Key takeaways from the CyberSmart SME cost of living crisis report

The current economic climate has seen better days, but how are the UK’s small businesses weathering the storm? At CyberSmart, we’re curious about how the cost of living crisis has impacted cybersecurity and people in small businesses.

We tasked Censuswide with surveying 1,000 UK SMEs to find out how they’re coping. What followed is our ‘SME cost of living crisis report’. It explores:

  • How confident businesses are about weathering the economic storm
  • The financial limitations impacting businesses
  • The impact on employees
  • The key impacts on cybersecurity
  • The state of cybersecurity investments 
  • How SMEs can approach cybersecurity in the cost of living crisis

Despite economic conditions, cybersecurity in your business doesn’t need to be all doom and gloom. Our report gives you the knowledge and understanding of the current climate to proactively protect your business. To help you, here are our key takeaways from the report. 

Want to read the report in full? Get your copy here.

1. Cost-conscious businesses are looking for value

Small businesses must be cost-conscious. Careful budgeting and knowing when to invest is key to survival. And this means many small business leaders won’t invest in cybersecurity unless they know the payoff is worthwhile. 

Understanding the benefits of strong cybersecurity is key in these conditions. Without a good level of understanding, decision-makers will overlook its importance.

2. Economic uncertainty raises threat levels 

Even though businesses are overlooking the importance of cybersecurity, nearly half of UK SMEs (47%) believe they’re at greater risk of a cyberattack since the onset of the cost of living crisis. 

Economic uncertainty has led to mistrust, too. 38% of leaders are worried about malicious insider threats from employees, while 32% blame higher rates of supply chain fraud. It seems that mistrust comes from inside and outside.

This is why increasing cybersecurity protocols and governance offers real business value. It provides much-needed reassurance that business data is safe, no matter where threats come from.

3. The employee skill gap is causing mistrust

Your employees are a line of defence when it comes to cybersecurity. But you must equip them with the tools and knowledge to counter potential attacks. 

80% of respondents said that their employees do not fully understand why it is important to keep confidential information secure. And this lack of cybersecurity knowledge is the leading reason for mistrust.

The cybersecurity skills gap is a prominent source of uncertainty. Of the 620 SME leaders who claimed to trust their employees, 25% still believe that staff pose the greatest security risk.

4. SMEs are missing important cybersecurity policies 

We noticed that a lack of trust in employees, their cybersecurity knowledge, and no clear internal policies have an underlying impact on small businesses, so we did some digging.

Only 54% of SMEs have clear policies and procedures for sharing information and gaining access to confidential information. This means that just under half of SMEs don’t have important cybersecurity policies at all.

It’s not surprising that leaders demonstrate a lack of trust in their employees, especially when there’s no guidance for the employees in the first place. Here, cybersecurity concerns appear as a vicious circle, combining an important gap in employee knowledge with a lack of policies.

5. Basic measures can help to protect businesses

The report reveals that fixing basic, underlying issues can help alleviate the cybersecurity concerns arising from the cost of living crisis. These issues are:

  • Lack of employee cybersecurity training and resulting cyber confidence 
  • Missing cybersecurity policies, or too few policies 
  • Misunderstanding of the value of cybersecurity tools 

Luckily, investing in cybersecurity doesn’t have to cost the earth. Instead, SMEs must be smart about their investments and increase cyber confidence for their employees.

Our report takes an in-depth look at these steps and how SMEs can implement them. These steps can help increase cyber confidence in your business and protect against cybersecurity threats.

Cyber confidence is key in the cost of living crisis

Uncertain economic conditions can make even the most stable business leaders feel on edge. Improving cybersecurity governance can help decision-makers protect their business and provide much-needed reassurance that their cybersecurity is under control. 

Read our report today to learn more about the current concerns of SMEs in the cost of living crisis, and how to mitigate cybersecurity threats.

5 steps to better supply chain security

It’s not an exaggeration to say that supply chains pose one of the greatest cybersecurity risks to any business. In recent years, there’s been a huge increase in attacks stemming from supply-chain vulnerabilities. According to IBM’s 2023 X-Force Threat Intelligence Index, more than half of security breaches are attributed to supply chain and third-party suppliers, at a high average cost of over $4 million. 

It’s a serious problem. And, like most small businesses, you’re probably asking what you can do about it. After all, looking after your own cybersecurity is tricky enough; how on earth do you start addressing gaps in your suppliers’ defences? 

To help you get started, we’ve put together 5 supply chain security best practices to strengthen your digital defences.

1. Protect your own business first 

This almost goes without saying, but before you delve into your supply chain, it’s worth considering your own cybersecurity status first. Is your business Cyber Essentials certified? Do you have security controls in place? Do you provide regular training for staff on cyber threats and best practices?

If you’ve answered no to any of the above, then these are great first steps in securing your business. And there’s a bonus to taking these measures first. By reviewing your own security, you’ll get a good idea of your business’s crown jewels – those critical aspects of your organisation that need the strongest protection.

2. Talk to your suppliers 

Progress begins with dialogue. So talk to your suppliers and partners about their cybersecurity. You may find that your business faces many of the same difficulties and threats. 

This can help you work together to ensure everyone in your supply chain works to the same security standards. And keeping dialogue open makes it much more likely that suppliers and partners will let you know faster if something goes wrong – protecting your business in the long run.

3. Make cybersecurity part of your contractual agreements 

Behavioural change often requires incentives. Once you’ve established what good cybersecurity looks like for your business, apply those principles to your partner and supplier contracts. 

How these agreements look will depend on your organisation. Requiring your partners to have a complete Cyber Essentials certification will be enough for some businesses. Others may need something more comprehensive, like ISO 27001 certification.

The important thing is that you make good cyber hygiene an expectation (rather than a nice to have) for anyone working with your business. By doing so, you not only incentivise good cybersecurity behaviours across your supply chain but also protect your business. 

4. Keep improving

Building a strong cybersecurity culture across your network takes time. It requires trust between businesses, and you can’t build that overnight. So persevere if your supply chain doesn’t immediately transform from leaky to locked down.

Cybersecurity is all about learning. As cyber threats evolve, so too do the methods for thwarting them. Stay updated with new threats and tweak and adapt your practices accordingly. You can then use this knowledge to update partners and suppliers and strengthen your supply chain.

5. Follow the NCSC’s new guidance 

Finally, if you’re looking for a framework to tie everything together, you could do a lot worse than the National Cyber Security Centre’s (NCSC) supply chain cybersecurity guidance.

The NCSC’s guidance breaks tackling supply chain security down into five basic steps (in case you were wondering where we got the idea from):

  1. Understand why your organisation should care about supply chain cybersecurity
  2. Develop an approach to assess supply chain cybersecurity
  3. Apply the approach to new supplier relationships
  4. Integrate the approach into existing supplier contracts
  5. Continuously improve

It’s a great place to start if you’re serious about tackling cybersecurity across your supply chain.

It’s a journey, not a destination

And remember, securing your supply chain is an ongoing process, but starting now is one of the biggest single investments you can make in protecting your business. Want to know more? Check out our new guide to protecting your business.

Press release: Over 1.1 million UK SMEs at risk of collapse during current economic uncertainty

Over 1 in 5 UK SMEs (21%) are worried that their business will not survive the current economic uncertainty or expect they will have to make a significant business pivot. This is according to a survey of a thousand SME senior leaders and decision-makers across the UK, commissioned by CyberSmart (and conducted by Censuswide).

The UK government estimates that the country is home to at least 5.5 million SMEs. If we were to extrapolate the findings, it could mean 1.155 million businesses are in a precarious position and risk collapse.

Remarkably, the survey also revealed that some SME senior leaders would go to great lengths to ensure the business’s survival. These behaviours range from engaging in cybercriminal activity and committing accounting fraud to neglecting compliance requirements.

Activities that SME senior leaders would consider engaging in include:

  • 15% would commit accounting fraud and lie to bankers/investors to secure funding or commit tax fraud/evasion (potentially equivalent to 825,000 SMEs)
  • 14% would cut employee salaries or benefits (potentially equivalent to 770,000 SMEs)
  • 11% would leverage proprietary information from partners/clients such as selling off the data (potentially equivalent to 605,000 SMEs)
  • 11% would neglect compliance requirements due to the additional costs they incur (potentially equivalent to 605,000 SMEs)
  • 10% would engage in cybercriminal activity such as hitting a rival company with a cyberattack (potentially equivalent to 550,000 SMEs)
  • 9% would mortgage their house (potentially equivalent to 495,000 SMEs)

SMEs decrease cybersecurity spending

Additionally, a third of SMEs have decreased cybersecurity spending due to the economic uncertainty or, more worryingly, admitted to never really investing in it.

In fact, as many as 42% of SME senior leaders do not believe it is worth investing in cybersecurity, with over 1 in 5 (21%) believing they are not a target. A further 16% claim it is not worth it because they have cyber insurance and 10% assert it is not a priority. Only 25% realised it was worth investing in cybersecurity because they could not afford to be breached.

CyberSmart CEO Jamie Akhtar reacted with the following:

“As a business owner myself, I can understand the pressure many SME decision-makers are currently facing to keep their companies running and ensure their employees are taken care of, all while budgets tighten. It is during these times that emotions run high, and people might make irrational decisions that go against their own, and their company’s, best interest. It goes without saying that we would never condone criminal behaviour. Moreover, we would strongly recommend that businesses invest in cybersecurity and compliance.”

“The business ecosystem has become highly intertwined, so no business is immune from cyberattacks. In fact, SMEs could prove to be an easy entry point for cybercriminals looking to hit others within their supply chain, if they have weak cybersecurity postures. While cyber insurance is important for risk transfer, it should not be relied on either. A comprehensive and continuous cybersecurity and compliance strategy is needed to avoid a breach’s financial, reputational and even physical repercussions. Fortunately, there are solutions today that can help in doing so, without breaking the bank.”

Want to know more? Read the report in full here.

6 key takeaways from the DCMS Cyber Security Breaches Survey 2023

Each year, the Department for Digital, Culture, Media & Sport (DCMS) releases its hotly anticipated Cyber Security Breaches Survey. It’s a key source of data on how businesses across the UK approach cybersecurity, the threats they face, and issues that need to be addressed in the coming year.

But for all its usefulness, the report is also very long – usually stretching to thousands of words in length. So, to save you from reading the whole thing, we’ve put together a handy list of the key takeaways from the report. Here’s the stuff you need to know. 

1. Assessing supply chain risk is rare for small businesses

We’ve talked about the danger supply chains pose to businesses a lot. Happily, it appears that larger businesses have begun to wake up to the risk. 63% of large businesses undertook a cybersecurity risk assessment in the last year, alongside 51% of medium-sized firms.

However, the practice remains rare among smaller businesses. When the sample size is broadened to include businesses of every size, just 3 in 10 have undergone a risk assessment.

Why is this happening? Well, it’s possible many businesses don’t have the resources to sanction regular risk assessments, but it’s just as likely that many SMEs are simply unaware of the need.

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

2. A small number of businesses are taking cyber accreditations

The good news is that the proportion of UK organisations seeking extra guidance or information on cybersecurity is stable at 49% for businesses and 44% for charities. But this does mean that a large proportion of organisations either aren’t aware of or aren’t using guidance like the NCSC’s 10 Steps to Cyber Security or the government-backed Cyber Essentials accreditation.

According to the DCMS’s findings, just 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – rising to 50% of medium businesses and 59% of large businesses. And it’s a similar story with ISO 27001 certification with just 9% of businesses and 5% of charities adhering to the standard. Again, this is higher among large businesses (27%).

Although these figures might look alarming, there are a couple of caveats to bear in mind. First of all, the Cyber Essentials scheme was always going to take some time to bear fruit; it’s worth remembering the extremely limited cyber awareness across UK businesses before its launch. What’s more, the number of certified businesses is still growing steadily, up from 500 per month in January 2017 to just under 3500 in January 2023.

Added to this, the scheme was always likely to need to evolve to meet the needs of businesses. Given recent calls from UK companies for a new and improved Cyber Essentials certification, perhaps the time has come for the scheme to take the next step in its evolution.

3. Formal incident response plans aren’t widespread

The survey reveals that most organisations agree that they’d take several actions following a breach or cyber incident. However, the reality appears somewhat different. Only a minority of businesses (21%) have a formal incident response plan in place. This figure does rise amongst medium (47%) and large businesses (64%), indicating that it’s SMEs who are going without.

Perhaps this isn’t surprising: SMEs are often time and resource-poor, and creating a thorough incident response plan isn’t a small undertaking. Nevertheless, it represents an area that both government bodies and companies like CyberSmart need to focus on in the coming year.

4. The number of identified breaches has declined 

At the risk of stating the obvious, cybercrime hasn’t decreased in the last year. But the number of breaches being reported by smaller businesses has declined. Just 32% of businesses and 24% of charities reported a breach or attack in the last 12 months – down from 39% of businesses and 30% of charities in the 2022 edition of the survey.

What’s going on? Are SMEs simply being attacked less? Unfortunately, no. 54% of SMEs in the UK experienced some form of cyber-attack in 2022. And, if we look at the figures for large businesses (69%) and high-income charities (56%) the numbers have remained stable from the 2022 report.

This seems to indicate that the drop is being driven by SMEs, which also suggests that they are undertaking less monitoring and logging of breaches than in previous years. Why? That brings us to our next key takeaway.

5. Cybersecurity is less of a priority for smaller businesses

It’s no secret that it’s a tricky time to be a small business. Economic uncertainty and a cost of living crisis have left many SMEs looking to reduce expenditure, particularly in areas like cybersecurity. This is borne out by the DCMS’s survey, with 68% of micro-businesses (10 employees or less) saying cyber security is a high priority, down from 80% last year.

In practice, this can mean less tracking and reporting of breaches, weaker defences, and greater reluctance to update tools, putting small businesses at a real disadvantage. But it doesn’t have to be this way. There are methods for budget-conscious businesses to reduce costs responsibly – we’ve outlined a few here.

6. Is cyber hygiene going backwards? 

Finally, cyber hygiene has long been a useful concept in helping businesses think about their security. The rationale behind it is simple. Most cyberattacks are pretty unsophisticated – think your common-or-garden phishing attack or a breach due to an unpatched vulnerability. 

This means businesses can avoid falling foul of most of them by using a set of basic “cyber hygiene” measures.

The most common of these hygiene measures are updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls. However, all of these measures have seen a gradual decline over the last few editions of the DCMS report. For example: 

  • use of password policies (79% in 2021, vs. 70% in 2023)
  • use of network firewalls (78% in 2021 vs. 66% in 2023)
  • restricting admin rights (75% in 2021, vs. 67% in 2023)
  • policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).

DCMS analysis suggests that these trends appear to reflect shifts in the SME population, as figures across larger organisations have remained stable. As we mentioned earlier, it’s possible that, as many smaller businesses feel the pinch and place less importance on cybersecurity, cyber hygiene has begun to fall by the wayside. Whatever the reason, it’s a worrying development that could make some SMEs extremely vulnerable.

What have we learned from the DCMS Cyber Security Breaches Survey 2023?

Time to draw some broad-brush conclusions from the DCMS’s findings. First of all, the common theme running throughout the report is that the cost of living crisis is having a real impact on SMEs’ ability to protect themselves. Whether it’s the decline in breach reporting, so many businesses lacking incident response plans, or the fall in cyber hygiene standards, it’s clear SMEs need real assistance to bolster their defences.

Second, Cyber Essentials could be due for a revamp. The number of organisations who are aware of the accreditation, let alone completing it, remains too low.

Finally, although this piece may have made for a fairly grim read, there is an upside. These findings provide everyone within the UK cybersecurity industry a clear picture of where the problems lie and what we all need to do over the next 12 months to tackle them.

Want to know more about how to reduce cybersecurity costs responsibly? Check out our free guide to cybersecurity on a budget.

Press release: Heightened risk of insider threats during cost-of-living crisis, according to SME study

Our latest research (to be released as a report) reveals fear among UK SMEs about insider threats. Some key findings include:

  • Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the cost-of-living crisis.
  • 38% believe this is due to increased malicious insider threats, and 35% believe it is due to negligent insider threats.
  • 1 in 4 believe staff are overwhelmed or concerned about meeting their financial commitments.
  • 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
  • 17% believe employees will seek to harm the company’s reputation due to resentment over salary cuts/stagnation and/or layoffs.

London, UK (15th June 2023) – Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the onset of the cost-of-living crisis. Of these respondents, 38% believe this is due to increased malicious insider threats (i.e., disgruntled employees making decisions that are not in the best interest of the company) and 35% believe it is due to negligent insider threats (i.e., overworked or distracted employees making mistakes). This is according to a survey of a thousand SME senior leaders across the UK, commissioned by CyberSmart, the category leader in simple and accessible automated cybersecurity technology for small and medium-sized enterprises (SMEs), and conducted by Censuswide.

In light of the economic uncertainty, almost 1 in 3 employers (29%) admit that employee salaries have stayed the same: in effect, resulting in a decline of real wages to accommodate for inflation. A further 11% have even gone so far as to reduce salaries. What’s more, nearly a quarter (24%) of SMEs have hit pause on recruitment, while 16% have laid off employees for budgetary reasons.

It is no coincidence then that 1 in 4 employers (24%) are finding that their staff are overwhelmed or concerned about meeting their financial commitments, while nearly a fifth (18%) find they are feeling overworked. Moreover, 16% believe their staff are less engaged or productive due to the stress, 14% think they are more disgruntled and 11% have noticed an increased rift between senior leadership and employees.

Remarkably, employers expect their employees might engage in the following activities whilst in this unhappy state.

  • 22% believe employees will take on a second or third job during contractual hours.
  • 22% believe employees will be more likely to make mistakes such as clicking on a phishing link.
  • 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
  • 17% believe employees will seek to harm company reputation due to resentment over salary cuts/stagnation and/or layoffs.
  • 14% believe employees will use AI such as ChatGPT to do their job for them.
  • 14% believe employees will steal money from the company or commit financial fraud.

“Not all businesses are experiencing a negative company culture as a result of the crisis. In fact, 20% believe the cost-of-living crisis has brought the company closer together and 16% of employees are becoming more motivated to impress senior leaders. Nevertheless, in times like these, it is crucial that employers are mindful of how their staff are coping,” said Jamie Akhtar, CEO and Co-Founder of CyberSmart. “It only takes one disgruntled or overworked member of staff to make a decision that could put the entire business at risk. This research highlights the importance of conducting regular security awareness training, but also the need to show up for employees with empathy and support.”

It should be noted that SME business leaders also consider external forces to be responsible for the growing risk of cyberattacks, with 32% attributing it to higher rates of supply chain fraud and 31% expressing concern about nation-state interference from hostile countries such as Russia and China.

Want to know more? Read the report in full here.

The 7 biggest challenges of ISO 27001 certification

It takes months of hard work to meet the rigorous standards outlined by ISO 27001. But if you think it’s the right move for your business, then these are the challenges you should be aware of before starting your journey.

What is ISO 27001?

ISO 27001 is an international information security standard. It was first published by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and revised in 2013.

The standard contains 10 management system clauses and 114 information security controls. These provide businesses with impartial, best-practice guidance on building, deploying, and maintaining a robust information security management system (ISMS). ISO 27001’s guidelines cover all key areas in your business, including people, processes, and tools.

ISO 27001 is more comprehensive than similar security certifications, like Cyber Essentials. It isn’t mandatory for UK SMEs, but there are several benefits:

The benefits of ISO 27001 certification

  • Protect your business and customers from cybersecurity threats
  • Reassure customers
  • Enhance your reputation
  • Avoid the financial penalties associated with data breaches

Want to protect your business but unsure where to start? Check out our free guide to cybersecurity certifications in the UK.

7 Common challenges of ISO 27001 certification

1. Understanding the guidelines

ISO 27001 is complex. Annex A of ISO 27001 contains 114 controls. These cover everything from information security protocols to incident management and business continuity. It’s a lot to take in and leaves many businesses asking the question: “where do I start?”

2. Building a security framework

Before embarking on ISO 27001 certification, you should have a robust information security framework in place. This outlines your cybersecurity policies, as well as the processes and tools you use to protect sensitive data from potential threats. It also explains what to do in the event of a security breach.

Auditors assess cybersecurity risks against this framework. If you don’t have one, you’ll have to build it from scratch. This is a significant undertaking and can set your project back by several months.

3. Identifying security gaps

What does your current information security ecosystem look like? It’s a simple question, but unless you review your processes, policies, and tools regularly, it’s difficult to get the complete picture you need to spot potential blind spots in your defences.

This is problematic for two reasons:

  1. It’s difficult to see where you should focus your efforts
  2. You might waste time on unnecessary tasks

You wouldn’t be the first business to spend days writing a new bring-your-own-device policy, only to discover you already have one hidden in a rarely used SharePoint folder. A comprehensive gap analysis can provide you with the information you need. But it requires the cooperation and support of every department to make sure nothing falls through the cracks.

4. Establishing responsibilities and ownership

You might think the ISO 27001 certification process is the sole responsibility of the IT department. But that’s not always the case.

ISO 27001 isn’t only about anti-virus software and data protection. It encompasses everything from helping individual team members understand their responsibilities and physical controls to managing supplier risks and compliance. 

The COO, operations teams, and HR all have a role to play in helping you achieve ISO 27001 certification.

5. Getting stakeholder buy-in

ISO 27001 certification is a long, intensive, and expensive process. You’ll have to put up with plenty of disruption along the way, and this can be a deal-breaker for some stakeholders. If your business has always worked in a certain way – and succeeded – stakeholders might justifiably ask: “is ISO 27001 worth the hassle?”

Many SMEs wrongly assume that they’re too small to be targeted by hackers, but that simply isn’t the case. 39% of UK businesses reported cyber breaches in 2021 and data suggests they’re on the rise.

You can overcome these objections by building a business case that outlines the value of ISO 27001 certification. This includes the benefits of ISO certification, such as stronger information security processes and enhancing your reputation.

6. Having no project plan

Attempting ISO 27001 certification without a plan is like trying to hit a bullseye while wearing a blindfold. You’ll hit the target eventually, but it’ll take longer and require considerably more effort.

ISO 27001 is a complex and time-consuming process. Successful ISO 27001 certification is a business-wide effort, and that means you need a project roadmap to:

  • Split the project into smaller, more manageable steps
  • Provide clear timelines for delivery
  • Ensure everyone’s on the same page

7. Implementing the project

One of the biggest challenges of ISO 27001 certification is implementing the project. SMEs typically lack the internal skills and knowledge to make the changes required by the ISO.

The key to a successful ISO 27001 implementation is to provide internal teams with the relevant security training, so they can implement the changes with confidence. Alternatively, you could work with a third-party auditor to make sure you’re moving in the right direction.

Is ISO 27001 right for my business?

It depends. Most businesses that embark on ISO 27001 certification are enterprises that have an information security framework in place and are ready to add another layer of protection. They also have the resources to implement the required changes.

For most UK SMEs, ISO 27001 is a nice to have rather than a necessity. Cyber Essentials and Cyber Essentials Plus provide all the security you need to defend your business against the most common cyber threats, like phishing scams and human error.

We certainly wouldn’t recommend attempting ISO 27001 until you’ve completed Cyber Essentials at the very least. Cyber Essentials accreditation isn’t a prerequisite for ISO 27001. But starting with ISO is like trying to run before you can walk.

Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.

What is smishing?

You’ve probably heard of phishing scams, have a decent handle on what they look like, and know how to avoid them. But just when you thought it was safe to log back onto your devices, there’s a new threat in town. ‘Smishing’.

Silly name aside, smishing is a pretty potent cyber threat and has fooled thousands of victims to date. So, to arm your business against this new breed of scam here’s everything you need to know.

How does smishing work?

Smishing attacks are a mutation of a classic phishing scam. They typically use SMS (hence the ‘smish’ part of ‘smishing’) to target victims and usually work much the same way as a typical phishing scam. A cybercriminal will impersonate a legitimate company to solicit personal data or financial information.

Like most social engineering attacks, smishing relies on creating a sense of urgency to trick victims into giving away their details before thinking too much about whether the message is legitimate. For example, a textbook smishing message often looks something like this: 


“Your Parcel Service package has extra shipping charges of £1.45 that must be paid before we can deliver your parcel.

Please click to pay.”

Notice that this text message doesn’t feel quite right. The language isn’t quite what you’d expect from a professional courier, the link looks dodgy, and there’s lots of slightly shonky bold text everywhere. And on top of this, few couriers or postal services would notify you of extra charges via an SMS.

However, if you’re in a hurry or are expecting a parcel, you might just hit the link without thinking too much about it. And it’s exactly that scenario that the bad guys are counting on.

Want to know more about the threats facing UK businesses? Download our guide.

Why are smishing attacks on the rise? 

First of all, let’s state the slightly obvious. Smishing attacks are becoming a big cybersecurity problem. Reports of malicious text messages tripled in just a year from 2019 to 2020, skyrocketing from 107,663 in 2019 to 305,241 in 2020.

What’s more, Ofcom research revealed that 82% of UK adults (or 45m people) received a suspicious text or email during the summer of 2021. It’s got so serious that the UK government was forced to relaunch its Joint Fraud Taskforce in October of last year.

But what’s driving this?

Of course, some of this is down to the pandemic; we saw cyberattacks of all kinds increase dramatically in the wake of COVID-19. However, that’s not the whole story. In smishing, cybercriminals have hit upon a low-effort, high-reward way to target just about anyone who owns a phone.

It’s substantially easier for cybercriminals to find your phone number than your email. Even if your number hasn’t been in a data leak, attackers can simply try random combinations of numbers until they hit upon one that’s a real phone number. After all, there’s a finite set of options for a mobile telephone number (UK numbers are 11 digits).

On top of this, smishing has become increasingly popular because people are more likely to trust a text message than an email. This is partly an educational issue. By this point, most of us are aware of the threat of email phishing scams (even if we still fall for them). Smishing is a newer phenomenon and, as a result, we tend to be more trusting. 

Are there any famous examples?

There are plenty of examples of famous brands being spoofed for smishing purposes, from banks to parcel services to government departments. But perhaps the most famous UK examples are Royal Mail and HMRC.

The Royal Mail scam looked a lot like our smishing example above. Victims were sent fake messages purporting to be from Royal Mail asking them to pay extra fees for parcels to be released. Once victims had entered their card details to pay these ‘fees’, cybercriminals used this information to drain their bank accounts or go on lavish spending sprees.

Sadly, a staggering number of people were hoodwinked by the scam. According to Wired, 2020 saw a 1,077% increase in incidents related to Royal Mail.

The HMRC scam performed a similar dirty trick. Victims received SMS messages notifying them of a bogus tax rebate. And, after victims submitted their information, you guessed it, money suddenly started disappearing from their bank accounts.

Both scams had devastating effects, particularly at the height of a pandemic with many people on furlough, with victims losing savings or money they needed to pay bills.

What can you do to protect your business? 

Education, education, education 

Smishing attacks rely solely on human error. If your people can recognise the signs of a smishing scam, they simply won’t fall for it. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in smishing attacks such as impersonating a supplier, creating a sense of urgency, or offering bogus services. It can also help give them a good nose for what looks or sounds like a scam, identifying things like strange syntax, simple spelling mistakes and weird URLs or phone numbers.
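The tell-tale signs listed above (impersonation, urgency, weird URLs) can also be written down as a simple triage check for text messages that staff report. This is an added example, not CyberSmart code: the phrase lists, brand names and the `.example`/`.test` domains are assumptions, and the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumptions for illustration: brand names staff expect texts from and the
# domain each one really uses. Replace with your own suppliers.
BRANDS = {"parcel service": "parcelservice.example", "tax office": "tax.gov.example"}
URGENCY = re.compile(r"\b(must be paid|immediately|final notice|suspended|within 24 hours)\b", re.I)
ASKS = re.compile(r"\b(pay|payment|fees?|charges?|rebate|refund|card details|verify)\b", re.I)
URL = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.I)

# Constructed sample messages (the first reuses the wording quoted earlier on this page).
SAMPLES = [
    "Your Parcel Service package has extra shipping charges of £1.45 that must be paid "
    "before we can deliver your parcel. Please click to pay: "
    "https://parcelservice.example.pay-fees.test/p",
    "Tax Office: you are owed a rebate of £265.84. Claim at http://203.0.113.7/claim",
    "Parcel Service: your parcel arrives today, 10:00-12:00. "
    "Track it at https://track.parcelservice.example/t/123",
]


def host_of(url):
    """Lower-cased hostname of a URL found in a message ('' if none)."""
    if not url.lower().startswith("http"):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def belongs_to(host, domain):
    """True for the domain itself or a subdomain; a mere substring does not count."""
    return host == domain or host.endswith("." + domain)


def triage(sms):
    """Return the smishing indicators present in one SMS body (empty list = none)."""
    reasons = []
    hosts = [host_of(u) for u in URL.findall(sms)]
    if URGENCY.search(sms):
        reasons.append("urgency")
    if ASKS.search(sms):
        reasons.append("asks for payment or details")
    for host in hosts:
        if not any(belongs_to(host, d) for d in BRANDS.values()):
            reasons.append("untrusted link: " + host)
        if re.fullmatch(r"[0-9.]+", host) or "xn--" in host:
            reasons.append("raw IP or punycode host")
    for brand, domain in BRANDS.items():
        if brand in sms.lower() and hosts and not any(belongs_to(h, domain) for h in hosts):
            reasons.append("names '%s' but links elsewhere" % brand)
    return reasons


if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms) or "no indicators", "<-", sms[:40])
```

The first sample shows why the domain comparison matters: the real brand domain appears at the start of the hostname, but the link still leads somewhere else.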

Create clear cybersecurity policies

If your staff aren’t aware of what safe online behaviour looks like, they’re unlikely to adopt it. So, you need easy-to-follow cybersecurity policies to make it clear what safe and unsafe look like. 

Also, make sure they know where to find them. The most thorough cybersecurity policy in the world is useless if no one reads it. For more on why cybersecurity policies are so important and how CyberSmart can help, read this. 

Create a positive cybersecurity culture

Your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. Anything else risks security mistakes being swept under the rug, only to resurface ten times worse when they’re discovered later on.

So encourage your people to ask questions, report security issues and, most importantly, learn. There was never a truer cliche than ‘your people are your greatest cybersecurity asset’.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.


The State of UK SME cybersecurity

UK SMEs have faced a turbulent few years. The COVID-19 pandemic altered the way many of us work forever. The conflict between Russia and the international community has raised the spectre of cyber attacks on UK businesses. And cyber threats for SMEs continue to rise.

So with all these factors in play, how are the UK’s SMEs managing? Has the rise in remote working led to a change in cybersecurity practices? How often are SMEs facing cyber threats? Most importantly, what can they do to better protect themselves?

To answer some of these questions, Gartner-owned Software Advice – a company that provides advisory services, research, and user reviews on software applications – surveyed 500 managers at UK SMEs.

And we’ve teamed up with Software Advice to bring you the results. 

What’s in the guide?

Using the data provided by Software Advice, we tackle:

  • How often SMEs are being attacked
  • The impact of COVID-19 on SME cybersecurity
  • The biggest threats facing SMEs
  • The consequences of a breach on SMEs
  • What SMEs are most worried about
  • How effective SMEs’ defences are
  • What SMEs can do to better protect themselves

And much, much more.

Where can you get a copy?

As this is such important data for the entire cybersecurity industry, we’re offering our guide free to anyone who finds it useful. All you need to do to get your copy is download it here or hit the button below.


What is a zero-day attack?


Provided you’ve read any cybersecurity story in the media recently, you’ve probably come across the phrase ‘zero-day attack’ before. It’s often dropped into reports by journalists with little explanation of what it means or why you should worry about it. So, in the interest of clearing up some confusion, here’s everything you need to know. 

What does ‘zero-day’ mean?

Usually, software companies and developers will periodically fix flaws in their products. However, there are some rare instances where this doesn’t happen and a flaw goes unnoticed.

The term ‘zero-day’ refers to those security vulnerabilities that fall through the cracks. It’s neat shorthand for developers having only just discovered the flaw and having limited time (zero days) to fix it.

A zero-day attack happens when the bad guys get there first and hackers exploit the flaw before the developers discover it. 

How do zero-day attacks work? 

All software, no matter how robust initially, develops vulnerabilities over time. It could be that the software was built with vulnerabilities that weren’t anticipated at the time or it might be that a new cyber threat has emerged since it was created.

Whatever the reason, the fix is usually simple. Developers create a patch, release it in an update to users, and the vulnerability is dealt with. Think of it as being a bit like your mum fixing your school trousers after you fell over in the playground for the umpteenth time.

Unfortunately, this doesn’t always happen and hackers get there first. And, as long as the vulnerability goes undetected, cybercriminals can write and implement code to exploit it. This could allow them to steal confidential data, launch social engineering attacks, or even release malware onto users’ computers.

This can go on for as long as the vulnerability remains undetected; sometimes days or even months. What’s more, even when the flaw has been fixed and an update released, it may take some time before every user updates their device. After all, an update is only as good as the number of users who download it. 

How do you know when a zero-day attack has happened?

A zero-day attack is particularly dangerous because the only people who know about it are the cybercriminals themselves. This allows them to pick their moment, either attacking instantly or biding their time.

Because vulnerabilities come in many shapes and sizes, from problems with password security to broken algorithms, they can be very hard to detect. Often, a business won’t know there’s anything wrong until the vulnerability has been identified.

Nevertheless, there are some telltale signs. You might see sudden surges in unexpected traffic, odd behaviour from software you’re using, or suspicious scanning activity. 

Are there any famous examples?

Incidents involving zero-day vulnerabilities are more common than you might think. Only days ago (early Feb 2022), it was revealed that three critical flaws in the code for a WordPress plugin threatened 30,000 websites worldwide. Fortunately, on this occasion, WordPress appear to have got there before the bad guys, but there are plenty of examples when businesses weren’t so lucky.

Zoom, 2020

In this instance, hackers found a vulnerability in the popular video conferencing platform Zoom. It allowed cybercriminals to remotely take over the computer of anyone using Zoom and running an older version of Windows.

Microsoft Word, 2017

In a horribly alarming twist, this attack used a vulnerability in Microsoft Word to steal users’ banking login data. Users who opened seemingly normal Microsoft Word documents unwittingly installed malware on their device that was able to collect banking login credentials.

Apple iOS, 2020

Apple is generally famous for its impregnable security (remember the old myth that Apple Macs couldn’t get viruses?). However, in 2020, hackers did discover a vulnerability in its iOS mobile operating system. This flaw allowed cybercriminals to remotely access and control unlucky users’ iPhones.

What can you do to protect your business?

Update your software regularly

The easiest way to protect your business against zero-day attacks is to regularly patch your software and operating systems. It shouldn’t take you more than a couple of minutes each month. All it requires is that you check now and then for any new updates to tools and software you use. Or, if you want an even easier solution, simply turn on auto-updates in your device’s settings, and you won’t even have to think about it.

Use a firewall and anti-malware

Firewalls and anti-malware tools are the first line of defence for most cybersecurity threats and zero-day attacks are no different. Good firewalls and anti-malware can thwart some zero-day attacks the minute they enter your system. 

Limit the number of applications you use

Most businesses already do this to some extent; software costs money, after all. However, when it comes to protecting your business against zero-day threats, a simple maxim applies: the less software you have, the smaller the number of potential vulnerabilities. So try to use only the software and tools your business really needs.

Educate your team 

Most zero-day attacks capitalise on human error in some way. So educating your employees on good security practices and habits can help reduce the risk of a successful zero-day attack. For more on how to go about this, check out our blog on security training.

Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do? CyberSmart Active Protect secures your business around the clock with no need for costly consultants, tools or an in-house team. Try it today.


What is multi-factor authentication?


When you sign in to an online account, you’re asked to prove your identity (a process we call authentication in the cyber world). Usually, you’ll do so via a username and password. The trouble is, it’s not a very safe way to do it. Usernames can be guessed and many of us use the same, simple passwords for everything.  

So it’s been clear for some time we need something better. Enter multi-factor authentication (MFA). But what is it? And why should you use it?

What is multi-factor authentication?

MFA is an authentication method that requires you to provide two or more verification methods to sign into an application. Instead of just asking for your username and password, MFA adds some extras, like a randomly generated pin code sent by SMS, a thumbprint, or a piece of memorable information known only to the user. 

You’ve probably already experienced this if you used online banking or signed into a Google account recently. In fact, it’s well on the way to being commonplace for most applications.

The idea behind MFA is very simple. The more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and maybe some cameras for good measure to keep the bad guys out. 

Why does your business need it?

Again, the why is delightfully simple. Using MFA can dramatically reduce the chances of a successful cyberattack on your business. 

Passwords and user credentials are important, but they’re vulnerable to brute-force attacks and can be stolen by hackers. In contrast, an MFA method like a thumbprint or one-time PIN is very difficult for even the most dedicated cybercriminal to crack. 

On top of the obvious security benefits, you’ll also need some form of MFA to complete Cyber Essentials certification. Under the new requirements, MFA should always be used for accounts that connect to cloud services. 

What types of multi-factor authentication are there? 

Broadly speaking, there are three neat categories of MFA:

  • Information you know, such as a password, security question, or PIN
  • Objects you possess, such as a smartphone – this is where one-time PINs come in
  • Things you are: think biometrics like thumbprints or voice recognition

2FA or MFA? 

At this point, you could be forgiven for wondering whether using MFA is overkill. After all, you probably already use two-factor authentication (2FA) for things like your business banking or office suite (Microsoft 365 or Google Workspace). Do you need the extra authentication factors? 

Remember the old maxim, beloved by school teachers and parents, ‘it’s better to be safe than sorry’? Well, it really does apply when it comes to cybersecurity. 2FA is hard for cybercriminals to crack and it’s far safer than using just a password. However, it’s a no-brainer to make the risk even smaller by adding extra layers of authentication. The harder it is for cybercriminals to breach your business, the less likely they are to succeed. 
