Looking after the IT security of your business can feel like a daunting task. Mainstream media frequently report on cyber attacks, but expert commentary is often provided without actionable advice on how to protect yourself or your business.
We have compiled a list of our top five areas that small businesses frequently ask questions about.
Passwords should be strong enough to protect your organisation. However, very complex passwords can be hard to remember, resulting in people choosing weaker passwords or repeating them across accounts.
Use or include three random words such as “horsebatterystaple” in your password to help protect against common issues like brute force attacks (where an attacker tries many passwords with the hope of guessing it correctly), while keeping it simple enough for the user to remember. You can also include symbols, capital letters and numbers to make it even more secure.
Passwords should always be enabled, for example on mobile phones and laptops, and default passwords should always be changed to something unique by the user. They should also be changed in the event of a loss or suspected compromise, for example if you’ve witnessed suspicious activity on the account.
If you need help remembering your passwords, consider using a password manager to store them. There are pros and cons to this approach; additional guidance is provided on the NCSC website.
Two Factor Authentication
Two Factor Authentication (2FA) is a method of adding an additional layer of security to accounts or transactions. It typically combines something the user knows, like a password or PIN, with something they have, like a mobile phone, number-generating token or USB stick.
Common methods of 2FA include a single-use code being sent via SMS, email, phone, or smartphone application. Alternatively, a physical token similar to a USB stick can be used, either by displaying a verification code on a small LCD screen or by presenting a cryptographic key when plugged into a USB port.
Not all organisations provide 2FA and the only way to be certain is to perform your own research. Searching online for ‘<service provider name> two factor’ is a good indicator, and there are also some websites which provide lists of those that are known to provide 2FA: https://twofactorauth.org
Severe data loss can be caused without warning and the result is typically a massive disruption to you and your business. In these instances, a robust data backup is often the only road to recovery.
You must first consider what data should be backed up and where it is located. Highlight what is critical by asking yourself: “what would be the operational and financial impact to my business of permanently losing this information?” Backups should be performed daily and also if a critical order list changes.
Backups can be taken on physical devices such as a portable hard drive, or through a cloud-based backup service, depending on your business needs. The backups should be isolated from their associated network and device to protect them in the event of a malware outbreak. You should secure digital backups through encryption or password protection, and store any physical backups in a safe location, while also making multiple copies where possible in case of device failure.
Finally, it is vital to test backups once they have been created, as an untested backup could delay your business’s ability to recover from an incident and potentially leave you without a usable backup.
Unfortunately, each piece of software your business uses offers the potential of unauthorised access to its host, making software a target for exploitation. Despite manufacturers’ best efforts, it isn’t possible to create perfectly secure software, and so it must be patched and maintained to ensure it remains protected as new flaws and vulnerabilities are found.
It is recommended you implement automatic updates where possible, and create a manual update schedule for those that cannot be done automatically. Contact your device manufacturer or search their website for a ‘Drivers and Downloads’ section to find out more for each piece of software.
When setting up new devices you should also remove any unnecessary pre-installed software, while ensuring that they have firewall protection enabled and are running up-to-date anti-virus software.
Finally, modern operating systems offer built-in security features that allow you to restrict what individual users can do. It is recommended you implement these where relevant; for example, in Microsoft Windows, user accounts should be set up with limited privileges rather than as administrators, with macOS’s built-in ‘Keychain’ software providing a similar function on all macOS-based computers.
People can sometimes be the weakest link in the security chain, but they can become your strongest asset if they understand the risks. The exploitation of people, such as convincing someone to open an infected email (also known as phishing) or allowing a stranger into your premises as a method of facilitating an attack or crime is commonly referred to as ‘Social Engineering’. Organisations can combat such threats by raising awareness via training and testing and encouraging vigilance from all employees.
First, ensure that your company policies outline acceptable actions for your employees when in the workplace or using company equipment. From this basis, you can then provide formal cyber security awareness training and sporadic internal testing, such as sending fake phishing emails to employees to gauge their level of awareness based on how many people click on the potentially malicious links.
Vigilance should be encouraged at all touch points, including the physical security of devices: lock devices when unattended and disable USB ports if they are not required. Encourage your employees to secure loose documents, and ensure sensitive documents are shredded or otherwise disposed of securely.
Finally, consider achieving cyber security accreditations, which demonstrate to customers and suppliers that your company takes cyber security seriously. Most SMEs should pursue Cyber Essentials and Cyber Essentials Plus, or IASME (Information Assurance for Small and Medium Enterprises).