Contact us: +45 32 67 26 26

Smaller Companies Need Cyber Security Too, According To The ENISA

Isabella Lüders
By: Isabella Lüders Cyber Security | 26 November

In June 2021, The European Union Agency for Cybersecurity (ENISA) issued a report giving detailed recommendations to Small and Medium Enterprises (SMEs) on how they can solve common challenges. About 45% of SMEs reported that they implemented new technologies in response to the pandemic but less than 10% of them included any new security measures. As a result, SMEs are very vulnerable to security breaches.

In this blog post, we will list the most important takeaways from the report to help you improve your cybersecurity.

How security breaches impact your business

Clicking on a suspicious link, engaging with fishy websites, or using preinstalled anti-virus software may seem like minor incidents, but they can have grave consequences for you and your organisation. If hit by a cyber-attack or security breach, the ENISA 2021 report concluded, 80% of SMEs would experience serious negative consequences, of which 57% would become bankrupt or go out of business. Even if the outcome is less severe, dealing with data losses, legal ramifications or corrupted devices needlessly wastes resources.


Why should small companies care about cybersecurity?

The most popular online services are teleworking, banking transactions, emails and information search – chances are that your company very much depends on the internet. Despite the benefits of using online services, accessing the internet makes your network vulnerable to phishing, web-based attacks, general malware as well as other security breaches. This issue affects companies of every size, but not all companies are equally well protected.

ENISA found that 85% of major businesses consider cybersecurity to be a key concern. In SMEs, however, cybersecurity is often not prioritised. Either it is not seen as relevant or disregarded due to a lack of staff or finances. This is a bit misguided because cybersecurity is crucial and does not have to be overly expensive. You should identify areas in need of improvement first and then implement the appropriate measures! Three areas ENISA recommends improving are:

  1. People

  2. Process

  3. Technology


1. Train your Team

It is commonly thought that cybersecurity is limited to the IT department, which is not the case. Every single member of an organisation plays a crucial role in keeping the network secure, which is why they should be aware of possible threats and know how to handle them. Since 84% of cyber-attacks rely on some sort of social engineering, organisational members should also adapt good IT security habits.

These are the most common causes for security incidents:

  • 56% - Weak passwords (2020)

  • 44% - Unlocked devices (2020)

  • 28% - Ransomware (2018)

  • Using private devices

  • Lack of security policies

These issues make the entire business and the personal data it handles vulnerable. ENISA recommends enrolling employees in some type of awareness training. This kind of training can teach them about creating strong passwords, safely browsing the internet, lawfully processing personal data and much more. Awareness training should not be a one-time course but rather, a continuous effort to improve cybersecurity.



2. Restructure your security processes

Implement your own IT Security Policy

In addition to having knowledgeable employees, you need to lay out a clear set of IT security guidelines. These specific guidelines indicate to employees how they are expected to behave when using the company’s network, equipment, and services. If you want to know how to create your own IT security policy with our step-by-step guide and template.

Conduct cybersecurity audits

It can be difficult to monitor the traffic and activities on every single device or network, even for a smaller company. As a result, you could risk a critical issue, vulnerability, or threat remaining undetected. Therefore, it is recommended to conduct regular cybersecurity audits and assessments. By doing so, you can identify any possible weak points before a breach occurs and make sure that your company’s cybersecurity framework is maintained.

Incident planning and response

In case that a security breach does occur, your company must have a protocol in place that details how to proceed and handle the situation correctly. Not only does a formalised response allow you to act quickly but it prevents you from possibly disclosing confidential information or negatively impacting your organisation’s public image.

Maybe a Data Protection Officer can help

Conducting cybersecurity audits and assessments, drafting IT security policies, and planning incident responses can be timely and sometimes require expertise; you could consider having a Data Protection Officer (DPO). They can assist with such tasks, ensure GDPR compliance and follow other regulations. Maybe your organisation could benefit from having a DPO.


3. Update your Technical Setup

For all the other efforts to pay off, you need a strong technical framework. The report states that over 70% of SMEs solely rely on pre-installed or basic software to protect them from security breaches. However, this is very unreliable. Here are some additional measures that can strengthen your IT security:

Network and Asset Security

One of the easiest things to implement is a firewall. Its basic function is to filter and monitor traffic that is sent or received, based on rules you set for your network. There are many additional services a firewall can provide; for example, filtering email traffic, blocking access to malicious websites or warning against potential attacks. Having a firewall is important but you can select additional features that fit your organisation’s needs.

An additional measure is installing anti-virus software. Although a majority already uses such programs to protect against malware, you should ensure that it is used effectively; make sure you always have the most current version installed on all devices, also employees’ tablets and smartphones. You should also be able to centrally manage the anti-virus software to ensure it is up to date.

Security Monitoring

Once you have implemented all the necessary programs and systems, you have to make sure they work effectively. We suggest getting started with IT asset management. It is a system that monitors all company devices and assets to prevent the usage of malicious or unauthorised programs.

So what now?

I hope you could see why smaller businesses should prioritise cybersecurity just as much as larger organisations. We encourage you and your organisation to follow the recommendations from ENISA’s 2021 report, as it can increase cybersecurity and prevent the consequences that a breach might cause.

Our key takeaway from ENISA’s report is that an organisation’s employees are their most important asset. Therefore, the best way to get started is to raise awareness about cybersecurity. We recommend enrolling your employees in awareness training where they learn how to identify and handle threats as well as how to act diligently online.