Small Business Security Basics

Problem in Chair Not in Computer

SME Security is No Picnic: There are many issues that organisations can encounter when dealing with information security, from lost files and credential sharing to protecting intellectual property and fending off outsider attacks. As anyone working with technology knows, more often than not these issues stem not from the technology but from the user.

Hence the acronym P.I.C.N.I.C. A common codeword within tech support circles, 'problem in chair, not in computer' describes a class of trouble that is particularly relevant to information security.

With 34% of all breaches involving internal actors, it's estimated that a significant proportion of these breaches are contributed to by careless or negligent behaviour by employees. Though many human errors are innocuous, under-trained and error-prone staff regularly cost a business money, intellectual property and, often, its reputation.

Given that the cost of data breaches grows year on year, and that human error is so often the culprit behind these information security issues, we must ask ourselves: what are an SME's weak spots, and what can be done to address them?

Phishing Attacks

No matter the size of your business, multinational or SME, phishing will invariably be one of the attack methods threatening your organisation. Though the click-rate for phishing emails has dropped significantly, it still sits somewhere around 3%.

Considering that a single point of failure, one employee clicking one link, can be enough to compromise an entire network, organisations cannot afford to put their viability at risk by ignoring the threat of human error and phishing emails.

Unfortunately for SMEs, the sophistication of these attacks has grown in step with users' scepticism. The days of blatant scams and Nigerian princes are largely behind us; phishing attacks can now be both very convincingly designed and highly targeted.

Keeping up to date with the latest phishing trends and techniques is essential for developing and maintaining a secure culture. By teaching teams which signs to look for and which to be suspicious of (an unexpected sender, a link whose real destination differs from its text, pressure to act urgently), you can minimise the chances of losing credentials, controlled access and intellectual property.

Insider Threat

Though a successful phishing attack can count as an element of insider threat, the term also covers all actions performed by insiders, careless or deliberate, that threaten the wellbeing of an organisation.

There's a great deal that can be implemented technologically to minimise employees' opportunity to exfiltrate, compromise or steal data, such as access controls, data minimisation and stringent security policies, but what about P.I.C.N.I.C.?

It's an uncomfortable truth that businesses must face: 23% of insider attacks are malicious in nature. More complicated to address than mere accidents, these require management and employees alike to be vigilant and attuned to the signs that precede a malicious insider attack.

Often, members of staff may not be able to identify suspicious behaviour, or may not know the procedure to follow when they do. Once again, faced with the possibility of losing intellectual property, SMEs in any sector should consider training to raise employee awareness of how to defend against this form of attack.

Login Credentials

Basic as it may be, password security is an often overlooked essential. Related to both phishing and insider threat, the confidentiality of login credentials is critical to the integrity of an SME's information security.

Creating a strong password

When creating a password, best practice suggests that a random combination of four words produces a password that is difficult to crack and, most importantly, memorable. Password generators are also very useful, but this method lets users create passwords that would take a would-be attacker many years to recover from a stolen hash. Two caveats apply: the words must be chosen at random from a large list rather than picked by hand, and the years-long figure assumes the service stores the password with a slow, salted hash; against a fast unsalted hash an attacker can test billions of guesses per second.
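As an added example (not code from the original post or from Hut Six), the generator below picks four words with the operating system's cryptographic random source and shows how the resulting strength depends on the size of the word list and on how quickly the target system lets an attacker test guesses. The 40-word list is constructed here for illustration, and the 7,776-word list size and the two attacker guess rates are assumptions, not measured figures.

```python
import math
import secrets

# Constructed sample word list, for illustration only. A real generator
# should use a large published list such as a 7,776-word diceware list;
# the entropy figures below show why list size matters.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pencil", "quartz", "rocket", "saddle", "tunnel", "umpire",
    "velvet", "walnut", "yellow", "zipper", "bridge", "copper", "desert",
    "forest", "glacier", "harbor", "igloo", "jungle", "kayak", "lantern",
    "meadow", "nectar", "oyster", "parrot", "ribbon",
]

EFF_LONG_LIST_SIZE = 7776  # 6^5 words; assumed size of a diceware-style list


def generate_passphrase(wordlist, n_words=4, separator="-"):
    """Pick n_words uniformly at random using the OS CSPRNG.

    secrets.choice is used rather than random.choice: the random module is
    seeded predictably and must never be used for credentials.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    if len(wordlist) < 2:
        raise ValueError("word list too small to be meaningful")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words=4):
    """Entropy of n_words chosen uniformly from a list of wordlist_size.

    Only valid when every word is picked independently at random; a
    hand-picked "random" phrase has far less entropy than this formula says.
    """
    return n_words * math.log2(wordlist_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Average time to guess, assuming the attacker tries half the keyspace."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


# Assumed attacker speeds (order-of-magnitude figures, not measured values):
# a GPU rig against a fast unsalted hash versus a deliberately slow hash.
FAST_HASH_GUESSES_PER_SEC = 1e10
SLOW_HASH_GUESSES_PER_SEC = 1e4


def crack_time_summary(wordlist_size, n_words=4):
    """Return (entropy_bits, years_vs_fast_hash, years_vs_slow_hash)."""
    bits = passphrase_entropy_bits(wordlist_size, n_words)
    year = 365.25 * 24 * 3600
    fast = expected_crack_seconds(bits, FAST_HASH_GUESSES_PER_SEC) / year
    slow = expected_crack_seconds(bits, SLOW_HASH_GUESSES_PER_SEC) / year
    return bits, fast, slow


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    for size in (len(SAMPLE_WORDS), EFF_LONG_LIST_SIZE):
        bits, fast, slow = crack_time_summary(size)
        print(f"{size:5d}-word list: {bits:5.1f} bits, "
              f"~{fast:.2g} years vs fast hash, ~{slow:.2g} years vs slow hash")
```

Run it directly to see a passphrase and the two crack-time estimates. The constructed 40-word list gives about 21 bits and falls in seconds whichever hash is used; the 7,776-word list gives roughly 52 bits, which holds for thousands of years against a slow password hash but only a couple of days against a fast unsalted one, so the "many years" claim depends on the service storing passwords properly as much as on the user's choice.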


Passwords for sensitive accounts should also be unique, and password reuse should be discouraged across the board. In the event that one account is compromised through a breach, only that one password is then rendered insecure, rather than every account that shared it.


Contrary as it is to the purpose of a password, password sharing can be surprisingly common in some workplaces. Without this basic identifier of who is connecting to your systems, a business cannot attribute actions to individuals and leaves itself open to exploitation. A single-user policy should therefore be understood and adhered to by all members of staff.

No Problem

Common to all of these points is the persistent issue of human error. Though it is difficult to eliminate, any organisation can reduce its information security vulnerability by building a secure-culture mindset.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
