An SME's Guide to Cyber Security
Cyber security is currently very much on the agenda for SMEs, as the digital world becomes central to so many businesses. The internet has created a revolutionary new realm of opportunity for SMEs. The capacity to reach new customers and share your brand has never been greater. However, with this abundance of new opportunities comes an abundance of new threats, with cyber attacks on UK businesses a daily occurrence. In 2015, 60% of small companies suffered a security breach. Luckily, it is also something you can adapt to and protect yourself against. This guide will lay out simple, easy-to-implement measures for SMEs who want to take full advantage of the internet without being vulnerable to attack or theft.
For SMEs, what is at risk from cyber attacks? It is vital to recognise the capacity of cyber security to impact on your entire business in a manner that goes far beyond a classic IT issue or financial theft. Your money is a primary attraction to many cyber criminals, of course. However, many other vital aspects of your business also require protection, namely your reputation, and your data/information. Your client lists, customer databases and their financial information, plans of any deals, designs and processes for product manufacturing, your financial records and your pricing information are all potentially valuable assets that require protection from spying and theft.
Who poses a risk to SMEs? It’s not only career criminals looking to benefit from cyber crime. Current or former employees may also commit an offence, as might people you do business with. In some cases, business competitors will use stealth methods to steal vital information and ideas. Obviously, trust is a vital element of any healthy business, but it’s also important to be aware and realistic. Cyber crime, like other types of crime, is not always committed by a stranger. Insider knowledge can make certain types of crime easier to commit, and keeping your security well-managed and up-to-date will help your business to avoid this possibility.
Cyber security practices, then, should be taken as seriously as any physical security measures, such as locks, CCTV, or security personnel. With the right knowledge and tools you can keep your business secure and make the most of evolving technologies and connections in the rapidly changing digital era.
Malware
It’s vital that your online SME is protected from malware, and this article will tell you how to ensure that it is. However, let’s start by clarifying what is meant by the term ‘malware’. Malware is a small piece of software that is used to disrupt operations, steal sensitive data, spam you with advertising, or gain access to your private systems. Malware can hide in your system, spying on your every move as a prelude to theft or even blackmail. It can easily infect your computers, tablets and smartphones, and can still pose a risk if you host remotely on ‘the cloud’. The term ‘malware’ underlines that this type of software is intentionally malicious, rather than simply malfunctioning. Malware refers to a number of different types of hostile software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, or scareware.
Malware is often disguised as, or embedded in, non-malicious files. It might take the form of other software, or code that can be activated. The most common types of malware are currently worms and trojan horses. Worms replicate and spread via shared computer networks, taking advantage of lax security. Trojan horses trick users via things like fake email attachments.
Spyware or other malware is not only picked up from browsing, social networking, and other online activity. Sometimes it is embedded in programs supplied officially by companies. Downloads may contain undisclosed tracking software. Not only does this invade your privacy, it has also been known to introduce security weaknesses that then allow further malware to access your computer system.
Internet Security
As frontline protection against malware, it is vital to install anti-virus software on all systems. It’s also vital to keep all your software and web browsers up to date so that you can benefit from the latest advances to combat the latest threats, which evolve over time. It is a good idea to create a policy with a standardised agreement regarding when and how security updates should be installed by all employees to ensure your entire network remains adequately protected. Ensure any online passwords are complex, with a mixture of letters and numbers, and that they are regularly updated.
It’s important to be aware of what kind of risks are out there, and to communicate these risks to your staff. Regularly update your company’s information on scams to keep up with the changing strategies and tools employed by cyber criminals. Phishing scams, for example, are currently particularly common, and they are most easily avoided through being aware of the risks. Fake emails, fake social network posts and even texts will attempt to bait the recipient into giving away sensitive information to what they believe to be a trusted source.
Phishing emails sometimes pretend to be from your bank, a known company or individual. The most obvious are easily avoided, such as claims you have won a lottery you never entered, but increasingly sophisticated phishing scams require increased digital literacy so that nobody clicks on links to malware or gives away sensitive data. Ensure all staff are vigilant in checking that emails are genuine and accurately resemble the features of the alleged source. Common signs are spelling mistakes, inaccurate logos, strange tone, unlikely claims, unexpected requests or missing information/signatures/details.
Computer Security
Computer security best practice dictates that all businesses should maintain an inventory of all current IT equipment and software. This will reduce the possibility of items being removed or tampered with, or stolen outright for the information they contain, without anyone noticing. It will mean you are immediately aware if any such item is stolen. Some machines can now be tracked, to aid the police in retrieving hardware and apprehending the culprits.
Seemingly benign hardware items brought in from home by employees can bring threats into your business. It is recommended that you restrict the use of removable hardware in machines, as these are a possible source of malware. Devices to be aware of include USB sticks, CDs and digital cards.
Passwords, security protocols, activity, and logins all require careful management. Provide a standardised configuration and security protocol that all staff can adhere to. Ensure that there is a standard and well-maintained system for keeping track of passwords, log-ins and changing staff members. Never keep default passwords that come with the machine or software. Restrict access to systems and software so that only those who need to access it can. Ensure that anyone working remotely is storing and transmitting data in a secure manner, using encryption. Ensure you can review activity logs if necessary in the event of malicious activity.
Keep your hardware secure and monitored to prevent unwanted access. Ensure your computers are in a secure location and that they cannot be accessed by unknown or unwanted parties.
Keep your system clutter-free and current so that you know exactly what is being used. If any software or equipment is no longer needed, it’s best to dispose of it, preferably by donating or recycling. Ensure that there is no sensitive information on it before doing so.
Network Security
Networks can be particularly prone to password attacks. There are three main types of password attack. The first is a brute-force attack, where the hacker simply guesses at passwords until they gain entry. The second, key-logging, is the most sophisticated. The hacker tracks all of a user’s keystrokes, thus finding out all of their login information. The third is the dictionary attack, where combinations of words are entered systematically. Regularly changing all network passwords and keeping them complicated, with a mixture of letters and numbers, is highly advisable. Anti-virus software will protect from the kind of malware that would allow keystrokes to be spied on.
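Brute-force and dictionary attacks both show up in login records as a burst of failed attempts, which is one reason to keep the activity logs mentioned earlier under review. The following is an added example, not part of the original guide: a short script that flags such bursts and whether one ended in a successful login. The log format, the five-failure threshold and the five-minute window are assumptions, and the records are constructed samples.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample records: timestamp, account, source address, result.
SAMPLE_LOG = """\
2024-03-04T09:00:00 alice 198.51.100.7 FAIL
2024-03-04T09:00:05 alice 198.51.100.7 FAIL
2024-03-04T09:00:09 alice 198.51.100.7 FAIL
2024-03-04T09:00:14 alice 198.51.100.7 FAIL
2024-03-04T09:00:20 alice 198.51.100.7 FAIL
2024-03-04T09:00:26 alice 198.51.100.7 OK
2024-03-04T09:10:00 bob 192.0.2.10 FAIL
2024-03-04T09:10:30 bob 192.0.2.10 OK
2024-03-04T10:00:00 carol 203.0.113.5 FAIL
2024-03-04T10:00:20 carol 203.0.113.5 FAIL
2024-03-04T10:00:40 carol 203.0.113.5 FAIL
2024-03-04T10:01:00 carol 203.0.113.5 FAIL
2024-03-04T10:01:20 carol 203.0.113.5 FAIL
2024-03-04T11:00:00 dave 192.0.2.20 FAIL
2024-03-04T12:00:00 dave 192.0.2.20 FAIL
2024-03-04T13:00:00 dave 192.0.2.20 FAIL
2024-03-04T14:00:00 dave 192.0.2.20 FAIL
2024-03-04T15:00:00 dave 192.0.2.20 FAIL
"""

def find_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {(account, source): verdict} for bursts of failed logins."""
    recent = defaultdict(deque)   # (account, source) -> recent failure times
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip blank or malformed lines
        ts, key, result = datetime.fromisoformat(parts[0]), tuple(parts[1:3]), parts[3]
        fails = recent[key]
        while fails and ts - fails[0] > window:
            fails.popleft()       # forget failures older than the window
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold:
                alerts.setdefault(key, "repeated guessing")
        elif result == "OK":
            if len(fails) >= threshold:
                alerts[key] = "guessing followed by successful login"
            fails.clear()         # a success resets the failure count
    return alerts

if __name__ == "__main__":
    for (account, source), verdict in find_password_guessing(SAMPLE_LOG).items():
        print(f"{account} from {source}: {verdict}")
```

An ordinary mistyped password (bob) and failures spread over several hours (dave) are not flagged; a burst that ends in a successful login (alice) is the case to investigate first.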
You can improve computer and network security using several other security measures, including firewalls, virtualisation strategies, proxies, and access control lists (ACLs).
A firewall is a security system that monitors and controls the incoming and outgoing activity on your computer or network. It acts as a protective wall between your computer (a host-based firewall) or internal network (a network firewall) and the potentially hazardous world of the internet. Some experts note that as cyber threats evolve and come from more angles, a firewall alone no longer offers enough protection for businesses. Next-generation firewalls provide a security boost.
Virtualisation strategies can provide tailored access control to applications, files, web content, email and attachments. The user’s role, location, connection and device affect their capacity for access. This provides a more detailed and in-depth approach to security that will heavily bolster the function of a firewall.
Proxies, or proxy servers, act as an intermediary between you and the internet, allowing you to search for and retrieve content more safely or anonymously.
Access control lists (ACLs) can create a list of those permitted to access sensitive content so that you can have total control over who can view it or alter it.
How to Protect Your Company from Cyber Crime
It’s a good idea to test and improve your cyber security on a regular basis. It’s also important to continue updating your knowledge over time. As threats evolve, this allows you to manage any change in the level and type of risk. Communicating with other businesses about recent attacks and crimes can help you develop mutual support and stay aware.
Awareness also means assessing your business for weak points of entry. This can include online financial transactions, easily accessed hardware devices, or frequently changing staff with access rights. Ensure that these points of vulnerability are as well-secured as possible.
It’s also important to ensure that all your staff are informed about cyber security and that everyone has access to a shared policy. Making cybersecurity a regular part of meeting agendas is an easy way to keep it at the forefront of good practice, and to encourage dialogue that will keep people curious, informed and engaged. Pass on anything you’ve learnt to the entire team, and any useful resources, so that nobody is left in the dark. It’s easier for people to adapt to new technological issues if discussion about the issue is encouraged in the workplace.
If your business is attacked, report the incident to the police. Also ensure that all devices are swept for malware and totally cleaned before you commence business. Take time to reflect on how the attack happened and what measures can be implemented to avoid a repeat incident. Consider sharing the experience with other trusted businesses to develop a trust relationship where you can mutually inform one another of current risks.
It is advisable to seek advice from security consultants and IT support companies to ensure you have the best protection available and are implementing it correctly.
Cyber Security Insurance
The risk of information or financial theft, or other disruptions to your business, is very real. Small businesses have far more attractive assets than a lone individual, but are less likely to have the sophisticated security or know-how of a large company.
Around half of UK companies are not even aware that there is insurance available for cyber risks, and less than 10% have coverage. This is staggering considering the prevalence of successful cyber attacks on UK businesses and that 60% of small businesses were affected last year alone. However, as the threat becomes more commonplace, many SMEs are waking up to the issue, and realising that insurance is a vital ingredient of any company’s cyber security plan.
With UK insurance being a world leader, SMEs are in excellent hands. A good insurer can help an SME develop their knowledge of cyber security, so that they are better equipped and better protected. As insurance and security norms catch up with the digitalised world, it’s certainly time to get ahead of the competition and ensure that your business is informed and secure.