5. Back up data
Businesses of all sizes should be doing this, says Whittingham, who explains that one low-tech way of doing it is to take manual backups to a secure storage device at regular intervals. “No matter how you do it, backups should not be connected to the network you use for work as they could then be at risk of being compromised in an attack,” he says. “There are lots of solutions available, many of which take the pain out of doing it and use encrypted cloud storage – they’re often very affordable, too.” With suitable backups in place, a business can recover much more quickly from an attack such as ransomware.
6. Keep software and devices up to date
Javvad Malik, of cyber-security awareness training company KnowBe4, says that after social engineering (manipulating people into revealing confidential data online), one of the most common ways companies are breached is through unpatched software, apps, or devices. “Because of this, SMEs should ensure all of their assets are kept up to date whenever the manufacturer releases a new patch,” he says. “In most cases, companies can set operating systems, phones, computers, and apps to automatically update to ensure this.” When older tech becomes unsupported by manufacturers, Malik says companies should consider replacing it.
7. Lock down privileges
Companies often have to let third parties into their systems to install new software or for development reasons, says Malik. With this in mind, your corporate policy should ensure that access is revoked once this external work stops or is completed. “It's all too easy to have ‘orphan’ accounts that could be compromised at a later date,” Malik says. On a related note, companies should also limit the privileges some of their staff have on their accounts. “Normal, day-to-day activities such as checking emails should not need high-privilege accounts to do so,” he says.
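The two checks Malik describes, finding ‘orphan’ third-party accounts and reviewing who holds high-privilege access, can be run routinely against an account export. The following Python script is an added example, not code from the article or from KnowBe4; the account records, field names and the 90-day dormancy threshold are constructed assumptions standing in for whatever an SME's identity system actually exports.

```python
from datetime import date, timedelta

# Constructed sample of an account inventory, shaped like a simplified IAM export.
# Fields (assumed for this example): account name, whether it belongs to staff or a
# third party, the agreed end date of the external engagement (None if not recorded),
# whether the account is still enabled, last login date, and whether it holds admin rights.
ACCOUNTS = [
    {"user": "alice", "type": "staff", "engagement_end": None,
     "enabled": True, "last_login": date(2024, 5, 2), "admin": False},
    {"user": "vendor-svc01", "type": "third_party", "engagement_end": date(2024, 1, 31),
     "enabled": True, "last_login": date(2024, 1, 28), "admin": True},
    {"user": "contractor-bob", "type": "third_party", "engagement_end": date(2024, 4, 30),
     "enabled": False, "last_login": date(2024, 4, 29), "admin": False},
    {"user": "dev-consult", "type": "third_party", "engagement_end": None,
     "enabled": True, "last_login": date(2023, 9, 1), "admin": False},
    {"user": "carol-admin", "type": "staff", "engagement_end": None,
     "enabled": True, "last_login": date(2024, 5, 3), "admin": True},
]

# Fixed review date so the example is deterministic; in practice use date.today().
REVIEW_DATE = date(2024, 5, 6)


def find_orphan_accounts(accounts, today=REVIEW_DATE, dormant_days=90):
    """Return names of enabled third-party accounts that should have been revoked.

    An account is flagged if its recorded engagement end date has passed, or if
    no end date was recorded and it has not logged in for `dormant_days` days
    (the latter catches third-party access that was never given an expiry).
    """
    dormant_cutoff = today - timedelta(days=dormant_days)
    orphans = []
    for acct in accounts:
        if acct["type"] != "third_party" or not acct["enabled"]:
            continue  # staff accounts and already-disabled accounts are out of scope
        expired = acct["engagement_end"] is not None and acct["engagement_end"] < today
        dormant = acct["engagement_end"] is None and acct["last_login"] < dormant_cutoff
        if expired or dormant:
            orphans.append(acct["user"])
    return orphans


def find_privileged_accounts(accounts):
    """Return enabled accounts holding admin rights, as input to a least-privilege review.

    Each name returned should be justified by a task that genuinely needs elevated
    access; routine work such as email should be done from a separate, unprivileged account.
    """
    return [a["user"] for a in accounts if a["enabled"] and a["admin"]]


if __name__ == "__main__":
    print("Third-party accounts to revoke:", find_orphan_accounts(ACCOUNTS))
    print("Accounts with admin rights to review:", find_privileged_accounts(ACCOUNTS))
```

Run against the constructed records, the first check flags `vendor-svc01` (engagement ended but account still enabled) and `dev-consult` (no end date recorded and no login in over 90 days), while `contractor-bob` is ignored because access was already disabled. The second check lists `vendor-svc01` and `carol-admin`; a third-party account that is both orphaned and privileged, like `vendor-svc01`, is exactly the kind of account Malik warns could be compromised later, so it should be at the top of the revocation list.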
8. Pay special attention to sensitive data
Business leaders need to realise it’s not a case of ‘if’, but ‘when’ a company is breached, says Gary Marsden at digital security specialist Thales. Their most critical data needs to be handled with extra care. Under GDPR (General Data Protection Regulation) rules, customers’ PII (Personally Identifiable Information) is considered especially sensitive and, if compromised, is one of the main reasons companies get fined under the new regulations. “A key way to protect this extra-sensitive data,” says Marsden, “is through controlling admission to allow only authorised users to gain access and strong key/certificate management, too.”
9. Evaluate and repeat
SMEs should be reviewing their cyber-security policies on an ongoing basis, says Marsden. “It requires constant examination and oversight to combat the ever-increasing number of threats out there,” he says. “Those that can’t dedicate the time or do not have the in-house skills to do this should consider outsourcing to a specialist third party – as a growing number of SMEs already have.” He adds that SMEs need to ensure they’re compliant in protecting all customer data in the future as well as the data they already have in their system.
10. Develop a doomsday plan
“When the worst happens and a company is targeted, you need a response and recovery plan that can be actioned quickly,” says Pitman. “Do contact the police and report the situation – but they’re not going to be able to help you continue business as usual.”
What will be more valuable, he says, is a recovery plan that enables the team to carry on working – probably using a cloud-based system, rather than your own, compromised, internal network. “Pay attention to your technology experts when they say they want to spend time and money on the setup of your system,” says Pitman. “Ultimately, it’s about not having all your eggs in one basket – and it takes a little extra investment and education upfront to save potentially significant revenue loss later.”