Small and medium-sized businesses face the same threats as their bigger brothers. For many hackers, SMEs are seen as easier targets, believing that less is being done to protect data such as information about clients, customer details or bank details. They also perceive it to be easier to access one of your customers’ systems where you are linked through e-commerce, by email or in some other way.
Recently published research found that many small firms are still not doing enough to protect themselves. The survey by Barclaycard of over 250 small businesses found that just one in five rank cyber security as a top business priority, despite previous government research having found that the average cyber attack on a small business costs between £75,000 and £311,000.
Another HM Government report confirmed that 74 per cent of SMEs reported a security breach but that only 7 per cent of small businesses expected information security spend to increase in the next year.
The greatest cyber security threat to SMEs are its own employees; many cyber-related losses suffered by UK SMEs come from within, for example, when employees deliberately misuse data, intentionally or not. Clicking on links sent in emails can trigger a ransomware scenario where a ransom is demanded by the hacker in order for normal operations to resume; the sum might not be huge but, once paid, you become an even bigger target.
The issue of cyber security for SMEs is made even more pressing by new European regulations aimed at protecting customer data. The EU’s new General Data Protection Regulation will come into force in 2018 and could result in companies being fined up to €20m or 4% of their annual turnover, whichever is greater, for allowing any security breaches to compromise their customer data.
What steps can be taken to better protect SMEs in this ever-changing cyber landscape? Here are just a few.
Update your software: Download software and app updates as soon as they appear. They contain vital security upgrades that keep your devices and business information safe. Many instances of hacking have relied on businesses not staying updated with software patches.
Generate stronger passwords: Use strong passwords made up of at least three random words. Using lower and upper case letters, numbers and symbols will make your passwords even stronger. You could also consider using a password generator. Why not develop a company policy on strong password practices?
Be extra careful with emails: Delete suspicious emails as they may contain fraudulent requests for information or links to viruses. Unsolicited emails often contain attachments or hyperlinks (particularly shortened links); many phishing attacks attempt to trick you into opening a file loaded with malware or to visit a site which runs malicious scripts on your computer
Install anti-virus software: Your computers, tablets and smartphones can easily become infected by small pieces of software known as viruses or malware. Install Internet security software like anti-virus on all your devices to help prevent infection. Don’t settle for free or ‘lite’ versions but go professional; spend a little bit of money, it’s a wise investment.
Information governance: Understand where your information is and who has access to it. Use external help if you do not have the resources to help you map this out. Once you have your ‘map’ i.e. the different paths a hacker could take to get to your information, then attack path mapping allows you to tie paths to risk levels that will drive priorities.
Staff training: Make your staff aware of cyber security threats and how to deal with them. For example, The Government offers free online training courses tailored for you and your staff that take around 60 minutes to complete. You can encourage staff by holding learning sessions – lunch and learn for instance. Most security issues are based on ignorance, not malicious intent. Assume staff don’t know all the answers and give them an environment to learn.
Keep an eye on administrator privileges: Avoid using an account with administrative privileges for normal day-to-day activities and web browsing. Accounts with lower privileges warn you if a programme tries to install software or modify computer settings thus allowing you to decide whether the proposed action is safe.
Monitor access: In terms of IT, you should monitor access to your network, including memory sticks and other plug-in devices, which can be used to steal company information. Stay vigilant when contractors and outsiders are in the office.
No credit card data on servers: Into e-commerce? Consider using somebody like PayPal to handle payment processing and avoid the need to access customer’s credit card details. Let your servers work for other parts of the business and let somebody else deal with the financial transactions.