Cyber-hygiene for SMEs

Jamie Akhtar at CyberSmart talks to Business Reporter about getting the basics of cyber-security right

• What would you say are the most common mistakes that SMEs make when creating and implementing their cyber-security strategy?

Historically, one of the most common mistakes we’ve seen SMEs make is simply believing they are too small to be a target of cyber-crime and cyber-attacks. In adopting this mindset, many implement few (if any) security measures; putting themselves at greater risk. Yet, unfortunately, it has become abundantly clear over the last couple of years that this belief isn’t grounded in fact.

SMEs are generally integrated into wider supply chains so that even if the business itself is not the intended mark, they provide cyber-criminals a crucial stepping stone to reach other organisations and reserves of data. Fortunately, or rather unfortunately, the onslaught of attacks on SMEs (according to Verizon’s DBIR report, 61% of SMEs were the target of a cyber-attack in 2021), has since improved awareness and spurred many into action. 

The issue, however, is that most don’t know where to begin and assume they need an elaborate security strategy, as well as expensive and complex technologies to defend themselves. Implementing these can be a daunting prospect, intimidating SMEs into inaction and bringing them back to square one. Essentially, they’re more aware, but no more protected.

The thing is, cyber-security doesn’t have to be complicated and most cyber-attacks can be thwarted by simple exercises. For example, regularly updating software and operating systems, using strong passwords and multi-factor authentication, developing clear policies for staff to follow, and ensuring security tools are configured properly.

On top of this, employee awareness of cyber-threats just isn’t widespread enough. An organisation can have the best cyber-security software around, but if an employee doesn’t know what a phishing email looks like and clicks a malicious link, it will be hacked just the same. Basic cyber-security training is the best way to counter this. It doesn’t have to be comprehensive, just enough to help your people make informed choices.

Regarding policies, they should be clear and easy-to-follow. Where possible, organisations should avoid technical jargon as this will only disengage people. Equally important, explain why the company has adopted the policies it has; employees will find it much easier to follow them if they know why.

Finally, store them somewhere that is easy to access from anywhere. There is little use in a policy if it is buried deep in a shared drive where nobody can read it.

• There are so many certifications and standards today, it’s hard to know where to start, what to prioritise and if it is right for a business. Can you break down the benefits and challenges of the certifications and standards available today?

 There are a couple of standards and certifications that are non-negotiable for the modern business, no matter its size or perceived importance.

The first of these is the UK Government’s “10 Steps to Cyber Security”. This should be the absolute minimum level of cybersecurity standards an organisation should adhere to, and it could even be argued this alone is not enough.

“10 Steps to Cyber Security” provides a top level understanding of cyber-security, aimed primarily at those with no-or-limited prior knowledge of cyber-security best practices. Its broad descriptions, objectives, and actionable advice should be easy for most organisations to implement.

The second is a Cyber Essentials certification. This is a UK-government-backed scheme that aims to protect organisations by showing them how to implement basic security controls.

Covering five key areas - boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management - the certification is generally seen as an indicator that a business is taking cyber-security seriously. To ensure you pass the first time, seek a vendor that will guide you through the certification process.

Cyber Essentials Plus isn’t necessarily non-negotiable, but is worthwhile for any business, and is the logical next step once a Cyber Essentials certification has been achieved. An independent auditor will carry out an assessment of your business’ cyber-security, giving you total peace of mind that your security is up to scratch.

Aside from these, there are more advanced standards and certifications that may be necessary for some businesses.

The Minimum Cyber Security Standards are a set of mandatory cyber-resilience outcomes that all government departments and their partners must adhere to. Meeting these outcomes will ensure that an organisation is capable of detecting, responding to, and recovering from a cyber-attack.

For companies with third parties or generally, working within a supply chain, the PAS 555 is incredibly important. This holistic framework does not dictate what actions organisations should take, but does help to “define the outcomes of effective cyber-security”. This takes into consideration the technical aspects, as well as the related physical, cultural and behavioural aspects of an organisation’s approach to addressing cyber-threats.

For organisations with an international reach, there are some other, more stringent standards and certifications. The various ISO standards ensure that organisations are sufficiently managing their information security, managing cyber-security risks, implementing security controls, protecting themselves from disruptions, and ensuring they have a level of business continuity preparedness. While all are worthwhile, these are generally for international or larger-scale organisations.

The CSA (Cloud Security Alliance) CCM (Cloud Controls Matrix) is an essential set of controls for any business reliant on the Cloud. As hybrid working increases in popularity, the CSA CCM is growing ever more important.

Finally, the NIST CSF (Cyber-Security Framework) is arguably the most advanced of this list. It helps organisations manage and protect their information systems from cyber-threats. Divided into three parts - the Core, Implementation Tiers, and Profiles - the framework coordinates security controls and the organisation’s approach to implementing them.

All in all, the first three standards and certifications in this list are all that is necessary for most businesses. However, some organisations will have their own unique needs and should look into more specific, stringent standards and certifications accordingly.

• Apart from preventing cyber-attacks, are there any other benefits to having good cyber-hygiene?

 Yes! While preventing cyber attacks and their associated costs is great motivation for good cyber-hygiene, there are other benefits. In fact, having a strong cyber-security posture can be a business enabler. Our society is increasingly mindful of cyber-threats, meaning that businesses and general consumers are demanding that the organisations they work with and/or frequent are taking cyber-security seriously and meeting certain standards.

By ensuring good cyber-hygiene, complying with best practices and achieving credible certification, businesses can demonstrate their commitment to existing and potential customers and partners.

Indeed, it can prove to be a differentiator to win new tenders and attract new customers. According to a survey by McKinsey & Company of more than 1,300 business leaders and 3,000 consumers globally, establishing digital trust is key to meeting consumer expectations and could promote growth.

Digital trust leaders are more likely to see annual growth rates of at least 10 percent on top and bottom lines.

Jamie Akhtar is CEO and Co-Founder of CyberSmart

Main image courtesy of iStockPhoto.com