
(Reading time: 6 - 12 minutes)

Protecting Against Attacks


The end goal of understanding attackers, how they attack, what they are after, and what makes it easy for them, is all to get a better understanding of how best to protect your organisation.

This is edited content from Sarb Sembhi and co-host Nick Ioannou, also available as video and podcast.


Introduction

This is the last in the series of articles on attackers and attacks. It brings together the various strands and ties them into thinking more tactically and strategically about how your organisation can protect itself better. In bringing things together, we are going to revisit some of the key points we made in previous episodes and connect the dots, so to speak. If you haven't had a chance to go through the previous episodes in this mini-series, you'll find a list of links in the resources section.

Default sample awareness and knowledge infographic

What Hinders Protection for Small Organisations

In previous episodes we started each one by looking at some of the details of what Small Organisations get wrong. Here we bring some of those things together from a protection perspective. Some of the things that Small Organisations get wrong about protecting themselves include:

  • Assuming that they should wait until they are bigger and able to afford "better security" before they do anything. The unexpected consequences of adopting a technology are often not considered.
  • For example, before any organisation had office telephones, it didn't need anyone to answer them. But as soon as it wanted to benefit from allowing customers to call and staff to make calls, each organisation had to accept that it would have to invest in a phone system to benefit from the technology. What it didn't expect was that it would also have to deal with sales calls from other businesses and other types of enquiries, which could then involve it having to use call centres. Equally, any organisation which intends to connect to the internet, or to use computer-based technology, will have to accept that it must deal with security to benefit from any type of electronic connection with its users. This obviously includes mobile phones, the internet, social media, video conferencing, email, and so on.
  • What this means is that Small Organisations are not in any position to wait until they are big enough to afford paid security services before they start to protect themselves from attacks. In recent episodes we have shown how attacks can happen at any time, from anywhere in the world, against any technology, once you make that connection to the online world.
  • The challenge today is that many small organisations may never get big enough to make use of larger paid services if they don't start to take action while they are small; the chances are that they will be compromised long before they know it. Improving your passwords, using a password manager, and updating your devices' operating systems and applications can all be done without any expenditure, and will protect your organisation immediately, as long as you implement the appropriate controls collectively rather than in isolation.
  • Believing that because they don't hold any personal data on their systems, they probably don't need to worry about security. This is a misunderstanding of what attackers are after. As we covered previously, there are many other assets of value to attackers than just personal data: the assets attackers want have a value to them which Small Organisations don't see or understand.
  • Thinking that "We don't understand our own users and customers, so how are we going to be able to understand attackers and security?" We hope we are able to guide your organisation through what it needs to understand, and when it needs to understand more and do more about security. Any Small Organisation intending to learn about customers, security, marketing, or almost anything else, needs to view it as a journey, not a destination. This is because almost every service delivery or management activity is different at each stage of an organisation's growth. Security is no different, and needs to be implemented with good foundations, so that as the organisation grows it will be easier and cost less to take it from one level to the next.
  • Concluding that "We've spoken to some experts, and they've told us what we need to do, and it's all over the top, we are only a Small Organisation". Security professionals providing services will aim to provide what they think is best based on the questions and responses in discussions with you. Often, they will aim to give you what you need rather than what you want to pay for. What we do is offer three levels of actions and activities: the first is the must-do-now minimum cyber hygiene level, the second is good practice, and the third is best practice. This third level is where the best practices are similar to what the experts may have suggested. Since your organisation has to start somewhere, we help you get started in a way that can be done at little or no cost.
  • Believing that "We've got the best anti-malware solution, which includes most of the security tools we've heard about, what's the point in spending any more than that?" Most anti-malware suites cover many aspects of malware-related attacks, but they do not cover everything you may need. Only someone who understands your organisation can tell you what you need; generic software, no matter how good, still has to be configured to provide the protection you specifically need. And it will still not cover things like social engineering, staff clicking through on links, connecting over free but vulnerable Wi-Fi, and so on.
  • Believing that "Our staff are sensible and trusted professionals, why should we put measures in place which actually make life difficult for all of us, so that they have to ask someone to give them access to do things?" Security controls that limit what staff can do aren't about reducing productivity; they are about ensuring that simple mistakes are not made, whilst also setting the right environment for when the organisation grows. Many of the controls which limit staff actions are the controls that any organisation with ten or more employees will be expected to already have in place to demonstrate that it is worth doing business with. Implementing strict controls early is good for security culture as the organisation grows, and avoids the costly mistakes which attackers often rely on.
  • Believing that "We're only a very Small Organisation, so we don't really see the need for policies, procedures and other documentation when we have so much other work to do in providing our services". Any organisation intending to outsource services to a not-for-profit or a for-profit organisation is likely to want to understand how seriously it takes data protection and security. Documented policies and procedures help prove to others that data protection is taken seriously.

Many of these beliefs and views may arise out of not understanding the threats and risks, but also out of genuine questions about allocating time and resources in managing overall risks to the organisation. As an organisation grows it will take a different view on almost every aspect of security than the way it did when it was smaller.

Understanding your Environment

The security controls your organisation needs to protect itself from attackers and accidental actions will depend on a range of factors including some or all of the following:

  • Size of organisation – this isn't just the number of employees, but may also need to include board members, trustees, volunteers, interns, etc. The more people involved, the greater the need to manage security controls to protect the organisation.
  • Stage of growth – each stage of an organisation's growth will require a different security mindset. For example, if the organisation is at the growth stage, it may need controls which enable it to get to the next level, which is expansion. Equally, any organisation already at the most mature stage would be expected to already have a robust security programme. Small Organisations need the right level of controls to protect their current assets and enable them to grow.
  • Aspirations of growth – not all organisations have aspirations of high growth. Some may intend to remain small. However, any aspirations of growth must be considered in selecting the right controls.
  • For-profit or not-for-profit – all organisations need security controls, but how they are implemented may differ depending on whether your organisation operates for profit or not.
  • Stakeholders – in some cases, particular stakeholders may require certain levels of security or particular implementations.
  • Funding – whether your organisation is for profit or not, it may need to apply for funding, be it from government sources, angel investors, or venture capital. There are many examples of funders requiring security questionnaires as part of the funding process, and then requesting audits before they commit funding at the final stage.
  • Home or office working environments – although it is a given that most organisations now accept some level of home working, the proportion of home working may require additional considerations.
  • Personal or sensitive data – if your organisation processes any personal or sensitive data, it will likely need to demonstrate accountability for its security management on top of other controls (as indicated by the UK Information Commissioner's guidance on the seven principles of data protection).
  • Industry sector – some sectors have more regulatory requirements than others, for example banking, insurance, pharmaceuticals, telecoms, manufacturing, food preparation, etc. Not all sectors have technology in place (in some cases not yet) to manage aspects of their activities, but many industries are beginning to bring in new technologies, and as they do so they will have to manage the security of those technologies.
  • Website – whether an organisation has a static or a dynamic website, it will need to be protected with the appropriate controls for the technology used.
  • Service delivery – some service delivery may be automated by technology, and where this is the case that technology will need to be considered in the security programme.
  • Sales and marketing – organisations using automation for these activities will require further controls to ensure that they have the appropriate protection.
  • IT utilised – the IT hardware and software used will need to be considered in terms of how it is used, where it is used, and by whom. Further, how it will be updated and maintained to stay secure, regardless of where, by whom and how it is used by staff.
  • Surveillance and physical security controls – the use of IoT devices and systems for physical protection of the home and office requires a very specific set of security controls, so that the use of such technology doesn't weaken the security of any other technology.
  • Operational technology – the use of manufacturing systems, autonomous vehicles, etc. requires an additional set of controls on top of those for other technology.

This is by no means an exhaustive list, but it is meant to indicate that each organisation is different, and how it uses technology is also very different; consequently each one requires very specific consideration.

Default sample Threat Map infographic

The remainder of this section is only available to subscribers.


Infographic images are copyright of Virtually Informed, and are available to registered users for download during the publication week of the blog article, together with other downloadable resources including all related infographics on this page, example policy templates, posters, screen savers and more.


Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (Downloadable in the week of publication).
  • Download Items - Policy Templates, etc. (Downloadable in the week of publication).
  • FAQs (available soon).
  • Blog articles (link to items )
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon)

External Resources:

  • Ponemon Institute Survey
  • Other Survey information

Images from https://www.pixabay.com.