How SMEs can ensure cyber security

Many SMEs depend on their size to protect them from cyber criminals, assuming that hackers will only target large companies. But this is not the case.

Companies of all sizes are frequently targeted by competitors seeking an unfair advantage, by criminals who steal sensitive data and hold businesses to ransom, by malicious former employees, or even by nation state actors.

Organisations of any size are also susceptible to phishing emails, which are sent out indiscriminately to millions of individuals and businesses every day to solicit passwords and other secure information.

Even if you do not suffer a financial loss in a data breach or ransomware attack, such an incident could still shut down your operations, lead to data corruption or loss, and damage your business's reputation. It may also leave you open to an investigation and fine from the Information Commissioner's Office (ICO).

It is therefore important to have a system in place to receive, track and store both electronic and paper-based documents. This system should keep records of what has been shared, when and with whom.

Having such as system in place helps prevent sensitive information being accessed by those who should not. Similarly, staff and third parties should only have access to the resources required to do their jobs.

The creation of a common data environment (CDE) that is shared with relevant third parties may be useful on projects.

A CDE allows all involved parties to access the data that you want them to see, but without allowing them access to the rest of the company's data.

Digital equipment can itself be a target for thieves, either for its resale value or the data it holds. Even if the equipment is not intentionally stolen for the data contained, it could nonetheless constitute a breach of the company's duties under the General Data Protection Regulation (GDPR).

Equipment left on site may be less secure than it would be in an office, and may have limited or no connection to the internet. This makes it difficult or impossible to monitor devices if they are not in your possession. Businesses therefore need to be wary of keeping information on site, and check how devices are secured during the day and after working hours.

All details of installation, operation and maintenance should be recorded during the construction stage and handed over to the client or building operator, including details of the measures taken to secure the systems from attack.

Any of these can be vulnerable to attack if not properly secured or isolated from the main building management system. Facilities are often targeted because they tend to be less secure than, but linked to, the system on which more sensitive data is stored. For instance, the US retailer Target was the victim of a cyber attack in 2013 that accessed its payment data through the HVAC system.

The NCSC document outlines seven key measures that should be taken by staff responsible for IT. If you are an SME without a dedicated IT team, though, that responsibility likely falls on you.

Back up your data: Essential information should be regularly backed up in case of damage or an attack on your IT system or premises. Start by identifying the information that is necessary for your business to function and the data you are legally required to protect, such as personal details of staff and clients. Then create a back-up that is separate from your computer system so it cannot be compromised in the event of a data breach. If you are not familiar with backing up data or are unsure what platform to use, the NCSC provides information on these processes in Small business guide: cyber security and Cloud security guidance.

Protect against malware: There are a number of measures that you can take to protect against malware. These include simple processes such as locking your desktop when you step away, which ensures no one can access it, all the way up to the use of antivirus software, firewalls and encryption. The best products for these situations are not necessarily the most expensive and will depend on a number of factors, including who has access to your data, how sensitive that data is, and who you want to exclude.

Keep mobile devices safe: Just as desktop computers should always require a password to access, phones and tablets should have a password, PIN or other locking method to protect your data. Many phones and tablets come with apps installed that can help you track their location, retrieve a back-up and remotely erase the data, all of which are very useful in the event of loss or theft.

Use passwords to protect your data: Ensure that all default passwords are changed to something that is not easy to guess, and use different passwords for different accounts and devices. Two-factor authentication should be activated for services such as email and banking. This requires the user to sign in with their password and also answer their phone or enter a code sent by text. The additional layer of security this provides makes it much more difficult for someone to access data they shouldn't see.

Prevent phishing: SMEs may not have dedicated IT departments to investigate suspicious texts or emails, but some staff may take it on themselves to investigate instead, which can be dangerous as clicking on any links could lead to a cyber breach. Instead, you and your colleagues can relay suspect messages to the NCSC's suspicious email reporting service (SERS), while suspicious texts can be forwarded to 7726 free of charge.

Collaborate with suppliers and partners: Cyber attacks on your suppliers can be as damaging as a direct attack on your business, especially if it leads to your payment processes being compromised as well as the loss of your data or loss of client confidence. Moreover, an attack on a supplier could provide a way into your organisation if you have not implemented a CDE to cordon off information on a project from the rest of your company data. The NCSC suggests that you encourage suppliers to obtain Cyber Essentials certification. This scheme helps companies protect themselves against the most common attacks, and provides assurance to their partners. You can also test your business's readiness to deal with attacks using the scheme's questionnaire.

Prepare for and respond to cyber incidents: It is increasingly likely that every company will be targeted at some point in its lifespan. Developing plans to react to incidents and carrying out training and rehearsals can establish resilience, and ensure that individuals are less likely to panic when something happens. You are legally obliged to report data breaches and other incidents to the ICO, and a full list of such incidents can be found on its website. It is also important that you and your colleagues learn from the incident by reviewing what happened, identifying any mistakes and taking action where necessary to prevent it happening again.

RICS provides advice on client relationships and data handling which you can read here.  

Regardless of whether you are a sole trader or a large company, you have a duty to protect the data your business stores, and to keep both your records and your security up to date.