Despite their prevalence, SMBs have traditionally been under-served when it comes to cyber security options, especially in comparison to what’s available to larger organisations.
Historically, cyber criminal activity has focused on consumers and large enterprises as the most lucrative targets. And while these audiences continue to be a focus, the number of security solutions available to these groups has helped to contain the threat.
However, hackers are always looking for easy targets and SMBs can find themselves falling prey as they typically lack the resources and skill sets necessary to implement effective cyber security programs and policies on their own.
When a cyber attack hits the headlines, business owners might be left thinking ‘I’m glad it wasn’t my business’ or ‘it will never happen to me’. But in reality, the lack of impact is down to Lady Luck rather than anything else.
One of the smartest things a business can do in order to be cyber attack savvy is conduct a full IT health check. Many small businesses do conduct a full health check of their systems after a cyber attack is publicised, but of course at that point, it is too late. And even then, many don’t – according to our research, only 45% will conduct a full IT health check and only after an attack has happened.
With the number of attacks increasing, it is time SMBs conduct these health checks far more frequently and take action if their systems and processes are not up to scratch.
SMBs need to put in place a process for doing this regularly so that they are not just responding to manufacturer update cycles, but proactively checking they and their employees are following best security practices.
It’s time to ‘Check and Change’
Check for security gaps
Every SMB should regularly check four areas of its business to ensure that any security issues have not been overlooked.
The first is the office router. This is the gateway to all the connected devices in your business, and they could be compromised if its password isn’t secure. If an online service your business is using was breached in the past, there is a chance that the password is no longer secure, so it’s important to change the passwords for all connected devices and users.
Secondly, it’s important to apply software updates in a timely fashion as these usually contain security updates. Whether you have two staff or 100 staff, you need to ensure all devices connected to the business networks are updated when software patches are issued.
This includes computers, mobile devices, webcams and connected office equipment such as printers or POS systems. Many devices can run updates overnight so there is no excuse for employees to ‘snooze’ the updates until a more convenient time.
Thirdly, check that you have an up-to-date antivirus solution installed across your network. This will detect and block malware, like ransomware, before it causes any damage. It will also detect and remove threats like keylogging malware which would track any new passwords created by employees. These threats need to be picked up through regular scans from antivirus software to help protect your business.
Finally, it’s important that work-related passwords are hard to crack. Encourage employees to pick a memorable phrase or series of words and tweak it by adding special characters to create unique and complex passwords that include numbers, characters and symbols.
Simple and memorable combinations, such as your name, ‘password’ or ‘1234’, should be avoided. Employees should also be encouraged not to use their personal passwords or personal information to create passwords to prevent the introduction of risk.
Make important changes
Change passwords regularly. Once an SMB has carried out the above assessment, they will also need to set in place a process for changing passwords every two to three months for all devices and employee accounts. Many people don’t realise that changing their passwords regularly could help prevent the most common security issues, such as cyber fraud, online data theft, and hacking.
Implement two-step authentication. If they don’t already have it, SMBs should also change the secure log-on process within their business. Two-step authentication adds an extra security step for logging in to the company network and websites, such as Google Drive.
Employees can use their mobile phone as a second security level so that it receives a code they have to enter, or a physical token to verify their login credentials. This extra step makes it very difficult for someone to access your network.
Finally, set out security practices for all employees to follow. For longer term security, SMBs need to change how they approach security awareness. Implementing proper security practices among employees is vital.
Businesses need to put training programmes in place to educate employees on the most common cyber security threats. Investing in anti-ransomware and anti-phishing training programmes can be a straightforward way to help you and your employees recognise suspicious-looking emails and hidden extensions, which will help reduce the risk of opening a ransomware-infected file.
You should also make sure that you are discussing and updating cyber security policy at least a couple of times a year with your employees.
All of these health check-up steps together will help every SMB get smarter about their own security and prevent them becoming another cyber attack stat.
Arne Uppheim is director of SMB at Avast Business