Information Assurance for SMEs

We regularly hear news of attempted or successful cyber-attacks on large corporations, government institutions and military targets. The threat of hackers accessing online data and using it for financial or political gain is increasing, and Britain’s National Security Strategy has classed the threat as Tier 1. That puts it on a par with terrorism, although it is far less likely to cause actual physical harm to individuals.

With only the large scale attacks making the media headlines, it can seem like a world away from those of us working away in our offices, industrial estates and retail outlets. As the threat of someone hacking into our data may sound like an unlikely event, information assurance isn’t a top priority for many SMEs.

As the majority of companies are conducting more of their business online, through their website, social media or cloud computing for example, the risk of cyber-attack is a growing reality. Many businesses see that embracing technology has reaped rewards, with increased efficiency, national or global clients, greater flexibility in working practices and cheaper marketing. Whilst these have helped many companies, they do come with a risk that the company is exposed to cyber-attack.

You may think that your company is too small for anyone to be interested in accessing your data, but if it is valuable to you, then it has value to others. SMEs are appealing targets, as they are more likely to underestimate the risk and so are less likely to have current data security measures in place. SMEs also provide cyber criminals with routes into the larger companies that the SME supplies or serves.

Whilst attacks on national targets such as electricity grids or air traffic control would cause massive disruption, these targets are well protected and present more of a challenge than a large number of smaller hits on SMEs. From gathering data to sell or use for fraudulent purposes, to cloning bank details, accessing data offers a number of financial gains. There is evidence that organised groups from areas such as Eastern Europe are obtaining the majority of their income through small scale cyber-crimes.

If you are an SME taking advantage of technology to drive your business success, you really need to put measures in place to make it more difficult for your company to be targeted. This needn’t be a costly exercise, but it does need to be regularly reviewed and updated to keep pace with developments. Whilst nothing can guarantee to fully protect your business, below are ten information assurance recommendations for SMEs:

1. First, you need an audit to work out which areas of your business need protecting and to prioritise these, so you know where to focus your attention. This could include any specialist applications that give you a competitive advantage or highly confidential data.

2. You need to identify what device connects your business to the internet and install a firewall if one isn’t already in place. This needs to be configured and updated regularly to ensure it is fit for purpose.

3. Higher risk activities such as online banking should take place on a machine where no other web browsing takes place.

4. Strong passwords, including a combination of letters, numbers and symbols in upper and lower case, should be used and not shared with other staff members.

5. Back-up systems for data should be used, so if your system is hacked, you haven’t lost all of your work.

6. In many businesses all staff have access to all files, but this isn’t usually necessary. Consider restricting access to data that individuals do not need in order to undertake their role.

7. Any removable media, such as USB sticks and DVDs, used to store business data should be restricted to work use only. They should ideally be kept in the workplace and stored securely. Where possible, the data on these should be encrypted, so if stolen, it can’t be used.

8. With increasing numbers of people working from home, it is important that any computers used have anti-malware software installed and are password protected.

9. Incorporate security measures into your staff training.

10. Regularly review the measures you have put into place, updating software as necessary and reminding staff of good practice.


If your business would benefit from higher levels of information assurance, ECA offer the extensive expertise to secure the data, information and other documentation stored electronically within your company.
