Various technical and organizational measures are required to protect against cyber attacks.
Some of these can be implemented by SME managers themselves, while others should be discussed with internal or external IT managers.

This article summarizes the protective measures you need to take.


Organizational measures against cyber attacks

Settle responsibilities

Appoint someone in your company to be responsible for the various tasks relating to IT systems security.
Clarify roles and responsibilities for emergency and crisis management, as well as the scope of each role's authority.
As part of this, identify the interfaces with your partners (for example your IT service provider), so that processes on both sides can be coordinated.

Define with your IT manager the security incidents you absolutely want to be informed about.
This includes incidents affecting your own infrastructure or that of your IT service provider.

Take stock of your IT environment

Draw up a detailed list of your IT infrastructure.
You only know what you need to protect and monitor if you know your IT infrastructure, services, computers, users and so on.

Take precautions against cyber attacks

A good strategy against cyber-attacks begins before any incident occurs: well-honed processes and escalation channels are essential to maintain control.

Define which log files are saved and for how long.
It’s best to centralize them.
Detailed log files help you to understand the origin of the attack, to obtain information about infected systems in your own network, and to take corrective action.
Given their importance, the data protection aspects of log files should never be neglected.
Clarify questions concerning log files and attack detection with your IT manager.

Pre-emergency strategy

  • Communication and crisis plan adapted to the size of the SME and agreed with the service provider.
  • Contact list (internal and external departments, service providers).
  • Considerations:
    • relating to the total loss of the IT landscape (replacement, resumption of activities, loss of data, etc.),
    • on the means of communication to be used if the computer systems are no longer available.
  • IT emergency scenarios, exercises and infrastructure vulnerability reviews.

Find out more about Business Continuity Planning.

Regulate the handling of sensitive information and data

Draw up an inventory of your data and information, and define sensitive elements.
Design a protection plan for these elements.

Think carefully about the information you publish on your website or social networks, as this information is harvested by hackers.
The person responsible for financial affairs with access to e-banking should not be mentioned on your website.
As a matter of principle, no confidential information or data should be transmitted over channels that neither verify the identity of the other party nor protect the content, such as the telephone or plain e-mail.
Confidential information intended for an external service should be systematically encrypted or sent by post.

Many programs rely on cloud services; be cautious when using them.
Ask yourself which data should be stored locally and which in the cloud.
Sensitive data should never be entrusted to a cloud without being encrypted.

Before using a cloud service, please read the provider’s general terms and conditions (GTC) and observe the legal provisions on data protection, as data may not be passed on, for example for commercial purposes.

Use secure passwords

Define binding rules for passwords, apply them systematically and ask your staff to do the same.
Passwords should be at least twelve characters long and include upper and lower case letters, numbers and special characters.

Ideally, a password is generated randomly and does not derive from personal information such as a name or date of birth.

Never give out passwords, access data or banking information over the phone, by e-mail or on a web form reached through a link in a message.

Avoid using the same password in several places: a password leaked from one service is otherwise tried against all the others.
Two-factor authentication provides additional protection.
If it is difficult to remember several passwords, it is worth using a password manager.

By following these rules, you do not have to change your passwords periodically.
However, change a password immediately if a third party may have learned it, and revoke or change shared passwords as soon as a member of staff leaves the company.
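The password rules above (minimum length, four character classes, no personal information, random generation) can be enforced in code. The following is an added example, not code from the original page or its author; the set of special characters and the sample personal data are assumptions made for the example.

```python
import secrets
import string

# Policy stated in the text: at least twelve characters, with upper- and
# lower-case letters, digits and special characters.
MIN_LENGTH = 12
# Which characters count as "special" is an assumption for this example.
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
CLASSES = (
    ("lower-case letter", string.ascii_lowercase),
    ("upper-case letter", string.ascii_uppercase),
    ("digit", string.digits),
    ("special character", SPECIALS),
)


def check_password(password, personal_info=()):
    """Return the list of rules the password violates (an empty list means compliant).

    personal_info: strings such as first name, surname or birth year that the
    password must not contain (case-insensitive).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES:
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    lowered = password.lower()
    for item in personal_info:
        # Very short fragments (e.g. a two-letter initial) would match almost anything.
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


def generate_password(length=16):
    """Generate a random password that satisfies check_password().

    secrets.choice draws from the OS CSPRNG; random.choice would not be suitable.
    Rejection sampling keeps the distribution uniform over compliant passwords.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(chars for _, chars in CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample data for the demonstration (not real accounts).
    print(check_password("Summer2024!"))                       # too short
    print(check_password("MariaMueller1985!", ("Maria", "Mueller", "1985")))
    print(check_password(generate_password()))                 # []
```

The reuse rule ("never the same password in several places") cannot be checked by a single system; it is what a password manager solves, since it stores one generated password per site.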

Raising employee awareness

Protection against cyber attacks is the responsibility of SME managers.
This includes raising staff awareness.
Small business secretaries take on a great deal of responsibility within the company, and are increasingly required to make decisions of an IT nature.
It is advisable to train SME secretaries specifically in this area, and to invest in security awareness programs for staff.

Be careful with e-mails

Malware often lands on your computer through attachments, disguised as invoices or job applications.
Block the receipt of dangerous attachments, such as executable files, scripts and macro-enabled Office documents.

Make sure that no macro of uncertain origin can be executed in Office documents.
Discuss this with your IT manager.
Define how your staff can report suspicious events (by e-mail, from their computer, by telephone, etc.) and, where possible, enable a function for reporting suspicious e-mails with one click.
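An attachment filter of the kind the two paragraphs above ask for can be written with the standard library alone. This is an added example and not code from the original page: it blocks executables and scripts by extension (including double extensions such as invoice.pdf.exe) and, for modern Office files, opens the ZIP container and looks for an embedded VBA project. The blocked-extension list and the sample attachments are constructed for the example.

```python
import io
import zipfile

# Extensions that have no business arriving by e-mail (assumed list for this example).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "ps1", "hta", "lnk", "iso", "img",
}
# Zip-based Office formats (OOXML). Macro-enabled variants end in "m", but a
# .docx can also carry a vbaProject.bin, so the content is inspected regardless.
OFFICE_OOXML = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}
# Legacy binary Office formats cannot be inspected with zipfile.
OFFICE_LEGACY = {"doc", "dot", "xls", "xlt", "ppt"}


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip-based) Office file embeds a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'allow', 'review: ...' or 'block: ...' for one attachment."""
    name = filename.lower().strip()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"block: executable or script (.{ext})"
    if ext in OFFICE_OOXML:
        if has_vba_project(data):
            return "block: Office document with macros"
        return "allow"
    if ext in OFFICE_LEGACY:
        return "review: legacy Office format, macros cannot be ruled out here"
    return "allow"


def scan_attachments(attachments: dict) -> dict:
    """Classify every (filename -> bytes) pair; suitable for a mail-gateway hook."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word container for the demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00VBA")
    return buf.getvalue()


# Constructed sample attachments (contents are placeholders, not real files).
SAMPLE_ATTACHMENTS = {
    "invoice.pdf.exe": b"MZ\x90\x00",
    "Rechnung_2024.docm": build_ooxml(True),
    "offer.docx": build_ooxml(False),
    "application.pdf": b"%PDF-1.4",
    "old_contract.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:20} {verdict}")
```

The extension check catches the common disguise (a PDF-looking name with a final .exe), and the content check catches macros even when the extension is the "harmless" .docx. Files the filter cannot inspect are sent for review rather than silently allowed.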

Be vigilant when communicating with customers.
Send e-mails in plain text only, and be sparing with attachments.
Avoid Office documents with macros, preferring PDF documents.
If you include links, do not point them at pages that ask for usernames, passwords or other data; otherwise your customers cannot tell your messages from phishing.
Most fraudulent e-mails are not personalized, so if possible, address your customers by their first and last names.

Those who know their system’s vulnerabilities can protect it from cybercriminals.

Protect your online banking accounts

Use a separate computer for your payments, one that is not used for web browsing or e-mail.
Talk to your IT manager about making online payments in an environment isolated from other applications (sandboxing), or in a specially hardened virtual machine.

Clarify all payment traffic processes.
These must be respected by staff in all cases.

For example, the four-eyes principle (dual control) and/or collective signature: payments must be approved by a second e-banking user before they are released.
This is all the more necessary if several members of staff can initiate payments.
Discuss possible security measures with your bank.

Technical measures against cyber attacks

Save your data

Define a process for regular data backups and stick to it.
Decide how many days of data you can afford to lose (this determines how often you back up), and keep an additional copy of each backup offline and off-site.

Practice restoring a backup from time to time, so that both you and your deputy are familiar with the process.
Be sure to keep previous backups for several months: a backup taken after an infection or an accidental deletion is of no use, and the problem is often noticed late.
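The two backup rules above (a tolerated loss measured in days, and older backups kept for several months) translate into a retention schedule. The following is an added example and not code from the original page: it keeps every backup of the last two weeks, the last backup of each week for eight weeks and the last backup of each month for six months; those three numbers and the sample backup dates are assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta


def retention_plan(backups, today, keep_daily=14, keep_weekly=8, keep_monthly=6):
    """Decide which backups to keep and which may be pruned.

    Keeps every backup of the last `keep_daily` days, the last backup of each
    ISO week for `keep_weekly` weeks and the last backup of each calendar
    month for `keep_monthly` months. Returns (keep, prune) as sorted lists.
    """
    backups = sorted(set(backups))
    keep = set()

    # Daily tier: everything recent enough to restore yesterday's state.
    for d in backups:
        if 0 <= (today - d).days < keep_daily:
            keep.add(d)

    by_week = defaultdict(list)
    by_month = defaultdict(list)
    for d in backups:
        by_week[tuple(d.isocalendar())[:2]].append(d)   # (ISO year, ISO week)
        by_month[(d.year, d.month)].append(d)

    # Weekly tier: the newest backup of each week.
    for dates in by_week.values():
        last = max(dates)
        if 0 <= (today - last).days < keep_weekly * 7:
            keep.add(last)

    # Monthly tier: the newest backup of each month, counted in whole months.
    for (year, month), dates in by_month.items():
        months_ago = (today.year - year) * 12 + (today.month - month)
        if 0 <= months_ago < keep_monthly:
            keep.add(max(dates))

    prune = [d for d in backups if d not in keep]
    return sorted(keep), prune


def rpo_satisfied(backups, today, max_days_lost):
    """True if the newest backup is recent enough for the tolerated data loss."""
    if not backups:
        return False
    return (today - max(backups)).days <= max_days_lost


# Constructed sample: one backup per day from 2024-01-01 to 2024-06-30 (182 days).
SAMPLE_BACKUPS = [date(2024, 1, 1) + timedelta(days=i) for i in range(182)]

if __name__ == "__main__":
    today = date(2024, 6, 30)
    keep, prune = retention_plan(SAMPLE_BACKUPS, today)
    print(f"keep {len(keep)} backups, prune {len(prune)}")
    print("oldest kept:", keep[0])
    print("RPO of 1 day met today:", rpo_satisfied(SAMPLE_BACKUPS, today, 1))
    print("RPO of 1 day met on 3 July:", rpo_satisfied(SAMPLE_BACKUPS, date(2024, 7, 3), 1))
```

Run against the sample, the plan keeps 25 of 182 backups, the oldest dated 31 January. The `rpo_satisfied` check is the one to alert on: it turns the "days you can afford to lose" decision into something a monitoring job can test every morning.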

Carry out security updates

Old software is a popular entry point for malware.
Make sure your systems are always up to date, including the Content Management System (CMS) for your web pages.
Most CMS offer an automatic update function that’s easy to activate.

Install antivirus software

Install antivirus software on every computer and activate real-time protection.
Make sure it is regularly updated and performs a full system scan every day.

Secure your remote access

Remote access to your network should never be protected by simple authentication (username and password) alone.
At the very least, require two-factor authentication, and route remote access through a virtual private network (VPN); note that a VPN that itself accepts only a username and password does not solve the problem.
This also applies to access by external IT managers.

If you’d like us to support you in your IT security initiatives, don’t hesitate to call on our experts.

CASE STUDY

Cybersecurity with Micro-Learning
for a Geneva-based foundation

Discover the case study.