No organisation is immune from cyber attack but there are some steps which can be taken which will boost defences, according to Three's head of SME Padraig Sheerin and Jacky Fox, managing director of Security Practice at Accenture in Ireland.
“Cybersecurity isn’t something that happens to others; it’s a real and constant threat to businesses of all sizes and types,” says Sheerin. “It can also be an intimidating subject for many small and medium businesses because the threats are so varied, from email fraud and ransomware infections to data breaches. But behind the technical descriptions of the types of risks, there are actually some simple, straightforward actions you can take to help mitigate the risk of reputational or financial damage.”
“Some SMEs might mistakenly think their size puts them under the radar of attackers; others believe they may be more resilient than they really are,” says Fox, who is also vice-chair of Cyber Ireland, the organisation which brings together industry, academia and Government to represent the needs of the cybersecurity ecosystem in Ireland.
“The truth in today’s world is that no business is immune,” Sheerin adds. “Some small businesses fall victim to indiscriminate attacks, others are a target because of the information they hold, or because they could be the weak point that attackers can exploit to access a larger company which they do business with. In other cases, human error could expose the company to risk.”
Fox outlines five steps SMEs can take to improve their cybersecurity.
Good governance
“Governance starts with setting in place a framework of policies and procedures,” she explains. “For example, this might start with a statement like ‘we value the data that’s entrusted to us’, or ‘we value the intellectual property that we own’. These statements then guide policies. In any organisation today, no matter how small, you expect guidance about acceptable behaviour. This lets people in the business understand that, for example, they shouldn’t send emails with a customer database attached.”
Putting good governance in place in a business doesn’t need to be a huge undertaking – a small number of policy documents should be sufficient in most SMEs.
Understand your assets
Rather than physical offices, Fox says it is better to think mainly in terms of information assets, such as a customer database, or intellectual property that could be a formula for a product or the company marketing plan. “This is the ‘secret sauce’ that differentiates your business, along with any personal information you hold about your employees or your customers,” she says. “Do you have a system that handles credit card information, and what would happen if this was breached? Knowing what you have, and its importance to the business, determines the level of protection you need to apply.”
Awareness training
There are two strands to awareness training. One level is generic: to educate staff about common security risks that all companies face, like email scams, CEO fraud, or ransomware. “This exercise might involve a presentation to everyone in the company, but nevertheless it’s important to do this,” Fox explains. “The more people know about particular threats, the better they can recognise them and prevent them.”
The second layer is where an organisation customises its training. “This needs to reflect what’s valuable to the organisation and should include the procedures to follow in order to keep their data secure,” she says. “If employees need to transfer information from the business network to do their jobs, this training should show them the appropriate ways to do this safely, such as through encrypted email. It’s important to encourage the proper secure behaviour and give people choices of right things to do, rather than ending up in a situation where they try to circumvent controls.”
Protection
The most basic protection layer used to be known as anti-virus but now it’s more commonly called endpoint protection. “This software runs on laptops, PCs, servers and, increasingly, mobile devices, and will block many known attacks,” says Fox. “Having good back-up systems in place is another highly useful control. They ensure that if the business loses data for any reason, it can be restored from an older version of the information.”
But you shouldn’t stop there. “The business should also consider having the ability to monitor the network for intrusions and trigger an alert for any suspicious activity that could indicate malicious intent,” she adds.
Resilience and recovery
Protection is a key part of cybersecurity, but it’s not the only part. Businesses also need to focus their efforts around resilience – that is, ensuring they could survive a security incident, and how quickly they could recover full operations.
“Getting these plans ready is a process of asking questions like: how would we recognise when an incident has occurred? How long would it take us to get back to business as usual? What resources do we need to have in place if we were hit by a ransomware infection?” she advises.
“The time to do this exercise is before an event happens, not during or after,” Fox concludes.