As an SME, there is near enough a 1 in 2 chance (or higher) that your business will be subject to a cyber attack – if it hasn’t happened already.
The 2019 Cyber Readiness Report by insurer Hiscox found that the proportion of small firms (less than 50 employees) reporting one or more incidents (typically a ransomware attack, denial of service or email scam), rose from 33% to 47%. For medium-sized firms (with between 50 and 249 employees) the proportion leapt from 36% to 63%.
The good news is that basic cyber security measures and precautions can protect your business against 80% of cyber attacks – and improve your cyber security defences going forward.
This article is based on Ascentor’s “Practical cyber security guidance for SMEs” – a more detailed guide is available to download as an ebook from the Ascentor website.
1: Use the cloud – along with secure working practices
When you use the cloud, you are using systems developed by the likes of Microsoft, Google and Amazon, and used by HM Government amongst others. Cloud providers have done all the development work and created multiple levels of control. That offers a robust level of security that you get as standard.
However, while cloud service providers take the burden off SMEs technically, they can’t keep you secure if you adopt insecure working practices. For example, there’s no point in having strong technical security controls if you allow ex-employees to access your data or current employees to have unrestricted access to all of your data.
Top tip: Migrate your business to the cloud, a service as simple as Google Docs is a good place to start for a micro or small business. Take steps to make sure cyber security is seen as the responsibility of all and with secure working practices too.
2: Regularly backup your data
It’s easy to get relaxed about your data – until it’s gone or you can’t gain access to it. By doing a regular backup you’ll ensure your business will be able to function not only in the event of a cyber attack but possibly through the impact of a fire, physical damage or theft.
Backups are done so that your original data can be recovered – so protect them by not allowing staff to access them and keeping the data in a place that’s not connected to the device holding the original data. Consider having an offsite copy that’s protected from fire too. Ideally, your backup strategy should meet the best practice of 3 copies, 2 on different media, 1 off-site and encrypt all backups.
However, a word of caution. Many assume cloud services such as Office 365 and Google Docs provide a backup. They don’t. If you delete something it will store it in the trash for 30 days, then it gets deleted from trash. So, while cloud services provide resilience to the data and sync across multiple devices, it’s not the same as a real backup.
Top tip: Identify your own business-critical data, the things your business would not be able to function without – and keep your backups separate from your computer and preferably off-site, following the 3 copies process as above.
3: Secure your boundary
The likelihood of you not having some form of firewall to stop the bad guys getting in easily is slim, but they are not a silver bullet. By definition, a firewall allows data into your organisation and this can be turned against you if the firewall configuration is weak. To be more secure, you should also consider a proxy device and make sure all your data goes through it before it lands on your laptops and desktops.
Top tip: Make sure you change the default password on your firewall when you install it and regularly thereafter. Even better, get a firewall with proxy included and if you haven’t moved to the cloud yet, have a dedicated proxy in a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork. If you are using the cloud then a cloud-specific proxy solution may be the right way to go.
4: Stay protected from malware/ransomware
By restricting the ability of systems to operate (until a ransom payment is made), ransomware has the capacity to cause long-term damage to the reputation and profitability of your business. They are one of the most impactful forms of cyber attacks.
However, if your data is backed up, secured from tamper and you can easily access it at all times, then the threat of access denial and a payment to regain it becomes meaningless.
Top tip: Regularly backup and make sure your antivirus is always turned on and is up to date with the latest version. Backup user files and system files. Some ransomware infects master boot records so you will need to be able to recover the system before you can recover user files. And read Ascentor’s “Top ransomware tips for SMEs“.
5: Patch Patch Patch
AV is great at stopping the known malware threats but to be properly protected you need to update your system software as updates are provided by the provider. Your laptop, desktop, server (if you have any) and operating systems are the first things to patch, but don’t forget your applications and your networking devices (router, firewalls etc.), which are often updated on a much less regular basis.
However, while they are meant to fix security vulnerabilities and other bugs, patching can sometimes introduce new problems or, in worst case scenarios, server failure. So, to help you prevent patching problems, we’ve shared some of our experiences and tips in our article “What can you do when a patch goes wrong?”
Top tip: Microsoft and Apple provide regular operating system updates and it’s relatively easy for SMEs to use the inbuilt solution. For applications it’s more complex and time-consuming. Take the pain away and use an 3rd party patch tool so those pesky applications dont get installed and forgotten about leaving you vulnerable without knowing about it. If you’re worried about patches causing your IT to crash and unable to work, wait a week or two, to let bugs get identified and fixed, but think hard before making this decision as patching late could cause you more hassle if you get hit by malware.
6: Be alert to phishing and business email compromise (BEC)
BEC is a good example of why technology alone cannot solve your cyber security problems.
Data from GetSafeOnline suggests that nearly half a million UK SME businesses have been impacted by an email-based scam. These typically work by a fake email pretending to be from the MD, Finance Director, or perhaps a supplier. Data from Lloyds Bank indicates that an average loss in an email-based scam is £27,000 – that’s a huge amount to lose for an SME business.
Training to look for the signs of suspicious activity can help with awareness of the risks – question whether the person concerned would really say what the email says. Poor use of English, email from mobiles etc. are warning signs.
Top tip: Make it standard practice to re-confirm email based requests for payment, call the person who you think has been compromised and check. It might slow the process down but if it saves you £27,000 – no one is going to complain about that.
7: Preventative measures for mobile devices
Our mobile devices are often also an entry point to business information and networks. So, their security is paramount.
You may have put policies in place to regulate the use of personal devices at work (often called BYOD – Bring Your Own Device), but that doesn’t mean your employees won’t ignore them. That’s why we recommend preventative action. Ascentor’s full SME cyber security ebook download contains detailed recommendations for company-issued and personal devices used in relation to work.
Top tip: Using a Mobile Device Manager (MDM) can bring an additional layer of security for company-issued or BYOD phones. It is software that allows IT administrators to control, secure and enforce policies on smartphones, tablets and other endpoints. Avoid public wi-fi, use a VPN secure connection when travelling and make sure you read our post on business travel before you leave.
8: Create strong, memorable passwords
All the protection provided by the likes of Microsoft Office 365 or Google is lost if you fall down on poor password security. However, employees often make them so easy to guess or crack – they might as well leave the front door open.
Passwords should be strong, memorable (to the owner) and most important, really difficult to crack. We recommend you change them regularly – at least every 60 days. We’ve written two articles on creating passwords, you can access them here. It goes without saying but don’t share your passwords. They should be a secret known only to you or the people in your organisation who need to know them.
Top tip: Turn on “two-step authentication”. Most mobile services now offer a simple code-based system that sends you a numeric password by SMS/Text to secure your login credentials. Use a password manager for business purposes as opposed to one suited to an individual user. A business version will have admin controls so you can control the permissions each user has.
9: Be wise to the Insider Threat
Your own employees can pose a significant cyber security risk too. There are various reasons – employees with a grudge, malicious actions (such as leaving with a database), human error.
Most insider threat incidents happen once a person has left and the organisation hasn’t rescinded access. So, focusing on high-risk scenarios is a good place to start. Revoking the employee’s credentials should be a priority to minimise that risk. Carefully consider who needs access to what.
Top tip: Insider threats happen when people with access and privileges abuse them. As they are operating on the inside, spotting this can therefore be difficult. Review your policies on who you grant privileges to, particularly with reference to contractors. Does everyone need the levels of access they currently have?
10: Manage and learn from Shadow IT
Employees, often for what they think are good reasons, are increasingly bringing not only their own IT – but their own IT workarounds into the workplace. They want to get their work done quicker so they download an app and do their own thing. That’s Shadow IT.
There are all sorts of security risks; increased risk of data loss (your IT department can’t backup software they don’t know is present in your networks), increased risk of data breach, cyber security risks and of importing malware. Forecasts have predicted that by next year, a third of all successful attacks on businesses will be caused by Shadow IT.
Shadow IT is covered in more depth in Ascentor’s article “What is shadow IT and how do you manage it?”
Top tip: Talk to your employees about Shadow IT issues – be open and learn from them. If you are able to propose workable solutions, you will stand a better chance of strengthening your cyber security and the risk that comes with it.
11: Choose the right security standard for your business
If you are looking to protect your business from cyber attacks there are a number of standards and certifications that can help. What’s more, completing them is not as complex as you might think and they’ll also send a reassuring message to your customers that you take security seriously.
Several, such as the Government’s Cyber Essentials Scheme and the IASME (Information Assurance for Small and Medium Enterprises) Governance Standard, have been specifically developed to serve the needs of SME businesses. Others have been developed to support cloud vendors (the Cloud Controls Matrix – CCM), while the Payment Card Industry Data Security Standard (PCI DSS) apply to businesses that accepts, transmits or stores any cardholder data.
Top tip: Save yourself time and find out about the main standards by reading our blog article “The most popular cyber security standards explained” with links to each. It does exactly what it says. At the very least, become Cyber Essentials certified. Ascentor offers several levels of support for Cyber Essentials certification.
12: Become CyberWyse
You may well be feeling that you need to do more, perhaps you’ve already been hacked and this article has shown you where other weaknesses still exist. You may just want to get on and cover all bases – but are wondering where to start.
That’s why Ascentor has designed CyberWyse. It’s a smart packaging of the UK’s best-known cyber security measures for SMEs that will provide you with all you need to protect your business from basic cyber attacks – with our expert support to get it all done.
We take away the headache of not having enough time, skill or resources and help you through a quick and effective approach to reducing your organisation’s exposure to cyber risk. Find out more about CyberWyse.
Top tip: Gain the reassurance of completing CyberWyse – it will give you Cyber Essentials (CE) Plus and the Information Assurance for Small Medium Enterprise (IASME) Governance Standard with cyber security insurance, delivered with full support from Ascentor.
In conclusion
We hope this article has highlighted some of the cyber security issues and given you some tips that will be helpful within your business. But, effective cyber security depends on more than technical solutions. Despite your best efforts, it can be the actions of your people that, often through accident, can increase the risk of a cyber attack.
That’s why cyber security needs strong leadership to get the message embedded. When policy and process come together with support from the top, you have the means to increase the odds that your business won’t become one of next year’s statistics. All the tools are out there – if you need any support, Ascentor is here to help.
