SMEs should not hesitate to ask for support when needed, and we strongly encourage SMEs to check first with their national cybersecurity authorities—each of which has free resources that are available. In the European Union, SMEs can contact the network of European Digital Innovation Hubs, the Cybersecurity Coordination Centres (one in each Member State) under the Cybersecurity Competence Centre. In the United States, SMEs can contact the National Institute of Standards and Technology (NIST) through its Small Business Cybersecurity Corner; the Cybersecurity and Infrastructure Security Agency through its Cyber Essentials for SME resources; and the U.S. Small Business Administration’s Cybersecurity Resources. In case of malicious cyber incidents, SMEs should also not hesitate to reach out to the relevant national, local authorities, service providers, and, where applicable, a computer emergency response team (also known as a cybersecurity incident response team).
In addition, SMEs should consider the following helpful hints, which are not an exhaustive list of best practices, to become more cyber-secure.
To effectively address cyber risks, a change of mindset is needed. Awareness of cybersecurity should be raised, and security must become an enterprise-wide issue, involving everyone in fulfilling security responsibilities. The guide Cybersecurity is Everyone's Job is a good point of departure, as it outlines the role of each employee in protecting an organisation from cyber threats, based on the type of work the individual performs.
As new technologies emerge, cyber threats also become more complex and difficult to predict. Therefore, it is important to identify a business's weak points in a timely manner by mapping out all critical assets: people, physical infrastructure, information systems, business processes, corporate image, as well as the technologies in use. Several organisations offer services that can help map and analyse a company's digital footprint and third-party risks, as well as provide continuous data security scans and tailored data security advice.
Understanding security, why it is needed, and how to most effectively implement it is key. This calls for a global approach, which includes establishing a security plan, relying on a security manual, putting in place procedures and protocols based on certified policies and technologies, and conducting regular cybersecurity audits. A comprehensive cybersecurity strategy does not necessarily have to be costly for SMEs to implement and maintain. With SecureSME, ENISA suggests practical tips on measures that can be adopted without investing a large amount of money. The Quick Start Guide for NIST’s Cybersecurity Framework also may be a good starting point for small businesses to better manage cybersecurity risk.
Implementing cybersecurity measures does not only mean installing certain technical controls; it also requires educating employees on how to use technologies and giving them the skills to work in a secure way. It is essential to start from the basics, such as how best to secure devices via e-ID and passwords or how to encrypt sensitive e-mails, and to consider immersive training and simulations as well. Various organisations can be engaged to test the effectiveness and resilience of enterprise assets, identify and exploit weaknesses in controls, and simulate malicious cyber incidents.
Understanding one’s cyber-risks and appropriately conceiving a security strategy also requires building trust. This trust is needed in the company to better manage the business and raise credibility with customers, but it is also needed with respect to external partners. Sharing information with other SMEs on the causes of malicious cyber incidents and the solutions developed to tackle them is extremely important to become more cyber resilient. Collaborations with peers, as well as with expert institutions, have to be nurtured and fostered.
Cybersecurity is a multifaceted issue that should be approached step by step. For example, ENISA developed a Cybersecurity guide for SMEs with 12 high-level steps on how SMEs can better secure their systems and their business, including developing a good cybersecurity culture and developing an incident response plan.