Everything you need to know about the Cyber Essentials price change


From Monday 24th January, the price of Cyber Essentials is changing. Here’s everything you need to know about what it means for your business.

What’s changing? 

For the first time since its creation seven years ago, the National Cyber Security Centre (NCSC) and certification body IASME have announced changes to the price of Cyber Essentials certification.

The change, which goes through on Monday 24th January 2022, includes several additions to the Cyber Essentials question set.

Why is the price of Cyber Essentials increasing? 

The world has changed dramatically since Cyber Essentials was launched seven years ago. Cloud services are now widely used, digital transformation has really taken hold and, of course, many of us are now doing some form of remote or hybrid working.

So, to help businesses better tackle these challenges, IASME and the NCSC have updated the requirements of Cyber Essentials certification. The update includes new requirements for:

  • Cloud services
  • Multi-factor authentication
  • Password management 
  • Security updates
  • Working from home

We’ve outlined all of the most important changes below.


These changes add an extra layer of complexity to certification, particularly for larger organisations. And the new pricing reflects the rigour involved in assessing bigger businesses.

What does this mean for you? 

First, it’s important to state that Cyber Essentials remains one of the best-value things a business can do to improve its cybersecurity. In fact, with the inclusion of the new requirements, Cyber Essentials offers better protection to SMEs than ever before.

In other words, the new look Cyber Essentials gives you more for your money while still remaining affordable for any business.

How is CyberSmart approaching the changes?

Up until 7th March 2022, we will continue to offer Cyber Essentials to all our customers and partners for the same price as before.

In other news, after listening to feedback from our customers, we’re also launching our new CyberSmart bundles, containing the CyberSmart Dashboard, CyberSmart Active Protect and Cyber Essentials certification in one neat package.

These bundles contain everything your business needs to improve its cybersecurity and stay secure long after certification. To find out more, please get in touch at hello@cybersmart.co.uk or click here.


What is a DDoS attack?

The cybersecurity industry has long had a reputation for impenetrable jargon, be it tools, threats or solutions. So, in this blog, we’re demystifying another confusing term. What are ‘DDoS attacks’? Why should you be worried about them? And, most importantly of all, what can you do to stop them?

How does a DDoS attack work?

DDoS stands for Distributed Denial of Service. And it’s a very simple but potentially very disruptive premise. Cybercriminals pick a target, then flood its network with so much malicious traffic that it can’t operate as it usually would. The result is that legitimate traffic (such as shoppers or readers) grinds to a halt. 

You’ve probably seen this technique used before without necessarily putting a name to it. Google was hit with the largest attack on record in 2017. Meanwhile, Amazon Web Services fell foul of a gigantic attack in February 2020.

How common is this kind of attack? 

DDoS attacks are more common than you might think and they’re on the rise. 2020 saw a 151% increase in the frequency of attacks in comparison to 2019. And, to make matters worse, cybercriminals are increasingly targeting small businesses with this kind of attack. 

How much damage can a DDoS attack do? 

A DDoS attack is highly disruptive for any business. But for big corporates, it’s usually something they can swallow. After all, for a multi-billion dollar business, a few days’ lost revenue and some disgruntled customers don’t have to spell disaster.

However, for a small business, a DDoS attack can have serious consequences. A successful DDoS attack can take down entire websites and systems. This could mean lost revenue, breached data, reputational damage, dissatisfied customers, and a massive cleanup effort to get systems back up and running. In other words, a potentially critical situation for a small business with limited resources. 

What can you do to protect your business? 

We’ve painted a pretty scary picture so far. But that doesn’t mean small businesses are defenceless in the face of DDoS attacks. There’s plenty you can do to help your business avoid the worst-case scenario. 

Use a Web Application Firewall (WAF)

A WAF blocks suspicious traffic and prevents DDoS attacks from accessing your business’s servers. And, the best thing about a WAF is that it’s easy to customise for your business. For example, if you mostly do business in the UK, you could configure it to block all non-UK traffic. Or, you could take it a step further and blacklist traffic from markets renowned for attacks.

Of course, like all software, you need to ensure you’re patching regularly for it to be most effective. 

Learn to spot the signs

We’re always talking about the importance of security training for your staff and our advice is no different when it comes to preventing DDoS attacks. One of the key reasons that DDoS strikes are so hard to stop is so few people know how to recognise them – until it’s too late and business systems fail.

To give an example of what we mean, did you know a sudden surge in traffic – even for just a few minutes – could signal the start of an attack?

Even basic cybersecurity knowledge among staff about what the threats are, how to spot them, and what to do in the event of an attack, can help your business get a head start on cybercriminals.
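The “sudden surge in traffic” sign mentioned above can be turned into a simple automated check. The following Python script is an added example written for this page, not code from CyberSmart: it parses web-server access-log lines in the common “combined” format, counts requests per one-minute window, and raises an alert when a window exceeds a multiple of the recent baseline, listing the top source addresses so a defender can see whether the surge comes from a handful of clients. The log lines are constructed for the demo, and the thresholds (five minutes of baseline, a 5× factor, at least 50 requests) are assumptions to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format; only the client IP and timestamp are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts'} for a well-formed access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT)}


def bucket_by_window(entries, window_seconds=60):
    """Group requests into fixed windows: window start (epoch seconds) -> Counter of source IPs."""
    buckets = defaultdict(Counter)
    for e in entries:
        epoch = int(e["ts"].timestamp())
        buckets[epoch - (epoch % window_seconds)][e["ip"]] += 1
    return buckets


def detect_surges(buckets, baseline_windows=5, factor=5.0, min_requests=50):
    """Flag windows whose request count exceeds `factor` times the mean of the preceding
    `baseline_windows` windows (and at least `min_requests`, so quiet sites don't alert on noise)."""
    alerts = []
    ordered = sorted(buckets)
    for i, start in enumerate(ordered):
        history = ordered[max(0, i - baseline_windows):i]
        if not history:
            continue  # nothing to compare the first window against
        baseline = sum(sum(buckets[h].values()) for h in history) / len(history)
        total = sum(buckets[start].values())
        if total >= min_requests and total > factor * baseline:
            alerts.append({
                "window_start": start,
                "requests": total,
                "baseline": baseline,
                "top_sources": buckets[start].most_common(3),
            })
    return alerts


def surge_alerts_from_lines(lines):
    """Convenience wrapper: raw log lines in, list of surge alerts out (unparseable lines are skipped)."""
    entries = [e for e in (parse_line(l) for l in lines) if e is not None]
    return detect_surges(bucket_by_window(entries))


def build_sample_log():
    """Constructed sample: five quiet minutes (10 requests/min from ten clients), then one minute
    in which 200 requests arrive from just four addresses. Addresses are from documentation ranges."""
    lines = []
    for minute in range(5):
        for k in range(10):
            lines.append(
                f'203.0.113.{k + 1} - - [24/Nov/2021:12:0{minute}:{k * 6:02d} +0000] '
                f'"GET /products HTTP/1.1" 200 5120'
            )
    for i in range(200):
        lines.append(
            f'198.51.100.{(i % 4) + 1} - - [24/Nov/2021:12:05:{(i * 60) // 200:02d} +0000] '
            f'"GET / HTTP/1.1" 200 1024'
        )
    return lines


def run_demo():
    """Run the detector over the constructed log and return the alerts it produces."""
    return surge_alerts_from_lines(build_sample_log())


if __name__ == "__main__":
    for a in run_demo():
        when = datetime.utcfromtimestamp(a["window_start"]).strftime("%H:%M")
        print(f"{when}: {a['requests']} requests vs baseline {a['baseline']:.0f}; "
              f"top sources {a['top_sources']}")
```

On the constructed log the only flagged window is 12:05, with 200 requests against a baseline of 10 and four addresses accounting for all of them. In practice the same check runs on a rolling basis over the live log, and a surge spread evenly across thousands of addresses (as in a distributed attack) is the cue to engage upstream filtering rather than to block individual sources.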

For more on security training, read this

Be mindful of your supply chain

A huge proportion of cybersecurity attacks now begin in the supply chain. And, unfortunately, this includes DDoS attacks. Most SMEs are part of a supply chain and lack the security resources of larger partners, making them an enticing way for cybercriminals to attack more glittering prizes. 

These ‘attacks through the back door’ are becoming increasingly common. US retail giant Target was fined $18.5 million after a breach at its air conditioning partner led to the leak of millions of credit card details. 

So talk to your suppliers and partners about their cybersecurity practices and share experiences and advice. For those below you in the chain, this may mean asking for proof that their cybersecurity is in order. And for the bigger companies you service, this could mean agreeing to shared security practices and transparency in the event of a breach. 

Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do? CyberSmart Active Protect secures your business around the clock with no need for costly consultants, tools or an in-house team. Try it today.


5 ways to protect your business from cyber threats this holiday season


Black Friday, Cyber Monday, the January and Boxing Day sales. The busiest retail period of the year is almost upon us. But while the holiday season often brings with it bumper sales figures for retailers and bargains for consumers, it also comes with a heightened risk of cyber threats. 

For example, November 2020 saw an 80% increase in the number of common email phishing scams reported. Meanwhile, the UK’s National Cyber Security Centre (NCSC) has been gearing up for the period by releasing updated guidance for consumers on how to shop online safely.

However, what’s often less widely discussed is the impact this can have on small businesses. Even if your business has nothing to do with retail, you’re still at risk. Here’s why and what to do about it. 

What risks does the holiday season bring? 

Before we look at the risks themselves, it’s important to note that the festive season doesn’t necessarily mean more targeted attacks on SMEs themselves. 

However, who among us hasn’t done the odd bit of lunchtime shopping on company devices or personal devices used for work? And it’s this clandestine bargain hunting that poses the problem. It gives cybercriminals a route into your business. 

Phishing scams

Phishing scams are a year-round problem. But during major retail events like Black Friday, the chances of a successful attack grow exponentially. With so many of us frantically shopping around for the best deals, our ability to spot the telltale signs of a scam often diminishes as quickly as our bank balances. 

It’s a simple but potentially disastrous equation. If you’re in a bit of a rush, you’re not in the best frame of mind for considered judgements. And, if you’re already shopping, a fake email claiming to relate to what you’re doing online might not set off the alarm bells it normally would. 

Fake online retailers 

Black Friday often comes with a deluge of fake websites claiming to sell this year’s must-have products at bargain prices. Unfortunately, most of these are simply fronts for cybercriminals to acquire consumers’ data or launch attacks. Like phishing scams, these can be hard to spot in the hurly-burly of major retail events, making a successful attack much more likely. 

Outdated software 

Again, this is a problem 365 days of the year. But the festive season provides the perfect cover for hackers to test out the vulnerabilities of popular software. 

Firstly, because technical teams’ attention tends to be focused on ensuring apps can handle the sudden surge in demand rather than security. Secondly, because many consumers will suddenly be using apps they haven’t used or updated in months, often on devices with access to your business data. 

Public and home networks

You probably have decent network protection in your physical workplace, but do your staff working from home have the same? And does the cafe around the corner with the free WiFi that everyone uses?

Insecure public and home networks are a problem for the rest of the year too, but during busy retail periods, when people are much more likely to shop online, the risk is heightened. They give cybercriminals an unbelievably simple way to hack into any unsecured devices on the network. Once in, they’ll be able to get to any company assets accessible from that device.

Weak passwords 

You’ll hear us talking about the importance of strong passwords a lot. It’s the simplest thing you can change to improve your cybersecurity. However, passwords become doubly important in busy retail periods due to the amount of traffic on popular sites. It’s the perfect setting for cybercriminals to try out large-scale brute-force attacks and find out whose passwords aren’t strong enough. 

What can you do to protect your business? 

1. Educate your team about the risks

A huge proportion of successful cyber attacks stem from human error (95% according to some) so helping your team understand the risks is crucial to avoiding them.

You should approach this in two ways: immediate education and long-term training. In the short term, educate your people on the risks outlined in this piece. It doesn’t have to be more than a short email sent out before the festive season really kicks off.

However, a quick nudge to your staff to be mindful of the risks is no substitute for long-term behavioural change. For this, you need security training. How you approach this will largely depend on your business and the cybersecurity knowledge within it but, to get you started, we’ve put together a short blog on the subject. 

2. Patch your software

The importance of updating your software can’t be overstated. Without regular updates, you leave plenty of little holes in your software for cybercriminals to exploit. So, ensure everyone in your business is constantly installing updates and patches for the software on their devices – even if it’s an app or tool they rarely use. 

It’s a simple thing and won’t take you more than a few minutes each month. But, it can also work wonders for improving your cybersecurity. 

3. Provide staff with clear cybersecurity policies 

We say this a lot but it never gets any less true. If your people don’t know what security behaviours are expected of them at work, they’ll keep getting it wrong.

Clear, well-crafted company policies on cybersecurity and data protection can go a long way to removing confusion around the subject. And, most importantly, help diminish the risk of a successful attack. 

A good cybersecurity policy should outline what employees should or shouldn’t do, offer directions on best practices, and guidance for decision making. For more on how to build one, read this.

4. Practise good password hygiene

Like patching, this is a simple fix that can immediately improve your cybersecurity. So what does good password hygiene look like? Well, we recommend four steps:

  • Use complex passwords that make it difficult for cybercriminals to guess or brute force their way in. The NCSC’s ‘three random words’ is a great approach to this
  • Change passwords regularly
  • Set up different passwords for different accounts, tools and software. If you struggle with remembering them, consider using a secure password manager tool like LastPass or 1Password
  • Use two-factor authentication (2FA) wherever possible

And, once you’ve undertaken these four steps, roll it out to your business. Create a password policy and make sure everyone follows it.

5. Use a VPN 

Last, use a Virtual Private Network (VPN) for all remote work, even those trips to the local coffee shop. If your employees are using public networks or their home router, it’s likely to be far less secure than your office network. According to a report from BitSight, home office networks are 3.5 times more likely than corporate networks to be infected by malware.

A VPN can help you counter this by creating a secure connection to business systems and data, from wherever your staff choose to work. 

Want to know more about how to switch to hybrid or remote working safely? Download our guide, Cyber Safety in a New Era of Work here.


What is a social engineering attack?

We all know what a classic cyberattack looks like. It usually involves hackers with high levels of technical expertise and some form of a malicious tool like ransomware or malware. 

However, cybercriminals don’t always use the latest malware and cyberattacks don’t have to be highly technologically advanced. There’s a whole other class of threats that harness the most powerful weapon of all – our brains.

These cyberattacks are known as social engineering attacks. But how do they work? And how can your business protect itself? 

What is social engineering? 

The term social engineering covers a broad range of malicious activities. What ties them together is that they all use human interactions to achieve their sinister ends. Broadly speaking, all social engineering attacks use psychological manipulation to trick us into making security mistakes or giving away sensitive information.

For more on how cybercriminals do this, we highly recommend our blog on how the internet encourages cybercrime. 

What does a social engineering attack look like? 

Now we know what a social engineering attack is, let’s look at how they work in practice. Although there are potentially endless types of social engineering attacks, there are four general categories most fit under. 

1. Phishing 

You’ve almost certainly heard of phishing attacks. They’re by far the most common form of social engineering, but that doesn’t make them less dangerous.

Most phishing attacks seek to do three things:

  • Steal personal information such as names, addresses and banking details
  • Redirect victims to malicious websites that contain phishing landing pages or malware
  • Use threats, fear or a sense of urgency to manipulate the victim into acting quickly 

A lot of phishing attacks are poorly executed and easy to ignore. We’ve all had emails claiming to be from a well-known brand, only to notice the web address or logo is subtly wrong. However, plenty of phishing attacks do succeed.

For example, in May 2021 US fuel supplier Colonial Pipeline was subject to one of the largest ransomware attacks in history, triggering a fuel crisis in the process. It’s believed the attack began with a simple email phishing scam that managed to extract an employee password. 

So, even though they might be limited and often badly done, it’s unwise to underestimate the humble phishing scam. 

2. Piggybacking 

Also known as ‘tailgating’, piggybacking involves exactly what it sounds like (although not quite literally). In this type of attack, someone without the proper authentication follows a company employee into a restricted area. 

Here’s an example of how it might work:

  1. The attacker waits outside the company’s office, posing as a delivery driver or plumber.
  2. An employee enters using their keycard or other security accreditation.
  3. The attacker asks the employee to hold the door.
  4. They do, and suddenly the attacker has access to the building.

Once in, the attacker is one step closer to accessing confidential files, stealing company property, conducting corporate espionage, or physically attacking the business’s systems.

This might sound a bit ‘low-budget spy thriller’ but the danger is very real. And SMEs, who typically have fewer physical security checks in place, are particularly at risk.

3. Pretexting

Of all the four threat types on this list, pretexting is the hardest to counter. Why? Because it relies on plausibility. A good pretexting attack will create a fabricated, but completely reasonable, scenario to try and steal information from victims. 

A pretexting attack usually works something like this. The scammer poses as a supplier and claims to need information from the target to confirm their identity. They then pilfer this data and use it to steal company property, enter business systems, or launch a secondary attack. 

To give a real-world example, between 2013 and 2015 Facebook and Google were conned out of $100 million after falling for a fake invoice scam. A Lithuanian cybercriminal called Evaldas Rimasauskas realised both organisations used the infrastructure supplier Quanta Computer.

Sensing a vulnerability, he sent a series of fake multimillion-dollar invoices from Quanta Computer over two years. These invoices even included contracts and letters, apparently signed by the tech giants’ staff. 

The cybercriminal was eventually caught and Facebook and Google recovered some of the money. However, if two of the largest and most technologically advanced companies in the world can fall for such a simple scheme, so can anyone else. 

4. Quid pro quo 

Quid pro quo attacks promise a benefit in exchange for information. This benefit is usually some sort of service. 

For example, an attacker may call random phone extensions at a company, pretending to be returning a call from a technical support enquiry. Once they find someone who really has a problem, they pretend to help them but use it as an opportunity to plant malware or access important company data. 

What can you do to protect your business?

Education, education, education 

There’s a well-worn statistic that 95% of cybersecurity breaches are down to human error. But when it comes to social engineering attacks, that figure is much closer to 100%.

The best way to counter this is through security training. Training can help your employees recognise the tactics cybercriminals typically use such as impersonating a supplier, creating a sense of urgency, or offering bogus services. 

As we’ve said before, where many social engineering attacks fail is attention to detail – there’s usually something that isn’t quite right. And you can train your people to recognise these tells. Some examples include spelling mistakes, subtly different URLs, unsolicited communications and suspicious email attachments.

Create clear cybersecurity policies

If your people don’t know which behaviours are harmful, they can’t correct them. So, you need easy-to-follow cybersecurity policies to make it clear what behaviours are expected of them. On top of this, make sure everyone can find them. After all, there’s little point in an important policy document that spends its life languishing in a corner of the shared company drive. 

For more on why cybersecurity policies are so important and how CyberSmart can help, read this

Foster a positive cybersecurity culture 

If your business does fall foul of a social engineering attack, acting quickly could be the difference between a minor inconvenience and disaster. But for this to work, your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. 

All too often, security mistakes go unchecked and breaches become so much worse than they needed to be because staff are too afraid to report them. 

Check your cybersecurity measures

Alongside training your staff, it’s also worth checking (or implementing) your technological cybersecurity measures. These include firewalls, antivirus and anti-malware, patching and access management policies.

By having these measures in place and regularly checking them, you should be able to limit the number of attacks that ever reach your staff. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


How Cyber Essentials certification can help you win new business


Cyber Essentials certification has numerous benefits. You probably know all about the headline ones, such as protection from 98.5% of cyber threats and peace of mind that your staff are working safely. 

However, there’s another advantage to certification that’s discussed less frequently. Cyber Essentials certification can also help your company win new business. How? We’ve enlisted a few of our clients to explain in their own words. 

Government tenders 

Cyber Essentials (or Cyber Essentials Plus) certification is a mandatory requirement for funding in some parts of the NHS and education system (ESFA funding, for example). 

But Cyber Essentials also has another role to play. Certification is fast becoming a requirement to bid for many UK government tenders. And, getting certified can not only unlock new opportunities for your business but also make the whole process easier, as Kim-Lisa Gad, Governance, Risk and Compliance Manager at Vula Mobile, explains: 

“Certification has made the process of submitting tenders and business documentation much easier. The certification itself answers many of the questions we’re asked in potential business agreements.”

Building trust 

In an online economy teeming with potential risks, trust is often a prerequisite for doing business. After all, how can you know whether a new partner or supplier is following the cybersecurity best practices they claim to be?

You need proof. And this is where Cyber Essentials comes in. Cyber Essentials is a simple, cost-effective way to demonstrate your security credentials to potential customers and partners:

“Our customers, partners and prospects have really appreciated the additional assurance that certification provides. What’s more, their trust in how we manage our business and the services we provide has also increased.

We find once we’ve submitted our Cyber Essentials Plus certificate to other businesses, they’re generally satisfied and don’t require any further proof of our commitment to security. The certificate provides all the proof they need.”  Kim-Lisa Gad, Governance, Risk and Compliance Manager at Vula Mobile

“FNA works with some of the most important financial institutions in the world and handles highly sensitive data. As such, it is critical to them that they take every precaution to meet a high standard of cybersecurity.

Sometimes, you actually need to see that you can trust someone to trust them. With the help of CyberSmart’s app, FNA’s leadership team were provided with an efficient means of verifying that all their employees have met the basic security checks. Rather than having to manually assess every individual device, the CyberSmart software helps FNA run automatic audits in the background and sends alerts when individuals drop below certain standards. In a way, removing any ambiguity surrounding what employees may or may not have done and offering peace of mind.” Kimmo Soramaki, Founder and CEO of Financial Network Analytics

New business 

Lastly, Cyber Essentials certification can mark you out as a trustworthy business that takes security and data protection seriously. In a world where proof of cybersecurity credentials is increasingly important, this makes you an attractive proposition to prospective customers and partners. 

Ben Pook, Director of Play Verto, explains how getting certified has helped his business: 

“The impact of not having the right security measures in place is massive. Our customers and partners rely on us to keep their data secure. CyberSmart offers an additional service that is critical in giving both ourselves, as well as our customers, peace of mind.

When we take on a new client, they want to understand how we collect data, how we store it, where it is stored, which servers we are using etc. With CyberSmart, all of that information is in one place and easily accessible. What’s more, the certificates themselves are a demonstration that we take security seriously in the eyes of our customers.” Ben Pook, Director of Play Verto

So there you have it. Not only can Cyber Essentials dramatically improve your business’s cybersecurity, but it’s also a great way to gain an edge over competitors and open up new avenues of opportunity. And, at CyberSmart, we can get you certified in as little as 24 hours. Click here to find out more.


Why security training is the key to improving your cybersecurity


When you think about tools for improving your organisation’s cybersecurity, it’s likely things such as anti-virus software, firewalls and encryption that immediately spring to mind. And, if it appears at all, security training is probably some way down the list.

However, security training is one of the most effective ways to protect your business against cyber threats. Here’s everything you need to know. 

Why is training so important? 

According to research, 90% of cyber breaches can be put down to human error. Or, in simpler terms, if your employees aren’t aware of what cyber threats look like, they’re much more likely to fall foul of them. 

The best way to beat this is through training. Training can help your people better recognise and understand the threats they face. And, more importantly, learn how to counter them. 


What does effective security training look like? 

Firstly, there’s no such thing as one-size-fits-all security training. Well, at least not if you want it to be effective. The sort of training your business requires will depend on your staff and their knowledge gaps. 

For some businesses, this means starting with the basics. Meanwhile, in others, training addressing specific weak spots in employee knowledge will prove the best route. To read more on tailoring security training to your business, check out this excellent piece from our UX Researcher Anete.

Whichever approach you choose, remember there’s such a thing as too much information. Learning about cybersecurity (especially for the first time) can feel overwhelming. 

There is a multitude of different threats and concepts to learn. So keep it simple. Your employees don’t need to know everything or become cybersecurity experts overnight. They just need the information that’s most relevant to your industry or business. 

Training should follow the little and often approach. Little, because no one learns best by bombardment. Often, so that your people get into the habit of thinking about cybersecurity regularly. 

Think short, sharp exercises that fit into a lunch break or the time between meetings. It’s important that the training doesn’t impact staff’s core work or become a chore they quickly disengage from. 

And, finally, make it engaging. Include a mix of text, videos and interactive tasks in your training. After all, few of us learn best when the method is boring or feels like a slog.  

How do you get started? 

By this point, you’re hopefully convinced by the merits of security training. You may even have a good idea of which knowledge gaps you need to address within your business. But where do you start?  

At CyberSmart, we’ve noticed a gap in the market for engaging, jargon-free training to help build cybersecurity awareness within SMEs. So, we’ve created CyberSmart Academy. CyberSmart Academy is a simple, do-it-yourself approach to security training. And it’s available to anyone who uses CyberSmart Active Protect. 

Through a series of bite-sized modules, CyberSmart Academy helps your people sharpen their knowledge of cyber threats and develop the skills needed to avoid them. Through videos, articles and interactive quizzes, your staff will quickly boost their knowledge. And, with each module designed to fit into a lunch break, it won’t impact their work or bore them to death. 

We’ve even included a little healthy competition into the process. Once training is complete, staff enter into a company-wide league table, so they can see how they perform against their peers. 

CyberSmart Academy is set to launch in just a few weeks, but if you’d like to know more get in touch, we’re happy to answer any questions.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Press release: CyberSmart disrupts SME cybersecurity with $10 million Series A funding


CyberSmart, UK leader in simple and accessible automated cybersecurity technology for SMEs, has today announced the completion of a successful over-subscribed Series A funding round, bringing the total raised to over $10 million. Alongside deeptech fund IQ Capital and with the additional support of InsurTech specialist Eos Venture Partners and data science-focused Winton Ventures, CyberSmart is set to further disrupt the cybersecurity market. The funding will be used to enhance the product’s capabilities further, invest in channel partnerships and scale across the UK and beyond, playing a fundamental part in the company’s long-term goal to protect and empower SMEs globally.

The company drives value for customers and partners through its ‘golden triangle’ approach; supporting SMEs in protecting their data, assuring their security posture and providing tailored and affordable insurance coverage. CyberSmart’s intuitive online platform automatically and continuously assesses personal and company devices in real-time, alerting users when security and compliance standards have not been met. SMEs benefit from 24/7 monitoring and protection, government-grade assurance via Cyber Essentials certification and ongoing support with training, compliance, policies and procedures.

CyberSmart is collaborating with a number of insurance companies and strategic corporate partners across Europe, including Aviva and Starling, to ensure SMEs are protected and covered, whilst benefiting from reduced insurance premiums and policy excesses.


It is this comprehensive approach to cybersecurity and a focus on accessibility, both in terms of cost and functionality, that distinguishes CyberSmart from the crowd. This has driven an influx of capital and a wide variety of enthusiastic investors, with many current investors and angels doubling down on their commitment to the company.

“The amount of support we have received thus far is humbling, and just goes to show the gap there is in the market for our offering. Cybersecurity solutions are often tailored to large enterprises with extensive teams and resources, whilst SMEs are left behind. With the help of our investors, we are challenging this mentality,” said Jamie Akhtar, CEO and co-founder of CyberSmart. “Staying true to our mission of empowering SMEs to tackle cybersecurity is paramount. As such, despite the overwhelming interest we received from investors, we have been selective in determining who comes aboard as we define this new category for ourselves.”

“We are very excited to partner with Jamie and the brilliant team at CyberSmart. We’ve been impressed by the scalability of the technology, which is helping a fast-growing number of SMEs build their digital presence while staying secure,” said Antoine Pechin, Vice President of Winton Ventures. “We also think that CyberSmart can play a key role in developing the SME cyber insurance space.”


“Cyber risks, particularly ransomware and malware attacks, are an ever-increasing threat to small businesses globally, with many SMEs facing a protection gap and lacking the knowledge, expertise, insurance coverage, and access to tools and resources to help protect their organisations,” said Carl Bauer-Schlichtegroll of Eos Venture Partners. “The CyberSmart platform is a complete solution to easily support and protect businesses, demonstrated by strong early traction with thousands of customers and large corporate partners already leveraging the platform. We are excited to partner with this exceptional team and co-investors, and look forward to working with the Company to build on their achievements to date, further cementing their position as a leader in the cybersecurity sector.”

“IQ Capital has supported CyberSmart since their seed round and we are tremendously proud of CyberSmart’s rapid growth within the underserved SME cyber protection market,” said Kerry Baldwin, Managing Partner at IQ Capital. “We are pleased to continue working closely and to support the team on their growth and international expansion alongside the new investors.”


Servers and Cyber Essentials explained


Just about every business uses a server, but most of us only have a fuzzy idea of what they actually do. And it’s easy to assume that it’s too technical or complex for us non-techy types to understand. 

In reality, servers are pretty simple, and they’re a key part of your IT infrastructure as well as having a role to play in Cyber Essentials certification.

Here’s everything you need to know. 

What is a server? 

When most of us think of servers, we think of huge data centres covering thousands of acres. However, most businesses have a server, and it’s often of a much more modest scale.

Any computer using the right software can be a server. Essentially, all a server does is collect and distribute information across a network. The network could be local, say within your office, or a wider network across many locations, like the internet.

For more on the different types of networks and how they work, check out our recent blog on the subject. 

How does a server work? 

Whether it’s searching Google or pulling up a file at work, you probably access servers thousands of times each day.

Taking the internet as an example, the process works something like this: 

  1. You enter a URL into your web browser
  2. The browser builds a request for the data of the site you’ve asked it to display
  3. That request is sent across the network to the web server
  4. The web server finds all the data needed to display the site and sends it back
  5. The site you’ve requested appears in your browser

And that’s it. The whole process shouldn’t take more than a few seconds, depending on your internet speed. 
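The exchange above, run end to end on your own machine, as an added example that is not part of the original article: a tiny web server that only knows one page, and a client that plays the browser’s part. The page content, the path and the loopback address are constructed for the example; the server answers 200 for the page it holds and 404 for anything else, which is the “finds the data and sends it back” step made concrete.

```python
"""Minimal HTTP request/response exchange on localhost (added example)."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

# Constructed sample "site": the only path this server will ever serve.
PAGES = {"/": b"<html><body>Hello from the server</body></html>"}


class SiteHandler(BaseHTTPRequestHandler):
    """Step 4: look up the requested data and send it back (or say it is missing)."""

    def do_GET(self):
        body = PAGES.get(self.path)
        if body is None:
            # Unknown path: answer 404 with no body rather than guessing.
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the example quiet; a real server would log every request.
        pass


def start_server():
    """Bind to an ephemeral port on loopback and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), SiteHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(url):
    """Steps 1-3 and 5: send the request and return (status, body)."""
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        # urlopen raises on 4xx/5xx; the status code is still the answer we want.
        return err.code, err.read()


def demo():
    """Run one good request and one for a missing page; return both results."""
    server, port = start_server()
    try:
        status, body = fetch(f"http://127.0.0.1:{port}/")
        missing_status, _ = fetch(f"http://127.0.0.1:{port}/does-not-exist")
    finally:
        server.shutdown()
        server.server_close()
    return {"status": status, "body": body, "missing_status": missing_status}


if __name__ == "__main__":
    print(demo())
```

The server serves only what is in its table and refuses the rest, which is the same default-deny habit you want from every service a business exposes.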

What is a virtual server? 

Servers are simple enough. But, things get a little more complicated when it comes to virtual servers. So, here’s the simplest explanation we could come up with.

A virtual server is a server whose underlying resources are shared amongst multiple users, each of whom has some control over their own portion. It’s usually located offsite from the organisation using it, typically in a data centre.

Think of it as a way of splitting a single, physical server into several smaller virtual servers, each of which can run its own operating system. The key advantage of this approach is cost saving. 

A virtual server is usually much more energy-efficient to run than a dedicated physical server and doesn’t require any upkeep by the businesses using it. And, you only pay for the server capacity your business actually uses – far more cost-effective than running an entire server and only using a fraction of its capability.

Servers and Cyber Essentials 

The Cyber Essentials certification questionnaire has several sections relating to servers, but what is it you need to do?

First, all servers, whether virtual or physical, need to be supported by the manufacturer. For example, Windows Server 2008 isn’t Cyber Essentials compliant because Microsoft stopped supporting it some time ago. This means its defences won’t have been updated to deal with new threats, making it vulnerable to attack. For more detail on the importance of updates, have a read of this.

For Cyber Essentials Plus, your servers only need to be tested by an auditor if they ‘touch’ the internet and a non-admin user can use them to browse. If you’re unsure of the difference between admin and non-admin users, never fear, we’ve put together a handy blog to help.

For both Cyber Essentials and Cyber Essentials Plus, you’ll also need to answer questions on who has access to your servers, the protections you have in place, and the software installed on your servers.
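The two server rules above (vendor support, and which servers fall into the Cyber Essentials Plus test) are easy to check mechanically if you keep a server inventory. Here is an added example of such a check; it is not CyberSmart’s or IASME’s code. The inventory is constructed, and the support-end dates in it are placeholders for illustration, not vendor lifecycle data: take the real dates from each vendor’s own lifecycle page.

```python
"""Flag unsupported servers and those in scope for a CE Plus test (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Server:
    name: str
    os: str
    support_ends: Optional[date]     # None = vendor has not announced an end date
    internet_facing: bool            # does it 'touch' the internet?
    standard_users_can_browse: bool  # can a non-admin user browse from it?


def is_supported(server: Server, today: date) -> bool:
    """Cyber Essentials requires vendor support; a past end date fails."""
    return server.support_ends is None or server.support_ends >= today


def needs_ce_plus_test(server: Server) -> bool:
    """CE Plus audits a server only if it is internet-facing AND standard users can browse on it."""
    return server.internet_facing and server.standard_users_can_browse


def review(inventory: List[Server], today: date) -> dict:
    """Return the server names that fail support and those the auditor must test."""
    return {
        "unsupported": [s.name for s in inventory if not is_supported(s, today)],
        "ce_plus_test": [s.name for s in inventory if needs_ce_plus_test(s)],
    }


# Constructed sample inventory. Dates are illustrative placeholders, not vendor data.
SAMPLE_INVENTORY = [
    Server("file01", "Windows Server 2008", date(2020, 1, 14), False, False),
    Server("web01", "Ubuntu 20.04 LTS", date(2025, 4, 30), True, False),
    Server("rds01", "Windows Server 2019", date(2029, 1, 9), True, True),
    Server("vm-dev", "Debian 11", None, False, True),
]

if __name__ == "__main__":
    print(review(SAMPLE_INVENTORY, date(2022, 1, 24)))
```

Run against the sample as of 24 January 2022, file01 fails the support check and only rds01 is both internet-facing and browsable by standard users, so it is the one server an assessor would test under CE Plus; web01 is internet-facing but nobody browses from it, and vm-dev is browsable but internal.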

And that’s all there is to know about servers; a complex technology with a very simple job. Hopefully this blog has armed you with all the knowledge you need, but if you have any questions please get in touch, our team are always happy to help.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


What’s the difference between users and admin users?


User permissions aren’t normally something we associate with cybersecurity. In part because it isn’t quite as sexy as talking about the latest ransomware attack, but also because of simple confusion.

So, to help you understand how it can affect your cybersecurity, we’re delving into the world of user permissions. What are standard and admin users? What are the differences between them? And how are they relevant to Cyber Essentials certification?

What is a user?

A user account is an identity created for a person in a computer or computing system. When you sign up for an online groceries account, that’s creating a user. Likewise, when you first purchased the device you’re reading this on, you likely set yourself up as a user.

But user accounts don’t have to be created for real, living breathing humans. It’s also possible to create accounts for machines. For example, service accounts for running programs, system accounts for storing system files and processes, and admin accounts for system administration.

What is an admin user?

Administrator accounts are created to carry out tasks that require special permissions. You wouldn’t want just anyone in your organisation to be able to install software or access certain confidential files, so setting up admin users allows you to control who can do what. 

These administrator accounts should be regularly audited, including password changes and regular confirmation of the right people’s access.

What’s the difference between admin accounts and standard accounts?

Simply put, admin accounts are the most powerful type of user. They have the power to do just about anything on a device. For context, think about the person in IT whom you need to ask to perform tasks like setting up new software. Every device or system will have at least one admin user somewhere.

Standard user accounts are much more limited. Just how limited often depends on the type of operating system you use. But, as a rule of thumb, standard accounts can’t typically install new software or access system-critical files. Usually, they can access the files they need for day-to-day work but are prohibited from making serious or permanent changes to their device. 

It’s also important to note that standard accounts are much easier to control than admin users. With user controls, administrators can place much more severe restrictions on accounts – everything from blocking access to certain applications and websites to setting a daily time limit. 

Although using a standard user account can appear limiting, it does provide security benefits that can protect you in the event of a breach. 

Why are standard accounts more secure than admin accounts?

At first glance, the choice between a user and an admin account might seem like a simple one. After all, who doesn’t want the power to change anything they see fit?

However, admin accounts do come with an added security risk. Due to the permissions granted to admin users, if malware is installed on your system, an attacker has the power to do virtually anything they want to. In essence, the more permissions your account has, the more damage a cybercriminal can do should they gain access.

On the other hand, standard accounts offer much less flexibility but greater security. Malware installed under a standard user account is less likely to do serious damage. The hacker won’t be able to make system-level changes or access files other than the user’s own. So when it comes to cybersecurity, having a ‘lower level’ account can work in your favour. 

Why is it important for administrators to have a standard account? 

While it’s inevitable there will always be a need for admin accounts in your business, it matters what those accounts are used for. Using an admin account for day-to-day activities like checking your email or browsing the internet dramatically increases the risk of being breached. 

When penetration testers are attempting to compromise a system, they are looking to “gain admin.” And the same principle applies to cybercriminals, who also look to gain admin rights to a system or, better still, a network.

Allowing a systems administrator – especially one with domain administrator privileges – to access the internet via their admin account presents an easy target for hackers using phishing or impersonation attacks. To counter, consider giving your admin users safer standard accounts for their day-to-day duties. 

How do user permissions relate to Cyber Essentials? 

User accounts are covered in the Cyber Essentials questionnaire and there are two sections you’ll need to answer. 

User accounts 

The questions in this section deal with how user accounts are created, who approves the creation, and the processes you have in place for when people leave the organisation or switch roles. They apply to any servers, laptops, tablets or mobile phones used in your business.

Cyber Essentials describes best practice for user accounts as: 

It is important to only give users access to all the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with email whilst logged on as a user with administrator privileges which allow significant changes to the way your computer systems work.

Admin accounts 

The questions in this part of the assessment tackle your processes for choosing and setting up admin users and how regularly access to privileged accounts is audited. Once again, this applies to all servers and devices used in your organisation.

How should you set up user permissions in your business? 

Although every business has different requirements, there are some best practices we recommend you follow.

1. For SMEs, we recommend that no more than two people in your business have access to domain admin accounts for whatever software package you use – for example, Microsoft Office 365 or Google Suite.

2. You should regularly audit who has access to these accounts. In the hustle and bustle of daily business, it’s very easy for user permissions to slip and admin accounts to be used by unauthorised staff. 

3. Put in place policies and, if necessary, training to ensure that administrators don’t access the internet or their emails using admin accounts. 

4. Use two-factor authentication (2FA) or multi-factor authentication (MFA) on both admin and standard user accounts. This adds an extra layer of security for cybercriminals to breach in an attempted attack.
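The four recommendations above, together with the leavers-and-role-changes point from the user accounts section, can be turned into a routine audit over an exported account list. Below is an added example of such an audit, written for this article and not taken from any product or from the Cyber Essentials scheme itself. The account list, the ‘two admins’ threshold and the list of day-to-day tasks are constructed and assumed; the issue codes are ours.

```python
"""Audit a constructed account list against the admin/standard-user practices above (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# Assumed threshold from the article's first recommendation (two domain admins at most).
MAX_ADMIN_ACCOUNTS = 2
# Day-to-day tasks that should never be done while logged on as an admin.
DAILY_TASKS = frozenset({"email", "browsing", "invoicing"})


@dataclass
class Account:
    username: str
    owner: str                    # the person the account belongs to
    is_admin: bool                # holds admin / domain admin privileges
    mfa_enabled: bool
    active: bool = True
    used_for: FrozenSet[str] = frozenset()   # observed day-to-day use


def audit(accounts: List[Account], leavers: Set[str]) -> List[Tuple[str, str]]:
    """Return (account, issue) pairs; an empty list means every check passed."""
    findings = []
    active = [a for a in accounts if a.active]
    admins = [a for a in active if a.is_admin]

    # 1. No more than MAX_ADMIN_ACCOUNTS people hold admin rights.
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(("*", "too_many_admin_accounts"))

    # 3. Every admin has a separate standard account and keeps daily tasks off the admin one.
    owners_with_standard = {a.owner for a in active if not a.is_admin}
    for a in admins:
        if a.owner not in owners_with_standard:
            findings.append((a.username, "admin_without_standard_account"))
        if a.used_for & DAILY_TASKS:
            findings.append((a.username, "admin_used_for_daily_tasks"))

    # 4. MFA on every active account; 2. leavers must not keep live accounts.
    for a in active:
        if not a.mfa_enabled:
            findings.append((a.username, "mfa_disabled"))
        if a.owner in leavers:
            findings.append((a.username, "leaver_still_active"))
    return findings


# Constructed sample: a small company with three admin accounts and two leavers.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", False, True),
    Account("alice-admin", "alice", True, True, used_for=frozenset({"email"})),
    Account("bob-admin", "bob", True, False),          # no standard account, no MFA
    Account("carol", "carol", False, True),            # carol has left
    Account("dave", "dave", False, True),
    Account("dave-admin", "dave", True, True),
    Account("erin", "erin", False, True, active=False),  # already disabled: fine
]
SAMPLE_LEAVERS = {"carol", "erin"}

if __name__ == "__main__":
    for account, issue in audit(SAMPLE_ACCOUNTS, SAMPLE_LEAVERS):
        print(f"{account}: {issue}")
```

On the sample, the audit reports five issues: three admins is one too many, alice’s admin account is being used for email, bob has no standard account and no MFA, and carol’s account is still live after she left. Erin’s account is already disabled, so it correctly raises nothing.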

What about staff working remotely? 

Things do become slightly trickier in our current working environment, with many businesses working remotely. In many cases, staff working from home will need a local admin account for their device.  It’s often more practical for employees to be able to install software or make changes to their machine, rather than asking your IT team to do it remotely. 

Nevertheless, most of the recommendations above still apply. Your people still need to be educated on the importance of using standard accounts for daily work and using MFA. 

That’s all there is to user permissions. Setting up user and admin accounts safely is a simple change, but one that can instantly improve your cybersecurity. Hopefully, this article has helped you better understand how they work and some best practices for keeping your business safe. But, if you have any questions, please get in touch, our team is always on hand to help. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.


Everything you need to know about firewalls


Firewalls can appear complicated at first glance. However, in reality, they’re easy to set up and offer an important defence against cyber threats. So, to help you better understand firewalls and how to protect your business, here’s everything you need to know. 

What is a firewall? 

A ‘firewall’ is a tool that protects your home or office systems from malicious traffic on the internet. 

Think of it as a well-armed bouncer, checking anything that enters your network for threats. It creates a barrier between a ‘trusted network’ (such as your office) and an ‘untrusted network’, like the internet. 

Firewalls keep your devices operating reliably. But they also protect you from a variety of threats, such as DoS (Denial of Service) and malicious packet attacks.

Most modern devices contain a firewall of some kind. You’ll find one built into your laptop and internet router, although, crucially not on most smartphones. Many businesses also set up a separate hardware firewall in addition to the one built into devices for an extra layer of security. 

Where does the term ‘firewall’ come from? 

The term ‘firewall’ has an interesting history (no, really). It originally referred to a wall built to contain a fire between adjacent buildings. Later, it was used to describe the metal sheet that separates the engine compartment from passengers on an aeroplane.

It wasn’t until the 1980s that ‘firewall’ first became synonymous with the internet. The term appeared in the 1983 computer-hacking movie WarGames to describe the act of filtering data coming through routers and possibly inspired its later use.

How does a firewall work?

Firewalls analyse all incoming traffic based on a set of pre-set rules. The rules are then used to filter out anything malicious or suspicious and prevent attacks. 

The slightly more technical explanation is that firewalls filter traffic at a computer’s entry points or ‘ports’. These ports are where information is exchanged with external devices. For example, a rule might look something like this:

“Source address 172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22.”

A great analogy for understanding this is to think of an IP address (the unique number that identifies your device) as a house and port numbers as rooms within the house. Only trusted people (IP addresses) are allowed to enter the house at all. Then, once in the house, trusted people are only allowed to access certain rooms (destination ports). 

It’s much like hosting a party at your house, in that you’d probably keep some rooms off-limits. Perhaps some rooms could pose a threat to children, or maybe you just like your privacy; either way, the same basic principle applies to firewalls. Trusted devices are only allowed access to certain places.

Why are firewalls important? 

Simply put, firewalls are a vital first line of defence. To return to our bouncer analogy from earlier, without a doorman anyone can enter the building. Without a firewall, anyone can get into your business.

It’s not difficult for even a relatively unsophisticated cybercriminal to probe your organisation’s devices in an attempt to break into your systems. Without a properly configured firewall, they’re much more likely to succeed. 

What’s more, the consequences can be disastrous. Not only will hackers gain access to your data and potentially leak it or use it maliciously, but the financial hit can also be severe. According to insurer Hiscox, the average cost of a breach for an SME is £11,000, and that’s before we even consider reputational damage or fines from regulators. 

A properly configured, maintained and monitored firewall will go a long way towards protecting your business. 

But what do we mean by ‘properly’ configured? Well, for your firewall to work optimally, you need to ensure it has the power to manage normal and encrypted internet traffic without slowing down your devices or compromising security. A good IT support partner can help you do this or, alternatively, automated tools like CyberSmart can guide you through the process yourself. 

Firewalls and Cyber Essentials 

You might be reading this article because you’ve come across the firewalls section of the Cyber Essentials questionnaire. Or perhaps you’re considering completing Cyber Essentials certification for your business. 

Either way, the section of Cyber Essentials dealing with firewalls can appear confusing. But, in reality, it’s very simple. You’ll be asked which firewalls you have in place, whether they are password protected, and which ‘accessible services’ you allow through them.

The first two elements are self-explanatory. All you need do is list the firewalls you use and set up password protection for them if you don’t already have it (the questionnaire or one of our team will provide guidance on how to do this). However, ‘accessible services’ is a little more complicated. 

What does ‘accessible services’ mean? 

‘Accessible services’ are the services whose traffic is approved to pass through the firewall. In an office environment, your firewalls will usually be configured so that IT support can access anything they need to. However, most of us aren’t working in an office at the moment, and home routers are often set up to block all services by default.

Sadly, working from home doesn’t mean the end of all IT troubles, so your remote workers may wish to allow external access to their personal router. If this is the case, then it’s best practice to allow a single, static IP address through the firewall. That way, you can be sure your IT support team, and only the IT support team, has access. 
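Both the rule quoted in ‘How does a firewall work?’ and the single-static-IP advice just above are instances of one mechanism: a list of allow rules matched against a packet’s source, destination and port, with everything unmatched dropped. The toy packet filter below is an added example written for this article; it is not the configuration syntax of any real firewall or router. The rule format, the home-router address 192.168.1.1 and the IT support address 203.0.113.10 (a documentation-range placeholder) are assumptions.

```python
"""Toy packet filter: allow rules, default deny, and the resulting accessible services (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # source network in CIDR; a /32 is a single static IP
    dst: str              # destination network in CIDR
    port: Optional[int]   # None = any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Source and destination must fall inside the rule's networks; port must match if set."""
    return (
        ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and (rule.port is None or rule.port == pkt.port)
    )


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. Anything no rule mentions is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def accessible_services(rules: List[Rule]) -> List[Tuple[str, Optional[int]]]:
    """The (destination, port) pairs the ruleset lets through: what the questionnaire calls accessible services."""
    return sorted({(r.dst, r.port) for r in rules if r.action == "allow"},
                  key=lambda pair: (pair[0], pair[1] if pair[1] is not None else -1))


# The article's own rule: 172.18.1.1 may reach 172.18.2.1 over port 22, nothing else.
OFFICE_RULES = [Rule("172.18.1.1/32", "172.18.2.1/32", 22, "allow")]

# Home-router case from the article: only IT support's single static address may
# reach the router's management interface. Both addresses are constructed placeholders.
SUPPORT_IP = "203.0.113.10"
HOME_ROUTER_RULES = [Rule(f"{SUPPORT_IP}/32", "192.168.1.1/32", 443, "allow")]

if __name__ == "__main__":
    print(decide(OFFICE_RULES, Packet("172.18.1.1", "172.18.2.1", 22)))   # allow
    print(decide(OFFICE_RULES, Packet("172.18.1.1", "172.18.2.1", 23)))   # deny: wrong room
    print(decide(HOME_ROUTER_RULES, Packet("198.51.100.7", "192.168.1.1", 443)))  # deny: stranger
    print(accessible_services(HOME_ROUTER_RULES))
```

In the house analogy, the /32 source is the guest list and the port is the room: the trusted address gets into the house and into that one room, and a trusted address trying a different room, or an unknown address trying the right room, is turned away. The `accessible_services` list is exactly what you would write in the questionnaire for that firewall.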

And that’s all there is to firewalls. Hopefully, this has answered most of your questions but, if there’s anything else you’d like to know, please get in touch with one of our team.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
