Use passwords to keep your data safe
Passwords protect your devices and data from unauthorised access and use. All your laptops and PCs should have an encryption product which requires a PIN or password in order to start up. This is incorporated as standard on most devices today, particularly laptops, tablets and mobile phones. However, if you have older computers, you should check them, and where necessary have a start-up security product installed. Alternatively, you should ensure there is no sensitive or business-critical data stored on older and unprotected devices.
It is important to have guidelines for all your staff on password security.
Guidelines should include how to set a strong password, and rules on saving passwords on devices, which may vary depending on whether devices are shared or used by a single person. Your team should understand that the obvious choices must be avoided – if you use 1234 as a PIN or the word “password” as your password, you cannot expect to keep your data safe from an unauthorised user. Combinations of upper case and lower case letters, with numbers and special characters, will give far greater security. The use of two-factor authentication, or 2FA, offers additional protection for important files and accounts.
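As an added example (not part of the original guidance), the checks below turn the advice above into something staff-facing tools can enforce: PINs such as 1234 are rejected as sequential or repeated digits, and passwords are rejected when they are short, appear on a common-password list, or draw on too few character classes. The denylist and the 12-character minimum are constructed assumptions; a real deployment would load a published list of commonly used or breached passwords.

```python
import re

# Constructed denylist of the obvious choices the guidance warns against.
# Assumption: a real deployment would load a much larger published list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "abc123",
}

MIN_LENGTH = 12  # assumed policy value; the guidance itself gives no number


def check_pin(pin: str) -> list[str]:
    """Return the reasons a device PIN is weak (an empty list means acceptable)."""
    problems = []
    if not pin.isdigit() or len(pin) < 6:
        problems.append("PIN must be at least 6 digits")
    if len(set(pin)) == 1:
        problems.append("PIN uses a single repeated digit")
    # Sequential runs such as 1234 or 4321 have a constant step between digits.
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])} if pin.isdigit() else set()
    if len(pin) >= 4 and diffs in ({1}, {-1}):
        problems.append("PIN is a sequential run")
    return problems


def check_password(password: str) -> list[str]:
    """Return the reasons a password fails the policy (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Strip trailing digits and symbols so "Password123!" is still caught as "password".
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # Count how many of the four character classes are present.
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("uses fewer than three of: lower case, upper case, digits, symbols")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "482913"):
        print(candidate, check_pin(candidate))
    for candidate in ("password", "Password123!", "Correct-Horse9-Battery"):
        print(candidate, check_password(candidate))
```

The stem check matters in practice: appending a digit or an exclamation mark to a dictionary word satisfies a naive character-class rule while leaving the password as guessable as before.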
Back up your data
When it comes to data backup, you need to consider what, how and when.
Begin by identifying what your business-critical data is. For most small businesses, this will include customer records, other contacts, emails and financial accounts.
Use separate storage for backups. You can use a USB stick or standalone drive for manual backups, but cloud storage is a more convenient alternative. Cloud storage providers run automatic backups at least daily, and most offer a free storage allowance, with a small charge payable for additional storage.
For guidance on choosing a cloud storage provider, look at the National Cyber Security Centre’s advice. Ideally, your business should back up essential data every day. Backing up may seem onerous, but protecting your data is a good business practice and should be done routinely to ensure that you do not lose data in the event of loss or damage to your devices.
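The "what, how and when" above can be made routine with a small script. The added example below (not part of the original guidance) copies a set of business-critical files to a dated folder on separate storage, records a SHA-256 hash of every file in a manifest, and then re-reads the copies to confirm they match. The file names and contents in `demo()` are constructed for illustration; the verification step is the part most manual backup routines skip, and it is what tells you the backup will actually restore.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def back_up(source: Path, backup_root: Path) -> Path:
    """Copy every file under source into a dated folder and write a hash manifest.

    Returns the path of the new backup folder.
    """
    target = backup_root / f"backup-{date.today().isoformat()}"
    manifest = {}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        dst_file = target / rel
        dst_file.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_file, dst_file)  # copy2 keeps timestamps as well as content
        manifest[rel.as_posix()] = sha256_of(src_file)
    (target / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return target


def verify(backup_dir: Path) -> list[str]:
    """Re-hash each backed-up file against the manifest; return the names that fail."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    failures = []
    for rel, expected in manifest.items():
        copied = backup_dir / rel
        if not copied.is_file() or sha256_of(copied) != expected:
            failures.append(rel)
    return failures


def demo() -> dict:
    """Back up a constructed set of files, verify, then damage one copy and verify again."""
    work = Path(tempfile.mkdtemp())
    source = work / "live"
    (source / "accounts").mkdir(parents=True)
    # Constructed sample data standing in for customer records and financial accounts.
    (source / "customers.csv").write_text("id,name,email\n1,Example Ltd,info@example.com\n")
    (source / "accounts" / "2024-q1.txt").write_text("constructed ledger entries\n")

    backup_dir = back_up(source, work / "backups")
    count = len(json.loads((backup_dir / "MANIFEST.json").read_text()))
    clean = verify(backup_dir)

    # Simulate a damaged copy on the backup media; verification should report it.
    (backup_dir / "customers.csv").write_text("garbled")
    damaged = verify(backup_dir)
    shutil.rmtree(work)
    return {"files_backed_up": count, "clean_failures": clean, "damaged_failures": damaged}


if __name__ == "__main__":
    print(demo())
```

Run it daily from a scheduler, point `backup_root` at a drive or mount that is not the live machine, and treat any non-empty result from `verify()` as a backup that needs redoing.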
Protect your mobile devices
Carefully manage mobile devices. More and more work is done on mobile devices, and there is, of course, a greater risk of loss or theft associated with devices that are taken out of the office.
Switch on location tracking services on all work mobiles and tablets. Encourage your staff to do the same for personal devices, especially if they use mobile devices for work and sensitive data is stored on them.
Make sure PINs or passwords are in operation and fingerprint or facial recognition security features are activated.
Keeping devices up to date affords another layer of security protection. Updates to operating software and apps should be installed promptly, as these may contain new elements of security protection designed to combat recently discovered cyber threats.
When out and about, avoid using unknown WiFi hotspots. It is much safer to tether a laptop to your mobile to access your network data service. Similarly, treat Virtual Private Networks with caution, as these can have security issues such as leaks and malware infections.
Get malware protection
Malware is short for malicious software. This is software which is created specifically to cause damage to targeted devices and associated systems. There are several key types of malware including:
Viruses: Viruses infect files on your devices; they are usually found as executable files, with the format .exe.
Worms: Worms pass on viruses from one device to another as they communicate, infecting each one in turn.
Trojan: Trojans breach the security of your device, thus enabling other malware to access your files.
Ransomware: This locks up your device and will send a ransom note demanding money in order to get it unlocked.
Spyware: Spyware keeps a low profile as it spies on activity on your device, recording key data such as passwords, credit card details and other confidential data.
Phishing attacks, where scammers attempt to steal your login details, data or money from you, are increasingly common and becoming harder to detect.
Look out for phishing attacks
It is important that all of your staff know what to look out for when it comes to phishing. Some scams are more sophisticated than others, and many phishing emails may appear to be completely genuine at first glance.
Phishing may also be attempted via texts, and staff should be made aware of this.
Malware usually accesses your device via an email – often in the form of an attachment or link. An email may appear to have been sent from a large organisation, such as a known bank. If your business does not already have any connection to the sender organisation, this should trigger alarm bells, and you should be wary of how you deal with the communication.
If you actually have a relationship with the organisation the email claims to be from, e.g. an account with a bank, you will be familiar with how they communicate with you.
If you receive an out of pattern communication from a supplier or customer, treat it with suspicion.
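The two tests described above (is this an organisation we actually deal with, and does the message look like their usual communication) can be applied to the sender address automatically. The added example below is not part of the original guidance: it keeps a list of organisations the business knows, and flags a From: header when the domain is unknown, when it is a close look-alike of a known domain, or when the display name borrows a known organisation's name while the address points elsewhere. The domain list and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Constructed list of organisations this business actually has a relationship with.
KNOWN_DOMAINS = {"examplebank.co.uk", "acme-supplies.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains that are a character or two off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, known_domains=KNOWN_DOMAINS) -> list[str]:
    """Return warnings for a From: header; an empty list means nothing stood out."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["no usable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    if domain in known_domains:
        return []
    warnings = []
    # A domain one or two edits away from one we know is a classic impersonation.
    for known in known_domains:
        if levenshtein(domain, known) <= 2:
            warnings.append(f"domain {domain} resembles known domain {known}")
    # The display name uses a known organisation's name but the address does not match.
    compact_name = re.sub(r"\s+", "", display_name.lower())
    for known in known_domains:
        brand = known.split(".")[0].replace("-", "")
        if brand and brand in compact_name:
            warnings.append(f"display name mentions '{brand}' but address is @{domain}")
    if not warnings:
        warnings.append(f"sender domain {domain} is not an organisation we deal with")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Accounts <accounts@acme-supplies.example>",
        "Example Bank <alerts@examplebank-secure.com>",
        "Example Bank <alerts@examp1ebank.co.uk>",
        "Jo <jo@randomshop.example>",
    ):
        print(header, "->", assess_sender(header))
```

This only inspects the visible sender, which a scammer chooses freely; it is a prompt for a human to apply the "out of pattern" test, not proof that a message is genuine.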
Adopt the principle of least privilege
Minimise risk by adopting the principle of least privilege – ensuring that access levels on your systems are the minimum required for your staff to do their jobs.
Don’t automatically give everyone the same level of access – this is rarely necessary or appropriate and exposes you to greater risk.
Most people need a standard user account. Administrator level accounts, which give access to features such as adjusting security settings, accessing all files and installing software, are far more open to abuse by a phishing attack.
Encourage openness about suspected phishing attacks, and do not attach blame if someone in your team does fall victim. Remember, the reason these scammers can sometimes succeed is that some attempts are so convincing. A culture of transparency and no blame is essential so that both suspected attempts and successful attacks are reported. Users can then warn the rest of your team to look out for a specific threat.
You can also help your customers avoid phishing attacks by giving them a short code of conduct for your communications. For example, you might want to assure them that you will never ask for money other than via your standard invoicing process and that you will never advise of any change of bank account or other payment details via email.
If you have concerns about a particular threat, or if your small business, unfortunately, becomes a victim of a cyberattack, you can report it to Action Fraud, the national reporting centre for fraud and cybercrime.