Saturday, January 25, 2025
No menu items!

Top 5 Cyber Security Controls Ideal for SMEs

Must Read

There are a multitude of cyber security controls that businesses can implement and leverage to protect against cyber threats, but we’ve selected 5 of the best that are ideal specifically for SMEs.

In today’s digital, data-driven economy, cyber security is the foundation of any strategy because cyber threats are increasing in volume and sophistication.


SMEs don’t always have the budget and resources at hand to defend themselves. Information is invaluable to the business leader, especially details that can end up saving thousands—if not millions—of Rands!

But it is important to keep perspective, and many tech vendors paint a very bleak picture to trigger a response from the market and a rush on to purchase solutions.

With these controls in place, businesses are generally considered to have done the best they can to protect themselves.

The first cyber security control: User Access Control

“In South Africa, the average length of time to identify a data breach is 177 days; globally it is 207 days… you could argue that South Africa is a bit more security-conscious than other regions. But why does it take 177 days? There is a misconception about hackers—that they are masked figures acting alone somewhere unknown—this is simply not the case. Today’s hackers are sophisticated, work in syndicates and use the latest technology, like AI, to target a broad base simultaneously.”

Once they have access to your environment, they won’t initiate attacks right away. “No, they are going to do their homework; they are going to study their target and find out if its viable and whether or not they will get a return on their investment of time and skills.”

It is vital to routinely authenticate users before granting access to applications or devices using unique credentials. Make sure to have an off-boarding process implemented to deactivate accounts of employees who leave, for example.

Implement two-factor authentication, so that user admin accounts are used to perform admin activities only, and remove or disable special access privileges when not required.

“The key thing here is to make sure you know who is logging into your environment, and can you identify them?”

Control number 2:  Secure configuration

It’s very easy to rely on the purchase of new software, for example, and believe you are now fully protected.

The problem is you haven’t changed the default settings; all know what those default settings are, so you’re not safe at all! You must remove any unnecessary user accounts on any device accessing the network. If it’s unnecessary, then remove it!

Its important that businesses do not allow employees to install software that is not critical to fulfilling their function in the business—the more software components, the more patching required, and the higher the security risk.

Disable auto-run features, those without user authorisation. Every single person must be authenticated before they are granted access—especially in terms of financial information.

Control number 3:  Patch Management

Many businesses struggle with this one because most are under the misunderstanding that ‘the IT guy’ will take care of this!

In the IT world, that guy is fighting fires 99% of the time, so something like patch management will slip through the cracks. You need to automate this (patch management) as best as possible. There are tools available, third-party tools… we have a whole workflow that automates this for our customers, from the servers to the switches to the firewalls down to the physical laptops and end-user devices. Whatever software you are running in your environment must be licensed and supported.

 Control 4:  Firewalls

The firewall is critical because it is your access point into your network. It protects you from the outside, but it also protects people on the inside from accessing malicious content.

Key aspects to bear in mind: change any default administrative password to an alternative—using best practices—or disable remote administrative access entirely; block unauthenticated inbound connections by default; ensure inbound firewall rules are approved and documented by an authorised individual; and use a host-based firewall on devices that are used on untrusted networks, including public Wi-Fi hotspots.

Control number 5: Malware

To simplify this control area—a minefield of acronyms—there are some points to keep in mind, including keeping software up to date with signature files updated at least daily.

Anti-virus is a well-known term, but that is one component—there are many enhancements on anti-virus, like EDR, MDR, and XDR.

Traditionally, an antivirus downloads a signature file to your device, and then any file coming into your device will be compared to the signature file. If it is listed in the signature file, then it is deemed to be malicious, so the signature file is really a list of all the bad stuff.

It is critical to configure software to scan files automatically upon access, ensure software scans web pages automatically when they are accessed through a web browser, and ensure software prevents connections to malicious websites.

The last line of defense—if all else fails—considers data protection and backup. Factor in automation, incremental and differential backups, encryption, and multiple backup destinations.

By IPT COO Dillon Gray

- Advertisement -

VISA Makes Key Investment in Moniepoint to Fuel SME Growth in Africa

As Africa's Fintech landscape evolves rapidly, driven by a dynamic ecosystem and a focus on closing the financial inclusion...
Latest News
- Advertisement -

More Articles Like This

- Advertisement -