Ten actions SMEs can implement to improve their security when you have no capital budget


Conduct a cybersecurity awareness training programme

Educate your employees about cybersecurity best practices, such as how to identify phishing emails, how to create strong passwords, and how to handle sensitive data securely. Human error is a significant factor in many cybersecurity incidents, so training employees significantly reduces the risk of successful attacks.

While paid training options are available, you can create an in-house training programme using free resources from the National Cyber Security Centre (NCSC) and other reputable sources.


Implement multi-factor authentication (MFA)

MFA adds an extra layer of security by requiring users to provide added verification (e.g., a code from a mobile app) and their password. MFA can prevent unauthorised access even if a password is compromised. Many MFA solutions, such as Google Authenticator and Microsoft Authenticator, are free.

  • Departments involved: Information Security and IT.
  • Tips: Start with critical systems and high-risk users, then expand to all users. Provide clear instructions on setting up and using MFA, involving the IT department in the process.
  • Time: Implementing MFA can take a few days to a few weeks, depending on the size and complexity of your organisation.
  • Resources: NCSC's "Multi-factor Authentication for Online Services" (https://www.ncsc.gov.uk/collection/multi-factor-authentication)


Establish a vulnerability management programme

Regularly scan your systems and applications for vulnerabilities and prioritise risk-based patching. Unpatched vulnerabilities are a common entry point for attackers. Free vulnerability scanning tools like OpenVAS and Nmap are available.

  • Departments involved: Information Security and IT.
  • Tips: Prioritise patching critical systems and high-risk vulnerabilities. Establish a regular patching schedule and watch for new vulnerabilities.
  • Time: Initial setup may take a few weeks, with ongoing scanning and patching.
  • Resources: NCSC's "Vulnerability Management" (https://www.ncsc.gov.uk/collection/vulnerability-management)


Develop and assess an incident response plan

Create a plan that outlines the steps to take during a cybersecurity incident, including roles and responsibilities, communication protocols, and recovery procedures. A well-defined incident response plan is a key tool in minimising the impact of a cybersecurity incident, providing senior management with a sense of security and confidence in the organisation's resilience. Developing the plan internally is free, although you may choose to invest in paid incident response tools or services.


Implement a secure configuration baseline

Establish a set of security settings and configurations for all devices and systems in your organisation. Consistently applying secure configurations reduces the attack surface and makes it harder for attackers to exploit vulnerabilities. Developing the baseline is free, although you may need to invest time in researching best practices and testing configurations.

  • Departments involved: Information Security and IT.
  • Tips: Use industry-standard benchmarks, such as the Center for Internet Security (CIS) benchmarks, as a starting point. Review and update the baseline regularly as new threats and technologies emerge.
  • Time: Developing the initial baseline may take several weeks, with ongoing maintenance.
  • Resources: CIS Benchmarks (https://www.cisecurity.org/cis-benchmarks/)
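A baseline only reduces the attack surface if it is actually applied, so the "review and update" step needs a way to detect drift between the documented settings and what is on a machine. The example below is added here and is not code from the article or from CIS: it reads a `key value` configuration file (the format used by `sshd_config`, which several CIS benchmarks cover) and reports every setting that differs from the baseline or is missing altogether. The baseline values and the configuration excerpt are constructed for the example; the real values to use come from the benchmark you adopt.

```python
# Baseline for this example: the expected value of each setting.
# These are illustrative choices, not a transcription of any CIS benchmark.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config excerpt that drifts from the baseline in three ways:
# root login is enabled, PasswordAuthentication is only set in a comment
# (so the daemon default applies), and LogLevel is absent.
SAMPLE_CONFIG = """
# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
MaxAuthTries 6
"""


def parse_config(text):
    """Parse `key value` (or `key = value`) lines into a dict. Comments and
    blank lines are skipped. Like sshd, the first occurrence of a key wins,
    so a later duplicate cannot silently override an earlier hardening line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0].strip():
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        key = key.lower()
        settings.setdefault(key, value)
    return settings


def check_baseline(config_text, baseline):
    """Return a list of (setting, expected, actual) for every deviation.
    A setting that is not present at all is reported as '<not set>', because
    the daemon's built-in default is not necessarily the hardened value."""
    actual = parse_config(config_text)
    findings = []
    for key, expected in baseline.items():
        value = actual.get(key.lower(), "<not set>")
        if value.lower() != expected.lower():
            findings.append((key, expected, value))
    return findings


def compliant(config_text, baseline):
    """True when no deviation is found."""
    return not check_baseline(config_text, baseline)


if __name__ == "__main__":
    for setting, expected, actual in check_baseline(SAMPLE_CONFIG, BASELINE):
        print("DRIFT %-24s expected=%-8s actual=%s" % (setting, expected, actual))
    print("compliant:", compliant(SAMPLE_CONFIG, BASELINE))
```

Running the same check from a scheduled job on every host, and treating any "DRIFT" line as a ticket, turns the baseline document into an enforced control rather than a one-off exercise.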


Conduct regular phishing simulations

Send simulated phishing emails to employees to test their ability to identify and report suspicious messages. Phishing is a common tactic attackers use to gain initial access to an organisation's network. Simulations help find employees who need added training and raise overall awareness. Free phishing simulation tools such as Gophish are available.

  • Departments involved: Information Security and Human Resources.
  • Tips: Start with simple phishing scenarios and gradually increase the difficulty. Provide immediate feedback and training to employees who fall for the simulations.
  • Time: Setting up and running a phishing simulation campaign may take a few days to a few weeks, with further campaigns run on an ongoing basis.
  • Resources: Gophish (https://getgophish.com/)


Implement a password management policy

Establish guidelines for creating strong, unique passwords and storing them securely. Weak or reused passwords commonly cause account compromises. Developing the policy is free, although you may choose to invest in a paid password manager for your organisation.

  • Departments involved: Information Security and IT.
  • Tips: Encourage the use of passphrases instead of complex passwords. Require employees to use a password manager to generate and store unique passwords for each account.
  • Time: Developing and implementing the policy may take a few weeks.
  • Resources: NCSC's "Password Administration for System Owners" (https://www.ncsc.gov.uk/collection/passwords/updating-your-approach)
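A policy that favours passphrases over complexity rules still needs a few technical checks at the point where a password is set: a minimum length, a deny-list of common passwords, no use of the organisation's own name, and no reuse of a previous password. The example below is added here and is not code from the article or from NCSC; it implements those checks against constructed data. The deny-list, the organisation words and the 12-character minimum are assumptions for the example, and the reuse check keeps only salted PBKDF2 hashes of old passwords, never the passwords themselves.

```python
import hashlib
import hmac
import os

# Constructed examples; a real deny-list would be a large breached-password
# corpus, and the organisation words would be your own name and products.
DENY_LIST = {"password", "password1", "qwerty", "123456", "welcome1", "letmein"}
ORG_WORDS = {"acme", "acmecorp"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256. Only this pair is
    stored in the password history, so old passwords are never kept in clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(candidate, history, min_length=MIN_LENGTH):
    """Return a list of policy violations for `candidate`; an empty list means
    the password is acceptable. `history` is a list of (salt, digest) pairs."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        problems.append("too short: %d characters, minimum is %d" % (len(candidate), min_length))
    if lowered in DENY_LIST:
        problems.append("appears on the deny-list of common passwords")
    if any(word in lowered for word in ORG_WORDS):
        problems.append("contains the organisation's name")
    for salt, old_digest in history:
        _, digest = hash_password(candidate, salt)
        if hmac.compare_digest(digest, old_digest):
            problems.append("reuses a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed history: one previous password, stored hashed.
    history = [hash_password("Winter-Garden-Bicycle")]
    for attempt in ["Password1", "acmecorp2024!", "Winter-Garden-Bicycle",
                    "correct horse battery staple"]:
        verdict = check_password(attempt, history)
        print("%-30s %s" % (attempt, "OK" if not verdict else "; ".join(verdict)))
```

The reuse check deliberately rehashes the candidate with each stored salt rather than comparing plaintext, so the history can be kept for as long as the policy requires without becoming a second copy of everyone's old passwords.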


Establish a security champions programme

Identify and train employees from various departments to serve as cybersecurity advocates and points of contact within their teams. Security champions can help promote cybersecurity best practices, identify potential risks, and provide feedback to the Information Security team. Training security champions is free, although you may choose to invest in additional resources or incentives.

  • Departments involved: Information Security and representatives from various departments.
  • Tips: Select champions enthusiastic about cybersecurity and well-respected within their teams. Provide regular training and support to help them succeed in their roles.
  • Time: Establishing and training the initial group of security champions may take a few weeks, with ongoing support and collaboration.
  • Resources: SANS Institute's "Security Awareness Champion Guide" (https://www.sans.org/security-awareness-training/resources/security-awareness-champion-guide)


Conduct a data classification exercise

Identify and categorise the types of data your organisation handles based on sensitivity and criticality. This includes personal data, financial information, intellectual property, and any other data that, if compromised, could cause significant harm to your organisation or its stakeholders. Understanding your data helps prioritise security efforts and ensures appropriate controls are in place to protect sensitive information. Conducting the exercise is free, although you may need to invest time in collaboration and documentation.


Perform a cybersecurity risk assessment

Identify, analyse, and prioritise the cybersecurity risks facing your organisation. A risk assessment helps you understand your organisation's risk profile and allocate resources effectively to mitigate the most significant risks. Conducting the assessment internally is free, although you may choose to invest in paid risk assessment tools or services.

  • Departments: Information Security, IT, Legal, and Senior Management.
  • Tips: Use a structured risk assessment framework, such as the NCSC's Risk Management Guidance. Involve stakeholders from across the organisation to ensure a comprehensive understanding of risks.
  • Time: The initial risk assessment may take several weeks to a few months, with ongoing updates thereafter.
  • Resources: NCSC's "Risk Management Guidance" (https://www.ncsc.gov.uk/collection/risk-management-guidance)


Implementing these ten free / low-cost actions can significantly improve your organisation's cybersecurity posture and reduce the risk of successful cyberattacks. Remember to collaborate with stakeholders across the organisation, provide ongoing training and support, and regularly review and update your cybersecurity strategies to stay ahead of emerging threats.

Mubashar Khan

Cyber Security Risk Manager | Leading cross-functional teams to Identify and Mitigate Cyber Risks to protect business operations and enhance resilience.

6 months

Great set of tips Andy, I'm sure many SMEs will find this useful.

The detailed list of ten actions provides practical steps that any organization can take to improve their security, from conducting cybersecurity awareness training to implementing multi-factor authentication and establishing incident response plans.
