Strengthening SME cybersecurity resilience without blowing the budget


SMEs want the best cybersecurity possible, but it’s not always affordable, easy to implement or access.

Adding to the complexity and expense of cyber resilience for SMEs is the fact that many operate in supply chains that interact closely, meaning those that aren’t secure or resilient become “weak links” in the chain.

Raising awareness of the risks that could potentially impact your business can help change behaviour to ensure all staff are “levelling-up” from a security perspective, and improve the security posture for all businesses.

The government’s strategy announcement was a good first step. There are also clear opportunities to take things a step further and partner with others in the security industry to increase cybersecurity awareness.

With the digital environments and platforms we have available, there is a massive opportunity to execute such a campaign at scale in a fun, interesting, gamified fashion to encourage businesses and people to ‘level-up’ their risk scores.

In order for SMEs to succeed and be fully cyber resilient, there is a clear need for more incentives to be rolled out. Just as critically, there are also a number of other measures that SMEs themselves can take to improve their cyber defences, without necessarily breaking the bank.

Training

Technology alone won’t cut it. It must be augmented with a human firewall. Often your biggest threat can come from inside your team, but not in a malicious way. About 90 per cent of ‘insider threats’ come from employees who just aren’t security savvy. They’re busy people focused on their current priorities – laundry, their day jobs, taking care of their kids. Without realising it, they’ve clicked on a malicious link or attachment, or have replied to an email impersonating one of their genuine contacts and now have shared potentially sensitive information with that individual.

While there’s a cost involved, training doesn’t have to break your budget. Investing a bit now is much cheaper than losing sensitive information, funds, and/or access to your systems. View it as putting a fence at the top of the cliff instead of paying for the ambulance at the bottom.

Engage external advice

Most small business owners aren’t IT security experts, so they may be content to protect their business with an internet security package from the local electronics store. In this new work-from-home world, this is unlikely to cut it.

External experts analyse IT infrastructures every day. Just as you’d use an accountant for tax and a solicitor for legal matters, treat cybersecurity in the same fashion and get expert advice.

Audit

A security audit can identify where the weak links and back doors are. This enables you to focus your spend where it is needed, rather than wasting money on the wrong technology or missing a gap in your security infrastructure that costs a lot more to fix down the track.

BYOD

BYOD can help SMEs reduce costs but those devices need to be secured, so you need to have checks in place to verify that all network-connected devices meet your minimum security standards. This is where a virtual private network (VPN) is absolutely critical.

Refresh

Cybersecurity isn’t set-and-forget. Software updates are essential, as is regular staff refresher training and new employee onboarding training. It’s easy to get lax, especially in a pandemic era where you have little or no face time with your team.

By investing early on in prevention, SMEs can save a lot of heartache in the long run scrambling for a cure.

Garrett O’Hara, Principal Technical Consultant, Mimecast Australia