The world has gone digital. Is your business prepared for the dangers going digital entails?
As cybersecurity threats continue to become increasingly sophisticated, it might be tempting for business owners to consider investing in solutions that are more elaborate. However, while keeping your software solutions up to date is key, in most cases cybersecurity software is not at fault when hacks take place.
In the majority of cases, avoidable human error is the reason that hackers gain access to a network. Weak passwords, connecting to unsecured networks and opening phishing emails might sound easy to avoid, but they remain some of the most common reasons for data breaches. In the quarter up to January 2018, the Information Commissioner’s Office (ICO) found that four of the five leading causes of a data breach involved human errors such as sending data to the wrong person, or accessing insecure pages.
Antivirus software, firewalls and VPNs are vital for the identification, removal and prevention of threats, but a security setup is only ever as strong as its weakest link. That means the most important step for SMBs is to ensure their staff are fully trained, that best practices are adhered to and that software is regularly patched. Here are a few more simple ways that SMBs can avoid lapses in security.
Just a few years ago, the number of endpoints in offices was far lower than today. Thanks to the evolution of technology, the office dynamic has changed dramatically. Now, individuals are completing their work using a combination of devices including smartphones, tablets and laptops as well as desktop computers. In 2017, 59% of US companies allowed employees to use personal devices for work, with another 13% planning to.
This change in how people can access their data has also resulted in mobile working becoming increasingly common, but with every new endpoint there is another potential opening for an attack.
It is vital that companies ensure that every endpoint has a high level of security and has the latest security updates installed, especially if it is not in the physical office. Implementing a bring your own device (BYOD) policy can ensure that staff are clear as to the expectations around their security responsibilities when accessing company data on personal devices – including using two-factor authentication and the process for flagging suspicious content.
Regular staff training
When human error is such a concern, it’s essential staff are proactive to ensure simple errors, which could be caused by prioritising convenience or simply a lack of awareness, don’t result in a breach. To underline the importance of this and to identify potential security gaps, training should be provided on a regular basis. This should show staff how to update their devices, how to identify suspicious emails and what to do should a breach occur.
Staff training should not be a dry lecture, but a session that includes both updates and the sharing of skills and knowledge. Not every member of staff will be as confident with technology as others, so it’s vital everyone maintains a suitable base level of knowledge and is aware of the process to follow in the event that they identify potentially suspicious activity.
This should be reinforced with a data policy that all employees agree to abide by. For a policy to be effective, it should be updated regularly to keep up with the latest developments in security. However, the key is to make sure it is transparent and enforceable. If the implementation feels impractical or unnecessary, staff may struggle to stick to it for more than a few weeks before reverting to old habits. If the policy is too demanding, it may simply be ignored.
Passwords are a key example of why regular training is vitally important. Despite the risks of data loss and identity theft, it’s estimated that one in ten people still use one of the worst passwords of 2018 – including “123456,” “password,” “qwerty,” “iloveyou” and “admin” – potentially putting account data and personal information at risk and justifying concern over the use of personal devices for accessing work-related documents.
But why do people choose to use weak passwords? Convenience is the most likely answer. A good example is expecting users to create unique, complex passwords and to also change them on a regular basis. Without training and support, staff may decide that convenience and efficiency are more important than security, resulting in desks covered in post-it notes, or overly simple passwords.
By understanding the needs of the people who will have to implement it, your policy will help to raise awareness and understanding among staff while cutting down on the simple mistakes that could see your company become a victim.
In this instance, providing a password manager to staff could go some way to resolving the issue. Many password managers not only store multiple passwords but also help to generate new, secure codes periodically. The result is that your staff now have secure access to everything they need, and just one password to remember.
Since the high-profile WannaCry attack in 2017, instances of ransomware attacks have continued to grow, becoming one of the most infamous types of cyberattack. Ransomware takes its name from what happens to your data. Once it has got onto your system, it will encrypt your data, locking you out before demanding a fee for giving back access. Worse still, as many as 45% of SMEs who agree to pay still do not get their data back.
This sounds like a terrifying situation, but simply by keeping comprehensive backups, this threat to your business can be reduced to an inconvenience. If you hold backup copies of your company’s data remotely or on another local server, simply restoring the affected devices and recovering from your backups will eliminate the ransomware threat. Of course, you should check your security software is patched and try to identify how the breach happened to prevent repeat occurrences, but your data will be safe.
In the same way that having an expensive home security system means little if you leave the front door unlocked, your SMB’s cyber security strategy will only be effective if it is comprehensive and does not neglect the simple things. While everyone is aware that passwords need to be secure, it does not mean that everyone in the company will consider this, resulting in passwords which are too simple, are used on multiple accounts or are shared with others, creating entirely preventable risks.
By ensuring that your company emphasises the importance of security and understands the practicalities of implementing measures, SMBs can minimise the risk of suffering a highly preventable breach.