As a small and medium-sized enterprise (SME) business owner in the UK, you may think that your business is not a target for cyber attacks because you are not a big corporation or because you do not store sensitive information. Unfortunately, that is not the case. Cybercriminals are increasingly targeting SMEs because they often have weaker cybersecurity defences and are seen as an easier target. In fact, according to the UK government’s Cyber Security Breaches Survey 2021, 38% of UK businesses experienced a cyber attack or breach in the last 12 months.
To protect your business from cyber threats, you need to be aware of the common cybersecurity risks and mistakes that SMEs make. In this article, we will highlight 10 common mistakes that many businesses make and provide practical solutions to mitigate these risks.
Many of these risks can be mitigated with the portfolio of security services offered by a managed IT provider like Cerberus Networks and by adopting the UK’s Cyber Essentials framework.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme that sets out a baseline of cybersecurity measures that all organizations should implement to protect against common cyber threats. The scheme focuses on five key areas: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management.
By achieving Cyber Essentials certification, your business demonstrates that you take cybersecurity seriously and have implemented basic cybersecurity measures. However, while Cyber Essentials is a good starting point, it only covers basic cybersecurity measures, and it may not be sufficient to protect your business against advanced cyber threats. This is where a managed IT provider like Cerberus Networks can offer significant additional benefits.
Common Cybersecurity Threats
Before we look at the common mistakes that SMEs make, let’s first review some of the common cybersecurity threats that businesses face.
1. Phishing
Phishing is a type of social engineering attack where cybercriminals send fraudulent emails or messages that appear to come from a reputable source, such as a bank or a colleague, to trick the recipient into disclosing sensitive information or clicking on a malicious link. Companies with lots of documents coming in and out via email are particularly susceptible to phishing attacks.
2. Ransomware
Ransomware is a type of malware that encrypts your files and demands a ransom payment in exchange for the decryption key. One of the most common ways that these attacks get onto the company network is when a user clocks on a link in a phishing email, so it is important to consider many of these areas together.
3. Advanced Persistent Threats (APTs)
APTs are sophisticated, targeted attacks where cybercriminals gain unauthorized access to a network and remain undetected for an extended period while stealing sensitive data. Understanding what represents “normal” traffic and being able to see activity on the network are therefore key.
4. Insider Threats
Insider threats occur when an employee or contractor with authorized access to your systems intentionally or unintentionally causes harm to your business, such as stealing data or introducing malware.
5. Distributed Denial of Service (DDoS)
A DDoS attack is where cybercriminals flood your website or network with traffic to overwhelm it and make it inaccessible to legitimate users. This is something that can prevent access to online ordering and causes huge reputational damage. It is generally something that affects larger organisations but should be considered for any business where online transactions are important.
Common Cybersecurity Mistakes
Now that we have reviewed some of the common cybersecurity threats that businesses face let’s look at ten common mistakes that many businesses are making now.
1. Not Implementing Two-Factor Authentication
Two-factor authentication (2FA), also known as multi-factor authentication (MFA) is a security process that requires two forms of identification to access an account. Many businesses only use a username and password, which is vulnerable to brute-force attacks. Implementing 2FA significantly reduces the risk of unauthorized access to your systems. Companies using systems such as Microsoft 365 should have this implemented as a default.
2. Not Patching Software and Systems
Patching your software and systems is critical to maintaining the security of your systems. Cybercriminals often exploit vulnerabilities in software and systems that have not been patched.
3. Not Backing Up Data
Backing up your data is essential to recover from a ransomware attack or a data breach. Many businesses do not back up their data regularly, which can result in significant data loss and financial impact. Most businesses are actually running regular backups but are not regularly testing whether the data they are storing can be restored. Regular testing is an essential part of this, as is regularly reviewing recovery time objectives to ensure that the backup strategy is in line with business needs as they change over time.
4. Using Weak Passwords
Many employees use weak passwords that can easily be guessed or cracked by cybercriminals. Weak passwords can be easily exploited by brute-force attacks, where a cybercriminal tries multiple password combinations until they find the correct one. Businesses should enforce strong password policies and use password managers to generate and store complex passwords securely.
5. Not Educating Employees about Cybersecurity
Employees are often the weakest link in cybersecurity, and many cyber attacks are successful because of human error. Businesses should invest in cybersecurity awareness training for their employees to educate them about the risks and best practices to avoid falling victim to cyber attacks.
6. Not Restricting Access to Sensitive Data
Many businesses do not implement proper access controls and allow all employees to access sensitive data, which increases the risk of insider threats. Businesses should restrict access to sensitive data only to employees who need it to perform their job functions. Where sensitive data is stored and regulatory requirements require record-keeping of access, various reporting and auditing tools exist to provide additional functionality in this area.
7. Not Implementing Firewalls and Antivirus Software
Many businesses do not implement firewalls and antivirus software, leaving their systems vulnerable to cyber attacks. Firewalls and antivirus software are basic cybersecurity measures that all businesses should implement to protect against common cyber threats.
8. Not Monitoring Network Traffic and Logs
Many businesses do not monitor their network traffic and logs, which can make it difficult to detect and respond to cyber attacks. Businesses should implement network monitoring tools and log analysis to detect and respond to cyber attacks in real-time.
9. Not Updating Third-Party Software
Many businesses use third-party software, such as plugins and extensions, that can introduce vulnerabilities into their systems. It is essential to keep third-party software updated to avoid potential security risks.
10. Not Having an Incident Response Plan
Many businesses do not have an incident response plan, which can result in confusion and delays when responding to a cyber attack. Businesses should have a documented incident response plan that outlines the steps to take in the event of a cyber attack to minimize the impact on their operations and data.
How Cerberus Networks Can Help
Cerberus Networks is a managed IT provider, offering a range of cybersecurity services to protect businesses against cyber threats. In addition to the basic cybersecurity measures outlined in the Cyber Essentials scheme, Cerberus Networks offers advanced cybersecurity services, including:
1. Vulnerability Scanning
Vulnerability scanning is the process of identifying vulnerabilities in your systems and applications before cybercriminals can exploit them. Cerberus Networks offers vulnerability scanning services to help businesses identify and remediate security vulnerabilities in their systems and applications.
2. Advanced Malware Prevention Software
Cerberus Networks offers advanced malware prevention software that uses artificial intelligence and machine learning to detect and prevent advanced malware attacks, such as ransomware and APTs.
3. Advanced VPN & Endpoint Security
Cerberus Networks offers advanced VPN and endpoint security solutions that enable secure remote access to your systems and applications while protecting against cyber threats. For companies with hybrid workers, having a coherent strategy in place to manage security is vital.
4. Managed UTM Security
Unified Threat Management (UTM) is a comprehensive approach to cybersecurity that combines multiple security features, such as firewall, antivirus, intrusion detection, and content filtering, into a single solution. Cerberus Networks offers managed UTM security services to help businesses protect their systems against a wide range of cyber threats.
Conclusion
As a SME business owner in the UK, you need to be aware of both the common cybersecurity threats and the mistakes that businesses make to protect your business against cyber attacks. While the Cyber Essentials scheme provides a good starting point for basic cybersecurity measures, engaging with a managed IT provider like Cerberus Networks can offer significant additional benefits. Cerberus Networks offers expertise and experience that allows the deployment of additional services. Developing a coherent security strategy requires buy in from all parts of the company, ongoing testing and reporting, as well as regular reviews. Having a dedicated team that manages security risks, with specialised engineers aware of the latest threats provides a level of defence that a company will often find impossible when doing everything on their own.