Cybersecurity incidents happen every day and the vast majority go unreported in the press. Group Sales Director, Sean Arrowsmith, talks us through some simple steps small businesses can take to protect themselves, their employees and their partners and reduce the risk of cyberattacks.
**Cybersecurity Awareness Month offer: Free Cyber Essentials pre-assessment. Self-assess your cybersecurity alignment with the UK Government’s Cyber Essentials scheme.**
The impact on a small business in the event of a cyberattack can be huge. Victims could be faced with the reputational damage and cost of having to inform and compensate customers for the theft of banking or credit card information, for example. Losses could also be incurred due to business disruption and the cost of replacing or installing new security systems and devices.
However, there are a number of measures companies can take to reduce these risks and strengthen their cyber defences.
Employee negligence is a major contributing factor to organisational cybersecurity breaches. There are many scenarios that can result in employee-initiated incidents: an employee losing a work tablet, giving away login credentials, or opening a fraudulent email that installs malware on the network. To protect against threats from within, invest in cybersecurity training for your employees to educate them on the following:
How to create secure passwords
Not clicking on links or attachments in emails unless they know the sender
Taking care when downloading software onto their computers
How to tell if a website is legitimate
What to do if they receive, for example, a suspicious email
Resources: NCSC Small business guide
Have a cybersecurity plan
Developing an incident response plan can help to limit downtime in the workplace while also preventing your confidential data from falling into the wrong hands. But to increase security and reduce the risk of incidents in the first place, it is also important to have a number of protective measures and practices in place.
For example, where possible, only access your corporate email from trusted corporate devices.
When sending sensitive email attachments, consider using encryption to protect the files. Encrypted zip files are acceptable for this purpose; choose AES encryption rather than the legacy ZipCrypto option, which is weak. Share a complex password to decrypt the file via a different channel from the one used to send the file, such as text or instant message. Finally, consider the use of a laptop lock and a privacy screen filter when working in public places, and create strong passwords.
Resources: NCSC Action Plan
Use security software
It is extremely important to use antivirus software that can protect all of your devices from viruses, spyware, ransomware and phishing scams. This needs to be installed on every computer used by your business, including those used by remote employees. Where possible, set up the software to update automatically.
Deploying a firewall on your network will also provide an added layer of protection to your business. Firewalls prevent unauthorised users from accessing a computer or network.
Employees should also use multi-factor authentication (MFA) and a virtual private network (VPN) when working outside of the company network.
Back up your data
Keep a copy of all of your data on a hard drive or cloud drive in case you get hacked and your data gets erased. Backing up data at least once a week is highly recommended. The frequency of your backup plan will depend on how often your business acquires new and critical data.
You can back up data to the cloud (just don't save passwords or sensitive financial data there), but it is also a good idea to save your important data to an external hard drive that is not connected to a network. It is also wise to keep a physical hard drive backup offsite in case of physical theft or fire.
Risk assessment and management: getting the basics right
Consider the following when conducting a risk assessment:
Evaluate potential risks that might compromise the security of your company's networks, systems and information. Identifying and analysing possible threats can help you formulate a plan to plug any gaps in security.
Ensure that all vendors, particularly those with access to sensitive data and/or systems, are actively managed and meet agreed levels of security.
Perform regular security audits and updates. This will help ensure that there are no unaddressed vulnerabilities in your network and reduce the chances of a cyberattack.
Get Cyber Essentials certified. Opting to get certified against a cybersecurity standard is a great way to give your business additional protection. Cyber Essentials is a certification scheme originally formed in the UK in 2014, overseen by the National Cyber Security Centre (NCSC) and backed by the UK government. Putting the necessary IT security controls in place will help you to get certified while greatly reducing the chance of a cybersecurity incident.
Further reading: Becoming Cyber Essentials certified