7 Essential Cyber Security Controls for Small Businesses

The average worker at a company with less than 100 employees receives 350% more social engineering attacks than staff at larger enterprises.

And yet, according to the government’s latest Cyber Security Breaches Survey, these smaller businesses often fail to identify attacks on their systems — suggesting that smaller organisations aren’t prioritising cyber security despite their heightened risk.

To help SMEs understand their threat level and necessary protections, our in-house Security Operations Centre (SOC) has compiled the following seven questions to ask IT teams or providers…

1. Do we have a defined incident response plan?

When you experience a cyber attack on your cloud-based systems, recovering business-critical data from servers over the internet can take days — which is time that many businesses can’t afford to be without their crucial tools and processes.

There are many aspects to responding to a breach, ranging from identifying and containing the threat to analysing and reporting its impact. So, every SME must have a pre-defined incident response plan to avoid unnecessary delays.

This document should be accessible by everyone and cover roles and responsibilities, with a list of priorities that defines the assets your business can’t function without to ensure they’re recovered first.

2. Are we using behaviour-based technologies to prevent malware?

Most small businesses will use a legacy antivirus app like Microsoft Defender or an alternative off-the-shelf solution that blocks known threats.

Unfortunately, these basic antivirus solutions can no longer comprehensively protect organisations against modern-day attacks. That’s because they can’t block unknown ransomware or malware — leaving your systems vulnerable to cyber breaches.

So, it’s crucial to go beyond these simple protections and deploy behaviour-based technologies such as Endpoint Detection and Response (EDR) to prevent previously unseen viruses from entering your network.

3. Do we carry out patching of third-party applications?

You might think you’ve covered this by enabling auto-updates for your Microsoft systems, but your teams will be using plenty of third-party software applications you need to be patching.

For example, business-critical resources like Firefox, Chrome, Java, Sage and the Adobe suite aren’t covered by your standard Microsoft updates and require additional patch management to address bugs or vulnerabilities and prevent data breaches.

4. Are we conducting security awareness training for staff?

Even the most sophisticated cyber attacks often start as a social engineering scam, such as a phishing, pretexting or spear phishing attack.

As a result, reducing human error (which 95% of cyber security issues can be traced to, according to The Global Risks Report 2022 by IBM) should be a top priority for all SME leaders.

Raising awareness about cyber crime and teaching staff how to identify and respond to common threats is the first step in achieving this goal.

This training might involve sharing password hygiene tips, enforcing mobile device security best practices or running phishing testing to assess employees’ response to simulated attacks — anything that helps build a more cyber-aware culture at every level of your business. 

5. Do we use multi-factor authentication across our cloud services?

Microsoft 365 offers multi-factor authentication (MFA) for your admins and user accounts, requiring users to provide two or more verification factors to prevent unauthorised access to your network.

If you haven’t enabled MFA for Office 365, it’s easy to set up in Microsoft’s admin centre. And like patching, installing it on all the other systems you use is crucial.

Whether you use a file hosting service like Dropbox, a project management platform like monday.com or an alternative tool built into Microsoft 365, having MFA working will reduce your attack surface, limiting your business’s risk.

6. Do we use network segmentation?

Network segmentation splits your network into smaller sub-networks to compartmentalise devices, systems and data. It controls the flow of communication within your network and prevents a successful breach from impacting your entire IT environment.

Without this risk mitigation measure, one compromised device could become a single point of failure for your entire technology estate. So, if you don’t already use network segmentation, introducing it could significantly improve your security level and support regulatory compliance.

7. Are we checking our emails for anti-spoofing?

Domain spoofing involves using a company’s email address to impersonate the organisation or one of its employees. This strategy can lead victims to unknowingly share personally identifiable information (PII), financial credentials or other business-sensitive data with a malicious third party.

There are three different types of email domain anti-spoofing configurations: Sender Policy Framework (SPF), DomainKeys Identified Email (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

Business email systems need all three configurations to achieve adequate anti-spoofing protection; just harnessing a single authentication protocol leaves gaping holes in your email domain defences.

As a result, it’s crucial to find out which configurations you currently use and invest in any you don’t already have.

Secure your IT systems

If your business is already doing everything listed by our Cyber Security experts above, your overall cyber risk is significantly lower than most other SMEs’.

However, if one of these protocols isn’t in place, a successful attack is more likely. Plus, there’s a higher chance of a breach spreading within your IT infrastructure, risking sudden downtime and irreparable damage.

So, if you want to reduce your attack surface and gain better visibility of your systems, ask your IT provider these seven questions today and get started on making improvements — before it’s too late…