The overall cybersecurity plan for SMEs

Cyber protection for small and medium businesses and not-for-profit organisations (SMEs) can be difficult and time consuming. Not only that, but in most cases it is very difficult to know where to start.

Most SMEs are concerned, but because they do not know where to start they are reluctant to start at all. If you are an SME, where do you start?

Here are five ideas to contemplate.

Use a team – small businesses can use external groups if possible.

The saying "more hands make light work" can be applied to business security. Cyber security and cyber protection are not a one-person job. More importantly, they are not just the ICT person’s job. There are numerous stakeholders in a business whose information and capabilities are needed to create a good plan.

Even in a micro business there are places where you can get information that will help you develop a good plan. Most successful SMEs have some level of coaching, support or maybe an accountability group. Networking groups are another source of ideas and support. These can be utilized to help build and maintain a cybersecurity plan.

Understand where the attacks will come from

When creating your plan, you first need to understand where an attack on your business will come from. Most attacks are from the Internet, but that does not exclude wireless, internal fraud and stupidity.

So your data protection components might look something like this:

Component – what sort of attack – how you can protect it.

Internet – from the connection – firewall.

This is the making of your business risk analysis. It is the foundation stone for your cybersecurity plan.

Defence in depth

No single item or system will protect you from everything. Most people know this but never completely understand it. The latest whizz-bang firewall will not protect your business from easy-to-crack passwords or untrained staff members.

The best protection for your business is understanding that the more levels you have in place protecting your information, the better the protection will be. When creating a cybersecurity plan, always think ONIONS: the more layers the better.

Paranoia is good for the soul.

This may sound cliched, but everyone is after everything and lots of people will think it is OK to steal it from you. If you have an idea that is going to make you millions, I can guarantee that there are numerous people out there who want to steal it from you. Worst of all, they will attempt to steal it from you. In a lot of ways this is not paranoia; this is common sense.

Intellectual property is huge in today’s criminal market; it is the next best thing apart from bank account details. Protect it as well as you can through compartmentalising your business and the information. Create a system where no single person internally knows the big picture, apart from you of course.

It doesn’t just stop there; the cyber criminals are after anything that will give them leverage over you. They are after your money, your IP, your clients’ information and your staff information. All of it has to be kept secure, and in most cases this is where the paranoia comes from.

Think of the long term.

Unless you are a criminal yourself, the business that you have created is going to be around for as long as you can make it. 99.9% of businesses think along those terms.

You want your business to be profitable and you want to be in a position to hand it down to your children when you retire.   Your business model may change over the life of the business but that is because of the way society and technology have changed.

In today’s world, if you want your business to survive then you also need to understand the best and most secure ways to protect it. Cybersecurity is more strategic planning than business tactics. It is thinking of the long-term plan, not the short-term gain. So because you are thinking long term, cybersecurity is more an investment than an expense.

When you started your business it was shoestring and sticky tape, just to keep your nose above water. Later in the business process you look at improving the business to make more profit and increased revenue. By investing in better security you are also protecting your most important assets – your customers, your staff, your finances and your IP. A long-term investment is a $1000 firewall with intrusion detection and application filtering, not the $100 firewall that can be compromised with the Internet equivalent of a paper clip.


To most SMEs, understanding cybersecurity is a solution to a problem that they did not understand that they had. That being said, like all problems, you have to understand where to start. The creation of a good strategic cybersecurity plan is the first step for your business. From there it is onward and upward to a more secure business environment.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.