Steps SMEs should take to improve their cyber security

The amount of work conducted digitally means a typical organisation can’t function without technology, from storing data in the cloud to running a website or providing services over the internet.

Unfortunately, disrupting an organisation’s access to its network and data is precisely what criminal hacking groups seek to do. In the last 12 months, 39% of UK businesses experienced a cyber attack ⁽¹⁾.

It is more important than ever to ensure that your organisation is protected against the growing threat of cybercrime.

Taking steps to improve cyber security can often be daunting, especially if you don’t have an in-house cyber security specialist for guidance. This article outlines simple steps your organisation can take to improve its cyber security posture.

Secure Your Network

Securing your organisation’s network is one of the first steps to improving overall cyber security. These are some steps to take to prevent malicious users from entering and exploiting your network:

• Ensure all devices connected to the network have an up-to-date firewall and anti-virus – These pieces of software update regularly and will have a list of new bugs and vulnerabilities found with each new version. As attackers often take advantage of these ‘zero-day vulnerabilities’, keeping your firewall and anti-virus updated with the latest versions will stop malicious users from exploiting bugs found in older versions.
• Keep software and operating systems updated – As previously mentioned, attackers utilise bugs and vulnerabilities found in old versions of software. These bugs are typically fixed in new updates; ensuring software and operating systems are updated prevents these attacks from occurring. It is possible for a single device running an older version of a piece of software or operating system to allow an attacker to gain unauthorised access to an organisation’s entire network.
• Check who can download new applications or software – Employees should have just enough access to software, settings, files and data that allows them to perform their role. They should not have the ability to download and install various software freely. Only give additional permissions to those employees that require them, and admin permissions should only be given to those that perform administrative tasks such as adding or removing users from accounts. Restricting admin access will minimise the chances of admin accounts being compromised in the event of a cyber attack.
• Use good password security – Passwords are an easy and effective way to keep business and customer data safe. All of your company devices and accounts should be password protected. The NCSC recommends you use three random words, at least twelve characters or more, ensuring passwords are unique and not easily identifiable. Use two-factor authentication (2FA) for an added layer of security.
•  Cyber awareness training for employees – Ensure employees are prepared for any type of cyber incident; consider implementing cyber user awareness training to embed a culture of good practice around cyber security.

Securing Data

Data is the backbone of almost everything that takes place on the internet. 90% of small businesses and 93% of medium companies gather data from employees, customers, and other individuals⁽²⁾, this must be kept safe and secure.

• Check who has access to data – Employees should only have enough access to files and data that allows them to perform their roles.
• Keep data regularly backed up – Ensure business-critical data is backed up regularly. This means that in the event of a severe data loss, such as hardware failure, data corruption, or a ransomware attack, it is possible to recover the data from the backup and minimise the impact on your organisation’s operations.
• When backing up data, follow the ‘3-2-1’ rule:
  • Three copies of your data should be kept.
  • Two of the copies should be stored on different storage media, such as one on a hard drive and another in the cloud.
  • One of these backups should be stored off-site.

Create an incident response plan

An incident response plan is one of the best tools an organisation can have to prepare for a cyber attack. If you don’t already have a plan in place, visit the CyberScotland website to download your free Cyber Response Plan. The pack gives you helpful information on preparing your business, PR, comms, and legal considerations.

If you are the victim of a cyber attack you must get the right support either by calling the SBRC Incident Response Helpline (0800 1670 623) or by contacting the police on their non-emergency phone number (101).

Useful Links:

• Scottish Business Resilience Centre Website
• CyberScotland Website

References:

1. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022
2. https://www.gov.uk/government/statistics/uk-business-data-survey-2021/uk-business-data-survey-2021-detailed-findings

Written by Sarah Gardiner, Ethical Hacker at the Scottish Business Resilience Centre