11 lessons all SMEs need to learn about Cyber Security

4th December 2020

Cyber crime is unstoppable. High profile cases involving the likes of the NHS, Sony, and Equifax have made cyber security an especially hot topic.

Though it’s virtually impossible to guess what vulnerabilities cyber criminals will try to exploit next, there are many practical, rudimentary cyber security measures that companies can use to keep risks at arm’s length as much as possible.

Though we’re firewall boffins over at Just Firewalls, we’ll be the first to admit that firewall functions only represent a part of any cyber-preparedness measures. So, with that said, here are 11 cybersecurity lessons that we feel all SMEs need to abide by.

1. No cyber security measures are ever “set and forget”

No IT infrastructure will ever be 100% secure, 100% of the time. In an ideal world, cyber security measures would look after themselves, ticking over in the background with little to no human input. Thanks to the growth of automation and AI, many cyber security tasks can take place without manual intervention. But that doesn’t mean you should abdicate control completely.

Regularly schedule time to survey your network security landscape. This will mean different things to different organisations, but checking network-wide antivirus and update coverage; ensuring all network firmware is up to date; and reviewing security logs are great places to start. Firewalls, WIPS systems, and network monitoring solutions are invaluable here.

2. No company is too small to fall victim to cyber crime

We’ve seen plenty of big names fall victim to cyber crime in the past few years, but that doesn’t mean that small companies are off the hook – far from it. A cyber criminal may see a small organisation as a much more attractive prospect: they’re a softer, easier target who may not have the resources to implement robust cyber-preparedness measures.

As a side note, remember that larger, well-regarded “household name” companies can usually weather the punitive expenses and bad PR caused by a cyber-incident. SMEs however may be more strongly impacted – they have fewer assets to spare and often rely on their reputation and contacts in order to survive.

3. Vulnerabilities can appear during times of rapid growth and restructuring.

Times of rapid growth or restructure can be a stressful time for all concerned – not least the IT department. Orchestrating vast network infrastructure changes whilst also maintaining network usability and security can be a massive undertaking. IT technicians are only human – and when deadlines are looming it’s all too easy to make mistakes and cut corners. But this can easily introduce vulnerabilities into the network. Poorly planned and executed network changes may cause data bottlenecks and operational inefficiencies too.

If you’re able to plan network changes in advance, always do so. You may find it useful to process map the proper way to add, change, and configure essential network assets and make sure they’re secure. This way, when changes need to be made in a hurry, you have a documented and totally “idiot-proof” guide that details each process.

4. Be mindful of the social engineering behind phishing attacks.

In 2019, the DCMS reported that 32% of businesses had suffered a cyber security incident in the 12 months prior to their survey. Of these, 80% identified phishing attacks as a particular risk factor. Phishing attacks are designed to catch us unawares, often using believable-looking email layouts and brand assets to fool us into thinking an email or link has truly come from a trustworthy source.

Phishing emails often look just like communications from service providers (such as Xero, Office 365, or G Suite), prompting the recipient to change their password using a phony link or dupe them into sharing some other piece of valuable information. Particularly pernicious, targeted “spear phishing” attacks may even pretend to come from a senior member of staff, ordering a team member to make a dodgy payment or share access credentials with a third party.

Without being made aware of the risk of phishing, a surprising number of people may well believe these messages and respond as requested, effectively handing data to cyber criminals without even realising. We’re all incredibly busy and time-poor, and phishing emails often include an element of urgency – tricking users into doing “what’s needed” now, rather than after they’ve double-checked with the IT department.

5. Malware isn’t the only cyber threat out there.

Antivirus software is absolutely essential, but malware is far from the only threat out there. Companies can also be at risk of hacks, phishing, insider threats, DDoS attacks, and more – or a mixture of the above.

6. Use password managers and multi-factor authentication wherever possible.

Advice about creating strong passwords is readily available online, but never fall into the trap of storing your passwords anywhere in plain text and certainly never on a sticky note by your screen! Encrypted password management tools like Dashlane and LastPass make light work of saving and managing numerous passwords.

For added assurance that your sensitive systems are only being accessed by verified individuals, use 2-factor or multi-factor authentication so that a password alone is never enough to grant access – we highly recommend WatchGuard’s AuthPoint MFA solution.

7. Always lock your PC when you step away.

It’s unlikely that anyone on your payroll would even think of carrying out cyber crime – probably far from it. But you need to be aware that internal threats are a possibility. So even if it’s just for a moment, always lock your PC when you walk away. Even staff who don’t have access to particularly sensitive systems should get into this habit.

It might sound paranoid, but it’s likely that most of your team have something on their PC that could be well worth stealing, leaking, or tampering with – HR records, intellectual property, financial data – you name it. It only takes one person to betray the company’s trust.

8. Cyber security training is important, but not a cure-all.

Just as a chain is only as strong as its weakest link, a network is only as well-defended as its most vulnerable device. Therefore, every member of staff who uses internet- or network-enabled devices should receive regular cyber security training so they can continue to use your company’s IT securely and effectively. Strong cyber-defences are a team effort.

But training isn’t a watertight solution. German psychologist Hermann Ebbinghaus found that if we don’t attempt to retain information, we forget 70% of it within 24 hours. It’s therefore advisable to embed cyber security learning through regular training and repeated exposure to good cyber security practices.

9. Hacking tools are more readily available than you may think.

Hacking tools are readily available online if you know where to look – and if a team member is computer savvy enough to be looking for hacking tools, they’re probably going to know where to find them! Even moderately computer literate internal actors can cause cyber-chaos with the right equipment and know-how.

Any meddling that originates within the network may not be picked up by your firewall – firewalls are chiefly “gatekeepers” at the network edge, after all. Therefore, network security and access to sensitive data need to be strongly policed to guard against both internal and external threats.

10. Always have an IT contingency plan.

All organisations need to take stock of the tech they use on a daily basis and explore what they would do if access to crucial hardware or data was cut off, or if data was deleted or tampered with.

Think as laterally as you can about how these factors will affect external parties too: how you’ll continue to serve your clients, what you’ll tell them if their service is affected, and whether you’ll incur any fines or litigation under data protection laws. Also consider the frequency, availability, and security of your data backups.

Document all of these plans in a centrally available contingency planning document so all parties know what course of action to take if the worst happens. When an incident occurs and you’re under stress, that’s not the best time to be making IT security decisions. But if you plan ahead of time, it’s as simple as following your own prior instructions.

11. Firewalls need replacing at least every 5 years.

To the uninitiated, a firewall may seem like a pretty straightforward device. It lets in the good and turns away the bad – surely it’ll continue doing that until it gives up the ghost, right? Wrong. Though a firewall unit may appear to be trucking along nicely after 5, 8, even 10 years of dutiful service, it’s unlikely that it’ll be able to handle newer threats and deal with the ever-changing online landscape. We recommend that you replace firewalls (and other intrusion prevention hardware like WIPS systems) every 5 years.


Hopefully you’ve found this guide useful. Give yourself a pat on the back if you’re already implementing most of these points! For enterprise-level intrusion protection solutions, look no further than our suite of firewalls, multi-factor authentication solutions, and WIPS devices, as well as a selection of network access hardware. Call our friendly sales team on 0161 518 3341 or drop us a line.

You’re in safe hands with our cyber security team