Top Five Information Security Errors Made By SMEs

There are many information security threats facing businesses, and it can be especially tough at the SME level. Small and medium enterprises are exposed to the same threats as larger businesses, but have more limited resources with which to meet these security challenges.

By Chris Holden, Information Security Consultant

Here are five of the most common security mistakes made by SMEs:

Error One: Not Recognising That Users are the Weakest Link

Possibly the biggest error made by SMEs is to not train staff to be aware that what they do has an impact on security. Non-technical staff are the weakest link in the information security chain, no matter how many security policies are in operation. They are the people exposed to phishing emails, social engineering phone calls and likely to surf to sites on the Internet that you don’t have blocked because you never dreamed they could be a threat. Security is not the top concern for most workers, and just their attempts to work more efficiently can expose a company to risk – for instance emailing a sensitive file to their personal account to work on over the weekend.
By making staff aware of the risks and engaging with them, so that when they need a resource it can be provided securely, a lot of user-based risk can be mitigated.

Error Two: The Disaster Recovery Plan Has Never Been Tested

It is all well and good to have multiple backup sets, stored in separate locations and even to have a plan on how to keep things going should the worst happen. However, it is as important to verify that your backups work as it is to make them! If your recovery plan has never been tested, how can you be certain it will work? The failure of the plan in a real disaster recovery situation could spell the end of the business or a significant amount of downtime and expense.

Error Three: Not Controlling Mobile and Home Working

Most businesses, for efficiency and productivity, allow home working at some times and mobile working if staff are on the road. If the equipment is supplied by the business and is kept up to date and a VPN is always used, all well and good. However, many companies allow staff to use their own devices – which are not so secure.
If home/mobile working is going to be allowed it should be ensured that anti-virus/anti-malware is installed and updated daily on the device in question; that the device is password/PIN protected; a VPN is always used; if a laptop, whole disk encryption is in use; and if possible, that the device should be able to be remotely wiped in case of loss or theft.

It should be noted that even getting company email on a phone is a risk, as any data sent via email is on that phone and quite easily accessible if it is lost or stolen.
Permission for a staff member to work at home should always be a senior management decision, so that these issues can be addressed.

Error Four: Failure to Keep Everything up to Date

It can be a big chore to keep desktop operating systems and other software patched and ensure that everyone’s web browser is the latest version. However tiresome it can be, it is important to do so. Once a vulnerability is found, it is usually not long before it is exploited, and just one compromised machine could do untold damage to a business.

Error Five: Failure to Secure Data Properly

Data is money, and many SMEs indiscriminately place data on their cloud – sometimes where any employee can access it regardless of whether they need access to that data, or even should have access to it.
Choice of cloud service is, of course, paramount. It should be properly accredited, and also offer all the features needed. Encryption and the ability to protect individual folders are probably the minimum requirements. If sensitive data is available to all staff it only takes one careless mistake or one disgruntled employee for there to be a problem. Ease of use is also a big issue. If it’s too difficult or inconvenient for a user to log in and find what they need quickly, they will probably upload the files they need to their own cloud – an obvious data security risk.
It should also be considered whether sensitive data actually needs to be cloud-based at all. It should always be remembered that the security of your data is only as good as your cloud provider’s security.