Small and Medium Enterprises (SMEs) play a quite significant role in the economy of our country and little by little they are adding and adapting to the digital era. Many of them are using mobile devices, Internet access and communication and information technologies (ICT) to boost their commercial activity -to reach new markets and increase sales and productivity-, as well as to store, process and transmit information that could be sensitive or confidential.
In this situation, SMEs have to take the associated risks into account and implement policies, best practices and security mechanisms for the protection of such information, networks and systems, given that cyberattacks are on the increase and are increasingly sophisticated and persistent. In addition, the legal, financial and commercial consequences could be disastrous for companies. In Costa Rica there is no statistics on the percentage of SMEs that have been victims of cyberattacks, but in the United States and Spain more than 50% of SMEs have been attacked, which leads us to suppose that other PYMES are also being attacked, however their capabilities do not allow them to prevent, much less identify this type of attack.
Due to the lack of dissemination, education and advice in this field, the vast majority of SMEs are unaware of the risks and consider that they are not the target of cyberattacks, because as small companies, they do not have any digital asset of value that can be of interest to cybercriminals. However, all SMEs have significant information This is attractive to criminals, such as information on employees, suppliers, customers and business members, banking, accounting and financial information, business plan and strategy, and even intellectual property (formulas, commercial secrets, research, and so on). So, no matter the size of the company nor what its business is, there is always a risk and if the owners and administrators of SMEs decide not to invest in security, the risk is higher. This said, it is significant to raise awareness so that SMEs begin to implement security measures and mechanisms to protect their information, systems and networks, as they are equally vulnerable to any type of cyberattack. Cybercriminals know that SMEs are easy prey because they usually do not have adequate security.
The purpose of this document is to identify the problems, educate and raise awareness among the owners, administrators, employees and collaborators of SMEs to prevent cyberattacks, improve their capabilities and react in a timely manner to minimize the negative impact of a cybernetic attack. For this, we have compiled a set of policies, best practices and cybersecurity standards from different sources. This is not exhaustive, nor does it intend to be the only solution; on the contrary, it is simply a guide for owners, administrators, employees and collaborators of SMEs should they wish to adopt a culture of prevention and resilience. Absolute security does not exist, computers fail, threats continually change, and staff make mistakes. The danger is imminent and it will is not likely to disappear, but the idea is to be grown and reduce the risks to the maximum.
Protect your computer against spyware viruses and any other malicious code. Make sure that each individual computer (desktop, laptop, and so on) and mobile terminal (tablets, cell phones, and so on) of the company has anti-virus, spyware and malware programmes installed and is updated regularly. These programmes are available online and there is a great variety of supplier companies, who regularly update their programmes to correct security problems and improve their functionality. Configure the programmes so that the updates are installed automatically. The computers and mobile terminals has to be kept free of applications or programmes that are not business-related (video political parties, social networks, and so on), pirated or that have not been authorized by the advisor or IT staff. Having the latest anti-virus programme, web browser and operating system are some of the best practices against viruses, malware, spyware or other malicious code.
Don't trust e-mails and suspicious links. Through the method of social engineering, cybercriminals send emails with links to suspicious or false sites, or create false emails, either to install malicious code on computers and mobile terminals of the company or even pose as company employees requesting sensitive or confidential information. If the email is dubious, it is best to contact the person who supposedly sent the email directly to verify both the sender's information and its content. If it is indeed a fake email, it is best to delete it immediately. In these cases, you has to expect the worst and exercise caution and common sense.
Protect your networks. Safeguard your Internet connection using firewalls and encrypted information. If your company has a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router in such a way that the name of your Wi-Fi network is not public. Configure this access point with a secure password and under no circumstances leave it with the manufacturer's default settings and password. Also, do not use predictable words such as password, such as 123456, or password.
Establish security practices and policies to protect sensitive information. Establish security practices and measures of how your employees and collaborators should handle and protect sensitive or confidential information. Depending on the type of information your company collects from third parties and how to store it on your servers, we recommend that you hire an expert lawyer in the field of data protection to advise them not only in the Editorial of internal policies but also in compliance with the requirements established in the Law for the Protection of the Person against the Treatment of their Data (Law No. 8,968).
Train your employees and collaborators about cyber threats. Train your employees and collaborators about cyber threats and how to protect your business information, including the safe and proper use of social networks and searches on Internet sites, even when using computers and mobile terminals that are owned by employees or collaborators. Depending on the nature of your business, your employees and collaborators could reveal to your competitors sensitive or confidential information of your business through social networks. Employees and collaborators should be informed of the consequences and repercussions for both the company and them in case of uploading or revealing sensitive information of the company (trade secrets, business plan, and so on) on social networks or any site in Internet, and that can be seen by competitors, cyber criminals, and so on
If you do not make responsible use of social networks, owners, administrators, employees and collaborators could be giving data or relevant business information This is of interest to criminals, because they can take the lie truth, bribe the same employees, recreating information from waste/rubbish or information available on employee social networks. In these cases, it should be suggested to the company staff that they configure the privacy of their applications and social networks. We recommend not to visit websites to download free programmes, pages with pornographic content, Counting webs and on-line political parties. We recommend that the company internal procedures manual includes a section on security policies for using the Internet and social networks, and what the sanctions will be if those provisions are breached.
Ask your employees and collaborators to configure secure passwords. Consider implementing security measures, such as double authentication, which requires additional information beyond the initial password. Check with suppliers that handle sensitive company information, particularly banking or financial entities, to see if they offer multifactor authentication for their accounts. Ask your employees and collaborators to incorporate a high level of complexity when configuring their passwords. This is to say, they use a combination of uppercase and lowercase Charts, numbers and symbols in their passwords, and they are not related to personal data that can be deducted (such as the name of their pet or birthday). It is significant to point out that passwords are for their individual use as employees, and should not be stored in visible or easily accessible places (stuck to the monitor, under the keyboard or inside a drawer without a lock or a padlock). The password should be changed regularly, we suggest every two or three months, and that the same company password is not used to access accounts or other applications for personal use.
Use best practices during credit card payments. Check with your bank or credit/debit cards issuer to make sure that you are using the security tools and protocol properly, and that you have activated the anti-fraud service. We advise not to use the same company computer to make online payments as to surf the Internet. Also, try to have the company or corporate credit or debit cards supplied with EMV technology (includes chip).
Back up important information. Regularly back up the information on all the company computers and mobile terminals, particularly the company information considered critical, such as legal documents, databases, accounting and financial files, human resources files, and so on. We advise making automatic backups at least weekly, and storing the backups in two ways: on your own servers but not physically located inside the company, and in the cloud. We have to remember that today the attacks called "ransomware" (hijacking of databases) have become one of the main threats for companies.
Control physical access to computers and network components. Prohibit access or use by unauthorized people of company computers and mobile terminals, including people from the same company who are not authorized to access certain privileged information. Laptops are easier to steal or can get lost, so employees or collaborators should be advised to use a password, keep it secure and never leave them unattended in public places or leave them under third party supervision. Make sure that each employee and collaborator has their own user account and password.
Access to the networks, systems and programmes of the company has to be controlled. Employees and collaborators should have access only to the information they require to do their work. Under no circumstances should they install devices, applications or programmes without prior authorisation. The administrative privileges of access to sensitive information should only be assigned to trusted IT staff. Not all SMEs have the same possibilities, but we recommend controlling the access to the company through ID cards or some other biometric identification device, which allows monitoring both employees and collaborators such as visitors and customers. Surveillance cameras are also a good resource to detect irregular situations.
The use of removable disks and external devices (UBS). The plugging in of any external device that connects to company equipment should be monitored and controlled, whether they are removable hard disks, memory cards or any other unit in which sensitive or confidential data can be stored. The company should provide memory devices (also called "Mayan key"), which encrypts the information and has a password. Also, make sure that all the files coming from that type of devices are previously analyzed by an anti-virus before being copied or run on the company's computers.
Suppliers and business members' vulnerabilities are also yours. The companies that provide services and products could put your company at risk. To avoid problems, we advise to protect both on a legal level and on a computer level, and perform controls with a certain regularity to ensure that suppliers also comply with standards and best practices.
Create a mobile terminal action plan. Mobile terminals can generate security vulnerabilities, particularly if employees and collaborators have confidential information or can access the corporate network through such devices. We recommend that users who use passwords to protect devices encrypt the information and install security applications to prevent cybercriminals from stealing information while those mobile devices are connected to public networks, which should be totally prohibited. Be sure to establish policies and procedures in case of loss or theft of a company mobile device that has access to sensitive company information.
Printing sensitive or confidential information. It is quite common to send to print or photocopy client reports, account statements, minutes of meetings, contracts, supplier information, customer orders, and so on. Then we carelessly do not destroy the information or documents afterwards, or it remains on the printer for several hours or even days. In both cases, the documents are then trashed without much control. What would happen if a third party starts to check your rubbish and take advantage of sensitive or confidential information? A good practice is to have a paper shredder to prevent sensitive or confidential company information from falling into the hands of competitors or criminals.
Protect all your website pages. Be sure to protect each and every page in your portal, not just the subscription or online shopping payment pages. It is important that your portal has security certificates, particularly when collecting sensitive or personal information from clients or third parties.
Response plan to cyber incidents. Regarding SMEs which, due to the nature of their commercial activity are more vulnerable to this type of attack, we advise hiring a consulting company to make a general assessment of the company and identify system vulnerabilities and possible threats, and also help them define a plan of response in case of a cyberattack. Large companies have a response plan not only covering cyber incidents but also other incidents also, such as assaults, floods, earthquakes, blackouts, and so on. It is vital for the continuity of the operation of the company that the IT and personnel administrators understand and know how to proceed and the steps to follow in the case a cybernetic incident is detected to minimize the impact of the attack and its consequences for the company. It is also advisable to do training and drills every so often to improve reaction and response times.
