Cybersecurity

Types of cyberattacks

A cyberattack is a malicious and deliberate attempt to access and disrupt your computers and networks and steal data.

Here are some of the most common types of cyberattacks:

• Advanced persistent threats are a type of attack where a hacker gains access to your computer or network over a long period of time to collect and steal information. Making sure your software and operating systems are up to date can help prevent this type of attack.
• Phishing emails try to trick you or your employees into ‘doing the wrong thing’, such as clicking a dodgy link and downloading malware. There are lots of things you can do to prevent phishing attacks. Email filtering software that automatically flags or blocks suspicious emails is one solution. You should also train your employees to spot and report any suspicious emails.
• A password attack is when a hacker steals your passwords in order to access your systems. You should never share your passwords. Setting strong passwords and changing them regularly are also effective ways to prevent password attacks.
• A denial of service attack is when a hacker floods your servers with requests in order to make your services or website inaccessible. This can lead to reputational damage and loss of income. The National Cyber Security Centre provides advice on how to prevent and respond to denial of service attacks.
• A malware attack can cause damage in a number of ways, such as by stealing your data or taking control of your devices. Malware is often downloaded onto your device or network by clicking on suspicious links. Installing up to date anti-malware software can help prevent this type of attack.

Cyberattacks are getting more complicated, so it’s important you know how to identify and prevent them. The National Cyber Security Centre publishes weekly reports about the latest online threats that businesses face.

How to prevent cyberattacks

There are a number of practical and low-cost actions you can take to protect your business from a cyberattack.

• Regularly back-up your data, particularly if it’s business critical. Store your back-ups securely, such as on a separate drive or in the cloud. You should also limit access to your data to essential members of staff only.
• Install anti-virus software and make sure you keep it up to date. You should also keep all your IT equipment and operating systems up to date.
• Make sure you take steps to secure other devices such as smartphones and tablets.
• A strong password policy is important. A strong password should include a combination of letters, numbers and special characters. It shouldn’t be easy to guess. Change your passwords regularly and never share them.
• Provide training so that your employees know how to spot and report potential cyberattacks.

The National Cyber Security Centre provides a five-step guide to help small businesses improve their cyber resilience.

The Cyber Essentials Scheme

What is the scheme?

Cyber Essentials is a government-backed cybersecurity certification scheme for small businesses. Its goal is to set out the basics of cybersecurity and help your business through the process of self-protection against cybersecurity risks.

Cyber Essentials covers all the basic security weaknesses that your business might have in its IT systems and software. It works on the basis that straightforward but robust measures can have a big impact when it comes to external cybersecurity risks.

Cyber Essentials certification can help show your customers and partners that you are serious about cybersecurity. It can also save you money because it may cost less to insure your business if it has Cyber Essentials certification.

Requirements for certification

You must meet five requirements for Cyber Essentials certification:

• Firewalls: Computers and network devices must be protected by a correctly configured firewall (or equivalent network device). This will help protect your network and devices, and ensure that only safe network services can be accessed from the internet.
• Secure configuration: Computers and network devices must be properly set up and configured to reduce their vulnerability to cyberattack.
• User access control: Employees’ access to software, settings, online services and devices should be at the lowest level necessary for them to perform their roles. You should only grant additional access to employees who need it.
• Patch management: Software on all devices must be kept up to date to ensure that they are not vulnerable to known security issues for which fixes are available. You should remove software that is no longer supported or updated from your devices.
• Malware protection: Every device must be protected against viruses and other malware.

What is the certification process?

You can choose any accredited certification body to manage your Cyber Essentials certification.

There are two levels of Cyber Essentials certification available – Cyber Essentials and Cyber Essentials Plus. The standards that your business must meet are the same for both levels, but the assessment methods are different.

Once the certification body is satisfied that your business has fulfilled all the requirements, they will approve the certification and send the official certificate together with brand guidelines for using the Cyber Essentials certification logo. The certificate lasts for a period of 12 months, after which your business must seek recertification.

For more information, and to a view directory of certification bodies, go to www.cyberessentials.ncsc.gov.uk/getting-certified.

Download this guide

DISCLAIMER While all reasonable efforts have been made, the publisher makes no warranties that this information is accurate and up-to-date and will not be responsible for any errors or omissions in the information nor any consequences of any errors or omissions. Professional advice should be sought where appropriate.