10 ways SMEs can prevent cyberattacks
Richard Anning, Head of IT Faculty at ICAEW, discusses how the digital age has brought the world closer in trade, innovation and accountability but has opened it up to new and dangerous threats that do not recognise international borders.
Cyberattacks are becoming increasingly sophisticated and are affecting nearly all large organisations around the world. The GCC region is no exception. Cyberattacks are escalating and, in some countries, they are above the global average. According to the undersecretary of the Ministry of Interior in Kuwait, the incidence of cybercrime in the country rose by 170 per cent from 2015 to 2016. In the UAE, cybercrime increased by 23.5 per cent year-on-year in 2015, according to the Dubai police. In Saudi Arabia, meanwhile, 58 per cent of the population has experienced cybercrime, a rate 10 percentage points above the global average.
All firms are vulnerable to cyberattacks, regardless of size. SMEs are not immune; any data breach or incident could have a devastating impact on business operations and the company’s reputation. There is a common misconception that SMEs are rarely a target for hackers because of their smaller size and lack of valuable data. However, all data and information are of value to cybercriminals.
The good news is that up to 80 per cent of security breaches can be prevented by having basic cyber security management in place. Here are the 10 basic steps to protect your digital assets:
As with any business activity, in computer security it’s crucial to identify what must be done and who will do it. Overall responsibility should rest with a senior manager who has a broad view of all the risks and how to tackle them. Management should identify the information and technology that is really vital to the business and where the big risks lie.
Protect your computers and your network
Malicious activity could come from outside or inside your business. Installing a firewall protects against attacks from outside, for example by hackers or competitors. You can set up (configure) the firewall to allow or prevent certain kinds of activity.
Keep your computers up to date
Suppliers of PCs, software, and operating systems such as Windows frequently issue software updates (patches) to fix minor problems (bugs) or improve security. It’s essential to keep all your computers up-to-date with the latest patches.
Control employee access to computers and documents
Although your computers should be guarded by a firewall, you should still protect user accounts (each person’s ‘identity’ with which they log on to a computer) and sensitive documents with passwords. Passwords should be difficult to guess but memorable, and never written down. Passwords should include a combination of upper and lower-case letters, numbers and symbols, and should not be used across multiple sites. Employees should be required to change passwords regularly. Security software can expire passwords after a set period, so that they have to be changed.
Protect against viruses
Malicious software, or ‘malware’, may not always be as devastating as the headlines suggest, but it can still slow down your systems dramatically, and passing it on to customers could seriously damage your business. Fortunately, there is plenty of protection available. The key with antivirus software is regular updates, which head off new threats.
Extend security beyond the office
Today’s employees often work from home or on the road and use their own laptops, mobile phones, tablets and so on. It is difficult to extend to these situations and devices the same level of security that you can apply to office computers. However, you can reduce risk by requiring that any personal equipment used for work is approved. At a minimum, it should have antivirus software, password protection and, where applicable, a firewall. To protect against unauthorised access to sensitive information when a phone or laptop is mislaid or stolen, it should be possible to delete all the information on it (‘wipe’ it) even when you do not physically have the device. This capability is built into some newer models; software can also be bought to perform remote wiping, but of course this must be installed before the device is lost.
Do not forget disks and drives
Removable disks and drives such as DVDs and USB sticks pose security risks in two ways. They can introduce malware into your computers, and they can be mislaid while containing sensitive information. Ensure that, as far as possible, only disks and drives owned by your business are used with your computers.
Plan for the worst
No system is 100 per cent secure, so it’s worth planning what you’d do if things went badly wrong. First, define what is ‘major’ for you. Establish how you will know that there is a problem. Plan your next steps. Finally, ensure that it’s clear who is responsible for doing what in an emergency. Your plan can be laid out in a document and delivered in training sessions.
Educate your team
Tell everyone in the business why security matters, and how they can help, using training sessions and written policy documents. This will encourage them to follow practices such as regular password changes.
Keep records and test your security
Security is an ongoing process, not a one-off fix. So it’s important to keep clear records. They will help you regularly test all your security measures, and ensure that you have functioning, up-to-date software. Any business is only as secure as its weakest link, and testing will make sure that no weaknesses are overlooked.