ENISA Cybersecurity Guide For SMEs Online Single - Page

Download as pdf or txt
Download as pdf or txt
You are on page 1of 12

EUROPEAN UNION AGENCY

FOR CYBERSECURITY

Cybersecurity guide for SMEs

TO SECURING
YOUR
BUSINESS
The COVID-19 crisis showed
how important the Internet and
computers in general are for SMEs.
In order to thrive in business
during the pandemic many SMEs
had to take business continuity
measures, such as adopting to
cloud services, improving their
internet services, upgrading their
websites and enabling staff to
work remotely.

This leaflet provides SMEs with


practical 12 high level steps
on how to better secure their
systems and their business. It is
a companion publication to the
more detailed ENISA report
“Cybersecurity for SMES –
Challenges and
Recommendations”.
1
DEVELOP GOOD
CYBERSECURITY
CULTURE
ASSIGN MANAGEMENT RESPONSIBILITY
Good cybersecurity is a key element in the ongoing success of any SME.
Responsibility for this critical function should be assigned to someone
within the organization who should ensure appropriate resources such
as time from personnel, the purchasing of cybersecurity software,
services and hardware, training for staff, and the development
of effective policies are given to cybersecurity.

GAIN EMPLOYEE BUY-IN


Gain employee buy-in through effective communication on
cybersecurity from management, by management openly supporting
cybersecurity initiatives, appropriate trainings delivered to employees,
and providing employees with clear and specific rules outlined in
cybersecurity policies.

2
CONDUCT CYBERSECURITY
AUDITS
Regular audits should be carried out by
those with the appropriate knowledge,
skills and experience. Auditors should be
independent, be it an outside contractor
or internal to the SME and independent
of daily IT operations.

REMEMBER DATA
PROTECTION
Under the EU General Data Protection
Regulation1 any SMEs that process or
store personal data belonging to EU/EEA
residents need to ensure that appropriate
PUBLISH CYBERSECURITY POLICIES security controls are in place to protect that
Clear and specific rules should be outlined in cybersecurity data. This includes ensuring that any third
policies for employees on how they are expected to behave parties working on behalf of the SME have
when using the company’s ICT environment, equipment appropriate security measures in place.
and services. These policies should also highlight the
consequences an employee could face should they not
adhere to the policies. The policies need to be regularly 1 General Data Protection Regulation https://
reviewed and updated. ec.europa.eu/info/law/law-topic/data-protection_en

3
2
PROVIDE ENSURE
3
APPROPRIATE EFFECTIVE
TRAINING THIRD PARTY
Provide regular cybersecurity awareness trainings for all
employees to ensure they can recognize and deal with the
MANAGEMENT
various cybersecurity threats. These trainings should be
tailored for SME’s and focus on real-life situations. Ensure that all vendors, particularly those with
access to sensitive data and/or systems, are
Provide specialized cybersecurity training for those actively managed and meet agreed levels of
responsible for managing cybersecurity within the security. Contractual agreements should be
business to ensure they will have the skills and in place to regulate how vendors meet those
competencies required to do their job. security requirements.

4
4 5
SECURE
ACCESS TO
SYSTEMS
DEVELOP
Encourage everyone to use a passphrase, a collection of at least
three random common words combined into a phrase that
provide a very good combination of memorability and security.

AN INCIDENT If you opt for a typical password:


 Make it long, with lower and upper case characters, possibly

RESPONSE
also numbers and special characters.
 Avoid obvious, such as “password”, sequences of letters
or numbers like “abc”, numbers like “123”.

PLAN  Avoid using personal info that can be found online.

And whether you use passphrases or passwords


Develop a formal incident response plan,  Do not reuse them elsewhere.
which contains clear guidelines, roles and  Do not share them with colleagues.
responsibilities documented to ensure  Enable Multi-Factor Authentication.
that all security incidents are responded  Use a dedicated password manager.
to in a timely, professional and appropriate
manner. To respond quickly to security
threats, investigate tools that could monitor
and create alerts when suspicious activity
or security breaches are occurring.

5
6
Keeping the devices staff use, be EMPLOY EMAIL AND WEB
their desktop PCs, laptops, tablets, PROTECTION TOOLS
or smartphones, secure is a key step
in a cybersecurity program. Employ solutions to block spam emails,
email-containing links to malicious
KEEP SOFTWARE PATCHED websites, emails containing malicious
AND UP TO DATE attachments such as viruses, and
phishing emails.
Ideally using a centralized platform
to manage patching. It is highly ENCRYPTION
recommended for SMEs to:
Protect data by encrypting it. SMEs

SECURE
 Regularly update all of their software.
 Turn on automatic updates should ensure the data stored on
whenever possible. mobile devices such as laptops,
smartphones, and tables are

DEVICES
 Identify software and hardware that
requires manual updates. encrypted. For data transferred
 Take into account mobile and IoT devices. over public networks, such as hotel
or airport WiFi networks, ensure
ANTI-VIRUS that data is encrypted, either by
employing a Virtual Private Network
A centrally managed anti-virus solution (VPN) or accessing websites over
should be implemented on all types of secure connections using SSL/TLS
devices and kept up-to-date in order to protocol. Ensure their own websites
ensure its continuous effectiveness. Also, are employing suitable encryption
do not install pirated software as it may technology to protect client data as
contain malware. it travels over the Internet.

6
7
SECURE
YOUR
IMPLEMENT MOBILE DEVICE
MANAGEMENT

NETWORK
When facilitating staff to work remotely many SMEs
allow staff to use their own laptops, tablet and/
or smartphones. This introduces several security
concerns about sensitive business data stored
on those devices. One way to manage this risk is
to employ a Mobile Device Management (MDM) EMPLOY FIREWALLS
solution, allowing SMEs to: Firewalls manage the traffic that enters and leaves a network
 Control what devices are allowed to access its and are a critical tool in protecting SMEs systems. Firewalls
systems and services. should be deployed to protect all critical systems, in particular
 Ensure the device has up to date anti-virus a firewall should be employed to protect the SME’s network
software installed. from the Internet.
 Determine if the device is encrypted.
 Confirm if the device has up to date software REVIEW REMOTE ACCESS SOLUTIONS
patches installed. SMEs should regularly review any remote access tools to ensure
 Enforce the device is protected by a PIN they are secure, particularly:
and/or a password. Ensure all remote access software is patched and up date.
 Remotely wipe any SME data from the Restrict remote access from suspicious geographical
device should the device owner report locations or certain IP addresses.
it lost or stolen, or if the device owner’s Restrict staff remote access only to the systems and
employment was to end with the SME. computers they need for their work.
Enforce strong passwords for remote access and where
possible enable multi-factor authentication.
Ensure monitoring and alerting is enabled to warn
of suspected attacks or unusual suspicious activity.

7
8 9
IMPROVE
PHYSICAL SECURE
SECURITY BACKUPS
Appropriate physical controls should be employed To enable the recovery of key formation, backups
wherever important information resides. A company should be maintained as they are an effective way to
laptop or a smartphone, for instance, should not be recover from disasters such as a ransomware attack.
left unattended in the back seat of a car. Anytime a The following backup rules should apply:
user walks away from their computer they should  backup is regular and automated whenever possible,
lock it. Otherwise, enable auto-lock function on any  backup is held separately from the SME’s
device used for business purposes. Sensitive printed production environment,
documents should also not be left unattended and  backups are encrypted, especially if they are going
when not in use, securely stored away. to be moved between locations,
 the ability to regularly restore data from the backups
is tested. Ideally, a regular test of a full restore from
start to finish should be done.

8
10
ENGAGE WITH
THE CLOUD
While offering many advantages, cloud based solutions do
present some unique risks, which SMEs should consider before
engaging with a cloud provider. ENISA have published a “Cloud
Security Guide for SMEs”2 which SMEs should refer to when
migrating to the cloud.

When selecting a cloud provider, SME should ensure it does


not breach any laws or regulations by storing data, especially
personal data, outside of the EU/EEA. For example, the EU GDPR
requires that personal data of residents within the EU/EEA is not
stored or transmitted outside of the EU/EEA unless under very
specific conditions.

2 https://www.enisa.europa.eu/publications/cloud-security-guide-for-smes

9
12
11
SECURE SEEK AND
ONLINE SHARE
SITES INFORMATION
It is essential that SMEs ensure that their online websites An effective tool in the fight against cybercrime is the
are configured and maintained in a secure manner sharing of information. The sharing of information in
and that any personal data or financial details, such relation to cybercrime is key to SMEs to better understand
as credit card data, is appropriately protected. This the risks they face. Firms that hear about cybersecurity
will entail running regular security tests against the challenges, and how those challenges were overcome,
websites to identify any potential security weaknesses from their peers will more likely take steps to secure their
and conducting regular reviews to ensure the site is systems than if they were to hear similar details from
maintained and updated properly. industry reports or from cybersecurity surveys.

10
EUROPEAN UNION AGENCY
FOR CYBERSECURITY

ABOUT ENISA
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency
dedicated to achieving a high common level of cybersecurity across Europe.
Established in 2004 and strengthened by the EU Cybersecurity Act, the European
Union Agency for Cybersecurity contributes to EU cyber policy, enhances the
trustworthiness of ICT products, services and processes with cybersecurity
certification schemes, cooperates with Member States and EU bodies, and helps
Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing,
capacity building and awareness raising, the Agency works together with its key
stakeholders to strengthen trust in the connected economy, to boost resilience
of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens
digitally secure. For more information, visit www.enisa.europa.eu.

ENISA
European Union Agency for Cybersecurity

Athens Office Heraklion Office


Ethnikis Antistaseos 72 & 95 Nikolaou Plastira
Agamemnonos 14, 700 13 Vassilika Vouton,
Chalandri 15231, Attiki, Greece​ Heraklion, Greece

enisa.europa.eu

You might also like