Cyber security for SMEs: Follow these 6 steps and pass any audit

As threats continue to grow, Cyber Security is becoming increasingly important for businesses of all sizes. All are vulnerable and all are legally obligated to protect their customers and their employees’ data. Therefore, to ensure business continuity and regulatory compliance, it is of high importance that every business has a Cyber Security strategy in place.

But what about Cyber Security for SMEs? Let’s look at this conversation with an imaginary boss of a medium-sized company. His questions and our answers are representative of the concerns and issues that plague small and midsize businesses when it comes to cyber security for SMEs.

I thought cyber criminals would rather target larger businesses —more customer data and revenue equals more money, doesn’t it? 

One reason it is actually the other way around is that most SMEs have little idea how to protect themselves against cyber attacks. They also lack resources, for example personnel or budget.

Another reason is that large companies usually have effective cyber protection and can invest in it regularly, which makes them less attractive to cybercriminals.

Don’t forget: The average cost of data theft for SMBs was $2.98 million. SMBs are more willing to pay cyber criminals, because they can’t afford to disrupt their business operations. It also takes longer for SMBs to detect a breach: the average breach lifecycle is 287 days, and on top of that, downtime hits SMBs hard – time is money after all, and the longer you are down, the higher the price you pay afterwards. This delay is like having an intruder in your home without even noticing it… Not to mention customer trust, which we all know is priceless, but if you lose it, it can cost you your business.

As a small company, we have neither the money nor the knowledge to implement luxury software and to hold security audits!

We are well aware that things can quickly get tight for SMEs, especially financially. But real protection guards against risks out of all proportion to its cost, and the good news is that with license cost optimization tools, it is not even that expensive.

How likely is it for an SME to be attacked?

Let’s see…

  • 43% of all global cyber attacks target small businesses.
  • 60% of small businesses that are victims of a cyber attack go out of business within six months.
  • Cybercrime costs small and medium businesses more than $2.2 million a year (IT forensics and data recovery costs, costs for business interruption, costs for crisis communication, costs for legal advice etc.)
  • There was a 424% increase in new small business cyber breaches in 2021.
  • If you want to ruin your stomach, check out the whole statistics…

But don’t you worry! Because of your increased risk and your tight resources we’ve summarized a few steps on how you can ensure cybersecurity and protect yourself from phishing, ransomware or other cyber security threats, even as a small or medium-sized business. 

To put it simply: With our following options, you could gain a competitive advantage against your competition and better protect not only your data, but also the economic future of your company. So are you in? 

Cyber security for SMEs

Cyber security for small businesses – a guide

Step 1: Become aware 

SMEs are nowadays the preferred target of hackers. They are often helpless in the face of cybercrime and lack the skills and processes needed to identify risks at an early stage, a weakness that cybercriminals exploit shamelessly. To appropriately protect your business, no matter how small, from attacks and cyber threats, you must first realize that you are at risk.

Take this quiz to find out more about your company’s security status

Also make sure your employees have enough expertise! Organize cyber security training, perhaps even together with other SMEs, suppliers and partners, and share the costs. Believe us, it is definitely worth it, because every employee who clicks on untrustworthy links in an email or does not log in and out properly is a constant source of risk for your company that has to be mitigated.

Step 2: Get to know your enemy 

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Sun Tzu, who would be a killer CISO in our time, from “The Art of War”

Once you and your employees are aware of the risks your company faces, it is time to look at them more closely. The more you learn about cyber threats and how cybercriminals operate, the safer you can make your SME.

At this point you are already well on your way to implementing cyber security strategies at your company! You now need to focus on how to prevent, mitigate or, in the worst case, endure cyber attacks.

Step 3: Build up an IT inventory!

Cyber Security for SMEs is not only about your employees’ awareness or your own knowledge. It is also mandatory that you gain an overview of the complete IT landscape by inventorying all your IT assets. IT Asset Management is key when it comes to your IT inventory, therefore you should be aware of how to overcome ITAM challenges, reap maximum benefits and revolutionize the way you manage your IT assets. This will later help you identify risks and vulnerabilities. 

Bonus: This inventory can be managed, updated and used really easily, especially in security audits and in training processes, for example when hiring someone new. 

Now you SEE what you’ve got. It’s time to test your system! 


Step 4: Get to know the weaknesses of your systems!

You need to know where the vulnerabilities of your systems are. Therefore you have to test and analyze your current IT assets. 

Cyber security for SMEs – Checklist (aka: Hardening your Cyber Security without spending any money)

  • Is operation-critical data backed up externally on a regular basis (at least daily)? 
  • Is the critical software used to access company data protected by multi-factor authentication?
  • How demanding is your password policy? Follow best practices, do not falter in this trivial IT security aspect.
  • Is the browser’s cache cleared regularly?
  • Do the IT security standards also apply without restriction to remote employees?
  • Are all employees aware of common cybercrime methods such as phishing or CEO fraud (a type of spear-phishing email attack in which the attacker impersonates your CEO)?

No matter how big or small your company is, if you know exactly what’s going on at your company, who has access to each area, and where there are security gaps, you’ve already done almost everything you can to be cyber secure. Almost.

Step 5: Principles to follow 

Implement principles that help you manage accesses and roles regarding your IT landscape! 

Shall we take a look at which principles you should use?

Access management (who’s got access to what and why?) 

Segregation of duties (SOD)

SoD policies are processes, guidelines and/or rules that an organization has created to make sure security controls are in place while also balancing operational efficiencies and costs.

By implementing SoD you define clear roles and responsibilities, avoid conflicts of interest, reduce data breaches and gain protection against fraud and manipulation.

You can find more about why to use SoD in this article.

Least Privilege Principle (PoLP)

No matter what business you’re in, if you have multiple employees with access and several authority levels, it’s important to know about PoLP.

PoLP defined by the Cybersecurity and Infrastructure Security Agency of the US

“Only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary (remember to relinquish privileges). Granting permissions to a user beyond the scope of the necessary rights of an action can allow that user to obtain or change information in unwanted ways. Therefore, careful delegation of access rights can limit attackers from damaging a system.”

Sounds reasonable, doesn’t it? Check out our article on the Least Privilege Principle to learn everything about avoiding privilege creep and why it is so important to assign only minimum privileges for your employees! 
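To make SoD and PoLP concrete, here is an added example (not the article’s or TheFence’s code) that runs an access review over a constructed user/role roster: it flags users who hold a toxic permission pair (an SoD conflict) and permissions nobody has exercised in 90 days (privilege creep). Role names, permissions, users and dates are all constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): job roles and the
# permissions each role grants in a small finance/IT landscape.
ROLES = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "it_admin":   {"user.create"},
    "auditor":    {"report.read"},
}
# Toxic combinations: one person holding both sides can commit and conceal fraud.
TOXIC_PAIRS = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
]
# Constructed user -> roles assignment; "bob" kept his clerk role after promotion.
USERS = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "ap_manager"},
    "carol": {"it_admin"},
    "dave":  {"auditor"},
}
# Constructed last-use date per (user, permission); absent means never used.
LAST_USED = {
    ("alice", "vendor.create"): date(2024, 6, 1),
    ("alice", "invoice.enter"): date(2024, 6, 10),
    ("bob", "invoice.approve"): date(2024, 6, 9),
    ("bob", "payment.release"): date(2024, 6, 9),
    ("carol", "user.create"): date(2024, 1, 15),
    ("dave", "report.read"): date(2024, 6, 11),
}
TODAY = date(2024, 6, 12)  # constructed review date

def effective_permissions(user, users=USERS, roles=ROLES):
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(roles[r] for r in users[user]))

def sod_conflicts(users=USERS, roles=ROLES, toxic=TOXIC_PAIRS):
    """(user, perm_a, perm_b) for every toxic pair a single person holds."""
    perms = {u: effective_permissions(u, users, roles) for u in users}
    return [(u, a, b) for u in users for a, b in toxic if {a, b} <= perms[u]]

def privilege_creep(today=TODAY, max_idle_days=90, users=USERS, roles=ROLES, last_used=LAST_USED):
    """(user, perm) for permissions unused longer than max_idle_days, or never."""
    cutoff = today - timedelta(days=max_idle_days)
    return [(u, p) for u in users for p in sorted(effective_permissions(u, users, roles))
            if last_used.get((u, p)) is None or last_used[(u, p)] < cutoff]
```

Running both checks shows bob’s accumulated roles create two SoD conflicts, and three permissions (two of bob’s, one of carol’s) are candidates for removal under PoLP.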

Endpoint security

Endpoint security adds a strong layer of protection: it secures the endpoints, or entry points, of your employees’ devices: desktops, laptops and mobile devices. Today’s endpoint protection systems have evolved a lot from traditional antivirus software; they provide comprehensive protection to quickly detect, analyze, block and contain attacks in progress. EPPs, or endpoint protection platforms, offer a wide range of functionality to protect against threats.

The transition to remote work after the pandemic and the growing popularity of BYOD (bring your own device) brought an exponential increase in the endpoints connected to your network, and this also increased your attack surface. That’s why endpoint security is key when it comes to operating as an SME.

Risk management and emergency management 

Cyber Security for SMEs is not so different from big companies’ strategies. For example: instead of ignoring the risk of a cyber attack, SMEs should think about attacks in advance. What would happen if…? Many small and medium-sized enterprises do not consider their situation until they are in the midst of an attack, i.e., in that hot phase when action must be taken particularly quickly. Decisions made quickly and on gut instinct are rarely clever ones. Instead, prepare yourself and your company, stay cool-headed and solve the problem faster, more efficiently and – most importantly – without losing your money!

What to consider when building up an emergency plan: 

  1. Defined reporting channels:

Employees must know who their contact person is – for example, in the IT, compliance or legal departments, or (especially in smaller companies) at an external IT service provider. In the event of a suspicion or emergency, these contacts must initiate the necessary security measures, sensitize employees and, if necessary, also inform external parties affected (customers, suppliers, banks, supervisory authorities, etc.).

  2. Immediate technical measures:

In the case of attacks with ransomware, immediate technical measures are also mandatory. First of all, the affected system must be identified. Then, to minimize the damage, the infected systems should be disconnected from the network immediately: network plugs, batteries and WLAN adapters should be removed or deactivated and the power supply interrupted. The corresponding instructions must be issued by a unit set up for this purpose.

  3. Trace evidence:

It is important to secure traces right from the start, for example by backing up the suspicious e-mail (screenshot) or by forensically securing caches and hard disks. To prevent further data loss, it is advisable to take forensic backups before any repair attempts or reboots of the affected systems are made.

  4. Event log:

Both the attack and the measures taken should be documented in the form of a so-called event log.

There must be no uncertainty whatsoever as to how to respond in the event of a cyber attack. The primary objectives of response measures in the event of a cyber attack are to limit the damage that has occurred or to prevent further damage (internal and external) and to return to normal business operations.

Manual management of security measures quickly reaches its limits due to the ever-increasing complexity of the software and hardware used, even in SMEs, and slower detection and remediation of security vulnerabilities is the result.

Automating security processes speeds up the detection of new, previously unknown vulnerabilities and closes them quickly and reliably once they become known.

You can automate almost all your company’s IT processes: 

  1. Automated risk detection: Identify potential risk factors without relying on manual tasks or time-consuming training. It minimizes human error, the most common cause of business data leakage.
  2. Automated notifications and alerts: Reaction time is crucial; it can make the difference between an access risk and a cyber attack. Automated alerts help you address potential access risk issues as soon as possible.
  3. Maximize transparency in your company: Notifications and alerts are sent directly to your company’s communication channels, so there’s maximum awareness, nothing blocks the flow of information. Stay always up-to-date and get a detailed overview of your employees’ security status.
  4. Pass any security audit: Auditors can cause constant stomach cramps, especially if you work in an industry where you have to be compliant with IT security standards. Be prepared instead of being scared. 

Luckily, these tools are not only available for enterprise-level players. We created our software, TheFence with SMB owners in mind to provide them with effective and effortless defense for an affordable price. Check out our plans and choose the best option for your SME!

Step 6: Strive for Cyber Resilience!

While cyber security defines methods, processes and measures to protect data, networks and IT systems from cyber attacks, thereby reducing the risk of becoming a victim of an attack, resilience is not limited to risk minimization, but provides for measures, processes and methods to ensure operations during an attack or to quickly resume operations after an attack. Cyber resilience programs require holistic thinking and quick, agile action in the face of attacks. The goal of resilience concepts is to ensure that a secure operating state can be guaranteed in all situations and threat situations.
