An SME’s Quick 10-Step Guide To Cyber Security
29 September 2017 00:00
There are many ways of losing sensitive data or having it stolen, and with them come many repercussions and punishments - especially for SMEs.
Nowadays, the cyber security strength of SMEs is no stranger to scrutiny. Many of the articles and blogs you'll come across that relate to SME cyber security will be littered with phrases such as "woefully underprepared", "easy targets" and "growing threat".
But, for these smaller to medium-sized enterprises, there are still huge responsibilities to protect the personal information that your business and its employees collect and use. Sorry to be the bore, but a breach means financial, operational and reputational turmoil - which many businesses find difficult to ever overcome.
And not just for the SME themselves: for smaller businesses acting in the supply chain of larger organisations, a breach can have catastrophic effects on your clients (if you're not aware of this sort of threat, then this blog is definitely worth a read!).
So, dig into this guide to get a step-by-step view of how to practice cyber security for SMEs (with credit to the ICO).
1. Assess The Threats And Risks To Your Business
In order to establish what level of security is suitable for your organisation, it’s important to sit down and review the personal data you hold and what risks it poses. Consider the processes involved when collecting, storing, using and disposing of personal data.
Also, consider just how valuable the sensitive and personal information in your ranks might be, and what repercussions or distress this could cause to the relevant stakeholders should this data be compromised in a breach.
Once you’ve gathered this information, you’ll have a clear view of what security measures are appropriate for your company's needs - and you’ll be ready to start putting them into place.
2. Get Certified With Cyber Essentials
Unfortunately, there isn’t one single product that will be able to give you a complete guarantee of security for your business. Perhaps the best approach is to use a set of security controls that complement each other - although ongoing support is hugely important for a good level of security.
What To Do:
This is where the ‘Cyber Essentials Scheme’ comes into play. This provides a clear outlook on five key controls for keeping information secure. These are:
- Boundary Firewalls and Internet Gateways
- Secure Configuration
- Access Control
- Malware Protection
- Patch Management and Software Updates
Obtaining a Cyber Essentials certificate and following these key steps can help provide certain security assurances and help protect personal data in your IT systems.
3. Secure Your Data On The Move And In The Office
Often overlooked, the physical security of company equipment can pose just as many risks as the network infrastructure. Personal data on these devices can easily be compromised through the loss or theft of laptops, mobiles, tablets and USB sticks.
There’s also the risk of printed documents containing sensitive information that can be left lying around long after they’ve served their purpose.
Allowing untrusted devices to connect to your company network, or connecting company devices to untrusted networks, is another security issue to consider. Often, employees working on the move connect to open Wi-Fi in hotels, cafes and conferences - putting personal and company data at risk.
What To Do:
You can strengthen the physical security of your office by storing your servers in a separate room with added protection. Any devices, USB sticks or CDs used for backup should be locked away when not in use. For further protection, either ensure that personal data is not stored on the device, or that it has been appropriately secured and cannot be accessed if the device is lost or stolen.
Good access control and encryption are important here, with different forms of encryption being:
- Full Disk Encryption - All data on the device is encrypted
- File Encryption - Individual files are encrypted
Make sure you know exactly what protection you are applying to your data, as some software only offers password protection to stop people making changes to the data (which might not stop a criminal from reading the data).
For mobile devices, there is often an option to enable a remote disable or wipe facility. This allows you to send a signal to a lost or stolen device in order to locate it and, if needed, delete its data (you will most likely need to pre-register the device to use this type of service).
If employees are authorised to connect their own devices to your company’s network, then the security risks will inevitably be heightened. Here’s a small article on how you can address Bring-Your-Own-Device (BYOD) security risks.
4. Secure Your Data In The Cloud
In an age where smartphones and tablets are seen as business necessities, there is a host of online services that require users to transfer data to remote computing facilities - otherwise known as ‘the cloud’.
The risks of processing data in the cloud arise because personal data, for which you are responsible, leaves your network and is processed in systems managed by the cloud provider.
This means you’ll need to assess the security measures that the cloud provider has in place to ensure they are appropriate.
What To Do:
It’s important to know what data is being stored in the cloud. Most modern devices can have cloud backup or sync services switched on by default. Enabling two-factor authentication (2FA) for remote access to your data cloud is also a key consideration.
5. Backup Your Data
Disasters such as floods, fires or even vandalism can happen. For businesses, especially those that are smaller sized, you need to be up and running as quickly as possible for financial and reputational purposes. As well as this, loss of data can also put you at risk of breaching the Data Protection Act.
The next risk is one you’ll be sure to have heard of: malware, specifically ransomware, can disrupt access to your data. Ransomware encrypts your data until you pay to have it decrypted. The only problem is, many cyber criminals have no intention of ever allowing you to regain access, regardless of whether you’ve paid.
What To Do:
You need to have a strong data backup strategy implemented in order to protect against disasters and malware. Avoid storing backups in a way that is permanently visible to the rest of the network.
This can help dodge the risk of falling victim to malware, as well as having files accidentally deleted. Also, store at least one of your backups off-site.
6. Train Your Staff
Another criminally overlooked method of protection, employee security awareness can act as your front line of defence. In an astounding statistic, over 90% of all successful data breaches involve, or are caused by, human error. A lack of cyber security education is at fault in many of these cases.
One of the main traps for end users is falling victim to emails containing malicious links or attachments, otherwise known as ‘phishing attacks'. There’s also a high proportion of human errors that involve simply sending an email containing sensitive information to the wrong recipient.
What To Do:
Employees at all levels, including the c-suite, need to be aware of their role and responsibilities in cyber security. Security awareness training should be conducted on a regular basis, covering a wide range of topics from social media, to working remotely.
A cyber security culture within your business is proven to significantly reduce the risk of employee-caused breaches or loss of data. Also, keeping up-to-date on the latest threats and risks is vital. Subscribing to security-related blogs is a good way of ensuring this (we offer a free subscription to our weekly roundup, which you can sign up for here).
7. Keep An Eye Out For Problems
Most breaches go undiscovered for months, long after the damage has been caused. But when being attacked by cyber criminals and malware, the warning signs can sometimes be in clear view.
What To Do:
Regularly checking your monitoring services (e.g., software messages, access control logs and other reporting systems) for any alerts is vital. Also, make sure you can check what software or services are running on your network, so that you can identify anything that is there but shouldn't be.
Scan your system for known vulnerabilities with regular scans and penetration testing. Address any vulnerabilities that you may find.
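As an added illustration of the two checks above (it is not code from the original article or from the ICO), here is a small Python script that reviews a handful of constructed access-log lines for warning signs and compares the services found running on a host against an approved list. The log format, the service names, the threshold of five failures and the sample addresses are all assumptions made for the example; a real deployment would point it at the logs and service inventory your own systems produce.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not taken from any real system).
# Shape assumed for this example: "<timestamp> login user=<u> result=ok|fail src=<ip>"
SAMPLE_LOG = """\
2017-09-29T08:01:10 login user=alice result=ok src=10.0.0.12
2017-09-29T08:02:33 login user=bob result=fail src=203.0.113.5
2017-09-29T08:02:41 login user=bob result=fail src=203.0.113.5
2017-09-29T08:02:52 login user=bob result=fail src=203.0.113.5
2017-09-29T08:03:04 login user=bob result=fail src=203.0.113.5
2017-09-29T08:03:19 login user=bob result=fail src=203.0.113.5
2017-09-29T08:03:40 login user=bob result=ok src=203.0.113.5
2017-09-29T08:04:01 login user=carol result=fail src=198.51.100.7
2017-09-29T08:04:05 login user=carol result=fail src=198.51.100.7
2017-09-29T08:05:00 cron job=nightly-backup result=ok
"""

# Constructed service inventory: what you expect to run versus what was found.
APPROVED_SERVICES = {"sshd", "nginx", "postgres", "cron"}
RUNNING_SERVICES = ["sshd", "nginx", "postgres", "cron", "unknown-daemon"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>ok|fail) src=(?P<src>\S+)$"
)


def analyse_logins(log_text, threshold=5):
    """Flag two warning signs in access-control logs:
    - a source address that fails to log in `threshold` or more times in a row
    - a successful login from a source immediately after such a run of failures
      (a likely sign that a password was guessed rather than mistyped)
    Lines that do not match the login format are counted but otherwise ignored."""
    consecutive_fails = defaultdict(int)
    bursts = set()
    success_after_burst = []
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "fail":
            consecutive_fails[src] += 1
            if consecutive_fails[src] >= threshold:
                bursts.add(src)
        else:
            if consecutive_fails[src] >= threshold:
                success_after_burst.append((user, src))
            consecutive_fails[src] = 0  # a success resets the run of failures
    return {
        "bursts": sorted(bursts),
        "success_after_burst": success_after_burst,
        "unparsed_lines": unparsed,
    }


def unexpected_services(running, approved):
    """Return anything running that is not on the approved list."""
    return sorted(set(running) - set(approved))


if __name__ == "__main__":
    report = analyse_logins(SAMPLE_LOG)
    for src in report["bursts"]:
        print(f"WARNING: repeated failed logins from {src}")
    for user, src in report["success_after_burst"]:
        print(f"ALERT: {user} logged in from {src} right after a run of failures")
    for svc in unexpected_services(RUNNING_SERVICES, APPROVED_SERVICES):
        print(f"WARNING: unapproved service running: {svc}")
```

The point of the "success after a burst" rule is that a long run of failures followed by a success is more worth a phone call than the failures alone; the "unparsed" count is kept so that a change in log format does not silently turn the check into a no-op.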
8. Know What You Should Be Doing
Any risks you find within your business need to be addressed in a consistent manner - a good company policy will allow you to do just that.
Some businesses fail in their bid for protection as they’re not currently using the security they already have in place and are not always able to spot and flag a problem.
You should consider what actions need to be put in place should you suffer a breach. Effective incident management can reduce the damage and distress caused to stakeholders.
What To Do:
Review the personal data you have and what methods of protection you have. Ensure you are compliant with any industry guidance or other legal requirements.
Document the controls you have in place and find where improvements are needed. Once these have been located and improvements are in place, monitor the controls and adjust them where necessary.
Be proactive and minimise the damage of a potential data breach by considering the risks for each type of personal data you hold. Use an acceptable use policy and training materials for employees in order for them to understand their responsibilities in data protection.
9. Minimise Your Data
Some (or a lot) of the data you hold may be out-of-date, inaccurate or no longer of use. This happens in most companies, as large amounts of information get collected over time.
But for protection (and because the DPA says so), personal data should be accurate, up-to-date, and no longer kept if not needed.
What To Do:
Make a decision as to whether the data is still needed. If it is, make sure it’s stored in the right place. Move any wanted data to a secure location in order to prevent unauthorised access.
If you have data that you no longer need, it’s best to delete it. But make sure this is in line with your data retention and disposal policies. Specialist software or assistance might be needed to do this in a fully secure manner.
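As an added example (not code from the original article), the following Python snippet shows one way to turn a written retention policy into a repeatable review: each record carries a category and a last-used date, each category has a maximum retention period, and anything whose category is not covered by the policy is set aside for a human decision rather than silently kept or deleted. The categories, retention periods and sample records are all constructed placeholders; the actual periods must come from your own retention policy and legal requirements.

```python
from datetime import date, timedelta

# Constructed retention policy: category -> maximum days to keep after last use.
# These numbers are placeholders for the example, not legal guidance.
RETENTION_DAYS = {
    "customer_order": 365 * 6,
    "marketing_lead": 365 * 2,
    "job_applicant": 180,
}

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": "R1", "category": "customer_order", "last_used": date(2016, 5, 1)},
    {"id": "R2", "category": "marketing_lead", "last_used": date(2014, 1, 15)},
    {"id": "R3", "category": "job_applicant", "last_used": date(2017, 6, 30)},
    {"id": "R4", "category": "job_applicant", "last_used": date(2017, 1, 2)},
    {"id": "R5", "category": "legacy_export", "last_used": date(2010, 3, 3)},
]


def review_records(records, today, retention=RETENTION_DAYS):
    """Sort records into keep / delete / review according to the retention policy.
    Records in a category the policy does not mention go to 'review' so that
    an undefined category never causes either silent deletion or indefinite retention."""
    decisions = {"keep": [], "delete": [], "review": []}
    for rec in records:
        period = retention.get(rec["category"])
        if period is None:
            decisions["review"].append(rec["id"])
            continue
        age = today - rec["last_used"]
        if age > timedelta(days=period):
            decisions["delete"].append(rec["id"])
        else:
            decisions["keep"].append(rec["id"])
    return decisions


if __name__ == "__main__":
    # Constructed review date matching the article's publication date.
    result = review_records(SAMPLE_RECORDS, date(2017, 9, 29))
    for bucket, ids in result.items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The output of the review is a list of record IDs per bucket, which is what you would hand to whoever performs the secure deletion and what you would keep as evidence that the policy was applied.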
10. Make Sure Your IT Contractor Is Doing What They Should Be
For an SME, outsourcing your IT requirements to a third party is common. But, you need to be satisfied that they are putting in at least the same level of security with your data as you are.
What To Do:
Ask for a security audit of the systems containing your data, which can help highlight vulnerabilities that need to be addressed. Also, review copies of the security assessments of your provider and visit them in person if possible.
Check the contracts you have in place. They must be in writing and must require your contractor to act only on your instructions and comply with certain obligations of the DPA. Don’t overlook asset disposal - if you use a contractor to erase data and dispose of or recycle your IT equipment, make sure they do it adequately.
You may also be held responsible if personal data gathered by you is extracted from your old IT equipment when it is resold.