SMEs are also faced with a new reality in which employees work from home far more than before. As a result, they have become even more dependent on Information Technology (IT). It goes without saying that protecting these virtual assets is of utmost importance to almost every SME. According to ENISA, the top ten cyber hygiene topics that SMEs should address, through outsourcing where needed, are presented below:
- Management buy-in. It is important that management sees the importance of cybersecurity for the organisation and that it is informed on a regular basis.
- Risk assessment. This answers the question: what do I have to protect and from what? Identify and prioritise the main assets and threats your organisation is facing.
- Cybersecurity policy. Have the necessary policies in place to deal with cybersecurity and appoint someone, for example an Information Security Officer (ISO), who is responsible for overseeing the implementation of these policies.
- Awareness. Employees should understand the risks and should be informed about how to behave online. People tend to forget such things rather rapidly, so repeating this every now and then can be valuable.
- Updates. Keeping everything (servers, workstations, smartphones, etc.) up to date is key to your cyber hygiene. Applying security updates is part of this process. Ideally, the whole process is automated to some degree and updates can be tried out in a test environment first.
- Backups. Before applying these updates it is vital to have good backups in place. Backups also protect the environment against attacks such as ransomware. Back up the most important data often and think about the cost of losing the data produced during a given timespan. Keep the backups offline, test the backups and keep duplicate copies of them.
- Access management. Have rules/policies in place for access management and enforce them. Make sure default passwords are changed for example, that passwords are not shared, etc.
- Endpoint protection. Think about securing endpoints, for example by installing antivirus software.
- Secure remote access. Limit remote access as much as possible and where absolutely needed, enable it but in a secure way. Make sure that communication is encrypted properly.
- Incident management plan. There should be a plan for how to handle an incident when it occurs. Different realistic scenarios could be part of this plan. Find out whom you can contact when problems arise, for instance the national CSIRT.
For further information related to the cybersecurity aspects of the COVID19 pandemic, consult the ENISA pages dedicated to this issue under the Topic – COVID19
https://www.enisa.europa.eu/news/enisa-news/top-ten-cyber-hygiene-tips-for-smes-during-covid-19-pandemic (Published on June 02, 2020)