According to research from popular exercise app Strava, the second Friday of January is “quitters’ day”– the day when people are most likely to give up on New Year’s resolutions. 

It’s the day when all those promises made in good faith back in December go up in smoke. Running shoes across the land are hurled to the back of the nearest cupboard, never to see the light of day again. Gym memberships are forgotten about. And new hobbies fall by the wayside.

The biggest problem with most New Year’s resolutions is their difficulty. Sure, the long-term gains might be amazing, but what about the months of pain and effort to get there?

But not all resolutions have to be difficult or doomed to failure. Take, for example, our list of easy cybersecurity New Year’s resolutions. 

Unlike attempting a couch to 5k or taking up a new hobby, they don’t require hours of your time to see results. Nor do you need to go out and buy expensive new tools or overhaul existing processes. All it takes is a few tweaks here and there to get your business’s cybersecurity fighting fit for the year ahead.

And the best part? Once you’re in the habit, you’re unlikely to break them. 

1. Start patching and updating software regularly 

We bang the patching drum a lot at CyberSmart. Regular readers of our blog will have noticed we mention it at every possible opportunity. But, as repetitive as it might be, there’s a very good reason behind our love affair with patching.

Regularly updating your software and operating systems is the easiest, most time-efficient way to improve your cybersecurity. Even, the best software becomes outdated or develops gaps and, when it does, cybercriminals suddenly have an easy route into your business. 

Fortunately, avoiding the worst is incredibly easy and it shouldn’t take you more than a couple of minutes each month. All it requires is that you check every now and then for any new updates to tools and software you use. Or, if you want an even easier solution, simply turn on auto-updates in your device’s settings, and you won’t even have to think about it.

To learn more about patching, check out our recent blog on the subject. 

2. Create a password policy

Of all the resolutions on this list, creating a secure password policy is by far the simplest. Most of us know the importance of strong passwords, but that doesn’t stop us using the same easily-guessable phrase we’ve been using since 2001 for everything. We’re only human after all. 

The problem is this poses a huge security risk. It only takes a cybercriminal to crack one insecure password in your business for disaster to strike. But the good news is fixing it is simple.

Set up a password policy and ensure everyone in the business follows it. Often, it doesn’t take much more than a well-worded email and a few friendly nudges to get everyone on board.

What should go in the policy? Well, a strong password policy should have four key points:

• Use complex passwords that are a combination of letters, numbers and symbols. In-built browser tools like Google Chrome’s password generator are great for this
• Change passwords regularly
• Set up different passwords for different accounts, tools and software. If you struggle with remembering them, consider using a secure password manager tool like LastPass or 1password
• Use two-factor authentication (2FA) wherever possible 

3. Use encryption 

Encryption is one of those technologies that everyone has a vague notion they should be using. However, many of us get put off by misconception that it’s difficult to set up or hard to understand if you’re not a techy type.

In reality, this couldn’t be further from the truth. You probably already use encryption a lot in your daily life, you just don’t know it. Ever sent a message using WhatsApp? That’s encryption. Bought something from a web store? Encryption.

We won’t go into exactly how it works (if you’d like to know more we have a whole blog on the subject) but, essentially, encryption randomises data so that only an authorised recipient with a key can see it. 

Due to the complexity of the randomisation process, encryption is near impossible to break so it offers a level of security passwords alone can’t match. Better still, once you’ve set it up and are used to using it, it’s unlikely you’ll ever have to think about it again.

4. Make cybersecurity part this year’s budget

Attacks on SMEs now account for 58% of all cybercrime. What’s more, small businesses’ ability to absorb an attack is limited. Research from insurance and risk consultancy firm, Gallagher, found that over 50,000 UK SMEs would collapse if hit by a cyberattack.

Given the risks, you would expect cybersecurity to be top of most businesses’ budgeting lists. However, that’s often not the case. It’s not hard to see why; if you’re an SME performing financial wizardry each year just to keep things ticking over, cybersecurity can feel like a ‘nice to have’ rather than a priority. It’s this that leads to many smaller businesses making do with anti-virus and little else.

Unfortunately, firms who do this are playing Russian roulette without being conscious of it. Sooner or later, an enterprising cybercriminal will take advantage of weak defences, no matter how small your business. It’s a simple thing, but make 2021 the year cybersecurity features in your annual budget.

5. Get Cyber Essentials certified 

If you’ve heard of Cyber Essentials, you’re likely questioning this suggestion. Isn’t Cyber Essentials certification a long, drawn-out process that takes weeks to complete? It’s hardly fitting for a list of ‘easy’ resolutions.

Well, the truth is that getting Cyber Essentials certified can be like that. However, it doesn’t have to be. At CyberSmart we offer a Cyber Essentials certification process that can take as little as 24 hours, with no need for constant back and forth. We’ll tell you whether you’re going to pass before you submit and help you address any problems, so you only need to do it once.

Getting Cyber Essentials certified is a requirement for many government tenders and can protect your business from 98.5% of cybersecurity threats. But the benefits don’t end there. It’s also a great indicator of your business’s commitment to security, marking you out as trustworthy and safe to potential partners and customers.

So concludes our 2021 cybersecurity New Year’s resolutions. Although we’d recommend doing everything we’ve suggested, even adopting just one will noticeably improve your business’s cybersecurity. So why not kick the year off with a resolution you’ll keep? 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Technology has shaped our lives in ways never have imagined before. And it’s become especially visible now many of us made the shift to working remotely. Technological developments have provided us with many opportunities, from new forms of communication to the ability to access and share resources from anywhere on the planet. 

Sadly, that’s not the whole story.

Technology also provides cybercriminals with endless new methods for exploitation. It’s no longer enough to manage the struggles of our offline lives. There’s also the added pressure of maintaining our digital selves and online behaviour. 

But why do so many of us behave differently online and take risks that we wouldn’t in our everyday lives? It’s exactly these questions that cyberpsychology seeks to answer. 

What is cyberpsychology?

Cyberpsychology is a relatively young branch of psychology. It got its start back in the 1990s, but it really began to gain relevance during the 2000s with the rise of social media. The explosion in online communication made it suddenly very important to understand online behaviours.

Cyberpsychology looks at how we behave in cyberspace, how we interact with and through different devices, as well as how our offline behaviours have been affected by the use of technology and the internet. 

Experts have been warning about the perils of social media for some time. But, for most of us, the recent  Netflix documentary, “The Social Dilemma” has been a wake-up call in understanding how specific sites, apps and design functionality in cyberspace can be used to target our weaknesses. 

Beyond the obvious problems with manipulative design, technology and the internet are also affecting us in a subtler way. With the advent of the internet of things (IoT), our daily lives are carried with us wherever we go. This mobility comes with advantages; constant connectivity and near-endless information at our fingertips. However, it can also lead to us feeling overwhelmed, saturated with information and obligated to constantly ‘keep up’ with whatever is happening in the news cycle or on social media. 

For many of us, cyberspace is not as tangible as physical space. In the ‘real’ world we can clearly identify hazards and avoid them. Online, this becomes trickier. This can lead us to have an imaginary sense of security, despite the countless risks we are exposed to online daily. But, being aware of the psychology behind our actions can help us better manage our digital existence and approach it more mindfully. 

What are the psychological features of technology?

Recordability

One of the key features to watch out for in cyberspace is ‘recordability’. Everything we do online, from the content we share publicly or not so publicly to private conversations and our location, is documented and recorded. Our digital experiences can be analysed, revisited and even re-experienced. This can have many positive effects, but can also backfire and be used against us if it’s accessed by someone with malicious intent. So it’s important to always consider not only what we are sharing, but who might have the access to our digital traces. 

Flexible identity

Another feature of online life is the ability to manage our impressions and identity. The lack of physical characteristics in communication, such as appearance, body language and emotional expressions can be a limitation to understanding each other. But they can also give us the flexibility to tailor our digital selves to different audiences. 

However, it can also be used for behaviours of misleading, malicious and even criminal natures. For example,
identity fraud or phishing scams. In combination with records of your digital activities, the offender could use available personal information to build a closer and, seemingly, more trustworthy relationship with you. 

The Disinhibition effect

The last key cyberpsychology theory for analysing our behaviour is the disinhibition effect. It explains how the ways we act change in digital environments. In short, we’re less inhibited and composed and more open and confident. So much so, that researchers often compare this effect to being drunk. 

This might sound like a good thing; a society-wide ‘coming out of our shells’. However, it has a darker side. Many of us have
have poorer judgement online and are more prone to making bad decisions.

For example, we are more open to sharing our whereabouts or discussing intimate and private details. This can be influenced by the idea of us as being invisible, anonymous and a belief that offline interactions are ‘real’ and online as ‘not or less real’. And this can often lead to us behaving more irresponsible online and failing to consider the consequences of our actions. 

Why is cyberpsychology important?

It’s clear that the internet and technology have given us greater freedom, convenience, and connectivity. But, at the same time, it’s important to be cautious of its possible negative effects. By better understanding our psychological weaknesses as humans interacting with technology we can become more aware, responsible and secure online. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

Late last year, we published a guide to everything you need to know about GDPR after Brexit. A few things have changed since then, not least, the UK finally agreeing on a deal on 24th December 2020. So, with the terms of the UK’s exit decided, do we know anything more about what GDPR looks like post-Brexit?

What’s happened since a deal was agreed?

You may remember from our previous piece that the UK was awaiting an ‘adequacy’ decision from the European Commission (EC). In simple terms, the EC must decide whether the UK has adequate data protection measures in place for EU countries to work with it.

In the time-honoured fashion of all negotiations between Britain and EU organisations, we’re still waiting on that decision. However, as a temporary fix, the two sides have set out the ‘Trade and Cooperation Agreement’, which contains a provision for data flows. 

What does this mean for GDPR? 

The ‘Trade and Cooperation Agreement’ contains a provision allowing data flows between the EU and UK to continue as they were pre-Brexit for a maximum of six months. In other words, data can still be transferred in the way it was pre-January 2021 until June this year.

There are two ways this ‘bridging period’ could come to an end. The first is that the UK makes changes to data protection law during the period. If this happens, the UK would be outside the terms of the agreement and data transfers will immediately stop.

The second is that the EC makes a decision on the UK’s adequacy status. If this hasn’t happened by 1st April then the period will be extended to its full six-month maximum. 

Still with us? It’s also important to note that the UK has already deemed the EU’s data protection as adequate, meaning data is free to flow in the other direction too. GDPR has now been made part of UK law and renamed the ‘UK GDPR’. And, the Trade and Cooperation Agreement includes a commitment that the UK and EU will continue to cooperate on digital trade in future. 

What does your business need to do? 

If it’s business as usual until April, does your business need to do anything to ensure compliance with GDPR?

Unfortunately, the answer is yes. While data flows can continue as they are, for now, predicting the future is tricky. Some commentators are cautiously optimistic about the likelihood of a favourable adequacy decision for the UK. However, many others cite the long-standing differences in surveillance practices between the EU and UK as a potential blocker to any positive outcome.

This means that the smart thing to do, for businesses of any size, is to put in place alternative arrangements. The Information Commissioners Office (ICO) has already issued a statement urging businesses that depend on data received from EU/EEA countries to do exactly that. 

In practice, this means setting out binding corporate rules (BCRs) or standard contractual clauses (SSCs) on data protection for an EU organisation you exchange information with. This is essentially a commitment to comply with EU data rules as an individual organisation in the event that something changes at the state level.

You can find more advice on the ICO’s Brexit hub and we’ll keep bringing you further updates as we get them. 

The leaves have well and truly fallen, it’s bitterly cold, and Christmas is just around the corner. This can mean only one thing. It’s that very special time of year when every business releases a ‘things to look out for’ or ‘top ten trends’ post for the year ahead – cue jokes about identikit blog posts.

So, we thought we would do something a little different this year. Rather than repeat last year’s guide to cybersecurity trends for SMEs, we thought we’d look back at how we did. Where were we right on the money? And what are we eating a hefty portion of festive humble pie over?

Of course, the elephant in the room is the COVID-19 pandemic, an event virtually no one predicted. And its effects will keep cropping up throughout this blog. 

1. Increased use of AI to launch and defend against attacks

First up, AI. Back in January, we discussed the likelihood of cybercriminals increasing their use of automated attacks in 2020. We cited cybersecurity and AI expert, Justin Fier of Darktrace who predicted “AI won’t just make attacks faster or smarter. We likely can’t even fathom the way that AI will transform attacks or be leveraged by malicious actors. What we do know is that with AI attacks on the horizon, AI defences will be critical as well.”

How we did

We’d like to think we were pretty spot on with this one. AI attacks continue to plague the nightmares of security professionals. A September 2020 study from Forrester found that 88% of security professionals expect AI-driven attacks will soon become mainstream.

88% of security professionals expect AI-driven attacks will soon become mainstream. 

What’s more, there were several high-profile attacks using AI in 2020. The spear-phishing (more on that later) attack on COVID-19 vaccine supply chains is thought to have been carried out using an AI. Meanwhile, both the Vancouver Metro system and the Argentine government suffered highly coordinated ransomware attacks, thought to be backed by an AI. 

While you don’t have to be Nostrodamus to predict that as AI technology becomes more widely available attacks will increase, it’s clear that it has become a rapidly growing threat. So much so that Europol issued a warning earlier this year that cybercriminals now have both the expertise and tools to use AI regularly. 

It’s in this environment that we’re continuing our research into using AI and machine learning for cybersecurity defences.

2. Spear phishing: phishing attacks get personal

Spear phishing is the practice of sending out highly targeted, personalised emails to company employees and executives in a specific business, rather than a generic attack sent to thousands of random email addresses. Once clicked, these emails infect the user’s computer or device with malware. 

We predicted this type of attack would become more common in 2020, as cybercriminals learned to target time-poor executives and undertrained employees. 

How we did 

While our instinct was good, we couldn’t have predicted just how prevalent spear-phishing attacks would become in 2020. There were many high profile attacks, including Twitter, but most alarming was, of course, the attack on COVID-19 vaccine supply chains we mentioned earlier. 

And there were plenty more breaches that didn’t make the front pages. According to a report from the Anti Phishing Working Group, the average loss to organisations from business email compromise (or spear-phishing) attacks in the second quarter of 2020 was $80,183 (£59,353). Even more alarmingly, that figure represents a $54,000 (£39,972) on the first quarter of this year, almost perfectly mirroring the global switch to remote working due to the pandemic.

The average loss to organisations from spear-phishing attacks in the second quarter of 2020 was $80,183 (£59,353)

You can find out more about how to switch to remote working safely in our latest ebook.

3. Organisations are adopting more data encryption

At the beginning of 2020, we were confident this year would be encryption’s time to shine at last. We hoped that the tool would finally gain widespread adoption, helping businesses to shut down most cyberattacks before they start. And we based this prediction on the 2019 Global Encryption Trends Study which revealed its use grew from 41% to 47% of organisations last year. 

How we did 

Sadly, our hopes of encryption taking the business world by storm in 2020 proved unfounded. It’s not all bad. Adoption has increased: Entrust’s 2020 Global Encryption Trends Study lists 48% of businesses as having encryption strategy ‘applied consistently across their enterprise’.

However, a 1% increase to 48% isn’t widespread adoption, nor is it nearly enough. Encryption is the simplest step a business can take towards protection from cyber threats.  Improving the cyber health of our society depends on its adoption everywhere. Here’s hoping 2021 will be better.

Start 2021 right. Protect your business from 98.5% of security threats by getting Cyber Essentials certified.

4. Robotic Process Automation (RPA)

Of all the things on this list, Robotic Process Automation (RPA) is the one most likely to spark the imagination. So, was 2020 the year that businesses started automating in earnest and transferring tasks to our new robot masters?

How we did 

In short, no. RPA did continue to grow in popularity, with its market revenues projected to have surpassed $2.9 billion worldwide this year. And it will probably continue to do so – Grand View Research predicts a 40.6% annual growth rate in adoption between now and 2027.

However, the firms using RPA tend to be at that enterprise end of the scale. RPA is expensive and we’re a long way from it being affordable for smaller businesses. So, for the time being at least, the robots aren’t coming to an SME near you. 

5. The next wave of GDPR fines is on its way 

2019 was the year that regulators began to really flex their muscles on GDPR, doling out fines to some of the World’s largest corporations. So, naturally, we expected 2020 to deliver more of the same. 

How we did 

If anything, we underestimated this one. 2020 has been a bonanza of GDPR fines. First, Google was fined £44 million by French regulator CNIL for its breach of GDPR rules – by far the biggest fine we’ve seen yet. Then retailer H&M was hit with a £31.5 million fine by German regulators.

These were just the two highest-profile cases. Over 220 fines were handed out for GDPR violations in the first ten months of 2020, totalling more than £158 million. On top of this, July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced.

July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced.

So it’s clear that 2020 has been the year that regulators across Europe rolled up their sleeves and got tough on GDPR. Despite this, only 20% of US, UK, and EU companies are fully GDPR compliant. And, with all the uncertainty surrounding GDPR and Brexit, we expect 2021 to continue in the same vein.  

6. Greater threats to cloud security 

The cloud is relatively old news by now, with most businesses moving away from using physical servers sometime in the last decade. However, knowledge of how to properly secure data in a cloud has lagged far behind adoption for a while now. So we predicted 2020 would be the year that hackers began to exploit the cloud’s vulnerabilities. 

How we did 

Although cloud data breaches have been a feature of the technology since its inception, 2020 will go down as the year that businesses became much more conscious of the risks. A report from Ermetic, published in July 2020, revealed that 80% of firms surveyed have suffered some form of cloud data breach in the previous 18 months. 

This is reflected in the number of high profile breaches we’ve seen this year, with Mariott, MGM and video conferencing software Zoom all suffering data hacks.

7. 5G and IoT devices on the rise

Everyone in the tech sector has been predicting the rise of 5G and IoT devices for a long time now. Were you to delve deep into your internet history, we’re confident you’d find it on many end-of-year predictions lists as far back as 2016. With that in mind, was this the year that 5G finally arrived on the scene?

How we did 

Let’s tackle 5G first. Unlike previous years, 2020 really did see the rollout of 5G, at least partly. Despite the controversy and political power struggles caused by the UK deciding to ban Chinese firm Huawei, 5G networks are now available in some locations across the UK. We’re still a long way from a nationwide rollout and the technology comes with problems to be ironed out, but the first shoots of a 5G-backed nation are there and growing. 

As for IoT devices, they continued their inevitable march to ubiquity. Experts estimate that the number of active IoT devices installed in 2020 reached 31 billion. This represents an 8 billion rise from 2019 and many are predicting a similar increase in 2021.

8. The cybersecurity skills gap

The Department for Digital Culture, Media and Sport (DCMS) defines the cybersecurity skills gap as businesses ‘lacking staff with the technical, incident response and governance skills needed to manage their cybersecurity.’ And it’s been a growing problem in the UK and across much of the world ever since businesses began to move their operations online.

We thought that it would become one of the defining trends of 2020. Were we right? 

How we did 

The cybersecurity gap is hard to assess in a period as limited as one year. The situation certainly didn’t improve much in 2020 but it’s hard to say whether it got any worse. The UK government did at least try to promote jobs in the sector, even if the execution was crass and very poorly judged.

However, real change in this area is likely to take years, if not decades. So for the meantime, small businesses are best served by trying to find ways around the talent shortage. For more on that, check out our October blog on the subject.

10. Employee training for threat awareness

Last on our list, threat awareness training for employees. One of the biggest trends sweeping cybersecurity in the last few years has been a growing realisation that employees have an active role to play in keeping their workplaces safe. Let’s consider how that developed in 2020. 

How we did

Like a lot of things on this list, employee awareness has been heavily influenced by the COVID-19 pandemic. As many businesses were forced to work remotely, with employees using their own networks and devices to access company data, good cyber hygiene has become more important than ever. As a result, we’ve seen more and more businesses taking staff training seriously.

Meanwhile, we’ve been busy doing what we can to help. We’re all set to release a brand new set of interactive cybersecurity training modules, downloadable through the CyberSmart platform. It’s our hope this will help make 2021 a little more cyber secure than 2020.

All in all, we’re happy with our predictions for 2020. There was a lot we couldn’t have foreseen and some of the trends we predicted didn’t take off quite as expected. But, on the whole, 2020 saw some big steps towards increased cyber awareness and hygiene in the UK. Stay tuned for more of the same in 2021. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

You’ve probably heard the phrase BYOD before. ‘Bring Your Own Device” has been the darling of business and technology journalists for much of the last decade. And BYOD really is more than just hot air and hyperbole. For SMEs, it has the potential to change the way we approach procurement and resourcing forever.

However, what you’re less likely to have read about, is its connection with the Cyber Essentials certification. So, if you’re considering taking the plunge and adopting a BYOD policy, read our short guide first. 

What is BYOD?

BYOD, or Bring Your Own Device, is simply giving employees the option to use their own devices for work. And this can mean everything from their own smartphones through to tablets and laptops. 

Why do businesses adopt BYOD?

Like most business decisions, the benefits of switching to BYOD are largely cost-based. As any SME founder will tell you between grimaces, procuring hardware for all your staff can be eye-wateringly expensive. So having employees use their own is an immediate boost to a businesses’ bottom line. A Cisco report into BYOD found that businesses using it saved on average $350 per person, per year. 

But it’s not all about the money. BYOD also offers employees greater choice over the tools they use for work. Anyone who’s ever used an Apple laptop at home and Windows machine at work (or vice versa) knows how annoying it can be to keep switching between operating systems. So why not let your people choose? 

On top of this, BYOD can provide productivity benefits. The same Cisco study revealed that workers save an average of 81 minutes per week by using their own devices, or nine working days every year. And it can even improve employee wellbeing. In a study produced by Samsung, 78% said it helped them achieve a better work-life balance. 

What does it have to do with Cyber Essentials? 

So BYOD has many benefits and is becoming ever-more popular in the UK – 45% of UK businesses in 2018 had some form of BYOD plan. But what does this have to do with Cyber Essentials?

Well, it’s actually very simple. Any device being used for work purposes is likely to connect business networks and access company data. This poses security risks. 

As we discussed in our recent ebook on remote working, employees using their own devices to access company networks and data can present a host of problems. Personal devices will often have inferior security tools to business ones. Employees are less likely to follow strict security protocols on their own devices. And, there’s plenty of evidence to suggest that we all engage in riskier behaviour when using our personal laptops and phones.

All of this can expose your business to unnecessary risks. But it doesn’t mean you need to scrap your plans for BYOD.

Does Cyber Essentials cover BYOD? 

If a device is used to connect to the business network or access any business information, then it should be considered within the scope of Cyber Essentials. This includes doing some after-hours work on your home computer, accessing the company Google Drive, and even browsing work emails on your mobile. 

If a device is used to connect to the business network or access any business information, then it should be considered within the scope of Cyber Essentials

It’s all too easy to fall into the trap of considering personal devices some separate entity, entirely disconnected from work. But that just isn’t the reality of many of our working lives. In our ‘always-on’ culture the personal and professional have a habit of bleeding into each other, particularly in an era when many of us are working remotely. 

This means it’s vital you ensure that all devices used for work, whether personal or company-provided, follow the core tenets of Cyber Essentials. For example, ensuring security settings are switched on and up-to-date, anti-malware tools are installed, and apps are regularly updated. 

What if you don’t have a formal BYOD policy? 

Even if your business doesn’t have a formal BYOD policy, it’s still important you guard against the threat posed by personal devices. To illustrate, at CyberSmart we don’t have a formal BYOD policy, but we know many of our people use their phones to access emails and files. 

So to ensure we’re not giving cybercriminals a backdoor into the business, we ask that every employee installs CyberSmart Active Protect on any device they might access work from. The CyberSmart app constantly checks any device that it’s installed on is compliant with Cyber Essentials and flags any problems to both us and the user. This means that however our staff choose to work, we can be sure they’re doing it safely. 

BYOD has the potential to totally transform the way your business looks at procurement. But it also requires good cyber hygiene if it’s to be liberatory rather than a liability. So if you’re considering adopting BYOD, start by getting Cyber Essentials certified. 

Just when you thought the endless rounds of Brexit negotiations were finally drawing to a close and it was safe to tune into the news again, another problem has reared its head. What will happen to GDPR after Brexit? And will UK companies still be able to exchange data within the EU? 

To provide some clarity amongst the confusion, we’ve tried to answer both. So, join us on a whistlestop tour of all things Brexit and GDPR. 

Will GDPR apply in the UK after Brexit? 

Strap yourselves in, this one’s going to take some explaining. While GDPR will no longer apply ‘directly’ once the transition period ends on 31st December 2020, that doesn’t mean UK organisations no longer need to comply with it. 

This is because the Data Protection Act 2018 enshrines GDPR’s requirements in law. On top of the existing legislation, the UK government has issued a statutory instrument catchily titled ‘The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019’. In simple terms, this amends the original law and merges it with the requirements of GDPR. The outcome will be a new data protection framework known as the ‘UK GDPR’. 

Still with us? The good news is that there’s virtually no difference between the UK version of GDPR and the current EU regime. So, for the meantime at least, you should continue to comply with the requirements of the EU GDPR. 

So why all the dramatic headlines about GDPR after Brexit? 

If there’s little material difference between the current GDPR and the proposed UK version, why are we seeing headlines about the switch costing UK firms £1.6bn in compliance fees?

Well, the problem lies in how the UK’s status is defined by the EU. Once the UK leaves the EU, as a non-member state it will be reclassified as a ‘third country’. And this has big ramifications for the transfer of personal data between countries. 

Under GDPR (the EU version), transferring personal data from the European Economic Area (EAA) to third countries is only permitted in one of three circumstances.

The three options

1. If the European Commission (EC) has issued an adequacy decision. In other words, the EC has decided the third country has adequate data protection measures in place for EU countries to work with it.
2. If safeguards such as binding corporate rules (BCRs) or standard contractual clauses (SCCs) are in place between organisations exchanging data. These are essentially commitments to comply with GDPR at the level of an individual company.
3. If an approved ‘code of conduct’ is in place between the EEA and the third country. 

At the moment, no code of conduct has been agreed between the EEA and the UK. What’s more, the EC is yet to issue an adequacy decision.

This has led commentators, such as the New Economics Foundation (NEF) and UCL’s European Institute research hub, to suggest that in the event of a no-deal Brexit, UK businesses would have to undertake option two from the three circumstances listed above. 

The problem with this is that it could prove very costly. In fact, NEF estimates setting up extra compliance measures like SCCs could cost on average £3,000 for a micro-business, £10,000 for a small business and £19,555 for a medium-sized firm. For large firms, the figure could be as high as £162,790, with a cost of £1.6bn to the UK economy as a whole. 

How likely is this to happen?

While the last section might be a little scary, it’s important to stress that it is the worst-case scenario. The UK government has stated several times that it’s committed to securing an adequacy agreement with the EC. So it’s not beyond the realms of possibility that all this will be academic and we’ll see a relatively smooth transition process.

However, there are some doubts about the likelihood of the UK being granted adequacy status. And there are a couple of compelling reasons for this. First, the EU has long opposed some of the practices of the UK security services. This has led to several protracted court battles and a few defeats for British legislators. It’s felt that unless the UK is willing to change it’s surveillance practices – something it’s repeatedly refused to do – then this is likely to provide a blocker to the UK being granted adequacy status. 

Second, the UK government has committed to ‘liberalizing’ data laws as it leaves the EU. Its argument for doing this is that data is currently ‘inappropriately constrained’ by EU laws. The problem is that this is likely to render the UK’s data protection measures inadequate in the eyes of the EU. Again, leading to a scenario in which the UK becomes considered a third country without adequacy status. 

What should SMEs do? 

At this point, it’s natural to wonder what your business can do to ensure you’re ready for the transition. After all, with all the decisions being made at an international level, what can a single SME do but wait?

We don’t yet know the outcome of negotiations on the UK’s adequacy status. So planning for extra compliance measures like SSCs is a challenge. Nevertheless, as we mentioned earlier, it’s well worthwhile ensuring your business is compliant under the current GDPR regime. At the very least, this should help you stay on the right side of the new UK GDPR standard once it’s released.

Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.

Black Friday is nearly upon us. Cue endless headlines about e-commerce retailers recording their ‘best day ever’ (since last year) and photographs of monstrous queues outside department stores.

In amongst the frenzy of articles titled things like ‘10 of the best deals on electricals this Black Friday,’ you’re also bound to find a few on safety- how to stay physically safe during the hustle and bustle or how-to’s for shopping securely online. 

However, what you won’t find is much guidance for small businesses. Black Friday brings with it a heightened risk of cyberattack, particularly in an environment when many SMEs are working remotely. So, to help you get your business through this year unscathed, we’ve put together a brief overview of the risks and some suggestions on how to avoid them. 

What cybersecurity risks does Black Friday present? 

Black Friday is a veritable all-you-can-eat buffet for cybercriminals. Millions of online shoppers, in a rush to grab that must-have deal, often means widespread carelessness on a scale that simply doesn’t happen any other day of the year – with the exception of China’s Single’s Day. 

Hackers look to exploit consumers temporarily taking leave of their better instincts in a number of ways. Let’s take a look at some of them.

Phishing scams 

Phishing scams are a year-round problem. We’ve all had a fake email from a major retailer that’s almost a carbon copy of the real thing but for the slightly misaligned logo, weird syntax or font that just doesn’t look quite right. 

However, during a major retail event like Black Friday, the chances of a successful scam go up. If you’re desperately trying to get a killer deal for a new TV and an email comes through telling you that you’re billing information needs updating, you’re much less likely to spot a fake. 

You’re probably in a bit of a rush, never the best frame of mind for considered judgements. What’s more, if you’re already shopping, a fake email claiming to relate to what you’re doing online might not set off the alarm bells it normally would. 

Old apps 

Again, this is a problem 365 days of the year. But a major retail event provides the perfect cover for cybercriminals to test out the vulnerabilities of popular software and applications for two reasons. One, technical teams’ attention tends to be focused on ensuring apps can handle the sudden surge in demand rather than security. And, two, because many consumers will suddenly be using apps they haven’t used or updated in months – giving cybercriminals an easy route in. 

Is your business considering switching to remote working permanently? Don’t make a decision before reading our new guide, Cyber Safety in a New Era of Work.

Fake websites 

Much like phishing scams, Black Friday usually comes hand-in-hand with a glut of fake websites claiming to sell this years’ must-haves at bargain-basement rates. Most of these sites are simply fronts for hackers to acquire data or launch attacks on unsuspecting consumers. 

Public networks

This is unlikely to be a problem at your workplace. But you’d be surprised how often people pop to the local coffee shop for lunch and log into an unsecured public WiFi network on a company device. And this is all the more likely on Black Friday as people check out the latest offers during their lunch hour. 

The problem is this gives cybercriminals an unbelievably simple way to hack into any unsecured devices on the network. Once in, they’ll be able to get to any company assets accessible from that device. 

Weak passwords 

We’re often banging the drum about the importance of strong passwords. And although it’s vital all the time, it’s particularly so during an event like Black Friday. With so much traffic on popular sites, it’s the perfect time for cybercriminals to try out large-scale brute-force attacks. 

How does this affect SMEs? 

You could be forgiven for wondering what the risks we’ve outlined have to do with your business? After all, aren’t they all related to consumers?

Unfortunately, that’s just the problem. We’re all consumers. And your business is made up of them. Whether it’s on their lunch break or in a spare 15 mins before meetings, it’s highly probable that at least some of your people are going to spend time buying or browsing this Black Friday. This could open up your business to some of the risks we’ve run through so far. 

If, like most companies, your staff are working from home the risks are even higher. As research from ZDNET reveals, 52% of employees believe they can get away with riskier behaviour when working from home. This includes activities like browsing suspect websites and using public networks.

How can you protect your business? 

So what can you do about it? With Black Friday just a few days away, here are a few quick tips for keeping your business safe.

Educate your people

Most risky cyber behaviour stems more often from ignorance or carelessness than malicious intent. So educate your people about the risks we’ve covered in this piece. It doesn’t have to be more than a quick all-company email later this week.

Ensure everyone has the right security

Check that all corporate-owned or managed devices have the latest security capabilities correctly set up. With many people working from home, ensure the same practices you’d insist on in the office are being used everywhere. 

Practice good password hygiene

All your employees should be using complex passwords and two-factor authentication, as well as changing passwords regularly. So, set up a password policy with these requirements and ensure everyone follows it. 

Run the latest versions of all software

Ensure everyone is regularly installing updates and patches for the software on their devices. You can read more about the importance of patching and updates here. 

Encourage staff to shop on personal devices

It might not sound like much, but limiting the number of sites your people visit using company devices can minimise the risk of attack. So by all means let your employees shop ‘til they drop, but keep it to personal devices. 

Secure your network gateways

It’s easy to forget about WiFi itself when thinking about cybersecurity, but it’s a crucial part of good cyber hygiene. Changing the default settings and passwords on home routers can help reduce the likelihood of staff being attacked and, in turn, reduce the risk of a breach for your business. 

‘Black Friday’ always sounds a bit like an economic disaster or tragedy. And, in cybersecurity terms, it certainly has the potential to cause problems. However, by following the guidance we’ve provided, you should have everything you need to ensure this year passes without a hitch. 

Want to know more about how to reduce the risks involved with remote working? Then download our new guide, Cyber Safety in a New Era of Work.

If you’re like most businesses, you’ve probably spent most of 2020 in a convoluted game of musical workspaces. January to March in the office. March to August at home. Back in the office for September and October. Then back home again for November.

Fortunately, it looks like the end is in sight. Several pharmaceutical companies are on the verge of creating an effective COVID-19 vaccine. However, even with the discovery of a vaccine, it’s unlikely our working environments will ever return completely to their pre-pandemic state. 

Many businesses, as well as their employees, have noted the benefits remote working can bring. And this is leading to an increasing number considering making the switch for good. However, if your business is thinking about adopting remote working full-time, or even just cutting the hours you spend in the office, there are a few things you need to know.

To help, our team of cybersecurity and compliance experts has created a new guide, Cyber Safety in a New Era of Work. In it, we tackle a few of the questions on everybody’s minds and show you how to make the transition to remote working safely. 

What’s in the guide? 

Our guide is broken down into three parts. First, we look at how we got here and what’s driving changes in the way we work, including the benefits of remote working. Then we look at the cybersecurity risks working from home presents for a small business.

Finally, we look at ways to overcome the challenges remote working brings. No CyberSmart guide would be complete without some simple steps small businesses can take to protect themselves. 

Download our new guide here or follow the link below.

‘Patching’ is one of those cybersecurity terms that sounds simple and homespun while somehow also appearing technical and complex. But in reality, patching is one of the easiest ways to protect your business against cyber threats. Here’s everything you need to know about it: the what, the why and the how. 

What is patching?

Remember how your mum would fix your school uniform with a patch of similarly coloured fabric when you ripped it falling over in the playground for the hundredth time? Well, the same principle applies to patching in cybersecurity. 

Over time, even the best software develops vulnerabilities, suffers a breach, or simply becomes outdated. It could be that the software was built with vulnerabilities that weren’t anticipated at the time or it might be that a new cyber threat has emerged. Whatever the reason, software developers get around the problem with security patches. 

Just like the million little fixes to your school trousers, security patches are small adjustments. They don’t change the fundamental function of the software, but they do get rid of ‘holes’ a cybercriminal might exploit to access your data or systems. 

Why is patching important? 

The best way to illustrate why patching is so important is to give an example of what happens when it isn’t used. Remember the Wannacry ransomware attack back in 2017?

The crisis began when the USA’s National Security Agency (NSA) discovered a vulnerability within Microsoft Windows. However, rather than report this immediately to Microsoft, the NSA used its knowledge of the vulnerability to create software capable of exploiting it. Unfortunately, cybercriminals then stole this tool from the NSA and used it to launch the Wannacry attack. 

The result of this unpatched vulnerability was an onslaught of ransomware that cost organisations across the globe $53 billion, including a £92 million bill for the NHS. 

Why is this relevant to SMEs? 

Of course, as an SME, it’s unlikely you’re sitting on software vulnerabilities that could put an almighty dent in the global economy. But that doesn’t mean patching isn’t important. 

If the tools you’re using – say, your operating system or anti-virus software –  have vulnerabilities, it gives the bad guys an easy route into your systems. Once they’re in, confidential employee information, financial data, and everything else your business guards closely, is at their fingertips. 

And it’s not just your business. As Wannacry proved, a weak link anywhere in a supply chain puts everyone in at risk. 

How do you make sure your business is protected?

The best thing about patching is that it’s the simplest thing you can do to improve your business’s cybersecurity. All it requires is that you continually update the software and tools you use. This could mean checking for updates every few days or just simply switching on the auto-update setting for all company devices.

This is very easy to do on a personal level. But what about if you scale this practice up company-wide? Surely keeping track of several or even tens of employees’ devices is tricky, to say the least?

There are two relatively simple routes around the problem. 

Clear security policies

The first is clear company security policies. Make it clear to your people that everyone needs to update software as soon as a new version or patch is released and explain why. Most of us are more likely to adhere to a policy if we know why it’s there and what we risk if we don’t follow it. And don’t squirrel it away on some long-forgotten corner of your company server. Ensure everyone has access and knows where to find it. 

Use an active protection tool

The second approach is to use an active protection tool like CyberSmart Active Protect. Active Protect scans all of your company devices every 15 mins, checking everyone is using the latest versions of software and security settings are configured properly. If anyone in your business has missed something, you’ll know about it through the CyberSmart Dashboard.

Our products can even help with creating clear policies. CyberSmart Policy Manager allows you to host your security policies in-app and distribute them to all company devices. So you can be sure everyone has access to and reads your organisation’s policies. 

Although it doesn’t sound like much, ensuring every tool your business uses is running the latest version really is the first step to a safer working environment. So why not start making it part of your routine today?

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

If you’ve been considering improving your cybersecurity lately, chances are you’ve come across the phrase ‘cyber hygiene’. And you’re probably also wondering what it means. Cyber hygiene is one of those slippery phrases that seems to change meaning depending on who’s using it.

So, in the interests of clearing up some confusion, here’s our guide to cyber hygiene. What it is. Why it’s important. And, what it looks like in practice. 

A definition of cyber hygiene 

Simply put, cyber hygiene is the steps and practices every organisation should take to ensure good digital health and protect themselves against cyber threats. The idea behind cyber hygiene is that these practices should become part of our day-to-day routine. Think of it as a bit like your physical hygiene, say brushing your teeth twice a day, washing your hands regularly, or wearing a face mask. 

Why is it important?

In the same way that if you don’t look after your teeth you’ll eventually end up with a hefty dentist’s bill, your cybersecurity needs constant maintenance to avoid a breach. 

But cyber hygiene’s importance goes beyond simple maintenance. There’s a widespread perception among SMEs that cyber-attacks are something that happens to bigger, higher-profile companies. It’s not hard to see why- after all, the news cycle is filled with tales of the latest Fortune 500 behemoth to suffer an embarrassing breach.

Unfortunately, this couldn’t be further from the truth. According to research from the Federation of Small Businesses, in the last two years alone, SMEs were subject to 10,000 cyberattacks daily. And 1 in 5 reported suffering a breach during the same period. 

In the last two years alone, SMEs were subject to 10,000 cyberattacks daily

What’s more, the risks are only growing with many businesses switching to remote working. A recent report from VMWare reveals that 91% of businesses globally have seen an increase in cyber attacks since countries began implementing lockdown measures. On top of this, home office networks are 3.5 times more likely to be hacked than corporate ones. 

Maintaining a good standard of cyber hygiene is the most effective way to guard against all of these threats. 

What does good cyber hygiene look like in practice? 

We’ve tackled why cyber hygiene is important but what does achieving it actually involve? 

Good cyber hygiene is probably best divided into three broad categories: occasional check-ups, daily routines and good behaviours. Let’s take each in turn.

Occasional check-ups 

People are often surprised by how many cyber threats can be averted simply by giving your corporate devices and networks a regular health check. When software is out of date, firewalls and anti-malware aren’t switched on, or security settings aren’t configured properly, you provide cybercriminals with an easy route into your business. 

Start by checking every device in the company is running the latest version of any software you use and it’s security settings are configured to the highest level of protection. Also ensure that your network is secure and that all anti-malware and firewall tools are switched on, up-to-date and configured properly. 

Daily routines 

Cyber hygiene is as much about what you do and how you do it as it is about maintenance. A great place to start is by putting in place universal practices across your organisation.

This includes steps like setting up a strong password policy, using two-factor authentication for anything coming in or out of your business and keeping work devices for work purposes.

Good behaviours

Few of us set out to put our workplace at risk with our actions online. But we’re all human. And whether it’s through misunderstanding the risks or just being a little careless, many of us do exactly that on a daily basis.

Getting everybody on your business on the same page about your cybersecurity standards is just as important as keeping your tech fighting fit. The best way to do this is to ensure your business has clear, understandable policies in place so everyone understands what they need to do (or not do). And it’s no use hiding them away on some long-forgotten corner of your server. Make sure they’re easy to find and everyone has access to them. 

Three simple ways to get your cyber hygiene up to scratch 

The steps we’ve outlined so far might feel a little overwhelming. Where do you start? Surely running through all that will take forever? And what do you do if cybersecurity isn’t really your forte?

Fortunately, there are three very simple routes to improving your cyber hygiene – regardless of your budget or level of expertise. 

1. Get a Cyber Health Check

Before you start improving your organisation’s cyber hygiene, you need to know your current level. In other words, it’s time for a check-up.

Our soon-to-be-released Cyber Health Check is a simple way to assess your current level of cybersecurity. We’ll run some tests to check how you’re doing. Then, once we’re done, we’ll send you a free downloadable report to tell you what you need to improve and some recommendations for how to do it.

2. Get Cyber Essentials Certified 

Another option is to complete the UK government’s Cyber Essentials certification. The scheme covers the essential actions every business should take to ensure its digital security and protect against cyberattacks. Cyber Essentials assesses five criteria on the way to certification: 

• Is your internet connection secure?
• Are the most secure settings switched on for every company device?
• Do you have full control over who is accessing your data and services?
• Do you have adequate protection against viruses and malware?
• Are devices and software updated with the latest versions? 

Not only does the Cyber Essentials scheme cover all of the maintenance steps we discussed earlier, research also shows it could help protect your business against 98.5% of cyber threats. And that’s not all. Many government bodies require Cyber Essentials certification from any supplier or service provider they work with. So getting certified could open up new avenues for your business.

Even if you’re not likely to work with the public sector, Cyber Essentials certification is a great way to demonstrate to customers and potential partners that you’re serious about protecting their data.

3. Use an active protection tool 

As we’ve said throughout this piece, maintenance is key to good cyber hygiene. But that doesn’t mean you have to set aside a day each month to check your defences are in order. There’s a far simpler, less time-consuming way to achieve the same thing.

The CyberSmart Active Protect scans your company devices 24/7, checking for updates, firewalls and security measures. If anything’s configured incorrectly or out-of-date Active Protect lets you know, allowing you to fix issues in a couple of clicks. And, to make sure your people stay safe, Active Protect lets you check on the individual status of their devices, and distribute company security policies across them.

Practising good cyber hygiene is a necessary part of modern business. But, as we’ve hopefully demonstrated, it doesn’t need to be time-consuming, complex or costly. So why not get started today? After all, where’s the harm in a check-up?

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.