5 Practical Cyber Security Tips for SMEs
Over the past 18 months, 25% of Small to Medium Enterprises (SMEs) in Ireland have experienced a cyber attack.
Whilst cyber security awareness has increased overall, worryingly 40% of SMEs are still not prepared for a cyber security incident or breach.
With cyber criminals becoming increasingly aggressive and innovative in their attack methods, it is now more important than ever for SMEs to become more proactive in their cyber security strategy and increase their overall cyber security stance.
In this blog we walk you through 5 practical tips that you can use to help increase your business's cyber security posture and enable you to work towards creating an actionable cyber security strategy.
1. Train Your Employees
Educating employees is key to ensuring your business is protected from cyber security attacks or breaches.
Humans are the weakest factor in a business's cyber security efforts. According to a recent report by IBM, 95% of all breaches were due to human error.
To be effective, training must be consistent, engaging and give the workforce real life examples of what to look out for. It should also include specific rules in regards to emails, web browsing and social networks.
What cyber security training should be included?
Consideration should be taken when it comes to the specific types of training employees within your business may need.
Training on recognising social engineering attacks such as phishing emails, on password security, and on what to do in the event of a cyber security incident or breach should be included as standard.
Depending on the business size and industry, further cyber security training in other areas may be required to increase your employees' awareness.
Make Cyber Security Discussion the Norm
Regular conversations about the potential impacts a cyber incident could have on your business's operations should be conducted to ensure your employees understand their obligations when it comes to cyber security.
Encourage Your Employees to Report Anything Suspicious
Employees should be encouraged to report any suspicious signs immediately. Even if it turns out to be a false alarm, it helps to develop a culture of security awareness among employees.
2. Protect Your IT Assets
Secure authentication has been a key focus in cyber security education for almost as long as computers have been around, and for good reason: passwords are often the keys to the kingdom when it comes to your IT assets.
In Ireland alone, over 16 million passwords were leaked in 2021.
Strengthen Your Passwords
Password strength is often seen as a product of two factors: password length and complexity.
Creating long passwords that contain a variety of characters, numbers and symbols will make it more difficult for attackers to crack them and recover the plain-text password. For every extra character in your password, the feasibility of cracking it vastly decreases.
Update Default Passwords
Default passwords are one of the most common issues discovered by our consultants when conducting penetration tests on businesses.
When software or hardware is purchased, it often comes with a default set of credentials designed to help you get up and running with your new offering as quickly as possible. However, in the hustle and bustle of getting everything configured and working correctly, the default credentials are often neglected, leaving an open door for cyber criminals and insider threats.
The ideal way to discover which of your devices still use default credentials is an internal penetration test. This can pick up all devices, including those that you may have overlooked during your day-to-day business operations.
3. Secure Access to Networks and Systems
Network security is a broad term which covers a range of technology, devices and processes designed to protect the integrity, confidentiality and accessibility of a business's networks and data.
All businesses, regardless of size, industry or infrastructure, require a degree of security to their networks and systems to protect them from the ever growing cyber threat landscape.
In this section, we concentrate on three main security aspects that you can quickly implement into your business.
Access Controls
Access controls restrict each employee's access to the business's data and services based on their role and the information they need to complete their job.
Access can be based on a number of factors such as authority and responsibility. In addition to this, access to computer resources can be limited to specific tasks, including the ability to view, create or modify files.
Virtual Private Network (VPN)
A Virtual Private Network (VPN) is an encrypted connection between a user's device and a network. It is one of the best ways to protect your business, especially when your business has employees who need remote access to internal applications and data.
A VPN is one of the most important tools to keep a business protected from a data breach and provides businesses with secure remote access capabilities for remote workers.
Firewall
A firewall is a network security device that monitors incoming and outgoing traffic on a business network. The device permits and blocks data packets based on a predefined set of security rules.
The device's main purpose is to establish a barrier between a business's internal network and incoming traffic from external sources in order to block malicious traffic such as criminal hackers or malware. This, in addition to a VPN, is vital for your remote workforce to ensure you have a robust cyber security posture to prevent cyber criminal attacks.
4. Secure Your Business's Backups
Data loss can happen to anyone and cause massive problems for businesses. Trying to get back vital information without a backup can be expensive and time-consuming, and recovery is highly unlikely. While there are preventative measures you can take, the best way to protect yourself against data loss is to have a robust backup system in place.
Test Your Backups Regularly
Backups should be regularly tested and updated to ensure you have the data available in the event of a disaster.
The most basic approach to testing is to run through the restore process periodically. Performing these tests can be time-consuming, but if you don't do them, you run the risk of losing all your data if your backups fail unexpectedly.
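The restore drill described above can be scripted so it actually runs periodically. The following is an added example, not code from the original post: it backs up a directory to a tar archive, restores it into a scratch location and compares the restored tree to the source, and it also shows that a truncated archive fails the drill. The directory names and sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example: a minimal scripted restore drill for a directory backup.
# A backup only counts once it has been restored and verified, so the test
# below extracts the archive into a fresh scratch directory and diffs it
# against the source, byte for byte.
set -eu

# make_backup SRC_DIR ARCHIVE -> creates a gzip'd tar archive of SRC_DIR
make_backup() {
    tar -C "$1" -czf "$2" .
}

# restore_test ARCHIVE SRC_DIR -> returns 0 only if the archive lists cleanly,
# extracts cleanly and the restored files are identical to SRC_DIR.
restore_test() {
    archive="$1"; src="$2"
    scratch=$(mktemp -d)
    # Step 1: the archive must be readable end to end (catches truncated or corrupt files)
    tar -tzf "$archive" >/dev/null 2>&1 || { rm -rf "$scratch"; return 1; }
    # Step 2: perform a real restore into a clean location, never over the live data
    tar -C "$scratch" -xzf "$archive" 2>/dev/null || { rm -rf "$scratch"; return 1; }
    # Step 3: the restored content must match the source exactly
    if diff -r "$src" "$scratch" >/dev/null 2>&1; then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}

# Demo run on constructed sample data (paths and contents are made up)
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/accounts"
    printf 'invoice 1\n' > "$work/data/accounts/inv1.txt"
    printf 'customers\n' > "$work/data/crm.csv"
    make_backup "$work/data" "$work/backup.tgz"
    restore_test "$work/backup.tgz" "$work/data" && echo "restore drill: PASS"
    # Simulate a silently corrupted backup: the drill must report failure
    head -c 20 "$work/backup.tgz" > "$work/corrupt.tgz"
    restore_test "$work/corrupt.tgz" "$work/data" || echo "corrupt backup detected"
    rm -rf "$work"
}
demo
```

Scheduling restore_test from cron against your real archives, with the exit status feeding an alert, turns the periodic restore check into something that cannot be quietly skipped.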
5. Develop Policies and Procedures
When creating policies and procedures for your business, clear and specific rules should be outlined for your employees. These will help in guiding your workforce through situations they may encounter such as what to do in the event of receiving a phishing email or how to report a cyber security incident.
Your policies and procedures are also a platform to demonstrate your business's approach to cyber security and will assist you in building the foundations of a strong culture of cyber security throughout every aspect of your business.
To create clear and effective policies and procedures, they should:
- Be short and succinct, with specific guidelines for employees to follow
- Be written clearly and in language which is easy to understand
- Be realistic and practical in what they instruct
- Highlight the consequences an employee could face if policies and procedures are not adhered to
- Be regularly reviewed and updated when necessary
6. Bonus - Get Started!
We have released a free practical guide on ‘Developing a Cyber Security Strategy for SMEs’, containing comprehensive and actionable information on:
- The top cyber security attacks SMEs should look out for
- Actionable tips to increase your business's cyber security posture
- Frameworks that can help improve your cyber security strategy
If you are an SME looking for guidance on how to get started in improving your cyber security stance or want to make sure you are on the right track, this guide will do just that.
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.