Cyber Security: The Complete SME Guide

A guide to cyber security for small businesses. Now more than ever, it is vital that small businesses protect themselves by prioritising cybersecurity. Follow these tips to keep your business as safe as possible from the threat of cyberattack.

Passwords protect your devices and data from unauthorised access and use. All your laptops and PCs should have an encryption product which requires a PIN or password in order to start up. This is incorporated as standard on most devices today, particularly laptops, tablets and mobile phones. However, if you have older computers, you should check them, and where necessary have a start-up security product installed. Alternatively, you should ensure there is no sensitive or business-critical data stored on older and unprotected devices.

It is important to have guidelines for all your staff on password security.

Guidelines should include how to set a strong password, and rules on saving passwords on devices, which may vary depending on whether devices are shared or for a sole user. Your team should understand to avoid the obvious – if you use 1234 as a PIN or the word “password” as your password, you cannot expect to keep your data safe from an unauthorised user. Combinations of upper case and lower case letters, with numbers and special characters, will give far greater security. The use of two-factor authentication, or 2FA, offers additional protection for important files and accounts.
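As an added illustration of the password guidance above (example code written for this guide, not software from the original page or any named vendor), the following Python function checks a candidate password against the rules just described: a minimum length, a mix of character classes, and a denylist of obvious choices such as 1234 and “password”. The minimum length of 12 and the short denylist are assumptions chosen for the example; a real deployment would use a large list of known breached passwords.

```python
import string

# Constructed, illustrative denylist of obvious passwords (an assumption for this example).
# A real check should use a large breached-password list instead of a handful of entries.
OBVIOUS_PASSWORDS = {"password", "1234", "12345678", "qwerty", "letmein", "admin", "welcome"}

MIN_LENGTH = 12  # assumed policy value; the guide itself does not specify a length


def _leet_normalise(value: str) -> str:
    """Undo common character substitutions (p@ssw0rd -> password) before the denylist check."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})
    return value.lower().translate(table)


def _is_sequential(value: str) -> bool:
    """True for digit runs such as 1234 or 9876 (each digit one step from the previous)."""
    if len(value) < 4 or not value.isdigit():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(value, value[1:])}
    return steps in ({1}, {-1})


def check_password(candidate: str) -> list[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # The guide asks for upper case, lower case, numbers and special characters.
    classes = {
        "lower-case letter": any(c.islower() for c in candidate),
        "upper-case letter": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special character": any(c in string.punctuation for c in candidate),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")

    # Denylist check: compare the raw lower-cased value, and also the value with trailing
    # digits/punctuation removed and substitutions undone, so "Password1!" and "P@ssw0rd"
    # are still recognised as the word "password".
    lowered = candidate.lower()
    core = _leet_normalise(candidate.rstrip(string.digits + string.punctuation))
    if lowered in OBVIOUS_PASSWORDS or core in OBVIOUS_PASSWORDS:
        problems.append("matches an obvious password")

    if _is_sequential(candidate) or len(set(candidate)) == 1:
        problems.append("sequential or repeated characters")

    return problems


if __name__ == "__main__":
    for sample in ("1234", "password", "P@ssw0rd2024!", "Blue-Kettle-Sings-47"):
        verdict = check_password(sample)
        print(f"{sample!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The third sample is the point of the example: “P@ssw0rd2024!” satisfies every character-class rule yet is still rejected, because character mixing on its own does not make a password that is a dressed-up dictionary word any safer.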

When it comes to data back-up you need to consider what, how and when.

Begin by identifying what your business-critical data is. For most small businesses, this will include customer records, other contacts, emails and financial accounts. Use separate storage for back-ups. A USB or standalone drive can be used if you prefer to do manual back-ups, but cloud storage is a more convenient alternative. Cloud storage providers can run automatic back-ups at least daily, and most offer a free storage allowance, with a small charge payable for additional storage. For guidance on choosing a cloud storage provider, take a look at the National Cyber Security Centre’s advice. Ideally, your essential data should be backed up every day. This may seem onerous, but backing up your data is good business practice and should be done routinely to ensure that you do not lose data in the event of loss or damage to your devices.

Carefully manage mobile devices

More and more work is being done on mobile devices, and there is, of course, a greater risk of loss or theft associated with devices which are taken out of the office. Switch on the location tracking service on all work mobiles and tablets, and encourage your staff to do the same for personal devices if they are using them for work and sensitive data is stored on them. Make sure PINs or passwords are being used, and fingerprint or facial recognition security features have been activated where relevant. Keeping devices up to date affords another layer of security protection. Updates to operating software and apps should be installed promptly, as these may contain new elements of security protection designed to combat recently discovered cyber threats. When out and about, avoid using unknown WiFi hotspots. It is much safer to tether a laptop to your mobile to access your network data service. Similarly, treat Virtual Private Networks with caution, as these can have security issues such as leaks and malware infections.

Malware is short for malicious software. This is software which is created specifically to cause damage to targeted devices and associated systems. There are several key types of malware including:

Viruses: Viruses infect files on your devices; they are usually found as executable files, with the .exe extension.

Worms: Worms spread from one device to another over the connections between them, infecting each one in turn.

Trojans: Trojans breach the security of your device, enabling other malware to access your files.

Ransomware: This locks up your device and will send a ransom note demanding money in order to get it unlocked.

Spyware: Spyware keeps a low profile as it spies on activity on your device, recording key data such as passwords, credit card details and other confidential data.

Phishing attacks, where scammers attempt to steal your login details, data or money from you, are increasingly common and becoming harder to detect.

It is important that all of your staff know what to look out for when it comes to phishing. Some scams are more sophisticated than others, and many phishing emails may appear to be completely genuine at first glance.

Phishing may also be attempted via texts, and staff should be made aware of this.

Malware usually accesses your device via an email – often in the form of an attachment or link. An email may appear to have been sent from a large organisation, such as a known bank. If your business does not already have any connection to the sender organisation, this should trigger alarm bells, and you should be wary of how you deal with the communication.

If you actually have a relationship with the organisation the email claims to be from, e.g. an account with a bank, you will be familiar with how they communicate with you.

If you receive an out of pattern communication from a supplier or customer, treat it with suspicion.

Minimise risk by adopting the principle of least privilege - making sure that access levels on your systems are kept to the minimum required for your staff to do their jobs.

Don’t automatically give everyone the same level of access – this is rarely necessary or appropriate and just exposes you to greater risk.

Most people just need a standard user account. Administrator level accounts, which give access to features such as adjusting security settings, accessing all files and installing software, give an attacker far more scope for abuse if they are compromised through a phishing attack.

Encourage openness about suspected phishing attacks, and do not attach blame if someone in your team does fall victim. Remember the reason these scammers can sometimes succeed is that some attempts are so convincing. A culture of transparency and no blame is essential so that both suspected attempts and successful attacks are reported and the rest of your team can be warned to look out for a specific threat.

You can also help your customers to avoid phishing attacks by letting them have a mini code of conduct for your own communications. For example, you might want to assure them that you will never ask for money other than via your standard invoicing process and that you will never advise any change of bank account or other payment details via email.

If you have concerns about a particular threat, or if your small business does unfortunately become a victim of a cyberattack, you can report it to Action Fraud, the national reporting centre for fraud and cybercrime.

Get a free cyber security audit of your business today!