Glossary

Access control (Defences & Tools)

Access control determines who is allowed to view or use specific systems, files, or areas within your business. The core idea is granting each employee only the access they genuinely need to do their job. This is known as the principle of “least privilege”. For example, an accountant does not need access to HR records, and a receptionist does not need access to your customer database. Weak or excessive access rights are among the most common causes of data breaches in small businesses.

Authentication (Defences & Tools)

Authentication is performed when a user has to provide proof of their (digital) identity to a system or service. The most common means of authentication are passwords. Despite their widespread use, they are typically associated with security and usability challenges. For instance, users might be overwhelmed by overly stringent password policies and resort to reusing the same password across multiple accounts. Password managers can help mitigate these issues. Passkeys offer a replacement that can perform better in terms of both security and usability.

Some password practices were deemed favourable for security in the past, but are now deprecated and their use is generally discouraged. Firstly, regular password expiry has been shown to lead to overall weaker passwords, and to new passwords that can easily be guessed from the previous ones. Secondly, modern password composition policies should enforce a minimum length rather than other complexity requirements (such as mandatory character classes).

Backup & Recovery (Defences & Tools)

A backup is a securely stored copy of your important business data, kept separately from your main systems so it can be recovered if something goes wrong. Ransomware, hardware failure, accidental deletion, and natural disasters can all result in permanent data loss without a reliable backup, severely impacting business continuity. The recommended approach is automated backups according to the 3-2-1 rule: keep three copies of your data, on two different types of storage, with one stored off-site or in the cloud. Critically, backups are only useful if they are tested regularly. Many businesses discover that their backup was broken only when they need it most, potentially leading to a business-endangering disaster. A working backup is your single most reliable recovery option after a cyberattack.
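The following is an added example (not code from the original glossary) of what "3-2-1" and "tested regularly" look like when written down as a check. It takes a constructed inventory of backup copies, reports every deviation from the 3-2-1 rule, flags copies whose last successful restore test is older than a threshold, and shows a minimal restore test as a digest comparison. The field names, the 90-day threshold, and the inventory are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass
class BackupCopy:
    """One copy of the business data (fields are assumptions for this example)."""
    label: str
    media: str              # e.g. "disk", "tape", "cloud"
    offsite: bool           # stored away from the main systems?
    last_restore_test: date  # last time a restore from this copy succeeded


def check_3_2_1(copies, today, max_test_age_days=90):
    """Return a list of findings; an empty list means the 3-2-1 rule is met
    and every copy has a recent, successful restore test."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies on the same media type, need 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site/cloud copy")
    for c in copies:
        age = (today - c.last_restore_test).days
        if age > max_test_age_days:
            findings.append(f"{c.label}: restore test is {age} days old")
    return findings


def verify_restore(original: bytes, restored: bytes) -> bool:
    """A restore test: the digest recorded when the backup was taken must match
    the digest of the data read back from the backup."""
    return hashlib.sha256(original).digest() == hashlib.sha256(restored).digest()


def sample_inventory():
    """Constructed inventory: three copies on three media, one in the cloud,
    but the cloud copy has not been restore-tested for a long time."""
    return [
        BackupCopy("primary-disk", "disk", False, date(2024, 5, 25)),
        BackupCopy("weekly-tape", "tape", False, date(2024, 5, 1)),
        BackupCopy("cloud", "cloud", True, date(2023, 11, 1)),
    ]


if __name__ == "__main__":
    for finding in check_3_2_1(sample_inventory(), date(2024, 6, 1)):
        print("FINDING:", finding)
    print("restore ok:", verify_restore(b"ledger-2024", b"ledger-2024"))
```

Running the block on the constructed inventory reports only the stale cloud restore test; the point is that an inventory can satisfy the copy count and still leave the business without a proven recovery path.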

Business Continuity Plan (Defences & Tools)

An Incident Response Plan can be supplemented by a business continuity plan. This plan focuses on how the business can continue to operate even when some services are down after a disruptive event such as a cyberattack, power outage, or natural disaster. It describes how essential services will continue in emergencies, e.g., how staff communicate internally or between branches when email or telephone are down.

Business Email Compromise (BEC) (Threats & Attacks)

Business Email Compromise is a sophisticated spear-phishing attack in which attackers impersonate a trusted person, such as a CEO, a supplier, or a colleague, via email to trick employees into making bank transfers or sharing sensitive information. Unlike generic phishing, BEC attacks are carefully researched and personalised, using real names, job titles, and business context to appear convincing. They often contain no suspicious links or attachments, making them harder to detect automatically. Small and medium businesses are frequently targeted because they may have fewer formal approval processes for financial transactions.

Data Breach (Threats & Attacks)

Data breaches occur when an attacker gets into an organisation’s systems and steals, i.e., breaches, data. This can be part of cyber espionage or of ordinary cyber-criminal activity. How the data is handled by the attackers depends on the goal they want to achieve. In traditional ransomware attacks, the data is simply encrypted and therefore rendered unusable unless a ransom is paid (the best practice is not to pay, though). More recently, ransomware also breaches data not only to extort the ransom, but also to coerce organisations into paying to prevent the data from being made public, e.g., by release on the Internet. Similarly, acts of cyber sabotage might aim to harm companies by simply releasing confidential information on the Internet. In the case of cyber espionage the data is typically not publicly released; instead, valuable IP or internal process data is stolen to give competitors a competitive edge.

Denial of Service (DoS) and Distributed Denial of Service Attacks (DDoS) (Threats & Attacks)

Denial of Service (DoS) attacks aim to overwhelm a system, network, or service with excessive requests (e.g., network traffic) such that it becomes inaccessible to legitimate users. Distributed Denial of Service (DDoS) attacks pool these requests from multiple sources. For instance, they might use botnets (large networks of hijacked computers) to generate the enormous volume of requests needed. For businesses that rely on their website for sales, bookings, or customer communication, even a short outage can cause significant financial harm. While large enterprises are more frequent targets, SMEs are not immune, particularly those with public-facing services.

Incident Response Plan (Defences & Tools)

An incident response plan is a documented set of procedures that defines exactly what a business should do when a cyberattack or security incident occurs. Its focus is the incident and how to remediate it. It typically defines roles, communication procedures, legal and regulatory obligations, and how to learn from incidents. It specifies who is responsible for which actions, how to contain the damage, which authorities and customers must be notified (and how to notify them), and how to restore normal operations. Without a plan, businesses typically react slowly and inconsistently during a crisis, significantly worsening the impact. Even a simple, well-rehearsed plan can make the difference between a contained incident and a business-threatening catastrophe. Every SME should have at least a basic incident response plan.

Malware (Threats & Attacks)

Malware is any type of malicious software, i.e., software that performs unwanted actions on a system, potentially giving attackers access to that system or disrupting its operations. Malware is a leading threat to SMEs, potentially causing data breaches, financial loss, and reputational damage. A typical delivery method for malware is phishing emails with malicious attachments.

Multi-Factor Authentication (MFA) (Defences & Tools)

Multi-Factor Authentication adds an extra layer of security when logging into an account. It requires users to prove their identity in more than one way before being granted access to an account. For instance, first entering a password (first factor in this example) and then entering a code sent to their mobile phone (second factor in this example). Even if an attacker gets access to one of the factors, e.g., by guessing a password or stealing a smartphone, they cannot log in without the other factor. MFA is capable of blocking many types of account takeover attempts and is an advisable security measure to enable.

Passkeys (Defences & Tools)

Passkeys are an authentication mechanism and can serve as an additional factor or as a replacement for passwords. Originally introduced by the FIDO Alliance, this standard is now in widespread use and allows passwordless authentication on a wide variety of services and devices. The most important advantages of passkeys over passwords are that (a) they are based on public key cryptography, so even if an attacker compromises a server they cannot steal any useful authentication information, and (b) they come with built-in phishing protection. Passkeys represent a significant security improvement over passwords and their use is highly recommended for businesses of all sizes.

Password Management (Defences & Tools)

Password management involves creating, storing, and updating strong passwords. A recommended way to manage passwords is with a password manager. Password managers are applications that store all passwords securely in an encrypted vault, protected by a single strong master password. This allows employees to use a different, complex password for every account without needing to remember them all. Password managers help mitigate multiple risks typically associated with passwords: (1) they allow choosing strong and unique passwords for each account; (2) when used with auto-fill they can help protect against phishing attacks, since the auto-fill will not work on phishing websites and users are more likely to spot the attack; and (3) they can mitigate shoulder-surfing risks when auto-fill is used and passwords are not entered using the keyboard in public places, e.g., while on business travel in a train or a plane. Moreover, many password managers include functions to alert users if credentials appear in a known data breach, allowing timely changes of passwords.

Patch Management (Defences & Tools)

Software vendors regularly discover and fix security vulnerabilities in their products, releasing updates (called patches) to correct them. Unpatched systems are a common target for attackers. Patch management is the process of systematically identifying, testing, and applying these updates across all business devices and systems in a timely manner. Attackers frequently exploit unpatched systems because many organisations delay updates. Some of the most damaging cyberattacks in recent history succeeded because organisations had failed to install patches that were already available. For SMEs, enabling automatic updates wherever possible and regularly checking for updates on other software are essential practices. Unpatched systems are among the most easily exploited vulnerabilities in any organisation.

Phishing (Threats & Attacks)

Phishing is a type of social engineering attack in which criminals send deceptive emails pretending to be a trusted source, such as a bank, a supplier, or a government agency, to trick people into revealing passwords, clicking malicious links, or downloading malicious files. It is the most common form of cyberattack and the leading cause of data breaches for businesses of all sizes. Phishing messages typically create a sense of urgency, such as claiming an account will be suspended unless you act immediately. An especially hard-to-detect method of phishing is clone phishing. In clone phishing the attacker uses a legitimate email sent by a company as a template and changes it as little as possible, in order to make it appear legitimate in terms of layout, writing, etc.

While it is easy to blame users for clicking links, it is important to realise that several technical measures must have failed for a phishing email to land in a user’s inbox, so an incident through phishing represents a failure of technical measures as well as of users. On the technical side, the deployment of email security protocols such as DMARC, DKIM, and SPF can be effective in fighting phishing threats. On the user side, training employees to recognise suspicious emails can complement technical measures, provided it is ensured that the training is actually effective. Otherwise it can be a large drain on money and productivity if all employees have to attend ineffective training measures.
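To make the "technical measures" concrete, here is an added example (not code from the original glossary) of the decision a receiving mail server makes under DMARC: it parses the sender domain's published DMARC policy, checks whether the SPF and DKIM results are aligned with the domain shown in the From header, and returns the disposition. SPF and DKIM themselves are assumed to have been evaluated already and are passed in as results; the organisational-domain logic is simplified to the last two labels (real implementations consult the Public Suffix List), the `pct` tag is ignored, and the records and message results are constructed for the example.

```python
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags,
    applying the defaults (relaxed alignment) for tags that are absent."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain (assumption for this example):
    the last two labels, e.g. mail.example.com -> example.com."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the From domain;
    relaxed ('r') accepts any domain in the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    """Constructed per-message inputs: what SPF and DKIM evaluation produced."""
    from_domain: str     # domain of the visible From header
    spf_pass: bool
    spf_domain: str      # envelope (MAIL FROM) domain SPF was checked against
    dkim_pass: bool
    dkim_domain: str     # d= tag of the verified DKIM signature


def dmarc_disposition(record: str, r: AuthResult) -> str:
    """'pass' if at least one aligned mechanism passed; otherwise the action
    the domain owner requested in the p= tag."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return "none" if tags["p"] == "none" else tags["p"]


# Constructed policy for example.com: reject failures, strict DKIM, relaxed SPF.
EXAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    legit = AuthResult("example.com", True, "mail.example.com", True, "example.com")
    spoof = AuthResult("example.com", True, "bulk-sender.example", False, "")
    print("legitimate:", dmarc_disposition(EXAMPLE_RECORD, legit))
    print("spoofed From:", dmarc_disposition(EXAMPLE_RECORD, spoof))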

Ransomware (Threats & Attacks)

Ransomware is a currently especially prolific type of malware that encrypts the victim’s files, making them completely inaccessible, and then demands a payment (usually in cryptocurrency) in exchange for the key to unlock them. Attacks can bring an entire business to a standstill for days or even weeks, halting operations, customer service, and sales. Even if the ransom is paid, there is no guarantee that the attackers will restore access, or that they have not also stolen and copied the data. Double extortion is a typical practice: first the attacker demands a payment to decrypt the files of a business, then they demand payment again under the threat of releasing stolen business data to the public. Regular, tested backups stored offline are the most reliable protection, since they allow you to restore your data without paying. Backups will not protect you against stolen data being released, though. It is generally regarded as best practice not to pay the ransom. Instead, security specialists might be able to recover the data, even if backups are not present. In case the ransom must be paid, experienced companies offer negotiators that might be able to lower the ransom if paying is unavoidable.

Risk-based Authentication (RBA) (Defences & Tools)

An advanced form of MFA is Risk-based Authentication (RBA). In RBA, the system to which the user authenticates makes a dynamic risk assessment. Based on this risk assessment, additional factors are required to log in. For instance, when in the company network on a stationary computer, only the password might be required, but when connecting through VPN, an additional second factor is needed. This reduces the frequency at which users are required to provide additional factors and therefore generally increases the usability of the system, while not compromising security (conditional on a business being able to perform proper risk assessments in their systems).

Security Awareness & Training (Defences & Tools)

Security awareness training teaches employees how to recognise cybersecurity threats and respond appropriately. It can cover any number of topics, from spotting phishing emails to handling sensitive data or reporting suspicious activity. Because the majority of cyberattacks involve humans in some form, training staff is among the most impactful security investments available to an SME. Effective training goes beyond a one-off presentation: it includes regular refreshers and clear procedures for what to do when something seems wrong. Employees who know what to look for become an active layer of defence, not just a potential vulnerability. While many standards require awareness and training measures only once a year, research has shown that a refresher measure is already needed after six months.

Social Engineering (Threats & Attacks)

Social engineering is the manipulation of people into performing actions or revealing confidential information, exploiting human psychology rather than technical vulnerabilities. Attackers use tactics such as impersonating a trusted authority, creating urgency, or appealing to helpfulness to get what they want, without any hacking involved. A common example is a phone call from someone pretending to be IT support, asking an employee for their password to fix an urgent problem. Defences rely on awareness training and clear internal procedures, such as always verifying the identity of anyone requesting sensitive information. Cultivating a culture where questioning unusual requests is encouraged and not punished in case of legitimate requests is one of the most effective countermeasures.

Spear Phishing (Threats & Attacks)

Spear phishing is a highly targeted form of phishing in which attackers research a specific individual or organisation before crafting a personalised, convincing message. Unlike generic phishing emails sent to millions of people, a spear phishing message might reference your name, job title, a recent business transaction, or a colleague’s name to appear authentic. This level of personalisation makes spear phishing significantly more convincing and harder to detect. Executives, finance teams, and IT staff are frequent targets because of the access or financial authority they hold. Even well-trained employees can be deceived by a well-crafted spear phishing attack, which is why thorough technical measures are crucially important.

Supply Chain Attack (Threats & Attacks)

A supply chain attack occurs when a cybercriminal does not target a company directly, but tries to reach it through a third party, such as a software vendor, IT supplier, or contractor. Your business might have strong defences, but if a software tool or service you rely on is compromised, attackers can use that trusted relationship as a backdoor into your systems. For SMEs, this means that cybersecurity is not solely about your own defences. The cybersecurity posture of your suppliers, technology partners, and potentially customers that have access to your systems matters too. Asking vendors about their security standards and including security expectations in supplier contracts are increasingly important practices. The 2020 SolarWinds attack, which affected thousands of organisations worldwide, is a well-known example of this threat.

Zero Trust (Defences & Tools)

Zero Trust is a security model that implements “least privilege” to the strongest degree (cf. Access Control). It is built on the principle of “never trust, always verify”. This means no user, device, or system is automatically trusted, even when it is already inside the company network. Traditional security focused on keeping threats outside the perimeter, assuming everything inside was safe. Zero Trust challenges this by continuously verifying identity and limiting access to only what each user genuinely needs. This approach is particularly relevant for businesses using cloud services and supporting remote workers, where the traditional network perimeter no longer clearly exists. Implementing Zero Trust does not require a complete infrastructure overhaul. It starts with practical steps such as enabling Multi-Factor Authentication or Risk-Based Authentication, enforcing access controls, and segmenting your network. It is increasingly recommended as the standard security model for modern workplaces and has even proven its worth in Ukraine against the cyber operations by Russian actors.
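The block below is an added example, not code from the original glossary, and ties together three entries: the least-privilege role mapping from Access Control, the dynamic risk assessment from Risk-based Authentication, and the per-request "never trust, always verify" decision of Zero Trust. Every access request is first checked against what the role is entitled to, and only then is the risk of the request context scored to decide whether a password alone suffices, a second factor must be added, or the request is refused outright. The role map, the risk signals, their weights and the thresholds are all assumptions constructed for this example; a real deployment derives them from its own systems, as the RBA entry notes.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    """Context of one access attempt (constructed fields for this example)."""
    user: str
    role: str
    resource: str
    network: str              # "office", "vpn" or "internet"
    device_managed: bool      # company-managed device?
    device_compliant: bool    # patched, disk-encrypted, endpoint protection running
    mfa_done: bool            # second factor already presented in this session
    new_location: bool        # first sign-in from this location
    failed_logins_last_hour: int


# Least privilege: each role sees only what the job needs (assumed mapping).
ROLE_ACCESS = {
    "accountant": {"finance-ledger"},
    "hr": {"hr-records"},
    "receptionist": {"visitor-log"},
}


def risk_score(req: AccessRequest) -> int:
    """Dynamic risk assessment as a sum of signals. Weights are assumptions."""
    score = 0
    if req.network == "vpn":
        score += 2
    elif req.network == "internet":
        score += 4
    if not req.device_managed:
        score += 3
    if not req.device_compliant:
        score += 3
    if req.new_location:
        score += 2
    if req.failed_logins_last_hour >= 3:
        score += 3
    return score


def decide(req: AccessRequest):
    """Zero Trust decision for one request: authorisation first, then
    risk-based step-up. Returns (decision, reason) where decision is
    'allow', 'step-up' (second factor required) or 'deny'."""
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        return ("deny", "role not entitled to resource")
    score = risk_score(req)
    if score >= 8:
        return ("deny", f"risk {score} too high for any factor")
    if score >= 2 and not req.mfa_done:
        return ("step-up", f"risk {score}: second factor required")
    return ("allow", f"risk {score}")


def office_request(**overrides) -> AccessRequest:
    """Baseline: accountant at an office desktop; overrides vary the context."""
    base = dict(user="alice", role="accountant", resource="finance-ledger",
                network="office", device_managed=True, device_compliant=True,
                mfa_done=False, new_location=False, failed_logins_last_hour=0)
    base.update(overrides)
    return AccessRequest(**base)


if __name__ == "__main__":
    for label, req in [
        ("office desktop", office_request()),
        ("via VPN, no MFA yet", office_request(network="vpn")),
        ("receptionist asks for ledger", office_request(role="receptionist")),
        ("unmanaged device on the Internet", office_request(
            network="internet", device_managed=False, device_compliant=False, mfa_done=True)),
    ]:
        print(f"{label:35s} -> {decide(req)}")
```

The same user with the same password gets four different outcomes depending only on the request context, which is what distinguishes this model from a perimeter check at the network edge.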