10 steps for SME cyber security

With around half of all SMEs now having experienced multiple cyber attacks, we asked four experts to explain how business owners can improve their security.

1. Know what you’re trying to protect

After all, how can you protect your data if you’re not sure what or where it is? Once you’ve made an inventory (laptops, phones, software, data etc.), Pitman says it’s equally important to implement a way of keeping track of any new additions, because the software and data you use and store will be changing all the time. “Often an SME’s inventory will only list the computers or devices themselves and not the software that resides on them,” Pitman warns. The best way to stay on top of things is to use software that will give you an up-to-date snapshot of everything digital that props up your business.

2. Involve the whole team

Educating the workforce about the common types of threat is crucial, says former police officer Edward Whittingham, MD of cyber-security company The Defence Works. “Employees should be taught about how to spot phishing emails, why they should never trust links received within emails and the importance of good password practice,” he says. “Bite-sized monthly training often works well, as it helps keep awareness about cyber-security front of mind.”

3. Enable, don’t control

“Employees, being human beings, will always take the path of least resistance to get things done,” says Pitman – so your well-intentioned cyber-security policies may actually result in staff working around them and inadvertently exposing the company to risk. An example Pitman gives is workers emailing documents to themselves to sidestep restrictive policies. It’s far better, he says, to pay attention to their objections about control measures and find solutions that both keep the business secure and give employees the flexibility they need.

4. Tighten up basic security

Start with a password manager, which provides a way of storing all of your passwords in one central, secure location, suggests Whittingham. It also allows employees to easily use different passwords for different accounts. “They’re a great way of not only increasing security but also making the administration of accounts that little bit simpler,” he says. A second coat of armour comes from two-factor authentication. “This is a way of adding an extra layer of security when logging into an account,” says Whittingham. “Instead of being able to access it with just a password, it typically requires a user to confirm a unique code via a text message or an authentication application. It’s usually very easy to implement and it needn’t cost a penny.”


5. Back up data

Businesses of all sizes should be doing this, says Whittingham, who explains that one low-tech way of doing it is to take manual backups to a secure storage device at regular intervals. “No matter how you do it, backups should not be connected to the network you use for work as they could then be at risk of being compromised in an attack,” he says. “There are lots of solutions available, many of which take the pain out of doing it and use encrypted cloud storage – they’re often very affordable, too.” With suitable backups in place, a business can recover much more quickly from an attack such as ransomware.

6. Keep software and devices up to date

Javvad Malik, of cyber-security awareness training company KnowBe4, says that after social engineering (manipulating people into revealing confidential data online), one of the most common ways companies are breached is through unpatched software, apps, or devices. “Because of this, SMEs should ensure all of their assets are kept up to date whenever the manufacturer releases a new patch,” he says. “In most cases, companies can set operating systems, phones, computers, and apps to automatically update to ensure this.” When older tech becomes unsupported by manufacturers, Malik says companies should consider replacing it.

7. Lock down privileges

Companies often have to let third parties into their systems to install new software or for development reasons, says Malik. With this in mind, your corporate policy should ensure that access is revoked once this external work stops or is completed. “It’s all too easy to have ‘orphan’ accounts that could be compromised at a later date,” Malik says. On a related note, companies should also limit the privileges some of their staff have on their accounts. “Normal, day-to-day activities such as checking emails should not need high-privilege accounts to do so,” he says.

8. Pay special attention to sensitive data

Business leaders need to realise it’s not a case of ‘if’, but ‘when’ a company is breached, says Gary Marsden at digital security specialist Thales. Their most critical data needs to be handled with extra care. Under GDPR (General Data Protection Regulation) rules, customers’ PII (Personally Identifiable Information) is considered especially sensitive and, if compromised, is one of the main reasons companies get fined under the new regulations. “A key way to protect this extra-sensitive data,” says Marsden, “is through controlling admission to allow only authorised users to gain access and strong key/certificate management, too.”

9. Evaluate and repeat

SMEs should be reviewing their cyber-security policies on an ongoing basis, says Marsden. “It requires constant examination and oversight to combat the ever-increasing number of threats out there,” he says. “Those that can’t dedicate the time or do not have the in-house skills to do this should consider outsourcing to a specialist third party – as a growing number of SMEs already have.” He adds that SMEs need to ensure they’re compliant in protecting all customer data in the future as well as the data they already have in their system.

10. Develop a doomsday plan

“When the worst happens and a company is targeted, you need a response and recovery plan that can be actioned quickly,” says Pitman. “Do contact the police and report the situation – but they’re not going to be able to help you continue business as usual.”

What will be more valuable, he says, is a recovery plan that enables the team to carry on working – probably using a cloud-based system, rather than your own, compromised, internal network. “Pay attention to your technology experts when they say they want to spend time and money on the setup of your system,” says Pitman. “Ultimately, it’s about not having all your eggs in one basket – and it takes a little extra investment and education upfront to save potentially significant revenue loss later.”

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only. Copyright © NatWest Group. All rights reserved.