Checklist "Cybersecurity for SMEs": Valuable tips - Part 1
by Tina Siering
In terms of IT security, 2023 begins as 2022 ended: the threat situation gives companies and organisations no breathing space. On the contrary, all forecasts for 2023 point to a further intensification of this trend. The primary goal of all corporate decision-makers should therefore be to strengthen the resilience of their own IT infrastructure as far as possible, permanently and sustainably, under the given framework conditions. In this first part of our two-part series of articles, we present five of a total of ten essential measures that help to address the issue and prepare for various attack scenarios.
Measure 1: Determine who is responsible for cybersecurity
In times of increasing cyber threats, the question of responsibility for cyber security in companies is central. The answer is clear - and applies to every company: It lies with the company's top management. It is essential that top management is aware of the risks and dangers that can arise from cyber attacks. Therefore, the topic of cyber security should - or rather must - be regularly on the agenda of business management meetings. Senior management should be involved in the development and implementation of security strategies and measures, drawing on expertise from the IT department or external security experts. It is important to make decisions regarding the level of security and the acceptance of any residual risks in a well-considered and informed manner.
In order to establish clear responsibilities, management must determine who is responsible for operating the information system and who is responsible for protecting information security. In small companies, this can be the same person, but care should be taken to ensure that the person responsible is adequately trained and supported. Establishing a strong security culture in which every employee takes responsibility for protecting the company's data and systems is an essential step in minimising the risk of cyber attacks. Management should lead the way and ensure that cyber security is embedded throughout the organisation.
Measure 2: Inventory - how well do you know your IT systems?
Cybersecurity for SMEs requires an overview and in-depth understanding of one's IT systems. A fundamental step is for companies to conduct a comprehensive inventory of their hardware, software, data and processing operations. This analysis makes it possible to identify potential vulnerabilities and derive appropriate protective measures. The inventory should include all components used, such as computers, smartphones, servers and peripherals. Software used, its functions, versions and user licences should be inventoried. Also consider the effect a successful cyber attack would have as a "worst case scenario". What data loss and corruption would put you at risk of having your business operations impacted or even interrupted?
It is also critical to list and categorise all access permissions: Who (e.g. administrator, user or guest) has what type of access (local or remote) to which information systems? In this way, companies can prevent unauthorised access and further reduce the attack surface for threats. The inventory should also list any internet access to a provider or partner. On the one hand, this helps to select suitable IT solutions for the company and to identify necessary security measures. On the other hand, this overview is very helpful in order to initiate appropriate countermeasures in the event of a successful cyberattack.
Measure 3: Data backup and security updates - are you up to date?
Regular data backups and promptly applied security updates are crucial for the cyber security of SMEs. Companies should carry out regular backups to be able to quickly resume business operations after security incidents. The frequency of backups and the choice of storage medium (physical or cloud) depend on individual requirements. Encryption is strongly recommended, especially for cloud storage. Security updates should be applied promptly in order to close known vulnerabilities quickly. Up-to-date hardware and software solutions are just as important as activating automatic updates. Responsibilities for the update process must be clearly defined and recorded in any existing contracts with IT service providers. To ensure that important security updates are not forgotten, we recommend a carefully prepared patch management process.
Measure 4: Does your organisation have a strong password policy?
Strong passwords are essential to ward off brute force attacks. Therefore, companies should implement a comprehensive password policy that encourages all employees to use strong and unique passwords for any service that requires authentication. Password managers can help generate complex passwords and simplify their management. These tools store passwords in encrypted form and allow access only with a master password set by the user.
The use of multi-factor authentication (MFA) further increases security by adding additional layers of authentication. This can be done, for example, through physical tokens such as smart cards or USB/FIDO2 tokens. Single sign-on (SSO) is another technique that simplifies logging into multiple services within the organisation by requiring only a single authentication. To control and verify compliance with the password policy, companies should conduct regular audits and implement technical enforcement measures. These include locking accounts after multiple failed login attempts, disabling anonymous login options and configuring strict password policies on authentication servers.
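To make the enforcement side of Measure 4 concrete, here is an added example (not code from the article or its author) of a minimal authentication gate that applies a strong-password rule when a password is set and locks an account after repeated failed logins. The policy values (12-character minimum, 5 failures, 900-second lockout) are assumed; real deployments take them from the organisation's password policy.

```python
# Added example: password-policy check plus account lockout, as described in
# Measure 4. Only salted PBKDF2 hashes are stored, never the passwords.
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumed policy value
MAX_FAILURES = 5         # lock after this many consecutive failures
LOCKOUT_SECONDS = 900    # assumed lockout duration


def password_meets_policy(pw: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


class AccountStore:
    def __init__(self):
        self._accounts = {}   # user -> {salt, hash, failures, locked_until}

    def set_password(self, user: str, pw: str) -> None:
        if not password_meets_policy(pw):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)
        self._accounts[user] = {"salt": salt, "hash": digest,
                                "failures": 0, "locked_until": 0.0}

    def login(self, user: str, pw: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. Unknown users get 'denied'
        so the response does not reveal which usernames exist."""
        acct = self._accounts.get(user)
        if acct is None:
            return "denied"
        if now < acct["locked_until"]:
            return "locked"
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), acct["salt"], 200_000)
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] = 0          # success resets the failure counter
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

The `now` parameter is passed in explicitly so the lockout window can be exercised deterministically; a production service would take the current time from its clock.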
Measure 5: How do you sensitise your employees?
Employees in SMEs need to be sensitised to the dangers of cybercrime through regular information dissemination and a culture of 'computer hygiene'. Companies can do this by creating an IT charter that sets out IT usage policies and incident reporting procedures, and by regularly reminding employees of these policies. An uncomplicated, low-threshold procedure for reporting IT security incidents encourages employees to actually report them. Free membership in the "Alliance for Cyber Security" initiated by the BSI provides further information resources. Regularly conducted social engineering audits with phishing simulations raise employees' awareness of the dangers of cyber attacks.
Because the threat of cyber attacks is steadily increasing, the issue of cyber security is crucial for SMEs. In order to strengthen resilience under the given framework conditions, companies must take a comprehensive approach based on both technical measures and organisational guidelines. A clear definition of responsibilities for IT security and the involvement of the company's management are fundamental.
In-depth knowledge of one's own IT systems, ensuring data backups and the consistent implementation of security updates form the technical basis for protection against cyber attacks. The implementation of secure password policies and authentication procedures additionally minimises the risk of unauthorised access to sensitive data and systems.
In addition to these technical measures, it is essential to sensitise employees to the dangers of cybercrime and to establish a security culture within the company. This includes the regular communication of IT usage guidelines, encouraging the reporting of security incidents and the continuous training of employees.