How investing in cybersecurity can boost your success

There’s no doubt we live in a digital world, and most businesses realise the danger they face if they fail to get on board with the latest trends. After all, few companies, if any, lack an online presence. That means much of small businesses’ data is stored on hard drives in local computers and on servers in the cloud. Therefore, it’s time you took measures to ensure the integrity and security of your company’s data because, as most organisations are starting to realise, cybersecurity is the key to fast business growth in the digital era. How?

It helps you outsmart the competition 

Hackers are opportunists. The recent ransomware attacks we have seen plaguing national and international companies and institutions such as the NHS are a menace, with cybercriminals looking for any means possible to gain access to sensitive data. Considering that most companies have a digital presence, attacks are growing as hacking software becomes more sophisticated. As such, clients are increasingly looking for reassurance from the companies they do business with, meaning that offering robust cybersecurity is increasingly a way to outsmart the competition while safeguarding your data.

It makes threats less likely 

Most companies are turning to cloud technology because it has been deemed the most secure, and it enables collaboration on a global scale. In the cloud, companies can access their data from anywhere in the world and share it with key stakeholders. However, to realise the power of cloud technology, it’s essential to plan carefully and invest in professionals who can optimise the technology for the utmost security. Without these resources, your company is exposed to threats such as denial of service, data breaches, poorly managed remote identities, or insecure external applications, which can damage your company’s reputation and hamper its success.

It demonstrates compliance 

Following best practice and industry standards for cybersecurity is essential if your company is to be trusted by current and prospective clients, and if you are to hold a commanding position in your market. Failure to comply with modern cybersecurity and data privacy standards like Cyber Essentials and IASME GDPR Readiness doesn’t just place your business and your client data at risk, it also means you could be landed with a heavy penalty for any breaches that could stunt your company’s development. These regulations have been established to protect and prolong the existence of SMEs like yours, as well as their stakeholders, so remaining compliant is critical. 

Investing in cybersecurity is essential to the growth of your business. By neglecting it, you not only hinder the development of your company but also place it at risk of irreparable damage. 

What’s more, investing in cybersecurity now can give your company the leverage it needs to innovate for the future. 

Cyber Essentials: How to meet IT infrastructure requirements and get certified

IT infrastructure requirements

If you’re an SME looking to get Cyber Essentials accredited, a strong IT infrastructure, well-trained staff, and a thorough plan will help you to meet certification requirements.

Once you’ve met the requirements you’ll be:

Before you start your application, it’s important to know exactly what’s expected of you and to prepare accordingly. In January this year, the Cyber Essentials requirements changed to better reflect current cybersecurity challenges. 

You can read the full documentation from NCSC, but this article covers what you need to know about the technical controls used to assess your application.

Cyber Essentials requirements for compliant IT infrastructure

There are five categories of criteria you need to meet. Working through each will help you on your way to safer, smarter, and more sustainable data management. 

The 5 Cyber Essentials categories are:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

1. Firewalls

Every device connecting to your network must have a boundary firewall. This will restrict the flow of network traffic and protect against cyber attacks. You must:

  • Have a strong administrative password and change it regularly
  • Have two-factor authentication or an IP whitelist to access admin controls
  • Block unauthenticated connections by default
  • Document and approve inbound connections
  • Be able to enable/disable functions
  • Use a software firewall to protect devices on untrusted networks like public Wi-Fi

2. Secure configuration

You must configure all computer and network devices to reduce vulnerabilities and restrict functionality to what each job role requires. To comply with Cyber Essentials, secure configuration has to go beyond out-of-the-box settings. You must be able to:

  • Change passwords 
  • Remove or deactivate user accounts
  • Remove unused or unnecessary software and applications 
  • Disable auto-run features that don’t need authorisation
  • Authenticate users before they access sensitive data
  • Introduce device locking controls for users on-site

The National Cyber Security Centre includes the following in their definition of a device. You’ll need to include all that apply to you in your preparation for the self-assessment.

  • Hosts
  • Networking equipment
  • Servers
  • Networks
  • Desktop computers
  • Laptop computers
  • Thin clients
  • Tablets
  • Physical and digital mobile phones

3. User access control

Businesses must have controls in place to manage user access to applications, devices, and sensitive business data. Employees should only have access to what they need. Administrator-level users must manage and monitor access.   

You must be able to:

  • Approve user account creation and remove or disable accounts
  • Authenticate users before granting additional access
  • Use multi-factor authentication for all cloud services and, where possible, for other services
  • Restrict use of administrative accounts 
  • Revoke or disable additional access privileges 

4. Malware protection

Anti-malware software protects against attacks on networks and users by restricting untrusted software from accessing sensitive data. 

Malware protection must allow you to:

  • Keep all software up to date and safe
  • Regularly scan to ensure the network is safe
  • Automatically scan browsers and online applications
  • Block and prevent connections to malicious websites
  • Whitelist applications following a full approval process

5. Security update management

Security update management helps to keep existing software up to date and reduces the business risk of security flaws or gaps in protection. You must:

  • Keep all software licensed and supported
  • Remove unsupported software from devices 
  • Enable automatic updates if possible
  • Update within 14 days of release where automatic updates are not available
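To make the security update management control concrete, here is an added example (not part of the original article and not CyberSmart’s or the NCSC’s tooling) that audits a constructed software inventory against the two checks above: unsupported software must be removed, and where a newer version exists it must be applied within 14 days of release. The package names, versions and dates are invented; the example assumes “within 14 days” includes the fourteenth day, and it reports updates that are still inside the window separately so you can see which will arrive automatically and which need manual action.

```python
"""Cyber Essentials security-update audit over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14  # "update within 14 days of release"; assumed inclusive


@dataclass(frozen=True)
class Package:
    name: str
    installed: str               # version currently installed on the device
    latest: str                  # latest version published by the vendor
    released: date               # release date of that latest version
    support_end: Optional[date]  # None = vendor support still ongoing
    auto_update: bool            # automatic updates enabled for this package


def assess(pkg: Package, today: date) -> list:
    """Return the update-management findings for one package (empty = compliant)."""
    findings = []
    if pkg.support_end is not None and pkg.support_end < today:
        # Unsupported software must be removed whatever version is installed.
        findings.append("unsupported")
    if pkg.installed != pkg.latest:
        days_since_release = (today - pkg.released).days
        if days_since_release > PATCH_WINDOW_DAYS:
            findings.append("overdue")          # outside the 14-day window
        elif pkg.auto_update:
            findings.append("pending-auto")     # inside the window, will self-apply
        else:
            findings.append("pending-manual")   # inside the window, needs a person
    return findings


def audit(inventory, today: date) -> dict:
    """Map package name -> findings, omitting compliant packages."""
    report = {}
    for pkg in inventory:
        findings = assess(pkg, today)
        if findings:
            report[pkg.name] = findings
    return report


# Constructed sample inventory (not real products or dates), audited as of 2024-03-01.
TODAY = date(2024, 3, 1)
INVENTORY = [
    Package("browser", "122.0", "122.0", date(2024, 2, 20), None, True),            # up to date
    Package("pdf-reader", "10.1", "10.2", date(2024, 2, 1), None, False),           # 29 days old
    Package("vpn-client", "3.4", "3.5", date(2024, 2, 16), None, False),            # exactly 14 days
    Package("office-suite", "2016", "2016", date(2015, 9, 22), date(2023, 6, 30), True),  # out of support
    Package("chat-app", "5.0", "5.1", date(2024, 2, 28), None, True),               # 2 days old
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

Run as a script it lists only the packages with findings; in practice you would feed it the output of your inventory or endpoint-management tool and treat any “overdue” or “unsupported” line as a blocker for the self-assessment.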

Improving your cybersecurity

You might feel ready to take the next step in your cybersecurity journey and complete the self-assessment to get certified. But if you’re just getting started or feel unsure, you’re not alone and support is available if you need it. You can partner with an expert who’ll show you how to prepare and help you pass first time.

When you’ve got a Cyber Essentials certification, you can strengthen your cybersecurity by applying for certifications like Cyber Essentials Plus or ISO 27001. The standards you should uphold all depend on the industry you operate in and what will protect and benefit your business and customers.

Discover which cybersecurity certification is right for your business in our certification guide.

Proactive IT Security Compliance vs Reactive cybersecurity firefighting

When it comes to cybersecurity, MSSPs traditionally provide two standard services: proactive or reactive. Some businesses prefer the reactive approach and require a fix for security issues only when they arise. For other businesses, horizon scanning and taking a more proactive approach fits their risk appetite and lets them stay one step ahead.

Being an MSSP, you have a responsibility to guide clients to the best approach for their business and one that matches their risk appetite. In this blog post, we look at the reasons why proactive compliance serves businesses better than reactive cybersecurity firefighting.

The Reactive vs. Proactive Approach

A reactive approach towards security embraces the philosophy of waiting until the security perimeter is breached and then acting to fix it. Under this approach an MSSP is typically responsible for cleaning up the mess after the security incident; that might work for other services, but with cybersecurity it may have business-crippling impacts.

Once a security incident has occurred, the damage has already been done. The loss of data and extended downtime of any systems has already caused financial, reputational or other losses to the client. Add the cost in time and effort to ‘fix’ the problem, together with the loss of productivity or revenue, and the picture does not make happy reading.

A proactive approach, on the other hand, is about anticipatory prevention measures and rapid notification that drives responsiveness. In this approach, the MSSP is responsible for helping the client address potential security risks before they can become problems.

Cyber attacks do not sleep, and the proactive approach to cybersecurity defensive measures is the best approach to leave little to no room for attackers to exploit the system. The earlier a problem area or attack vector is identified, the easier it is to fix or to close the door to a potential breach. A proactive approach is a great way to ensure clients’ infrastructure is protected 24/7. It requires continuous engagement with clients and involves the design and deployment of preemptive strategies, tools and techniques with an awareness of threat intelligence to prevent security issues from becoming a concern.   

Drawbacks of Reactive Cybersecurity

The reactive approach may save cost for clients initially, but in the long run, it increases the risks of:  

  • Increased costs. Once a breach has occurred, the financial impacts can be severe. GDPR data-breach fines are not insignificant to any business and the reputational damage costs could be even higher. For SMEs, these costs could be the difference between staying in business or having to close. And that is bad for the client and bad for the MSSP.
  • Inappropriate damage control tools. The reactive firefighting approach is not about protecting businesses for the future. Instead, it is about running a damage control campaign to counter the effects of an ongoing security incident. There is no clear direction to take and often no clear security baseline to revert to rapidly to regain business control. When the breach occurs, the business may well blame the MSSP for not taking care of security more adequately.
  • No clear resolution method. Unlike compliance, you never know what to expect with a reactive call from a client. The best method to resolve the issue may well vary according to the type of incident, the extent of the damage, and the size of the business. This makes it difficult to position pre-defined expertise or the resources necessary to deliver reactive services. This uncertainty adds cost to the MSSP’s business model that can be difficult to pass through to clients.

Proactive Cybersecurity Compliance

A proactive compliance approach has a number of benefits for MSSPs:

  • Reduced costs and recurring revenue. A data breach or ransomware attack can lead to substantial losses for a business. The financial losses may include damaged infrastructure, lost data, fines imposed by regulatory bodies, reputational damage and the cost of lost productivity. The risk of realising these costs can be mitigated through a proactive compliance approach. For MSSPs, the benefit is in offering clients a subscription-based compliance model. Since compliance is an ongoing process, your business can focus on building a recurring revenue stream based on a predictable financial model.
  • A well-defined approach. Compliance can be achieved through well-defined processes such as the one used by CyberSmart. A proactive compliance service can be effectively planned and priced by MSSPs. As a preemptive approach, you know exactly which resources and personnel you will need to dedicate to each client.
  • Avoid disruptions and build credibility. The ultimate goal of compliance is to prevent risks to clients that could disrupt their business. Offering proactive services to clients delivers ongoing protection against cyberattacks and offers longer-term client relationships built on trust.

Conclusion

Cyberattacks are evolving, the targets change frequently, and the risks and threats are not going to go away if we pretend they do not exist. Businesses should not sit back and wait to be breached; they should be encouraged to stay on the front foot and lower their risks.

For MSSPs, selling compliance that lowers the risk of cyber attack is a great opportunity in the ever-expanding, digitally connected marketplace. Being proactive has great commercial benefits for them and their clients. It can build recurring revenue streams and a sustainable reputation for MSSPs. For businesses, the benefits of a reduced risk profile are clear.

CyberSmart Active Protect provides everything your clients need to protect their businesses around the clock.  If you would like to learn more about how we can help you sell proactive security, feel free to reach out to us.

What is Cyber Essentials Plus?

If you’re a UK SME and part of a big supply chain or going for government tenders, you’re likely to be aware of the needs of Cyber Essentials. The original Cyber Essentials certification was designed to provide businesses with the basics of cyber safety and ethical business practices online; from managing firewalls and user accounts to appropriately protecting their business against malware and data theft. To remain compliant with modern UK business requirements, Cyber Essentials is – well, an essential.

But for businesses wanting to go beyond the basics and improve the safety and security of their business online, Cyber Essentials Plus is the answer. As one of the services we offer our clients, we deliver the Cyber Essentials Plus certification through IASME and know just how important achieving this higher ‘Plus’ standard can be to your business.

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

So what exactly is the difference between the two certifications? It all comes down to the use of an independent auditor. Cyber Essentials Plus still requires businesses to comply with the same five factors as the non-Plus model. Known as technical security controls, these include:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

In addition to these basic requirements, Cyber Essentials Plus goes a step further than the self-certification of Cyber Essentials and requires an independent assessment of the business’s internal security controls to achieve this higher-level certification.

Why an independent assessment?

Robust credibility is the driving reason why Cyber Essentials Plus uses independent assessment, as this ensures companies are indeed compliant with the requirements of the Cyber Essentials scheme. The additional step not only improves the security of the business but also authenticates the certification. Because an assessor verifies that you are compliant, the resulting certification is more trustworthy than an in-house, DIY version of the Cyber Essentials certificate.

Which form of certification is best for your business? If at all possible, upgrading from Cyber Essentials to a higher-level certification is the ideal choice for any company. Each assessment includes a vulnerability scan to ensure your business data and information is well protected. If you are genuinely committed to safer online and network practices, for your business and your clients, then investing in Cyber Essentials Plus certification could be your best move.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

GDPR compliance for SMEs: Key areas to consider

One crucial area of legislation for any SME dealing with customers in the EU is GDPR. This law came into effect in May 2018, which means businesses have now had a while to ensure ongoing compliance with it. With heavy fines imposed on any company found to be in breach of GDPR, it is certainly something your business should pay close attention to. As businesses are now held responsible for keeping safe the sensitive personal information they hold, you must ensure you do all you can to stay within the GDPR rules.

But what are the major things to think about here? 

Online security 

Top of the list for all businesses now is protecting themselves from online data breaches. This means that the cybersecurity measures your organisation has in place are key. If they are not robust enough and hackers breach your defences to steal sensitive data, you could well be held responsible. This makes investing in your cybersecurity arrangements essential so you have the required protection in place. It is also worth investing in training for staff around GDPR and online security. If they were to fall prey to an online scam which sees them hand over personal data to a hacker, this could also see your business held liable if you had not done enough to educate staff. 

Consent for data to be collected and stored 

Cybersecurity is one part of the GDPR regulations but what about the right your business has to collect and store data initially? This notion of consent is a huge factor within GDPR and something you must be able to show you have. Before any data is collected now, it is key to let people know what for and get their explicit consent to do so. The old days of gathering data to store without asking first or making people aware of why are long gone! 

The right of erasure 

Another major part of these laws is the right individuals have for their personal data to be removed from your systems or databases. This right to be forgotten is now open to EU citizens and must be actioned quickly by your company when they request it. This makes it essential to know where your data is stored so it can be accessed and deleted within the given timeframe. 

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

October is European Cybersecurity Month

As our dependence on online resources and internet-enabled devices grows, cybersecurity has never been more important. In the past, cybersecurity was focused on threats. Say, someone accessing your bank account and stealing money. But that’s changing fast as we become more aware of threats to our data. And it’s these challenges that are the theme of this edition of European Cybersecurity Month. 

European Cybersecurity Month 

European Cybersecurity Month (ECSM) is an annual event held every October. The aim of ECSM is to promote cybersecurity and improve society’s awareness of threats. To do this, ECSM provides education and resources throughout the month to help individuals and companies to improve their cybersecurity. As part of ECSM, over 370 events are being held across 34 countries. Similar events are held in other parts of the world too. For instance, America has National Cybersecurity Awareness Month and Canada has Cyber Security Awareness Month. 

ECSM themes 

The theme of this year’s ECSM is the same as previous years: “Cybersecurity is a shared responsibility”. To put it more simply,  cybersecurity requires input from governments, businesses, and individuals. Businesses need to create products with built-in privacy and security measures. Individuals need to secure their data. And governments need to continually update and pass new legislation – take the EU’s GDPR for example. 

Sub-themes 

ECSM is split into two sub-themes. The first, ‘Cyber Hygiene’, is very close to our heart and focuses on developing daily routines for cybersecurity. Think of it like brushing your teeth or hitting the gym before work. 

The second is ‘Emerging Technology’. This tackles how new technology can pose cybersecurity challenges. The aim is to educate individuals and businesses on the issue and, ultimately, suggest some ways to overcome it.

Should you get cybersecurity certification? 

All this talk about cybersecurity challenges has probably got you thinking. What about your own organisation? What can you do to improve cybersecurity, today? Well, a great place to start is Cyber Essentials certification. It’s a UK government scheme that covers all the essentials of cyber hygiene and provides a great base to work from.

Why SMEs should automate their cybersecurity solutions

The management of cybersecurity, especially in a growing business, can both be time-consuming and challenging. However, automating your cybersecurity requirements can effectively help your business handle threats, vulnerabilities and essential certifications. Let’s take a look at some of the benefits SMEs can derive from choosing cybersecurity software such as CyberSmart Active Protect.  

Cost savings 

Automating your cybersecurity requirements can reduce your IT costs, which are usually high when handled internally by an individual. The costs are fixed and predictable when you choose software like CyberSmart, and even better, you don’t need to train or hire in-house IT staff as the technology does it all for you.

Step-by-step instructions 

Recruiting a qualified cybersecurity employee does not usually guarantee experience. However, with cybersecurity software from leading providers, your business is assured of how-to guides and step-by-step instructions, which make addressing specific cyber threats and mitigation strategies straightforward no matter your level of technical or compliance knowledge.

Time-saving and fewer distractions 

Letting automated software handle your company’s cybersecurity requirements saves you time and other resources. CyberSmart Active Protect is probably the best way of ensuring that employees in a company focus their time, attention, and effort on core business issues. It also ensures that they are less distracted by activities involving complex cybersecurity problems and decisions. 

Competitive edge for SMEs 

Unlike large and well-established businesses, SMEs may not be able to afford in-house cybersecurity solutions and support. However, choosing to automate the search for weaknesses in your system can provide you with the same level of security as large firms. 

Remaining compliant 

Just like any other business investment, running an in-house cybersecurity solution is associated with a considerable amount of risk and regulation. However, with vast knowledge and expertise in compliance and security issues, software providers such as CyberSmart will ensure your company remains compliant throughout the year. 

Scalability with the latest technology 

Changes in market demand may necessitate the expansion of a business. Scaling up operations typically comes with its fair share of hurdles, especially from a technological perspective. Hackers have also found various ways of exploiting security measures put in place by businesses. However, with CyberSmart Active Protect, you’ll get weekly reports on the status of your business, with any issues you should be aware of brought to your attention as soon as possible.

How to promote cybersecurity culture internally

Cybersecurity in your organisation goes beyond investment in the latest technology. It also requires dedication to inspiring and instilling a healthy culture. It has been established that poor and weak cultures can always open avenues for data breaches and the exploitation of unforeseen or hidden vulnerabilities. However, with a properly instilled culture, employees could as well become your most potent human firewall that protects your business network from cyber-attacks. Therefore, it is essential to weave the cybersecurity culture into the organisation’s policies and practices, which will place workers at the frontline in fighting cyber threats. How then can you foster such a culture and build a stronger front against hacking and other cyber threats? Here are four ways of creating a disruptive, engaging, rewarding, and fun cybersecurity culture with assured return on investment within your organisation. 

Involve everyone in the workplace 

Most organisations believe that cybersecurity is the sole responsibility of the IT department. However, having a sustainable cybersecurity culture requires instilling the perception that it is a shared responsibility. Such practices are vital because almost every employee uses the corporate network at some point, so it’s imperative to include them as a component of the company’s overall security culture and solution. 

Provide basic cybersecurity training 

Training your staff is a critical part of building an influential culture since it gets them talking about security issues and also helps in focusing on end-users, thus making it easier to cover the entire spectrum of cybersecurity. However, it is crucial to start with basic but relevant and engaging training before scaling your way up to more complex ones to weed out bad practices that may make your business vulnerable to cyber-attacks. The simple practices include policies related to passwords, mobile devices, data storage, remote network access, cyber vigilance, and response strategies. At the end of the training, implement a post-training assessment that will measure the effectiveness of the process based on some predetermined metrics. 

Streamline channels for threat reports 

Ensure that your security and IT department is approachable by other employees who may need to report incidents relating to cyber threats. The channels should be open for communication and interaction to promote honesty among employees, so that they can report mistakes without fear of being punished for human error. Your security department should always be welcoming to encourage reporting of security breaches and, at the same time, help build a robust culture by helping employees gain a deeper understanding of what is expected of them.

Reward good performance 

Always look for opportunities to celebrate your success by recognising and rewarding exemplary performance from employees. Simple rewards can go a long way in motivating employees to uphold cybersecurity standards and measures. You can even go a notch higher by making cybersecurity courses a choice within the company. Such programs offer the potential for the growth of your employees who are passionate about network security.

Three emerging cybersecurity threats

Cybersecurity is a growing concern for businesses. The cost of recovering from data breaches is simply crippling, especially with the new GDPR legislation. A recent report predicts that cybercrimes will cost the world about $6 trillion every year by 2021. 

Cyber-attacks have become more prevalent and sophisticated. Reports of online exploits, scammers and hackers are no longer top headline news. As technology evolves, cybercriminals come up with new, ingenious methods of perpetrating their attacks. Every further advancement in technology provides new security loopholes and risks. Here are three cybersecurity threats that have started to emerge.

1) Internet of Things (IoT) attacks 

The inter-connectivity of smart devices via the Internet of Things infrastructure has been a growing trend in recent years. Devices such as security cameras, smart appliances, and sensors seamlessly link together to collect, analyse and act on data. IoT is an inexpensive and convenient way to automate and modernise business processes. 

However, most of these devices don’t have robust security features factored into their designs. This creates weak links that unsavoury hackers have quickly learned to exploit. The risk is much greater if the IoT devices link up to high profile networks. 

2) Cryptojacking 

Today, we have over a thousand cryptocurrencies in circulation over the internet. Mining these currencies is a lucrative venture, although mining is becoming harder and requires ever more computing power. Cryptojacking is where a hacker uses personal or business computing resources such as servers and computers to carry out crypto-mining.

The hacker may not necessarily be interested in data or vandalism, but piggybacking on enterprise systems causes some serious problems. Since crypto-mining draws a great deal of processing power, the systems slow down, consume a lot of energy, and suffer crashes and malfunctions. 

3) Intelligent hacking 

Artificial intelligence (AI) and machine learning (ML), which are a big part of advanced cybersecurity defence systems are also being used to model cyber-attacks. With these technologies, hackers can create adaptable malware that evades detection while controlling other software tools to their advantage. 

Intelligent malware poses serious threats to AI-based computer models, neural networks, and smart sensor systems. There have already been a few reports of sophisticated cyber-attacks that bear a resemblance to AI manipulation.

Bottom line 

These new cyber threats may seem scary, but cybersecurity systems are still on top of things when it comes to securing your data and resources. A lot of work goes into developing new defences against emerging threats. Your part is to keep up with security updates while exercising basic cautionary measures and good cyber-hygiene. 

Get in touch with us to learn more about cybersecurity and certification standards.

How has cybersecurity evolved?

Cybercriminals now have more tools than ever before to launch more sophisticated and devastating attacks. From artificial intelligence to the dark web, companies need to rethink their security strategies as being reactive simply isn’t enough anymore. With the adoption of cloud infrastructure and the use of IoT devices increasing ten-fold each day, cyber attackers have moved inside our networks. With all this in mind, let’s take a closer look at how cybersecurity has evolved over time. 

Where did it all begin? 

Cybersecurity began with a simple research project. Having realised it was possible for a computer program to move across networks, Bob Thomas designed Creeper, a program that moved between Tenex terminals on the early ARPANET. Ray Tomlinson, the person responsible for the creation of email, saw Thomas’ idea and began replicating it himself. However, he created antivirus software instead, which would chase Creeper and delete it.

The types of attacks have changed 

We’ve come a long way since Creeper, with some of the earliest forms of malicious cyber attacks focusing on PHI theft and credit/debit cards. Although these still occur today, we now have the threat of crypto and ransomware attacks to deal with. Phishing email attacks are still very common (phishing accounts for 90% of data breaches), but it’s fair to say they’ve become more sophisticated over time. Other examples include:

  • Denial-of-service (DoS) attacks 
  • Distributed denial-of-service (DDoS) attacks 
  • Password attacks 
  • Malware 
  • Man-in-the-Middle (MitM) attacks 
  • SQL injections 

Who is responsible for cybersecurity now? 

In the past, it was assumed that sole responsibility for a company’s cybersecurity lay with the IT team. However, thanks to an increase in awareness and understanding of cyber threats, it’s becoming a company-wide practice. Phishing attacks, in particular, should be understood by every member of your team, including the risks of opening malicious emails and how to identify or report them.

What can you do? 

While cybercriminals look to the future for ways to compromise networks, they are also using old techniques which still work. With this in mind, how can you develop effective security measures? You’ll need native solutions and adaptive security deployments which can detect unexpected events and take action to rectify issues. However, while it’s important to nurture your existing talent in regards to cybersecurity, it might be time to consider recruiting IT security professionals too. 

To find out more about CyberSmart Active Protect which provides valuable insights into the status of all your devices, contact us on our live chat, 020 8059 2106 or email us on [email protected] today.