
Effective security measures do not have to mean huge expense. A series of small changes to best practices, such as updating software and improving staff training, can help SMBs to minimise the threat posed by the most common of attacks.

For anyone running a small business today, it should be clear that being the victim of a data breach could have severe consequences for the future of the company. Yet, despite seeing large companies such as Google, Facebook and T-Mobile suffer from breaches, there is still a feeling among SMBs that they are too small to be the target of an attack, or they are too small to be noticed. Unfortunately, this understanding does not reflect the reality of how an attack takes place. Many attacks do not target individual companies specifically; rather, the aim is often to identify common weak points and secure the widest reach possible.

A report by Hiscox has found that many SMBs “incorrectly felt that they weren’t at risk” despite more than half of UK firms having already faced a cyberattack in 2019. The report also reveals that the average loss from breaches has grown to £280,000, demonstrating how vital it is for all SMBs to have an effective security strategy in place.

Thankfully, effective security measures do not have to mean huge increases in expenditure. By making small but considered changes, SMBs can have a very positive impact on their data security.

Best practices

The first step towards making business security more effective is to make sure the company network is protected by business antivirus and firewall software to control the incoming and outgoing network traffic. For companies with mobile workers it is also worth considering a VPN service to ensure remote users can connect securely.

With so many devices requiring a network connection, it is easy for some to be overlooked. While there are the usual computers, servers and printers, the rise in smart device usage could mean that devices many people would not think of as a security risk actually have the potential to be one. Previously innocuous items like kettles, speakers and lightbulbs may now need to be included in security checks. No matter how small the device, it should not be connected until the default password has been changed to something more secure.

Regardless of its purpose, every device that can connect to the office network should be updated as soon as patches and updates become available. While individual devices are simple to update, having just one person updating every single device could become incredibly time-consuming and could see devices unintentionally overlooked. To avoid this risk, the responsibility should be shared between the staff that use devices, with just communal devices directly managed by the IT team.

Regular staff training

The idea of a data breach might conjure up visions of masked hackers trying to break through your company’s defences, but the reality is much more opportunistic. In the last two years, human error was the cause of 88% of reported breaches. This means that simple mistakes such as opening phishing emails, using weak passwords and accessing unsecured networks while working remotely have all been to blame for data breaches. To dramatically improve the security of your data, look to your staff.

While the majority of people today are comfortable using the internet and answering emails, it cannot be assumed that everyone has the same level of knowledge and experience when it comes to security. Eliminating small mistakes can only be done if all members of staff are fully trained to the same level. As a minimum, staff at all levels of the company should be able to both identify a potential risk and be confident enough to alert the relevant member of staff quickly.

Cybersecurity and threats are both constantly evolving, which means that staff training should be regularly updated to ensure that changes to best practices and processes are fully understood. By making training a regular opportunity for staff to ask questions and engage with the topic, it can help to make security a day-to-day consideration rather than an afterthought.

Create a response strategy

The key to combating cyber threats is preparation, but these steps alone might not be enough to prevent an attack. Should the worst still happen, adopting a ‘when not if’ attitude is vital to ensuring that the damage caused by an attack is kept to a minimum.

This strategy should take the form of a document that identifies the range of possible attacks and outlines detailed strategies for how they should be dealt with. As well as internal procedures, the document should also identify the process for informing clients, partners and the general public.

By having a transparent response in place, staff will be aware of what they need to do should a breach occur, and it will be clear to those dealing with the company that responsible planning has taken place to protect data. By demonstrating this, SMBs will be able to minimise the loss of trust and reputation that can often accompany the downtime and financial damage of a data breach.


Effective cybersecurity is as much about education as it is software solutions. By identifying and plugging holes that might otherwise be overlooked, SMBs can ensure they are better protected. Updating and patching devices is a vital element of any security strategy, but when this is combined with small changes to company culture and strategy, the cumulative effect can dramatically reduce the risk of human error and have a significant, positive impact on SMB security.


Terry Hearn

