Is Your Business Prepared for a Cyberattack?


Despite the number of significant data breaches rapidly increasing since 2012, SMBs sometimes feel that they’re too small to be targeted – but the reality is very different. While it is true that smaller businesses are not as likely to be the direct focus, many cyber-attacks aim for breadth and simply seek to cause as much damage as possible. The result is that almost half of all UK small businesses have been hit by a cyber-attack or breach, with many suffering significant financial consequences.

It’s understandable that small businesses may feel as though there is little they can do to prevent an attack. But it is precisely because an attack is so likely that you should be making preparations and taking increased precautions.

For an in-depth look at your particular situation, consider using an IT Security Health Check tool which will help to identify the areas in which you’re doing well, and also the weak links in your business security that need to be improved. Nevertheless, the following steps are all essential preventative measures for businesses of all sizes.

Do you have a data policy?

Companies may spend a small fortune on setting up the latest antivirus and security measures, but with 4 of the top 5 causes of a data breach being the result of human error, your defences could be undermined if your staff are using weak passwords or failing to identify potential phishing emails.

For a policy to be effective, it should be updated regularly to keep up with the latest developments in security. However, the key is to make sure it is transparent and enforceable. If the implementation feels impractical or unnecessary, staff may struggle to stick to it for more than a few weeks before reverting to old habits. If the policy is too demanding, it may simply be ignored.

A good example is expecting complex passwords to be changed on a regular basis. Without a clear justification and a process to follow, you will probably begin to see an abundance of post-it notes covered in passwords – not secure at all, but a way that staff might fulfil what is asked of them without impacting on their efficiency.

In this instance, providing a password manager to staff would resolve the issue. Many password managers not only store multiple passwords but also help to generate new, secure codes. The result is that your staff now have secure access to everything they need, and just one password to remember.

By understanding the needs of the people who will have to implement it, your policy will help to raise awareness and understanding among staff while cutting down on the simple mistakes that could make your company a victim.

Are your endpoints secure?

It used to be that your only security endpoints were the desktop computers in the office. Today, all of that has changed. With the development of technology, the way people work has also altered. Many people now use multiple devices (laptops, phones and tablets) to complete their work. In 2017, 59% of US companies allowed employees to use personal devices for work, with another 13% planning to.

In addition to this, mobile working is becoming commonplace. But along with the benefits of flexibility, wellbeing and productivity, more devices accessing company data means increasing the number of endpoints that could become openings for an attack.

From not having the latest security updates installed to devices being lost or stolen, companies need to ensure that mobile endpoints are as secure as those in the physical office. Bring your own device (BYOD) policies can ensure that staff are clear as to the expectations around their use of company data, and of tools on personal devices – including using two-factor authentication and adhering to best practices.

Do you back up?

One of the most notorious forms of attack in recent years has been ransomware. Used in the 2017 WannaCry attack on the UK’s NHS, ransomware locks your device and demands payment to release files. In some cases, timers increase the amount of money required or even threaten to delete data. Of course, paying the ransom holds no guarantee of getting your files back.

The simple solution to such a threat is to restore the infected devices to remove the ransomware, and then restore your data from a backup.

The importance of keeping secure backups of all company data cannot be overstated. Ideally, your backups should be stored outside your office network for extra security. A popular solution is to use cloud storage, which can provide the added benefit of increased levels of encryption for your data.

Are your staff trained?

As we have already touched upon, staff understanding and support are critical when seeking to reduce levels of human error.

Education and training should include advice for all members of staff and all technical ability levels. While some staff may be quite tech-savvy, others may only be comfortable with word processing and little beyond that – unaware of the risks of connecting to unsecured free Wi-Fi when travelling, for example.

By building a culture of understanding around the importance of data and BYOD policies, staff will feel confident, both in avoiding threats and in knowing what to do if they notice suspicious activity.

In many cases, a lack of resources may be the reason for underdeveloped cybersecurity defences within SMBs. With few trained IT staff, small businesses may be forced to prioritise day-to-day activity over establishing preventative measures.

Prevention is better than cure, and while preparation will require an investment of time, the financial cost can be minimised. Ultimately, any preparedness will be worth it as the benefits of reducing the threat of a potential attack are far greater than what it would cost if the worst happens.