Security awareness programmes are not just for large companies with dedicated IT resources. Guy Lloyd at CySure explains the five steps SMEs can take to build security awareness and ensure data compliance
It tends to be household names that hit the headlines when it comes to data leaks and cyber-attacks. This can lead to SMEs developing a false sense of security. After all, who would go to the effort of targeting a small company? In truth, SMEs are more likely to suffer a cyber-attack as they are seen as softer targets.
A recent report from insurer Hiscox revealed a sharp increase in reported cyber-attacks year-on-year among small firms (from 33% to 47%) and medium-sized businesses (36% to 63%) across the UK, Europe and the US.
Cyber-criminals are motivated by financial gain and for that reason, they cast their net as wide as possible to reel in multiple victims. According to government business population estimates for the UK,[i] SMEs (defined as companies with 0-249 employees) make up over 99 per cent of private sector firms in the UK.
For organised cyber-crime gangs that’s an enormous ocean worth fishing in. However, SMEs can turn their size into a benefit. With a small workforce it’s possible to innovate security awareness strategies in a way many large companies often can’t due to logistical difficulties and costs.
Here are five steps to building a security awareness programme.
1. Identify your top human risk factors
In cyber security, human error is far too often overlooked. According to a study by IBM[ii], human error is the main cause of 95% of cyber security breaches. There are many reasons for this, but the main one is a lack of training and awareness. Many companies are more comfortable spending money on hardware and software but forget that good cyber hygiene starts with a trained and educated workforce.
2. Educate your employees on the risks
The three most common risk areas are phishing attacks, weak passwords and unsecured devices. Defend against these by:
- Educating employees to identify phishing emails, including urgency or authority cues that apply pressure to act quickly without double-checking
- Attackers will try the most common passwords (e.g. password1), or use publicly available information to try to access accounts. If successful, they can use this same password to access other accounts. Urge employees to create a strong and memorable password for each important account and to store passwords securely
- Smartphones, tablets, laptops and desktop computers can be exploited both remotely and physically, but they can be protected from many common attacks. Software updates should be applied regularly, as they contain patches that keep devices secure. Employees should always lock a device when not using it; this makes it harder for an attacker to gain access. Lastly, discourage employees from downloading dodgy apps or any app not from an approved app store.
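The password point above is easy to enforce at onboarding rather than leaving it to memory. The following is an added example, not code from the article or from CySure: a small policy check that rejects passwords found on a common-password list (including leet-style and trailing-digit variants such as P@ssw0rd1) and passwords built from facts an attacker can find publicly, such as the user's name or employer. The denylist, the `User` record and the sample people are constructed for illustration; a real deployment would load a full breached-password list instead of the handful of entries shown.

```python
"""Password policy check for new-starter accounts (added example, not from the article)."""
import re
import unicodedata
from dataclasses import dataclass

# Constructed stand-in for a real common-password list; only a few entries are shown.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome1", "admin", "iloveyou", "summer2023",
}

MIN_LENGTH = 12  # assumed policy value

# Undo the usual letter-for-symbol substitutions so P@ssw0rd is compared as "password".
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e",
                      "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


@dataclass
class User:
    """Constructed record of what is publicly knowable about a new starter."""
    username: str   # e-mail style username, e.g. j.smith@example
    full_name: str
    company: str


def _normalise(text: str) -> str:
    """Lowercase, drop accents, reverse leet substitutions, keep only a-z0-9."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()
    return re.sub(r"[^a-z0-9]", "", ascii_text.translate(LEET))


def _public_tokens(user: User) -> set[str]:
    """Words of four or more characters drawn from the user's public details."""
    tokens = set()
    local_part = user.username.split("@")[0]
    for field in (local_part, user.full_name, user.company):
        for token in re.split(r"[\s._-]+", field):
            norm = _normalise(token)
            if len(norm) >= 4:
                tokens.add(norm)
    return tokens


def check_password(password: str, user: User) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    norm = _normalise(password)
    # Also compare with trailing digits/symbols removed, so Password123! is caught as "password".
    stripped = _normalise(re.sub(r"[\d\W_]+$", "", password))
    common = {_normalise(entry) for entry in COMMON_PASSWORDS}
    if norm in common or stripped in common:
        problems.append("appears on a common-password list (with or without trailing digits/symbols)")

    hits = sorted(token for token in _public_tokens(user) if token in norm)
    if hits:
        problems.append("contains publicly known information about the user: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample user; nothing here refers to a real person or company.
    new_starter = User("j.smith@acme-widgets.example", "Jane Smith", "Acme Widgets")
    for candidate in ("P@ssw0rd1", "AcmeWidgets2024!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, new_starter) or "OK")
```

The check deliberately reports every violation rather than stopping at the first, so the message shown to the employee explains what to change; pairing it with the "store passwords securely" advice above (a password manager) removes the incentive to reuse whatever finally passes.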
3. Know the importance of data security and GDPR
Many business owners still lack knowledge about the consequences of not adequately protecting personal data. GDPR isn’t an optional requirement; it is enshrined in UK law in the Data Protection Act 2018. Employees need to understand what personal data is and how it should be collected, processed and stored. More importantly, they need to be able to identify whether a leak has occurred. It is not a matter of eventually getting around to it: GDPR is a legal requirement, and failure to comply comes with a hefty fine from the Information Commissioner’s Office (ICO).
4. Highlight social media dangers
There used to be a phrase that ‘loose lips sunk ships’. In this day and age, it could be updated to ‘loose tweets sink businesses’. Many SMEs use social media as a powerful and cost-effective tool to build a brand and generate online sales. Unfortunately, social media also opens the floodgates and can lead a company towards a potential disaster. In order to maintain a positive brand image and protect confidential information, SMEs should develop simple social media guidelines for employees. Ensure people are careful about the apps they use and the websites they visit, and that they don’t individually respond to negative posts or comments about the company.
5. Pave the path to security awareness with certification
Becoming certified with a credible scheme provides a practical framework for an SME to assess its current cyber security and compliance levels. It lays the foundation for developing policies and procedures to mitigate threats that can impact business operations. In the UK, certification can be achieved through Cyber Essentials, a government- and industry-backed scheme to help all organisations protect themselves against common cyber-attacks.
Developing a security awareness programme can seem a daunting task. As well as highlighting the need for training employees, it also reveals gaps in processes, policies and compliance. However, there are affordable solutions to support businesses through the process.
Using an online information security management system (ISMS) that incorporates GDPR and Cyber Essentials Plus is a simple and cost-effective way to carry out a gap analysis and highlight the areas that your business needs to focus on. A good ISMS delivers a staged approach to compliance and certification, guided by a virtual online security officer (VOSO).
A good compliance solution should come pre-packaged with all of the necessary policies, plans and training videos an SME needs to be certified and GDPR compliant. It should also deliver regular reminders of what needs to be done and when.
To read more, download CySure’s latest white paper entitled “Small business and cyber security: The importance of being cyber ready in an online world” by visiting www.cysure.ltd