Cyber Essentials Requirements – Your Guide to Getting Certified

If you’re considering getting Cyber Essentials certified, you’re taking an important step towards fundamental cyber security preparedness. This UK government-backed scheme can help every size of organisation achieve a minimum standard of cyber security.

This comprehensive Cyber Essentials requirements guide comes from our Head of Security, Jake Ives, who regularly helps businesses achieve certification. Below, Jake gives an overview of the scheme and its requirements, answers some of the most frequently asked questions and talks about the latest 2025 updates.

What is Cyber Essentials?

Cyber Essentials is the UK government’s way of helping businesses protect themselves from hackers. Think of it as a cyber security MOT for your company.

It comes in two tiers. For basic Cyber Essentials, you fill out a detailed questionnaire about your security setup, and an assessor checks your answers. Cyber Essentials Plus includes everything from the basic level, plus hands-on technical testing where assessors actually scan and audit your systems to verify the controls are working in practice.

If you pass the Cyber Essentials requirements, you get a certificate that’s valid for a year. It’s become more or less essential for winning government contracts and shows clients you take cyber security seriously.

You can attempt the certification process yourself or get help from a provider such as Intersys, which offers a Cyber Essentials Assessment Service.

How effective is Cyber Essentials?

The scheme has a proven track record of enabling cyber resilience – organisations that have Cyber Essentials controls make 92% fewer insurance claims. It’s also a reliable supply chain tool that can bolster cyber security across entire supply chains and assure organisations of the cyber security standards of their suppliers.

While it doesn’t make an organisation bulletproof, it mandates a foundational level of security that every UK business should have in place to ensure that they are protected from common threats. Without the controls in place, a business is at risk from even the most basic of threats.

The Cyber Essentials framework is well known, trusted and, when completed in full and with accuracy, will improve your security posture and provide your customers with peace of mind.

How long does it take to complete Cyber Essentials?

It varies, depending on whether a foundational layer of security already exists and how well the IT estate is configured.

We’d recommend first logging what devices, software and cloud apps your business uses. Then, come to a Cyber Essentials assessment expert such as Intersys for an in-depth audit.

In our case, the combined knowledge of our infrastructure and security teams will put you in the best place to pass quickly. We can also explain everything to you in plain language and provide cost-effective, smart solutions.

How hard is it to get a Cyber Essentials certification?

The Cyber Essentials requirements in the framework are achievable for businesses of all sizes. However, an initial gap analysis engagement is always recommended to ensure you’re ready to take the assessment.

For example, if you can’t centrally manage your devices, or report on the status of those devices, you cannot guarantee the presence of important controls such as BitLocker or password policies – or verify if those controls are implemented in a consistent manner across devices. Also, if you don’t know your assets or can’t properly track your user accounts that exist across the systems in your IT estate, you’ll struggle to provide comprehensive answers. In these scenarios, achieving Cyber Essentials is going to be difficult and will require some work.

For non-technical users taking the assessment, knowing how and where to start is easier said than done. This is why I’d recommend involving an IT partner to help you prepare.

What are the components of Cyber Essentials?

There are five areas:

Firewalls: Firewalls block unauthorised access to and from private networks, but they’re only effective when firewall rules are correctly configured to control who can access your systems and where users can browse.

Secure configuration: Secure configuration involves setting up computers and network devices to reduce vulnerabilities and provide only necessary services, which prevents unauthorised actions and ensures devices reveal minimal information to potential attackers.

Security update management: Regular patching and updating of all software including third party software and applications is essential because once vulnerabilities are discovered and made public, threat actors can rapidly exploit them to gain unauthorised access.

User access control: Access control restricts system and data access on a “need-to-know” basis, which minimises the risk of information misuse and limits the damage an attacker can cause if they compromise a legitimate user account.

Malware protection: Anti-malware software or whitelisting defends against malicious software that can steal sensitive data, corrupt files or deploy ransomware, potentially saving organisations significant money and protecting their reputation from cyber attacks.

How can I know if I am ready to get assessed?

If you agree that the following statements are correct for your organisation, you could meet the Cyber Essentials requirements and consider taking an assessment.

How to prepare for Cyber Essentials?

The Cyber Essentials framework adapts to the current IT threat landscape and is therefore always changing. What’s important is to distinguish between written policies and actual technical controls.

It is true that some of the Cyber Essentials requirements can be satisfied by creating written policies. However, IT leads in an organisation need to ask themselves, ‘Do I really have the time to be going around to every machine every day to validate that updates are installing, users are not running as an administrator, and that Adobe Reader and other software is up to date?’ Technical controls are a must if an organisation wants to comply with the framework without requiring too much manual labour.

How do I apply for Cyber Essentials?

First, choose between basic Cyber Essentials or opt for both Basic & Plus. Once you have the basic certification, you may then take the Cyber Essentials Plus certification within three months of passing the basic. Then, find an IASME-approved certification body – or a cyber security provider working with an IASME-approved body – and register and pay. You then need to complete the online self-assessment questionnaire covering the five security controls.

The assessment takes about an hour if you come prepared. (You can download a free question set in advance from the IASME website to prepare answers before applying.) You receive results within three days and the certificate is valid for 12 months.

Why should I use a professional Cyber Essentials assessment service?

UK government statistics reveal that 44% of British enterprises struggle with fundamental and advanced technical competencies. These organisations don’t possess the assurance needed to execute the essential procedures outlined in the government-backed Cyber Essentials framework.

This matches up with our experience. Numerous companies abandon the Cyber Essentials application before completion. As a result, they exceed the three-month completion deadline – forcing them to restart the entire process or abandon their certification efforts entirely. Also, many organisations struggle to understand the technical expertise required to implement Cyber Essentials Plus assessors’ guidance. Their certification attempts subsequently stagnate.

While it may seem obvious, countless businesses also overlook renewal deadlines and forfeit their certification status. This is precisely why engaging our expert team to oversee the entire process through our Cyber Essentials evaluation service delivers genuine value.

We’ve helped many organisations prepare for and pass Cyber Essentials by providing thorough gap analysis and suggesting cutting-edge tools and mechanisms to achieve compliance without breaking the bank.

For organisations with a good foundational layer of security in place already, we typically recommend just a day of consultancy to have our security team assess your organisation. Further to this, we then help you fill out your questionnaire and answer any questions you have before submitting your answers.

What happens if I fail Cyber Essentials?

If your organisation does fail to meet the Cyber Essentials requirements, you are allowed two working days to examine the feedback from an assessor, fix the identified issues, update your answers and resubmit your application without additional cost. If you fail the resubmission, you’ll need to start the entire process again with a new application and payment.

It’s always better to be prepared and not fail – Intersys helps organisations of all sizes get ready for the assessment by running a mock audit and suggesting ways to improve security and mitigate vulnerabilities.

I’ve worked with organisations that previously took the assessment and failed due to not having many of the controls in place. They subsequently reached out to us for assistance, and we conducted a one-day assessment to get them to a better place and ultimately pass.

Why does Cyber Essentials keep updating?

The Cyber Essentials framework keeps changing because it needs to accurately reflect the current cyber landscape. As new threats emerge, it’s important that organisations are prepared to deal with them. Sometimes a threat becomes so prevalent that a framework will include it as a standard.

What is the Cyber Essentials 2025 Update?

For Cyber Essentials Basic

The changes are quite minor and most of the focus is on modernising the terminology and definitions. For example, the word ‘plugins’ is changing to ‘extensions’ for better accuracy.

References to home working have been changed to home and remote working, because working from home is more or less the same as working from a café, or airport, where you’re not going to be able to confirm if the router adheres to Cyber Essentials standards, just as you wouldn’t be able to confirm it for every employee’s home router either.

There is a new reference to passwordless authentication standards, as this has become more commonplace in the last 12 months. Passwordless authentication is a way of securely logging into your accounts without using a password. This technology uses other entry points such as passkeys, fingerprints or face scans. What this does potentially suggest is that one day the framework will favour this method over a password, and may introduce stronger complexity requirements on passwords.

The reference to patches fixes will change to ‘Vulnerability Fixes.’ Vulnerability fixes will also include ‘registry fixes, configuration changes and running scripts’ if the vendor of software is unable to provide official patches within the mandated 14-day period. This means that IT professionals need to spend more time on the lookout for emerging threats and remediations published by third parties, since the vendor themselves may not publish the remediation officially within the 14-day period. The rule is basically saying, ‘Fix it somehow within 14 days, even if the vendor hasn’t.’
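The 14-day rule above, together with the earlier point about not visiting every machine by hand, lends itself to an automated check over a device-management export. The following is an added example, not code from the original article or from the Cyber Essentials scheme. The inventory records, the field names and the choice to start the 14-day clock at the date a vulnerability was published are assumptions.

```python
from datetime import date

FIX_WINDOW_DAYS = 14  # the 14-day period quoted in the article
# Remediation routes the article lists: official patch, registry fix,
# configuration change, script.
ACCEPTED_METHODS = {"vendor-patch", "registry-fix", "config-change", "script"}

# Constructed sample export. Field names, products and dates are hypothetical
# and are not taken from any real management product or advisory.
INVENTORY = [
    {"device": "LAPTOP-01", "bitlocker_on": True, "user_is_local_admin": False,
     "vulnerabilities": [
         {"product": "Adobe Reader", "published": "2025-05-01",
          "remediated": "2025-05-09", "method": "vendor-patch"}]},
    {"device": "LAPTOP-02", "bitlocker_on": False, "user_is_local_admin": True,
     "vulnerabilities": [
         {"product": "Example PDF Tool", "published": "2025-05-01",
          "remediated": None, "method": None}]},
    {"device": "DESKTOP-03", "bitlocker_on": True, "user_is_local_admin": False,
     "vulnerabilities": [
         {"product": "Example VPN Client", "published": "2025-05-05",
          "remediated": "2025-05-12", "method": "registry-fix"},
         {"product": "Example Browser", "published": "2025-05-20",
          "remediated": None, "method": None}]},
    # This device reports no encryption status at all.
    {"device": "LAPTOP-04", "user_is_local_admin": False, "vulnerabilities": []},
]


def fix_status(vuln, today):
    """Classify one vulnerability record against the 14-day window."""
    published = date.fromisoformat(vuln["published"])
    if vuln.get("remediated"):
        if vuln.get("method") not in ACCEPTED_METHODS:
            return "unverified"  # marked fixed, but no recognised method recorded
        taken = (date.fromisoformat(vuln["remediated"]) - published).days
        return "ok" if taken <= FIX_WINDOW_DAYS else "late"
    age = (today - published).days
    return "overdue" if age > FIX_WINDOW_DAYS else "open"


def audit_device(record, today):
    """Return a list of findings for one device; an empty list means clean."""
    findings = []
    # A control that is not reported cannot be evidenced, so absence is a finding.
    for field in ("bitlocker_on", "user_is_local_admin"):
        if field not in record:
            findings.append(f"{field}: not reported")
    if record.get("bitlocker_on") is False:
        findings.append("bitlocker_on: disk encryption is off")
    if record.get("user_is_local_admin") is True:
        findings.append("user_is_local_admin: everyday account has admin rights")
    for vuln in record.get("vulnerabilities", []):
        status = fix_status(vuln, today)
        if status in ("overdue", "late", "unverified"):
            findings.append(f"{vuln['product']}: {status}")
    return findings


def audit_estate(inventory, today):
    """Map device name to findings, listing only devices that have findings."""
    results = {rec["device"]: audit_device(rec, today) for rec in inventory}
    return {device: found for device, found in results.items() if found}


if __name__ == "__main__":
    for device, found in audit_estate(INVENTORY, date(2025, 5, 28)).items():
        print(device, found)
```

A fix applied through a registry change counts the same as a vendor patch here, which mirrors the "fix it somehow within 14 days" reading given above.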

For Cyber Essentials Plus

1. Evidence must be kept all year

Auditors now have to keep all their evidence and documentation for the full 12 months your certificate is valid, not just during the assessment. This means your questionnaire answers better be spot-on because there’s a permanent paper trail that could be reviewed at any time.

2. Partial scope gets stricter checking

If you’re only certifying part of your business (not the whole company), auditors must now verify that the excluded parts are properly isolated from the certified areas. They need to confirm your IT networks and systems are genuinely separated – no more taking your word for it.

3. One-size-fits-all approach

The assessment guidelines used to say procedures were “illustrative” (meaning flexible). That word’s gone. Now every business gets exactly the same rigorous assessment process whether you’re a two-person startup or a 200-person company – auditors can’t adapt or go easier on smaller businesses anymore.

Basically, Cyber Essentials Plus just got more thorough and less forgiving across the board.

Intersys is a cyber security provider with almost three decades in the industry and a track record helping organisations achieve Cyber Essentials Basic and Cyber Essentials Plus. As part of a comprehensive service, we can guide you all the way through your assessment, undertake any remedial action and handle document submission. See our Cyber Essentials Assessment Service page for more on our process and costs – or contact us now.

Cyber Security Frameworks Comparison: A Complete Guide

In today’s complex threat landscape, organisations need structured approaches to manage their cyber security risks. This comprehensive guide compares the most widely adopted cyber security frameworks, helping you make an informed decision for your organisation.

Whether you’re looking to start a tendering process for a government contract, preparing for an external audit or simply keen to look at best practice standards for cyber security, you’ll find a good baseline of information here.

In our cyber security frameworks comparison, we focus on six leading frameworks that are the most widely used – CIS Cyber Security Framework, NIST CSF 2.0 (the most recent version), ISO/IEC 27001:2022 (the most recent version), Essential 8, Cyber Essentials Plus and IASME Cyber Assurance.

What is the CIS Cyber Security Framework?

In any cyber security frameworks comparison, the Center for Internet Security (CIS) Controls framework stands out for its practical approach. This American standard has gained international recognition and is now used globally. While it was initially developed through collaboration with US government agencies and private sector experts, organisations worldwide have adopted these controls due to their practical, risk-based approach.

The Center for Internet Security (CIS) Controls framework provides 18 prioritised safeguards organised into three implementation groups tailored to different types of organisations and their risk profile.

This framework is particularly notable for its “defense-in-depth” approach and practical implementation guidance.

The updated version, CIS Controls v8, was created to reflect the latest developments in systems and software. It factors in developments such as the move to cloud-based computing, virtualisation, working from home and constantly changing attack strategies. You’ll find actionable ways to prevent the most common attacks, making it highly practical for organisations of all sizes.

Key features:

What is the NIST cyber security framework?

The National Institute of Standards and Technology (NIST) is an American government agency responsible for creating internationally competitive measurement standards for the nation’s industries.

It also develops cyber security standards, guidelines, best practices and comprehensive resources. It has been publishing the NIST Cybersecurity framework since 2014.

Cybersecurity Framework (CSF) 2.0 (last updated in February 2024) is the newest and most comprehensive version yet.

Version 2.0 is aimed at a much wider audience including all types of organisations and industry sectors regardless of their cyber security resources.

The updated framework is now organised around six (instead of the earlier five) core functions: Govern (the latest addition), Identify, Protect, Detect, Respond and Recover. The new governance function focuses on how “… the organisation’s cybersecurity risk management strategy, expectations and policy are established, communicated and monitored.” The idea is that governance actions are crucial for incorporating cyber security into an organisation’s wider enterprise risk management (ERM) strategy.

NIST CSF 2.0 introduces enhanced guidance on governance, supply chain risk management, and cyber security metrics.

Here’s a quick run-through of the six core functions of CSF 2.0:

  1. GOVERN: This strategic function has been added to oversee the other five core functions. It looks at how cyber security is understood and catered to in the wider organisational context. Focus areas include “… the establishment of a cyber security strategy and cybersecurity supply chain risk management; roles, responsibilities and authorities; policy; and the oversight of cyber security strategy.”
  2. IDENTIFY: Focuses on developing organisational understanding to manage cyber security risks to systems, assets, data, and capabilities. This includes inventorying assets; understanding the business context; identifying threats, vulnerabilities and risks; establishing policies and determining risk tolerance levels to support operational resilience.
  3. PROTECT: Outlines appropriate safeguards to ensure delivery of critical infrastructure services. This includes implementing access control, awareness training, data security, information protection processes, maintenance, and protective technology to limit and contain the impact of potential cyber security events.
  4. DETECT: Defines activities to identify cyber security events in a timely manner. This includes implementing continuous monitoring capabilities, establishing anomaly detection processes, and ensuring effective detection methods to maintain awareness of unusual activity that could signal security incidents.
  5. RESPOND: Details appropriate actions to take when a cyber security incident is detected. This includes maintaining response planning processes, establishing communications protocols, conducting analysis, implementing mitigation procedures, and incorporating improvements based on lessons learned from incidents.
  6. RECOVER: Identifies appropriate activities to maintain resilience and restore capabilities or services impaired by cyber security incidents. This includes recovery planning, implementing improvements based on lessons learned and coordinating restoration activities with internal and external stakeholders. 

Key features:

What is the ISO 27001 cyber security framework?

ISO/IEC 27001 is arguably the world’s best-known standard for information security management systems (ISMS). According to an ISO survey, over 70,000 certificates have been issued in 150 countries across a wide range of economic sectors.

The framework enables organisations to create, implement, operate, monitor, review, maintain and constantly improve their information security management system (ISMS).

In 2022, ISO 27001 and its supplementary standard 27002 (which is part of the wider ISO 27001) were both updated to the newer ISO/IEC 27001:2022.

The update no longer refers to the framework as a “code of practice,” but rather a reference set of information security controls. ISO/IEC 27001:2022 is also much longer than the 2013 version with several controls having been reordered and updated.

The framework takes a systematic approach to managing sensitive company information, focusing on people, processes, and technology. The accompanying ISO 27002 provides detailed implementation guidance for security controls.

Key features:

What is the Essential Eight cyber security framework?

Developed by the Australian Signals Directorate, the Essential Eight framework provides a prioritised list of mitigation strategies to help organisations protect against cyber threats. This framework is notable for its simplicity and focus on high-impact security controls.

It’s important to remember that this framework provides a minimum set of preventative measures and organisations may need to use further measures depending on their maturity model and unique environments.

What are the Essential Eight?

These are the eight mitigation strategies covered by the framework:

  1. Patch applications
  2. Patch operating systems
  3. Multi-factor authentication
  4. Restrict administrative privileges
  5. Application control
  6. Restrict Microsoft Office macros
  7. User application hardening
  8. Regular backups

Key features:

What is the Cyber Essentials Plus cyber security framework?

Cyber Essentials Plus is a UK government-backed scheme that helps organisations protect against common cyber threats. The UK’s National Cyber Security Centre describes Cyber Essentials as the minimum standard of security that all UK organisations should aim for. 

Cyber Essentials basic is a self-assessment certification. Think of it as a basic cyber security health check, in which your organisation must verify that it has fundamental security controls across five key areas:

  1. Firewalls
  2. Secure configurations
  3. User access control
  4. Malware protection
  5. Security updates

Cyber Essentials Plus includes everything in the basic certification but also adds the requirement for independent technical verification. Independent, certified assessors carry out vulnerability testing, system scans and on-site security assessments to check whether your organisation’s controls work as they should.

Key features:

What is the IASME Cyber Assurance cyber security framework?

The IASME Cyber Assurance framework is a more affordable alternative to the ISO 27001 certification aimed at smaller organisations. It is extensive and adaptable and shows an organisation’s commitment to several key cyber security, data protection and privacy measures.

There are two levels of certification offered: Level One Verified Assessment and Level Two Audited.

The audited IASME Cyber Assurance certification is widely recognised by many industries as an alternative to ISO 27001 for smaller organisations.

This risk-based cyber security framework is divided into 13 themes. Organisations need to ensure that they meet the requirements for all the themes before they can be certified against the standards.

Key features:

Which cyber security framework is best for my organisation?

Our Head of Security Jake Ives says, 

“When clients come to me and say they are looking for a specific framework, I usually have a chat with them to discuss their specific needs to work out what is best suited for their organisation. 

“It’s got to be proportionate to the size of their business. Other key factors to consider include the organisation’s location, sector, and whether they have the foundational controls already in place or not.

“For instance, they may want a NIST framework gap analysis – which is quite a mature framework – but if they’re a small company, it may not be proportionate and could work out to be quite expensive and they might be better off going for Cyber Essentials instead.

“On the other hand, if their organisation is quite mature and belongs to a highly regulated sector such as pharmaceuticals, they will need a more mature cyber security framework such as ISO 27001. Having that initial chat with your cyber security provider can help you decide which framework is best suited for your organisation’s needs.”

Best cyber security frameworks for small businesses

Small businesses typically benefit most from frameworks that emphasise fundamental controls and offer straightforward implementation guidance:

Best cyber security frameworks for SMEs

Medium-sized enterprises need more comprehensive frameworks that can scale with growth:

Best cyber security frameworks for enterprise organisations

Large enterprises require comprehensive frameworks that address complex security needs:

Best cyber security frameworks for highly regulated industries

Organisations in regulated sectors need frameworks that emphasise compliance and risk management:

Key framework comparisons

NIST vs. Cyber Essentials Plus

While both frameworks aim to improve cyber security, they differ significantly in scope and depth:

ISO 27001 vs. NIST

These frameworks take different approaches to security:

Making your decision

When selecting a cyber security framework, consider:

  1. Your organisation’s size and complexity
  2. Regulatory requirements
  3. Available resources and expertise
  4. Business objectives and risk tolerance
  5. Industry requirements and expectations

Remember that frameworks can be complementary, and many organisations benefit from implementing multiple frameworks in a layered approach.

Start with the framework that best matches your immediate needs and mature your security programme over time.

The most effective approach is often to begin with a simpler framework and gradually incorporate elements from more comprehensive frameworks as your organisation’s security maturity grows.

At Intersys we offer an end-to-end Cyber Essentials basic and Cyber Essentials Plus assessment service. We’ll take you through the entire process right from initial assessment, remedial action to help you achieve certification, organising the audit (in case of Cyber Essentials Plus) and the actual application process itself.

Intersys Welcomes Claire Geyman as Director of Finance and Commercial Excellence

We are delighted to welcome Claire Geyman as our Director of Finance and Commercial Excellence and the newest member of the Intersys Leadership Team.

Her arrival dovetails with our cyber security and IT business’ current expansion drive and she will play a central role in implementing our long-term growth strategy.

Claire comes to Intersys with an impressive track record. She previously worked at Coloplast UK as Head of Finance and Commercial Excellence for North Europe Region. As a member of the senior leadership team, her remit included everything from managing the finance function to commercial excellence and overall company strategy. Her role there spanned 14 countries, six reporting units and seven different currencies.

Claire’s duties at Intersys will include overseeing finance operations as well as informing business strategy, fine-tuning operating models and creating efficiencies through data-driven decision-making.

Embracing Intersys’ values and vision

Claire says she is looking forward to meeting everyone at the Bourne Court and Leadenhall Market offices over the coming weeks.

She says, “I’m thrilled to join the Intersys family and collaborate with an exceptional team. Intersys’ core values of trust and integrity really resonate with me and what I’ve held dear in my previous roles.”

Intersys started back in 1997 as a one-man IT support service and has grown into a full-service cyber security and IT provider with a team of over 50 employees. From the beginning, we built our business on a ‘Service Not Sales’ ethos, bringing genuine value to partners, many of whom have been with us for 10, 20 and even 25 years.

We’ve recently expanded into Leadenhall Market and have global partnerships in India, Australia, New Zealand and several other territories.

This growth highlights our increasing influence in providing cyber-secure IT solutions and specialised cyber risk services for the BFSI (Banking, Finance and Insurance) sector. Claire is joining her fellow Geyman family members – Matthew, Catherine and husband Richard – at Intersys.

Multinational financial and commercial expertise

Claire brings a wealth of experience in finance and commercial excellence to Intersys. She holds a BSc in Economics and German and is fluent in the language. She started her career working in German operations for multinational organisations before qualifying as an accountant. Her career has included senior finance roles in various blue-chip corporations, eventually leading to her previous role as Head of Finance and Commercial Excellence at Coloplast.

With Claire’s senior expertise, Intersys is well-positioned to continue its growth and offer exceptional IT managed services and cyber security solutions to clients worldwide.

Q&A with Claire

What leadership principles do you value the most?

I always begin any new venture by aiming high. For me, success starts by setting ambitious standards and following this principle has helped me achieve my goals. The next key value is integrity – it’s a non-negotiable one for me. People can expect openness and honesty from me, and I encourage everyone I work with to follow the same principles.

I also value continuous improvement and learning. It doesn’t matter how skilled or experienced you are, there’s always room for growth and improvement.

Another key principle for me is to simplify at all levels. In my own career, I’ve seen where complexity can slow everyone down, and I strongly believe that it’s important to streamline what we’re doing and only focus on what matters most.

And finally, probably one of the most important principles for me is inclusivity. I really believe that the best ideas and decisions come when everyone feels included and listened to.

Name a personal accomplishment that you’re particularly proud of.

Not many people know this about me, but I was a surrogate mother to my sister’s two children. So, I have two children of my own and I carried both my sister’s children as well because she couldn’t carry her own. It’s one of the highlights of my life.

Give us one random fact about yourself.

I’m currently doing a mindfulness and meditation course at a Buddhist centre. It’s the perfect antidote to the stresses of modern life!

World Data Protection Day 2025: Data Protection Tips from Intersys

“Data is the DNA of modern life…” said Technology Secretary Peter Kyle recently and the debate over who collects our data and what they do with it is set to intensify over the coming months.

As Kyle rightly said, “[data] …quietly drives every aspect of our society and economy without us even noticing – from our NHS treatments and social interactions to our business and banking transactions.”

He made the comments while unveiling the government’s new Data Use and Access Bill which promises to reform existing data protection regulation, focusing on harnessing data’s power to improve public services and the economy. It’s also expected to include more controls around special category data, for example.

But exactly how secure is your data when you post a video on TikTok, click on a news article within Facebook or install a cheap doorbell camera?

Data privacy concerns here in the UK are skyrocketing.

The Information Commissioner’s Office dealt with over 36,000 data protection complaints last year alone. 55% of people reported a data breach and 69% reported these breaches negatively affecting their lives, leading to loss of trust, emotional distress and financial loss.

To mark World Data Protection Day on 28 January, we asked Intersys’ Head of Security Jake Ives for his top tips on staying secure.

While the Intersys blog has plenty of advice for organisations and businesses about online safety, in this instance we’d like to share useful tips for individuals on how they can keep their data protected online.

Jake’s online safety tips for home users 

Only enter information on sites that begin with https://

Entering information on a website that isn’t equipped with TLS/HTTPS means that your interactions could be intercepted by someone else on the network. This could be particularly risky when you’re connected to a public network. It’s also important to ensure you’re connected to the right website. 

Look closely at the address bar and scan for typos and other odd characteristics. For example, login.microsoftonline.com is the official login page for Microsoft 365, but login(dot)mcrosoftonline(dot)com isn’t (note the missing i).

Just because a website is equipped with an SSL certificate, it doesn’t necessarily mean it’s the real website. If in doubt, use a service like the virustotal.com URL checker or the Google Safe Browsing site status validator to validate the legitimacy of a website.
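The address-bar check described above can be automated for the sites you rely on. The following is an added example, not code from the original article: it compares a URL's hostname with an allowlist and flags near misses such as the missing-i address mentioned above. The allowlist contents, the function names and the distance threshold of 2 are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist. The first hostname is the one the article names;
# replace the rest with the sites you actually sign in to.
TRUSTED_HOSTS = ("login.microsoftonline.com", "www.virustotal.com")


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[-1][-1]


def check_url(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Classify a URL's hostname as 'match', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in a bare address
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    # Non-ASCII or punycode labels can render like Latin letters in the address bar.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("non-ascii-or-punycode")
    result = {"host": host, "verdict": "unknown", "resembles": None,
              "warnings": warnings}
    if host in trusted:
        # A valid certificate alone proves nothing; the name itself must match.
        result["verdict"] = "match"
        return result
    for good in trusted:
        # A trusted name used as the leading labels of a different domain.
        if host.startswith(good + "."):
            result.update(verdict="lookalike", resembles=good)
            return result
    nearest = min(trusted, key=lambda good: edit_distance(host, good), default=None)
    if host and nearest and edit_distance(host, nearest) <= max_distance:
        result.update(verdict="lookalike", resembles=nearest)
    return result


if __name__ == "__main__":
    # The article's defanged example, re-fanged only in memory for the check.
    typo = "https://login(dot)mcrosoftonline(dot)com/".replace("(dot)", ".")
    for candidate in ("https://login.microsoftonline.com/", typo,
                      "http://login.microsoftonline.com/",
                      "https://intranet.example/"):
        print(check_url(candidate))
```

An "unknown" verdict only means the hostname is not close to anything on the allowlist; it says nothing about whether the site is safe.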

Use DNS over TLS to encrypt your DNS queries and increase your privacy (Quad9 and Cloudflare offer a free, reliable service).

Use this to protect privacy and prevent hackers from eavesdropping on DNS requests and responses. Taking this precaution will ensure that your ISP (internet service provider) won’t be able to see what sites you’re trying to access. This helps to protect against man-in-the-middle attacks where hackers can intercept and manipulate your internet traffic and send you to phishing sites.
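What DNS over TLS puts on the wire, as an added example that is not part of the original article: an ordinary DNS query is length-prefixed and sent inside a TLS session to port 853, and the resolver's certificate is checked against its published name before anything is sent. The resolver addresses and certificate names are the public ones for Quad9 and Cloudflare; the function names and the sample lookup are constructed for illustration.

```python
import socket
import ssl
import struct

# Resolver IP and the certificate name to verify for the two providers named above.
RESOLVERS = {
    "quad9": ("9.9.9.9", "dns.quad9.net"),
    "cloudflare": ("1.1.1.1", "cloudflare-dns.com"),
}
DOT_PORT = 853  # assigned to DNS over TLS by RFC 7858


def build_query(name, query_id=0x1234, qtype=1):
    """Encode a recursive DNS query in wire format (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def frame(message):
    """DoT reuses DNS-over-TCP framing: two-byte big-endian length, then the message."""
    return struct.pack("!H", len(message)) + message


def _skip_name(msg, pos):
    """Return the offset just past an encoded name (labels or a compression pointer)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer always ends the name
            return pos + 2
        pos += 1 + length


def parse_a_records(msg):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addresses


def _recv_exact(sock, count):
    """Read exactly count bytes or fail; TLS records need not align with DNS messages."""
    data = b""
    while len(data) < count:
        chunk = sock.recv(count - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        data += chunk
    return data


def resolve_over_tls(name, resolver="quad9"):
    """Needs network access: look up A records over an authenticated TLS channel."""
    ip, auth_name = RESOLVERS[resolver]
    context = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((ip, DOT_PORT), timeout=5) as raw:
        with context.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


if __name__ == "__main__":
    # Offline part: the bytes that would travel inside the TLS session.
    print(frame(build_query("example.com")).hex())
```

Because `create_default_context()` enforces certificate and hostname verification, a device on the local network that answers on port 853 without the resolver's certificate causes the handshake to fail instead of receiving the query.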

Using your personal laptop/device on public WiFi? Make sure you use a VPN service that won’t collect logs.

Home devices aren’t secured to the same degree as devices managed by businesses. For instance, corporate policies won’t be rolled out to your personal machine to ensure that a Windows firewall is correctly configured and enabled. On a home device, it’s up to you to know how to correctly enable Windows firewall amongst other security measures. Therefore the safest option is to use a VPN when connected to public networks.

Use services like https://incogni.com/ to remove your information from public databases on the internet.

Remove your personal information where it exists in databases. Scammers and cold callers often use such databases to gather useful contact details.

Sign up for the Telephone Preference Service

Reduce spammy calls via your mobile/landline number by opting out of sales calls.

Use caller identification apps on your mobile device.

I highly recommend TrueCaller for identifying and blocking spam calls and texts.

Change your Wi-Fi password when you receive your router from your internet provider and do not disclose it to anyone.

The password your router shipped with is no doubt stored somewhere centrally. For enhanced security, I’d always recommend changing it to something unique.

Place IoT devices like cameras, Wi-Fi-enabled appliances and televisions on a guest network. Many consumer-grade routers include the ability to configure a guest network.

IoT devices are a risk, especially when they are sourced from a lesser-known brand. There is no guarantee that the devices will receive updates or that they comply with the fundamental basics of security.

My advice is to only source devices from well-known manufacturers and place these devices on a guest network, so they are segregated from the network you connect your computer to.

Log in to your router management interface (if applicable) and disable WPS (Wi-Fi Protected Setup) and UPnP (Universal Plug and Play).

WPS is inherently insecure even if it is convenient. It provides an easy way to connect to your devices by pressing a button on your router instead of needing to type in a password. Unfortunately, it is also particularly vulnerable to brute-force attacks.

Universal Plug and Play (UPnP) allows devices on the same local network to discover each other and establish functional network services. UPnP can create security vulnerabilities. It can open up your router’s firewall, making it easier for hackers to access your network. In today’s world, UPnP is often considered unnecessary and is frequently exploited by cybercriminals.

Update your device regularly, and use a tool such as Patch My PC: Home Updater to ensure all of your applications are kept up to date.

Your Windows or Mac computer may have received an update, but can the same be said about Adobe Reader or any of the other applications you have installed on your device? An up-to-date OS is great, but software that hasn’t been updated in over three years isn’t. It provides hackers with easy opportunities to exploit vulnerabilities in your systems.

Make sure that your home computer includes two accounts: one that runs with ‘standard’ access and another that is set up for ‘admin’ access when required.

Running all operations on your device using your administrator account increases your exposure and the potential of contracting ransomware.  Why? Because if you’re not prompted for a password every time you want to install new software (which is the case with admin accounts), it can be very easy to download something malicious without realising what you’re doing.

Enable multi-factor authentication on all the accounts you use, ensure every account you have uses a separate, unique password, and store these in a password management vault.

This is simply non-negotiable in 2025. Without this control, a cyber criminal who has managed to hack your password can log in to your account without facing any further checks.

If a deal is too good to be true, don’t trust it. And if something is free, you’re probably paying for it with your data.

Take that free VPN, for example: you’ve got to ask why it’s free. It could well be that the service is logging your internet traffic and selling it to make a profit.

Browser plugins/extensions are not always your friend. Stay vigilant and install only what is necessary.

Malicious browser extensions do exist.  In fact, 80 extensions were recently dropped from the Chrome extension gallery because they monitored user activity. Stay vigilant and only install extensions when completely necessary and if they’re provided by reputable businesses.

Be extra careful if you’re using a router that hasn’t been provided by your ISP (internet service provider). Avoid brands like TP-Link which are frequently susceptible to vulnerabilities.

If you’re not technical, the best thing to do is to stick with your ISP’s router. Resist the temptation to buy that cheap Chinese brand. Also, remember to read the reviews.

Never connect unknown peripherals like USB sticks and external hard drives to your computer.

These devices can contain infections that run automatically when inserted into your computer. Would you ever go to a fuel station and not look at what is displayed on the tank and risk fuelling your unleaded car with diesel? Use this analogy with unknown peripherals. If you don’t know what’s on it, don’t put it anywhere near your computer.

Choose  a business-grade device where possible, and avoid the cheaper devices sold by lesser-known brands.

That cheaper device may save you a couple of quid in the short term, but it may not have a trusted platform module or the ability to be encrypted.  You’ll wish you had spent more and bought one from a trusted brand when you forget your laptop on the train!

Cyber Security Year in Review 2024: Trends, Tips and Predictions from our Experts

As the year draws to a close, we chat to Head of Security at Intersys Jake Ives, for a full debrief of the last 12 months in cyber security. We’re looking at stories from the UK and beyond that have highlighted current and emerging trends in security. As always, we include solutions for the big threats out there. 

Whether it’s getting a detailed cyber security gap analysis or going for Cyber Essentials Plus certification, there are always steps that every organisation can take to stay protected.

Jake, what were the big cyber attack strategies on your scanner this year?

Ransomware as a tactic dominated the headlines this year, whether it was against NHS blood testing platform Synnovis or American health insurance giant UnitedHealth. The National Crime Agency has warned that it ‘[…] continues to be the most significant, serious and organised cyber crime threat faced by the UK’. Hackers are also turning to Ransomware-as-a-Service as a way to carry out advanced attacks without needing the technical know-how themselves.

The sophistication of phishing campaigns is another big one for me. Phishing is no longer restricted to just the traditional email. Attackers have increasingly used QR codes and SVG images to deliver malicious payloads, exploiting the trust users place in these formats. 

There was also the abuse of Microsoft Word’s file recovery feature where hackers sent corrupted Word documents as email attachments to bypass security software. Another strategy used in phishing scams was the abuse of clean URLs and services like TryCloudFlare (that are intended for genuine audiences) to deliver malware. Over the past six months, we’ve seen several types of  malware being distributed via clean URLs with open redirect flaws.

We also saw a significant uptick in man-in-the-middle and reverse proxy attacks where cybercriminals intercept and alter communications between two parties to steal sensitive information.

What’s worse, the availability of sophisticated cyber crime tools – e.g. phishing-as-a-service – has lowered the barrier to entry for cyber criminals. It’s allowing even less technically skilled attackers to launch effective phishing campaigns such as the above using ready-made tools and services.

Another trend that caught my eye was a sharp increase in SIM swapping. This is where scammers effectively take over your phone number by transferring it to their SIM card. This allows them to receive your texts, calls, and more importantly, any 2FA authentication codes which they use to change passwords and hack into emails and accounts. People must be aware that like phone call MFA, receiving your MFA codes via SMS text is no longer secure.

If you haven’t done so already, make sure to move to a more secure app-based MFA method such as Google or Microsoft Authenticator. You might also want to reach out to your phone operator and ensure that your account details are up to date and that all available security is implemented.

From a cyber criminal’s point of view, what made a vulnerable target in 2024?

Targeting third-party suppliers, whether software suppliers, hosting providers or data custodians, can be lucrative. This is because several organisations can be at the other end of a nondescript, third-party provider’s supply chain. Incidents involving third-party cloud storage platforms were prominent this year.

 Vulnerabilities in cloud storage services were exploited to access sensitive data from multiple organisations, highlighting the risks of relying on third-party providers. Just look at the AT&T data breach where records of calls and texts of AT&T customers were stolen by hackers. The data was stored on a poorly protected third-party cloud storage company, Snowflake. AT&T was one amongst several other companies including Ticketmaster and Santander that were affected by cyber attacks on Snowflake’s customer environments.

Which were the most disruptive cyber incidents of 2024?

  1. The Russian ransomware attack on the blood test management platform Synnovis was a stark reminder that poor cyber security can actually put lives in danger. The attack affected all of Synnovis’ IT systems and consequently disrupted clinical services including thousands of procedures and appointments across six NHS trusts. Medical records were left inaccessible and hospitals were unable to verify patients’ blood types. The NHS has become an easy target for threat actors as its cyber security is notoriously lax from decades of funding cuts and lack of modernisation. The recent updates to the NHS Data Security and Protection Toolkit, which will now align NHS England with the National Cyber Security Centre’s cyber assessment framework, are a welcome move. In a wider context, the new government’s Cyber Security and Resilience Bill is also expected to help secure national infrastructure by expanding its remit to include more digital services and supply chains.
  2. Across the pond, the healthcare sector was firmly within hackers’ sights as the UnitedHealth ransomware attack caused havoc in America’s private health insurance system. 100 million people were affected when the breach caused massive problems with claims processing. The incident also led to the tragic shooting of UnitedHealth’s CEO Brian Thompson. The fallout included a $22 million ransomware payment. UnitedHealth itself said that hackers had potentially stolen a third of America’s data. Hackers broke into a UnitedHealth server with compromised credentials including stolen passwords and emails. The mind-boggling fact here was that America’s biggest health insurance company didn’t use multi-factor authentication protection! Hackers were able to access the system using only basic login details. An absolutely shocking cyber security fail.
  3. The Transport for London (TfL) cyber attack led to the data of around 5,000 customers being hacked. Multiple services including contactless and Oyster payment systems were also affected. The hack cost TfL £30 million and some services such as the contactless systems have only recently been restored. 27,000 employees were asked to present themselves in-person to have their passwords changed and digital identities verified. What I found most intriguing about the incident was the arrest of a 17-year-old boy. Details are still sketchy about the exact attack strategy used and hopefully will emerge after the investigation is complete. I fear that sophisticated hacking tools are now making it easy for relatively inexperienced hackers to carry out complex attacks. You don’t need a degree in computer science to pull it off. Just an internet connection and a clear idea of what you want to do. TfL, just like the NHS, has suffered from long-term underfunding and attacks such as these highlight the importance of protecting our critical national infrastructure.
  4. Staying on the topic of critical national infrastructure, the lax security at the state-owned Sellafield nuclear waste facility was a real eye-opener for me. How could Britain’s most hazardous nuclear site have security so poor that a whopping 75% of its computer systems were susceptible to cyber attacks? The Office for Nuclear Regulation slapped an almost £400,000 fine and declared that information that could threaten national security was left exposed for years. When it comes to critical national infrastructure, regulatory bodies must insist on clear actionable steps that facilities must take to improve their cyber security. For instance, mandating twice-yearly penetration tests undertaken by two independent security providers would highlight any security gaps.

What key cyber security trends should we expect to see in 2025?

The rise and rise of malicious AI

I know I say this every year but AI-driven cyber attacks are only going to get more sophisticated and harder to spot. Until very recently I was advising clients to be on the lookout for telltale signs of a phishing email such as poor spelling and grammar, dodgy-looking logos or links. But now with the next generation of AI-powered phishing tools, it’s going to be fairly easy for hackers to create authentic-looking phishing emails that can sneak under the radar. Similarly, gone are the days when a green padlock symbol was the sign of a ‘safe’ site. It’s so easy to get SSL certificates now that even phishing sites sport them!

But this is where the emphasis on user awareness and education is going to become even more crucial in the new year. There are still some things that we should all be looking out for such as carefully inspecting the full URL rather than just looking at the first half of it.

But it’s certainly an arms race and threat actors have very sophisticated tools at their fingertips. That’s why getting basic cyber security in order is becoming essential.

Brace yourself for more state-sponsored attacks online

The impact of wider global conflicts is also going to be felt on our shores. We have seen how consistently cyber crime groups with ties to Russia, China and other hostile states have tested our security defences this last year. We should expect more of the same in 2025.

Britain’s cyber security chief Richard Horne has already warned that hostile activity in cyber space went up by 16% in 2024 alone.  These figures are worrying but there are steps that organisations of all sizes  can take to shore up their security.

I would recommend fundamental exercises such as gap analysis and cloud security reviews to understand your current security posture. Then implementing security controls such as DMARC (to prevent email spoofing) and conditional access policies in MS365 (to ringfence sensitive data and applications) is crucial. Regular penetration tests can also expose unknown security gaps in your systems and finally, a continued programme of user education and awareness is essential to ensure a culture of security within the organisation.

 Simple things like posting your personal political views on LinkedIn can give politically motivated hackers more of a reason to target you and your organisation. 

I’d also like to advise home users to be more careful when buying cheap IoT devices and placing these on the same network as their other network equipment. The security on some of these devices is often really poor and frequently responsible for opening backdoors in networks. Think twice about placing that cheap £15 camera on your network. Rotate your wireless keys, disable UPnP on your routers and use the guest network isolation functionality built into routers to place IoT devices onto this network.

In 2024, hostile state actors targeted Western organizations more aggressively. The KnowBe4 incident revealed a new employee’s device was compromised with malware by a fake IT worker from North Korea, despite rigorous hiring procedures. AI advancements now enable threat actors to create deep fakes and perform previously impossible tasks.

Passwordless authentication on the horizon

This one may not happen overnight but the idea that you should not have to rely on easily hackable passwords to log into your accounts is no longer theoretical. Windows Hello for Business uses biometrics or a PIN to allow users to log into their Windows devices. Google and Apple passkeys work similarly and all are more resistant to phishing and brute-force attacks. I’m expecting to see the healthcare, financial, manufacturing and Enterprise sectors as early adopters of this security measure as they are considered more vulnerable.

The need for cyber security audits

I anticipate that more organisations are going to see the benefit of engaging cyber security firms to conduct an in-depth security audit of their entire IT infrastructure. 

It’s a hugely important first step to understanding the current state of your cyber security, uncovering flaws and taking mitigation actions. For instance, a security audit can find out if any parts of an organisation’s services are unnecessarily exposed to the internet. 

This kind of intelligence can help organisations secure themselves from unauthenticated remote code executions (where hackers can remotely spread malicious code on a computer by connecting to it over public or private networks). 

We saw just such an attack this year in a critical SSH vulnerability. While in theory it could take a hacker two or three weeks to exploit this flaw, the organisations that had minimised their systems’ exposure to the internet in the first place were better protected.

The importance of being Cyber Essentials certified

If there’s one thing that organisations of all sizes can do right now to bolster their cyber security, it’s to get Cyber Essentials certification. The National Cyber Security Centre has made that quite clear in its annual review for 2024.

This government-backed scheme is a great starting point for protection against a variety of the most common cyber attacks. Getting this certification will ensure your systems have the right kind of technical controls in place to repel common types of phishing, malware, ransomware, password guessing and network attacks. For organisations looking for more in-depth protection, there is also the Cyber Essentials Plus certification which also includes a hands-on technical verification.

Research has shown that organisations who implement Cyber Essentials controls are 92% less likely to make a claim on their cyber insurance. A big part of my job is helping clients get Cyber Essentials certified through our comprehensive Cyber Essentials readiness and assessment service. We take the stress out of the whole process by managing it right from initial consultancy and implementing mitigation through to filling out the application. It’s a security measure that not enough people are taking seriously in my opinion.

Jake Ives is Head of Security at Intersys and is at the coalface of all things cyber sec from Microsoft 365 and Azure compliance and security to penetration testing, gap analysis, security research, systems analysis and monitoring.

Intersys offers comprehensive cyber security services ranging from Cyber Security as a Service and Security Operations Centre to ransomware response, security audits and penetration testing.

Get in touch today to find out how we can help.

Intersys Celebrates Office Launch in the Heart of London’s Insurance Hub

The Intersys team swapped headsets for wine glasses on a crisp November afternoon in Leadenhall Market, to celebrate the launch of our new City of London IT office in the heart of the financial district.

With around 100 guests, it was a packed day of rooftop photoshoots, client meetings, connecting with old friends and saying hello to new faces. We even managed to catch the Christmas Lights switch on by the Lord Mayor of the City of London! 

Thank you to everyone who came along to see us.

Our address at 29/30 Leadenhall Market EC3 puts us right on the doorstep of the insurance, (re)insurance and financial industries. We are just a stone’s throw from — or should we say within a clear Wi-Fi signal of — the Lloyd’s building. 

We are excited to be neighbours to existing clients such as ACORD, ACORD Solutions Group, Citadel, Dynamo, Ebix, Munich Re, ORIC, Pharmaceutical Captives and potential new partners in the Square Mile.

‘Back where it all began’

There was a real sense of coming full circle for our founder Matthew Geyman, who started his career as an underwriter in the City in 1993.

“I’m delighted to be back where it all began, with an office in Leadenhall Market. I believe our arrival is perfectly timed to help finance and insurance sector clients manage their digital transformation, repel evolving cyber threats and find profitable new ways of working.”

Special thanks to the wonderful hosts at Cheese Restaurant at Leadenhall Market for the great venue and fantastic food and drinks.

We couldn’t have asked for a better housewarming from our neighbours; and look forward to helping more partners in the City of London.

If you work in BFSI (banking, finance and insurance) sectors and need cyber security and IT solutions, visit the team in Leadenhall Market or get in touch with us here.

We have sector-specific knowledge that can bring informed insights to your challenges, helping you to develop cyber resilient IT. As a leading, London-based IT company we also serve all sectors across the capital. We look forward to meeting you!

A Home Away from Home: Supporting Children’s Hospice South West This Christmas

We are delighted to announce that our charity appeal for 2024 will be dedicated to supporting the extraordinary work of Children’s Hospice South West (CHSW).

This remarkable organisation offers hospice care to children and young people with life-threatening and life-limiting conditions from three different hospice locations across the South West Peninsula.

CHSW’s services extend far beyond end-of-life care. It provides essential practical and emotional support, aiming to improve the quality of life for children and their families. The hospice is truly a ‘home away from home,’ offering respite care, short breaks, sibling support, and a variety of therapies to enhance well-being. It also offers vital services such as palliative, emergency and end-of-life care.

 CHSW is dedicated to helping families make the most of their precious time together.

We would love for our friends and partners to join us in supporting this wonderful foundation. Your generous contributions can make a significant difference in the lives of these children and their families, bringing comfort and hope during the most challenging times.

You can donate here.

Microsoft 365 Webinar – When We Helped Charities Get the Most Out of Their Subscription

We recently hosted the second of our Charity Tech Mastery Webinar Series in partnership with Microsoft Tech for Social Impact. This time we looked at unlocking the time-saving tools in MS365 that could help charity workers speed up their tasks and stay within budget.

As Professional Services Director Mark Kirby said in his introduction, ‘Charities and non-profits have to know the value of every pound because it’s a donation. So you need to stretch it as far as you can.’

Naveed Iqbal, Microsoft Tech for Social Impact UK Ambassador described the various ways in which  Microsoft has nurtured the charity sector over recent years. These include providing considerable tech grants as well as reinvesting profits to help smaller charities.

Mark gave an overview of the various MS365 plans (Basic, Standard and Premium) and grants available for non-profits. He then looked at a few handy apps in MS 365 that could add the most value to charities such as:

We had a great response from attendees who quizzed Mark on several topics related to MS365 apps. There was also interest in attending the third session which will focus exclusively on Copilot and how it can help the charity sector.

We know the operational challenges that many charities face on a day-to-day basis. We hope that this series of webinars will provide attendees with valuable advice on speeding up tasks and making the most of their budgets.

Watch this space for our update on the third webinar on Copilot soon.

And you can find out more about how organisations can prepare for Copilot by visiting our get ready for Copilot preparation service.

A Haven of Hope

With the festive season upon us, our thoughts are turning to the annual Intersys Christmas charity appeal.

Haven House Children’s Hospice is a truly inspiring organisation that provides nursing care and emotional support to families with seriously ill babies and children. 

The charity is there for parents and children during the hardest times of their lives. Their round the clock assistance includes day care, home visits and bereavement support. Staff are also expert at providing activities that can improve children’s quality of life such as sensory play, music therapy and physiotherapy. 

Haven House holds a special place in our hearts at Intersys and this is the third Christmas we have supported them (previous Christmas appeals were in 2009 and 2021). Not only are we passionate about their cause, we are also proud to help a Woodford Green charity that is making a difference in the local community. 

We urge our clients and friends to give generously to Haven House so that they can continue their wonderful work. 

Here’s Why Charities Loved Our Cyber Security Webinar

We recently invited a diverse group of charities to join a webinar on cyber security resilience aimed at the non-profit sector.

Non profits occupy a special place on the Intersys client list and over the years we have supported a wide range of voluntary organisations with their IT and cyber security.

We co-hosted the event  in association with our partners at Microsoft Tech for Social Impact, who provide significant discounts and grants on Microsoft software products to charitable organisations around the world.

Intersys’ own  Mark Kirby, Executive Director and IT Strategy Specialist, and Naveed Iqbal, Microsoft Tech for Social Impact’s UK Ambassador, jointly hosted the session.

Charities are Soft Targets

As cyber attacks continue to proliferate, the sad truth is that charities have become a prime target for hackers. 

Cyber criminals are focusing on them because they store a vast range of sensitive data including PII (personally identifiable information) and financial details, to name a few. 

The Kokoro cyber attack that exposed the donor data of over 40 UK charities, including the RSPCA recently, is a case in point.

An NCSC report shows that charities are the third most targeted vertical behind governments and financial institutions. 

They are often reluctant to spend funds on cyber security because they prioritise frontline work and feel the pressure to maximise the value of donations. 

However, the reputational damage of a cyber attack can be particularly damaging for organisations that rely on their donors’ trust and goodwill. 

The Dangers of Outdated Microsoft Software

All too often we have seen charities using end-of-life Microsoft software such as Office 365 instead of the newer Microsoft 365. The dangers of continuing to use outdated software are many and can have serious repercussions for IT systems. 

It’s simple  — when you run outdated software, you say goodbye to security updates, bug fixes, patches and monitoring.

Advice for Charities to Stay Cyber Secure

Mark Kirby, who began his IT career managing tech for a major UK charity, shared his top tips for non-profits to stay secure. 

He introduced attendees to Intersys’ hierarchy of cyber security needs —  a model for cyber security based on the internationally recognised NIST framework but simplified and streamlined for non-profits on a budget. He said it was a great way to get a baseline performance of a charity’s cyber security before starting to improve it.

“I understand what it means to deliver IT on a charity’s budget. Every pound you spend is a donation, so you have to maximise value from all your investments,” Mark said. 

Mark reassured attendees that while it wasn’t realistically possible to achieve every priority in the hierarchy, getting to the compliance level was a good aim. 

The hierarchy covered everything from the very basic requirements such as identity protection and email filtering all the way to more advanced controls such as continuous vulnerability scanning and a Red Team.

Fantastic Discounts on Microsoft Products

Microsoft Tech for Social Impact’s UK Ambassador Naveed Iqbal shared the various ways in which Microsoft has been helping non profits globally. 

This includes providing 3.2 billion in grants and discounted software services to charities last year alone and equipping 330,000 non-profits with secure and modern cloud services.

He shed further light on some headline offers available to non-profits such as grants and discounts on Microsoft 365, Power BI Desktop, Power Apps, Surface devices, Power BI Pro and Dynamics Sales Enterprise. 

An Informative Q&A

The webinar ended with a Q&A session packed with more tips and advice. 

Charity staff quizzed us about the latest tools and functionality available in Microsoft 365, suggestions on making hardware more secure and the importance of using complex passwords.

In a post-event feedback survey, 100% of attendees said that they found the webinar valuable.

We’d like to thank all the charities and other organisations who attended. A special thank you goes to Microsoft Tech for Social Impact for having faith in us as a trusted partner and sharing the fantastic offers available for non-profits.

We’re hoping to roll out these webinars more regularly, so watch this space in the New Year and do check out the full video on our YouTube channel.