Cybersecurity basics: a guide to how SMEs can protect themselves

In 2019, the World Economic Forum declared cybersecurity to be one of the top ten things likely to threaten businesses in the future. However, for many businesses, cybersecurity can often seem confusing, complex, and a task that does not easily sit with any single role in the business. With a significant volume of information available on the internet already, knowing which path to take, where to allocate resource and when to invest money can be a challenge.

What is cybersecurity and why is it vital?

Cybersecurity, when considered in its simplest form, is the practice of protecting systems and networks from digital-based attacks. When attacks happen they are usually aimed at removing or changing information or disrupting working processes, and they are not always focused on large organisations. In the last year, almost half of all British businesses have suffered a cyberattack.

Cybersecurity is a vital consideration regardless of the size of the business, the sector it operates in or the products a business sells. However, if this is the case, why do so many businesses struggle to implement a cybersecurity plan that works for their organisation?

Some of the biggest challenges SMEs face when considering cybersecurity are:

• Understanding and keeping up with cybersecurity jargon can feel like a full-time job: terms like malware, phishing, Trojan horse, worm, pen-testing, botnet, and BYOD (Bring Your Own Device) can be confusing and off-putting when trying to upskill in this area. Alongside keeping up to date with the terms, trying to approach an advisor or a third-party security provider can be a challenge when you may not fully understand their advice (which in turn may lead to unnecessary or incorrect investments).

• Understanding how cybercrime happens isn’t straightforward and can be confused by what is reported in the media: whilst cybercrime is frequently portrayed as a complex process in films and televisions, the reality is that 90% of cybercrime happens via email. Understanding the likely points of attack for a business can be challenging without a clear understanding of the different types of attack your business may be subjected to.

• Lack of ownership for cybersecurity in the business: frequently, businesses consider cybersecurity to be the responsibility of the IT manager, when in fact cybersecurity is a business risk not a technology issue.

• Assuming cybersecurity requires significant investment: getting the basics right frequently relies more on education and staff buy-in than it does on investing in an elite cybersecurity fighting squad to manage your risk.

Next steps to protect your business from cybercrime

Whilst not a complete to-do list, the following steps provide easy guidance on where to start when considering cybersecurity:

• Spend time reviewing business practices to understand the areas that could be at risk: do you store customer data, how, and how is it protected? Without understanding the current picture it can be hard to make the necessary amendments. Try and put yourself in the mindset of a hacker and do not forget: humans are a target too. Hackers will frequently try the path of least resistance, which may be through the email account of a staff member. Training staff can be one of the cheapest and quickest ways to reduce cybersecurity risk.

• Become familiar with the National Cyber Security Centre: the NCSC provides advice and guidance on what measures to take that are relevant to how your business works and provides specific advice on topics like phishing, devices and personal data. Alongside this, the NCSC offers the Cyber Essentials programme; a government-backed scheme that allows you to conduct a self-assessment of your current practices. It reassures customers that you are working to secure your business against cyberattacks.

• Review industry standards and regulations to understand where you must be actively working to protect systems: GDPR, ISO 27001 and the Cyber Essentials programme are a good place to start.

• Start viewing cybersecurity as a part of business operations instead of something that takes extra resource or gets in the way of business practices. By incorporating processes, culture change and ensuring compliance is everyone’s responsibility it will become part of daily life in your business.

• Sign up to alerts from recognised advice services to stay up to date on threats locally and nationally. The Action Fraud Centre is the national centre for reporting cybercrime and collects data and shares update reports.

• Take advantage of local schemes such as the Greater Manchester Cyber Foundry. These schemes are typically set up to support SMEs, are free of cost and frequently provide both guidance and technical support.

• Finally, make it clear at all levels that cybersecurity is everyone’s responsibility. Not only will this help embed good practice across the business as part of daily operations, but it will ensure everyone remains vigilant and is aware of the role they play in protecting your business.

Whilst the points above provide the advice on the first steps, GC Business Growth Hub can support you throughout your cybersecurity journey, helping ensure your business is protected. Contact us today to get started.