What are the mistakes to avoid in companies and startups regarding cyber security? We show 7 areas where SMEs are vulnerable to cyber criminals and where you can easily do something about it.
SMEs often lack effective strategies for end-to-end cyber security. Cyber criminals are aware of this fact, which is why SMEs have become the most popular target for cyberattacks. Many companies are aware of the potential dangers posed by these cyber risks. But many SMEs are unaware of the security vulnerabilities that exist in their own corporate IT.
7 mistakes that indicate a lack of cyber security in SMEs
Risk 1: Lack of network protection
The access points to the IT network and the interfaces to the Internet are not protected in SMEs.
All IT in SMEs is networked: servers, printers, scanners, desktops, notebooks, smartphones as well as external systems from suppliers or partners are interconnected. Countless connections run over the Internet or access Internet-based applications. But it is precisely on the Internet that a multitude of threats to corporate cyber security lurk. The SME exposes itself to high risks if it does not sufficiently protect the interfaces to its IT network and to the Internet.
To prevent unwanted data traffic or unauthorized access, data traffic at the various interfaces must be permanently monitored and controlled. SMEs must therefore have correctly configured and regularly maintained security solutions such as firewalls and proxy servers. This also includes intrusion detection and intrusion prevention systems.
Risk 2: Missing updates
Operating systems, applications, virus scanners and firewalls are not up to date.
Cybercriminals use vulnerabilities in hardware, software, operating systems or applications to attack corporate IT. The manufacturers of these IT components monitor the threat situation closely. If they discover new security gaps, they provide patches and updates for their products to close the vulnerabilities. Many SMEs, however, apply these updates only after a long delay or not at all. This creates a dangerous cyber risk, because attackers count on SMEs not having installed the current security updates. This makes it easy for them to install their malware, such as viruses or ransomware, in order to inflict damage on the company’s IT.
The updates from the manufacturers only have their protective effect if the SME applies them to its systems promptly. In particular, client systems and servers must be equipped with current virus scanner versions so that they recognize the latest malware signatures.
Risk 3: No or sporadic backups
Backups of relevant company data do not take place on a regular basis.
Data loss can be painful for an SME. If data is lost, many hours of work have been in vain, or operational processes that are important for daily business can no longer be carried out. The consequences range from loss of revenue and delays in important projects to damage to the company’s reputation or liability claims from aggrieved customers.
Many incidents can lead to data loss:
- Natural hazards: fire, floods, storms or earthquakes
- Hardware and software crashes
- Hardware failures
- Attacks by hackers
- Malware such as ransomware, viruses, worms or Trojans
- Incorrect operation of systems by employees
- Accidental alteration or deletion of data
Data is part of the company’s important working capital. Therefore, it must be protected against loss, theft or destruction. In particular, this means that companies must back up their data regularly and correctly. Only then are they protected against data loss. In addition, they should also continuously store the relevant data at defined, not too long intervals on external backup media outside the company premises. In this way, the SME is also protected against data loss in the event of natural hazards such as a fire in the company building.
Comprehensive and careful backup planning is also important so that all important folder structures, directories and files are backed up. In addition, regular monitoring of the data backup processes is important – this can be used to identify backup errors or missing backups due to incorrect settings.
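One way to automate the backup monitoring described above, as an added example that is not part of the original article: the check flags backup sets that are missing, older than the defined interval, unreadable, or lacking an expected folder. The archive naming scheme, the set and folder names and the 24-hour interval are assumptions made for the illustration.

```python
import io, os, tarfile, tempfile, time
from pathlib import Path

def audit_backups(backup_dir, required, max_age_hours=24, now=None):
    """Return (backup_set, problem) findings; an empty list means all checks passed.
    `required` maps a backup-set name to the top-level folders its archive must
    contain. Archives are assumed to be named <set>-*.tar.gz (example convention).
    """
    now = time.time() if now is None else now
    findings = []
    for name, folders in required.items():
        archives = sorted(Path(backup_dir).glob(f"{name}-*.tar.gz"),
                          key=lambda p: p.stat().st_mtime)
        if not archives:
            findings.append((name, "missing"))
            continue
        newest = archives[-1]
        if (now - newest.stat().st_mtime) / 3600 > max_age_hours:
            findings.append((name, "stale"))
        try:  # a zero-byte or truncated file means the backup job failed
            with tarfile.open(newest) as tar:
                top = {m.name.removeprefix("./").split("/")[0] for m in tar.getmembers()}
        except (tarfile.TarError, EOFError, OSError):
            findings.append((name, "unreadable"))
            continue
        findings += [(name, f"folder not backed up: {f}") for f in folders if f not in top]
    return findings

def demo():
    """Run the audit over a constructed backup directory (sample data only)."""
    def make(path, folders, age_hours=0):
        with tarfile.open(path, "w:gz") as tar:
            for folder in folders:
                info = tarfile.TarInfo(f"{folder}/file.txt")
                info.size = 4
                tar.addfile(info, io.BytesIO(b"data"))
        past = time.time() - age_hours * 3600
        os.utime(path, (past, past))
    with tempfile.TemporaryDirectory() as d:
        make(f"{d}/finance-20240101.tar.gz", ["accounting"])           # contracts forgotten
        make(f"{d}/mail-20240101.tar.gz", ["mailboxes"], age_hours=72)  # job stopped running
        Path(d, "crm-20240101.tar.gz").touch()                          # job wrote nothing
        required = {"finance": ["accounting", "contracts"], "mail": ["mailboxes"],
                    "crm": ["database"], "hr": ["personnel"]}
        return audit_backups(d, required)

if __name__ == "__main__":
    for backup_set, problem in demo():
        print(f"{backup_set}: {problem}")
```

Run on a schedule, a non-empty result is the signal to investigate before the backup is actually needed.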
Risk 4: WLAN not secure
The WLAN does not meet current security standards.
The wireless network (WLAN) enables users to easily access corporate IT with their mobile devices such as notebooks, smartphones or tablets. In industrial companies, it also wirelessly integrates production machines and components into processes. If the WLAN in the SME does not meet current security standards, it serves as an open gateway for cybercriminals.
To prevent malware from entering the company’s IT system via the WLAN or to prevent hacker attacks, WLAN access points must be equipped with the latest security standards. This includes encryption with a secure standard such as WPA2, separation of WLAN access for guests from the actual company network, secure authentication of authorized users via the company’s own server structure, or identification of fraudulent access points (rogue access points).
Risk 5: Lack of personnel training
Staff is not sensitized to cyber security.
If your own employees lack IT risk awareness, they pose a considerable potential threat. Through careless misconduct, they can, knowingly or unknowingly, severely compromise IT security in SMEs.
Employees must be familiar with attack methods such as social engineering or phishing and be able to deal with them in a risk-conscious manner. They should also know what precautions to take with e-mail attachments or external software. They must be familiar with the company’s IT security guidelines and should know and be able to apply the criteria for a secure password. SME employees must therefore be trained at regular intervals on the potential cyber risks and the importance of cyber security.
Risk 6: No disaster recovery plan
No disaster recovery plan exists in the SME.
If a disaster recovery plan is missing in the SME, the continuation of business operations is at risk in the event of an IT failure. A recovery plan describes all the necessary activities that need to be implemented in the event of an emergency in order to ensure that the IT is ready for operation again – if necessary with an emergency operation for the initial phase. It also names the responsible persons and the disaster recovery team. With a disaster recovery plan, the SME creates important prerequisites for being able to quickly resume daily business after an IT failure and to keep any losses to a minimum. A well-prepared SME tests its defined recovery processes with periodic emergency exercises.
Risk 7: Lack of IT security responsibilities
There are no clear responsibilities for IT security in the SME.
In the absence of clearly assigned responsibilities for cyber security in SMEs, IT security cannot be guaranteed in the medium and long term.
Effective protection of IT requires that the responsibilities and accountabilities for IT security are clearly defined within the company or via external IT partners. The responsible persons must ensure that IT specialists continuously monitor the systems and derive immediate measures from the weaknesses identified. The responsible persons organize the control of the implementation of the security measures and the regular review of the guidelines for the access authorization of the employees. They nominate a disaster recovery team that creates an effective recovery plan, tests it regularly and updates it on an ongoing basis.
Concluding remarks on cyber risks in SMEs
If SMEs identify one or more of these flaws in themselves, their cyber security is at risk. Each additional day with an IT vulnerability increases the likelihood of a cyberattack. The SME should therefore act quickly when risks are identified or suspected. If the company lacks its own resources due to its size, external IT partners specializing in SMEs can provide support. Competent providers of managed IT services, for example, have comprehensive expertise in all aspects of IT security.
Author: Philipp Hollerer, CEO of care4IT.ch GmbH