How to build a cybersecurity strategy for your SME

The number of small businesses is growing. In fact, at the start of 2017, small businesses accounted for 99.3% of all private sector businesses. Yet, with this growth comes the risk of security breaches: these breaches aren’t limited to the major companies.

Photo by Ricardo Gomez Angel on Unsplash

The UK Government announced earlier this year that more than two in five businesses reported a cybersecurity breach in the past 12 months. These data breaches aren’t limited to big brands, and it’s imperative that small businesses are well equipped to deal with the risk of a breach. To quote FBI Director Mueller, “There are only two types of companies: Those that have been hacked and those that will be hacked.”

SMEs face similar challenges to any other type of organization, whether that’s in the form of a brutal cyberattack, phishing attack, or the threat of GDPR fines. That’s why it’s so important for SMEs to implement strategies which at the very best prevent a breach, and in the worse case, minimize the consequences.

One key strategy is security by design. This is a simple concept that allows a business to mitigate or even rectify a breach, and is based on the framework of people, process and technology. Having these elements in place will provide customers with the vital reassurance that the organization is capable of dealing with breaches and is striving to prevent future attacks.

Just like sunscreen and cake, security is best when it’s layered

There are a number of technology solutions available to help SMEs and startups protect their networks as well as their customers’ data. There is no one magic answer, instead a layered approach to security is the best line of defence – think malware detection, email security, encryption, anti-phishing technologies, where you simply assure customers that any emails they receive from your domain is guaranteed to originate from you, not a spoofed account sending out phishing emails. Each level of protection reduces the attack surface and encourages criminals to look elsewhere for softer targets, meaning that each layer provides another boost to the confidence of your customers.

People power

Developers and leadership teams within startups must be able to understand the issues, in order to build layers of security into systems. To do so, education, training and security awareness are three key components. Nevertheless, basic cybersecurity education is vital for all employees and will stress how easy it can be for a breach to take place.  In smaller teams, clear roles must be assigned for those responsible for security in an organization and will thus ensure that the required knowledge and influence is achieved.

Think of cybersecurity as a process

We have to think about cybersecurity as an ongoing process, rather than a checkbox to be ticked off. Implementing security frameworks such as the Information Security Management Systems is a good starting point. Although obtaining this standard is a significant lift, by demonstrating the importance of security to the business, you can’t underestimate the change it can bring to the culture and mindset of a startup. When a full ISO is simply too resource-intensive for a small business, you can take elements from the approach to expand the internal policies: this could be as easy as nominating a security committee to steer the organization or drafting incident response plans.

The GDPR requirements on a data breach are fairly straightforward – the processor notifies the controller and the controller notifies the data subject unless the processor had implemented and applied appropriate technical (encryption) and organizational measures (ISO27001) to make the data unintelligible to unauthorised viewers. This notion of making data ‘unintelligible’ emphasizes the significance of designing systems with security in mind to protect the reputation of your company.

There’s always the possibility of a breach, however rigorous your security is; but what’s most important is how you deal with it publicly in order to reassure customers and regain their trust. Regardless of the nature of a crisis, its well known that transparency and honesty helps to regain trust. Take clear steps to rebuild defences, provide the level of security necessary to avoid future breaches, and you will begin to regain customer confidence in your brand. Ultimately, it’s the SMEs’ responsibility to deliver the level of protection that customers, partners and investors deserve. If not, we risk losing their confidence to larger, established competing brands who are all too often perceived to be the safer option.

PUBLISHED BY

Deepak Prabhakara

29 Aug. 2018

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Cybersecurity

Your guide to the SubdoMailing campaign

Billy McDiarmid

A significant number of well-known organizations have been attacked as part of what’s being called the SubdoMailing (Subdo) campaign that has been going on since at least 2022, research by Guardio Labs has revealed.   The scale of execution of this attack is staggering, and the impact is hugely damaging, but the goal is simple…

Read more
Certificates

A confident deployment guide for TLS and PKI

Ivan Ristic

Our journey to better network transport security has been quite the ride, filled with ups and downs. Back in the ’90s, when SSL and the Netscape browser were just taking off, things were pretty hard. We were dealing with weak encryption, export restrictions on cryptography, and computers that couldn’t keep up. But over the…

Read more
DMARC

Red Sift OnDMARC: The best Agari alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Agari DMARC Protection that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Agari and Red Sift OnDMARC – one of the most popular Agari alternatives on the market.  Red Sift OnDMARC overview Red…

Read more
DMARC

Red Sift OnDMARC: The best Valimail alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Valimail that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Valimail and Red Sift OnDMARC – one of the most popular Valimai alternatives on the market.  Red Sift OnDMARC overview Red Sift OnDMARC…

Read more