5 Steps to take on Cyber Security for SMEs

I don’t know about you, but I go to a LOT of networking events, and at these events, I’ve learnt a thing or two about myself, about networking and about cyber security.

Firstly, I’ve learnt that I’m actually quite comfortable walking up to a complete stranger and starting a conversation. It’s a skill I wish I had when I was a lot younger! I also learnt that networking events are great ways to meet a diverse group of people (if you choose the right event), and finally I’ve learnt that cyber security is still a topic that many people misunderstand.

Cyber security is not all about IT

Ok, I know that may sound like a bit of a sweeping statement, and some may disagree, but if you think cyber security is all about IT, then do you also believe that road safety is all about cars? Yes, vehicles can cause serious damage, but is it the vehicle or the driver that is at fault? Sometimes of course it’s the environment, and neither the vehicle nor the driver that causes the accident.

Thinking that cyber security is all about IT is missing the point entirely and can leave you and your business at serious risk.

When Agenci look at cyber security, we’re looking at it from the perspective of the ‘asset’ that you’re trying to protect; the information. Information can exist in all forms, from verbal through to written (both in physical form and virtual).

What should you do?

This is just a brief post to simply remind you that good cyber security is about more than IT, it’s about looking at your data differently and protecting it in each area. So here are five very simple things to do, that once followed, you will be better secured than you were when you started reading this post;

1 – Protect the physical

Take a look around your desk/office and look at the information you hold. What filing cabinets do you have? What’s in them? Who has access to them? Think about that note book you write in everyday and ask what would happen if that was lost? Would that create a breach? Would you be able to continue your business? What about the building you’re in? How is that protected?

Once you’ve considered this, simply write it down and identify areas you can improve.

2 – It’s about people

Who has access to the information you process? Have you set clear rules and responsibilities in connection to information they can access? Have you explained what they can and cannot do with the data they access? Have you explained it in a way that makes sense to them?

Write a simple policy that makes sense to them, and make sure you explain what you expect of them in any training you provide.

3 – It’s a process

Everyone follows a process. It doesn’t matter if you’re an accountant or a zoologist! When it comes to the day-to-day activities you will follow a process. When was the last time you looked at your process to see if there are any areas of risk that you have introduced? Perhaps looking at your processes will identify areas of improvement and cost savings? Take a close look and you’ll see both risk and reward.

4 – Let’s talk tech

Ok, so you DO need to look at the systems that you rely on. What systems do you use? Who has access to them? Where does the information physically reside? (Remember the cloud is just a word meaning someone else’s computer). If you’re unsure, then get a specialist in to help or speak to the person who set up your computer/systems.

5 – Who is the weakest link?

Many people we speak to will tell us they are confident in their own security, but when we ask about the people they share data with, their confidence ebbs away. So ask yourself: who do you share data with and what kind of data are you sharing? Perhaps you share employee payroll information? Perhaps it’s customer banking details?  How confident are you that they are doing the right things with the data you share with them?

Ask them to provide some assurances of their data security and what steps they have taken to protect you. This should be documented in contracts so you have some evidence (should you ever need it) that you at least asked the question.

5 steps to take

As an SME ourselves we understand that it’s not always easy to keep on top of ‘admin’, perhaps because we’re attending so many networking events! So we know how important it is to keep things simple. We’ve approached ISO27001 (the security standard) in a way that allows us as a small business to be certified, but without the headache and deluge of paper work that many get involved in.

The five steps to take are embedded above for you to review and turn into an action plan, but my advice is to a) Keep it simple, and b) Don’t make the mistake of thinking that IT is your only concern.

Remember the car analogy…it’s not about the safety of the vehicle, it’s about the care and attention the driver is taking. Sometimes you’ll head into stormy weather and you’ll need to drive a little more carefully, but the car remains the car. Take steps now to improve your driving!

Written by Gary Hibberd, Managing Director of Agenci.

Agenci provide Cyber Security consultancy services and assistance on GDPR compliance