Firstly, small businesses are in the so-called ‘sweet spot’ of having more money in their bank account than the average consumer. They also move money around far more often than regular people, such as paying invoices, money transfers and payroll.
In a recent article for internet security company ESET, André Lameiras noted that with much of the media coverage focused on truly big security breaches, many small business owners might be forgiven for thinking they’re safe.
“Far from it,” he warned, “These days, no company is too small to be noticed by the criminally inclined – or become collateral damage from attacks aimed at other targets. Too often, companies fall victim to attacks that are indiscriminately deployed at scale to haul in a bigger catch.”
The second reason why SMEs are the ideal target for attackers is because of their size – put simply, they are less secure than large enterprise organisations. This may be because of a false sense of security, but it could also be because the business just hasn’t made cyber security a real priority.
Mr Lameiras says that regardless of their size and stage of preparedness, businesses should regularly evaluate their incident response capabilities, even more so in times of increased risk.
“If your company is only now assessing its security risk, it is safe to assume your security posture is at a fledgling stage. There are, however, a few simple steps that you can immediately take to protect your data and the data of your employees,” he said.
Make an inventory to assess your risk: If you don’t know what you have, you can’t protect it. Maintain a list of all your hardware: PCs, laptops, mobile phones, routers, and printers. Also include your digital services, like the software you use, bank accounts, and cloud services such as Google Docs and iCloud. This inventory will make it easier to know where and what could go wrong.
Define your security policies: Safety and good leadership go hand in hand. Make sure you communicate to your employees why this is an important topic, why only authorised staff can enter the office, or why they should not use personal laptops or other devices to access work data. If they work remotely, explain why they should be careful when connecting to public Wi-Fi hotspots.
Set up your controls: To ensure that the policies agreed upon are being implemented, it is important to put IT controls in place. A foundational step is to set a unique username and password or passphrase for each employee to access their laptop and the company’s intranet. Set out the protocol that workers should follow in case they encounter any kind of security issue or incident. You should also use security software to protect employees from malware. Finally, consider using encryption to prevent data from being accessed and read by an attacker and two-factor authentication to provide an extra layer on top of the password.
Test your security policies: With the previous steps taken, your company already benefits from a certain level of protection. But you still need to make sure all steps have been well adopted and that they offer a smooth response in case of an attack. Keep in mind that you need to make sure employees use strong and unique passwords.
Educate: Increasing employee cyber security awareness is a long-term effort. Even well-informed workers might fall for simple phishing emails. An effective security strategy depends on your leadership to inform and educate employees.
Keep testing: Once you’ve been through the previous steps, don’t let your guard down. You need to reevaluate your processes at least once a year or more often during periods of crisis. Make sure your employees maintain compliance with your guidelines, that all software is up-to-date to stay safe from known vulnerabilities and to disable or remove the accounts and access of employees who have left the company.
