Tips for SMEs

Com­pany net­works are gen­er­ally more dif­fi­cult to pro­tect against cyber-crim­inal attacks than pri­vate ones. The rea­sons can be found in their increased com­plexity and the serious eco­nomic con­se­quences of inter­rup­tions or break­downs. Con­cise mea­sures to min­imise risks are there­fore vital.

The most impor­tant points to remember:

  • To weigh up risks and imple­ment mea­sures, you should draw on guide­lines and info sheets issued by estab­lished insti­tu­tions.
  • Iden­tify the processes, sys­tems and data most valu­able to your com­pany, and start with those.
  • To increase your infor­ma­tion secu­rity, you should con­sider taking tech­nical as well as organ­i­sa­tional mea­sures.
  • Define respon­si­bil­i­ties, com­pe­tences and con­tact points for secu­rity-related issues.

Com­pany net­works are gen­er­ally com­plex struc­tures which grew over time, and which include var­ious data flows and inter­faces with cus­tomers and busi­ness part­ners. Even short-term dis­rup­tions, or even worse, break­downs of this infra­struc­ture, often result in serious eco­nomic effects for a com­pany. This makes SMEs gen­er­ally prone to greater risks of cyber-crim­i­nality than pri­vate indi­vid­uals.

To increase their resilience against such risks (their so-called ICT resilience), SMEs need to take suitable protective measures. Because of their complexity and volume, however, these measures are generally quite cost- and resource-intensive. Careful consideration is therefore of the utmost importance.

Use guide­lines and info sheets

How should SMEs approach such an immense task? And how do they ensure that nothing is over­looked?

Many estab­lished insti­tu­tions have looked into these issues and have inten­sively addressed the imple­men­ta­tion of ICT pro­tec­tion mea­sures espe­cially for SMEs. Over time, var­ious guide­lines and info sheets have been drawn up this way. These enable SMEs to pro­ceed both effi­ciently and effec­tively. It is there­fore highly rec­om­mended to draw on such tools.

As an intro­duc­tion to this sub­ject matter, we would rec­om­mend the “Infor­ma­tion secu­rity check­list for SMEs” by MELANI. This very com­pact info sheet explic­itly addresses Swiss SMEs and is meant to help them increase the infor­ma­tion secu­rity of their system envi­ron­ment and inside their com­pany net­work.

Iden­ti­fying processes, sys­tems and data

Where and with what should you start? Which processes, sys­tems or data should SMEs address first?

The basis for answering this question is a (simplified) risk analysis. To this end, all processes, systems and data of particular importance for a company's value-added chain should be identified and assessed as to how vulnerable they are to ICT risks.

Taking tech­nical mea­sures

Tech­nical mea­sures form the first line of defence to counter cyber-crim­inal risks. The cat­a­logue of poten­tial mea­sures is a long one. But which mea­sures are the right ones?

This ques­tion largely depends on each SME's spe­cific threat sit­u­a­tion. How­ever, some tech­nical mea­sures can still be con­sid­ered uni­versal and there­fore form part of every SME’s basic pro­tec­tion. The fol­lowing are cer­tainly mea­sures which fall into this cat­e­gory:

  • Reg­u­larly run­ning data back-ups
  • Installing and oper­ating up-to-date antivirus soft­ware
  • Reg­u­larly run­ning secu­rity updates

Taking organ­i­sa­tional mea­sures

Tech­nical mea­sures alone cannot pro­vide exten­sive pro­tec­tion. There­fore, addi­tional organ­i­sa­tional mea­sures will also always be nec­es­sary.

There is an extensive list of organisational measures, too. Items of particular importance, though, are:

  • Raising employee aware­ness and training them on a reg­ular basis
  • Estab­lishing a strict pass­word regime
  • Securing processes for critical applications (e.g. double verification principle with e-banking applications)

Defining respon­si­bil­i­ties, com­pe­tences and con­tact points

Who is respon­sible for data back-ups? Who is respon­sible for run­ning secu­rity updates? Who can employees con­tact, for instance if they sus­pect a mal­ware infec­tion?

To run your oper­a­tions smoothly, respon­si­bil­i­ties, com­pe­tences and ICT secu­rity con­tact points inside an SME should not just be defined, but all employees should also be familiar with them.

A suitable information platform can promote low-threshold access to the appropriate places. This will allow for reductions in reaction times in case of any incidents and an increase in the notification quota.

Swiss SMEs are increas­ingly becoming the target of cyber-crim­inal attacks, with some­times serious con­se­quences for the com­pany affected. Risk reduc­tion mea­sures are there­fore vital.
