An alarmingly high number of companies aren’t properly equipped to deal with cybersecurity. Despite the expanding list of high-profile and reputationally damaging data breaches (just yesterday it was both Dell and Dunkin’ Donuts), a recent survey from Hiscox Insurance found that an astonishingly high 70% of businesses aren’t prepared for cyberattacks.
SMEs are often far less prepared for cyber threats than bigger businesses. Larger companies have the money to hire full-time cybersecurity experts, while growing companies are funnelling any and all of their resources into product development and growth.
It’s an understandable allocation of money and effort. But no company, big or small, can afford to ignore the importance of cybersecurity. Least of all startups and SMEs, who are being increasingly targeted by cybercriminals because of their relative dearth of cybersecurity investment.
Celebrating World Computer Security Day, we’ve assembled five quick and cost-effective ways SMEs can strengthen their cybersecurity procedures and policies, and protect themselves against a litany of online threats.
- Codify Your Cybersecurity Practices
After you’ve picked a memorable name, a slick logo, and registered with Companies House, the next thing you should do is formalise your cybersecurity protocols. No, seriously. Taking a company live without proper cybersecurity procedures is like building a car without seatbelts. It’s needlessly dangerous, and just plain bad business. If you haven’t formalised your approach, make doing so your number one priority.
It doesn’t have to be a drawn-out process, either. And your policies don’t need to be legally airtight. But they should be comprehensive, and explain how you’re going to handle things like storing and transferring sensitive data, and what to do in the event of a coordinated attack. Once you’ve figured out your approach to cybersecurity, you can start enacting it.
- Educate Your Employees
Businesses can grow pretty quickly. One minute you’re two cofounders in a WeWork cubicle. The next, you’re twelve people in a corner office, with a fish tank shimmering with communal goldfish. As you welcome people to the team, your standard onboarding process must include your cybersecurity policies and overall best practices. It doesn’t matter if they’re a developer, a salesperson, or a social media guru. Everyone should get the same education.
It can take time to get new joiners up to speed. A handy time-saver is to produce a written guide containing your cybersecurity procedures. The guide can cover the fundamentals – like how to create a strong password, how to avoid phishing scams, and how to use two-factor authentication – while you tackle the most important or complex issues face-to-face.
You can save even more time and effort by drawing on the range of free, reputable and ready-made online resources; this easy-to-follow best practices guide from cybersecurity expert Norton, for instance.
- Keep Everything Updated
It’s a simple but important piece of advice: make sure all devices and systems are up to date with the latest software. This doesn’t just apply to laptops and phones. Printers, networking hardware and WordPress plugins should all be monitored. Software updates include defences against newly discovered exploits, so they’re an important and effective way to protect your company’s data.
Hackers and software manufacturers are engaged in a constant, escalating game of cat and mouse. Hackers scour code for exploitable flaws, while developers race to resolve them. By regularly updating your hardware and software, you’re keeping up with the developers’ latest solutions, and immunising your systems against attackers’ latest ploys.
The simplest way to do this is to make sure all company devices are set to auto-update. If you’re running software that doesn’t automatically update, you should institute a regular update schedule and commit employees to updating their devices as soon as a new patch becomes available.
- Follow Manufacturers’ Security Baselines
A security baseline is essentially a list of mandatory settings that devices and software are required to adhere to at all times. Baselines are designed to protect against commonly faced threats, particularly those related to inherent flaws or vulnerabilities. As an example, a security baseline might dictate that all networked laptops must run a certain piece of security software.
In large companies and organisations, the baseline is written and enforced by a dedicated, in-house IT department. This is ideal, particularly when a company employs a complex network of varying devices and software. But most small and medium-sized companies don’t have the luxury of a dedicated IT team. Instead, they have to choose between devising their own (usually suboptimal) baselines, or using the one suggested by the manufacturers of their devices.
In this case, we strongly recommend using the baseline provided by manufacturers. These have been written and tested by an expert development team who know their device inside and out. Here, for example, is Microsoft’s page on recommended baselines. Most manufacturers produce them, so we suggest seeking them out and implementing them, wherever possible.
- When In Doubt, Outsource
Outsourcing is a great way to add cybersecurity expertise to your business. There’s an array of virtual and cloud-based security solutions, such as vSOCs (virtual security operation centres) which provide top-notch and round-the-clock cybersecurity protection for your company.
Similarly, vCISOs, or ‘virtual chief information security officers’, allow companies to retain an on-call security expert, someone who can offer strategic leadership and emergency response counsel, without having to pay the six-figure salaries and hefty benefits packages commanded by full-time executives. As this excellent article on CSO Online explains, vCISOs cost 60 – 70% less than a permanent security executive.
Experience and specialisms can vary between vCISOs, so it’s important to do your research and find someone who meets your particular needs. Different vCISOs will also offer different pay structures. Some will charge per hour, others will charge a monthly fee with a cap on how much work they can do.
To get the greatest bang for your buck, you should structure your payments based on your requirements. If you need a lot done in the short term – reconfiguring systems, developing new security procedures, writing response plans – it might make sense to front-load your agreement by hiring them on an hourly basis for the first three months, and then converting them to a smaller, fixed-hour retainer afterwards.
vCISOs aren’t for everyone, though. They satisfy a certain sweet spot of companies: those that need significant security experience – like those holding and managing masses of sensitive data – but that don’t have the means to bring in a full-time CISO. If that sounds like you, retaining a vCISO might be the best approach.