Policy Monitor

Eight smart strategies to help SMEs protect themselves against cyber-attacks

Report after report and survey after survey are highlighting the ongoing and increasing cyber threats facing organisations, especially SMEs. So what practical steps can your business take to protect itself and increase its operational resilience?

How big are the threats?

This year the World Economic Forum identified cyber security failure as one of the top 5 global risks. The UK’s annual Cyber Security Breaches Survey found that 39% of UK businesses identified a cyber attack in the last 12 months, and ‘cyber immature’ organisations are likely to be significantly underreporting. Other reports show that:

  • 43% of all data breaches involve small and medium-sized businesses
  • 83% of SMEs are not financially prepared to recover from a cyber attack
  • 90% of security breaches are due to mistakes by users

Cyber threats are real, increasing and ever evolving in their sophistication. Here are eight smart strategies to help you stay ahead of cyber criminals and state-sponsored bad actors.

  1. Make the most of the help and advice that is available
    We are very fortunate in the UK that there is a national approach to cyber security spearheaded by the National Cyber Security Centre. The NCSC, launched in October 2016, understands cyber security and stays on top of current and emerging threats. It turns this knowledge into practical guidance that is made freely available to all. For example, the NCSC website currently features advice and guidance on over 40 topic areas including Access Control, Authentication, Cloud, Devices, Internet Of Things, Remote Working and Supply Chain among many other hot topics.

    Cyber Essentials is the NCSC’s assurance product which aims to help protect UK organisations from the most common cyber threats. Following this advice helps an organisation demonstrate its commitment to cyber security and this can be further bolstered by gaining Cyber Essentials certification from NCSC’s partner organisation the IASME consortium. Certification is a good way to demonstrate a commitment to cyber security to customers and supply chain partners. Some Government contracts require Cyber Essentials certification.

  2. Formalise your ongoing approach to cyber security
    Once you have gained an awareness of the issues, threats and your potential vulnerabilities it is important to document your approach so that it is methodical and repeatable – and can be proven to be so. The best results will be achieved by focusing on the three main areas of people, policy and process and utilising tools which can help monitor your cyber security defences and responses.

    Cyber security is not a topic which can ever be ticked as complete. It needs an ongoing process which is fine tuned and changed over time as the threats evolve. It is not a one-off exercise or something that can be diarised like annual PAT testing of office equipment.

  3. Scan for vulnerabilities
    Vulnerabilities are potential issues in the code that supports an organisation’s underlying operating systems and business applications. Cyber criminals can exploit such vulnerabilities to gain access into systems, data and supply chains. Once in, they can steal the data, block access by encrypting information systems to demand a ransom, jump between systems or lay low waiting to exploit a future opportunity for money or mayhem.

    There are tools which can scan an organisation’s systems to identify areas of potential vulnerability, assess the threat levels and highlight what remedial actions can be taken to increase protection. It is good practice to scan for vulnerabilities regularly and/or when threat levels have increased to protect your organisation from being breached.

  4. Focus on your people
    Many security breaches are people-related and so focusing on cyber security awareness and ongoing employee training is essential. Employees need access to systems to do their jobs and, as hybrid working becomes more established, this is increasingly done from outside the relatively safe boundaries of company premises.

    Employees may themselves be bad actors seeking to steal data or defraud an organisation, but it is more likely that lax security procedures and training will lead to staff ‘leaving the door open’ for cyber criminals. Strong passwords provide the first line of defence against unauthorised access to systems and information. NCSC offers great advice on how to use passwords most effectively and this is regularly updated as threats change.

    One of the most popular pages on the NCSC website explains the ‘three random words’ concept. Combining three random words can create a password that is ‘random enough’ to keep out the bad guys, yet still easy enough for employees to remember.

  5. Stay up to date
    When security incidents do occur or threats evolve, the NCSC website provides up to date information and suggests effective incident responses to minimise harm. It is worthwhile regularly checking the site and also having employees keep an ear out for security-related items in the news. For example, the NCSC features updates on using Russian technology, increased cyber threats after the invasion of Ukraine and how to protect against the record numbers of online scams.

    It is also good practice to listen to what advice IT suppliers are offering and to apply the regular security patches and system updates which they recommend.

  6. Ongoing review and action
    As part of an organisation’s ongoing cyber security procedures, it is important to document, audit and regularly review threats and security at senior levels right up to the board. A cyber security breach is not an IT problem; it is a potential threat to the whole organisation. Problems can lead to ransom demands, loss of sensitive data, system downtime and destruction of brand value and reputation.

  7. Be prepared
    Practise how the organisation would respond in the event of a cyber-attack. Have in place the third parties that you would need to call on in the event of an attack, for example lawyers, your PR team, forensic data analysts to help identify the attack source, and business continuity (BC) and disaster recovery (DR) facilities. Above all, keep in a separate storage place copies of all the information you need to put your plan into action. It’s no good if the recovery plan is lost as well.

  8. Liability
    There is a trend for C-level executives to be held accountable by the courts, public and shareholders for major breaches in security. Executives can be personally fined or lose their jobs and reputation. Proof that everything possible has been done via comprehensive documentation, regular audits and relevant certifications can protect against legal action, fines and the invalidation of insurance terms. It can also allow SME leaders to sleep at night.

Policy Monitor has cybersecurity experts and practical tools which can help your organisation implement these eight smart strategies to keep it safe from threats. For more information visit www.policymonitor.co.uk
