As large companies improve their information security, cybercriminals are increasingly turning their attention to SMEs, a logical shift. Within the SME segment, 75% have now experienced cybercrime. The Alert Online 2023 Cybersecurity Survey showed that 19% of small businesses take no action to be safe online and that awareness is often lacking. This is a shame, because the effectiveness of simple measures is easily underestimated.
A limited risk perception and knowledge challenge
ThreadStone research ranks "limited perception of risk" within SMEs at No. 1 in its Top 3 Cyber Vulnerabilities. Clearly, this has implications, as people do not arm themselves against something they believe will not happen to them. To take action and free up budget, the urgency must be clear.
The Alert Online 2023 Cybersecurity Survey shows that one-fifth of small businesses take no action at all to be safe online, and that cybersecurity knowledge is deteriorating. Employees of small businesses report that, relative to larger companies, they have less access to tools to improve their safe online behavior. Three in 10 employees also do not know what cyber measures their own organization has taken.
Effective measures for information security SMEs
While it is important for SMEs to have a realistic risk perception of the threats and budget for information security, even a small investment can have a big effect. SMEs have limited resources, making it necessary to make the best use of them. The following measures can have a big impact:
- Train your employees
A data breach or hack often starts with human error. Employees need to be aware of the threats they may face at work. That's why there are online awareness training courses employees can take, such as from Awaretrain. Phishing campaigns can also increase the awareness of your staff.
- Mandatory Multi Factor Authentication at login
Multi-factor authentication uses a second authentication method in addition to a password to access an account, such as a text message or an app. This ensures that accounts are better protected. Common examples of Multi Factor Authenticator apps are Google Authenticator and Microsoft Authenticator.
- Install available software patches immediately
Data breaches often occur because cybercriminals exploit vulnerabilities that have not yet been updated. By updating software regularly, these vulnerabilities are 'patched'. As a result, hackers can no longer use this vulnerability to get into your system.
- Least Privilege Principle
Adhere to the least privilege principle. This means that employees only have access to the files needed to perform their jobs. By not giving your employees unnecessary privileges, you reduce the possibility of risk to your organization.
- Automate backups
Ransomware is used to hold systems hostage, preventing you from accessing your system or data. Backups ensure that you do not lose your data in such a case. The Cloud offers good options for making backups. Just make sure they are properly secured as well. Cloud services you can consider are: Google Drive, Microsoft OneDrive or Dropbox.
Prevention is cheaper than cure
Investments in cybersecurity are not very popular in SMEs, but prevention is cheaper than cure. Just the cost of one day of not working due to a cyber-attack is many times greater than the cost of improving your company's digital security. An ESET investigation into security incidents shows that the cost of an incident among SMEs is estimated to average €270,000. Simple measures such as those described above can already provide protection, if only because you become a less attractive victim than companies that have not taken these measures. Every little bit helps. Spending one day a year on information security is better than nothing.
Cyber Security Scan
Handle information security efficiently by covering the biggest risks. The risks with the most impact deserve the most attention. Want to know what the biggest threats to your organization are? With our Cyber Security Scan you will receive an overview of your business activities and which ones are most vulnerable. This scan is free of charge and without obligation.