Cybersecurity made simple: five steps SMEs can take to guard against attack.

Three Business Blog Team
On: 31 Oct 2019
Cybersecurity can be an intimidating subject for many small and medium businesses because the threats are so varied, from email fraud and ransomware infections to data breaches. But behind the technical descriptions of the types of risks, there are actually some simple, straightforward actions you can take to help mitigate the risk of reputational or financial damage. Jacky Fox, managing director of the security practice at Accenture in Ireland and vice-chair for Cyber Ireland, shares her advice on how SMEs can reduce the chances of falling victim to a security incident.

Some SMEs might mistakenly think their size puts them under the radar of attackers; others believe they may be more resilient than they really are. The truth in today’s world is that no business is immune. Some small businesses fall victim to indiscriminate attacks, others are a target because of the information they hold, or because they could be the weak point that attackers can exploit to access a larger company they do business with. In other cases, human error could expose the company to risk. Here are five steps a small or medium-sized business can take to guide its path to improving security.

Step 1: establish good governance.

Governance is, simply, the way you do things as a business. It sets out your strategic vision, and the policies and procedures around that – and it helps you to align your cybersecurity aspirations with those goals. Most importantly, this sets the tone throughout the entire business; governance as it relates to security needs everyone’s support from the top down in order to be effective.

Governance starts with setting in place a framework of policies and procedures. For example, this might start with a statement like ‘we value the data that’s entrusted to us’, or ‘we value the intellectual property that we own’. These statements then guide policies. In any organisation today, no matter how small, you expect guidance about acceptable behaviour. This lets people in the business understand that, for example, they shouldn’t send emails with a customer database attached.

Putting good governance in place in a business doesn’t need to be a huge undertaking; a small number of policy documents should be sufficient in most SMEs. They also don’t need to go it alone if they feel they lack the expertise to do so. Independently recognised standards like ISO 27001 offer guidance on governance. Alternatively, there are useful frameworks such as NIST, which can be helpful in managing cybersecurity risk. You may even be able to avail of free online resources to help implement these frameworks, provided by research institutions or government bodies. Alternatively, for businesses who have a specific budget to allocate to security, some consultancy firms provide pre-packaged templates to help companies with their governance.

Step 2: understand your business assets and the risks they face.

It might seem surprising, but many businesses don’t have a thorough list of what they own, which makes it difficult to know their exposure to risk, or what they need to protect the most. There are two dimensions to this question: one refers to the physical assets the business owns, such as servers, mobile phones and laptops. The other dimension is to identify the threat and risks those assets face.

However, it is better to think mainly in terms of information assets, such as a customer database, or intellectual property that could be a formula for a product or the company marketing plan. This is the ‘secret sauce’ that differentiates your business, along with any personal information you hold about your employees or your customers. Do you have a system that handles credit card information, and what would happen if this was breached? Knowing what you have, and its importance to the business, determines the level of protection you need to apply.

There are frameworks online that can help you evaluate threats and risks, such as MITRE, but these can be complex. As with the previous step, it is often beneficial to work with a reputable external security specialist for this as their independent perspective can help businesses to identify what the problems are.

Step 3: provide security awareness training.

There are two strands to providing awareness training. One level is generic: to educate staff about common security risks that all companies face, like email scams, CEO fraud, or ransomware. This exercise might involve a presentation to everyone in the company, but nevertheless it’s important to do this. The more people know about particular threats, the better they can recognise them and prevent them.

One very effective tactic for security training is a phishing campaign, where everyone in the company receives a fake email that appears to come from a recognised colleague’s email address. In reality, the address is faked or ‘spoofed’, and it’s created to trick people into clicking on the link it contains. Running a phishing campaign is a great way of showing employees what a phishing email is, what it looks like, and how people can be duped if they’re not looking out for some telltale signs. Most cybersecurity incidents start with attackers targeting people, not systems, and that invariably means via email, which makes this a very valuable way to ensure your staff are well prepared to protect the business.

The second layer is where an organisation customises its training. Linking back to the previous point about understanding the assets, this training needs to reflect what’s valuable to the organisation and should include the procedures to follow in order to keep its data secure. So, if employees need to transfer information from the business network to do their jobs, this training should show them the appropriate ways to do this safely, such as through encrypted email. It’s important to encourage the proper secure behaviour and ideally to give people a choice of right things to do, rather than ending up in a situation where they try to circumvent controls.

As for how often to run this training, an annual event is the absolute minimum. Doing it monthly is even better, as it makes the messages easier to digest than in a large once-off presentation. Once you understand assets and risks, it’s very easy to customise training to your business. You can get ideas online and adapt them to the business so that the messages land with staff.

Step 4: put protection in place.

This step is about putting in place technical controls to protect the business. The most basic element used to be known as anti-virus but now it’s more commonly called endpoint protection. This software runs on laptops, PCs, servers and, increasingly, mobile devices, and will block many known attacks. Having good backup systems in place is another highly useful control. They ensure that if the business loses data for any reason, it can be restored from an older version of the information.

Given the nature of today’s cybersecurity threats, you shouldn’t stop there. The business should also consider having the ability to monitor the network for intrusions and trigger an alert for any suspicious activity that could indicate malicious intent. It’s helpful to think of security in terms of layers; not all businesses need to apply every single one uniformly across the business. The decision to use more advanced levels of protection, or not, will become clear after you have been through the risk assessment exercise in step 2.

Step 5: develop resilience and recovery plans.

Protection is a key part of cybersecurity, but it’s not the only part. Businesses also need to focus their efforts around resilience; that is, ensuring they could survive a security incident, and how quickly they could recover full operations.

Getting these plans ready is a process of asking questions like: how would we recognise when an incident has occurred? How long would it take us to get back to business as usual? What resources do we need to have in place if we were hit by a ransomware infection? The time to do this exercise is before an event happens, not during or after.

Fortunately, there are lots of resources available online to help your security efforts; you won’t be alone. For recovery planning, there are playbooks that explain how to deal with a distributed denial-of-service (DDoS) attack or a malware infection.

Further reading.

At a general level, some useful links to follow include Cyber Ireland, which is a community of more than 100 members that include cybersecurity professional services companies, product manufacturers and security researchers. They are in the process of developing education and awareness tools about cybersecurity.

Another good guide for SMEs is Cyber Essentials, which also operates a certification scheme. It’s run by the UK National Cyber Security Centre which itself is a very useful source of security information and advice, written for a business audience.

Last year, the Irish Government’s own National Cyber Security Centre published a 12-step free guide for businesses that contains some good advice. Lastly, the Technology Ireland ICT SkillNet has many free or low-cost courses for in-person or online learning in the basics of cybersecurity.

Jacky Fox spoke to Three’s Head of SME, Padraig Sheerin, for our podcast series, An Eye on Irish Industry. The podcast, entitled Protect & Serve: cybersecurity for SMEs, is now available to listen to on our Business Learning Centre.