Information Security for SMEs: Doing the basics need not cost the earth

By Paul Simmonds

Not all of us are lucky enough to have in excess of 100 full time staff working on Information Security, let alone a budget to match! But that’s no reason to stick your head in the sand and assume that no-one will be interested in hacking you – there are many things you can do – often free or low cost – that could provide an incremental level of protection on where you are today.

So here is my “starter for 10”, in a rough order, though as the old caveat says “your mileage may vary”.


Do the basics

1. Patch everything and patch fast

The bad guys out there are lazy; why bother crafting a specific attack when you can simply walk in using a known exploit that has been around for years. The fact is that the time to patch 50% of systems in a typical company is around nine months, so simply don’t be one of them.
• Switch on automated patching for every system you can, especially Windows systems.
• For all your key systems, understand the patch cycle for your software vendors (most have a monthly patch cycle), and put those dates into a diary to review and action.

2. Understand what assets you have within your business

The old saying “if you can’t measure it, you can’t manage it” is truer today in a world where we use more outsourced and cloud services (Gmail, Office 365 etc.) than ever before. There are free services that allow you to gain a global insight into your assets; such as Qualys Asset View ( [full disclosure: I am on the Qualys advisory board]

3. Regularly check your systems for patch level and misconfiguration

There are many tools available that automatically scan your systems, check for their patch level and look for misconfiguration. You should be demanding from your IT Manager (or CIO) a full report from such an automated tool, on a regular basis. Experience says that the first time you run such a tool/report, two-thirds of your systems will have a vulnerability or misconfiguration that allows exploitation by a trivial attack.

4. Ensure all your systems, especially user devices, are running without Admin privileges.

If you are using a standard “out of the box” Windows PC, there is a good chance they are running with full administrator privileges. Simply create a separate “admin” account and change the users account to only having “user” privileges. While you are at it, produce a simple help-sheet so people can also do this to their home PC’s.

Think about your data

5. Understand where your data is – and back it up

Data is the life-blood of any organisation, whatever the size. But do you have a robust strategy for backing it up? As well as a tested recovery strategy. You need to consider how the data is protected not only from loss (say, hard disk failure) but also corruption (say a ransomware attack which encrypts your data). Could you transition back to data that was two days old or even from a week ago?

6. Invest in email security

Most threats will probably come into your business from people clicking on links, or downloading attachments in email. Best-in-class email security will not only protect you from spam, but also eliminate rogue attachments and links.

7. Also look at your strategy for web security

Access to the web is probably essential for large parts of your business, so a good strategy for how you let your people have the access they need while remaining protected is essential. But, as we found during the pandemic, this should not mean everyone that is working remotely needing to connect to the company, only to go straight back out to the Internet. There are lots of “cloud-based” solutions available that allow people to work from wherever, yet still remain protected.

Take it to the next level

8. Look at Cyber-Essentials

When you’ve done the basics, then the UK Government’s cyber essentials program is a good place to start. There is a great resource on their website called “Cyber-Aware” for small businesses, and “10 Steps to Cyber Security” for larger SMEs, as well as loads of other (free) resources and downloads. There is also “Cyber Essentials Plus” and the opportunity to get certified; though many will choose to use the program to do-it-themselves, or get some external help to guide them through it, without the rigour (and cost) of a full external independent assessment.

And don’t forget training and awareness

9. Your staff are the front line of protection

Human targeted attacks, whether through email, phone, social media or web are on the rise, and the quality of them is increasing to the point that even professionals find it hard to determine whether it’s real or fake. A good, simple, awareness campaign on what to look out for will augment the technology that is cleaning your email and web and need not cost too much. There is some great free guidance on running such a campaign and a good place to start is and search for “Embedding Security Behaviours: using the 5Es”.

Training on the basics, in a way that your staff can also adopt at home to keep their families safe, is a great way to embed a security culture; – for example, a (Google or Microsoft) authenticator app on their personal phone can be used to keep personal accounts safe, as well as be used to secure work accounts.


10. Rinse and repeat

Just remember, good information security is about embedding it into your culture. This not only means leading from the top in your expectations, but processes and procedures that are institutionalised. Reports that make sense for your business that are expected (and reviewed) by the board and (simple) metrics that can demonstrate progress.

Paul Simmonds is the CEO of the Global Identity Foundation. He was formerly global Chief Information Security Officer (CISO) of AstraZeneca, and prior to that the global CISO of ICI and global CISO with Motorola Cellular Infrastructure. He was awarded the first “Chief Security Officer of the Year” as well as “Best Security Implementation” at the [Secure Computing] SC Magazine Awards and is twice listed as one of Network World’s “most powerful people in networking”. He is also a director of the Cloud Security Alliance (Europe) and an editor of the Cloud Security Alliance’s “Guidance” document at version 3. Paul co-founded the Jericho Forum in 2003 and is also on the advisory boards of several global tech companies.