SME’s are a prime target for cybercrime.
They have reduced expertise, minimal money, and an attitude, we are too small to be a target, that leaves them wide open to a cyber event.
Our industry, the people who know and think we understand the bad guys have been pushing for an attitude change for the last 10 years. In a large number of ways, we have failed, especially in the SME space.
In some, we have failed significantly.
By the time we get called in, after a cyber event, it is way too late.
To late to recover, too late to respond and definitely too late, in a number of organisations, to get back to business as normal.
Most SMEs, after a cyber event and especially after a ransomware attack, have but 3 choices,
- pay the ransom,
- recover from backup and hope you have a decent backup (a decent, tested backup is vital, no matter the situation)
- or go out of business.
Here are 3 cybersecurity strategies that every SME should implement to be more secure and avoid that devastating cyber event.
Increased awareness of business security in a workplace is vital in today’s business world.
Not many businesses know where to go to get that training.
Training needs to be done as an ongoing process.
Once or twice a year is inadequate. But training and education has to be easy, bite-size pieces, easily digested, easily implemented and easily followed.
In addition to ongoing training, you also need to incorporate business security into your onboarding process to instill the required cultural elements into new people on staff.
Want some free cybersecurity training, here is something that will definitely help
Risk management and gap analysis
SME’s have a limited understanding of the new risks delivered to the business via our digital components.
The game has changed significantly in the last 10 years and we, as small and medium businesses, are constantly playing catch-up.
We are significantly hampered and handicapped by the impact and scale of our digital usage.
It is everywhere, used in every component and used all of the time.
To understand the risks without understanding the systems you need some help.
Here is some help for you.
With the report, you can now implement a gap analysis and work out what you need to do to increase security around your organisation.
The report also ties in well with:
Implemented a framework
If you are looking for a better way to manage security within your Organisation, you need to look no further than a framework.
A framework is a documented system that allows an organisation to follow the bouncing ball and tighten up the security in a regimented way.
The more the components of the framework are implemented the more secure and mature the organisation.
Frameworks are easy to follow and implement and the one I recommend is the National Institute of Standards and Technology (NIST) cybersecurity framework.
Answer the 98 questions, honestly, and you now have a road map to implement cybersecurity in a significant way.
The NIST cybersecurity framework also gives you a number.
Between 0 – 4, it can be used as a comparison between businesses, supply chain components, and government departments so you can do business with like-minded organisations.
What can SME’s do?
It is not too late to implement any of these strategies. The bad guys are getting more and more clever, so time is running out.
They are targeting everyone who is connected to the digital world, the internet, with more sophisticated systems, a number of them are now fully automated.
Some of those automated systems have minimal human involvement after the initial set up.
From initial social engineering attack, all the way through to payment of ransom everything is automated and driven by machine learning.
Every SME should be implementing a training and education process, doing a risk and gap analysis and implementing a cybersecurity and business security framework.
With that everything else will follow.
The business will be more stable, the culture of the organisation will change and getting back to business as normal after an attack can be significantly easier.
The impact of a cyber event for an organisation implementing these 3 components or not is significant.
If you haven’t implemented these 3 strategies in the last 12 months, 2 years or 5 years then 2020 is going to be a bad year.
But it’s not too late.