By Sumit Bansal
Senior Director, ASEAN and Korea, Sophos
Data privacy and protection concerns have recently been making headlines, reminding us to be even more vigilant than ever in protecting data, whether it is of our organizations, our customers, or even our own.
However, even though they are now more cognizant of their vulnerability, many small and medium enterprises (SMEs) still find themselves hesitant to invest, worrying about the cost in time and resources.
“When it comes to IT security, SMEs are in a tight spot. Potential attacks on SMEs are on the rise, as they do not have the wherewithal to pro-actively combat the unknown,” said Sumit Bansal, senior director for ASEAN and Korea at Sophos. “Whenever a data breach or a cyber-attack happens, there is often a lot of legwork being put into examining the root cause of data breaches. For SMEs, they simply do not have the time, budget, or expertise to threat hunt, nor do they always understand why they need to do it. Even if SMEs see the value, their budgets do not come close to having a dedicated in-house team.”
The good news is that SMEs now have more options that will bolster their ability to defend themselves from the evolving threat landscape. They no longer have to think of data protection and cybersecurity as massive cost centers they begrudgingly invest in for purposes of legal compliance; they can instead see them as business enablers that ensure smooth and optimal operations, facilitate organizational savings, and guard profit centers. They can start with a set of easy-to-implement protocols and IT solutions. What is important is getting every member of their organization to embrace a focus on cybersecurity as an integral part of their day-to-day work life. Sophos, a global leader in network and endpoint security, has listed some of these practices.
1. Upgrade your endpoint protection
With more SMEs using laptops and mobile devices that connect everywhere, and most attacks using “legitimate” HTTP and email communications that can often pass happily through gateway protections, better defenses on computers are needed now more than ever. Traditional anti-virus-based endpoint protection products just aren’t keeping up, with hackers, and ransomware in particular, very visibly getting past these products. They do this by exploiting legitimate software instead of just using “malware”, by using multiple techniques, and by either avoiding executable code altogether or, where it is used, changing it frequently and automatically so that it can get past reactive signature-style approaches.
There are many new “next generation” endpoint protection products now available that can provide more comprehensive protection against exploits and ransomware, as well as helping detect and remediate compromises when they do happen.
2. Improve login hygiene and practices
It’s important for SMEs to come up with a cybersecurity basics checklist that they get every member of their organization to observe. They also need to ensure that guests requesting remote access to their networks abide by these procedures. It is not enough to trust the person; one also needs to trust their computer, because a PC with malware on it that connects to an office network is essentially letting cybercriminals in with it.
It is also worth considering requiring employees to have two-factor authentication (2FA) on devices used for work. While it costs a little more and is slightly less convenient, it helps to prevent egregious attacks where a criminal steals (or guesses, or buys) a user’s password today, and then uses it at their leisure to raid whole networks.
3. Use encryption
Just as you wouldn’t leave your home or car without locking the doors on your way out, you should also think of encrypting important or sensitive files as a matter of practice. Encryption gives you a valuable extra layer of protection against hackers, eavesdroppers, intellectual property thieves, and other cybercriminals.
Regardless of geography, size or industry sector, organizations can find themselves targeted by cybercriminals. These practices will help organizations ensure they won’t be easy targets and are able to defend themselves from cybersecurity nightmares that result in expensive problems and massive reputational damage that they may never recover from.