Call us about IT support in Birmingham 0121 309 0090

    Get in touch today

    Call us about IT support in Birmingham 0121 309 0090

    Cybersecurity for businesses

    I speak to many SME business owners who understand why they need cybersecurity, but are looking for honest, straightforward and practical cybersecurity guidance. This a simple yet effective, best practice framework that small and medium business owners or leaders can follow.

    This article covers:

    • What is cybersecurity best practice?
    • How cybersecurity best practice benefits SMEs
    • Challenges when adopting cybersecurity best practice
    James explaining cybersecurity best practice for SMEs

    What is cybersecurity best practice?

    There are four elements to reaching best practice:

    1. Implement effective security controls
    2. Educating your employees
    3. Limiting access
    4. Continuity planning

    1. Implement effective security controls

    Install anti-malware software on every computer

    Anti-malware software scans computers system for all types of malicious software and protects from malware such as:

    Spyware

    Software unknowingly installed onto your computer, that gathers personal information and tracks what you do on the web. It violates your privacy and be used by hackers, advertisers and data firms.

    Adware

    Software that automatically displays banners or pop-ups when online – they’re more-so irritating than anything and can make computers/browsers run slowly.

    Worms

    Malware that spreads copies of itself from computer to computer, designed to spread across multiple devices whilst remaining active on each device.

    Anti-malware allows you to browse the web safely, keeps your personal data and files secure from hackers.

    Ensure computers and network equipment have the latest security updates

    We all have pop ups saying ‘software update is available’. It’s tempting to press ‘cancel’ or ‘remind me later’ – those few minutes waiting for the update or restarting your computer can feel like an eternity when you’re busy. And let’s be honest, not shutting down feels like time-saved at the end of a long day.

    Do this at your peril!

    Computers and networks need the latest security updates to maintain an SMEs cybersecurity defences. These essential updates will ultimately keep your private information safe. Even common applications, like operating systems and browsers, can make you systems vulnerable if you don’t accept updates. Consider the short-term inconvenience as a long-term gain – preventing the scary prospect of identity theft, loss of money, credit, and more.

    Use firewalls to maintain network security

    A firewall acts as a barrier between your computer and the internet. As incoming or outgoing traffic goes through the firewall, it checks against a predetermined set of rules. Websites, viruses or malicious attacks are blocked if they do not pass these tests.

    SME businesses should implement both firewall software and hardware to maintain effective cybersecurity protection. Firewall software protects individual employee computers and firewall hardware protects group networks.

    Web filtering to prevent access to malicious websites

    Cyber attacks often require users to visit a webpage that initiates a malware download. In phishing attacks, fake websites that appear to be legitimate can trick users to give away their login credentials or personal details.

    DNS filtering (blocking entire websites by blocking the domain) and URL filtering (blocking specific webpages from a website) can control the content accessed on the internet.

    Email filtering to block spam and malicious emails

    Email filtering, as the name suggests, filters email that go inbound into your mailbox and outbound from your server. It ensures that no spam, malicious content, or sensitive data makes it in or out of your server unauthorised.

    Popular email platforms will have basic filtering capabilities, however, a dedicated filtering service will protect SMEs against ever-evolving, sophisticated cyber hackers. Email filtering detects:

    • Fake sender addresses
    • Technical properties and errors typically found in spam
    • Malicious links and attachments

    Phishing emails, which could also include an attempt to blackmail victims, invite users to click a link or download an attachment can contain malware that spreads like a virus. If clicked, it can extract all the data from inside the hard drive. It can also enable the attacker to track sent emails. This type of cybersecurity attack can also allow hackers to create phishing scams; communications sent in the name of your SME organisation, appearing as you, a trustworthy source to your clients, customers and a wider audience.

    It maybe that you may have already been a victim of a data breach. It is possible to check whether your email address has been pawned and fallen into the wrong hands.


    2. Educating employees about cybersecurity in SME businesses

    If you were to ask employees what phishing or malware are, it’s likely that they probably wouldn’t know. We would argue it’s not important to know the precise definition or technical names of different cyber attacks. However, it is important that employees are aware of what attacks look like and their role in their business’ SMEs cybersecurity strategy. It is usually employees, not technology, that are the first entry point for phishers. Educating employees can be done in a few ways:

    Automated training

    Deploying automated user education and awareness training

    We’ve found the simplest and easiest way to train SME employees about cybersecurity is through an automated education and awareness training tool. We use KnowBe4. Employees are enrolled onto personalised courses and sent automated email reminders to watch/complete short video tutorials. You’re also emailed scam alerts to inform of recent scams and what to do if you are targeted.

    The video tutorials can be watched on demand, which is perfect for those working from home, removing the effort to check diaries and organise workshops. The videos are quite funny too, making what can be a ‘dry’ topic, engaging and easy to understand. As admin, you can check the progress of your employees and also send simulation phishing attacks to ‘test’ their awareness.

    Policies and responsibilities

    Developing policies which define your cybersecurity posture and inform your team on their responsibilities

    An SME business should have GDPR documentation and processes, as well as a security or cybersecurity policy. You’re probably wondering what an SME cybersecurity policy should include. Below is a basic framework:

    Cybersecurity policy framework

    Aim and Scope

    Responsibilities

    Legislation

    Personnel Security

    Contracts of Employment
    Information Security Awareness and Training
    Intellectual Property Rights

    Access Management

    Physical Access
    Identity and Passwords 
    User Access
    Administrator-level Access
    Application Access
    Hardware Access
    System Perimeter Access (Firewalls)
    Monitoring System
    Access and Use

    Asset Management

    Asset Ownership
    Asset Records and Management
    Asset Handling
    Removable media 
         Users breaching these requirements may be subject to disciplinary action
    Mobile working 
    Personal devices / Bring Your Own Device (BYOD)
    Social Media (see 38-57 for social cyber tips)

    Computer and Network Management

    Operations Management
    System Change Control
    Accreditation
    Software Management 
    Local Data Storage 
    External Cloud Services
    Protection from Malicious Software
    Vulnerability scanning

    Response

    Information security incidents
    Business Continuity and Disaster Recovery Plans
    Reporting


    3. Limiting access

    Removable media

    Controlling access to removable media such as USB drives

    SMEs should create very clear guidance and cybersecurity policy around removable media. Their capability to hold large amounts of data and be transported or lost makes them a huge vulnerability to any SME business’ security. It can lead to loss of information and introduction of malware.

    In normal circumstances information should be stored onto corporate systems. To limit their use, only allow certain media ports and users access to portable devices. Also, formally issue and keep a log of who has removable media.

    Users should encrypt information held on the media. Take appropriate steps, when the media is reused or destroyed, to ensure that all previously saved information cannot be accessed. Removable media should also be automatically scanned for malware when introduced to any system.

    Zero trust network

    Only provide staff with the access levels they require to carry out their roles

    Provide reasonable, yet minimal, system privileges or data access. What access is required for an employee’s job? Continually review access, particularly when granting highly privileged administrative accounts. This minimises risk if an account is misused or compromised. This is particularly recommended if team members are remote working due to the heightened security risks.


    4. Cybersecurity continuity planning for SMEs

    Back up

    Have a robust back-up and SME business continuity plan to help recover from a potential cybersecurity breach

    At some point, your SME business will experience some kind of cybersecurity incident. Incident management or continuity planning is really important to reduce the impact of a cyber attack to your company. The supporting policy, processes and plans should be risk based and cover any legal or regulatory reporting requirements. Having the right skill-set, defined roles and responsibilities (whether in-house or out-sourced) is crucial to having an adequate response.

    Incident management or continuity plans should be tested and continually evolve to improve the way in which you respond.

    Have a systematic approach to the back-up of essential data to avoid data loss. We would advise SMEs to have automated back-up, which gives complete peace of mind. If you use physical media to back-up data, ensure it is secured and offsite. And it is really important to test your back-up! Test retrieving data that has been archived regularly just to be sure!


    How cybersecurity best practice benefits SMEs

    • Automating many of the cybersecurity practices, described above, require minimal maintenance once they’ve been set up.
    • Have confidence that your data and systems are protected and knowing that you have a good level of protection against common threats. In addition, it’s good to know that you can recover data if your defences are breached.
    • It gives your clients confidence that you are protecting their data and systems.
    • Avoid GDPR compliance failure and damage to your brand reputation. You don’t really want to be notifying or being fined by the Information Commissioner’s Office (ICO) or having to inform your clients and customers of any breaches.

    Challenges when adopting cybersecurity best practice

    • There’s a lot of misinformation from cybersecurity vendors and it can be difficult to select what you really need.
    • People are busy and stick to their habits, so it can be a slow process getting them to change to better security habits. People are the biggest threat to security, so this is crucial to get this piece right.
    • Even for people who are tech-savvy, it can be difficult to decipher cybersecurity and compliance standards.

    What next?

    This article encapsulates the core and broad areas of cybersecurity. Each business' cybersecurity will differ depending on your industry (e.g. accountancy), the technology, systems and devices you use and your supply chain. Your cybersecurity will also need to incorporate more granular elements, relevant to your business; such as your website may need CAPTCHA.

    If you have smart or Internet of Things (IoT) elements to your business, for example, sensors to your manufacturing or engineering factory, then the security of this element will need to be addressed and covered.

    If you’re looking to make your business cyber safe, remember to lean on an expert and ask lots of questions. Hopefully we have answered many of your questions in this article today.

    Speak to an expert

    If you still have questions about your business' cybersecurity, then why not schedule some time with one of our experts.

    Schedule time

     

     

    Sign up to our newsletter

    If you want to keep up to date with the latest cybersecurity tips, then subscribe to our newsletter:
    Sign up to our newsletter

    Cybersecurity for your business

    Learn about our cybersecurity business packages and pricing to understand what coverage your small or medium sized business might need.