Research has it that over 60% of cyber-attacks in the last five years were targeted at SMEs. This negates the notion that cyber-attacks are mainly targeted at blue-chip or large companies. In fact, a start-up's data was recently deleted by an angry ex-employee. Undoubtedly, it is more important than ever before that SMEs invest in, and pay more attention to, cyber-security.
In this article, I will point out some important points that SMEs must take cognizance of in securing the data in their hands.
THE CYBER-SECURE SME
An SME would normally have the following categories of data:
1. Trade secrets, the company's internal communication, transactions and other important details which may or may not be available to the public;
2. Employees' data and recruitment process data (CVs and cover letters); and
3. Personal data from clients, customers and dealers gathered in the course of the day-to-day activities of the company.
It is crucial to note that the majority of data protection regulations, e.g. the Nigeria Data Protection Regulation (NDPR) and the European General Data Protection Regulation (GDPR), apply to categories 2 and 3 above but do not regulate category 1. In essence, the data protection regulations consider the security of personal data as fundamental.
However, some sectors of the economy enforce the security of the company's own data; e.g. the financial sector in Nigeria, regulated by the Central Bank of Nigeria, has a cyber-security regulation.
The concept behind cyber-security of SMEs is premised on the fundamental rights and commercial need to secure all data stored by or at the disposal of SMEs, personal or not. Let's consider some simple cyber-security tips for SMEs.
- Infrastructure: No matter how small the business, it is certain to have places where data are stored, electronically or manually. If manually, shelves and locker rooms must be properly secured and access should be given only to trusted employees. If electronically, whether cloud-based or on devices, access should be limited. Remember to back up all folders offline and, if possible, off-site.
- Use updated devices.
- Restrict which devices may be connected to office PCs (install security software on any device that will be connected to a PC).
- All software packages in use should be up to date.
- Install strong antivirus and anti-malware products. (Don't go for free products; nothing is free, even in Freetown.)
- Have a good Internet firewall.
- Carry out periodic assessments of devices.
- Have proper password management practices.
There may be sector-specific cyber-security policies in your business sector. You need to find out these and fully comply. Nevertheless, there is the need to have internal information security policies. These policies include but are not limited to the following:
- Password Protection Policy
- Software Update Policy
- Clean Desk Policy
- Technology Equipment Disposal Policy
- Email Policy
- Data Breach Response Policy, etc.
Contact your information security (infosec) lawyers for more information on relevant policies.
- Human Resources
Cyber-security awareness of employees is of utmost importance. Since employees directly interact with data both online and offline, they must be properly trained to recognise phishing emails, identify fraudulent links and take other precautions while online. Remember, if you build a strong firewall, you should equally build a strong human wall. Continuing cyber education of employees is key!
Note the following points:
- Remove ex-employees' access to facilities, devices and accounts.
- Have policies on how employees deal with data, software packages, password management, etc.
- Having an internal IT (infosec) team (you may outsource this to a reputable company) is key.
- Ensure employees sign a Non-Disclosure Agreement in order to prevent future leaks of trade secrets.
- Managerial Decisions
Management must be properly aware of the importance of cyber-security. They must be ready to make technical and financial decisions with the cyber-security of the business in mind, and must ensure compliance with information security policies.
Management must also ensure that threats and breaches are handled properly and with the right technical response. Be ready to spend on cyber-security, because you will pay more in the event of a cyber-breach.
- Cyber Insurance
Cyber insurance covers business risk in the event of network failures and breaches of personal data. This may be a new area for most insurance companies, but if your work is mostly online you may need to insure against cyber risks; you never can tell. This may sound like an expensive plan, but consult adequately with your insurance company. They continually acquire cyber expertise to work out something for you.
Note that if it is a risk, it is insurable. Thus, cyber risks are insurable. Get cyber-insurance cover today.
Finally, there are many things to be considered in cyber-security, and one of them is time. You cannot postpone attending to a threat. Neither should you postpone updating your software applications. Be on time.
Cyber-security is not about the size of the business but about cyber strength.
(This article was first published as a thread on Twitter on the 10th of July, 2020 on the author's Twitter handle @owoadeyemi. The author does a bi-weekly thread on cyber-security and data protection issues on Twitter.)
About the Author
Adeyemi O. Owoade
Adeyemi is a Lagos-based (Nigeria) lawyer with profound interest in Technology-related Law, Cyber Security and Data Protection. He is a Certified Network Security Specialist (ICSI, UK).
Reference: Central Bank of Nigeria (CBN), Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers, accessible here: <https://www.cbn.gov.ng/Out/2018/BSD/RISK%20BASED%20CYBERSECURITY%20FRAMEWORK%20Exposure%20Draft%20June.pdf>