How to build a cybersecurity strategy for your SME

The number of small businesses is growing. In fact, at the start of 2017, small businesses accounted for 99.3% of all private sector businesses. Yet, with this growth comes the risk of security breaches: these breaches aren’t limited to the major companies.

The UK Government announced earlier this year that more than two in five businesses reported a cybersecurity breach in the past 12 months. These data breaches aren’t limited to big brands, and it’s imperative that small businesses are well equipped to deal with the risk of a breach. To quote FBI Director Mueller, “There are only two types of companies: Those that have been hacked and those that will be hacked.”

SMEs face similar challenges to any other type of organization, whether that's a brutal cyberattack, a phishing attack, or the threat of GDPR fines. That's why it's so important for SMEs to implement strategies which, at best, prevent a breach and, in the worst case, minimize its consequences.

One key strategy is security by design. This is a simple concept that allows a business to mitigate or even rectify a breach, and is based on the framework of people, process and technology. Having these elements in place will provide customers with the vital reassurance that the organization is capable of dealing with breaches and is striving to prevent future attacks.

Just like sunscreen and cake, security is best when it’s layered

There are a number of technology solutions available to help SMEs and startups protect their networks as well as their customers' data. There is no one magic answer; instead, a layered approach to security is the best line of defence. Think malware detection, email security, encryption and anti-phishing technologies, the last of which let you assure customers that any email they receive from your domain is guaranteed to originate from you, not from a spoofed account sending out phishing emails. Each level of protection reduces the attack surface and encourages criminals to look elsewhere for softer targets, so each layer provides another boost to the confidence of your customers.

People power

Developers and leadership teams within startups must be able to understand the issues in order to build layers of security into systems. To do so, education, training and security awareness are three key components. Beyond the technical teams, basic cybersecurity education is vital for all employees and will stress how easily a breach can take place. In smaller teams, clear roles must be assigned to those responsible for security in the organization, which ensures that the required knowledge and influence are in place.

Think of cybersecurity as a process

We have to think about cybersecurity as an ongoing process, rather than a checkbox to be ticked off. Implementing a security framework such as an Information Security Management System (ISO 27001) is a good starting point. Obtaining this standard is a significant lift, but by demonstrating the importance of security to the business it can bring a change to the culture and mindset of a startup that shouldn't be underestimated. When a full ISO certification is simply too resource-intensive for a small business, you can take elements from the approach to expand your internal policies: this could be as easy as nominating a security committee to steer the organization or drafting incident response plans.

The GDPR requirements on a data breach are fairly straightforward: the processor notifies the controller and the controller notifies the data subject, unless the processor has implemented and applied appropriate technical (encryption) and organizational (ISO 27001) measures to make the data unintelligible to unauthorised viewers. This notion of making data 'unintelligible' emphasizes the significance of designing systems with security in mind to protect the reputation of your company.

There's always the possibility of a breach, however rigorous your security is, but what matters most is how you deal with it publicly in order to reassure customers and regain their trust. Regardless of the nature of a crisis, it's well known that transparency and honesty help to regain trust. Take clear steps to rebuild defences and provide the level of security necessary to avoid future breaches, and you will begin to regain customer confidence in your brand. Ultimately, it's the SME's responsibility to deliver the level of protection that customers, partners and investors deserve. If not, we risk losing their confidence to larger, established competing brands that are all too often perceived to be the safer option.


Deepak Prabhakara

29 Aug. 2018
