Changing the mentality on cybersecurity issues in SMEs.
Small and Medium-sized Enterprises (SMEs), or PYMES in Spanish.
PYMES are small and medium-sized companies, defined by limits on their number of employees and their capital.
While it is true that awareness has progressed greatly among companies, IT leaders, directors, employees and third parties such as clients and suppliers, a slowdown has been noticed in the SME sector. Recently I was asked: have you seen more interest in cybersecurity from industries that previously seemed a little less concerned? Of course they have; however, it is a small number.
We know that compliance-driven industries have had to upgrade their cybersecurity and accelerate their digital transformation, as their compliance requirements are starting to get serious.
I think that, in general, people are realizing that anyone can be breached or attacked; however, I still encounter companies with the mentality that cybercriminals are not interested in them, when in reality that is not the case. It is as simple as that.
Personally, I have spent years working to raise awareness and to introduce and educate people and companies in a general way. This is very important, and it must be done "without sowing fear"; of course, uncertainty and doubts are always generated. In the same way, in many cases I have managed to change the way people see what they invest in cybersecurity, since I consider that it makes commercial sense if you consider the losses that can be avoided; I cannot deny that what matters is the impact it can have on the business.
Cybersecurity for SMEs
Today, companies are no longer completely new to cybersecurity. I have seen cases in which they need help to visualize their digital state and develop business continuity plans (I put it this way to encompass the general requirements of their digital transformation), but progress is noticeable.
What is very common is that when it comes to cybersecurity we often have to start from scratch. Many companies grew very abruptly and in a very bumpy way since the pandemic, when digitalization processes had to be accelerated or solutions had to be acquired to meet market demand, remote work and information security; in many cases the critical process path had to be redesigned due to trends and changes in technology.
I mention this because personally I always start by evaluating all of the client's technology, beyond cybersecurity, and then, based on best practices and industry standards, we create a plan that guarantees business continuity, built on risk management, the identification of critical assets, the cost of operational stoppage, and many other factors that interrupt and impact the business.
When it comes to cybersecurity in particular, there are many more steps that fall into the categories of "Do I really need to do this?" and "Is it necessary?". This part undoubtedly involves the economic aspect: we have to identify when, how and why each investment in cybersecurity should be applied, and we must ensure that the investment makes sense from a business point of view.
In my experience, integrating critical technology and cybersecurity roadmaps with business strategy is key to success. If they are not integrated this way, the problem may be solved now, but in the long term it will not help the business.
This undoubtedly impacts and undermines cybersecurity efforts. Specifically, cost is definitely a problem for SMEs because their budgets are smaller and their ability to invest in multiple tools is restricted or limited; in addition, many providers initially serve large companies with large teams, and technology arrives late to SMEs, which became evident when the chip shortage occurred at a global level.
In almost all the cases I had the opportunity to verify, operating expenses increased because of this, considering that the smallest companies do not have the skills or the staff to meet internal needs, so one person does many tasks, whether or not they are within their field or profile.
Network Visibility
From a technical point of view, having visibility of the company's assets gives a lot of peace of mind and allows better control and administration. Initially, of course, as we all know, everything flows through the network, especially because nowadays everything is more driven by SaaS, for example (there are more technologies currently in use). It helps a lot because there are fewer problems related to the device itself and you will be able to review how information flows through the network; in particular I like to look at a topology map, network performance, and how we can improve and optimize things.
Obstacles in cybersecurity for SMEs
On the contrary, I think they convince themselves that they are not a possible target because of their size or because, in their opinion, they do not have many services outside the company. What I have also realized is that the biggest problem is not that SMEs feel they cannot operate cybersecurity competently, but rather that they do not know how to start.
This creates a lot of uncertainty: for example, that all antiviruses are now marketed as XDR, or that all technologies claim to use artificial intelligence and machine learning. For some, it is possible that their digital transformation plan is not giving the planned results; for others, excellent sales suddenly force them to grow their staff, causing a butterfly effect in the increase of equipment, licenses of all types, training, policies, nodes in the network structure, distribution capacity, and many other aspects that arrive unexpectedly and whose impact is not immediately clear; however, the cost-benefit will always be against them.
Therefore, as a symptom, business leaders tend to have no idea where to start and often rely on word of mouth for a starting point instead of taking a strategic approach. There are, for example, finance staff carrying out cybersecurity tasks, and IT personnel who not only look after the network structure but are also turned into application developers; as I mentioned, there is no budget and one person has to be responsible for several roles.
“People underestimate how easy it is to use social engineering, brute force, or just guess a password to access someone's computer.”
Where to start?
If the management of an SME suddenly realizes that they need to start taking cybersecurity seriously, what would be my recommendation? First, an observation: to be honest, they have already taken too long. We must take this situation head-on: talk with the company's management, review its objectives, identify its assets and establish business operation priorities. I say it again: prepare a business continuity plan. The date does not matter; the relevant thing is that you have to start somewhere.
Beware of those who respond, "I don't know where to start, I have no idea if the investment will pay off, I don't know, therefore I won't do anything," especially if it is one of your business partners. Be alert: this opens a huge security gap for those who have already been working on their business continuity and risk management plan.
Basic cybersecurity recommendations for SMEs.
1. Broadband and information technology are powerful enablers for small businesses to reach new markets and increase productivity and efficiency; however, businesses need a cybersecurity strategy to protect their own business, their customers and their data from growing cybersecurity threats.
2. Employee awareness and training in security principles: establish basic security practices and policies for employees, such as requiring strong passwords.
Establish appropriate Internet usage guidelines that detail penalties for violating company cybersecurity policies.
Establish rules of behavior that describe how to handle and protect customer information and other vital data.
3. Passwords and authentication: require employees to use unique passwords and change them every three months, according to the established policy, and consider implementing multi-factor authentication, which requires additional information beyond a password to gain entry.
Check with your providers that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.
4. Physical and logical control: protect information, computers and networks from cyber attacks. Keep machines clean: having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats. Configure the antivirus software to run a scan after each update, and install critical operating system updates and security patches as soon as they are available; this can be centralized on a Windows network very easily.
5. Infrastructure: provide at least minimal firewall security for your Internet connection. A firewall is a set of related programs that prevent outsiders from accessing data on a private network. If employees work from home, make sure their home systems are protected by a firewall.
6. Policy: create an action plan for mobile devices. These can create significant security and management challenges, especially if they contain sensitive information or can access the corporate network.
Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks.
Be sure to establish reporting procedures for lost or stolen equipment.
7. Back up important business information and data.
Regularly back up the data on all computers; critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files and accounts receivable or payable files.
Such backups should be done automatically if possible, or at least weekly, and copies should be stored off-site or in the cloud.
8. Control physical access to your computers and create a user account for each employee; do not carry over settings and profiles from other users.
Prevent access or use of business computers by unauthorized persons.
Laptops can be a particularly easy target for theft or can be lost.
Limit employee access to data and information and limit the authority to install software, in line with least-privilege role profiles for access and activity.
Be sure to create a separate desktop user account for each employee and require strong passwords.
IMPORTANT: Administrative privileges should only be granted to trusted IT personnel and key personnel.
9. Make sure your Wi-Fi networks are secure, encrypted and hidden. To hide your Wi-Fi network, configure your wireless access point or router so that it does not broadcast the network name, known as the Service Set Identifier (SSID), and password-protect access to the router.
10. Employ payment card best practices: work with banks or transaction processors to ensure that the most trusted and validated anti-fraud tools and services are used.
You may also have additional security obligations under agreements with your bank or bank security provider.
Isolate payment systems from other less secure programs and do not use the same computer to process payments and browse the Internet.
11. Do not provide any employee with access to all data systems. It is a very bad practice; just because your operation has been working that way does not mean it is appropriate, and it causes many internal conflicts and liabilities.
Although it may seem very repetitive, employees should only have access to the specific data systems they need for their jobs and should not be able to install any software without permission.
12. Implement antivirus software: compare three antivirus options before purchasing, and choose one that can protect all your devices from viruses, spyware, ransomware and phishing scams.
Ensure that the software not only offers protection but also technology that helps you clean devices as necessary and restore them to their pre-infection state. It is important to keep your antivirus updated to stay safe from the latest cyber threats and fix any vulnerability.
13. Use a virtual private network (VPN). A VPN provides another layer of security for your business; VPNs are proven to allow employees to access your company network securely when working remotely or traveling.
They do this by funneling your data and IP address through another secure connection between your own Internet connection and the actual website or online service you need to access.
They are especially useful when using public Internet connections, such as in coffee shops, airports, or Airbnb, which can be vulnerable to hackers.
A VPN offers users a secure connection that separates hackers from the data they hope to steal.
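Several of the recommendations above (items 3, 8 and 11: unique accounts, password rotation every three months, multi-factor authentication, administrative rights only for IT staff, and no employee with access to every data system) can be checked mechanically once the company has a list of its accounts. The script below is an added example, not code from the article; the account inventory is constructed, and in a real SME it would be exported from the directory service or the SaaS admin consoles the company uses (assumption). It flags, per account, which policy items are not met.

```python
"""Audit a small account inventory against the basic SME policy items above.

Added example, not code from the original article. The inventory below is
constructed; in practice it would be exported from the directory or the
SaaS admin consoles the company actually uses (assumption).
"""
from datetime import date

# Policy values taken from the recommendations: rotate passwords every three
# months (taken here as 90 days), MFA on, admin rights only for IT staff,
# nobody with access to every data system.
MAX_PASSWORD_AGE_DAYS = 90
ADMIN_ALLOWED_ROLES = {"it"}
ALL_SYSTEMS = {"email", "erp", "crm", "payroll", "fileserver", "payments"}

# Fixed audit date so that the findings below are reproducible (assumption).
AUDIT_DATE = date(2024, 4, 15)

# Constructed inventory: one dict per account. "owners" lists the people who
# actually use the account, which is how a shared login shows up.
INVENTORY = [
    {"account": "ana", "owners": ["Ana"], "role": "finance",
     "password_set": date(2024, 2, 1), "mfa": True, "admin": False,
     "systems": {"email", "erp", "payroll"}},
    {"account": "shared-sales", "owners": ["Luis", "Marta"], "role": "sales",
     "password_set": date(2023, 6, 1), "mfa": False, "admin": False,
     "systems": {"email", "crm"}},
    {"account": "carlos", "owners": ["Carlos"], "role": "it",
     "password_set": date(2024, 3, 20), "mfa": True, "admin": True,
     "systems": set(ALL_SYSTEMS)},
    {"account": "pedro", "owners": ["Pedro"], "role": "operations",
     "password_set": date(2024, 3, 1), "mfa": True, "admin": True,
     "systems": set(ALL_SYSTEMS)},
]


def audit_account(acct, today):
    """Return a list of (finding_code, explanation) tuples for one account."""
    findings = []
    age = (today - acct["password_set"]).days
    if age > MAX_PASSWORD_AGE_DAYS:                       # item 3: rotation
        findings.append(("password_age", f"password is {age} days old"))
    if len(acct["owners"]) > 1:                           # item 8: one account per employee
        findings.append(("shared_account",
                         "account used by " + ", ".join(acct["owners"])))
    if not acct["mfa"]:                                   # item 3: MFA
        findings.append(("no_mfa", "multi-factor authentication not enabled"))
    if acct["admin"] and acct["role"] not in ADMIN_ALLOWED_ROLES:   # item 8: admins
        findings.append(("admin_outside_it",
                         f"admin rights on a {acct['role']} account"))
    if acct["systems"] >= ALL_SYSTEMS:                    # item 11: no all-systems access
        findings.append(("all_systems_access", "has access to every data system"))
    return findings


def audit_inventory(inventory, today=AUDIT_DATE):
    """Map account name -> findings, only for accounts that have at least one."""
    report = {}
    for acct in inventory:
        findings = audit_account(acct, today)
        if findings:
            report[acct["account"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        for code, why in findings:
            print(f"{name:13} {code:19} {why}")
```

The codes are deliberately coarse so that a non-specialist (the finance person who often ends up doing this work in an SME) can read the report and map each line back to the numbered recommendation it violates.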
Conduct a risk assessment
This step should be carried out after implementing the basic security measures for SMEs: the business continuity plan is taken up again, and the configuration, policies and procedures are established to reach an agreement on the resilience of the business.
Evaluate the potential risks that could compromise the security of your company's networks, systems and information. We must identify and analyze possible threats. This information can help you design a plan to close security gaps.
It is crucial that, as part of your risk assessment, you base this plan on determining where and how your data is stored and who has access to it, identifying who may want to access the data (authorized by a higher level) and how they might try to obtain it.
If your company's data is stored in the cloud, you can ask your cloud storage provider to help you with your risk assessment.
Establish risk levels for potential events and how breaches could potentially impact your business.
Once this analysis is complete and you have identified threats, use the information you have collected to develop or refine your security strategy, reviewing and updating it at regular intervals and whenever you make changes to the storage and use of information. I assure you that this ensures that your data is always protected.
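The risk assessment described above (where the data is stored, who has access, which events could affect it, and a risk level for each) is easiest to keep honest as a small register that can be re-scored whenever something changes. The following is an added example, not code from the article: the assets, access lists and threat events are constructed, and the scoring rubric (likelihood and impact on a 1 to 5 scale, multiplied and banded into four levels) is an assumption chosen for illustration rather than a method the article prescribes.

```python
"""Minimal risk register for an SME risk assessment.

Added example, not code from the original article. Assets, access lists and
threat events are constructed; the 1-5 likelihood x impact rubric and its
level bands are an assumption for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str         # the data or system being protected
    stored_in: str     # where it lives
    access: tuple      # groups who can reach it
    threat: str        # how someone might try to get at it
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (business-stopping)

    @property
    def score(self):
        return self.likelihood * self.impact


def risk_level(score):
    """Band a 1..25 score into a qualitative level (assumed rubric)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


# Constructed register for a small business.
REGISTER = [
    Risk("customer database", "cloud CRM", ("sales", "management"),
         "phishing of a sales login that has no MFA", 4, 4),
    Risk("payroll files", "file server", ("finance", "it", "operations"),
         "ransomware reaching the server from an unpatched workstation", 3, 5),
    Risk("payment terminal", "point-of-sale PC", ("cashiers",),
         "malware picked up by browsing the web on the same PC", 3, 4),
    Risk("marketing brochures", "shared drive", ("everyone",),
         "accidental deletion", 2, 1),
]


def prioritize(register):
    """Highest risk first; ties broken by asset name so the order is stable."""
    ranked = sorted(register, key=lambda r: (-r.score, r.asset))
    return [(r.asset, r.score, risk_level(r.score)) for r in ranked]


def wide_access(register, threshold=3):
    """Assets reachable by at least `threshold` groups: first candidates for
    tightening access, since fewer people with access means fewer ways in."""
    return [r.asset for r in register if len(r.access) >= threshold]


def reassess(risk, likelihood=None, impact=None):
    """Return a re-scored copy after a control is applied or the business
    changes, so the register can be reviewed without losing the original."""
    return replace(risk,
                   likelihood=risk.likelihood if likelihood is None else likelihood,
                   impact=risk.impact if impact is None else impact)


if __name__ == "__main__":
    for asset, score, level in prioritize(REGISTER):
        print(f"{level:9} {score:2}  {asset}")
    print("wide access:", wide_access(REGISTER))
    # Example of a periodic review: enabling MFA on the sales accounts
    # lowers the likelihood of the phishing scenario.
    after = reassess(REGISTER[0], likelihood=1)
    print("customer database after MFA:", after.score, risk_level(after.score))
```

Re-running `prioritize` after each review is what turns the assessment into the regular update the text asks for; a control only "counts" once the corresponding likelihood or impact in the register has actually been lowered.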
If you have reached this point, I want to thank you for taking the time to read me, and I hope it is useful. In other articles we will look, domain by domain, at the cybersecurity to be implemented, based on a methodology.
I would appreciate your comments, and I would like to know: how, among all the cybersecurity specialists, can we create a guide for those companies that DO NOT have large economic or human resources to protect themselves?
Likewise, we could offer awareness talks with a panel of experts; suggestions are welcome, and I will respond to all your questions or comments.
Without further ado for the moment, I greet you from Mexico.
Your friend,
Partners' Assistant at Muñoz Manzo y Ocampo S.C.
10mo
It is important to realize that a systems person does not see everything, but that each one has his specialty and the importance of each specialty.