When it comes to the threat of cyberattack in today’s digital landscape it’s dangerous to still believe that ‘it won’t happen to me.’ According to Verizon’s 2019 Data Breach Investigations Report (DBIR), 43% of breaches involve small businesses, a worrying statistic which also represents the largest share of all the attacks within the report.
A lack of in-house capability to respond to such threats leaves your SME vulnerable to potential attack, while the likelihood and sophistication of attacks continues to increase. On top of more understood dangers such as data breaches, vandalism and extortion, emerging risks include C-suite attacks, AI-driven malware and assaults from the computing cloud.
The impact of these incidents is felt most by smaller companies, who lack the funds and resources to recover when they fall victim compared with larger, well-established brands. Whether reputational or financial, the damage can sometimes threaten the continuity of the business.
SME owners should work to mitigate these threats to optimally protect their operations, employees and, above all, the customers who entrust you with their data. Investing in the right technology, as well as establishing and maintaining appropriate processes are necessary safeguards.
However, the most crucial area of defence is often overlooked: in the ever-evolving world of cyberattacks, your staff are your biggest security asset.
Cybercriminals commonly target individual employees, using fraudulent tactics like phishing emails. Just one person can easily become a backdoor into your SME’s entire network. Such attacks require human interaction to succeed, which makes investing in human defences the most important part of your business’ cybersecurity strategy.
A documented cybersecurity policy is the foundation of building resilience here. By implementing and maintaining suitable controls, your SME will become less susceptible to breaches – and better positioned to withstand the repercussions of an incident should one occur.
Of course, the success of this is heavily reliant on your staff. Each team member must understand your policy and follow best practice guidelines. It’s also important to encourage an open dialogue that keeps staff informed and engaged – for example by making it a regular part of meeting agendas and sharing new learnings, so security is always front of mind.
Standards can help you to embed a positive cybersecurity culture in your SME. ISO/IEC 27001 provides a framework to build an information security management system (ISMS) unique to your business.
The standard takes a holistic approach that puts effective education and awareness training front and centre. This enables employees to readily understand risks and embrace controls as part of their everyday working practices. Also, ISO/IEC 27002 helps organizations develop information security guidelines that meet international standards.
Another security area to address is Bring Your Own Device (BYOD) working. BYOD makes business sense for SMEs. It provides employees the flexibility to work from home or abroad, at any time of day, resulting in huge productivity boosts, as well as obvious cost savings. That said, BYOD comes with its own security risks and SME owners must consider the full implications of allowing corporate data to be accessed on personal devices that they have little to no control over.
Implementing an effective BYOD policy, in line with ISO 27001 requirements, lets you and your team enjoy the benefits without compromising security. This should include guidelines for acceptable use of devices in and out of the workplace, password updates, encryptions and downloadable software, as well as procedures for device or data loss and onboarding and exiting processes.
Keep in mind that BYOD usually works with a cloud computing setup, which must also be managed appropriately. ISO/IEC 27017 outlines guidelines for information security controls around the provision and use of cloud services.
While striving for robust information security, SMEs also need to consider privacy management. ISO 27701 is a privacy extension to ISO 27001 and ISO 27002, designed to help organizations protect and control the personal information they handle. It can be used to demonstrate compliance with global privacy regulations, including the General Data Protection Regulation (GDPR).
The standard necessitates appropriate training for all staff that have access to personally identifiable information, again demonstrating that people are just as important as technology in the protection of data.
With a top-down, consistent approach to cybersecurity, your SME will be better positioned to protect itself and build resilience. With the appropriate standards in place, you can establish a security-conscious workplace culture, one that educates and empowers employees while letting your business thrive.
