News Item

Top ten cyber hygiene tips for SMEs during COVID-19 pandemic

The EU Agency for Cybersecurity releases ten cyber hygiene tips to support SMEs in protecting their virtual assets against cyber attacks, during the COVID-19 pandemic.

Published on June 02, 2020

Crises like the current COVID-19 pandemic have a serious impact on the European as well as the International society and economy.  Small and medium-sized enterprises (SMEs) are often coping with difficult times.  Unfortunately, cybercriminals often see such crises as opportunities.  Phishing and ransomware attacks are on the rise.

SMEs are also faced with a new reality where employees are working more from home.  This way they become even more dependent on Information Technology (IT) than before.  It goes without saying that protecting these virtual assets is of utmost importance to almost every SME.  According to ENISA, the top ten cyber hygiene topics that SMEs should address, possibly through outsourcing where needed, are presented below:

  1. Management buy-in. It is important that management sees the importance of cybersecurity for the organisation and that it is informed on a regular basis.
  2. Risk assessment. This answers the question: what do I have to protect and from what?  Identify and prioritise the main assets and threats your organisation is facing.
  3. Cybersecurity policy. Have the necessary policies in place to deal with cybersecurity and appoint someone, for example an Information Security Officer (ISO), who is responsible for overseeing the implementation of these policies.
  4. Awareness. Employees should understand the risks and should be informed about how to behave online.  People tend to forget such things rather rapidly, so repeating this every now and then can be valuable.
  5. Updates. Keeping everything, meaning servers, workstations, smartphones, etc. up-to-date is key in your cyber hygiene. Applying security updates is part of this process.  Ideally, this whole process is to a certain level automated and the updates can be tested in a testing environment.
  6. Backups. Prior to doing these updates it is vital to have good backups in place.  This will also protect the environment from attacks such as ransomware.  Backup the most important data often and think about the cost of losing data during a certain timespan.  Keep the backups offline, test the backups and try to have duplication of the backups.
  7. Access management. Have rules/policies in place for access management and enforce them.  Make sure default passwords are changed for example, that passwords are not shared, etc.
  8. Endpoint protection. Think about securing the endpoints through for example installing antivirus software.
  9. Secure remote access. Limit remote access as much as possible and where absolutely needed, enable it but in a secure way.  Make sure that communication is encrypted properly.
  10. Incident management plan. There should be a plan on how to handle an incident when it occurs.  Different realistic scenarios could be part of this plan.  Get to know whom you could contact when things are problematic, for instance the national CSIRT.


Further Information

For further information related to the cybersecurity aspects of the COVID19 pandemic, consult the ENISA pages dedicated to this issue under the Topic - COVID19

For press questions and interviews, please contact


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies