Cybersecurity Agency Releases SME Cybersecurity Guidelines: 3 Checkpoints to Help Industries Prevent Hacks
The Administration for Cyber Security released the 'SME Basic Cybersecurity Protection Guidelines,' focusing on account management, device/data management, and awareness training to help businesses build fundamental defenses without heavy costs.
Published: April 16, 2026 at 12:09
(Central News Agency reporter Pan Tzu-yu, Taipei, 16th) With the advent of the internet era, industrial cybersecurity awareness must be upgraded accordingly. The Administration for Cyber Security under the Ministry of Digital Affairs recently released the "SME Basic Cybersecurity Protection Guidelines," assisting enterprises in building a cybersecurity foundation through three main aspects: account management, device and data management, and cybersecurity awareness training.
The Administration for Cyber Security pointed out in a press release today that hackers prefer to attack targets with weaker defenses. SMEs without dedicated cybersecurity personnel can easily become prime targets for hackers. A reused password or a desktop that hasn't been updated in three years might seem like a daily occurrence, but it could result in the company being unable to receive orders and ship goods for an entire week.
The Administration stated that cybersecurity protection does not necessarily require spending a lot of money on equipment; the key is to establish correct operational processes and usage habits. It recommends that enterprises use the "SME Basic Cybersecurity Protection Guidelines" to quickly evaluate their own defensive capabilities. The guidelines include an "SME Basic Cybersecurity Protection Self-Checklist" listing 16 basic checkpoints, such as "Is the password more than 15 characters?" and "Are you using the 3-2-1 rule for backups?" Business owners only need to check "yes" or "no" to discover the gaps in their defenses.
Regarding how SMEs should implement cybersecurity protection, the Administration suggests implementing three aspects: "account management," "device and data management," and "cybersecurity awareness training."
For account management, it is recommended that passwords be at least 15 characters long and that each account have its own exclusive password, which can significantly reduce the risk of being cracked. Accounts must not be shared: every employee should have an independent account, and sharing one account among multiple people is prohibited. An employee's account must be deactivated immediately on the day they resign to prevent leaks of vital data.
For device and data management, the goal is to protect the company's assets. Whether it's Windows or commonly used software (like LINE, Chrome), "auto-update" must be turned on, and antivirus software installed. Systems should be regularly scanned and vulnerabilities patched to keep hackers out.
The Administration specifically reminded enterprises to implement the "3-2-1 backup rule": company data must have at least 3 backup copies, stored on 2 different storage media, with at least 1 copy stored off-site. It is recommended that 1 copy be stored offline (like an external hard drive). This is an enterprise's chance to recover data when hit by a ransomware attack.
Furthermore, the first thing to do after installing new equipment is to change the password. Cameras, printers, routers, and other devices use identical default passwords from the factory, which attackers know very well. Once the device connects to the internet, the first step is to change the default password.
Regarding cybersecurity awareness training, the aim is to cultivate employees' ability to spot phishing traps. It is recommended that enterprises establish internal rules, such as always verifying by phone before executing actions involving permission changes, financial flows, or file downloads, rather than directly clicking links or attachments in emails.
Enterprises should also establish a cybersecurity incident response plan. When unknown programs appear on a computer, files are suddenly encrypted, or the system slows down abnormally, these signs are easily dismissed as ordinary malfunctions. When anomalies are detected, the first step is to disconnect from the network, the second is to notify the designated contact point, and the third is to preserve the scene, such as the screen display or logs. These 3 steps require no technical background and can be executed by any employee.
The Administration also urged businesses to make good use of government resources by registering for free as a member of the "Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC)" to receive the latest threat alerts and obtain real-time cybersecurity intelligence. Additionally, they can acquire free cybersecurity protection resources from the SME Networking University, the National Institute of Cyber Security, and TWCERT/CC through the "SME Cybersecurity Reference Resources" appended to the guidelines.
The Administration emphasized that cybersecurity is not an extra operational expense but the foundation of business operations, hoping to work with SMEs nationwide to create a safer and more digitally resilient operational environment. (Editor: Chang Chun-mao) 1150416