
Cybersecurity and VSBs: 5 small changes that will make a big difference

Updated: Mar 15

We are all well aware of this: cybersecurity is a topical issue. Digital technology brings us as many opportunities as it does dangers, and VSEs and SMEs are not immune to those dangers.


In December 2019, AFNIC published the results of its annual study (freely downloadable), carried out among 3,000 respondents: very small businesses (97%), VSEs (8%) and SMEs (5%). Among the respondents, 92% believe that their presence on the Internet is essential or useful to their business: 76% of companies are present on social networks, 69% have a website, and 26% say they sell their products/services online. (1)


Digital technology is therefore an essential development lever for small businesses. A lever that generates opportunities, but also risks. Risks that these small businesses do not always have the means to manage: in the field of cybersecurity, the smallest companies often lack the financial, technical and human resources, and the skills.


But here's the thing: cybersecurity is above all a set of good practices and good habits. These are often small organisational changes, small changes in routine, which can make all the difference.

Of course, cybersecurity is a complex, constantly changing environment that can only be fully understood by expert consultants. But it is entirely possible to protect yourself against a multitude of cyber threats through the daily application of certain auditing and security habits.




If you are the manager of a VSE or SME and you want to start securing your business at your own pace and without spending too much money, then here are 5 tips that will make all the difference.


1- Map your IT assets


Because you can't protect what you don't know. Make a list of all the digital equipment and services that you use on a daily basis in your business: computers (and their peripherals such as USB keys), tablets, local servers, remote servers (website hosting, email, etc.) as well as all the other devices that may be connected to each other (ISP routers, switches, 4G keys, printers, etc.).

Also list all the software you use: check that each one is on a supported version, has been updated, and is covered by a user licence that is valid and still current.


But beyond the various digital tools and services, mapping your IT assets also means mapping your flows.

Draw up a list of accesses to your company's information system: who is accessing it? Under what status (administrator, user, guest)? By what means of access (local or remote connection)? And so on. Ask yourself all these questions and thus make an inventory of the interconnections between your employees and your information system.

But also make an inventory of the interconnections that could exist between your information system and the outside world (to a service provider, a partner, for example).


Make a list of all the tools and services that make up your IT infrastructure, as well as a list of the various flows from and to your IT infrastructure.

This will give you an overview of all the elements to be protected.



2- Separating computer uses


The main objective of this measure is to limit the spread of a possible virus or infection in case of an attack.


Separating computer uses involves several aspects:


  • Creating user accounts with more or less limited authorisations depending on the needs of your employees. Create user accounts for each of your employees, taking care to grant only the necessary authorisations to each of them. Ask yourself: what do they need to do their daily work? Do they need access to more or less sensitive information? And so on. Ensuring the correct use of user accounts can limit the impact and scope of an attack. For example, the first piece of advice in terms of creating user accounts would be: "only user/guest accounts should be used to browse the internet". Indeed, many cyber attacks are caused by risky browsing from high privilege accounts. If necessary, create two or more user accounts for your employees depending on their needs.


  • The use of IT equipment dedicated to professional practice. Ideally, the separation of uses means separating personal and professional uses, and this is achieved through the equipment. Requiring your employees to work on your company's workstations and equipment will guarantee you much better control of your IT equipment (back to the first tip). In addition, as it is your company's equipment, you will be able to require that the appropriate anti-virus software be installed.


  • And the last aspect of the separation of uses is the creation of different mailboxes according to the uses, and thus, the creation of the professional mailbox. Requiring your employees to exchange e-mails from a professional and secure e-mail account not only allows you to have a say in the quality and security of the solution used, but also keeps any phishing attempts to which your employee may be subjected from his or her personal e-mail account well away from your information systems.



3- Implement a strong password policy


Implementing a strong password policy is essential in securing your user accounts on the various services used.


This requires the application of a few simple rules:


  • A strong password is at least 10 characters (more if possible!) containing upper and lower case letters, special characters, and numbers. Remember that most brute force attacks on your passwords are launched by algorithms that have the ability to test thousands of different combinations per minute! So you can imagine that a password that is too simple is very easily guessed by attackers and their software.


  • A strong password never contains personal information. Dates of birth, first names of children or spouses, etc.: this information is very easily accessible to attackers who would target you personally. Perhaps online, in publicly accessible municipal registers, or perhaps it is information that you yourself have thoughtlessly published on your social networking accounts. So, as a precaution, never include any personal information in your passwords.


  • A strong password is unique. Because yes, a strong password policy means using a different password for each online service that requires authentication. This way, if one of your accounts is attacked, your other accounts, using different passwords, will not be compromised.


  • A strong password is certainly not written on a post-it note stuck to your screen. This point is often taken for granted, but it also means that a password should not be written on a note on your desk or in a notebook, even if you think it is safe. It is indeed difficult to apply the three previous tips without ever writing down your passwords anywhere, but there is a solution. There are many online "safes" and other software that allow you to keep your passwords safe. Remember only one complex password, the one that unlocks your safe, and store all the others in it. Some "safes" can even be added as extensions to your browser and allow you to quickly generate unique and secure passwords and automatically log in securely to the sites you register.


  • A strong password is never shared. Never share your password(s), even with your colleagues, for any reason. Even in a professional context, a password is personal. And don't forget that social engineering uses manipulation to get users to reveal their passwords.
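The rules above can be turned into a check that runs before a password is accepted. The following is an added example written for this post (not CyberSecura's code or any product's): it checks the minimum length of 10 characters and the four character classes, rejects passwords containing personal tokens (a first name, fragments of a date of birth), and flags a password already in use on another service. The personal tokens and the reuse list are constructed inputs; a real deployment would feed it from the user's profile and the password safe.

```python
import string

MIN_LENGTH = 10  # the post's minimum; raise it where the service allows


def character_class_gaps(password):
    """Return the names of the character classes the password is missing."""
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    return [name for name, present in classes.items() if not present]


def date_variants(iso_date):
    """Expand a YYYY-MM-DD date into the fragments people typically type
    into passwords (year, DDMM, MMDD, DDMMYYYY, DDMMYY, YYYYMMDD)."""
    year, month, day = iso_date.split("-")
    return {
        year, day + month, month + day,
        day + month + year, day + month + year[2:], year + month + day,
    }


def contains_personal_info(password, personal_tokens):
    """True if any personal token appears in the password, case-insensitively.
    Tokens shorter than 3 characters are ignored so that a single digit or
    letter does not trigger a false positive."""
    lowered = password.lower()
    for token in personal_tokens:
        token = token.lower().strip()
        if len(token) >= 3 and token in lowered:
            return True
    return False


def check_password(password, personal_tokens=(), already_used=frozenset()):
    """Apply the post's policy and return the list of violations (empty = ok)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    gaps = character_class_gaps(password)
    if gaps:
        violations.append("missing " + ", ".join(gaps))
    if contains_personal_info(password, personal_tokens):
        violations.append("contains personal information")
    if password in already_used:
        violations.append("reused on another service")
    return violations


if __name__ == "__main__":
    # Constructed profile: first name plus date-of-birth fragments (hypothetical values).
    personal = {"Marie"} | date_variants("1985-03-12")
    for candidate in ["Pa$$w0rd", "Marie1985!!xyz", "Tr0ub4dor&3!xyz"]:
        print(candidate, "->", check_password(candidate, personal) or "ok")
```

The check is a floor, not a strength meter: a password that passes every rule can still be weak if it is a dictionary word with predictable substitutions, which is why the post's advice to let a password safe generate passwords remains the better option.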



4- Use anti-virus software


Even if anti-virus software is not magic, it is a worthwhile investment when you have a limited budget for the detection and prevention of cyber threats.

But beware, to be effective, an anti-virus must be deployed on all equipment, and in priority on those connected to the Internet.


It must be regularly kept up to date: you must therefore carry out software updates as quickly as possible when they are offered, but also updates to the signature database. Indeed, anti-virus software is designed to protect you against the hundreds of thousands of malicious codes created every day: without regular updates of this signature database, many malicious codes will be unknown to your anti-virus software and it will lose its effectiveness.


Most anti-virus software offers you the option of setting up automatic updates or automatic scans of your storage spaces: activating these settings is strongly recommended. When purchasing anti-virus software, many publishers also offer other interesting features, which it would be useful to consider according to your uses: firewall, web filtering, VPN, anti-phishing tools, reinforced security for online banking, etc.



5- Keep your data safe


Beyond cyber attacks, another aspect of cybersecurity that represents a real danger for organisations is the security of their data.

Indeed, all organisations, whatever their nature, collect, process and/or store data. This is sometimes even the core business of companies.

It is therefore essential to ensure the security of your company's data, both organisational data and data concerning your employees, customers or partners.



To ensure the security of your data:


  • Again, map the data your company processes: first map the data you collect and process, the rest will come later. What data do you collect? In what way? For what purpose? What data is likely to affect or interrupt the business if lost or altered? Is there any data subject to legal obligations?


  • Next, make an inventory of data processing: this step will enable you to identify the people involved in data processing and thus take the necessary precautions, and possibly train them for this task.


  • Next comes the question of data storage: where is your data stored? On what media? It is recommended that you make regular data backups (daily, weekly, monthly) according to the needs of your business, and also make copies. This way, if your data is lost or altered on one medium, it will still be available and up-to-date on another medium. If you store your data in the cloud, make sure that the solution you use is of high quality, reliable and secure. In any case, and despite the security of the storage solution used, regular backups and copies of your data are essential.
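The backup schedule described above (daily, weekly and monthly backups, plus a copy on another medium) is usually managed with a retention rule: keep every backup from the last few days, the newest backup of each recent week, and the newest backup of each recent month, and delete the rest. The example below is added for this post and is not CyberSecura's code; it computes that rule over a constructed list of backup dates and also shows how a copy to a second medium can be verified with a checksum rather than trusted blindly. The retention counts (7 daily, 4 weekly, 12 monthly) are assumptions to adjust to the needs of the business.

```python
import hashlib
import shutil
from datetime import date, timedelta
from pathlib import Path


def select_backups_to_keep(backup_dates, today, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention over a list of backup dates.

    Keeps: every backup from the last `daily` days, the newest backup of each
    of the `weekly` most recent ISO weeks that have a backup, and the newest
    backup of each of the `monthly` most recent months that have a backup.
    Returns the sorted list of dates to keep; everything else can be rotated out.
    """
    backups = sorted(set(backup_dates))
    keep = {d for d in backups if 0 <= (today - d).days < daily}

    # Iterating in ascending order means the last assignment per key is the newest backup.
    newest_per_week = {}
    newest_per_month = {}
    for d in backups:
        newest_per_week[d.isocalendar()[:2]] = d    # key: (ISO year, ISO week)
        newest_per_month[(d.year, d.month)] = d

    keep.update(newest_per_week[k] for k in sorted(newest_per_week)[-weekly:])
    keep.update(newest_per_month[k] for k in sorted(newest_per_month)[-monthly:])
    return sorted(keep)


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_and_verify(src, dst):
    """Copy a backup to a second medium and confirm the copy is byte-identical."""
    src, dst = Path(src), Path(dst)
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, dst)
    return sha256_of(src) == sha256_of(dst)


if __name__ == "__main__":
    # Constructed history: one backup per day for the first quarter of 2024.
    start, today = date(2024, 1, 1), date(2024, 3, 31)
    history = [start + timedelta(days=i) for i in range((today - start).days + 1)]
    kept = select_backups_to_keep(history, today, daily=7, weekly=4, monthly=3)
    print(f"{len(history)} backups, {len(kept)} kept:")
    for d in kept:
        print("  ", d.isoformat())
```

Because weekly and monthly slots are filled by the newest backup actually present, a missed night does not silently drop a whole week; the daily window, on the other hand, is a calendar window, so a gap there is visible as a shorter list and is worth alerting on.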


Beyond the security framework, this question of data security is also sometimes a matter of the legal framework (GDPR).


Of course, this list is not exhaustive: securing an information system is more complex than that. So if this is not yet the case, put cybersecurity on the agenda in your company. Invest in securing your business as soon as possible, to ensure its continuity.


In the meantime, you can apply these tips to limit your own and your employees' exposure to cyber risks in the first instance.




CyberSecura can assist you in securing your activities, both in terms of cybersecurity and data protection and compliance with the GDPR.


