It is the great paradox of our time that SMEs have never been so well informed about cyber security risks, yet remain so poorly protected from attack.
Cyber security is a topic that has been widely written about – barely a week goes by without another high-profile cyber breach making headlines.
However, many small and medium-sized businesses are overcome by the scale of the risk and, paradoxically, fail to take any preventative action at all.
The risk is real – and significant – but it is easy to ignore until it happens to you.
The key is to start small. No business will ever be totally immune to all cyber risks, but working towards cyber resilience needs to be on every business owner’s agenda.
Best practice for SMEs
Small business owners tend to have a “just get things up and running” mentality, which often means that good security falls by the wayside.
There are a number of steps you can take immediately, using your own internal resources:
- Avoid unnecessary features. Look closely at what you are implementing and consider questions like, “Do I really need all these features turned on?” Or, “Do I really need that software?” Turning off anything unnecessary will go a long way to keeping things secure.
- Consider the permission levels of staff. Ask yourself, “Does that person need that level of privilege?” Restricting access to the minimum amount necessary is a simple way to reduce your vulnerability.
- Backup! There couldn’t be a more vital time to do this with the level of ransomware threats that are out there at the moment. It is not sufficient to do ad hoc backups; implement a proper backup regime and test it:
  - Backups of the most critical data to your business should be done more frequently and ideally with a copy offline and offsite.
  - Offsite backups are becoming easier as cloud-based backup services are plentiful.
  - When selecting a cloud-based backup service, be sure to assess the level of encryption offered so that you can be sure that your data in the cloud is safe.
- Patch – everything and regularly. Simple.
Consider bringing in the experts
While getting the basics in place is a good start, bringing in external expertise will really ramp up your organisation’s resilience to cyber threats.
For example, penetration testing is a simple way of identifying your key areas of vulnerability and will show you exactly what you should focus on.
Importantly, cyber resilience should be approached more broadly than from just an IT perspective; for example, being aware of your obligations from a legal perspective is critical. New mandatory reporting requirements that are coming in will change the way business owners respond to a cyber breach of any kind.
Additionally, incorporating clauses around cyber security into contracts with suppliers and partners is essential to protect your business. Having the right legal expertise to do this can be invaluable.
Instilling a culture of cyber security
Many breaches are caused by human error, so making sure that your team is aware of the risks (for example, of clicking on an email link that may expose the organisation) is vital.
Make this part of the induction process for all new employees, and consider how to build cyber security into any new projects upfront; make it part of all of your business processes.
Take a multidisciplinary approach: cyber security is no longer just an IT consideration; you need to consider it from legal, communications and operational perspectives, too.
Cyber security health checks are a good way for a small business to quickly assess the strengths and weaknesses of the organisation’s IT security controls, and to measure them against best practice.
Developing cyber resilience is an ongoing process for all businesses and can seem an insurmountable task; however, there are immediate steps that you should take to start the process and kick-start your journey to cyber maturity.
Rob McAdam is the founder and CEO of Pure Hacking, an IT security company that works with organisations to identify and mitigate IT security risks.