Cyber Security for SMEs: How to Achieve Effective Safety Standards
Current Cyber Risks for SMEs
What began with digitisation was reinforced by the Covid pandemic: Cyber attacks have reached an unprecedented level in recent years and can affect any company. But while global corporations have been working on the implementation of IT and cyber security for some time, small and medium-sized companies are still breaking new ground in this regard. Too often, there is a perceived lack of financial budget and human resources to be adequately armed against hacker attacks. The good news is: Even under these conditions, you can already take some precautions and check how vulnerable your business is to hacker attacks.
Our article Cybercrime 2021: Online Crime at Record Level Thanks to Covid summarises the facts and figures for online crime and provides advice on how you can protect your company from cyberattacks.
IT Security for Companies of All Sizes
As different as companies, business models and production chains are, every company should adhere to certain standards. These include, among others:
- Virus protection
- Firewalls
- Regular updates
- Management of access rights
- Trained employees
- And very important: Regular data backups!
Ultimately, the measures are not just about prevention, but also about limiting costs in an emergency and being able to quickly restore the ability to work. In the following, we highlight the most important points for establishing cyber security permanently in your business.
Humans As a Security Risk
Employees are an important asset for every company - and unfortunately also a big risk when it comes to cyber security. They often endanger security unknowingly, through carelessness or simple ignorance. But you can help! Raise awareness and train your staff regularly about possible threat scenarios. This includes explaining common attack methods and handling email attachments and external software responsibly. The methods used by cyber criminals are constantly changing, so regular training is required. Make sure you always convey the applicable security guidelines to your workforce. This also includes choosing a good password.
Passwords are highly coveted by hackers! Read about how good password management can help in the article 5 Tips for Good Password Management in Business.
There are also cyber-prevention offers from service providers such as perseus, which educate and sensitise employees at low cost via online training courses and regularly use phishing simulations to check whether the knowledge is actually being applied by the employees.
Clear Responsibilities for Secure IT
Few things make work more difficult than an organisation where the right hand doesn’t know what the left hand is doing. When it comes to cyber security, this is not only annoying, but it can also cost you dearly. So make sure that you regulate responsibilities in this area very clearly and communicate them unambiguously. This applies both internally and externally! Whoever you entrust with this task must have the ability and the skills to continuously check the company’s systems, derive measures from discovered weak points and ensure compliance with security guidelines. This also includes investigating possible violations. An external IT security audit can also be useful. IT should not see this as a lack of trust, but as a form of support: the more deeply involved IT is in a project, the larger its blind spot might be. And what may “just” sound ugly on paper could lead to major damage when it comes to IT security...
Back Up Data
Data is foundational for many processes in a company, which makes it an important corporate asset. Despite its importance, this data faces many dangers:
- Fire, water, storm etc.
- Hardware and software crashes or errors
- Hacker attacks
- Malware (ransomware, viruses, worms, trojans, ...)
- Human error, for example, in which systems are operated incorrectly, accidentally changed or data records are even completely deleted
Regular data backups on external storage media protect against such losses. Of course, you should store the backups in such a way that they are not exposed to any damaging influences and are separated from the rest of the network.
The recovery point objective (RPO) defines the interval between backups. It states the maximum amount of data loss, measured in time, that a company can tolerate, and from this follows the maximum time span between two data backups. In simple terms, the RPO determines the scope of the security measures and the recovery plan. A few steps are necessary to calculate the RPO; ComputerWeekly, for example, shows how it works.
When backing up data, make sure to keep an eye on all folder structures, directories and files so nothing escapes the backup process and you can constantly check the processes. Even automation doesn’t protect against errors.
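As an added illustration of the two checks described above (backup completeness and backup age versus the RPO), not code from the article or from any provider it names: the script builds a SHA-256 manifest of a source tree, compares it with the backup copy so that files which escaped the backup or drifted are reported, and flags a backup that is older than the RPO. The sample trees and the 24-hour RPO are constructed here for the demonstration.

```python
import hashlib
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file below root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_backup(source: Path, backup: Path) -> Dict[str, List[str]]:
    """Report files that escaped the backup, drifted, or exist only in the backup."""
    src, bak = build_manifest(source), build_manifest(backup)
    return {
        "missing": sorted(p for p in src if p not in bak),
        "changed": sorted(p for p in src if p in bak and src[p] != bak[p]),
        "extra": sorted(p for p in bak if p not in src),
    }


def rpo_violated(last_backup: float, rpo_hours: float, now: Optional[float] = None) -> bool:
    """True when the newest backup is older than the RPO allows (epoch seconds)."""
    now = time.time() if now is None else now
    return (now - last_backup) > rpo_hours * 3600


def demo() -> Dict[str, List[str]]:
    """Constructed sample trees: one file never backed up, one backup copy stale."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "src"), Path(tmp, "bak")
        for d in (src / "docs", bak / "docs"):
            d.mkdir(parents=True)
        (src / "docs" / "a.txt").write_text("invoice 1")
        (bak / "docs" / "a.txt").write_text("invoice 1")   # backed up correctly
        (src / "docs" / "b.txt").write_text("contract")    # escaped the backup
        (src / "c.txt").write_text("v2")
        (bak / "c.txt").write_text("v1")                   # stale copy
        return compare_backup(src, bak)


if __name__ == "__main__":
    print(demo())
    print("RPO violated:", rpo_violated(0, 24, now=25 * 3600))
```

Run the comparison after every backup job; a non-empty "missing" or "changed" list is exactly the kind of error the text warns that automation alone will not catch.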
Disaster Recovery Plan (DRP) – When Disaster Strikes
If an emergency does occur, only a complete, up-to-date backup of the data allows you to restore the original state. A DRP describes exactly what has to be done by whom - because when in doubt, every minute counts. It’s worth testing data recovery in practice sessions to be prepared at all times.
Monitor Interfaces
A variety of devices and systems are networked with each other in companies. Computers access websites, servers provide data, and external systems from partners are used every day. This results in many different interfaces to the outside, which form a potential gateway for harmful attacks. Regular controls prevent unwanted access. Firewalls, proxy servers, intrusion detection (IDS) and intrusion prevention systems (IPS) help with this.
A proxy server acts as a communication interface in the computer network. For example, it accepts requests from clients and then uses its own address to establish the connection to the desired site, so the internal client never talks to the web server directly. An IDS recognises attacks directed against your computer network, while an IPS not only recognises attacks but reacts to them according to predefined rules.
Cyber Security Means Staying Up to Date
All measures are of little use to you if you don’t keep your tools, from the operating system to the various applications to the virus scanner, up to date. New vulnerabilities are discovered every day, and criminals are only too happy to exploit them for their attacks. To put a stop to this, manufacturers constantly provide patches and updates, which you should install as soon as possible. Up-to-date virus scanners also prevent malware from penetrating client systems and servers.
Unfortunately, some well-known manufacturers react relatively slowly. But depending on the hardware and software used, there are useful websites and newsletters that often uncover possible security gaps much more quickly and provide countermeasures. Research into this is strongly recommended for every IT manager.
WIFI – The Deathblow for Secure IT?
WIFI is standard now when it comes to accessing the company network via mobile devices or integrating machines into processes via radio technology. To ensure this useful technology doesn’t open the floodgates for hackers, you should encrypt your WIFI with a secure standard such as WPA2, separate access for guests from the production network, and carry out authentication via central servers.
Cyber Security for Your Business – Prevention Is (Almost) Everything
The risks associated with digitisation affect companies of all sizes and industries. So don’t go around thinking “My business is far too small/too uninteresting for cybercriminals...” - because this fallacy can cost you dearly. If the measures here sound time-consuming and costly, consider the enormous damage that data loss, for example due to a hacker attack, would mean for your business.
Absolute security doesn’t exist in the world of bits and bytes anyway, right? That’s absolutely right, but we won’t just leave you hanging here. With a Professional Indemnity Insurance from exali in combination with the add-on First-Party Cyber and Data Risks Insurance (FPC), you’re protected in the event of a cyber attack, for example in the form of a ransomware attack or social engineering. In the event of a cyber incident, the insurer assumes, for example, the costs of data recovery, the costs of restoring your IT systems and the commissioning of experts for IT forensics or legal issues. In the event of cyber blackmail, the insurer can also cover monetary claims (ransom).