What Cyber Security Processes and Mechanisms SMEs Need

Irek Bagautdinov

Head of Cybersecurity at Andersen

IT Security
Jul 21, 2022
Reading time: 7 min.
  1. Briefly about cyber security
  2. Conclusion

Regardless of whether a company uses cloud technologies or only owns a website, cyber security should be an important part of its business plan. What is paradoxical is that more than 60% of SME owners are not worried about this issue, as they believe that hackers are targeting large enterprises. But the figures say the opposite: according to Verizon's Data Breach Investigations Report (DBIR) for 2020, every third data breach is associated with a small business. We will tell you about reliable data protection mechanisms that a company of any level should have in order to avoid unpleasant situations.

Briefly about cyber security

Cyber security protects computer systems, servers, applications, and end-user data from attackers seeking to steal information or money. A central concept in cyber security is the vulnerability. This is the Achilles' heel - the way a hacker can carry out illegal activities on a computer system or network. For example, such a weak spot may be a bug in the program code that gives a criminal direct access to corporate information.

As society goes digital, companies are increasingly using computers and the IoT. More than half of humankind is already online, and thousands of new users join them every day. At the same time, hackers are inventing new ways to steal data. In light of this tendency, in 2021, cyber attacks were included in the top five global threats.

Attackers have more incentives to search for vulnerabilities in computer systems than ever: to steal data, get money, or pursue political motives. More than 2,000 data breaches worldwide are confirmed annually, each of which costs an average of $3.9 million.

Unfortunately, business owners often turn to cyber security services and media security services only after an incident has already occurred. Experts, by contrast, treat the protection of a company as a daily priority, as even casual transactions on websites may have vulnerabilities. Because business owners approach cyber security reactively, the measures they take turn out to be less effective than they could have been.

CEO of BullGuard Paul Lipman describes the problem well, pointing to the fact that small companies are often targeted by cyber attacks because they neglect security issues. But even one attack is enough to "bring a business to its knees." This risk can be avoided by sensibly using the following seven data protection mechanisms.

1. Vulnerability management

Vulnerability management is a strategy by which companies monitor, eliminate, or minimize “holes” in the system. Cyber security specialists find vulnerabilities, identify their type, and then decide how to remedy the situation and protect the company. But there are some nuances here - if the process is built incorrectly, the consequences will be terrible.

For example, most organizations use a vulnerability scanner (Nessus, Acunetix, Qualys, OpenVAS, and others) that is launched once a month. The program checks the infrastructure, finds vulnerabilities, covers some of them, and leaves some unsolved.

At the same time, problems with managing defects arise. One of the most common is that a newly created virtual machine is not added to the vulnerability scanner, so this machine is never scanned by the program. Yet nobody can guarantee that it is flaw-free, has patches, and so on. As a company grows, the security issue becomes more complex, and detecting weak spots in the system becomes more difficult.
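One way to catch the unscanned-machine problem described above is to reconcile the asset inventory with the scanner's target list and scan history. This is an added example, not code from the article; the host names, dates, and the 31-day threshold (matching a monthly scan) are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical hosts, not from the article).
INVENTORY = {"web-01", "db-01", "build-02", "vm-new-07"}   # all known machines
SCANNER_TARGETS = {"web-01", "db-01", "build-02", "old-ftp"}  # scanner scope
LAST_SCAN = {  # host -> date of the last completed scan
    "web-01": date(2022, 7, 1),
    "db-01": date(2022, 5, 1),
    "old-ftp": date(2022, 7, 1),
}


def coverage_gaps(inventory, targets, last_scan, today, max_age_days=31):
    """Compare the inventory with the scanner scope and scan history.

    Returns a dict of sorted host lists:
      unscoped - in the inventory but missing from the scanner's targets
      never    - in scope, but no completed scan is recorded
      stale    - last completed scan is older than max_age_days
      orphaned - scanner targets that the inventory does not know about
    """
    cutoff = today - timedelta(days=max_age_days)
    in_scope = inventory & targets
    return {
        "unscoped": sorted(inventory - targets),
        "never": sorted(h for h in in_scope if h not in last_scan),
        "stale": sorted(
            h for h in in_scope if h in last_scan and last_scan[h] < cutoff
        ),
        "orphaned": sorted(targets - inventory),
    }


if __name__ == "__main__":
    report = coverage_gaps(INVENTORY, SCANNER_TARGETS, LAST_SCAN, date(2022, 7, 21))
    for kind, hosts in report.items():
        print(f"{kind:9} {', '.join(hosts) or '-'}")
```

Run against a real inventory export after every scan cycle, the "unscoped" list is the set of machines whose patch state nobody has checked.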

Even if an organization has the most expensive scanner that is recommended by experts, its vulnerability base will not cover even 85% of all defects. Alexander Leonov, Information Security Analyst at Tinkoff, prepared a report on this topic - "The Vulnerability Scanner Illusion," where he compared three scanners against the open CVE database. As it turned out, they cover different types of vulnerabilities differently - one program can find a hole that the others don’t detect, and some types of problems are missed by all of them. Therefore, not all vulnerabilities can be detected and closed in time.

2. Secure development

Although the concept of security in development has existed for about 15 years since Microsoft introduced it, not all companies are aware of its value.

In an Agile software development model, the Security Development Lifecycle (SDL) involves checks for vulnerabilities between regular sprints and a final security review before deploying the software. Recently, there has been more talk about a new way to prevent vulnerabilities - DevSecOps, where security testing is included in each stage of the CI/CD pipeline.

Nevertheless, business owners, even those developing mission-critical applications for the financial services sector, are not in a hurry to implement SDL or DevSecOps or order cyber security consulting services. Most of them confine themselves to pre-release reviews.

Why are SDL and DevSecOps important? The same rule applies to security testing as to the entire testing process - the sooner a vulnerability is found, the less it will cost a company to fix it. For example, if you uncover a weak point in an application's architecture before writing the code, fixing it can cost you ten times less than solving the same problem in production.

3. Data backup

The backup of business-critical data will help you recover it in the event of an incident or computer problem. Therefore, it is recommended to get into the habit of saving priority information in a secure way (on a portable device or USB) and conduct weekly, quarterly, and annual server backups.

The US Small Business Administration recommends duplicating spreadsheets, databases, financial files, and cloud data. This will protect companies from the risk of hardware and software damage, viruses, hacks, power interruptions, and human errors.

4. Data encryption

Encryption is a useful security feature that helps authenticate and authorize a user and prevent unauthorized access to personal files. According to a survey by The Manifest, encryption is one of the top five common security measures, with 44% of small business owners voting for it. But the implementation of this protection method should be approached wisely.

The point is that devices have dynamic data (in motion) and static data (at rest). The former often moves from one place to another, for example, via the Internet; the latter does not "run" but is stored on a hard drive, in a computer, on a flash drive, and so on.

Business owners may mistakenly assume that only dynamic data, at risk of being stolen over the Internet, are worth protecting. But in reality, static data is no less vulnerable and valuable to malefactors. Attackers are inventing sophisticated methods of breaking into systems and stealing information directly from devices.

In this case, protection and storage of both static and dynamic data are ensured by encryption. Information is either encrypted before sending or sent via encrypted connections (HTTPS, SSL, FTPS, etc.), and this is done at all levels of the OSI model.

5. Firewalls

A firewall is a device or program that monitors security at the border between the corporate network and the Internet. It’s like a wall that protects a user from the adverse impact of the Internet. A firewall operates in accordance with a set of rules that determine what traffic to allow and what traffic to deny.

Therefore, the firewall is the first to face cyber attacks, creating a barrier between user data and a criminal. Despite the fact that the FCC recommends using firewalls, this technology has its pitfalls.

Firstly, administrators have to spend a lot of time looking for the information they need, and they don't always understand how to use all the features. Secondly, firewalls can’t ensure full transparency of all threats and risks. And thirdly, not every experienced system administrator is able to effectively configure and control firewalls.

Correct configuration and a clear understanding of firewall security diminish network risks and are useful for configuring its architecture, standards, policies and procedures, change management, and so on.
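A common configuration mistake of the kind mentioned above is a rule that never takes effect because an earlier, broader rule already matches the same traffic. The following added example (not from the article) evaluates a rule list top-down and flags such shadowed rules; the rule format, addresses, and first-match semantics are assumptions made for illustration.

```python
import ipaddress

# Constructed rule set (hypothetical addresses): (action, source network, port).
# Rules are evaluated top-down and the first match wins.
RULES = [
    ("allow", "0.0.0.0/0", 443),        # public HTTPS
    ("allow", "10.0.0.0/8", 22),        # SSH from the internal network
    ("deny", "10.20.0.0/16", 22),       # intended: no SSH from guest Wi-Fi
    ("allow", "192.168.5.0/24", 5432),  # database access from the app subnet
]


def decide(rules, src_ip, port, default="deny"):
    """Return the action for a connection; unmatched traffic gets the default."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, rule_port in rules:
        if rule_port == port and ip in ipaddress.ip_network(net):
            return action
    return default


def shadowed(rules):
    """Find rules that can never match.

    A rule is shadowed when an earlier rule for the same port covers its
    whole source range. Returns (index, action, action_of_covering_rule).
    """
    hidden = []
    for i, (action, net, port) in enumerate(rules):
        this = ipaddress.ip_network(net)
        for prev_action, prev_net, prev_port in rules[:i]:
            if prev_port == port and this.subnet_of(ipaddress.ip_network(prev_net)):
                hidden.append((i, action, prev_action))
                break
    return hidden


if __name__ == "__main__":
    print(decide(RULES, "10.20.3.4", 22))  # guest Wi-Fi host is allowed
    print(shadowed(RULES))                 # the deny rule never fires
```

Moving the narrower deny rule above the broader allow rule restores the intended behaviour and clears the finding.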

6. Configuration of web and email filters

As shown by statistics, about 94% of malware is delivered via email. Therefore, protecting corporate emails using filters is one of the mandatory security measures.

Filters are rules that can be set in the mail client or mail server so that they automatically filter out emails based on specified criteria. This way of organizing the mailbox can protect employees from spam and phishing threats.

Configuring web filters involves installing blacklist services that prohibit users from accessing suspicious websites. After all, one absent-minded employee who accidentally visits a dangerous resource is enough to infect a corporate system with malware.

7. Training staff in security principles

No matter how well the systems are protected, an employee who is not familiar with all the nuances of cyber security can jeopardize even a rock-solid structure. Human carelessness takes the form of using weak passwords, reusing credentials for different resources, clicking through to malicious websites, opening phishing emails, and so on. And given that a single employee often has access to numerous company files, hacking just one account may be enough for attackers to achieve their goal.

Therefore, it is important to not only be tech-savvy in security matters but also teach employees to safeguard their data. Tell your team members what to do with suspicious emails, how to handle corporate data in the office and at home, how to use passwords correctly, and what to do if information leakage occurs. This approach, combined with other security solutions, will reduce the threat of cyber attacks.


Conclusion

Data protection is crucial for the company's customers and hence for the business. Consumer confidence in a brand has a direct impact on profits. In addition, the number of legal documents that protect the confidential information of customers and employees is growing, and non-compliance with them leads to penalties. Amidst the rapid increase in cyber attacks, SMEs need to make sure that their protection mechanisms are in a working state and capable of blocking all types of threats.

If your enterprise does not have a competent system administrator, it is better to leverage cyber security assessment services. A third-party expert will analyze your existing infrastructure, give an objective assessment of the protection system, and suggest the best options for improving it. They will draw up a policy for managing vulnerabilities, create regulations for training employees and develop a strategy for the enhancement of cyber security. Thus, by assessing the risk of threats, making changes, and improving the security culture, you can protect your business.