Any business that employs fewer than 250 people can be categorized as a small and medium-sized enterprise (SME). There are more SMEs than there are corporations and overall, SMEs employ more people. SMEs serve as a driving force for competition and innovation in many economic sectors.
Media coverage of cybercrime tends to focus on corporations, such as the cyberattacks on Equifax, the US Department of Homeland Security, and Uber in 2017.
Organizations of all sizes, however, are at risk of cybercrime. According to 2017 reports from Verizon and UPS, nearly two-thirds of all cyberattacks target small organizations. Here are six cybersecurity tips to help SMEs with their cybersafety.
1. Understand the risks – to implement effective cybersecurity policies, processes, and procedures, it is important to know your data security management risks. Conducting a risk assessment is part of understanding and managing the potential risks that can disrupt business continuity. This involves the following key steps:
- Understand the system processes
- Develop an information asset inventory
- Identify cyber threats and risks
- Determine risk impact and calculate risk likelihood
- Analyze the control environment
- Select appropriate security controls and risk treatment options
Organizations should conduct risk assessments at regular intervals to continually improve cybersecurity practices.
2. Conduct employee awareness and training – according to a recent study from Keeper Security and Ponemon Institute, careless employees are the leading cause of data breaches at SMEs across North America and the UK. A rise in the number of ransomware attacks should be a cause for concern. The study also found that:
- 50% of SMEs experienced a ransomware attack in the past year
- 79% of SMEs targeted said the ransomware infiltrated their system via a phishing or social engineering attack
- 53% of SMEs were hit more than once throughout the year
Many SMEs are unprepared for ransomware attacks, so it’s important to create a culture of cybersecurity awareness. Cybersecurity procedures should be practiced every day and employees should be aware that emails, websites, and files that appear safe may be corrupt.
3. Install firewalls, and antivirus and anti-spyware software – any computer or network used by an organization should be secured with a good firewall that takes Wi-Fi into consideration. Unified threat management is an advanced firewall that restricts dangerous website visits, incoming malicious email, and network compromises. The latest versions of anti-spyware and antivirus software should be installed. Vendors provide security patches and updates for software, so be sure to update to the latest version regularly. Configure all software to install updates automatically.
4. Limit access – safeguard electronic data by applying access control. Employees should only have access on an “as needed” basis and employers should restrict access to sensitive information. Digital access, e.g. case files containing sensitive information, and physical access, e.g. the office environment where computers are, should be limited. Access policy and regulations should be reviewed on a regular basis to ensure data security needs are met.
5. Add security layers to protect login credentials – keep private data cyber secure by adding levels of protection on top of usernames and passwords, including multi-factor authentication and encryption. Hardware such as mobile devices should have device management solutions in place, with over-the-air and data protection settings. Laptops should be securely stowed when not in use. If a device is lost or stolen, encryption – with device management to prove the lost data was encrypted – will ensure the data can still be kept secure.
6. Regularly back up data on all computers – duplicates of data should be stored, e.g. documents, electronic spreadsheets, databases, financial records, human resources files, etc. Backups should be automated on a weekly basis. Copies should be stored off-site or in the Cloud, via secure providers such as Amazon, IBM, or Salesforce. These top three Cloud providers have sophisticated cybersecurity measures in place to best protect confidential data.
Achieve effective cybersecurity measures by applying ISO 27001
Organizations of all sizes should consider information security management system (ISMS) implementation. Through an independent certifying body, an organization can gain certification that is accredited by the International Organization of Standardization. ISO 27001 is the international standard that describes ISMS best practice. Achieving ISO 27001-accredited certification is a strong indication that a business is following best practice to protect personal information.
IT Governance is the world leader in implementing ISMSs and has helped businesses across the globe to achieve their cybersecurity objectives. Find out how IT Governance can help your company secure its critical information assets by downloading our ISO 27001 consultancy brochure.