If the recent Data Protection Day passed you by, is this because you’re very confident in the cybersecurity of your company—or are you just unaware of the risks?
Reported cyber crime costs UK businesses around £29 billion a year. Research by the Federation of Small Businesses (FSB) revealed that two thirds of small businesses were unaware of the risks of cyber crime—or aware, but somehow believed their own business was not at risk! Yet ironically, around the same proportion have been affected by cybercrime.
Follow our seven steps to ensure your business is as protected from cyber crime as it can be.
Pump up those passwords
The FSB say that only 25% of SMEs have a ‘strong’ password policy in place. Passwords are a tricky issue, because we have to weigh the strength of potential passwords against our ability to remember them! But don’t kid yourself they’re unimportant. A strong password may prevent or delay a cyberattack. Don’t go for the obvious: use a mix of numbers, letters and special characters where possible, and never include personal information (pets, sports teams, family names etc.). Reduce the burden on fellow system users by making sure passwords are only required on systems that genuinely need securing, and that password changes aren’t enforced too regularly (frequent password changes can have the unwanted rebound effect of making users choose new passwords only minimally different from their last).
More guidance on this topic can be found on the National Cyber Security Centre website, including this excellent document on ‘Simplifying your Approach’.
Install a firewall and anti-virus software
Both firewalls and anti-virus software are absolute must-haves. Firewalls form a virtual barrier around your private network (‘intranet’), monitoring and restricting what can cross that barrier. A hardware firewall will sometimes be integral to your router (if it’s not, look at getting one). A software firewall should be installed on your devices.
Good anti-virus software protects your devices against phishing scams, ransomware and all other types of viruses and malware. But its ability to protect is only as good as your ability to update it (unless it automatically updates itself, as many do). Which brings us to the next step…
Update, update and back up, back up!
To ensure your data and devices are secure, it’s important to update not just your anti-virus software, but also all the apps, operating systems and programs that your devices run. It’s easy to ignore update messages and kid yourself you’ll get to it later, and it’s also easy not to bother checking for updates for programs that don’t automatically prompt you. But skimping on this step is a great way to open up your devices and your network to security breaches and viruses. Hackers target out-of-date software and exploit its known vulnerabilities with malware.
Also ensure (and check, if you have the manpower and expertise to do so) that any devices used by staff to access company data, be they their own devices or ones owned by the company, are constantly updated too. Maintaining security should be part of your company’s Bring Your Own Device (BYOD) policy, which every employee using their own device should read, sign and follow.
Back up your data constantly, so that if the worst happens and your system goes down, that data is safe elsewhere. Use the cloud, servers in a separate location, independent hard drives or even all three! For the sake of physical security (e.g. the threat of fire, flood, burglary etc.), ensure one of your back-up methods involves the data being kept in a separate physical location.
Consider a VPN (Virtual Private Network)
A VPN service provides end-to-end encryption for your data, forming a private ‘tunnel’ of communication through the public internet. It’s particularly useful if you have users or devices at different sites, or if you or your employees work from home.
Scroll past the 10 recommended VPN services in this excellent TechRadar article to read more about VPNs and the questions you need to ask before choosing a VPN provider.
Train and monitor staff
Sadly, research shows again and again that most cyber security breaches occur due to human error or ignorance rather than the technological brilliance of cybercriminals. Make sure you and your staff:
- Are aware of personal responsibility in relation to cyber security and data security
- Know how to spot problems such as phishing emails and altered invoices
- Understand how to keep personal devices used for work and business-owned devices safe
- Know the importance of reporting potential breaches and how to do so.
Spear phishing attacks, where hackers send targeted emails impersonating reputable companies, are on the rise and increasingly hard to detect. By not identifying these emails as suspicious, your employees may inadvertently give away data or allow access to your network, resulting in a data breach or the infiltration of a virus or ransomware.
“Raise awareness of cyber security risks and promote vigilance within the company,” urges the Federation of Small Businesses (FSB).
“Employees are often a last line of defence against attacks that bypassed technological barriers, and a simple action such as not opening an email attachment may prevent a huge impact to the business.”
Consider data access and the General Data Protection Regulation (GDPR)
It’s vital that you and your employees understand and adhere to the GDPR. The FSB has a wealth of information on GDPR, as has the Information Commissioner’s Office (ICO).
If you still don’t feel you really grasp GDPR, check out the FSB’s How Could GDPR Affect My Business.
You could also use the ICO’s self-assessment checklist for small business owners and sole traders, which uses your answers to the checklist to create a short report. This will improve your understanding of data protection, help you identify any changes you need to make and signpost you towards additional guidance.
Also, consider what data each employee actually needs to do their job. Sensitive information should only be accessible to employees who require it. By limiting the number of people who can access data or a certain system, you minimise opportunities for a breach. Make sure that ex-employees are immediately locked out of the system, and do the same for contractors as soon as their work for you is finished.
Have a cyber-security breach procedure
A clear, simple security policy that outlines the procedure in the event of a breach can help reduce the damage caused by a breach or cyber-attack, but like all policies, it will only be as good as your and your employees’ knowledge of and adherence to it.
Think about how you would limit damage, how you would safely access your backed-up data, how you would replace compromised hardware and software and who you would need to inform. For help on writing your procedure, read this Six Step Plan for Dealing with a Cyber Security Breach.
Consider cybersecurity insurance if you don’t already have it, and don’t put off assessing and improving your cybersecurity. That delay could cost your business not just time and money, but also its reputation.
Are you protected? Have you ever been caught out? Please share your thoughts below.