By Eugene Muller, Technical Manager, Probrand

The news that the number of cyber breaches and attacks on UK small businesses has dropped made for joyful reading. The figures, which come from the government’s latest annual cyber security breaches survey, seem to indicate that small businesses may be gradually improving their security practices. As someone who works to help SMEs protect their people, devices and data, however, I would urge caution. While the numbers have fallen, the figures are still high – 612,000 UK businesses experienced an attack in the last twelve months. It’s critical that SMEs don’t become complacent and that they continue to take a proactive approach. Assessing potential risks regularly and putting defences in place are both essential measures.
A zero-trust mindset
To implement a successful security strategy, businesses must first adopt the right mindset. I still regularly speak to business leaders who think that a breach is something that happens to other people. This comes from a belief that their business isn’t big enough to capture the attention of a hacker. In reality, it can be far more lucrative for criminals to pursue smaller entities precisely because of this – SMEs are less likely to have a robust security system in place, making them easier to access. Smaller organisations may also be targeted by those looking to carry out a ‘stepping stone’ attack and access data that could lead them to a bigger, more profitable organisation.
The primary consideration for any SME when it comes to cyber protection is to adopt a ‘zero trust’ approach: the question is not ‘if’ a breach will occur, but ‘when.’ This philosophy requires organisations to put in place appropriate controls to detect breaches and slow down hackers so that IT teams have a chance to stop an attack before it spreads to multiple areas. This is all about segmenting your systems and creating more obstacles for hackers to get over if they breach that initial barrier.
Building a layer of defences
When putting protective measures in place, a good first step is unified endpoint management (UEM). UEM technology gives organisations the ability to enforce the compliance of all endpoint devices, offering monitoring and protection throughout the network.
Businesses can then treat each segment within the network as an independent and potentially insecure unit. A useful analogy is that of a house where both the external and internal doors are locked. If one room holds particularly sensitive information – such as your customer data – then you can limit the number of people with keys to that room.
Investing in multi-factor authentication technology will help secure the house. Together with conditional access policies, these technologies provide layers of barriers to hackers. They require multiple checks of the user, ensuring only those who have permission to access certain areas can do so.
Employee training
Education and training play a vital part in preventing attacks, and yet 52% of SME employees have received no cyber security training. What warning signs should employees be looking out for? Keep in mind that user training isn’t a tick-box exercise; it needs to be carried out on a regular basis so users are kept up to date with new attack methods and expected standards.
In addition to training, consider putting in measures to encourage staff to speak up and report issues without fear of “getting it wrong.” This could include a dedicated portal where staff can flag anything that looks suspicious and where anything immediately dangerous can then be escalated by the IT team.
Cyber criminals have been around for a long time, and their evolving methods mean they’re unlikely to desist anytime soon. While SMEs are improving their approach to IT security, they must stay focused. By assuming you will at some point be the victim of cybercrime, rather than wondering whether it could happen, you can make it that bit harder for an attack to take place.