SME Security in 2021: What to Expect
SME Security in 2021: What to Expect
I speak with many SME’s every day, reminding them continually that they are not operating under the radar of serious cyber-attacks because they are not a bank or PLC. A very common response to security advice is: “We are just a small business, with a few employees”, but the threat from cyberattacks is real and immediate for SME’s, as much as for large corporations and charities in 2021.
Your digital assets are under siege
Through your PC’s, malicious actors can gain valuable information about you and your habits, which includes:
- Stealing Files
- Logging your keystrokes, gaining access to passwords and financial information
- Running software, so your computers become zombies, sending out spam to others
Worse, this is happening right now as you read these words.
You must secure your PC’s and your employees from these attacks. A proactive strategy is the best strategy when it comes to keeping your devices safe. But what does computer security mean?
Ultimately to secure computers, you need both a sound strategy and proper tactics.
Part of the big picture is knowing what policies, software, and hardware to put in place to stop those threats.
Not only do you need to install anti-malware programs on your computers, for example, but you also need to update those programs regularly to keep up with the constant barrage of new malware. Yes, this does require continual investment, but the time spent preventing a breach is just a fraction of what you would be expending post-attack.
Administrative accounts are vulnerable to attacks
Do not leave these accounts unchecked.
Administrative access enables full control over just about every aspect of the computer. This increased control means these accounts can do vastly more damage when compromised, amplifying the danger of cyber threats. A convincing spear-phishing attack could leverage that control to access files, install software, and change settings a typical account couldn’t touch.
Offboarding previous employee IT accounts is a key part of security and is often overlooked for long periods of time after the employee has left the company – this should be done immediately after the employee has left the company. You wouldn’t let a flatmate keep a key after they have moved out and keeping an ex-employee on company accounts threatens security in a similar fashion.
Does someone in your company have access to systems they shouldn’t have?
Does your IT environment still contain user accounts of employees, who no longer work at your company?
Ensuring that the administrative accounts are properly managed is paramount when keeping your business safe from cybercrime.
The recent SolarWinds Cyber Breach
It has been announced that SolarWinds has been the subject of a major attack over the past 9 months through which hackers have seized control of computers which have the software installed.
What happened, and does this affect you?
I can answer this quickly, this attack isn’t of any concern unless you have used Orion.
What advice we would recommend on what precautions we would advise. This attack was almost certainly state-sponsored, would have penetrated several Governments, many FTSE 100 companies, and a world-renowned cybersecurity company. Basically, you cannot protect against these kinds of attacks. But they are not targeting SME’s.
What is essential though, is that all businesses protect themselves appropriately. At Lucidica we recommend the following:
- Full ATP and 2FA across all accounts
- 3rd party backup on all accounts outside Office 365
- CloudApp security and AI alerting across your files, data & user activity
- Individual automatic file-level encryption on specific files based on their content
- A proper password manager that can securely share company passwords
As 2020 fades into history, it is important that SME’s do not feel they are operating under the radar of serious cyber-attacks and ensure their security is up to date.
Tim Mallinson is a client services representative at Lucidica who supports the client services department and engineering department.