How to build a cybersecurity strategy for your SME

The number of small businesses is growing. In fact, at the start of 2017, small businesses accounted for 99.3% of all private sector businesses. Yet, with this growth comes the risk of security breaches: these breaches aren’t limited to the major companies.

Photo by Ricardo Gomez Angel on Unsplash

The UK Government announced earlier this year that more than two in five businesses reported a cybersecurity breach in the past 12 months. These data breaches aren’t limited to big brands, and it’s imperative that small businesses are well equipped to deal with the risk of a breach. To quote FBI Director Mueller, “There are only two types of companies: Those that have been hacked and those that will be hacked.”

SMEs face similar challenges to any other type of organization, whether that’s in the form of a brutal cyberattack, phishing attack, or the threat of GDPR fines. That’s why it’s so important for SMEs to implement strategies which at the very best prevent a breach, and in the worse case, minimize the consequences.

One key strategy is security by design. This is a simple concept that allows a business to mitigate or even rectify a breach, and is based on the framework of people, process and technology. Having these elements in place will provide customers with the vital reassurance that the organization is capable of dealing with breaches and is striving to prevent future attacks.

Just like sunscreen and cake, security is best when it’s layered

There are a number of technology solutions available to help SMEs and startups protect their networks as well as their customers’ data. There is no one magic answer, instead a layered approach to security is the best line of defence – think malware detection, email security, encryption, anti-phishing technologies, where you simply assure customers that any emails they receive from your domain is guaranteed to originate from you, not a spoofed account sending out phishing emails. Each level of protection reduces the attack surface and encourages criminals to look elsewhere for softer targets, meaning that each layer provides another boost to the confidence of your customers.

People power

Developers and leadership teams within startups must be able to understand the issues, in order to build layers of security into systems. To do so, education, training and security awareness are three key components. Nevertheless, basic cybersecurity education is vital for all employees and will stress how easy it can be for a breach to take place.  In smaller teams, clear roles must be assigned for those responsible for security in an organization and will thus ensure that the required knowledge and influence is achieved.

Think of cybersecurity as a process

We have to think about cybersecurity as an ongoing process, rather than a checkbox to be ticked off. Implementing security frameworks such as the Information Security Management Systems is a good starting point. Although obtaining this standard is a significant lift, by demonstrating the importance of security to the business, you can’t underestimate the change it can bring to the culture and mindset of a startup. When a full ISO is simply too resource-intensive for a small business, you can take elements from the approach to expand the internal policies: this could be as easy as nominating a security committee to steer the organization or drafting incident response plans.

The GDPR requirements on a data breach are fairly straightforward – the processor notifies the controller and the controller notifies the data subject unless the processor had implemented and applied appropriate technical (encryption) and organizational measures (ISO27001) to make the data unintelligible to unauthorised viewers. This notion of making data ‘unintelligible’ emphasizes the significance of designing systems with security in mind to protect the reputation of your company.

There’s always the possibility of a breach, however rigorous your security is; but what’s most important is how you deal with it publicly in order to reassure customers and regain their trust. Regardless of the nature of a crisis, its well known that transparency and honesty helps to regain trust. Take clear steps to rebuild defences, provide the level of security necessary to avoid future breaches, and you will begin to regain customer confidence in your brand. Ultimately, it’s the SMEs’ responsibility to deliver the level of protection that customers, partners and investors deserve. If not, we risk losing their confidence to larger, established competing brands who are all too often perceived to be the safer option.

PUBLISHED BY

Deepak Prabhakara

29 Aug. 2018

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

Mail Check is Changing: What UK public sector organisations must know about…

Jack Lilley

The National Cyber Security Centre (NCSC) has suggested a change to Mail Check services starting on 24 March 2025. This change mainly involves ending DMARC aggregate reporting. This change comes as a measure to expand the services provided by Mail Check to any UK based organisation, while also limiting the cost and complexity of…

Read more
DMARC

Beyond DMARC: How Red Sift OnDMARC supports comprehensive DNS hygiene

Red Sift

Registrable domains and DNS play a crucial role in establishing online identity and trust, but their importance is often taken for granted. During new service setups, record updates are often overlooked, accumulating outdated entries. As infrastructure teams become increasingly overstretched,  services may be incorrectly shut down without proper cleanup, leaving behind a sprawl of…

Read more
DKIM

First look at DKIM2: The next generation of DKIM

Red Sift

In 2011, the original DomainKeys Identified Mail (DKIM1) standard was published. It outlined a method allowing a domain to sign emails, enabling recipients to verify that the email originated from an entity holding a private key that matches the public key published in the domain’s DNS records. Now in 2024, DKIM is ready for…

Read more
Security

Securing our world: For a safer internet

Jack Lilley

October is Cybersecurity Awareness Month, a time for industries to unite in promoting digital security within today’s complex landscape. Bad actors are leveraging increasingly sophisticated methods—such as email phishing and Business Email Compromise (BEC)—to exploit vulnerabilities, impersonate legitimate contacts, and access sensitive information. CISA Director Jen Easterly advises us to “always think before you…

Read more