4 cyber security quick wins for SME business owners

What does ‘good’ look like?

SME-specific cyber challenges need SME-focussed solutions. Despite over 90% of the world economy powered by SMEs, much of the cyber protection available is catered towards bigger organisations. This has traditionally made SME security an expensive and difficult proposition. But it doesn’t have to be this way.

We’re going to look at 4 cyber security services that, when taken together, cover the key SME requirements:

• Increase visibility of cyber risks
• Are highly applicable to SME security weaknesses
• Easy to procure
• Make an immediate improvement to your security posture

4 quick cyber security wins

1. Recon scanning

Hackers begin their path to breaching your organisation long before sending a phishing email or exploiting a security flaw. In fact the first step any cyber criminals takes is reconnaissance. Every business leaks a surprising amount of sensitive information that hackers find useful, such as what web assets, domains and ports are exposed, along with risks from web-based third-parties. Recon scans uncover this hidden information, allowing you to see through the eyes of a hacker and help you calculate your cyber risk. Recon scans are quick to run and are included in all Defense.com™ packages, so even the smallest start-up can get visibility of this unseen but important information.

2. Pen testing

No list of quick wins would be complete without penetration testing. It’s simply an essential cyber security service that no business, big or small, can afford to ignore. For SMEs in particular, penetration tests are low-touch and high value. It’s no wonder pen testing is mandated or recommended by every security standard and best practice guide you can think of.

SME infrastructure is usually much less complex than mid-market or enterprise environments, and also tends to use more cloud services. This brings two key benefits to SMEs: it not only makes pen testing easier and quicker to complete, but it also means the remediations are easier to implement. SMEs: 1, Enterprise: 0.

The risk weighting applied to each uncovered vulnerability combined with the threat tracking dashboards in Defense.com™ make it easy to see at-a-glance which remediations need to be prioritised to get quick value – and effective defences – from your pen tests.

3. Vulnerability scans (VA scanning)

Sometimes SME business owners and IT managers think that because they’ve done a pen test, their scanning days are done for another year. These people couldn’t be more wrong. This actually ignores one of the biggest attack vectors: that of unpatched software. Missing security patches accounts for up to a third of all critical security vulnerabilities identified in penetration testing, so keeping on top of your patching is vital to keeping hackers at bay. Whilst annual penetration testing is a no-brainer, they’re point-in-time assessments, and new security patches come out each and every week.

The best SME tactic here is to pen test annually and scan monthly – or weekly for the highest priority systems. This keeps on top of missed patches and shores up any security vulnerabilities until your next penetration test. This is another example of where SMEs have an advantage over larger organisations: scanning and patching is easier to do. And if you implement good patching regimes now, they’ll scale as your business grows.

4. Training

The last item in this list might surprise you. It’s not a technical service, management system or compliance standard. What it is, however, is easy to deliver and mitigates the risk of the largest attack surface in your organisation: your workforce. Human error is responsible for more cyber attacks than anything else. And the way to secure the human is through training.

Many cyber attacks start with phishing, and even advanced cyber controls can be compromised by simple human error. This makes training your employees in the direct security consequences of their day-to-day actions a powerful cyber defence. It helps them contextualise and prioritise cyber security in their daily work life.

The word ‘training’ can conjure images of boring presenters with enormous PowerPoint decks, but modern security training is much more engaging – it has to be to be effective. Defense.com™ includes a series of online training videos covering key information your staff needs to know. With SME staff multi-role-ing and stretched thin, online video delivery gives a range of advantages:

• Flexible, 24/7 access from multiple devices
• Easy for staff to fit training around their everyday jobs
• Unlimited access means the training scales with your growth