Navigating the ever-evolving world of cyber security can be overwhelming for small and mid-size businesses (SMBs). A recent study by Sage underscores this sentiment, with 43% of SMBs admitting that deciphering the right security measures feels like wading through murky waters.

By Ben Aung, chief risk officer at Sage

Every day brings a fresh cyber threat, another breached company, or the latest indispensable security gadget. Alarmingly, Sage highlights that 55% of South African business leaders view educating their employees as a challenge in keeping abreast of these relentless threats. With the limited resources globally, it is no wonder that half of SMBs — a staggering 48% — have faced the brunt of at least one cyber security incident in the past year.

Given the devastating effects a cyber breach can have on a small business it has become increasingly evident that cyber security isn’t an inherent risk that can simply be ignored; it must be seen as an integral part of everyday business management, just like data protection and regulations such as PoPIA (Protection of Personal Information Act). It should be considered and integrated into processes in the same way we manage any other business risks.

And while SMBs must get proactive and start prioritising cyber security, it is not always clear where to start especially as many of them often lack a dedicated internal cyber security specialist. In fact, according to Sage, just 10% of SMBs have a dedicated security manager that can monitor and respond to cyber threats.

Therefore, SMBs should focus on a core of good cyber security practices that can be implemented easily, quickly and without the need for expert IT.

Despite the evolving tactics of cyber criminals, the vulnerabilities they exploit remain relatively unchanged, so tried and tested cyber security basics form a strong defence in the face of any attack and can be easily rolled out with minimal disruption to business.

Getting the basics right will not only protect businesses from a wide variety of attacks but will also offer business leaders the much-needed reassurance to focus on driving profitability.


Some steps to cyber resilience include:


Understand the fundamental security needs

Before diving headfirst into new tools and systems, businesses need to first understand where the possible vulnerabilities are to ensure tools and best practices are optimised for their unique security needs.

For example, for online retailers, an e-commerce website is likely the most valuable business asset, given it is the main source of revenue and attracting new customers. Whereas, in the case of a manufacturing business, the most important asset is the operational technology used in the manufacturing process, without which operations would ground to a halt. Simultaneously, all businesses hold personal data belonging to customers and employees which must be adequately protected.

To focus precious resources in the right places, businesses must first assess what assets they have, which ones would be most vulnerable to cyber-attacks and which assets they should prioritise.

To be effective, this process should include stakeholders from different parts of the organisation. This will help ensure all important systems are included and will also generate buy-in from everyone when rolling out cyber security measures to reduce critical security risks most effectively.

Despite the variations and diversity across SMB security needs, there are practical steps that business leaders can take now to immediately bolster defences against cyber risks.


Two-factor authentication

In today’s digital age, activating two-factor authentication (2FA) stands out as an essential step. This security measure goes beyond the traditional password, creating a significant hurdle for cybercriminals.

When they encounter 2FA, even a stolen password will not grant them access.

By utilising a unique code, sent either to a personal device like a smartphone or a dedicated hardware token, access is only possible for someone with the physical device in hand.


Security of the cloud

Next, as technology advances, businesses should embrace the security advantages of the cloud. Notably, reputable cloud providers often boast state-of-the-art security infrastructures that surpass what many organisations can manage on-site.

By migrating to these providers, businesses tap into their extensive security research and rapid threat response mechanisms. These cloud services do not just provide robust, streamlined security; they also offer a cost-effective solution that reduces the burden on in-house IT teams.


Endpoint detection and response

Speaking of evolution in security, the implementation of endpoint detection and response (EDR) tools is a game-changer.

Traditional anti-virus systems are now being outpaced by these advanced tools. Solutions like Microsoft’s Defender for Endpoint can be integrated across a company’s devices, offering vigilant monitoring against unusual, potentially harmful behaviours. Their real-time response to threats, often without needing human intervention, means threats are detected and neutralised rapidly, minimising potential harm.


Cyber security training and culture

While technology offers many solutions, the human element remains crucial. This is why prioritising employee cyber security training is paramount. Instead of being the weak link, well-trained employees can become a formidable first line of defence.

Through regular workshops and training sessions, employees can be updated on the latest threats, such as the ever-persistent issue of phishing.

An organisation that fosters open dialogue around cyber security ensures that every member feels responsible for the collective digital safety. The transformation is palpable: a workforce that once might have been vulnerable now becomes vigilant, able to spot and report suspicious activities.


Incident preparedness

Lastly, in the realm of cyber security, foresight is invaluable. Businesses should proactively plan for emergencies. This involves recognising which data and systems are essential for daily operations and devising contingency plans.

These plans should consider worst-case scenarios, such as crippling data breaches or ransomware attacks. Having a list of key contacts and a coordinated response strategy can be the difference between a minor hiccup and a major crisis.

Such preparedness ensures swift, coordinated reactions during incidents, significantly reducing potential damage in terms of downtime, costs, and reputation.


Keeping it simple is the key to cyber resilience

Cyber security does not have to be an insurmountable goal. While many aspects are highly technical, grasping the basic concepts of cyber resilience should be simple and easy to implement. Taking these steps will reduce the likelihood of a successful attack and ensure SMBs are ready to take effective action if needed.