The surge in cybercrime during the pandemic should have been a wake-up call for any business who couldn’t confidently say whether their devices and data were adequately protected. Displacement from the traditional office space made everyone more vulnerable – 30bn data records stolen in 2020, more than the previous 15 years combined. While these sorts of headlines should have pushed SMEs to review their security capabilities, many are still under the misconception that they’re either too small or not interesting enough to be targeted.
The problem with this thinking is that it assumes every type of attack is like a bank robbery – targeted, planned for, and unlikely to happen to them. The reality, however, is that many cyber-attacks are more like a petty criminal trying their chance at an unlocked car door. While you can’t stop criminals from trying their luck, businesses can put processes in place to make it much more difficult for an attack to happen.
Deploying baseline cybersecurity practices
With many devices now being used out of the office, and for over a year, one of the first steps for an SME seeking to address these threats is to get insight into the status of all the machines accessing their network. You need to know whether baseline security measures are in place and up-to-date. This should be a company-wide forensic check of your IT infrastructure – checking firewalls, email filtering services, anti-virus and patch updates. You will also need to conduct a security review to assess whether there are any vulnerabilities that could lead to a malware or ransomware attacks.
As well as reviewing devices, it’s also important – especially in the age of hybrid working – to also protect data on the move. File encryption is one way to do this. Even if a hacker gets access to a machine, or an employee unwittingly sends a file to the wrong person, encrypted data remains protected and secure.
Finally, are there any security tools or capabilities you already pay for that are not being utilised? For instance, when making the move to the cloud, many SMEs opt for a bundle package from a provider like Google or Microsoft. These packages usually include lots of security measures as standard, such as multi-factor authentication. This is simple to set up (all you need is a smartphone) and it will add an extra layer of protection – you just need to switch it on.
Train, educate, enforce
Making sure the basics are in place is just the minimum, however. To protect against more sophisticated attacks (i.e. those ‘bank robber’ style attacks) organisations must take a closer look at their employees’ actions. Human error still accounts for 90% of data breaches. It’s all too common to see confidential files accidentally sent to someone outside your organisation – because they pop up as the first email contact on a personal device, for example.
General good practice is to ensure employees are clued up on how they can help protect the business and its assets from hackers – including what to look out for and how to respond when an attack takes place.
What’s key is that organisations provide this education, and they do it continuously. In the same way that we don’t stop learning once we leave school, businesses shouldn’t stop teaching their staff about cyber threats after one session. The reality is that the techniques used in cyber-attacks are constantly changing, so user education needs to be delivered regularly for it to be effective.
While the principles of cybersecurity haven’t changed, cybersecurity is now being played out in a different working context. So, more than ever, businesses should assume a ‘zero trust’ approach – and assume that attacks will happen, not that they might.
With this mindset, you should then start to implement some of the technology and the protective processes mentioned above. But, big focus also has to be place on that continuous education of the workforce. By putting these appropriate measures in place, organisations will reassured that they have done what they can to minimise the damage inflicted should they ever fall victim to a cyberattack.
To understand how your business can identify, protect, and mitigate cyber security risks, register for Probrand’s free cyber security event here.
Author: Mark Lomas, technical architect, Probrand