How can SMEs protect their sensitive information against cyber crime?

A study released this October by HP revealed that the average annual cost of cyber crime for a U.S. company was $11.56 million—a 78 percent increase since the study was first conducted in 2009. Denial-of-service attacks, insider attacks and information theft are some of the problems businesses face, and companies paid an average price of $1 million to resolve a single attack. Even scarier as a statistic: “Smaller organizations incur a significantly higher per-capita cost than larger organizations.”

Small and medium businesses and not-for-profit organisations can least afford the rising cost of cyber crime. What can an SME do to protect against a security breach? The answer is simpler than you would think. And financially, it is a bargain compared to the physical, financial and emotional cost of rectifying a security breach.

Security breaches stem from one of the following seven causes:

  • Unintended disclosure: Someone posts private or sensitive data on a website, blog, Facebook page or Twitter account.
  • Hacking or malware: An unauthorised person gains access to a computer, server or smartphone through the use of a malicious program.
  • Payment card fraud: Customer information is stolen from a point-of-sale location.
  • Malicious staff: Information intentionally stolen or leaked by an insider.
  • Lost, discarded or stolen mobile devices: Mainly media like flash drives, but also laptops, smartphones and tablets.
  • Lost, discarded or stolen documents.
  • Stolen computers and servers.

Protecting an SME is not all about having the right technology in place. It’s about hiring the right people (resilience), having good security practices (compliance), and, most importantly, deploying common sense. So let’s look at some basic ways to protect that critical business information:

  • Identify what your business considers sensitive information. Work out what information in your business is sensitive to a customer (credit cards, medical records, social security numbers), and then document where it is stored.
  • Isolate sensitive data. Keep sensitive information on the smallest number of computers possible. Then separate these computers from the rest of the network. The fewer copies available, the easier it is to protect them.
  • Encrypt sensitive data. All sensitive data that is on a mobile device—laptop, tablet or smartphone—needs to be encrypted. Encryption ensures that no one can read the data except its intended recipient, because the key for decrypting it is stored separately. If you encrypt the data, it will be very hard for bad guys to access in the event of a breach.
  • Use SSL (Secure Sockets Layer) in transmission. SSL is a highly secure method for encrypting information in transit, as well as during storage. If sensitive information needs to be transferred electronically, securing it is a must.
  • Check your new employees. A quick call to the references or previous supervisors of a new employee can verify (or not) that they are telling the truth about things like the reason they left their job. If your business requires a higher level of security, then a police check can also be done.
  • Put a good privacy policy in place. Every SME needs security policies for the use of internet, email, social media, mobile devices and cloud storage. For instance, can employees e-mail intellectual property to their home e-mail address? Store it on a tablet they brought from home? You probably don’t want this to happen, but you might not have a policy to prevent it. The separation of office and personal life needs to be enforced.
  • Use a good firewall, and especially a secure wireless connection. A firewall is the front-facing part of your business in regard to the internet. Good security here is like putting in a decent front door and lock with an alarm on your house. Don’t skimp on these components.
  • Keep anti-virus, anti-spyware and applications up to date. These components are not “set and forget.” They all need to be updated regularly. Turn on automatic updates, and make sure AV definitions are updated daily.
  • Protect sensitive data with strong passwords. Not only should passwords be complex, with letters, numbers and symbols, but you should update them regularly.
  • Download applications only from reputable sources. Much of the “free” software online is riddled with malware. The only place on the internet where you should be getting drivers and applications is from the manufacturer’s site or its affiliates.
  • Physical security is just as important. Getting physical access to your building is a great way for someone to access your files and company computers. Restricting access, especially to parts of your building where valuable data is stored, keeps people honest.
  • Shred it! Any paper carrying sensitive data that leaves the office should be shredded.
  • Physically protect laptops and tablets. Portable devices have a tendency to be lost or stolen, so make sure that if it happens they are hard to access (BIOS passwords, strong passwords and physical locks), and even harder to get sensitive information off (encryption on the hard drive).
  • Always vet outsourced or service businesses. If you have critical components of your business that are outsourced, make sure the company has security controls similar to or better than the ones you have.
  • Consider outsourcing security or hiring a consultant. Your company’s managers or lone “IT guy/gal” may not have the expertise to handle every aspect of your security. There are a number of reputable companies that can do a better job of managing your internal security than you could through an ad hoc approach. You will also find that a managed security service is not as expensive as you might have thought.
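The first two items above, working out which information is sensitive and documenting where it is stored, are the ones most SMEs never actually finish, because nobody knows which spreadsheets and exports on the file share contain card numbers or social security numbers. The following script is an added example and is not part of the original post or of any product the author sells: it scans text lines for card-number-shaped values and validates them with the Luhn checksum (so phone numbers and invoice references are ignored), checks SSN-shaped values against the ranges that can never be issued, and reports each hit with only the last four digits kept, so the inventory itself does not become another copy of the data. The sample lines are constructed for the example; in use you would feed it the lines of each file on the share.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN layout AAA-GG-SSSS, dash or space separated.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")


@dataclass(frozen=True)
class Finding:
    source: str    # where the value was found, e.g. a file path
    line_no: int
    kind: str      # "card" or "ssn"
    masked: str    # last four digits only; the full value is never stored


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers that are never issued (area 000, 666, 900+; zero group/serial)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so the report is safe to circulate."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(source: str, lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per validated card number or SSN in the given lines."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, n, "card", mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(source, n, "ssn", mask("".join(m.groups()))))
    return findings


# Constructed sample standing in for the contents of a file on a share.
SAMPLE_LINES = [
    "Invoice 1042 paid with card 4111 1111 1111 1111 on 2013-10-02",
    "Order ref 4111-1111-1111-1112 (typo, fails checksum)",
    "Patient file: SSN 123-45-6789, DOB 1975-06-14",
    "Test record SSN 666-12-3456 should be ignored",
    "Phone 0412 345 678 is not a card",
]


def scan_sample() -> List[Finding]:
    """Run the scanner over the constructed sample (hypothetical path)."""
    return scan_lines("shares/finance/export.csv", SAMPLE_LINES)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.source}:{f.line_no} {f.kind} {f.masked}")
```

Two hits out of five lines is the point: the checksum and range checks stop the inventory from being swamped by every long number in the business, and the masking means the list of locations can go to the people who have to isolate and encrypt those files without itself needing the same protection.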

Finally—what to do if you do have a security breach?

  • DON’T panic.
  • Contain the loss.
  • Get help.
  • Redefine your security policies so that it doesn’t happen again.

Once you discover that you have been breached, you need to localise and contain the problem. You should also implement a breach process that involves turning off servers and workstations, investigating hacked systems and eradicating malware and spyware. Once this is done, then inform relevant authorities. You may also need to get a solicitor or security expert involved.

Depending on the severity of the breach, you may need to contact your clients and customers, but consult with your solicitor or the AFP first. It can also be a good idea to employ a public relations person to keep everyone informed with the correct information, and ensure that the rumour mill does not produce something you cannot control.

If the above steps sound like a huge hassle, that’s because they are. It is always best to prevent a cyber crime before it happens. Remember—it’s a lot more expensive to fix a breach than it is to secure your data.


Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.