Why people are the key to SME security

By Tabby Farrar

While the headlines around data security primarily warn us of malicious hackers, this type of crime only accounts for 48% of data security breaches, with the rest being the result of either human or system errors.

Having a strong security setup is a good starting point, but its benefit is severely reduced when data that security is intended to protect can be accessed due to weak passwords, phishing scams or via infiltration of unsecure networks.

Though the importance of endpoint security to any business cannot be understated, the key to successful corporate data security is making sure that employees are not your weak link. Whether your business is twenty-five people or two hundred and fifty, with established policies and a culture of education and awareness, your staff can become a cornerstone of your data security strategy. The particular importance of thorough training in SMEs should certainly not be overlooked – where one person’s lack of security awareness might mean that 10% of your staffing is a weak point.

Engagement and support

While staff training can certainly have a good initial impact, if it is not built on with regular follow-up sessions there is a risk that old habits will creep back in as time moves on. Similarly, a dull training course is unlikely to stick in anyone’s memory, so make sure that your staff education is well designed for its audience.

SME Publications/ SME XPO 2024

A good method to help sustain participation is to incorporate elements of gamification. This can be done by recognising positive steps with rewards, and interactive sessions that demonstrate the consequences of poor security.

One issue that may need to be tackled for SMEs in particular is the idea that you are too small to be targeted, which can sometimes cause complacency. The reality is that around two thirds of small businesses have been victims of cybercrime, and the average SME is attacked four times every two years.

While carelessness or complacency can be a barrier to getting staff on board with a proactive security policy, so can a lack of confidence around security measures themselves. To make sure that staff are confident about their responsibilities, teams should be educated on what constitutes a security red flag and how to identify and deal with potential threats, from weak passwords to suspicious emails.

By the people, for the people

A good training system cannot just be for IT specialists and department heads, implementation must be universal across all levels of the business, including freelancers, contractors or others who are not in the office full-time.

Responsibility for business security is not just the domain of the IT manager or a single IT expert, and it should be clear that everyone needs to be involved. An attack could come from a multitude of directions and your company will only be as well-defended as its weakest link. By making security a whole-team effort and underlining the consequences of a breach, you can help to create support for a policy that might otherwise be considered bureaucratic – and sustain the implementation of best practices between training sessions.

Apply common sense

To construct a successful policy, SMEs should consider how realistically that policy can be implemented. Adding a list of complicated demands to the workload of a small team is likely to cause resistance, and to reduce the chances of guidelines being adhered to. For this reason, security policies should focus on underlining the importance of common sense practices:

  • Strong passwords and two-factor authentication
  • Regular data backups
  • Awareness about what makes a suspicious email
  • BYOD and not using unsecured networks

There’s no need to dedicate extensive time and resource to writing up lengthy policy documents that nobody will read; instead, a concise set of guidelines that can be referred back to should suffice.

Keep up to date

Because cyber security is ever-changing, it’s important to keep staff up to date with any changes to best practice. A good recent example is the rise in popularity of bring your own device (BYOD) and the Internet of Things. While these recent trends can be helpful for productivity, anything from a smart assistant to a webcam could be an easy point of entry for an attack.

To manage this, policies need to be in place to ensure safe and responsible use of any devices that store, or connect to networks storing, sensitive data. Staff will appreciate the flexibility of using their devices, but this benefit must come with a caveat, that best practice is strictly followed so as not to inadvertently create an avenue for data theft. As well as changes in working practices, employees will need to have their training continually updated to account for new threats and advance phishing.

Build a culture

Cultivating a successful ‘security culture’ helps colleagues to feel confident that they are acting to best practice guidelines, and that they know what to look for when identifying a potential security risk. Feelings of insecurity can easily spread among small teams, so a sense of collaboration is key.

The simplest way to create this is by making security training a regular, but also concise, fixture on the company calendar.

“The key to SME security is your people.” Says Arne Upheim of AVG Business. “By educating staff and supporting the implementation of security practices, one of the largest potential weaknesses in SME security – employees themselves – will become one of the strongest factors, and the risk of a breach can be greatly reduced.”

SME Publications/ SME XPO 2024