How To Mitigate Cyber Security Risk

Kristin Sperring

Managing cyber security risk is about doing the basics right.


Cyber security is usually not high on the list for a small to medium-sized enterprise (SME). It is often something “we should probably do something about” that never becomes a priority. Unfortunately, small and medium-sized businesses are increasingly the target of attacks. According to Barracuda Networks’ recent report, employees at businesses with 100 or fewer employees experience 350% more social engineering attacks than employees at larger enterprises.


Tackling your cyber security risks does not have to be overwhelming. Getting the IT basics right protects a business against around 80% of common cyber attacks.


Take a look at our blog “Small Businesses are Attacked by Hackers 3x More than Larger Ones” to find out why cybercriminals are targeting SMEs.


Why businesses need to prioritise cyber security

Two key reasons businesses should address their cyber security risks are reputational and financial damage.


Reputational damage


A cyber security breach does not just impact your business, but also your customers. Typically, cybercriminals go after end-user data such as payment information and passwords, or impersonate your business in order to reach your customers. A customer data breach not only damages the reputation of your business but often results in customers losing trust and taking their business elsewhere.


Financial Damage


Loss of business is just one example of the financial impact of a cyber breach. Businesses also potentially face fines or penalties for failing to manage personal data in line with GDPR or other government standards. In the worst case, a cyber-criminal blocks access to business-critical systems with ransomware and demands payment to restore access to your own data (and, increasingly, threatens to publish it as well).


How to mitigate cyber security risk

Whilst this all sounds scary, the UK Government’s National Cyber Security Centre (NCSC) states that implementing a set of basic IT controls protects against around 80% of common cyber attacks. So, what are they?


Secure Data Storage


Every business, regardless of the industry it works in, has to store confidential data, files and documentation in some form or other. This could be staff HR documentation, customer data, financial records or even intellectual property owned by the company. The first step in minimising your cyber security risk is determining where your data is stored, who can access it and how.


Whether it is stored in the cloud or on-premise, you need to make sure adequate security is in place to protect your data. At the network level this is typically a firewall, which only lets the traffic you expect through; the data itself should also be encrypted and restricted to the people who need it. In addition, businesses should back up data regularly so it can be recovered after a disaster, keep at least one copy offline or otherwise out of reach of an attacker who has compromised the network (ransomware deliberately goes after any backups it can reach), test that a restore actually works rather than assuming it does, and set policies for how long confidential data is retained.
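The point about testing backups is easy to state and rarely done. The script below is an added example, not part of the original article or any Xiria product: it copies a folder, records a SHA-256 manifest of every file, and then verifies the copy against that manifest, so a backup that has been silently corrupted or overwritten by ransomware is caught before you need it. The source tree it backs up is constructed inside a temporary directory purely for the demo.

```python
"""Back up a folder with a SHA-256 manifest and verify the copy.

Added example. A small source tree is constructed in a temporary
directory, copied, and the copy is checked against its manifest. A
simulated ransomware overwrite and a deleted file are then detected on a
second verification pass.
"""
import hashlib
import json
import os
import shutil
import tempfile


def file_sha256(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def back_up(source, destination):
    """Copy source to destination and store the manifest beside the copy."""
    shutil.copytree(source, destination)
    manifest = build_manifest(source)
    # The manifest sits next to the copy, not inside it, so it is never
    # mistaken for backed-up data.
    with open(destination + ".manifest.json", "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_backup(destination):
    """Compare the copy with its manifest.

    Returns a dict with three sorted lists: files whose hash changed,
    files missing from the copy, and files present in the copy but not
    in the manifest. All three empty means the backup is intact.
    """
    with open(destination + ".manifest.json", encoding="utf-8") as fh:
        expected = json.load(fh)
    actual = build_manifest(destination)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def demo():
    """Constructed end-to-end run; returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "shared")
        os.makedirs(os.path.join(src, "hr"))
        with open(os.path.join(src, "hr", "contracts.txt"), "w") as fh:
            fh.write("staff contracts\n")
        with open(os.path.join(src, "accounts.csv"), "w") as fh:
            fh.write("invoice,amount\n1001,250.00\n")

        dst = os.path.join(tmp, "backup-2024-01-01")
        back_up(src, dst)
        clean = verify_backup(dst)

        # Simulate ransomware overwriting one file and a second file going missing.
        with open(os.path.join(dst, "accounts.csv"), "w") as fh:
            fh.write("ENCRYPTED\n")
        os.remove(os.path.join(dst, "hr", "contracts.txt"))
        tampered = verify_backup(dst)
    return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("fresh backup:", clean_result)
    print("after tampering:", tampered_result)
```

Run the verification on a schedule against each backup copy and treat any non-empty result as an incident, not a warning; a manifest stored with the backup also lets you prove after a restore that what came back is what was saved.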


Where a lot of businesses struggle is access to this data. Storage systems that are slow or overly cumbersome often result in staff saving files locally to their machines to avoid lengthy upload or download times. Or, worst case, a staff member emails a file to their personal address to work on at home. Storing confidential data in multiple locations not only creates version control problems but also increases the risk of a data breach, especially when some of those locations are outside your network and your control.


Ensuring that your business data is securely stored and readily accessible to authorised staff significantly reduces the chance of it falling into the wrong hands.


Invest In IT Equipment


It is standard practice to safeguard your organisation’s devices from common attacks such as malware with endpoint protection software (anti-malware or EDR) together with a host firewall. It is also essential to keep business devices updated with the latest operating system and manufacturer updates (including firmware and drivers): these updates fix the security vulnerabilities attackers exploit, not just keep the device running smoothly.


Even though it can seem time-consuming and frustrating to wait for a device to restart when that dreaded update window pops open, these updates are what keep your devices protected against newly discovered attacks. Fixes for vulnerabilities in both hardware (via firmware) and software are delivered through updates pushed remotely to devices, so a device that keeps deferring them stays exposed.


Keeping control of costs is a constant challenge for SMEs, which do not have the resources of larger enterprises. One area that does require regular investment, however, is IT hardware. Manufacturers and operating-system vendors set a limit on how long laptops, desktops and other equipment are supported. For instance, Windows 11 does not run on devices with 7th generation Intel Core i5 and i7 processors or older, and Windows 10 reaches end of support on 14 October 2025, after which such devices stop receiving security updates. An unpatched device is a soft target, and once compromised it becomes a foothold from which to attack everything else on the same network.


Password Management


Many people find passwords a hassle, particularly as many applications now mandate upper and lower case letters, numbers and a special character. This often leads to team members keeping a paper list of passwords on their desk, which is vulnerable to physical theft, saving a list in a document on their desktop, or reusing the same password across services so that one breach unlocks the rest.


Using a password manager is the easiest way to keep critical system passwords secure while also making life easier for staff. Most password managers can generate a long random password for each site and fill it in automatically, and many can store one-time (TOTP) codes as well; bear in mind that if those codes live in the same vault as the passwords, the vault itself must be protected with its own second factor. A business password manager also gives you one place to see which shared credentials a leaver had access to, so their vault access can be revoked and those passwords rotated, which makes the leaver process that much faster.


Staff Education


The most vulnerable part of any business is its staff. Phishing emails are the leading source of cyber breaches across all organisation sizes: the UK Cyber Security Breaches Survey 2021 found that 83% of businesses that identified a breach or attack reported phishing.


Once a cyber-criminal has a foothold on your network there is a great deal they can do with your business data. Educate your team on what to look out for in a phishing email (lookalike sender domains, a reply address that differs from the sender, manufactured urgency, unexpected attachments or login pages), give them an easy way to report suspicious messages, and send mock phishing emails to test where the gaps are. These actions alone go a long way towards protecting your data.
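The “what to look out for” list above can be turned into a mechanical check as well as a training point. The script below is an added example, not code from the original article: it reads the headers of a raw email and flags a lookalike sender domain, a display name that claims a trusted brand from an untrusted address, a Reply-To that redirects replies elsewhere, and failed SPF/DKIM/DMARC results recorded by the receiving mail server. The three sample messages are constructed for the demo, and TRUSTED_DOMAINS is an assumed stand-in for a company’s own domains and its known suppliers.

```python
"""Flag common phishing indicators in the headers of a raw email.

Added example. The sample messages are constructed for the demo, and
TRUSTED_DOMAINS is an assumed stand-in for a company's own domains and
known suppliers.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed: domains the business legitimately receives mail from.
# A list rather than a set so that the order of warnings is deterministic.
TRUSTED_DOMAINS = ["example.co.uk", "bank-example.com"]

# Constructed sample messages.
LEGITIMATE = (
    "From: Accounts <accounts@example.co.uk>\n"
    "To: staff@example.co.uk\n"
    "Subject: March invoices\n"
    "Authentication-Results: mx.example.co.uk; spf=pass; dkim=pass; dmarc=pass\n"
    "\n"
    "Invoices attached as usual.\n"
)
SPOOFED_PAYROLL = (
    "From: Example Ltd Payroll <payroll@examp1e.co.uk>\n"
    "Reply-To: payroll.example@gmail.com\n"
    "To: staff@example.co.uk\n"
    "Subject: URGENT: update your bank details today\n"
    "Authentication-Results: mx.example.co.uk; spf=fail; dkim=none; dmarc=fail\n"
    "\n"
    "Please confirm your new account number via the link below.\n"
)
LOOKALIKE_BANK = (
    "From: IT Helpdesk <helpdesk@bank-exarnple.com>\n"
    "To: staff@example.co.uk\n"
    "Subject: Your account has been locked\n"
    "\n"
    "Log in here to restore access.\n"
)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Fold visual tricks (rn->m, vv->w, 0->o, 1->l) before comparing."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l"))


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is clean."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def phishing_indicators(raw_message):
    """Return a list of warnings for one raw RFC 5322 message (empty = nothing seen)."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    warnings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Lookalike sender domain (examp1e.co.uk, bank-exarnple.com ...).
    imitated = lookalike_of(from_domain)
    if imitated:
        warnings.append(f"sender domain {from_domain!r} looks like {imitated!r}")

    # 2. Display-name spoofing: the name claims a trusted brand, the address does not.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in from_name.lower():
                warnings.append(f"display name {from_name!r} claims {trusted!r} "
                                f"but the address is {from_addr!r}")

    # 3. Reply-To pointing at a different domain than the apparent sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to:
        reply_domain = reply_to.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            warnings.append(f"replies go to {reply_domain!r}, not to {from_domain!r}")

    # 4. Sender authentication failures recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            warnings.append(f"{check.upper()} check failed")
    return warnings


if __name__ == "__main__":
    for label, sample in [("legitimate", LEGITIMATE), ("spoofed payroll", SPOOFED_PAYROLL),
                          ("lookalike bank", LOOKALIKE_BANK)]:
        print(label, "->", phishing_indicators(sample) or "no indicators")
```

None of these checks is proof of phishing on its own, and a clean result is not proof of safety (a compromised supplier mailbox passes all four), which is why the checks complement staff awareness rather than replace it.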


Least Privilege Access


The principle of least privilege means users and applications get access only to the systems, folders, drives and software they need to do their jobs. Restricting access to sensitive business data to those who require it limits the damage that a single compromised account, or a simple mistake, can do.


A joiner and leaver process works alongside this principle: map out each role’s requirements, build the user’s equipment, accounts and software accordingly, and remove that access promptly when they leave. Blocking certain categories of website and limiting software to an approved list reduces the chance of malicious software being introduced to your network unintentionally. Separating administrative rights from a user’s everyday account means day-to-day email and browsing do not run with the power to change the system, and avoids permissions being granted by accident.


The best approach is to start strict and unblock as genuine needs arise. It is much harder to track down and remove permissions that have already been granted.


Cyber Security Monitoring

If you have followed all the previous suggestions, then you may want to consider monitoring your cyber security for additional peace of mind.


It’s possible to monitor at both a basic and an advanced level. Larger organisations have the resources to do extensive monitoring, such as logging user login behaviour and alerting on anomalies (a login from a new country, a run of failed logins followed by a success, activity at unusual hours). Basic monitoring is still within reach of an SME and buys you time to react to a potential breach. One example is watching for your business domain or staff email addresses turning up in credential dumps on sites known to trade stolen data (the dark web), which tells you which passwords to reset before they are used against you.
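The login-behaviour monitoring mentioned above does not need an enterprise SIEM to get started. The script below is an added example, not code from the original article or any Xiria service: it walks a set of authentication log lines and raises findings for a burst of failed logins, a success immediately after such a burst, a first login from a country not previously seen for that user, and logins outside business hours. The log lines are constructed for the demo, and the key=value layout is an assumption that would be adapted to whatever your real system emits (for example Microsoft 365 sign-in logs or a VPN appliance’s syslog).

```python
"""Low-effort login monitoring over authentication log lines.

Added example. The log lines are constructed for the demo; the key=value
layout is an assumption and would be adapted to the real log source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a normal morning, then a password-guessing burst
# against alice from a country she has never signed in from, then an
# out-of-hours login by bob.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z user=alice result=success src=198.51.100.7 country=GB
2024-03-04T09:02:41Z user=bob result=success src=198.51.100.9 country=GB
2024-03-04T22:13:05Z user=alice result=fail src=203.0.113.5 country=NL
2024-03-04T22:13:40Z user=alice result=fail src=203.0.113.5 country=NL
2024-03-04T22:14:12Z user=alice result=fail src=203.0.113.5 country=NL
2024-03-04T22:15:01Z user=alice result=fail src=203.0.113.5 country=NL
2024-03-04T22:16:22Z user=alice result=fail src=203.0.113.5 country=NL
2024-03-04T22:17:45Z user=alice result=fail src=203.0.113.5 country=NL
2024-03-04T22:18:30Z user=alice result=success src=203.0.113.5 country=NL
2024-03-05T03:40:00Z user=bob result=success src=192.0.2.44 country=GB
"""


def parse_line(line):
    """Turn '2024-...Z key=value ...' into a dict with a datetime under 'ts'."""
    timestamp, *fields = line.split()
    record = {"ts": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect_anomalies(lines, fail_threshold=5, window=timedelta(minutes=10),
                     business_hours=(7, 19)):
    """Return a list of (user, kind, detail) findings.

    kinds: 'failure-burst'        fail_threshold failures inside `window`
           'success-after-burst'  a success while such a burst is live
           'new-country'          success from a country not seen for that user
           'out-of-hours'         success outside business_hours (24h clock, UTC)
    The first country seen for each user is treated as their baseline, so a
    fresh log with no history does not flag everyone's usual location.
    """
    seen_countries = defaultdict(set)
    recent_fails = defaultdict(deque)
    findings = []

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        user, ts = rec["user"], rec["ts"]
        fails = recent_fails[user]
        # Drop failures that have aged out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()

        if rec["result"] != "success":
            fails.append(ts)
            if len(fails) == fail_threshold:  # report once per burst, not per failure
                findings.append((user, "failure-burst",
                                 f"{fail_threshold} failed logins from {rec['src']} within {window}"))
            continue

        if len(fails) >= fail_threshold:
            findings.append((user, "success-after-burst",
                             f"login from {rec['src']} after {len(fails)} recent failures"))
        fails.clear()

        if seen_countries[user] and rec["country"] not in seen_countries[user]:
            findings.append((user, "new-country",
                             f"first login from {rec['country']} "
                             f"(previously {sorted(seen_countries[user])})"))
        seen_countries[user].add(rec["country"])

        start, end = business_hours
        if not start <= ts.hour < end:
            findings.append((user, "out-of-hours",
                             f"login at {ts:%H:%M} UTC from {rec['src']}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{user:6} {kind:20} {detail}")
```

The thresholds and business hours are deliberately parameters: tune them to your own working pattern first, because a check that pages someone every night for a colleague who always works late is switched off within a week, and then nobody sees the real one.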


Put your cyber security to the test with a free dark web check from Xiria.


Creating Trust with Cyber Essentials

Cyber Essentials is a government-backed, industry-supported scheme designed to help SMEs protect themselves against the most common cyber attacks. Achieving Cyber Essentials not only protects your business against the attacks the NCSC’s 80% figure refers to, but also increases trust among your existing and potential customers.


Xiria’s Ultimate IT Package provides teams with the essential productivity and security tech needed to work efficiently and securely.


Looking for advice on how to manage your business’ cyber security risks or interested in the Cyber Essentials scheme? Speak to our team of experts for an informal chat.