply verifies that they’re in place and properly configured.

The audit process takes a little more effort than the standard certification, but it’s worth it for the peace of mind that your security is up to standard.

When should you consider Cyber Essentials Plus?

The truth is, any business looking to improve its security could benefit from Cyber Essentials Plus. However, there are a few scenarios in which we’d recommend Cyber Essentials Plus.

Confused about certification? Read our free guide for everything you need to know.

1. You want a thorough assessment of your cybersecurity credentials 

Cyber Essentials is a great first step for any small business that wants to up its cybersecurity game. Nevertheless, the standard Cyber Essentials certification is self-assessed. This means that while you’ll have to comply with the security controls it lays out to pass, you won’t benefit from an independent assessment.

Cyber Essentials Plus, on the other hand, features a visit (either in person or remotely) from an independent auditor. So you’ll gain the peace of mind that your security credentials are up to scratch.

2. You want to work with high-value customers 

It’s a general rule of thumb that the more prestigious the clients you work with, the more stringent their security requirements. Cyber Essentials Plus can help demonstrate to potential customers with high expectations that you take data protection and cybersecurity seriously. And, it could help you steal a march on competitors.

3. You’re a public-facing business 

Any business that directly interacts with the public should make cybersecurity a top priority. If your business stores personal data, whether that’s contact details or financial information, it’s part of your duty of care to protect it.

Investing in Cyber Essentials Plus will not only help you put in place the measures needed to better protect your organisation, but it also demonstrates to customers that you take security – and their personal data – seriously. 

4. You work in a sector that requires higher-than-standard security

Some industries are more at risk from cyberattacks than others. For example, manufacturing firms were the victims in almost a quarter (24.9%) of all breaches globally in 2022, closely followed by finance and insurance with nearly a fifth (18.9%).

If your business works in a high-risk sector, it’s natural that you need better protection. Again, the standard certification is a great stepping stone, but the extra assessment and validation provided by Cyber Essentials Plus is key if you’re more likely to be targeted. 

What’s more, many businesses working in high-risk industries will require partners and suppliers to demonstrate better-than-basic credentials, and Cyber Essentials Plus fulfils this function.

5. You want to access government funding or bid for tenders

Although Cyber Essentials Plus isn’t mandatory for all government funding and contracts yet, there are plenty of scenarios where you’ll need it. For instance, schools and colleges hoping to secure ESFA Education and Skills contracts are required to have passed Cyber Essentials and be working towards Cyber Essentials Plus.

Likewise, many healthcare and defence tenders mandate that applicants have, at least, the standard certification in place, if not Cyber Essentials Plus. There’s even a case to be made for investing in Cyber Essentials Plus when the contract doesn’t require it. In a competitive tendering process, being able to demonstrate that you have better security bona fides than your rivals could help tip the balance in your favour.

Still unsure about which cybersecurity certification is right for your business? Check out our guide to UK certifications for everything you need to know. 


The Cyber Essentials questionnaire: are you prepared?

In 2015, a research team at Lancaster University concluded that 99% of cyber risks could be avoided by following a set of surprisingly simple security measures. These measures, or controls, form the basis of the government’s standard for security certification, Cyber Essentials, which is what we help businesses achieve here at CyberSmart.

However, there’s a lot you can do on your own to prepare yourself for the Cyber Essentials assessment or just to improve your general cyber hygiene around its guidelines. We’re going to walk you through some of the processes you will need to have in place when you complete the self-assessment for Cyber Essentials before it is reviewed by an assessor.

Keep in mind that the Cyber Essentials questionnaire is asking you to evaluate every device in your company (laptops, personal computers used for work, phones, the works) and whether it complies with the rules. If it is being used for work, it should be included.

Choose the most secure settings for your devices and software

☐ Know what ‘configuration’ means

☐ Find the settings of your device and try to turn off a function that you don’t need

☐ Find the settings of a piece of software you regularly use and try to turn off a function that you don’t need

☐ Read the NCSC guidance on passwords

☐ Make sure you’re still happy with your passwords

☐ Read up about two-factor authentication

Control who has access to your data and services

☐ Read up on accounts and permissions

☐ Understand the concept of ‘least privilege’

☐ Know who has administrative privileges to your data and on which machines

☐ Know what counts as an administrative task

☐ Set up a minimal user account on one of your devices

Protect yourself from viruses and other malware

☐ Know what malware is and how it can get onto your devices

☐ Identify three ways to protect against malware

☐ Read up about anti-virus applications

☐ Install an antivirus application on one of your devices and test for viruses

☐ Research secure places to buy apps, such as Google Play and Apple App Store

☐ Understand what a ‘sandbox’ is

Keep your devices and software up to date

☐ Know what ‘patching’ is

☐ Verify that the operating systems on all of your devices are set to ‘Automatic Update’

☐ Try to set a piece of software that you regularly use to ‘Automatic update’

☐ List all the software you have which is no longer supported

If you can follow this guidance now, you can pass certification quickly and with flying colours. If you struggle with any of these steps, CyberSmart has guided hundreds of SMEs of all sizes and levels of experience through the same process, so feel free to get in touch. We offer a quick and simple step-by-step process so you can get Cyber Essentials certified today.

Practices for maintaining cyber security every business owner should know

As regulations, risks, and budgets evolve and your business grows, the maintenance of cyber security shouldn’t be an afterthought – it should be part of the bedrock of your organisation.

The Cisco 2020 CISO study demonstrated that cyber security remains a high priority among executive business leaders, with an increase in investment for security automation technologies as the scale of complexity increases. 

While it’s helpful to have automated security tooling in place to combat cyber attacks, there are several steps you can take as a business to protect yourself:

Strict access control (Zero Trust)

Zero Trust is a holistic information security framework and an essential component of cyber security. Rather than assuming all people and systems operating within a secure setting should be trusted, it relies on constant verification before granting access. 

This can be implemented through a series of steps. Firstly, data access should be managed by a multi-factor authentication (MFA) system. Only 27% of businesses are making use of an MFA system. 

Secondly, employees should be prompted to update devices to combat existing vulnerabilities, and user access to data management applications should be managed through central policies.

The Cisco report demonstrated that more than half of respondents noted that mobile devices are becoming an increasing challenge to defend. It suggests a zero-trust strategy as the best way to remedy this.

Updating regularly

This report showed that 46% of organisations were faced with incidents as a result of unpatched vulnerabilities. This means that a software provider issued an update in response to an issue but an employee failed to run the update.

Breaches to data management environments can cause hefty losses of data, and when patches are rolled out it is crucial to apply them immediately to limit the timeframe in which the vulnerabilities can be exploited.

Monitoring implementations

As cyber security practices are continually developed and regulated, it becomes important to regularly monitor activity on your network and data applications to review how well your security measures are faring.

Detection utilities should always be managed and routinely updated so that when incidents do arise, they can be properly investigated. Many small and medium-sized businesses have found CyberSmart’s monitoring app helpful for this purpose. It can be installed on any device and up-to-date information on every device’s security status is available through a centralised dashboard.

Centralise security essentials

The biggest factor in the growing challenge of maintaining adequate cyber security is the level of complexity as a business scales. When an organisation uses multiple security solutions, centralising them in an integrated platform reduces that complexity, which makes it easier to manage, update and review security essentials. The same Cisco benchmark found that 42% of respondents were more inclined to give up on maintaining adequate cyber security because of its complexity.

CyberSmart offers several ways for the cyber security of even smaller businesses to thrive, and our Cyber Essentials and Cyber Essentials Plus certification takes complexity into consideration and simplifies the process.

Four ways you can protect your customers

The information age has given businesses a new set of responsibilities for customer data that just didn’t exist before, including anything from basic name and address details all the way through to legally sensitive details, medical records and serious financial data. This has enabled major advances in everything from logistics to advertising and healthcare, but it’s also a major burden for companies – so how can you make sure you’re doing your best?

Change behaviours

While the tricks and tools that hackers use to get at your data are genuinely becoming ever more sophisticated, by far the most popular way to steal from you is the good old-fashioned confidence trick. Fake email solicitations, cloned or mirrored websites and even the impersonation of trusted contacts can get your staff to hand over data voluntarily – so make sure a culture of healthy suspicion is built into your workforce. Set up a secure inbox that staff can forward suspicious emails to, so IT can safely dispose of them, and train staff regularly to spot fraud.

Layer your defences

The holy grail for any hacker is to get at not only the immediate target of their crime but all your other data as well. While one file may not be enough to cause harm on its own, it can be linked to other files that, taken together, enable more serious attacks on people, such as identity fraud. So make sure you have several layers of separation between different areas of your systems, so that one breach doesn’t cascade into several. It can also help to restrict access on a need-to-know basis, so accidental breaches simply can’t happen, or to ban things like portable disk drives just in case.

Trust the experts

While it’s entirely possible to fashion your own defences, it’s hard to give your customers true peace of mind without some official credentials to back them up. Achieving an IASME-backed certification like Cyber Essentials or Cyber Essentials Plus ensures that you have the industry’s gold-standard protection in place, and with the GDPR Readiness standard you can become GDPR compliant and showcase your commitment to world-class customer data security, which in turn can open doors to new contracts with companies that insist on working only with the most secure firms.

Keep your patches up to date

Another sadly common way that hackers access your systems is through known flaws in software that have already been fixed, but where the business is still running an older version without the fix. These well-documented flaws are like gold dust to hackers, who can simply stroll right in, so it’s a good idea to use software like CyberSmart Active Protect that automatically detects outdated operating systems as well as software vulnerabilities. Find out more.

What’s the difference between Cyber Essentials, ISO 27001 and PCI DSS?


Practising good cyber hygiene has never been more important for SMEs. In the last two years alone, small firms were subject to 10,000 cyberattacks daily, and one in five reported suffering a breach. Regardless of their size or industry, all SMEs face similar risks. To counter this, the UK government has developed various standards to ensure we all have access to the same resources and knowledge.

But it’s easy to get confused between the various standards for information security. Which one should you get certified for? To help you make a decision, let’s look at the differences between Cyber Essentials, ISO 27001, and PCI DSS.

Cyber Essentials

Cyber Essentials (CE) is a UK government program for protecting information, launched in 2014. CE is the minimum certification required for any government supplier responsible for handling personal information in the UK.

For SMEs, a CE certification demonstrates you’re serious about security – both to customers and regulators. 

The Five Requirements of Cyber Essentials

The key requirements of Cyber Essentials certification are as follows:

1. Configure and deploy a firewall

A firewall is a secure buffer zone between your organisation’s internal network and the Internet. Using a firewall ensures that malicious traffic is not allowed to enter your network.

The certification requires you to configure and deploy a firewall that protects all devices, especially those connected to a public or untrustworthy network.

2. Use secure configurations for devices and software

Most devices and software come with the manufacturer’s default settings. And these aim to make the device as open and available as possible. However, these aren’t usually the most secure settings, leaving you open to cyber attacks. 

CE asks you to reconfigure these settings to maximise security. This includes using strong (and not default) passwords and introducing extra layers of security such as two-factor authentication.

3. Make use of access control to prevent unauthorised access to data and services

Your employees should only have the minimum access needed to perform their role. Providing extra permissions to settings, software, or online services can be a potential threat to your business if the account gets stolen or misused.

Standard accounts vs. administrative accounts

Standard accounts are made for general work purposes and have limited access. On the other hand, administrative accounts have greater privileges and are used for administrative tasks such as installing software.

In the case of a breach, unauthorised access to an administrative account can cause much more damage than access to a standard one. So it’s important to provide administrative accounts to only qualified and authorised staff. 

To get certified, you have to control access to company data. In practice, this means making administrative accounts only available to those that need them. What’s more, the actions an administrator can take should also be tightly controlled.

4. Protect yourself against malware such as viruses

Malware, short for malicious software, is any computer program that causes harm to a device or its user. Perhaps the most well-known type of malware is the virus. Simply put, a virus infects the software on your device to corrupt files and data. Malware can come from anywhere, but the most common sources are email attachments, malicious websites, and files from a removable device such as a USB drive.

Defending your business against malware

CE requests that you implement at least one of the following approaches to malware protection:

  • Anti-malware measures: For desktops and laptops, this means enabling anti-virus solutions such as Windows Defender or macOS XProtect. Meanwhile, for smartphones, you’ll need to keep software up to date, enable features to track and erase devices when lost, and use password protection
  • Sandboxing: A sandbox is an environment that has very restricted access to the rest of your files and network. Whenever possible, you should make use of applications that support sandboxing to keep your data far from malware
  • Whitelisting: A whitelist is a list of software that is allowed to be installed and run on a device. This prevents users from running software that can be potentially harmful. Administrators create whitelists and implement them on devices including laptops, desktops, and smartphones

5. Keep devices and software updated

All devices, software, and operating systems you use should be kept updated. Alongside adding new features, device manufacturers and software developers also release updates (or patches). These are key to fixing known vulnerabilities in the software. 

CE builds on this requirement. All devices, software, and operating systems must be kept up to date and upgraded once they are no longer supported by the manufacturer or developer.

ISO 27001

ISO 27001 is an international standard for information security that was first introduced in 2005. The standard defines what is required for establishing, implementing, maintaining, and improving an information security management system.

ISO 27001 is much more comprehensive than CE. However, unlike CE, it’s not yet a requirement for SMEs operating in the UK.

The 14 Controls of ISO 27001

Unlike CE and PCI DSS, ISO 27001 doesn’t have specific requirements for compliance. Instead, ISO 27001 provides guidelines through a set of ‘controls’. Let’s run through them.

1. Develop an information security policy

An information security policy provides direction and support to your people. It should clearly lay out how to manage information in accordance with laws, regulations and business requirements. It should also be a living document, reviewed regularly to check that it’s effective and that everything in it is still suitable.

The information security policy document should be approved by your management team and communicated to all employees and external parties.

2. Implement and manage information security within your organisation

This control’s primary goal is to provide a mechanism for managing information security within a business. This includes coordinating responsibilities to employees and maintaining appropriate contact with authorities, third-parties, and security providers.

ISO 27001 provides the framework for managing information security in different aspects of your organisation, for example teleworking or project management.

3. Provide training and awareness to HR

You need to ensure that employees are aware of their responsibilities towards information security. Employees that can control or affect information security should be trained for their roles. And any changes in the employment conditions of employees should not affect your business’s security standards. 

4. Ensure organisational assets are secure

‘Information security assets’ are best defined as the devices used for information storage and processing. According to ISO 27001, you should be able to identify and classify information security assets based on the sensitivity of the information they handle. On top of this, you’ll also need to assign staff responsibility for keeping each of these devices secure. 

5. Make use of access control to protect information

Employees and third-parties should have restricted access to your information. ISO 27001 shows you how to use formal processes to grant and revoke user rights. 

6. Protect the confidentiality and integrity of information through cryptography

Use cryptography tools such as encryption to protect the confidentiality and integrity of your data. This can help keep you safe by making the data unusable for hackers – even if they do manage to get in. 

7. Prevent unauthorised physical access to your workplace

The physical areas where your information security assets are kept should be protected from unauthorised access and natural disasters. If these areas are breached, say by a break in or winter storm, it could stop your business functioning properly or expose your data. 

8. Deploy secure configurations for operational infrastructure

‘Operational infrastructure’ is the devices, software, and operating systems that manage your information security. According to ISO 27001, secure configurations for this infrastructure include:

  • Protection against malware and loss of data through measures such as antivirus software
  • Ensuring that default settings and passwords from manufacturers are changed according to business requirements
  • Gathering and recording evidence of any security vulnerabilities you have

9. Secure configurations for network infrastructure

‘Network infrastructure’ is the devices such as routers and switches, services, and software that make up your network. ISO 27001 asks your business to: 

  • Monitor and control network traffic
  • Ensure applications and systems using your network are secure (using measures like firewalls)
  • Produce a network services agreement that identifies security features and management requirements for the network

10. Prioritise security when acquiring, developing, and maintaining information systems

ISO 27001 states that security should be considered at every level of an information system. From the moment you set up a new system, your business requirements should include security controls to prevent the loss or misuse of information.

11. Ensure information security for activities by suppliers

Under ISO 27001, all outsourced activities must be monitored for information security controls. For instance, your suppliers are required to comply with the same security requirements you’ve laid out for your own organisation.

12. Develop an effective approach for managing information security incidents

If an incident occurs or your systems are breached, you need to do the following:

  • Properly communicate the details of the security incident and event quickly
  • Gather and preserve evidence for further analysis of the security incident
  • Develop processes for improving information security and preventing the incident happening again

13. Prevent information security failures from interrupting business continuity 

‘Business continuity’ is the ability of your business to keep running even after something’s gone wrong. ISO 27001 provides a step-by-step process for ensuring your business can continue operating after a breach. A key aspect of this is making sure information systems can still be accessed even during and after an incident. 

14. Ensure compliance with information security policies and standards

Lastly, your organisation should never be in breach of any law or security standard. ISO 27001 guides you through getting compliant and staying that way.

PCI DSS

The Payment Card Industry (PCI) Data Security Standard (DSS) is an international information security standard launched in 2004. This standard affects anyone who handles credit cards from leading card companies such as Visa, MasterCard, American Express, Discover, and JCB.

Which organisations need to comply with PCI DSS?

Any organisation that accepts, stores, or transmits cardholder information must comply with PCI DSS. Cardholder information includes the Primary Account Number (PAN), cardholder name, service code, and expiration date.

The Four Levels of PCI DSS:

Each organisation falls into one of four levels of PCI DSS. These levels are determined by the number of VISA transactions performed by your business annually. 

The four levels:

  • One: organisations that process over 6 million transactions per annum
  • Two: businesses that process between 1 million and 6 million transactions per annum
  • Three: organisations that process between 20,000 and 1 million e-commerce transactions per annum
  • Four: those that process fewer than 20,000 e-commerce transactions, or up to 1 million transactions, per annum

With the exception of level 3, these categories apply regardless of the transaction channel.

The Six Goals of PCI DSS:

PCI DSS has six key goals.

1. Build and maintain a secure network 

To comply with the PCI DSS, you need a secure system and network. To achieve this, you’ll need to:

  • Install and configure a firewall for protecting your network
  • Make use of secure configurations for devices and software instead of manufacturers’ default settings

2. Protect cardholders’ information

Protecting cardholder information isn’t just about preventing breaches of your network. It’s also important that you stop any stolen records from being used. 

PCI DSS requires the use of encryption when transmitting cardholder information across public networks. Encrypting the information guarantees that it is inaccessible and unreadable, even if a breach occurs.

3. Maintain a vulnerability management program

A ‘vulnerability management program’ ensures that malware and other security vulnerabilities are adequately taken care of.

Protection against malware

Anti-malware tools, whitelisting, and sandboxing should all be used to protect your business against malware. And these tools should be updated and monitored regularly. To comply with PCI DSS, you’ll need to protect all company devices against any type of malware. 

Secure systems and applications

PCI DSS instructs you to ensure the following when securing your systems: 

  • Keep all devices and software updated by installing the latest manufacturer-provided security patches
  • Establish a process for identifying and reporting newly discovered security vulnerabilities
  • Use industry best practices when developing or changing software applications and system components

4. Implement strong access controls

Access control is all about restricting users on a ‘need-to-know’ basis. Cardholder information is highly sensitive and access to it should be restricted, even for your employees. 

PCI DSS requires businesses to ensure access to system components is authorised and authenticated through user accounts. What’s more, physical access to cardholder information should be tightly controlled. This means all your system components should be stored in an inaccessible location – far away from anyone unauthorised.

5. Monitor and test networks regularly

To check for vulnerabilities in your networks, you’ll need to monitor and test them regularly. Any access to network resources, particularly cardholder data, should be tracked and monitored. This will tell you who’s accessing your cardholder data, when they’re doing it, and how.

PCI DSS also requires you to monitor network traffic, run scans for detecting internal and external network vulnerabilities, and set up a detection system for intruders. 

6. Maintain a policy for information security

Any organisation looking to comply with PCI DSS needs comprehensive guidelines for staff on how to handle information security. The policy should include a risk-assessment process, usage policies for technologies, information security requirements for personnel, and a formal awareness program.

A short summary

If you’ve made it this far, you’re now well-versed in the differences between government certifications. But here’s a quick summary of the key differences between them.

| Parameter | Cyber Essentials | ISO 27001 | PCI DSS |
| --- | --- | --- | --- |
| Creator | Government of UK | International Organization for Standardization (ISO) | PCI Council consisting of VISA, MasterCard, American Express, Discover, and JCB |
| Flexibility | Low | High | Low |
| Scope | Depends on the business. Limited to the UK only. | Depends on the business and is international. | Applies to cardholders’ information only and is international. |
| Number of Domains | 5 requirements | 14 controls | 6 goals |
| Auditing | None. | Maintenance audits each year and recertification audits every 3 years. | Network-scanning audits and onsite audits depending on the level of compliance needed. |
| Certification | Must have for government suppliers handling personal information. | Given to all organisations. | Required by organisations that take payment through credit cards. |
| Compliance | Easy | Complex | Complex |
| Time to Compliance | 1 – 2 days | 6 – 9 months | 1 – 2 weeks |

So which should you pick?

Cyber Essentials, ISO 27001, and PCI DSS are very different standards. However, they share a common goal: information security. 

ISO 27001 looks like the most comprehensive standard, but it isn’t the silver bullet it appears to be. Government departments in the UK often prefer (and even require) CE over both ISO 27001 and PCI DSS. So the best certification for your business depends on your requirements, size and infrastructure.

This might seem like a bit of a minefield, but that’s where we come in. At CyberSmart, we understand cybersecurity can be confusing. But we don’t believe it has to be.

So if you’re looking to improve cybersecurity but aren’t sure where to begin, talk to us. We can help you navigate tricky government standards and choose the right option for your business.
