SME Security Tips
6 Business Critical Information Security Tips for SMEs
Regardless of whether you’re part of an international corporation or an up-and-coming SME, information security should be treated not merely as part of IT, but as critical to management strategy and all ongoing operations.
The first thing to mention is that an effective approach to information security doesn’t have to be overwhelming for SMEs or any organisation, and will in the long term save time, money and even your business’s reputation.
We’ve put together a helpful guide of information security tips to assist any SME wishing to begin or improve upon its information security; with these six simple tips you can help safeguard your SME against a broad spectrum of information security attacks.
Passwords
Beginning with the basics, our first information security tip concerns passwords. Password security is often a sorely overlooked element of proper information security practice. From single-word passwords to reuse across multiple accounts, weak and ineffective password security accounts for a significant portion of account compromises, data breaches and information security attacks.
Passwords should be unique and, as best practice, follow the four-random-word format. Combining four random words into a password generates enough entropy that any would-be attacker would be kept waiting decades before cracking it.
For significant accounts, two-factor authentication should also be considered, and password managers are worth considering for members of staff who deal with a plethora of regular accounts. It should also be stressed from the outset that passwords must be kept entirely confidential – you’d be surprised how trusting employees can be, and how easily people give up their details.
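As an added illustration (not code from the original post), the script below generates a four-word passphrase with a CSPRNG and estimates how long exhaustive guessing would take. The sample words, the 7776-entry wordlist size and the attacker guess rates are assumptions; the table shows that the "decades" figure holds when guesses are slow (rate-limited logins or slow password hashes) but not against a fast unsalted hash, which is why the choice of hashing matters as much as the passphrase.

```python
import math
import secrets

# Constructed stand-in for a real diceware-style wordlist; only the SIZE of the
# list the words are drawn from matters for the entropy estimate (the EFF long
# list has 7776 entries), so a short sample suffices to show the mechanics.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern", "pebble", "walrus"]
EFF_LONG_LIST_SIZE = 7776
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def generate_passphrase(words, count=4, sep="-"):
    """Join `count` words chosen uniformly with a CSPRNG (secrets, never random)."""
    return sep.join(secrets.choice(words) for _ in range(count))

def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of `count` independent uniform picks from `wordlist_size` words."""
    return count * math.log2(wordlist_size)

def years_to_exhaust(entropy_bits, guesses_per_second):
    """Worst-case years for an attacker to try every combination at a given rate."""
    return (2 ** entropy_bits / guesses_per_second) / SECONDS_PER_YEAR

def crack_time_table(wordlist_size=EFF_LONG_LIST_SIZE, count=4):
    """Years to exhaust the keyspace at three illustrative (assumed) guess rates:
    ~1e3/s for a rate-limited online login, ~1e4/s for an offline attack on a
    slow hash such as bcrypt, ~1e10/s for an offline attack on a fast unsalted hash."""
    bits = passphrase_entropy_bits(wordlist_size, count)
    return {rate: years_to_exhaust(bits, rate) for rate in (1e3, 1e4, 1e10)}

if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    print(f"entropy: {passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 4):.1f} bits")
    for rate, years in crack_time_table().items():
        print(f"{rate:.0e} guesses/s -> {years:,.1f} years to exhaust")
```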
Back Up Your Data
Every SME should first consider what information is critical to its continued operations. If you’re working at an SME, you’re most likely sitting on a whole host of customer information, orders, payment details and possibly (depending on your business) personal data.
All of this information should be regularly backed up in formats and locations that remain accessible in the event of theft, flood, fire or, increasingly often, a ransomware attack. IT professionals now commonly rely on cloud storage, which keeps data off-site while providing quick access.
If you are storing data locally, this information needs to be kept confidential, secure and available. With all data handling, professionals should also keep in mind the classifications of the data they control and process, and comply with the specific regulations covering each category; this protects not only data subjects, but organisational integrity. In short, backing up should be an everyday part of your business operations.
Phishing
Phishing attacks are now an undeniable fact of life. Nearly every organisation in the world will at some point face incoming phishing attacks, and although they vary in sophistication, there are some basic precautions that can be taken to help minimise the chances of falling victim to the internet’s most common scam.
Whether the objective of a phishing email is to direct you to an insecure webpage, steal login credentials, prompt an unauthorised transfer, or introduce malware into a network, this form of attack is rarely without flaw, and with only a few simple methods users can protect themselves and their organisations.
Staff training should ideally include the suggestion that users first check spelling and grammar, as well as the address from which the email came. Links can be inspected before being followed, certain file types can be avoided or treated with particular suspicion, and any form of transaction can be verified via a different means of communication, e.g. over the phone.
Companies across the world lose millions every year to this form of attack. Organisations have no option but to educate their staff in these simple methods of avoidance; without understanding how to avoid a phishing attack, an organisation is inherently at risk.
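Two of the checks above, "look at the address the email came from" and "inspect links before following them", can be automated for triage. The following is an added example, not the post's own code: it parses a constructed sample email (the addresses and domains are made up) and flags a Reply-To that differs from the From domain and anchor text whose visible domain differs from the real href.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the visible link text and the
# real href point at different domains, and Reply-To differs from From.
SAMPLE_EMAIL = """From: Accounts Team <accounts@example-bank.com>
Reply-To: payments@mail-example-bank.co
Content-Type: text/html

<p>Please reveiw your invoice at <a href="http://login.example-bank.co/verify">https://www.example-bank.com/invoices</a></p>
"""
URL_LIKE = re.compile(r"^(?:https?://)?(?P<host>[\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (visible text, href) pairs
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_domain(host):
    # Crude "last two labels" rule; production code should use a public-suffix list.
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def phishing_indicators(raw):
    msg, findings = message_from_string(raw), []  # empty list means no check fired
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].split("@")[-1]
    if reply_domain and registered_domain(reply_domain) != registered_domain(from_domain):
        findings.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        m = URL_LIKE.match(text)  # plain anchor text such as "click here" is skipped
        shown = registered_domain(m.group("host")) if m else ""
        actual = registered_domain(urlparse(href).hostname)
        if shown and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings
```

Run `phishing_indicators(SAMPLE_EMAIL)` to see both warnings; a message whose link text and href agree and which has no divergent Reply-To returns an empty list.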
Malware
This malicious form of software comes in many forms, from viruses that spread throughout your systems and wipe data for no apparent reason, to highly targeted ransomware attacks that render your local data inaccessible whilst attackers demand cryptocurrency payments in exchange for encryption keys.
Although backing up will help protect you against the disruption caused by malware, prevention is always going to be an integral part of your information defence strategy.
Finding the correct antivirus software for your organisation is paramount, though it is not the only necessity. Security professionals within an SME should also consider firewalls, access controls and data segmentation. Ensuring all software and equipment is up to date and adequately patched must also be on any checklist.
When considering malware protection, phishing isn’t the only source of infection, and physical security practices should be a matter of policy understood by all members of staff. Just consider the damage that could be done by a careless co-worker who is curious about the contents of a found USB drive.
Mobile Devices
With organisations frequently relying on out-of-office work, and mobile devices commonly containing sensitive information, adequate attention should be paid to the vulnerabilities inherent to tablets, phones and even smartwatches.
Firstly, though it may sound basic, password protection and encryption should be enabled on any device that carries sensitive information. As with any security-related software, the operating systems and apps of mobile devices should be kept up to date, so as to minimise your SME’s vulnerabilities.
Remote tracking and wiping are also highly recommended, as they allow data to be rendered inaccessible in the event that a device is lost or stolen. Finally, members of staff should be educated about the dangers of connecting to unknown Wi-Fi hotspots and the related risks of traffic monitoring and man-in-the-middle attacks.
Create a Secure Culture
We hope these information security tips will prove useful, however, there is no easy, quick fix to all your information security problems. Achieving a positive, sustained and measurable change in the behaviour of staff is about implementing and moving towards a secure culture mindset.
By conducting comprehensive information security training, any SME is not only investing in the education of their staff but also strengthening their viability and trustworthiness. By integrating information security as a part of an organisation’s culture, they are better protecting themselves against a whole host of potential threats, including phishing attacks, data breaches and even insider threats.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.