How to build a cyber security plan: A guide for SMEs
This article was originally published on HLB Global's blog.
At The Missing Link, we understand that many SMEs face unique challenges when it comes to safeguarding their systems and data—from limited resources to a rapidly evolving threat landscape. In this article, our own Gareth Rees, alongside industry partner HLB, offers actionable insights on building a cybersecurity plan tailored specifically for SMEs. Whether you’re looking to strengthen your defences, meet regulatory demands, or simply gain peace of mind, this guide has the practical steps and advice you need to get started.
Today, small and medium-sized enterprises (SMEs) are confronted with an unprecedented level of cyber risk. Malicious actors do not discriminate based on entity size; instead, they focus on organisational vulnerability and susceptibility.
As the line between the physical and digital worlds becomes increasingly blurred, businesses of all sizes must prioritise cyber security to protect their assets. Businesses face many challenges in protecting their reputations, continuing to grow, and avoiding the wrath of regulators and governing bodies.
Therefore, it is imperative to build and implement a comprehensive cyber security plan, but how do businesses achieve this and tackle the evolving threat head-on?
How to build a cyber security plan?
Take a step-by-step approach to build your solid plan:
1. Assess your current security situation
It’s best to start by commissioning a comprehensive cyber security risk assessment. This will allow you to identify and evaluate your critical assets, such as customer data, financial records, IP, and operational systems, helping you balance the investment in controls against the actual risks.
Security Controls Reviews and Security Maturity Assessments provide an understanding of your current control posture and recommendations on how best to use the technology you already have in place. They also give you a solid roadmap for maximising your cyber security budget and clarifying where further investment is needed.
Use vulnerability scanners, external attack surface assessments, and planned penetration tests to determine your current posture regarding vulnerabilities, exposures, and security alerting tools. If you find gaps or weaknesses, document them, then plan and implement timely remediations to establish stronger cyber security baselines.
2. Define your objectives
You need to establish clear security objectives to align with your business goals, so you can prioritise assets based on value and risk exposure. For example, are you correctly safeguarding intellectual property, or adequately protecting customer data? Each objective must follow the SMART principles, being specific, measurable, attainable, relevant, and time-bound.
3. Develop security procedures and policies
As you create robust security policies, you will show how your company plans to protect its assets. Such policies could include data classification and handling procedures, acceptable use policies, incident response protocols, and training guidelines. You should tailor each policy to the unique requirements of your company to ensure that they are always practical and enforceable. Don’t forget to review these policies regularly and adapt them as new threats arise.
4. Put in place multi-layered security measures
The best cyber security plans have multiple layers of defence. You might start by securing your perimeter with firewalls and intrusion prevention and detection systems. You should also have endpoint protection on all your devices, including traditional anti-virus capability as well as EDR (Endpoint Detection and Response). Encrypt sensitive data at rest and in transit so it is safe from unauthorised access, and regularly patch or update systems to close vulnerabilities.
You might also consider advanced solutions like Security Information and Event Management (SIEM) tools, as these give you real-time monitoring and threat detection across a range of your security tools and log sources, not just your endpoints. Two-factor authentication (2FA) or Multi-Factor Authentication (MFA) provides substantial bang for buck when adding another layer of security to your network.
5. Craft an incident response plan
A detailed cyber security response plan will outline the steps to take in the event of a cyber-attack. This plan should have multiple steps, such as:
- Detection of security incidents
- Incident classification
- Key contact information for stakeholders
- Responsibilities and roles of various team members
- Containing or mitigating the incident, preventing further damage
- Eradicating the root cause of the breach
- Recovering systems and data to normal operational levels
- Lessons learned: reviewing the incident so that you can improve future efforts
Conduct regular training sessions and tabletop exercises so everyone understands what they need to do. If you want to go further and pressure-test your teams, processes, and technologies to ensure they can stand up to a real-world incident, consider commissioning Red Team Attack Simulations or Low-Intensity Assumed Breach exercises to gain valuable confidence and lessons learned ahead of real security events.
6. Train your people
Unfortunately, human error is one of the most common causes of a data breach. Don’t let one of your staff members become the weakest link: educate everyone about common cyber threats. Then, hold regular training sessions where you simulate an attack to test their awareness and readiness.
Go further and ensure that cyber security training is embedded within the culture of your organisation, so that everyone considers the organisation’s cyber security their responsibility. Consider using best-in-class cyber security awareness tools and practices, or engaging managed security service providers to help source tools and create cyber security awareness programmes that build and embed that culture.
7. Be aware of third-party risks
Many businesses rely on third-party partners and vendors to help them with daily operations, but this introduces additional risk. Develop third-party risk management strategies with strong contractual agreements that cover security requirements, and consider adopting tools to help you monitor supplier performance.
Regularly reassess each third party to confirm that they treat cyber security as a high priority, and maintain regular, open dialogue with your partners to safeguard the security health of your entire supplier ecosystem.
8. Monitor and review
Remember that cyber security is not a one-time effort but requires ongoing monitoring and adjustment. There are plenty of monitoring tools to help you detect unusual activity, and you can conduct regular security audits to evaluate their effectiveness. Review the plan periodically and update it to address new threats and vulnerabilities.
9. Reach out to external experts
Often, an SME will lack the in-house expertise needed to manage a cyber security plan effectively. So, if you’re in this situation, it’s a good idea to partner with an external consultant or managed security service provider. These are experts who can offer you insights into the latest threats, conduct advanced security assessments, provide access to new security tools that are optimal for your environment, or provide you with expert round-the-clock monitoring, detection, and response capability.
Always be learning
Creating a cyber security plan tailored to your company’s unique needs can feel overwhelming. That’s where The Missing Link, alongside our trusted partner HLB Global, comes in. With extensive expertise in cyber security, HLB Global complements our solutions, enabling us to guide you through the complexities of cyber risk management with bespoke strategies.
We offer targeted advice and risk assurance, aligned with your industry requirements, so you’re not just compliant but fortified against evolving threats. Contact us today to discover how our partnership can help you establish a comprehensive cyber security plan that seamlessly aligns with your business goals.
Author
Gareth Rees