Democratising SME Cyber Defence

by Josh Biggs in Tech on 14th November 2019

Cyber attacks are an ever-present threat to businesses big or small, increasing constantly in frequency and sophistication.

Protecting your business from cyber attacks is like protecting your physical staff or office. For instance, if a company has a largely female staff, it arranges taxi coupons or a staff minibus to take them home safely on late evenings. School principals teach students basic safety tips, such as staying together in groups or with a buddy, understanding ‘stranger danger’, walking along well-lit streets, and staying out of shadows. In these situations, those with authority or responsibility plan for and manage threats. It’s the same with cyber security.

Not just an IT problem

Cyber security is no more of an IT problem than road safety is the other person’s problem; it’s a collective responsibility. Good cyber security starts at the top of the organisation and needs to permeate every aspect of the business; it’s a cultural element of the business. The responsibility for cyber security is shared throughout the company, with each person playing a different part. The marketing team reassures clients of the company’s security stance, the legal team builds security clauses into every contract with clients and suppliers, and HR makes cyber security part of basic training for all employees, regardless of role. For example, an IT company like Prosyn can provide expert guidance on security, but every employee plays a daily role in keeping your business secure.

Another example is when a plumber or electrician visits the office: what information can they be given? Each employee needs to know what information is permissible to provide, and how that information will be safeguarded. Once it’s been digitised, it becomes a potential ‘open window’, as it were, for hackers to infiltrate.

Human error

Hackers and other hostile actors often rely on human error to wiggle their way into your data. A few examples of simple human errors are:

  • not checking the URL of an unknown company carefully enough
  • clicking on an attachment from an unknown source
  • answering surveys and questionnaires online at work
  • reusing passwords in very weak and basic permutations of themselves, e.g. Smitho123, Smitho456, Smithy123.

HR and line managers have a duty to provide basic cyber security training. Some topics to include are: being able to determine if a URL is safe, ensuring automatic updates are applied as soon as an update becomes available, reducing the number of pages open at any one time, etc. On an elementary level, staff need to be told to look at the URL. The prefix ‘https’ is always preferable to ‘http’ because the ‘s’ indicates a secure connection. All reputable businesses have https as part of their URL. Domain Validation is the lowest form of validation an organisation can obtain, and it’s notoriously difficult to spot a site with just Domain Validation. Therefore, staff need to check for the ‘https’ before going any further.

Company-wide training is encouraged as the first line of defence. On a managerial level, there are even more strategies to implement.


Information that is central to the company, and without which it could not function, is obviously vital and must be kept under the tightest security. The person responsible for security needs to identify what that data is and ensure it’s backed up. This data needs to be backed up far away from the computers on which it’s stored. If that crucial data isn’t particularly sizeable, a standard USB stick could be used as a backup. Again, there’s value in password-protecting the entire USB stick or protecting each file with a password. Equally, a password-protected portable hard drive could be used. Taking the same logic to a different level, the most important company data can be saved to the cloud, as there are many companies which provide a highly secure cloud environment. A good IT consultancy can provide guidance with this.

What’s important is identifying the most important data and backing it up off network, where other employees don’t have access. Even the most basic USB stick can be made tamper-proof relatively easily.

If you go to the trouble of backing up your data and securing the flash drive, then you may as well keep that portable storage off-site, i.e. in a safe located in a different building. This guards against accidents such as physical theft or fire.


Any business can employ good IT support companies to build strong defences against external dangers. However, defences can be easily compromised, for example when a staff member unknowingly clicks on and opens a malicious attachment. Any IT defence is only as good as the people working behind it. Therefore, regular IT security training is to be encouraged. That training needs to be extended to managers so they’re part of the response plan. A well-thought-out response plan would include the parts to be played by each department, as well as a positive message to be conveyed to clients and suppliers. There’s also value in investing in certification to demonstrate to partners, clients, suppliers, and the whole chain of stakeholders, that your business has officially certified and compliant processing procedures in place. For external parties, such certificates establish that their data is being safeguarded. Who would want to work with a business that may be a threat to their own?

Creating strong passwords

Company training on password management should be an important element of your security strategy. It seems to be common practice to reuse passwords with minimal change – this is bad practice. The ideal method of generating and securing passwords is to use a password manager. Basic managers are free, and subscription plans allow multiple people to use them. The use of a password manager is highly recommended. If using a password manager isn’t for you, then consider using phrases which mean something to you, perhaps with a degree of character substitution. For example: Rag!ngF!res.Damn!ce. Any staff training needs to reiterate that passwords are not to be reused.
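As an added example (not part of the original article), here is a small Python check an SME could run at password-change time to reject the kind of minimal permutation described above (trailing digits bumped, one letter swapped, simple character substitution). The password history values are constructed for illustration only.

```python
import re
from difflib import SequenceMatcher

# Constructed sample history of a user's previous passwords (illustrative only).
HISTORY = ["Smitho123", "Smitho456"]

# Common character substitutions, undone so that "Sm1tho" compares equal to "Smitho".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})

# Similarity at or above this ratio is treated as a trivial variant of an old password.
THRESHOLD = 0.8


def normalise(pw: str) -> str:
    """Reduce a password to its 'core' so that trivial permutations compare equal.

    1. strip leading/trailing digits and symbols (Smitho123 -> Smitho)
    2. undo common substitutions (Sm1tho -> Smitho)
    3. lower-case (Smitho -> smitho)
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.translate(LEET).lower()


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two passwords are after normalisation."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def is_trivial_variant(candidate: str, history: list[str],
                       threshold: float = THRESHOLD) -> bool:
    """True if the candidate is too close to any previously used password."""
    return any(similarity(candidate, old) >= threshold for old in history)


if __name__ == "__main__":
    for pw in ["Smitho456", "Smithy123", "Sm1tho789", "Rag!ngF!res.Damn!ce"]:
        verdict = "REJECT" if is_trivial_variant(pw, HISTORY) else "accept"
        print(f"{pw:22s} -> {verdict}")
```

Only the normalised cores are compared, so the check never needs to store or log the plaintext history beyond the comparison itself.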

Taking the idea a step further, most newly set-up accounts come with a set of account recovery questions. There is no need to answer these truthfully, and little benefit in doing so. As they are usually based on you and your life, e.g. maiden name, first teacher, city of first job, etc., they can be guessed with ease. Once a hacker has some information, it’s relatively easy to build a full picture, and they can soon guess the answers. Therefore, use some creativity and ensure you keep a copy of your answers. A quick example could be: first teacher – Charles Dickens, city of first job – Timbuctoo. These would make it much more difficult for others to crack – but remember to always keep a copy!

Cyber security is everyone’s job

The security plan comes from the top, but everybody within the company is involved in cyber security. All data needs to be backed up regularly, and vitally important data needs to be both backed up and kept off-site. HR needs to formulate plans for security training of new staff members and, on a regular basis, for all employees. All staff need to know how to secure individual documents and whole USB sticks. Staff from each department can demonstrate to all external stakeholders that the company is managing its cyber security to the highest standards.
