Cybersecurity Within SMEs – Strategy to Protect Sensible Data –

cybersecurity for small businesses


A strong cybersecurity strategy can help protect your name and the trust of your clients in your
company. This is where the 3Ps – people, processes, policy – come into play and aid in drawing
up an action plan that can be followed by small and medium-sized enterprises (SMEs in short)

1. Introduction

We have been talking for a while now about the possibility of everybody to be subjected to small
or large-scale cyber-crime. Cyber threats are universal and they are growing both in numbers and
intensity. The actors behind these threats are not only trying to break into an organizations
network, but also seek to bag their data.

Today most companies operate online for multiple reasons: more exposure, facilitation of
services and reach etc. Consequently, they are targeted more and more often. SMEs are part of an
entire chain of exchange of data, operating in connection with clients, authorities, other
companies and so on. This leads to the conclusion that sensitive information is communicated
between parties and is held by SMEs all over the world as part of their normal course of business.
Clients entrust you with sensible personal data such as financial reports, healthcare information
or trade secrets, making your company the perfect target for cyber-criminals.

I will provide some reasons why cybersecurity is a vital problem-area that should be taken into
account by companies in todays’ threat landscape, followed by a short overview of the aspects
that should be taken into account when drawing up a security plan. Finally, the article makes the
case for consultancy in all things cyber and gives some advantages of collaboration with experts
in cybersecurity.

2. Pitfalls of an unprepared SME when faced with cyber threats

Why is it so important for an enterprise to not only detect and recover when faced with a cyber-
attack, but also prevent such threats as much as possible? The answer is quite clear and it comes
in the form of another question that you should ask yourself: How will your clients see you if you
lose their data? The trust of clients and keeping a good name is vital for any
organization/company. A data breach will inevitably lead to reputation damages and usually high
amounts of fines, not to mention the possibility that, if your network is compromised due to
ransomware, your entire business could be blocked.

Having said all of these, it is obvious that cybersecurity should be taken seriously, this being
highlighted by a recent study that showed the fact that 43% of cyber-attacks target small
businesses and 60% of them go out of business within six months.

3. 3Ps of cybersecurity

Now it is time to move on and discuss the ways in which the above-mentioned dangers can be
prevented, efficiently responded to and ultimately lead to resilience from the part of the
enterprise. Every cyber-strategy should have as objectives prevention, detection and recovery
when dealing with cyber threats. This is simply because, as stated before, you want to avoid
being subjected to a cyber-attack, in the first place. However, if malicious things get past your
preventative measures, you should be able to quickly detect them in order to mitigate damage as
much as possible and, finally have a system in place that can help you recover from the attack.
In order to achieve these three objectives, there are three types of controls that have to be taken
into account when drafting a cybersecurity strategy. They are usually named the “3Ps of
cybersecurity”: People, Processes and Policy. These three controls form an ecosystem and are
equally important for the well-functioning of the internal cybersecurity plan of a company. They
are correlated and their development needs to be synchronized, since untrained staff could cancel
the use of sophisticated technological processes, for example. I will further detail on each one of
them, giving some samples of how they can be efficiently used.

3.1. People

I will start with the human resource of an SME. Employees are often the weak links in an
organization’s security and you might know how the saying goes: the weakest link in the chain
defines the strength of the chain. People share passwords, can click on compromised links and
open unchecked email attachments and, thus, are susceptible to being deceived. Actions of one
employee are enough to compromise the network of your entire company. Hackers use social
engineering to manipulate you in order to gain control over your system. More specifically, they
can use the spear phishing technique, conducting attacks after doing research on the target. These
are directed attacks on a particular person/organization with internal knowledge gathered from
open sources such as posts of employees on social media. Malicious actors are, in this case, after
confidential information, business secrets and other sensitive information.

Social engineering and phishing account for 70% – 90% of breaches, leading to the conclusion
that, against preconceptions about cybersecurity, it is not enough to have a strong technical
infrastructure. You need to be able to protect your company against human-led errors. First things
first, staff has to be educated digitally and be equipped with critical thinking skills as a way of
being able to detect a false email or malicious link, for example. After investing in staff training,
any SME could use a tool for testing the employees and their actions when confronted with a phishing attack.

Ethical phishing simulation provided by an experienced company can be such a
tool and can give you an idea of how resilient you and your company are when faced with social
engineering techniques. These simulations function by gathering data on the enterprise, creating
an attack strategy, launching the campaign, gathering data of the employees that fell in the
simulation’s trap, and ultimately creating a personalized educational program and a regular
phishing campaign to test staff awareness.

3.2. Processes

The second “P” relates to all software and hardware techniques you can implement in order to
limit, as much as possible, the risk of being subjected to an attack. It refers to the entire chain of
technological systems that can be used for the security of the organization and are efficient in the
majority of circumstances, putting down threats even automatically, without having to manually
resort to human action. Some examples could be ensuring that the network infrastructure is well
built or making sure that the organization’s website is secure. Moreover, through technology,
some of the human-led errors mentioned in the previous section could be fixed from an
architectural perspective, by giving access to data based on the specific position and internal role
of an employee.

A useful tool is frequent penetration testing that can enable companies to discover their
vulnerabilities and ways to mitigate them. Here is where experts in penetration testing come into
play. It is vital to test your processes in order to identify potential leaks, since such a test helps
you think like the enemy, looking at your own networks from the perspective of a malicious actor
searching for hidden vulnerabilities. The findings of the penetration team inform you about the
efficiency and effectiveness of your security program, aiding you in enhancing your protection
and reduce risks.

3.3. Policy

The last “P” relates to policies implemented by a company as a way of providing a conduct
framework for employees, partners, consultants and other similar stakeholders. In this context,
policies regulate online access, data sharing, network use etc., all in order to ensure security of
the company. A well-thought-out policy system works like an action plan that can be
implemented by anyone or anything and describes the general roles, expectations and
responsibilities of every actor. In this way, a strong cybersecurity policy helps create

Technical policies are the most commonly used ones and provide a comprehensive system of
safeguards that, usually, aim to prevent attacks in the first place. Some examples could be
implementing strict rules when creating passwords or using an email filtering or flagging system.
Moreover, you may even restrict the access to certain websites such as social media pages from
the enterprise’s network, in order to limit the danger of social engineering as much as possible.

Another aspect in which you need to implement policies is data protection and compliance with
specific regulating instruments such as the GDPR (EU) or CCPA and CDPA (California and
Virginia). When it comes to the GDPR, this legally binding document sets a strict standard for
customers’ data, enabling them to enforce their rights. On the other hand, this may come as a
burden for any organization, since processes and internal procedures/policies must be put in place
in order to ensure compliance and avoid high fines. Among other requirements imposed by the
Regulation, companies must have a Data Protection Officer (under some conditions), responsible
for the well-handling of customer’s data and reporting incidents.

General internal procedures should also be implemented as a way of making sure that incidents
are responded to in an efficient manner. Reporting suspect activity should be mandatory and a
cornerstone for every security policy. In this way, a common way of thinking would be avoided: I
did not fall in the trap of clicking on this attachment so everything is good. Every employee
should flag any possible threat in order to catch an attack before it happens. This makes it clear
that a comprehensive system of cybersecurity governance is of utmost importance for your
company as a way of complementing technical processes mentioned in the previous section and
ensuring that the human resource is aware and understands the enterprise’s cybersecurity
mitigation efforts.

4. Importance of consultancy from experts

As you can see, there are quite a few aspects that you should take into account when drawing up
an effective cybersecurity strategy. Seeking expert advice when doing this may have some
advantages that can make the process less intimidating and ensure better results. Firstly,
outsourcing and using a team of cyber experts only when needed makes for a cheaper alternative
to a traditional IT department that would not only have to manage the usual technical assistance,
but also create and manage the security plan. Secondly, an expert team helps with risk reduction
since it provides guidance and the best personalized security measures to maximize their
efficiency. Finally, they can help educate your staff on the latest technologies, safer workplace
practices and create cybersecurity threats awareness, ameliorating the risk of human-led errors
presented above.

5. Conclusion

Since security cannot be seen as a perpetual state and there is always the risk of a successful
attack, SMEs should take charge and invest in training staff, use new technical controls and issue
a system of comprehensive policies. By following the structure of the “3 Ps”, you can achieve the
objectives present in every cybersecurity plan: prevention, detection and recovery. To wrap up
and put it simply, any company should first establish its biggest threats. Then, it should draw up a
plan on how to prevent and discover them. Finally, a strong incident response/recovery plan should be in place in case these threats get past all the other safeguards, this entire strategy being easier to frame with the help of cybersecurity experts.