Seven steps for an SME to create good cyber habits

Eleanor Bradley, chief operating officer at Nominet, reveals how companies can take measures to avoid becoming victims of online criminals
Habits are hard to break. Our brains prefer to learn behaviours and stick to them; walking a well-worn neural network is much easier than trying to create a new one. This serves us when it comes to routine tasks like brushing our teeth or making tea, but it can cause us to maintain habits that are damaging or could leave us vulnerable.
Small- and medium-sized enterprises (SMEs) have their own habitual activities. This can be important, helping to deliver consistency and reliability to the customers. It can also be a necessity when operating on tight margins and with limited resources.
That said, there is one area of operations within which habitual behaviours can be damaging: the new and evolutionary landscape of digital. Operating online has brought many benefits for the SME, but has also introduced the risk of cyber attacks, which are ever-changing and demand a business be agile and dynamic in its efforts to stay secure.
That isn’t to say that SMEs are unaware of these risks. According to Allianz research [1], SME owners listed fears of data loss, misuse and theft as the biggest threats for 2018 – higher even than Brexit.
However, fears are not necessarily turning into action. New research from Business in the Community (BITC) found that one in three small businesses in the UK don’t have any cyber security strategies in place if things go wrong. In the past 12 months, 40% say they have not taken any cyber security actions at all, and more than three-quarters (77%) have no policy for controlling access to systems. With the average cyber breach costing up to £8,000 to recover from, not taking cyber security seriously is a mistake that SMEs literally cannot afford to make. 
Insurance is just one aspect of a cyber resilience plan that all SMEs operating today need to have in place. Good cyber security needs to become a habit of any company – it should be built in at every level of the business and be part of everyone’s job description, no matter what their role. Only with a company-wide effort towards cyber resilience can an SME be ready for whatever cyber criminals may try, and stand the best chance of avoiding a damaging attack.  
Encouragingly, basic cyber security is easy to implement. SMEs that feel they lack appropriate experience, or the money to hire an expert, need not despair. There are also lots of free online resources to help create good cyber habits, one of which is the BITC website, with advice and resources to help SMEs feel ‘cyber ready’.
So how to make it happen? Here are seven steps for an SME to start creating good habits and make the move from fearing a cyber attack to being as prepared and as ready as possible to face it:
  1. Know your enemy: Read online about the different types of cyber attack and the ways in which criminals commonly try to infiltrate systems. Then consider your own business and identify your vulnerabilities: for example, how security conscious are your suppliers? Do they represent a risk to your business? 
  2. Get your staff involved: Educate all your employees on the importance of cyber security and involve them in the process of keeping the business safe. They don’t need to be experts, but if they can recognise and flag a fraudulent email, and practise good password management, they can better secure your company. For example, create a company culture around security and encourage different departments to compete in a security ‘league’ as an incentive. Applications such as LastPass can also help staff keep their passwords secure, while passphrases that include letters, numbers and symbols can often be less vulnerable than predictable words – for example 1Reallyh8Apples. Also consider requiring passwords of more than 14 characters, which are much harder to crack.
  3. Plan for the fallout: Set aside some time to imagine the worst-case scenario with key personnel from across the business. You should discuss how you would react, what steps you would take, and how you could maintain business continuity in the event. Create a plan and review it regularly.
  4. Back up your data: Make sure that all your data is backed up in another location so that you would be able to recover any data stolen in a breach. Make sure you then update the recovery data often to keep it as accurate and useful as possible. 
  5. Anti-virus and firewalls: Invest in good quality anti-virus protection and install firewalls to keep all networks and devices safe. Then keep your software updated to ensure that criminals can’t exploit old faults or systems. 
  6. Bring-your-own-device issues: Ensure that all the devices your staff are using for their work are secure, including personal phones, tablets and laptops. Make it company policy that staff have their laptops scanned and checked before they use them for work or to connect to the company network. 
  7. Insurance: Consider cyber risk in the same way you approach fire risk or the risk of bankruptcy. Taking out insurance could be a sensible way to ensure you can financially recover in the aftermath of a breach.  
Taking cyber security seriously is now a necessity for any business, no matter the size or the industry. SMEs have the most to lose, simply because of their small size; large organisations can usually swallow the cost of a data breach, but a hack can topple an SME.
Now is the time to turn the anxiety and fear of cyber attack into a proactive security strategy, and for SMEs to create new habits and routines to keep their businesses safe. Just as our brains like things easy, so do the criminals – don’t be the easiest target in 2019.  
Read Business in the Community’s new report, ‘Would you be ready for a cyber attack?’, or find out more about Nominet’s cyber security services.
  1. Top five biggest threats facing SMEs by Allianz