Research has shown that over 60% of the cyber attacks in the last five years were targeted at SMEs (small and medium scale companies). This negates the notion that cyber attacks are mainly targeted at large and famous companies. In fact, a start-up company's data was maliciously deleted by an angry ex-employee. So, more than ever before, it is important that SMEs invest in and pay more attention to cybersecurity.
In this article, I will point out some important things for SMEs to know in securing the data in their hands.
A business holds different kinds of data. They include:
1. Trade secrets, the company's internal communications, transactions and other important details which may or may not be available to the public.
2. Employees' data and recruitment process data (CVs and cover letters).
3. Personal data from clients, customers and dealers gathered in the day-to-day activities of the company.
We must know that the majority of data protection regulations apply to 2 and 3 above, i.e. the NDPR, GDPR and others do not regulate number 1 above. That is to say, the data protection regulations compel you to secure the personal data in your hands as a business.
However, some sectors of the economy enforce the security of the company's data, e.g. the financial sector in Nigeria, regulated by the Central Bank of Nigeria, has a cybersecurity regulation.
Now, SME cybersecurity is aimed at securing all the data in an SME's hands, whether personal or not. Let's look at simple cybersecurity tips for SMEs.
- Infrastructure: No matter how small the business is, it will have places where data is stored, whether electronically or manually (on paper).
If manually, shelves and locker rooms must be properly secured, and access should be given only to trusted employees.
If electronically, whether cloud-based or on devices, access should be limited. Remember to back up all folders offline and, if possible, off-site.
- Use updated devices.
- Restrict the devices that can be connected to office PCs (install security software on any device that is to be connected to a PC).
- All software in use should be up to date.
- Install strong antivirus and anti-malware software. (Don't go for free products; nothing is free, even in Freetown.)
- Have a good internet firewall.
- Do periodic assessments of devices.
- Have proper password management practices.
There may be sector-specific cybersecurity policies in your business sector; find out and comply. Nevertheless, there is a need to have internal information security policies. These policies include, but are not limited to, the following:
- Password Protection Policy
- Software Update Policy
- Clean Desk Policy
- Technology Equipment Disposal Policy
- Email Policy
- Data Breach Response Policy, etc.
Contact your infosec lawyers for more info on policies.
- Human Resources
Cybersecurity awareness among employees is of utmost importance. Since employees are the ones who interact with data both online and offline, they must be well informed on the proper steps to spot phishing emails, identify fraudulent links and take other cyber precautions while online. Remember, if you build a strong firewall, don't forget to build a strong human wall. Continuing education of employees is key!
Note the following points:
- Remove ex-employees' access to facilities, devices and accounts.
- Have policies on how employees deal with data, software, password management, etc.
- Having an internal IT (infosec) team (you may outsource the same to a reputable company) is key.
- Ensure employees sign a non-disclosure agreement in order to prevent future leaks of trade secrets.
- Managerial Decisions
Management must be properly aware of the importance of cybersecurity. They must be ready to make technical and financial decisions with the cybersecurity of the business in consideration, and ensure compliance with information security policies.
Management must also ensure that threats and breaches are handled technically and properly. Be ready to spend on cybersecurity, because you will pay more in case of a cyber breach.
- Cyber Insurance
Cyber insurance covers business risk in the event of network failures and breaches of personal data. This may be a new area for most insurance companies, but if your work is mostly online, you may need to insure against cyber risks; you never can tell. This may sound like an expensive plan, but talk to your insurance company; they can work out something for you.
Note that if it is a risk, it is insurable; cyber risks are insurable. Get cyber insurance cover today.
Finally, there are so many things to be considered in cybersecurity, and one of them is time. You can't postpone attending to a threat. Neither should you postpone updating software. Be on time.
Cybersecurity is not about the length of the business but Cyber Strength.