Small Business Security Basics

Problem in Chair Not in Computer

SME Security is No Picnic: There are many issues that organisations can encounter when dealing with information security; from lost files and credential sharing, to protecting intellectual property and fending off outsider attacks. As anyone working with technology knows, more often than not, these issues stem not from the technology, but instead the user.

Hence, the acronym: P.I.C.N.I.C. Not an uncommon codeword within tech support circles, problem in chair, not in computer is understood to be a trouble particularly relevant to information security.

With 34% of all breaches involving internal actors, it’s estimated that of these breaches are contributed to via careless or negligent behaviour by employees. As we can see, though many human errors can be innocuous, under-trained and error prone staff regularly cost a business funds, intellectual property and often, their reputation.

Given that the cost of data breaches grows year on year, and that human error is often the culprit behind these information security issues, we must ask ourselves: what are a SME’s weak spots, and what can be done to address these threats?

Phishing Attacks

No matter the size of your business, multinational or SME, phishing is invariably going to be one of the methods of attack that will threaten your organisation. Though the click-rate for phishing emails has dropped significantly, it still remains somewhere around 3%.

Considering that all it takes is one point of failure to compromise an entire network, organisations cannot afford to put their viability at risk by ignoring the threat of human error and phishing emails.

Unfortunately for SMEs, the sophistication of these attacks has mirrored the incredulity of uses. The days of the blatant scams and Nigerian princes are largely behind us and phishing attacks can now not only be very convincingly designed, but also highly targeted.

Keeping up to date with the latest phishing trends and techniques is essential for developing and maintaining a secure culture. By enabling teams to recognise which signs to look for, and which to be suspicious of, you can help minimise the chances of losing credentials, controlled access and intellectual property.

Insider Threat

Though a successful phishing attack can count as an element of ‘insider-threat’, this information security threat also covers the expanse of all actions performed by insiders that threaten the wellbeing of an organisation.

There’s a great deal that can be technologically implemented to help minimise the opportunity of employees to exfiltrate, compromise or steal, such as access controls, data minimisation and stringent security policies, but what about P.I.C.N.I.C?

It’s an uncomfortable truth that businesses must face; but 23% of insider attacks are malicious in nature. More complicated to address than mere accidents, management and employees alike must be vigilant and attuned to the signs that precede a malicious insider attack.

Often, members of staff may not be able to identify suspicious behaviour, or even understand the procedures that must be followed when they do. Once again, when faced with the possibility of losing intellectual property, SMEs within any sector should consider implementing training to increase employee awareness of how to defend against this form of attack.

Login Credentials

Perhaps basic, but password security can often be an overlooked essential. Related to both phishing and insider threat, the confidentiality of login credentials is critical to the integrity of an SMEs information security.

Creating a strong password

When creating a password, best practices dictate that a random combination of four words produce a difficult to crack and, most importantly, memorable password. Although password generators are also very useful, this method allows users to create passwords that would take any would-be hackers many years to match a hash to.

Reuse

Passwords should also be novel for sensitive accounts, and any password reuse should be discouraged. In the eventuality that one account is compromised through a breach, then it’s only the one password that is rendered insecure.

Sharing

Somewhat contradictory to purpose, password sharing can in some workplaces be surprisingly common. Without this basic identifier of who is connecting to your networks, a business can leave themselves open to exploitation. Therefore, a single-user policy should be understood and adhered to by all members of staff.

No Problem

Common to all these points for improvement is the constant issue of human error, and though this persistent issue is often difficult to avoid, by creating a secure culture mindset any organisation is capable of reducing their information security vulnerability.