If you are the CEO, owner or manager of a small business (SME), you need to be very aware of the fact that you are a target for cyber attacks. Your business may be less valuable than a corporate behemoth like Tesco, but remember that astute corporate behemoths devote significant resources to cyber security…
The good news is that there are still plenty of steps smaller companies can take to put themselves in a position where attacking them is more hassle than it’s worth for cyber villains. Here are three points to remember to make this happen.
When you think of cyber security, you probably start thinking about anti-virus programmes, firewalls and the like, and these are all very important. They are, however, completely useless if a thief can just walk into your office undetected, sit down at a computer and start working on breaking down your defences from the inside. Or, alternatively, if they can steal a device and take it away with them to break open at their leisure. This is why your members of staff should never write down their password on a piece of paper and store it under their keyboard. (We all know that happens, but it must not happen on your premises.)
To stay safe, you need to think like a potential intruder and go through all options from blatant forced entry (e.g. smashing windows) to sneaky approaches such as posing as a legitimate visitor.
The thing is, you are going to have legitimate visitors, such as delivery and maintenance personnel, so you need to think about managing them. Receptionists can be valuable security assets but, if you don’t have a dedicated receptionist, have a single nominated individual and a back-up with responsibility for managing visitors.
Forming effective IT-management policies generally starts with knowing the laws with which you must comply (like the forthcoming General Data Protection Regulation) and working out what steps you need to take to achieve compliance with them.
This forms the absolute minimum standard for operating in a legal manner.
After this, it is strongly recommended that you analyse the current state of your digital landscape in terms of key areas of IT security, including secure configuration, boundary firewalls and internet gateways, access control and administrative privilege management, patch management and malware protection.
Essentially, you are looking to see where you stand against current threats and against threats which can realistically be foreseen for the future. This will highlight your strengths and weaknesses and show where improvements need to be made. Programmes like Cyber Essentials and Cyber Essentials Plus can be invaluable in helping you to identify where you need to pay extra attention.
It’s also wise to make a commitment to conducting a review of your IT policies on an annual basis to ensure that they are adapted to changing legal requirements and updated threats.
Once you’re clear about what you need to do to ensure cyber security, you need to make your employees aware of this and put steps in place to promote desirable behaviours.
One obvious example of this is having a robust password policy so that employees are clear on the need to choose strong passwords. Employees also need to be made aware of the importance of physical security, particularly with regard to mobile devices both in and out of the office. Finally, your staff should be provided with whatever they need to implement physical and online security, for example cable locks for laptops and password management systems.