The days when SMEs had nothing to fear are long over. It is well established that the size of an organisation is no longer directly proportional to its desirability as a target.
Any entity that holds information, be it intellectual property, customer details or the like, is potentially attractive to cyber thieves.
Moreover, SMEs don’t have the enterprise-sized budgets to defend themselves. They have to do more, with a whole lot less. However, Lutz Blaeser, MD of Intact Security, which distributes Avira locally, says there are several steps that can help them better protect themselves.
Firstly, he says they must identify what their most important information is. A senior manager, who has a broad view of the organisation, and of potential risks, should be made responsible for this. Once the vital data has been identified, steps can be taken to protect it.
Blaeser also says to ensure a firewall is in place.
“A firewall can repel much malicious activity coming from outside your company, and can also be used to manage your employees’ Internet browsing, and prevent them from accessing potentially harmful Web pages.”
Keeping your PCs up to date is also vital, he says. Make sure all software updates are installed regularly, and all patches are applied as soon as possible. A network is only as strong as its weakest link, which could well prove to be a machine that hasn’t been updated.
“This goes for AV too,” Blaeser says. “Update your AV regularly. New threats are being written every second, so it is vital to have your databases updated all the time. Also, make sure your security solution is flexible, and like Avira, stays in step with your growing and changing company.”
Enforce a policy of ‘least privilege’ to ensure that only employees who strictly need access to information to do their jobs are able to access it.
“Make sure that sensitive data is locked down, and not just hanging around.”
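One concrete way to check whether sensitive data is “just hanging around” is to audit file permissions on shared storage. The following is an added example, not code from the original article, Blaeser or Avira: a small Python audit that walks a directory, flags files with sensitive extensions that are readable or writable by anyone other than the owner, and then restricts them to owner-only access. The file names, extensions and sample contents are constructed for the demonstration (the tree is created in a temporary directory) and the POSIX permission model is assumed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that grant read or write access to the group or to everyone.
GROUP_OR_WORLD_ACCESS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH

# Assumed list of extensions that typically carry sensitive content (an example
# choice; an organisation would tune this to its own data classification).
SENSITIVE_SUFFIXES = (".csv", ".xlsx", ".key", ".pem")


def find_overexposed(root, sensitive_suffixes=SENSITIVE_SUFFIXES):
    """Return (path, octal mode) for sensitive files readable/writable beyond the owner."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in sensitive_suffixes:
            continue
        mode = path.stat().st_mode
        if mode & GROUP_OR_WORLD_ACCESS:
            findings.append((str(path), oct(stat.S_IMODE(mode))))
    return findings


def lock_down(paths):
    """Restrict each file to owner read/write only (0600); return the resulting modes."""
    result = {}
    for p in paths:
        os.chmod(p, stat.S_IRUSR | stat.S_IWUSR)
        result[p] = oct(stat.S_IMODE(os.stat(p).st_mode))
    return result


def demo():
    """Build a constructed sample tree, audit it, fix it, and audit again.

    Returns (exposed paths found before the fix, findings after the fix).
    """
    root = tempfile.mkdtemp()

    # Constructed sample: a customer export left world-readable on a share.
    exposed = Path(root) / "customers.csv"
    exposed.write_text("id,email\n1,alice@example.invalid\n")
    os.chmod(exposed, 0o644)

    # Constructed sample: a key file that is already owner-only (placeholder text, not a real key).
    private = Path(root) / "server.key"
    private.write_text("constructed placeholder, not a real key\n")
    os.chmod(private, 0o600)

    before = find_overexposed(root)
    lock_down([p for p, _ in before])
    after = find_overexposed(root)
    return [p for p, _ in before], after


if __name__ == "__main__":
    found, remaining = demo()
    for p in found:
        print("over-exposed:", p)
    print("remaining after lock-down:", remaining)
```

Run it against a real file share by calling `find_overexposed("/path/to/share")` and reviewing the list before handing it to `lock_down`; the audit step on its own is a useful recurring check even where permissions are managed by group membership rather than owner-only modes.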
Also, he says, implement strong passwords, and make sure these are never written down. Use the strongest possible passwords, with a combination of upper and lower case, numbers and symbols, and change passwords on a regular basis.
Get a handle on BYOD, says Blaeser. “Many employees are using their own devices, and working remotely. Make sure you have a BYOD policy in place, governing what is allowed and what is not, and what the requirements for security are.”
It is not easy to secure devices outside your office as thoroughly as you can secure those within, but the risk can be managed by having a framework in place to make sure any outside equipment is approved, and that it is protected with AV and strong authentication.
Extend this principle to external drives too, which are too easily forgotten about, says Blaeser. Drives that offer encryption are useful, because such drives are so easily left lying around with sensitive information on them.
Moreover, as they are plugged in to outside machines, and shared among friends, they can easily become infected with malware.
“Make sure your security solution automatically scans external drives, to check for malware,” Blaeser says.
Have a “fallout” plan in place. “No one is infallible; make sure your company is prepared to handle any fallout in the event of a breach. Have measures in place, and communicate them to your staff. Make sure your employees understand why security matters, and teach them to think twice before doing something potentially risky.
“A list of ‘dos’ and ‘don’ts’ can be effective here. Teach them to be aware of tricks such as social engineering, and not to share too much on their social media pages,” says Blaeser. “Many attacks are made possible through spear phishing, and being aware of the tricks cybercriminals use can help prevent this.”