Top cyber security tips for SMEs

As the cybercrime landscape becomes stealthier and more astute, businesses consequently become more susceptible to threats.

In the corporate world there is equity at stake too, as sensitive intellectual property and confidential data are increasingly at risk of exposure, impacting both reputation and competitive position.

Companies are at risk on many levels; ranging from vulnerabilities in popular software ubiquitous with large and small firms, to new work trends such as BYOD that expose business networks in a manner that is challenging to mitigate. More than ever, IT security is of optimum importance to enterprises, so below are some essential points to help protect your business from external IT threats.

Know your resources

When protecting your company from IT threats, the initial point of action is an internal audit. A review of your company’s assets is imperative to determine what is precious to the company so as to then prioritise its level of defence. This should also help to identify potential or existing weak points in a company’s IT structure; whether it’s poorly configured hardware, out-of-date software or exposed security holes on webservers, operating systems and private networks, a thorough appraisal will identify the areas in urgent need of realignment.

Oversights that some would regard as minor omissions are very often high risk errors that can lead to network infiltration and internal data breaches. Surprisingly, rookie mistakes such as storing valuable information in plain text and permitting common access to critical networks still occur within organisations today. Regular IT audits put a business one step ahead of cybercriminals by identifying and remedying shortcomings early. As an overall principle, all vital data should be protected from prying eyes, so this means databases, passwords, credit card details and similar intelligence should always be encryption protected.

An audit should also flag compliance issues. Decision makers within a company must carefully deliberate access rights for personnel on office networks and physically within the workspace too. A business puts its security on the line by not restricting access to central parts of the work network for non-pertinent members of staff. A chief consideration should be whether to restrict access by default and then only grant access on a case-by-case basis. Another is whether your firm has all its eggs in one basket by only using one network; would it be safer to move the critical elements of the current network on to its own platform?

This ethos extends to physical access too. Decision makers must look at floor plans to ascertain where employees or visitors are not authorised and secure them appropriately. Locking a PC and disabling its USB ports when not in use are changes that require a shift in office culture amongst staff, but remain integral to maintaining compliance standards.

Know your employees

A common means for cybercriminals to cross the security threshold of a business is via staff. Inadvertently or not, employees do not always abide by IT security best practice. By relying on a lack of IT knowledge or safety complacency, the bad guys are able to penetrate office networks via mobile devices (both work related and personal), as they continue to occupy an ever-growing role in business operations.

For this reason it is necessary to survey all mobile devices that physically move across network perimeters. If devices contain company information then they should at least be passcode encrypted and operate a mobile security solution; a further measure would be to enable them with a remote wipe feature in case of theft, loss, corruption. This might seem excessive, however, bear in mind that a laptop or phone can be easily replaced, but once data is lost or leaked it is irretrievable.

The popularisation of Wi-Fi hotspots is a convenient solution for employees who need to work away from the office, but still connect to the company network. However, free Wi-Fi offerings from cafés and other outlets provide an infamous route for hackers to steal passwords. There is a strong case for providing VPN connections for employees on the move, as this ensures the networks safety without impacting staff productivity.

Know your enemy

Knowing where threats originate from is an important aspect to mitigating them. Understanding the motives of potential enemies can help predict the type of security problem you’ll be up against, as well as its frequency and priority. For example, beware the disgruntled employee whose contract was recently terminated, this type of situation presents a clear vector for data breach and underpins earlier points regarding compliances.

Staying abreast of the latest malware attacks and hacking techniques will help keep a business ahead of the game, and aid its reactive capacity during a crisis. Remember that it’s easier to predict your opponent’s next move if you know the resources available to them.

Conclusion: plan and have a plan

IT security for enterprises focuses on planning. The best method of protection is to monitor your company for possible weaknesses and observe the external environment to see what impacts most detrimentally on your company. In my mind, the best way to approach security is to have a good representation of what matters to you and devise a strategy in case something happens to it.