With recent cybersecurity breaches affecting major UK retailers like Harrods, Marks & Spencer, and Co-op, the urgency for businesses of all sizes to shore up their digital defences has never been clearer. These high-profile incidents are a stark reminder that no organisation is immune to cyber threats—regardless of size or reputation. Small and medium-sized enterprises (SMEs) are often seen as easier targets due to limited security infrastructure. In this article, Ryan Pluckrose, Business Systems Engineer at ABS Limited offers practical, accessible advice to help SMEs strengthen their cybersecurity posture and avoid becoming the next headline.
Cybersecurity isn’t just for large corporations – it’s essential for businesses of all sizes. As someone who has worked with numerous SMEs on their security strategies, I’ve seen firsthand how simple measures can make a significant difference in protecting your valuable data and systems.
Understanding the Security Landscape
When approaching security, I always break it down into two main categories: physical access and digital access. Both are equally important, though often the digital side gets more attention.
Physical security is about controlling who can physically access your equipment. This might seem obvious, but it’s surprising how many businesses overlook basics like securing server rooms or leaving passwords on Post-it notes attached to monitors. A stranger under the guise of a delivery driver, for example, could potentially access your office space and gain sensitive information if proper protocols aren’t in place.
Digital security, meanwhile, encompasses everything from password policies to network protection. The good news is that implementing robust security doesn’t have to be complicated or expensive.
Top five security tips for SMEs
1. Implement Strong Password Policies
Weak passwords remain one of the biggest vulnerabilities for businesses. I urge businesses to consider using a password manager for the entire organisation. Solutions like Bitwarden offer team functionality that allows secure password sharing when necessary while maintaining individual security.
Your password policy should require:
- A minimum length of 14 characters.
- A unique password for each service.
- Regular password rotation for high-value, priority and sensitive items (for example bank account access or databases), and especially after a suspected breach.
For those who need to remember a master password, try creating a phrase or story using a string of words together rather than complicated combinations of random characters. For example, “10GiganticRobotsSwingingLightsabers” is both memorable and secure. Great explanation c/o xkcd.com here.
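As an added example (not part of the original article), the two policy rules above can be checked mechanically against a password-manager export, and the passphrase advice can be quantified. The vault entries and the eight-word list below are constructed for illustration; the 7776-word list size is the conventional Diceware figure, and the entropy estimate only applies to words picked at random, not to a phrase a person composes.

```python
import math
import secrets
from collections import defaultdict

MIN_LENGTH = 14  # the article's minimum password length

# Constructed sample: a password-manager export with one entry per service
# (invented values for illustration, not real credentials).
VAULT = [
    {"service": "bank", "password": "10GiganticRobotsSwingingLightsabers"},
    {"service": "crm", "password": "Summer2024!"},
    {"service": "erp", "password": "Summer2024!"},
    {"service": "email", "password": "correct horse battery staple"},
]


def check_policy(entries, min_length=MIN_LENGTH):
    """Return sorted (service, problem) findings: too short, or reused across services."""
    findings = []
    by_password = defaultdict(list)
    for entry in entries:
        if len(entry["password"]) < min_length:
            findings.append((entry["service"], f"shorter than {min_length} characters"))
        by_password[entry["password"]].append(entry["service"])
    for services in by_password.values():
        if len(services) > 1:
            shared = ", ".join(sorted(services))
            for service in services:
                findings.append((service, f"password reused across: {shared}"))
    return sorted(findings)


def passphrase_entropy_bits(word_count, wordlist_size=7776):
    """Entropy of a passphrase whose words are chosen uniformly at random from a list.

    7776 is the size of a Diceware-style list. A phrase a person invents (like the
    article's robots example) is not uniformly random, so this estimate does not apply to it.
    """
    return word_count * math.log2(wordlist_size)


def random_string_entropy_bits(length, alphabet_size=72):
    """Entropy of a uniformly random string (72 ~ upper, lower, digits and common symbols)."""
    return length * math.log2(alphabet_size)


# Constructed tiny word list; a real one would be thousands of words.
WORDS = ["gigantic", "robot", "swinging", "lightsaber", "copper", "meadow", "violet", "anchor"]


def generate_passphrase(word_count=5, words=WORDS, sep="-"):
    """Master-password style phrase built with the secrets module (CSPRNG), never random.random."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for service, problem in check_policy(VAULT):
        print(f"{service}: {problem}")
    print(f"4 random words: {passphrase_entropy_bits(4):.1f} bits")
    print(f"14 random characters: {random_string_entropy_bits(14):.1f} bits")
    print("suggested phrase:", generate_passphrase())
```

Running it lists the two services sharing the short password, and shows why the word count matters: four words from a 7776-word list give about 51.7 bits, five give about 64.6, so a memorable phrase needs several words to approach what a random 14-character string provides.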
2. Use multi-factor authentication
Two-factor authentication should be your minimum standard wherever possible. However, be aware that SMS-based verification has vulnerabilities – specifically ‘SIM jacking’, where attackers convince your mobile provider to transfer your number to their device so they can access everything on your device, including your email. They can often convince the provider using basic information that could be found on your social media profiles, for example.
Codes sent as SMS or via email are weaker ways to secure access. Instead, use authenticator apps like Google Authenticator or Microsoft Authenticator. These provide a substantially higher level of security since they don’t rely on your phone number and are tied to your specific device. There are other options with physical hardware like YubiKey, which is often considered the most secure, but it still has loopholes (like any system) and could be considered more cumbersome as it’s another thing to carry.
3. Keep your systems updated
Those update notifications we often ignore? They’re crucial for security. ‘Patch Tuesday’ (a broad industry term for a regular bug fix update, originally formalised by Microsoft) addresses security vulnerabilities that hackers actively exploit. See an example from Bleeping Computer here.
Outdated firewalls, routers and antivirus software create significant risks. For Windows users, keeping Windows Defender updated is generally sufficient for most small businesses.
Mac users should ensure they have the ‘only allow trusted applications’ setting enabled and keep their system updated. This is easily toggled for specific applications if you know it’s safe.
4. Apply the principle of least access
Not everyone in your organisation needs admin access to everything. Implement role-based access controls where team members only have access to the data and systems necessary for their specific responsibilities.
Someone often starts with a lot of access because it was easier to set up, and then it’s forgotten, so it never changes. Another way to combat this risk is to implement periodic access reviews that catch these cases.
This applies to everything from network folders to your ERP system. If you’re retroactively implementing this in an established business, it can be challenging, but it’s worth the effort. The question to ask is: ‘If this person’s account was compromised, what critical business systems could they access?’ Ideally, the answer should be ‘very little.’
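The periodic review and the ‘if this account was compromised’ question can both be answered from an export of who holds what. The following is an added example, not the article’s or ABS Limited’s tooling: the role baselines, the list of critical permissions, the 90-day staleness threshold and the four accounts are all constructed for illustration. An account whose role has no baseline (a contractor, say) is treated as having no entitled permissions, so every grant is flagged rather than silently allowed.

```python
from typing import Dict, List, Set

# Constructed baseline: the permissions each role actually needs (assumed, for illustration).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "sales":    {"crm:read", "crm:write", "files:sales"},
    "finance":  {"erp:read", "erp:post_journals", "bank:view", "files:finance"},
    "it_admin": {"ad:admin", "erp:admin", "crm:admin", "files:all"},
}

# Permissions whose compromise would hurt the business most (assumed list).
CRITICAL: Set[str] = {"ad:admin", "erp:admin", "crm:admin", "bank:view", "bank:transfer"}

STALE_AFTER_DAYS = 90  # assumed review threshold for unused accounts

# Constructed account inventory, as it might be exported from a directory and the ERP/CRM consoles.
ACCOUNTS: List[dict] = [
    {"user": "alice", "role": "sales", "days_since_login": 3,
     "grants": {"crm:read", "crm:write", "files:sales"}},
    {"user": "bob", "role": "sales", "days_since_login": 1,
     # set up in a hurry from an admin's template and never trimmed
     "grants": {"crm:read", "crm:write", "files:sales", "erp:admin", "bank:view"}},
    {"user": "carol", "role": "finance", "days_since_login": 120,
     "grants": {"erp:read", "erp:post_journals", "bank:view", "files:finance"}},
    {"user": "eve", "role": "contractor", "days_since_login": 10,
     "grants": {"files:all"}},
]


def excess_grants(account: dict) -> Set[str]:
    """Grants beyond the role baseline. Unknown roles have no baseline, so every grant is excess."""
    return account["grants"] - ROLE_BASELINE.get(account["role"], set())


def blast_radius(account: dict) -> Set[str]:
    """The article's question: if this account were compromised, which critical systems are reachable?"""
    return account["grants"] & CRITICAL


def review(accounts: List[dict], stale_after: int = STALE_AFTER_DAYS) -> Dict[str, dict]:
    """One record per user; 'priority' is set when excess includes a critical grant or the account is stale."""
    report = {}
    for acct in accounts:
        excess = excess_grants(acct)
        stale = acct["days_since_login"] > stale_after
        report[acct["user"]] = {
            "excess": sorted(excess),
            "critical_reach": sorted(blast_radius(acct)),
            "stale": stale,
            "priority": bool(excess & CRITICAL) or stale,
        }
    return report


if __name__ == "__main__":
    for user, rec in review(ACCOUNTS).items():
        flag = "!!" if rec["priority"] else "  "
        print(f"{flag} {user:6} excess={rec['excess']} "
              f"critical_reach={rec['critical_reach']} stale={rec['stale']}")
```

In the sample data, bob’s sales account can reach ERP administration and bank viewing that his role never needed, and carol’s legitimate finance access has sat unused for four months; both are exactly the cases a periodic review exists to surface.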
5. Train your staff
Technical solutions are only effective when paired with good human practices. Regular training sessions on identifying suspicious emails, proper data handling and security best practices can prevent many common attacks.
Teach your staff to verify email addresses (i.e. actually read the sender’s email address, not just the display name that is usually shown) before clicking links or downloading attachments. Those ‘urgent’ requests from the CEO asking for gift card purchases? Always verify through a separate channel before acting.
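The same check staff are taught to make by eye can be run over message headers to flag the common display-name tricks before a message reaches an inbox. This is an added example and not the article’s code; the company domain, the list of protected names and the four sample messages are constructed, and the domains in them use the reserved `.invalid` suffix so they resolve nowhere.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple

COMPANY_DOMAIN = "example.com"  # assumed: the organisation's own mail domain

# Constructed: people likely to be impersonated, mapped to their genuine addresses.
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (a swapped, added or dropped character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_sender(raw_message: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings about who an email really comes from."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Display name is a protected person's name but the address is not theirs.
    real = PROTECTED_NAMES.get(display.strip().lower())
    if real and addr != real:
        findings.append(("EXEC_NAME_SPOOF", f"'{display}' shown, but address is {addr}"))

    # 2. Display name itself looks like an email address that differs from the real sender.
    if "@" in display and display.strip().lower() != addr:
        findings.append(("ADDRESS_IN_DISPLAY_NAME", f"name '{display}' hides sender {addr}"))

    # 3. Sender domain is a near miss of the company's own domain.
    if domain and domain != COMPANY_DOMAIN and levenshtein(domain, COMPANY_DOMAIN) <= 2:
        findings.append(("LOOKALIKE_DOMAIN", f"{domain} resembles {COMPANY_DOMAIN}"))

    # 4. Replies would go somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(("REPLY_TO_MISMATCH", f"replies go to {reply_to}"))
    return findings


# Constructed sample messages; only the headers matter to the parser.
GENUINE = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 figures\n\nSee attached.\n"
SPOOFED = ("From: Jane Doe <ceo.office.urgent@webmail.invalid>\n"
           "Reply-To: payments@other.invalid\n"
           "Subject: Urgent - gift cards\n\nAre you at your desk?\n")
LOOKALIKE = "From: Accounts <invoices@examp1e.com>\nSubject: Invoice 4471\n\nPlease pay.\n"
HIDDEN = ('From: "jane.doe@example.com" <mailer@bulk.invalid>\n'
          "Subject: hello\n\nhi\n")

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoofed", SPOOFED),
                       ("lookalike", LOOKALIKE), ("hidden", HIDDEN)]:
        print(label, analyse_sender(raw))
```

None of these checks replaces the ‘separate channel’ rule; they are the technical version of reading the address, and a message that passes all four can still be fraudulent.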
Beyond the basics
For businesses ready to take security more seriously, consider:
- Regular data backups stored both onsite and offsite.
- Network segmentation to contain potential breaches.
- Careful handling of customer data, especially in AI tools which might store your inputs.
- Regular security audits and/or penetration testing for larger organisations.
Remember that security isn’t about eliminating all risk – that’s impossible. Instead, it’s about implementing reasonable measures that protect your most valuable assets while still allowing your business to function efficiently.
By following these guidelines, you’ll be better protected than most small businesses, making you a much less attractive target for opportunistic attackers who typically go after the easiest prey.