Knowledge Exchange examines best practices for small and medium enterprises to strengthen their defences against cyber threats.
With cyberattacks surging since the pandemic, small and medium enterprises (SMEs) face extraordinary challenges when it comes to cybersecurity. According to a recent survey by cybersecurity company Guardz, 57% of SMEs have experienced a cybersecurity breach, among whom 31% reported their business had been targeted by a breach in the past 12 months alone.
So, why are hackers targeting the smaller fish in the pond?
For cybercriminals, it’s about choosing the path of least resistance to an organisation’s data, infrastructure, and finances. Due to lack of budget and resources, many SMEs have weaker security measures, limited security training and a lack of dedicated IT staff in place to combat cybercrime. Also, SMEs can offer a gateway for hackers to gain access to larger businesses through supply chains, which makes them even more attractive to hack.
The hard consequences of these attacks include data loss, financial costs, reputational damage, or a complete system shutdown that can last hours, days, even weeks, bringing your business to a standstill. In many cases, SMEs have gone out of business over one successful cyberattack.
How to protect your SME from cybersecurity threats
It is paramount for companies to put the necessary precautions in place to thwart any potential attacks. Knowledge Exchange shares five key steps to take today to protect your SME:
Establish a Strong Security Culture amongst Employees
One of the largest cyber-security threats to SMEs unfortunately comes from the behaviours and habits of employees. Luckily, it’s also the threat that you have the most power to control, and building a strong security culture is key.
Ensure every employee, including executive management, prioritises cybersecurity by:
Creating a comprehensive security strategy for detecting, measuring, and responding to security risks. This includes carrying out a comprehensive risk assessment, choosing a reliable security framework and establishing security policies.
Outlining cybersecurity roles and responsibilities company-wide and educating all employees on cybersecurity best practices and policies including password management, incident response and access control.
Requiring employee involvement and accountability by regularly delivering security training on how to identify and report suspicious activity, as well as training exercises to increase awareness, such as phishing simulations and security drills.
Invest More in Cybersecurity
Today’s cybercriminals go way beyond traditional spam or malware threats, so relying on basic security such as firewalls, antivirus software, and basic email filtering technology is no longer sufficient. Despite smaller budgets and less sophisticated cybersecurity infrastructures than larger enterprises, SMEs must be prepared as much as feasibly possible to prevent modern-day attacks.
Key areas for investment are:
Prevention is the best defence. Increase your overall cybersecurity budget now before you experience a cyberattack.
Implement advanced tools such as multi-factor authentication for users, data encryption, automated intrusion detection and testing systems, and endpoint protection.
If needed, supplement in-house IT staff capabilities by partnering with a Managed Service Provider (MSP) who can provide necessary expertise and support, including managing and monitoring security activities 24/7.
Secure Backup and Recovery of Data
To an SME, data loss due to a cyber-attack can be one of the most devastating costs, leading to a lack of trust, a bad reputation, and a loss of significant business revenue. In the event of a cyberattack, a data backup and recovery plan is fundamental, and should include:
Regular backups of all critical on-premises business data to an offsite location, such as a cloud-based backup service.
Conversely, if important company data is mainly held in a cloud infrastructure, consistent backups of valuable information should be made to an offline database.
Testing of your backup and recovery plan (including Data Loss Protection Tools) regularly to ensure it is functioning as intended and can be used in a data loss event.
Future-proof your Cybersecurity Risks, Measures and Technology
Cybercrime is evolving at an unprecedented pace. As cyber-attacks continue to rise, the variety and complexity will also grow, especially now with AI. You may be prepared today, but it’s important to stay up to date with the latest cybersecurity trends to future-proof your infrastructure’s defence. Take steps such as:
Installing any software updates on your devices when available to capture the latest security capabilities, in addition to adopting new and improved cybersecurity technologies as necessary.
Carrying out regular security risk assessments and vulnerability testing to detect new security threats and identify solutions. Incorporate any learnings from these tests into updated staff training to guarantee employees are educated on the most recent security measures and best practices.
Maintaining supply chain integrity by ensuring due diligence is implemented with any third-party vendors. This due diligence should be continuous, as compliance regulations often only define the minimum acceptable standard for cybersecurity policies and processes.
Establish an Incident Response Plan
So, what should you do in the event of a cyberattack? While you may have established a strong cybersecurity culture to limit cyberattacks, an incident response plan (IRP) is essential to ensure potential attacks are stopped in their tracks. A 2021 IBM study showed that 40% of SMEs don’t have one, and for companies with fewer than 500 employees the cost of an average cyber-breach was around $3 million per incident. In the event of a cyberattack, an IRP will:
Define the exact procedures and recovery strategies your SME must follow.
Ensure you respond swiftly to contain the cyberattack, minimizing damages.
Investigate and remediate any breaches to protect from further financial, legal, and reputational fallout.
Final Thoughts
In conclusion, SMEs have become an even bigger target for cybercriminals, and cyberattacks will continue to increase and become more complex. However, despite limited resources, there’s a lot you can do to reduce cybersecurity risks starting right now. Engaging employees in building a secure culture, investing in cybersecurity tools and services, and planning for potential attacks will go a long way in protecting your SME.
If you are creating a roadmap for your IT infrastructure and need some advice to focus your goals and reach your deadlines, our Account Managers are here to help you, guide you, and put you in contact with the right suppliers. Do not hesitate to get in touch with us today.