IT security for SMEs - best with a concept
Jul 03, 2022
Those responsible for SMEs, especially ones without their own IT department, should regularly address the IT security of their company, for example with a security concept that defines minimum standards.
IT security is an essential topic for SMEs as well. A functioning IT infrastructure is one of the necessary prerequisites for smooth work processes in almost every company, regardless of size. In addition to technical faults, cyber attacks are now the greatest threat to the functioning of the IT of companies and organisations. Almost every week there are high-profile attacks on well-known companies.
In 2021, the Federal Criminal Police Office registered more than 145,000 reported cyber offences, which corresponds to approximately 400 offences per day. In addition, the authors of the situation report point to an "above-average dark field" of unreported offences. For comparison: in 2020, there were around 108,000 reported offences of the same kind. The probability of being affected by an attack on one's own systems thus continues to rise. Despite the costs and the associated effort, measures to improve IT security are without question sensible for every company.
SMEs as targets for cyber criminals
When it comes to fraud and cybercrime, the principle of "quantity is what counts" applies: in their search for suitable targets, fraudsters usually try to reach as large a circle of potential victims as possible. This works particularly well on the Internet, because the search for vulnerable systems can easily be automated. There is therefore acute danger if computers with security vulnerabilities in one's own network are reachable from the Internet. When software flaws become known, as was the case, for example, with the vulnerability in Microsoft Exchange Server or with the Log4j vulnerability, it usually does not take long before criminals try to actively exploit them. Possible consequences include:
- Data theft followed by extortion of ransom money
- Data sabotage and the infiltration of malicious software
- Access to and encryption of systems with so-called ransomware, followed by blackmail of the network owner
- Remote control of computers and their integration into so-called botnets
In addition to financial losses for possible ransoms, it is above all the restricted ability to work and the effort required to restore one's own systems that can cause lasting difficulties for companies after a cyber attack. In the past, even well-known companies sometimes had to deal with the consequences of a cyber attack for months.
ISMS - Concept for IT security
The cost and benefit of concepts and measures must, of course, stay in reasonable proportion. Before creating a concept, those responsible should therefore consider where the focus should lie. If a system can be restored quickly because backups are created regularly, precautions for active attack detection using intrusion detection can possibly be dispensed with. If, on the other hand, important company and customer data is located in the network to be protected, the situation is usually different. If such data falls into the hands of cyber criminals, this can have serious consequences, for example if it is sold or published in relevant forums.
Generally, a concept describing all of a company's IT security measures is called an Information Security Management System (ISMS). Assistance with IT security concepts is provided by authorities such as the Federal Office for Information Security (BSI), but also by associations such as chambers of trade or institutions such as the VdS. In addition, those responsible for SMEs must observe the rules of the General Data Protection Regulation (GDPR, in German DSGVO). We have summarised a few of the possible templates for you below:
- Basic IT protection modules of the BSI [1]: This is a very comprehensive and detailed elaboration that covers almost all conceivable risks and scenarios. It contains concrete instructions for specific computer types and operating system versions. Measures in the event of acute attacks and instructions for emergency management are also listed.
- Basic IT protection profiles of the BSI [2]: This collection contains ready-made profiles, for example for craft enterprises. The basis here is also the BSI's basic protection modules. The German Confederation of Skilled Crafts (ZDH) summarises the applicable modules.
- VdS guidelines 10000 [3]: VdS Schadenverhütung GmbH is a subsidiary of the German Insurance Association and offers catalogues of measures in the form of its guidelines. However, these are subject to a fee.
- ISO 27001: This is an established standard for information security. In particular, companies can have themselves certified against its requirements by recognised auditors. The requirements of ISO 27001 are compatible with the basic protection modules of the BSI. The BSI also lists certified auditors [4].
- General Data Protection Regulation: The GDPR not only stipulates requirements such as obtaining consent for the electronic processing of personal data. It also explicitly requires the appointment of a data protection officer. In addition, IT systems must be designed "taking into account the state of the art" so that the data processed is secured with an "adequate level of protection". Incidents such as unauthorised access to personal data stored in one's own systems must be reported to the competent supervisory authority without delay.
Minimum IT Security Standards for SMEs
The necessary measures must of course be assessed for each company on a case-by-case basis. However, some principles should always be observed as a kind of minimum standard:
- Use of current operating systems and programmes: Attention should definitely be paid to the regular installation of security updates.
- Observation of the current security situation: Those responsible in SMEs should at least have a rough idea of whether their own IT infrastructure could be affected by current security vulnerabilities.
- Regular backups: If the worst comes to the worst, up-to-date backups can protect the ability to work and also customer interests.
- Use of appropriate security software: Virus scanners and firewalls should be present in every network. The use of active attack detection is recommended even for small IT networks. Intrusion detection systems are often already integrated in more professional routers.
- Network separation and authorisation concepts: Data should only be accessible where it is absolutely necessary. This reduces the attack surface and also protects against accidental disclosure of sensitive data.
- Rules of conduct for employees: The handling of sensitive information such as access data, passwords and personal data should be explicitly discussed and bindingly defined. Individual employees may not even be aware of the risks. Protective rules, such as a prohibition on passing on certain data by telephone or e-mail, can usefully be included here. An obligation to consult a superior can also help in some cases.
IT security for SMEs: a mandatory task
Everyone who uses IT systems should observe certain security precautions these days. Those responsible for SMEs have a special responsibility here: a break-in into their systems endangers customers' personal data and the company's internal information at the same time. In extreme cases, jobs or even the very existence of the company may depend on access to its own data. A sensible IT security concept with clear guidelines and a defined distribution of tasks gives people confidence to act in everyday work and especially in stressful situations. Incidentally, you can also create such a stress situation artificially if you wish, by means of penetration testing, and put your concept to the test.
Sources:
[1] https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/IT-Grundschutz-Kompendium/IT-Grundschutz-Bausteine/Bausteine_Download_Edition_node.html
[2] https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Unternehmen-allgemein/IT-Grundschutz-Profile/veroeffentlichte-Profile/veroeffentlichte-profile_node.html
[3] https://vds.de/kompetenzen/cyber-security/vds-richtlinien/anforderungsrichtlinien-/-leitfaeden/vds-10000-informations-sicherheit-fuer-kmu
[4] https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Managementsystemen/ISO-27001-Basis-IT-Grundschutz/Auditoren/iso27001auditoren_node.html