When SME managing directors are lulled into a false sense of IT security

Five examples of SME managing directors lulling themselves into a false sense of IT security

Most SMEs make various efforts in terms of data protection and data security. But unclear responsibilities undermine protection against data loss and cyberattacks. Here are five examples – and possible solutions.

The data is backed up regularly, the IT partner runs updates and access to the cloud data storage is governed by various access rights. So everything’s OK then? Let’s take a closer look and expose the mistakes that undermine well-intentioned security measures. The five examples have something in common: the failure is not due to technology but to organisational misjudgements.

It’s worth looking at this in more detail, as managing directors and owners are legally responsible for data protection and data security in their SME. Neither this responsibility nor the risk can be outsourced, whether to employees, IT service providers or insurance companies. And the new Swiss Data Protection Act (nDSG), which came into force on 1 September 2023, raises the requirements for data security as a precondition for data protection. So now is a good time to review, scrutinise and improve the measures that have been taken. This article highlights potential problems and provides possible solutions in the form of a checklist.

Error 1: The backup means your data is secure

The SME regularly backs up its important business data – Office documents, the CRM and ERP databases, manuals and any other relevant digital information. But, in the event of an emergency, it must be possible to recover the data too. And in the event of a successful attack, cybercriminals must not be able to access the backups, otherwise they could encrypt them, render them unusable or publish them.

Review your backup strategy if any of these statements apply to you:

  • Your backup is permanently reachable from a workstation, for example because it sits on an always-connected external hard disk or on a network share: anything that encrypts the workstation’s files can then encrypt the backup too.
  • The backup is unencrypted.
  • You have not checked whether you can recover the data and whether the backup media is available and readable.
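The third point above is the one most SMEs never test. The following restore drill is an added example written for this article, not code from the original page or from beem: it archives a folder together with a SHA-256 manifest, restores the archive into a scratch directory and checks every file against the manifest, so a restore that "completes" but silently lost or altered data still fails. The share layout, file names and the tampering step are constructed for the demo; the manifest is kept as a separate file on purpose, so it can live where the backup job (and anything that compromises it) cannot write.

```python
"""Restore drill: a backup only counts once you have restored it and checked
the result. Added example, not code from the article; the folder layout,
file names and paths below are constructed for the demo."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 (works for files larger than memory)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src, archive, manifest):
    """Archive every file under src and record {relative path: sha256}.
    The manifest is a separate file so it can be stored where the backup
    job (and anything that compromises it) has no write access."""
    digests = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                digests[rel] = sha256_of(path)
                tar.add(str(path), arcname=rel)
    manifest.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return digests


def verify_restore(archive, manifest, scratch):
    """Restore archive into scratch and compare each file with the manifest.
    Returns a report with an ok flag plus the missing, changed and unexpected
    files, so a restore that 'completes' but silently lost data still fails."""
    expected = json.loads(manifest.read_text())
    scratch.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(str(scratch), filter="data")  # refuses ../ paths (Python 3.12+)
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(str(scratch))
    restored = {p.relative_to(scratch).as_posix(): sha256_of(p)
                for p in scratch.rglob("*") if p.is_file()}
    missing = sorted(set(expected) - set(restored))
    changed = sorted(rel for rel in expected
                     if rel in restored and restored[rel] != expected[rel])
    unexpected = sorted(set(restored) - set(expected))
    return {"ok": not (missing or changed or unexpected), "missing": missing,
            "changed": changed, "unexpected": unexpected}


def run_drill():
    """Constructed demo: back up a small share, verify a clean restore, then
    verify a restore from an archive in which one file was altered after the
    manifest was taken, the way ransomware encrypting the backup would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share = root / "share"
        (share / "crm").mkdir(parents=True)
        (share / "crm" / "customers.csv").write_text("id,name\n1,Example AG\n")
        (share / "handbook.txt").write_text("How we work\n")
        archive, manifest = root / "backup.tgz", root / "backup.sha256.json"
        create_backup(share, archive, manifest)
        clean = verify_restore(archive, manifest, root / "restore-clean")

        # Tampered archive: same manifest, but customers.csv changed afterwards.
        (share / "crm" / "customers.csv").write_text("ENCRYPTED\n")
        tampered = root / "tampered.tgz"
        create_backup(share, tampered, root / "unused.json")
        bad = verify_restore(tampered, manifest, root / "restore-tampered")
        return clean, bad


if __name__ == "__main__":
    for name, report in zip(("clean", "tampered"), run_drill()):
        print(name, "OK" if report["ok"] else "FAILED", report)
```

Run this on a scheduled basis against the real backup media (not the live share), and treat a failed report the same way you would treat a failed backup job: it means you currently have no restorable copy.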

Error 2: Secure passwords are secure

All passwords in use comply with the guidelines for secure passwords: they are at least 12 characters long, include special characters and contain no dictionary words. This is a good start, but it is far from a guarantee. A password stolen through a data breach or phishing is no longer secure, however long it is. Cybercriminals take leaked access data and try it against many other services (credential stuffing), which is why reusing a password turns one breach into several. Additional safeguards are required at the very least for important accounts such as Microsoft 365 or company applications. Two-factor authentication (2FA) increases security, but depending on the method it can still be circumvented, for example when a one-time code sent by SMS is phished along with the password. Passwordless, phishing-resistant approaches such as passkeys or FIDO2 security keys are better, because the login is bound to the genuine website and cannot be replayed from a fake one.

If any of the following applies to your SME, you should improve the protection of your business accounts:

  • We use the same password for several accounts.
  • We work without a password manager.
  • There are no rules for passwords.
  • Our accounts are password-protected only, without any additional security measures.
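Credential stuffing also has a recognisable footprint in login logs, which is worth knowing when you ask your IT partner what they watch for. The following detection logic is an added example written for this article, not code from the original page or from beem. It assumes a simple, constructed log format (timestamp, result, user, source address) and uses constructed sample lines: the signal is one source address trying many different accounts in a short time, which a single user mistyping a password never produces, and the accounts that source actually got into are the ones to lock and reset first.

```python
"""Credential-stuffing detection: a stolen password list is tried against many
accounts from one source, so the tell-tale sign is one source touching many
*different* users in a short time. Added example, not code from the article;
the log format and the log lines are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: one source tries five accounts in two seconds and
# gets into one of them; another source is a user mistyping their password.
SAMPLE_LOG = """\
2024-05-03T08:12:01Z auth=fail user=anna src=203.0.113.7
2024-05-03T08:12:02Z auth=fail user=beat src=203.0.113.7
2024-05-03T08:12:02Z auth=fail user=claudia src=203.0.113.7
2024-05-03T08:12:03Z auth=fail user=dario src=203.0.113.7
2024-05-03T08:12:03Z auth=ok user=eva src=203.0.113.7
2024-05-03T08:15:40Z auth=fail user=anna src=198.51.100.20
2024-05-03T08:15:55Z auth=fail user=anna src=198.51.100.20
2024-05-03T08:16:10Z auth=ok user=anna src=198.51.100.20
2024-05-03T09:40:00Z auth=fail user=fritz src=192.0.2.9
"""

LINE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Turn log lines into (timestamp, source, user, success) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, match["src"], match["user"], match["result"] == "ok"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=3):
    """Flag every source that hits at least min_users distinct accounts within
    `window`. For each flagged source report how many accounts it tried, how
    many attempts failed and which accounts it actually got into."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        start, hit = 0, False
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            if len({u for _, u, _ in evs[start:end + 1]}) >= min_users:
                hit = True
                break
        if hit:
            findings[src] = {
                "distinct_users": len({u for _, u, _ in evs}),
                "failures": sum(1 for _, _, ok in evs if not ok),
                "logged_in": sorted({u for _, u, ok in evs if ok}),
            }
    return findings


def analyse(text):
    """Convenience wrapper: raw log text in, findings per source address out."""
    return detect_stuffing(parse_log(text))


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} accounts tried, "
              f"{info['failures']} failures, logged in as {info['logged_in']}")
```

The thresholds (ten minutes, three accounts) are assumptions for the demo; tune them to your own login volume, and note that the "logged_in" list is the actionable part: those accounts had a valid password in the attacker's list, so a reset there is overdue regardless of how strong the password looked.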

Error 3: Access rights and personal accounts protect our data

In principle, this statement is correct. In reality, however, the situation is often different: for example, when everyone has access to everything. What is perhaps meant as a sign of trust in employees makes cybercriminals’ work much easier. Once ransomware is active in the local network, it runs with the rights of the account it infected, and if that account can write to every share, it can encrypt everything. The risk of operator error grows too, for example when an employee accidentally deletes the entire project folder.

Here, too, if any of the following applies to you, you should check the permissions:

  • All employees have access to the entire document storage system – with a few exceptions, such as accounting and HR.
  • When employees leave the company, the accounts remain active for a period of time.
  • Several employees use the same account and password for certain cloud services or the intranet.
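The first two points on this list can be read straight out of a user directory export and a file-server ACL export. The audit below is an added example written for this article, not code from the original page or from beem; the export format, account names, share names and dates are constructed. It flags enabled accounts whose owner has already left, enabled accounts nobody has used for a long time, and share permissions that give a catch-all group write access, while treating a leaving date in the future (notice period) as not yet a finding.

```python
"""Access audit: stale accounts and 'everyone can write everything' shares.
Added example, not code from the article; the export format, account names,
share names and dates below are constructed for the demo."""
from datetime import date

# Constructed directory export: account, enabled flag, last login, leaving date.
USERS = [
    {"account": "anna",    "enabled": True,  "last_login": "2024-05-02", "left": None},
    {"account": "beat",    "enabled": True,  "last_login": "2024-01-15", "left": "2024-01-31"},
    {"account": "claudia", "enabled": True,  "last_login": "2023-10-01", "left": None},
    {"account": "dario",   "enabled": True,  "last_login": "2024-05-01", "left": "2024-06-30"},
    {"account": "eva",     "enabled": False, "last_login": "2024-02-10", "left": "2024-02-28"},
]

# Constructed ACL export of the file server: share, principal, rights.
SHARE_ACL = [
    {"share": "projects", "principal": "Everyone",     "rights": "Modify"},
    {"share": "hr",       "principal": "HR",           "rights": "Modify"},
    {"share": "hr",       "principal": "Domain Users", "rights": "Read"},
    {"share": "finance",  "principal": "Domain Users", "rights": "FullControl"},
]

# Groups that effectively mean "everyone" and rights that allow changing data.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}
WRITE_RIGHTS = {"write", "modify", "fullcontrol", "full control"}


def audit_accounts(users, today, dormant_days=90):
    """Return (account, reason) for enabled accounts of people who have already
    left and for enabled accounts unused for more than dormant_days. A leaving
    date in the future is not a finding yet; disabled accounts are skipped."""
    findings = []
    for user in users:
        if not user["enabled"]:
            continue
        if user["left"] and date.fromisoformat(user["left"]) <= today:
            findings.append((user["account"], "left the company, account still enabled"))
        elif (today - date.fromisoformat(user["last_login"])).days > dormant_days:
            findings.append((user["account"], f"dormant, no login for more than {dormant_days} days"))
    return findings


def audit_shares(acl):
    """Return ACL entries that give a catch-all group write access: the
    'everyone has access to everything' setup that ransomware running under
    any infected account, and any careless deletion, can exploit."""
    return [(entry["share"], entry["principal"], entry["rights"]) for entry in acl
            if entry["principal"].lower() in BROAD_PRINCIPALS
            and entry["rights"].lower() in WRITE_RIGHTS]


if __name__ == "__main__":
    for account, reason in audit_accounts(USERS, date(2024, 5, 3)):
        print(f"account {account}: {reason}")
    for share, principal, rights in audit_shares(SHARE_ACL):
        print(f"share {share}: {principal} has {rights}")
```

On a Windows file server the real inputs would come from the directory (last logon and account status) and from the share ACLs; the point of the example is the checks, which should run periodically and not only when someone remembers a leaver.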

Image: Cybersecurity in SMEs: Clarify responsibilities. SME managers should clarify responsibilities with their IT partner to ensure IT security.

Error 4: We run regular updates

The problem lies in the definition of ‘regularly’. Do you install security updates as soon as they are published, or are there fixed intervals at which your SME itself or your IT partner updates workstations and servers? When a serious vulnerability in Windows or Office applications (Microsoft 365) becomes public, every day of delay leaves cybercriminals a window in which to exploit it.

Here, too: if any of the following applies to you, you should question the update strategy:

  • We (or the IT partner) install updates at defined intervals.
  • We have systems in operation for which there are no more security updates.
  • We cannot update certain systems because the software that runs on them is too old for newer operating systems.
  • Employees decide when – and whether – to install updates.

Error 5: We’re secure thanks to a firewall

This statement is not necessarily wrong. But it depends on what the firewall can see. Older firewalls often only filter by address and port: they block unsolicited connections from outside and access to certain addresses. Malware downloaded via e-mail or a browser, or a malicious script on a website, travels inside a connection the firewall allows and is not detected. It gets into the company network without the firewall raising an alarm. Better protection is provided by a firewall that inspects the content of network traffic, and that is properly configured to do so. But no matter how good the firewall in the office is, it is of no use when working from home or on the go.

Here, too, if any of the following applies to you, you should review the protection of your infrastructure:

  • We have not defined the responsibilities for operation of the firewall (e.g. in a service contract with an IT partner).
  • We have not defined a process for how to deal with warnings from the firewall.
  • Business laptops are only protected with basic security measures such as anti-virus software.

Checklist: Questions for your IT partner on strengthening IT security

Security problems of this type are usually unintentional. They result from unclear responsibilities between SMEs and IT partners, inadequate documentation or cost pressure on IT services. Prompt updates, for example, require more frequent involvement of the IT specialists or the IT partner. Updates are in fact a good example of the general point: IT security is an ongoing process that needs to be continuously scrutinised and adapted.

It’s worth taking a closer look at IT security and establishing clarity. Transparency about tasks and responsibilities shows you where your SME stands. With the right security measures, you reduce the risk of a cyberattack and the associated reputational damage and business interruptions. A prepared and communicated contingency plan reduces the impact of a potential attack.

This checklist summarises important points that you can discuss with your IT partner in order to professionalise IT security together:

  1. Business-critical data and applications: What do you absolutely need to keep things running? This will give you an idea of what to prioritise when it comes to IT security measures.
  2. Service contracts: What tasks and responsibilities are defined in it? Do these include, for example, the encryption of backups, the update interval, user management or the response time in the event of an outage?
  3. Documentation: Is there a standardised checklist for maintenance work? Are completed tasks logged? As a managing director, do you have transparency about the current state of your IT thanks to the documentation?
  4. Compliance with and verification of guidelines: Are the guidelines adhered to and do they still meet current needs? Changes to the IT environment may require different guidelines.
  5. Security assessment: Are you unclear about the current state of your IT security? An assessment provides a detailed description of the condition of your infrastructure and lets you plan optimisation measures based on facts.
  6. Additional expenses: How are additional services regulated and billed? This includes, for example, the unplanned replacement of hardware or the adjustment of firewall rules outside of the agreed maintenance.
  7. Contingency plan: And last but not least: Do the emergency measures work in the event of loss of data or a cyber attack? This includes testing preventive security measures such as backups or the failure of redundant network components before anything happens.

Regular review and adjustment of IT security measures reduces the risk of data loss and successful cyberattacks, and with it the risk of operational downtime. IT security is also a key requirement of the new Swiss Data Protection Act (nDSG), which assigns the management responsibility and a duty of care towards its employees. The nDSG provides for personal liability and corresponding fines in the event of violations. Increased IT security reduces the risk of such incidents and protects you and your employees.
