SMEs (small and medium-sized enterprises) tend to be the hardest hit by cyber attacks – and they only have themselves to blame.
A 2018 InsuranceBee survey found that 83% of organisations didn’t have any money reserved to recover from a cyber attack, and a quarter were unaware that security incidents had significant financial consequences.
Even more frustratingly, 52% of organisations didn’t think this was a problem, because they considered it unlikely that they would be the victim of a cyber attack. Another 6% were confident that they would never be hit.
Let us be clear: your organisation will be breached sooner or later. There are simply too many cyber criminals and too many vulnerabilities to make your organisation impenetrable. SMEs must do a better job protecting their personal data or breaches will continue.
Why SMEs are targeted
More often than not, cyber criminals target vulnerabilities rather than specific organisations, meaning your susceptibility has nothing to do with your size or reputation and everything to do with your level of security.
So it’s not as though there’s something inherently attractive about SMEs to cyber criminals; it’s that they tend to be the easiest organisations to break into.
Although SMEs may feel that their information has little value to criminals, that’s not the case. Most organisations possess personal data – whether that’s names, addresses, financial information or something else – which can be used to commit fraud or sold on the dark web.
How are SMEs being hacked?
There are no special techniques that cyber criminals use to target SMEs. Most attacks are conducted using common techniques such as phishing, in which scammers imitate a legitimate communication and ask the recipient to click a malicious link or download an infected attachment.
Phishing attacks are often used to deliver ransomware, which encrypts files or locks users out of their systems until a ransom is paid, often in bitcoin. Experts generally urge organisations not to pay: there is no guarantee that the criminals will hand over a working decryption key, paying does nothing to remove whatever access they used to get in, and every payment helps fund the next attack.
Infected organisations should instead isolate the affected machines, rebuild them from a known-clean image and restore their data from backups taken before the infection, having first checked that the backups were not reachable from the compromised systems and have not been encrypted too.
Another way SMEs are breached is through password attacks. Cyber criminals don't need to find a software vulnerability if they can simply log in: brute-force and dictionary attacks guess weak passwords, and credentials stolen elsewhere are reused directly.
The second route is much easier than it sounds, because so many of us use simple, easy-to-guess passwords or reuse the same credentials for multiple sites. When one organisation's database is breached, criminals take the leaked email and password combinations and try them against other sites (known as credential stuffing), so a password shared between a personal account and a work account puts the work account at risk. Multi-factor authentication, unique passwords kept in a password manager, and lockout or rate limiting on login pages blunt all of these attacks.
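As an added illustration (not part of the original article), the script below shows how the two patterns look in an authentication log and how a defender can tell them apart: a brute-force attack hammers one account, whereas credential stuffing tries many accounts once each and slips past per-account lockout. The log format, usernames and IP addresses are constructed for the example; adapt the regular expression to whatever your own systems log.

```python
"""Flag brute-force and credential-stuffing patterns in an authentication log.

Added example, not from the original article. The log format (ISO timestamp,
OK/FAIL, user=..., ip=...) is an assumption made for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example (not real data).
SAMPLE_LOG = """
2018-09-03T08:00:01 FAIL user=alice ip=203.0.113.5
2018-09-03T08:00:03 FAIL user=alice ip=203.0.113.5
2018-09-03T08:00:05 FAIL user=alice ip=203.0.113.5
2018-09-03T08:00:07 FAIL user=alice ip=203.0.113.5
2018-09-03T08:00:09 FAIL user=alice ip=203.0.113.5
2018-09-03T08:00:11 FAIL user=alice ip=203.0.113.5
2018-09-03T08:10:00 FAIL user=bob ip=198.51.100.7
2018-09-03T08:10:01 FAIL user=carol ip=198.51.100.7
2018-09-03T08:10:02 FAIL user=dave ip=198.51.100.7
2018-09-03T08:10:03 FAIL user=erin ip=198.51.100.7
2018-09-03T08:10:04 FAIL user=frank ip=198.51.100.7
2018-09-03T08:10:05 OK user=grace ip=198.51.100.7
2018-09-03T09:00:00 FAIL user=alice ip=192.0.2.9
2018-09-03T09:00:20 OK user=alice ip=192.0.2.9
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "OK",
                           "user": m["user"], "ip": m["ip"]})
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(events, window=timedelta(minutes=10), brute_threshold=5, stuffing_threshold=5):
    """Return {ip: {"verdicts": set, "logged_in": set}} for source IPs that look hostile.

    brute_force:         many failures against ONE account from one IP
    credential_stuffing: failures spread across MANY accounts from one IP
    logged_in:           accounts that authenticated successfully from a flagged IP
                         (these are the passwords to reset first)
    """
    fails_by_ip = defaultdict(list)        # ip -> [timestamps of failures]
    fails_by_ip_user = defaultdict(list)   # (ip, user) -> [timestamps of failures]
    ok_by_ip = defaultdict(set)            # ip -> {users who logged in}
    for e in events:
        if e["ok"]:
            ok_by_ip[e["ip"]].add(e["user"])
        else:
            fails_by_ip[e["ip"]].append(e["ts"])
            fails_by_ip_user[(e["ip"], e["user"])].append(e["ts"])

    findings = {}
    for ip, fail_times in fails_by_ip.items():
        verdicts = set()
        per_user = [max_in_window(ts, window)
                    for (i, _), ts in fails_by_ip_user.items() if i == ip]
        if max(per_user) >= brute_threshold:
            verdicts.add("brute_force")
        # Stuffing: many distinct accounts, few tries each, but a burst overall.
        if len(per_user) >= stuffing_threshold and max_in_window(fail_times, window) >= stuffing_threshold:
            verdicts.add("credential_stuffing")
        if verdicts:
            findings[ip] = {"verdicts": verdicts, "logged_in": ok_by_ip.get(ip, set())}
    return findings


if __name__ == "__main__":
    for ip, f in classify(parse_log(SAMPLE_LOG)).items():
        print(ip, sorted(f["verdicts"]), "accounts to reset:", sorted(f["logged_in"]))
```

In the sample, 203.0.113.5 is flagged for brute force against alice, 198.51.100.7 is flagged for credential stuffing and grace's reused password is the one that worked, while the single mistyped password from 192.0.2.9 is left alone. The thresholds and window are tuning knobs: set them from a baseline of your own failed-login rate before alerting on them.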
Preventing data breaches
Here are five things SMEs should do to mitigate the risk of cyber attacks and data breaches:
1. Secure wireless networks
Cyber criminals can plant ransomware and other malware on organisations’ systems by exploiting weaknesses in wireless networks, such as a network protected by an obsolete protocol or a guessable passphrase.
To prevent this, avoid WEP (which can be cracked in minutes) and the original WPA, and use WPA2 with AES (CCMP) encryption rather than TKIP. Bear in mind that WPA2-PSK is only as strong as its passphrase: an attacker who captures a device joining the network can try passphrases offline, so use a long random one, change it when staff leave, and put guest devices on a separate network. Where your equipment supports WPA3, use it.
Wireless network penetration tests can help you spot the cracks in your network.
2. Keep software updated
Software providers regularly release updates to fix security flaws that they’ve discovered. Apply them as soon as they’re released: once a patch is public, criminals can compare the old and new versions to work out what was fixed and attack organisations that haven’t updated yet.
Pay attention to notifications about updates to your operating systems or antivirus software. Ignoring them can leave cracks in your defences.
3. Control access
Administrative access to your systems should only be granted to those who need it to do their job, and used only for administrative tasks; day-to-day work such as email and web browsing should be done from a standard account. Keep sensitive data, such as payroll, out of the hands of anyone who doesn’t need it, and review who has access periodically, especially when people change roles or leave.
4. Back up data
Small businesses can lose data as well as money in a cyber attack. Regular backups make sure you can still get at your data after a breach, a ransomware infection or a hardware failure, but only if the backup is kept separate from the systems it protects (offline, or somewhere an infected machine cannot write to with its normal credentials) and you have tested that you can actually restore from it.
Cloud services such as Dropbox offer a cost-effective option, with plans starting from as little as £10 a month, but note that a file-sync service will faithfully sync ransomware-encrypted files over the good copies; rely on its version history, or keep a separate backup that the sync client cannot reach.
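Because the ransomware advice above and this backup step both rest on being able to trust the backup, here is an added example (not from the original article) of a simple integrity check: record a SHA-256 manifest when the backup is taken, store it somewhere the backup job cannot overwrite, and compare the backup against it before relying on it for a restore. The directory layout and file contents are constructed for the demonstration.

```python
"""Integrity manifest for a backup set.

Added example, not from the original article. It records a SHA-256 manifest
for a backup directory and later checks the directory against it, so that a
backup which ransomware (or a disk fault) has silently altered is caught
before anyone tries to restore from it. Paths and files below are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backups are not read into memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the current tree with a manifest recorded at backup time.

    Returns sorted lists of files whose content changed, files that are
    missing, and files not in the manifest (a ransom note, for example).
    All three empty means the backup is exactly what was recorded.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Create a toy backup, record it, tamper with it, and return both check results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "payroll").mkdir(parents=True)
        (root / "payroll" / "sept.csv").write_text("name,amount\nalice,1000\n")
        (root / "contracts.docx").write_bytes(b"PK\x03\x04 constructed sample")

        # 1. Record the manifest at backup time, stored outside the backup tree
        #    (in practice: on a different volume or a write-once location).
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(root), indent=2))

        # 2. A clean check reports nothing.
        before = verify_backup(root, json.loads(manifest_path.read_text()))

        # 3. Simulate ransomware reaching the backup: one file overwritten with
        #    ciphertext-like bytes, one deleted, and a ransom note dropped.
        (root / "payroll" / "sept.csv").write_bytes(os.urandom(64))
        (root / "contracts.docx").unlink()
        (root / "README_DECRYPT.txt").write_text("pay us")

        after = verify_backup(root, json.loads(manifest_path.read_text()))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    print("after tampering:", after)
```

Run the manifest check as part of every restore drill, not just when you suspect a problem; a backup you have never restored from is a hope, not a backup.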
5. Train staff
Human error is one of the leading causes of data breaches, so you must teach staff how to recognise potential threats, like phishing and ransomware scams, and get them into the habit of exercising good data protection practices.
Our Certified Introduction to Data Protection Training Course is the perfect place to start.
Designed by the team that introduced the world’s first certified GDPR (General Data Protection Regulation) training programme, this one-day course introduces your staff to the UK’s data protection and privacy legislation, as well as overall best practices for keeping data secure.