Business Basics: The cybersecurity fundamentals SMEs should have in place

Safeguarding your organisation is an essential element when it comes to running an SME. Jonathan Whitley talks security best practices in our latest instalment of Business Basics.

10 June 2019

Each month, we feature insights and advice from industry experts on the all-important issues that could give small businesses the essential growth they need to progress to the next level.

For this month’s instalment, we’re talking to Jonathan Whitley, Director for Northern Europe at WatchGuard, a business focused on developing security solutions for SMEs. With a wealth of experience and knowledge on the subject, Jonathan touches on everything from cloud-based capabilities to protecting against hackers in the process of strengthening any SME’s cybersecurity.  

SMEs differ from bigger businesses in many ways, but is there any overlap between the two when it comes to cybersecurity concerns? 

Compliance has always been a headache for larger businesses, but as smaller organisations increasingly embrace technology this brings with it more regulations such as PCI (Payment Card Industry) and GDPR (General Data Protection Regulation). Hoping the problem will go away is really not an option, as the penalties for non-compliance are too great.

Then, if we look at more complex malware, ransomware, etc., these used to be a problem for large networks, but in recent years the ease with which this type of malware can be created has made this as much of a problem for small and midmarket players.

What simple, cost-free measures can an SME take to immediately strengthen its security?

Ensure there is an acceptable use policy within your company; make sure your users understand what it is, why it is there, and that they’re educated on the basics of what they can do to keep safe. There are lots of free resources available online from cybersecurity companies – including our own resource, Secplicity.

Employee education should cover things like: 

  • Phishing: the basics of what it is, and how to spot an attack. Always be suspicious.
  • Passwords: best practices on storage, re-using them and how to make them stronger.
  • Wi-Fi security: the types of networks you should not connect to.

Also, consider things like ensuring your corporate Wi-Fi is separate from your guest Wi-Fi. Plan for the worst as well: accept that your network may become compromised, and look at what you can do to limit the damage. Things like effectively segmenting your network will help with this, for example.

How can a small business make its employees more aware of web safety and ensure that it’s maintained in the mid-to-long term?

People can sometimes be the weakest link in any security setup, so give them enough knowledge so they can be an asset.

When selecting the IT providers you work with, check they’re cybersecurity specialists who can provide some training on the basics of what needs to be done. Make sure your provider has the accreditations on the solutions they manage and maintain an ongoing relationship with them, so they keep you up to speed. 

There are multiple layers of security products that should be deployed, so where appropriate ensure that the solutions offer a level of education. For example, with anti-phishing solutions, the user might be directed to an educational web page that will help inform the user of the risks of phishing attacks. In the long run, this will be much more useful than a simple ‘blocked’ warning. 

How important is a formal security strategy for a small business? Is it something all SMEs should take time creating? 

Having a security strategy for any size of business is important; spending the time on it now could save the business in the future. Any kind of cyber breach has the potential to cost hundreds of thousands of pounds, from GDPR fines, brand damage and any remediation work.

Many small businesses simply could not afford the costs associated with recovering from damage caused by a major breach, so it’s critical for all businesses to have a security strategy in place.  

If your business allows remote working, what can be done to maintain security and protection when transmitting sensitive data?

Firstly, have a strong MFA (Multi-Factor Authentication) solution on your machine. This will ensure that access to the machine is secure in case it is lost, stolen or your passwords have been compromised. To further protect against these issues consider using a secure access portal. This will minimise the amount of information stored on your machine. 

Be mindful of the Wi-Fi networks employees are using if they work remotely; can you be sure that these have not been compromised? If not, discourage employees from using them since they could be bogus.

Consider setting up a VPN (Virtual Private Network) client for remote workers too; encrypting any data that you transfer will in most cases make it highly unlikely that it can be accessed. Following good practices means off-premise workers are no more at risk than office workers.


What can a business do to ensure it stays protected against threats such as hackers and malware?

A firewall will not only protect the network by utilising multiple solutions, but it will also provide an end user client that will correlate network traffic with the endpoint, allowing you to be protected against zero-day threats and ransomware, for example. This along with strong authentication can be the best solution.

Businesses should also consider how their security is managed. Over the last year, we’ve seen midmarket customers increasingly looking for a partner who will not only recommend but also provide a managed security service. A managed service for midmarket businesses is often the best solution as these customers typically do not have security specialists in-house. Businesses should seriously consider leveraging the expertise offered by accredited MSPs. 

What benefits are there to using a cloud-based security program? Are there any drawbacks businesses should know about?

The cloud can be a great tool, keeping total cost of ownership down and performance up. For example, there are cloud-based security tools that instantly turn raw network data into visible and actionable security intelligence – in the big data visualisation style today’s users have come to expect.

But as your cloud data is hosted in a third-party environment, it is important to check the data is being stored and managed appropriately and access is secured to meet compliance requirements and your business needs.

Massive thanks to Jonathan for his insights. If you found his advice helpful, please check out some more of our related Business Basics guides and Q&As below:

The views, opinions and positions expressed within this article are those of our third-party content providers alone and do not represent those of Gazprom Energy. The accuracy, completeness and validity of any statements made within this article are not guaranteed. Gazprom Energy accepts no liability for any errors, omissions or representations.

 

