SME Cyber Security Challenges
Cyber attacks are at their highest level ever and will continue to increase year on year. Cyber criminals see SMEs as easy targets because of the amount of highly valuable data they hold. This is also facilitated by the myth that SMEs are too small to be of interest to criminals.
There is a lot of confusing information out there, and combined with a lack of knowledge, cyber security can be an area businesses don't delve too deeply into. We're here to guide you through the minefield.
The list below may help you to raise awareness of cyber security and the risks within your business.
This is by no means an exhaustive list, but it may help you to develop a practical and affordable cyber security solution that addresses your own cyber risks and ensures that your business is operating in a safe, secure and compliant environment.
- Lack of awareness around the current real-world cyber security risks
- False sense of security, with a heavy reliance and dependence on the internal IT team or an external, non-security IT third-party provider
- Lack of cyber security knowledge, understanding, ownership and leadership
- Poor cyber security maturity and posture within their businesses
- Lack of staff training (at all levels) – like Health & Safety, cyber security is everyone’s responsibility and training should be completed regularly
- Lack of budget. Cyber security is now an integral cost of doing business for us all
- There are some very simple and affordable solutions for businesses of all sizes and across all industries. The first is education. Start at the top, with the board. Remember, cyber security is not an IT or technology issue; it’s a whole-of-business risk and a journey of discovery that requires a fundamental change in mindset and culture. Build a security culture that encompasses all departments and operations, since cyber security is everyone’s responsibility.
- Establish ongoing training – Incorporating regular Security Awareness Training for everyone within the business is critical to your business's security. It is the most effective way to combat social engineering, poor password practices, successful phishing attempts and other cyber threats that could put your business at risk. And don't forget to train new starters!
- Review your policies, processes and procedures, ensure that all staff are aware of these policies and are trained appropriately, and make policies user friendly. Then test them to ensure they are effective and work. It is simple to require a new or existing employee to sign an “I have read and understand company IT and cyber security policies” statement. Basic training for all staff on how to spot, manage and report the many malicious social engineering techniques, such as phishing, spear phishing, business email compromise, spoofing and vishing, could be vital to the survival of your business.
- Develop a Cyber Incident Response Plan. This is a simple plan for all staff to follow in the event of a data breach, incident or attack. Test it to ensure it's effective and amend where necessary. Review it regularly and make sure employees who have left are removed from the Response Plan.
- Establish responsibility – Ensure that the board appoints someone to take ownership of updating the board on a regular basis in relation to the company’s cyber security posture. It should form part of any monthly management meetings.
- Outline responsibilities for monitoring, evaluating, and reporting risks. Make sure all users are aware of who to report incidents to.
- Advance your knowledge – Stay up to date with cyber security legislation, standards, best practices and reporting requirements. Use the following for guidance:
- National Cyber Security Centre (NCSC)
- Information Commissioners Office (ICO)
- European Union General Data Protection Regulation (EU GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- International Organisation for Standardisation ISO 27001
- National Institute for Standards and Technology (NIST)
- Cyber criminals view SMEs as easy targets and rich pickings because SME defences are often not as advanced as those of larger businesses.
- To protect themselves, companies should consider multiple layers of cyber security, and include monitoring to alert them to potential cyber incidents.
- Engage external specialists to assist your business in the areas where your IT manager or Third-Party provider can’t. Remember, they’re probably already overstretched, may not have the required knowledge or experience, and some may think that they can take care of this themselves. Many cyber security companies will actually work in partnership with your IT to support and educate them along the way.
- Unfortunately, not. This is one of the biggest misconceptions that many boards, directors and senior managers display. Cyber security is not an IT or technology issue; it’s a risk to the whole business. That risk sits with the board and the business owners/directors, and whilst a company can rely on IT teams or outsource its technology requirements, it can’t outsource its responsibility.
- IT security and cyber security are very different areas, and whilst there is a relationship between the two, traditional IT security methods, such as firewalls, anti-virus and anti-malware software, whilst part of basic and essential security, are no longer enough to keep threat actors at bay.
- Many IT managers or third-party providers lack the in-depth cyber security expertise or knowledge required to protect businesses today. Many confuse IT security with cyber security and can inadvertently give their clients a false sense of security that their businesses are protected. Many simply do not have the capability to keep up with the constant evolution of cyber risks and attacks.
- Information security and cyber security have very broad landscapes, and no software or hardware will protect your business 100% from threats such as social engineering, loss of physical files, vishing, or incorrect disposal of physical documentation.
- While no single security strategy is guaranteed to prevent cyber security incidents, many techniques used in cyber incidents could be mitigated through cost-effective solutions.
- After educating & training your staff, test their susceptibility to common cyber security threats such as phishing emails and business email compromise (BEC) and re-educate those who may require additional training. Educate but do not chastise them.
- Perform social engineering exercises attempting to find out if users will give up sensitive information or access to systems.
- Conduct a breach response exercise and go through the steps of your plan to evaluate how effective it is.
Get the basics in order. To increase the odds of mitigating a catastrophic cyber incident, ensure you have deployed the basic cyber security measures below:
- Next-generation Firewalls
- Email Secure Gateway
- Network Monitoring
- Endpoint Protection
- Web Filters
- Password Manager to prevent staff from forgetting or losing their passwords, using poor password hygiene or reusing passwords
- Enforced Multi-Factor Authentication everywhere possible
- Encryption of sensitive data – at rest and in transit, as required by regulation and company policies (make sure it forms part of your policy)
- Mobile Device Management for all relevant devices such as tablets and smartphones
- Data Backups, and test them regularly.
In a word, no.
- Disaster Recovery – Have a plan and test it, regularly. How long can your business afford to be offline? How long can you afford to have less than normal operational capacity?
- Regular Security Review – Periodically evaluate all security controls to determine whether the cyber security controls are adequate for your risk appetite.
- Culture – A good security culture can only be driven from the top down. This will help create an openness so that users feel comfortable reporting incidents to the relevant responsible person.
- Data Classification – Identify the types of data you hold and establish data handling procedures in line with the sensitivity of the data.
- Collaborate with Internal Stakeholders – In the event of a cyber security incident, personnel and teams in the company’s IT, HR, finance, legal, and other departments should be ready at a moment’s notice and be aware of their roles and responsibilities following an attack. Again, test the response and review the results and make any necessary amendments.
- Employ Security Monitoring – Without real-time monitoring of your network, digital environment and endpoints, your company will only learn about an attack or cyber incident after the fact. Be proactive, prevention is always better than cure.
- Understand Regulatory Requirements and Liability – A response to a cyber incident or data breach should consider regulatory compliance and procedures. You risk fines and other penalties if personal information is exposed and your response is considered inadequate.
- Undertake Data Incident Response Planning – Despite best efforts, a security breach is always a possibility. Cyber security threats are evolving daily and it is vital to be proactive and ready. Develop a Data Breach Incident Response Plan and test it regularly.
- Supply Chain – Many data breaches have originated from the supply chain. Regardless of size, all businesses should employ basic supply chain management best practices to understand and control this risk. How secure are the businesses in your supply chain?
- Risk Acceptance and Risk Transfer – Even with robust security processes in place, businesses can still suffer downtime due to a cyber incident or data breach. Companies should evaluate the overall effectiveness of their cyber security processes and decide how much risk they are comfortable with, or transfer that risk through a cyber insurance policy. By implementing effective cyber security processes, companies may be able to receive reduced premiums or more favourable policy terms. Be fully aware of what your policy covers and what it doesn't; don't wait to find out in the event of an incident, as by then it will be too late.
Call us, we are here to help.
We are always happy to help with security questions or problems and if we don't currently have a solution we will source one!
Just pick up a phone and call us!