Although organisations of all sizes are targeted by cyber criminals, small and medium-sized enterprises (SMEs) have become the preferred target. Part of the problem is that SMEs lack resources and depth of expertise: they simply do not have the time, money, or dedicated staff to stay ahead of these attacks.
Staying on top of your cyber security needs, to protect your intellectual property and minimise the frequency of data breaches, can be daunting. The other part of the issue is perception. Most SMEs don't see themselves as being at the same risk level as their enterprise counterparts because they believe their data isn't as valuable, yet they can also be a foothold for attackers to move up the supply chain into larger organisations.
According to the latest research (Hiscox, Department for Digital, Culture, Media and Sport):
- Around a third (32%) of businesses report having cyber security breaches or attacks in the last 12 months.
- In 30% of cases, this resulted in a negative outcome, such as a loss of data or assets.
- More than 60% of firms have reported one or more attacks - up from 45% in 2018.
- The percentage of firms scoring top marks on cyber security had fallen, with UK organisations doing particularly badly.
- Only 27% (under three in ten) of businesses have a formal cyber security policy or policies.
SMEs need to take their security priorities seriously and get back to some of the basics of cyber security.
One advantage SMEs have is the relatively small number of privileged accounts they need to manage and audit. Make it part of your weekly routine to look at who has admin privileges and shut down access for anyone who shouldn't have full permissions on these accounts.
If you're like most SMEs, you're probably already running an element of your business from the cloud, whether you're using software-as-a-service, a cloud infrastructure environment, VoIP telephony, or more. However, as an SME, you need to make sure you are implementing the correct and proper controls and configurations, and have visibility into the accounts to mitigate the risk of account takeover.
Take the lead and identify the things you can't do, either due to time or resources. Some items for the "can't do" list could include things like penetration testing, risk assessments, a security operations centre (SOC), forensics and large-scale incident response.
This may mean partnering with a trusted managed services provider like BlackStone Associates, who provide a wide array of cybersecurity solutions for SMEs.
Having an 80-page incident response plan that no one reads isn't feasible for an SME. Keep your incident response plan nimble by only including a few sections and a notification chain. However, it is imperative that you keep it updated on a regular basis - at least annually.
Regular backups are vital insurance against a data-loss catastrophe. Developing a solid backup plan requires an investment of time and money, but the cost is far less than the burdensome task of recreating data for which no backup exists. Develop a written backup plan that tells you the what, where, how, who and when of your backups.
Think beyond just your office and its computers and perform regular tests by restoring a few files to a different computer at a different location so you can test your plan before you actually need it.
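The restore test described above can be made repeatable by recording a checksum manifest when the backup is taken and checking a test restore against it. The following is an added example (not code from the original article or from BlackStone Associates); the "office share" files it backs up are constructed in a temporary directory, and the manifest format is an assumption chosen for the example.

```python
"""Backup restore drill: build a checksum manifest at backup time, then verify
a test restore (to a different location) file by file against that manifest.
Added example; all files below are constructed in a temporary directory."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each regular file (path relative to source, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(source)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the files that are missing, whose contents changed ('corrupt'),
    and any unexpected extras, plus an overall 'ok' flag.
    """
    actual = build_manifest(restored)
    missing = sorted(k for k in manifest if k not in actual)
    corrupt = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    extra = sorted(k for k in actual if k not in manifest)
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not (missing or corrupt)}


def run_restore_drill() -> dict:
    """End-to-end drill on constructed data: back up, restore elsewhere, verify,
    then damage the restored copy and verify again to show what a failed drill
    looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        # Constructed "office share" with a couple of business files
        office = root / "office-share"
        (office / "accounts").mkdir(parents=True)
        (office / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-05,120.00\n")
        (office / "contracts.txt").write_text("Client contract, signed.\n")

        # Take the backup and record the manifest alongside it
        backup = root / "backup-media"
        shutil.copytree(office, backup)
        manifest = build_manifest(backup)
        (root / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # The "different computer": restore from the backup media, not the live share
        restored = root / "restore-test"
        shutil.copytree(backup, restored)
        clean = verify_restore(restored, json.loads((root / "manifest.json").read_text()))

        # Simulate a bad restore: one file truncated, one file lost
        (restored / "contracts.txt").write_text("")
        (restored / "accounts" / "ledger.csv").unlink()
        damaged = verify_restore(restored, manifest)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for name, result in run_restore_drill().items():
        print(f"{name}: {'OK' if result['ok'] else 'FAILED'} "
              f"missing={result['missing']} corrupt={result['corrupt']}")
```

In practice the manifest is written next to the backup when it is taken and the verification step is run on the restore target; keeping the "who, where, when" of the drill in the written backup plan, with the drill's output attached, gives you evidence the plan works before you need it.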
Squashing vulnerabilities is like being a participant on Wipeout. You feel outnumbered, outmatched and exhausted. One of the most important aspects of patch management is staying on top of the next patch. You should have this in your calendar as part of your weekly or monthly "maintenance" checklist. Pay attention to notifications from your vendors so your systems stay up to date.
With a smaller number of users, you need to keep track of who's logging in via the VPN and only enable the service for those with a need. Make sure that as employees are hired or leave, you update their access accordingly, and include this in your new-user setup and off-boarding checklists.
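The weekly admin-privilege review mentioned earlier and the VPN joiner/leaver check above are the same reconciliation: compare who actually holds access with who is on the HR roster and who has been signed off. The following is an added example (not code from the original article or from BlackStone Associates); the account lists are constructed sample data standing in for exports from your directory, VPN console and HR system.

```python
"""Weekly access review for a small IT team: reconcile admin-group membership
and VPN-enabled accounts against the HR roster and the approved-admin list.
Added example; the sets below are constructed sample data, not real exports."""
from dataclasses import dataclass, field
from typing import Iterable, Set


@dataclass
class AccessFindings:
    admins_to_remove: Set[str] = field(default_factory=set)  # hold admin without sign-off, or have left
    vpn_to_disable: Set[str] = field(default_factory=set)    # VPN enabled but not on the HR roster
    stale_approvals: Set[str] = field(default_factory=set)   # approved for admin but no longer hold it

    def is_clean(self) -> bool:
        return not (self.admins_to_remove or self.vpn_to_disable or self.stale_approvals)


def review_access(staff: Iterable[str], approved_admins: Iterable[str],
                  admin_members: Iterable[str], vpn_users: Iterable[str],
                  service_accounts: Iterable[str] = ()) -> AccessFindings:
    """Compare actual access with roster and approvals; returns what to act on."""
    staff, approved = set(staff), set(approved_admins)
    # Known non-human accounts are reviewed separately, so exclude them here
    human_admins = set(admin_members) - set(service_accounts)

    findings = AccessFindings()
    # Admin rights without a current approval, plus leavers still in the admin group
    findings.admins_to_remove = (human_admins - approved) | (human_admins - staff)
    # VPN access for anyone HR no longer lists as current staff
    findings.vpn_to_disable = set(vpn_users) - staff
    # Approvals nobody is using: revisit so the approved list stays honest
    findings.stale_approvals = approved - human_admins
    return findings


def format_report(findings: AccessFindings) -> str:
    """Plain-text action list for the weekly maintenance checklist."""
    if findings.is_clean():
        return "Access review: no action required."
    lines = ["Access review: action required"]
    for label, names in (("remove admin rights", findings.admins_to_remove),
                         ("disable VPN access", findings.vpn_to_disable),
                         ("revisit unused admin approval", findings.stale_approvals)):
        for name in sorted(names):
            lines.append(f"  - {label}: {name}")
    return "\n".join(lines)


def run_weekly_review() -> AccessFindings:
    """Constructed sample: bob has admin without sign-off, erin left but still
    has VPN, dave is approved for admin but is not in the group."""
    current_staff = {"alice", "bob", "carol", "dave"}       # per HR
    approved_admins = {"alice", "dave"}                      # signed off by management
    admin_group_members = {"alice", "bob", "svc-backup"}     # what the directory says today
    vpn_enabled_users = {"alice", "carol", "erin"}           # erin left last month
    service_accounts = {"svc-backup"}                        # known non-human accounts
    return review_access(current_staff, approved_admins, admin_group_members,
                         vpn_enabled_users, service_accounts)


if __name__ == "__main__":
    print(format_report(run_weekly_review()))
```

Feed the function real exports (directory group membership, the VPN user list, the HR roster) and run it as part of the weekly checklist; anything it reports is either an access change to make or an approval record to update, and a clean run is the evidence that joiners and leavers were handled.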
With a small IT team, the last thing you need them to be doing is password resets for staff who have locked themselves out of their systems. A little training will go a long way, so update, communicate and teach your staff to create a long, unique passphrase that they'll remember, and set the corresponding technical control to a longer period. Password managers can also be helpful for setting up unique passwords.
Depending on your industry, it could be difficult to monitor all inbound and outbound connections for SME staff. However, with a smaller pool of users, it can be easier to lock down your traffic. Do you use SSH or FTP? If not, lock down those inbound/outbound services. Having a smaller pool of users will mean your operational needs are most likely to be condensed, therefore limiting your attack surface.
Are your systems protected from malware to prevent the download of infected files or the installation of suspicious software? Make sure there is a malware policy in place to ensure up-to-date malware protection that cannot be bypassed by users.
BlackStone Associates implemented systems & controls that eliminated hours of downtime we had experienced with past vendors. They consistently recommend the most cost effective systems/procedures and constantly look out for our company's best interests.
Bradley James Executive Search