39% of UK businesses identified a cyberattack in 2022 (Source: Cyber Security Breaches Survey 2022, Gov.uk). This means that now more than ever, small and medium-sized enterprises (SMEs) face an increasing risk of data breaches and cyberattacks.
By following the 10 steps outlined below, SMEs can save precious time and money and also safeguard reputation. The recommendation is also to begin with a comprehensive risk assessment to gain a deeper understanding of the data, services, systems, portals, assets, and networks being accessed, as well as the associated value, sensitivity, and risk in the event of unauthorised access.
While the guidance listed cannot guarantee complete protection against all cyber attacks, the steps outlined* will significantly reduce the risk of falling victim to cyber crime.
1. Training and awareness for staff: Educating employees about cybersecurity is the very first line of defence. Regular training sessions should be conducted to ensure that staff within all departments of the business are aware of the latest threats, phishing techniques, and best practices. The more they understand the importance of their role in data security, the more responsibility they are likely to take.
2. Access Controls: Implement strict access controls to ensure that only authorised team members have access to sensitive data. Businesses should also regularly review and update access rights to prevent unauthorised individuals from gaining access to critical information.
3. Strong Password Policy: Enforce a strong password policy that requires employees to create complex passwords. Passwords should be changed regularly, and multi-factor authentication (MFA) should be enabled wherever possible.
4. Anti-virus/firewall protection: Install and regularly update anti-virus and anti-malware software on all devices within your network. These tools can detect and remove malicious software that can compromise data security.
Set up robust firewalls to filter incoming and outgoing network traffic. Firewalls can help prevent unauthorised access and filter out potentially harmful data.
5. Keep devices and software up-to-date: Ensure that all devices and software are kept up-to-date with the latest security patches and updates. Hackers often target vulnerabilities in outdated software. Establish a patch management system to stay current with security updates.
6. Carry out regular backups: Regularly back up your data and store it in a secure location. In the event of a ransomware attack or data loss, having up-to-date backups can be a lifesaver.
7. Incident response plan: Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Due to time being critical in mitigating the damage, having a plan in place can help minimise the impact on operations.
8. Phishing Awareness: Phishing attacks are a common entry point for cybercriminals. Train staff to recognise phishing attempts and suspicious emails to help prevent attacks.
9. Secure Wi-Fi Networks: Secure your Wi-Fi networks with strong passwords and encryption protocols. Separate guest and internal networks to minimise the risk of unauthorised access.
10. Regular Security Audits: Conduct regular security audits to identify vulnerabilities in your systems and network. These audits can help you proactively address potential weaknesses before they are exploited by cyber criminals.
*Steps/guidance 1-10 are not listed in any particular order.