Cyber security is a hot topic in the business community — and with small to medium enterprises being at high risk from cyber attacks, it's more important than ever to take steps to secure your small business.
Cheltenham-based North Green Security specialises in education, training and testing in cyber security — and SoGlos rounds up its top tips for SMEs in this hot list.
Raise awareness with staff
Making sure staff are aware of cyber security risks is perhaps the most important way businesses can protect themselves from cyber attacks. Ensure the entire team is aware of how important cyber security is; embed processes and best practices within the day-to-day workflow; and ensure guidance is always easily accessible throughout all areas of the business, so cyber-safe behaviours become routine.
Be on the lookout for phishing scams
Phishing scams are some of the most common cyber security risks, so ensuring teams know what phishing is and what to look out for is key. Make sure they know to check for things like typos and errors throughout the message; check whether the email address matches the person or company it claims to be from; be wary of urgent requests to follow links or download files and not to open attachments or click on links from unknown senders; and to highlight any suspicious emails to the IT department.
It's important to look out for more sophisticated email and SMS scams involving messages which appear to be from someone you know or contain information which makes it seem that way, too. If in doubt, don't open it!
Make sure issues are reported
We're only human and mistakes can happen, especially when we're busy, so if any member of the team does think they've fallen for a phishing scam, it's important that they report it immediately to the relevant member of staff or the IT department. Cyber criminals rely on human error, so knowing who to talk to if you think you've been tricked is key to mitigating any potential consequences.
Introduce a password policy
With so many people using the same password for everything from their email account to their online banking, it's easy to see how cyber criminals can gain access to a whole host of sensitive information by guessing just one password.
Introducing a password policy for your business, which includes guidelines on how to create a strong password; bans the use of default or duplicate passwords and password sharing; and recommends using three random words when choosing passwords, can really help mitigate this risk — as can introducing two factor authentication (2FA) for all web and cloud-based systems.
Create an asset register
You can't protect something if you don't know who has it or where it is, so an up-to-date asset register of all your business's kit is vital. Make a record of all the hardware the business owns; which person has which device; and which devices have access to your network and applications — then check to make sure that only the correct devices have access.
It's also advisable to lock down USB ports so viruses can't be introduced by rogue devices — and sensitive information can't be transferred to unauthorised hardware.
Audit user permissions across all software, apps and data
Alongside making sure only the right devices have access to networks and applications, it's also important to make sure that only the right users have access to software, apps and data, too. Businesses should audit and review these permissions regularly and work on the principle of least privilege — which means giving all users the lowest level of access possible, only granting additional permissions where it's necessary for their role.
Everyday users shouldn't be admins, for example, but department heads may need to be. It should also be part of the company's standard procedures to revoke access and reset passwords when an employee leaves, as well as removing any unnecessary user accounts.
Create a record of cloud services
Most businesses nowadays use the cloud to back up their systems and data, but it's not as simple as uploading and forgetting about it. Businesses should create a record of what cloud services are being used by who, as well as what data is stored and where. Make sure to understand and regularly review your supply chain, to prevent potential breaches along the way.
Have a backup plan
Even with your data stored securely in the cloud, it's vital to know what data is being backed up, where it's backed up to, how frequently it gets backed up and how long it would take to restore, if need be. Ensuring the company has a tried and tested continuity process is essential to keep the business running in case of a failure.
You'd also need to establish how much data would be retained, how up-to-date it would be and whether a backup would provide full access to systems, or just access to that data — and what to do about that.
Consider using VPNs
With remote working being standard practice in a post-Covid world, it's important to make sure staff understand the risks that come with using public and personal WiFi networks when working remotely. Provide guidance on which networks are safe and secure to use and which ones aren't — and consider introducing Virtual Private Networks (VPNs) for laptops and mobile devices to use when working on unknown or untrusted networks.
Install antivirus software across all devices
It sounds like a no-brainer, but making sure antivirus software is installed on all company devices for all users really is cyber security 101. Make sure that the software is kept up-to-date and that all updates and notifications are actioned, too.
Keep operating systems and software up-to-date
It's also vital to keep operating systems and software up-to-date, as new versions and updates often contain patches to fix bugs or security vulnerabilities and respond to malware. Patches and updates should be installed as a priority — and it's worth investigating if you can set machines to auto-install or 'force' updates to operating systems like iOS and Windows, as well as software, so users can't snooze or delay updates.
Create and update IT and web policies
Even for small businesses with only a few members of staff, creating IT and web policies which communicate best practice can really help employees understand how to keep the business – and themselves – safe from cyber threats.
Create an easy-to-understand document setting out the rules, such as don't download or run software or files; check that sites are secure by looking out for the HTTPS extension; be aware of spoof and cloned sites; and potentially include a list of banned sites that staff mustn't use — or even better, lock down access to them at server level. This document should be regularly reviewed and updated to respond to the latest information, too.
Take the first step
While the world of cyber security is fast-moving and ever changing, there's lots of information out there to help businesses take the first steps to securing themselves. The National Cyber Security Centre (NCSC) and IASME websites and newsletters are full of useful resources, such as a free Cyber Essentials questionnaire to work through, even if you're not looking to achieve certification just yet.
North Green Security recommends starting with a 90-day plan with weekly, monthly and quarterly action points to work through, to break things down into bitesize chunks. Involve the whole team and make it a permanent agenda in any board meetings and you'll be well on your way to building your cyber resilience.