EU: ENISA issues cybersecurity recommendations for SMEs

The European Union Agency for Cybersecurity ('ENISA') announced, on 28 June 2021, that it had issued a report with recommendations on the cybersecurity challenges faced by small and medium enterprises ('SMEs'), as well as a high-level cybersecurity guide. In particular, the report aims to provide advice for SMEs to successfully cope with cybersecurity challenges, especially those resulting from the COVID-19 pandemic. Furthermore, the report highlights that as a result of challenges created by the pandemic, many SMEs have turned to new technologies to maintain their business, but have often failed to increase their security in relation to these new systems.

Specifically, the report identifies the following cyber risks, in rank order, as the most prevalent for SMEs:

  1. Phishing attacks;
  2. Web-based attacks;
  3. General malware;
  4. Malicious insider; and
  5. Denial of service. 

In addition, the report reveals a number of operational issues faced by SMEs, including low awareness of cyber threats, inadequate protection for critical and sensitive information, lack of budget to cover costs incurred for implementing cybersecurity measures, availability of ICT cybersecurity expertise and personnel, and an absence of suitable guidelines tailored to the SME sector.

In order to address the above challenges and risks, the report recommends several measures, which broadly fall into three categories:

  • people-based measures:
    • measures relating to responsibility;
    • employee buy-in and awareness;
    • cybersecurity training and cybersecurity policies; 
    • third party management in relation to confidential and/or sensitive information; and
  • process-based measures:
    • measures relating to monitoring internal business processes;
    • performing audits;
    • incident planning and response;
    • passwords;
    • software patches; and
  • data protection and technical measures:
    • measures relating to network security;
    • anti-virus;
    • encryption;
    • security monitoring;
    • physical security; and
    • securing of backups.

You can read the press release here, the report here, and the guide here.