The internet has brought huge advantages to small- and medium-sized businesses. But it also brings the risk of cyber attacks, attempts to steal information or money, or to disrupt your operations. While a multinational corporation typically has the organisational resilience to deal with the devastating effects of a breach, your business may not have the resources to respond and recover. So, it's vital to manage these risks and prevent or detect online attacks with basic security practices for your people, processes and IT systems. The following simple steps, plus a liberal helping of common sense, can make a real difference.
Cyber security tips to implement straight away
Tip #1: Keep your software up to date.
In addition to anti-malware, using up-to-date versions of operating systems, applications, firmware and browser plug-ins helps protect against the latest threats by patching security vulnerabilities. The sooner these are patched, the lower the risk of your systems being compromised. Most software updates run automatically so you don't even need to do anything, but double check to be sure.
Tip #2: Strengthen password security.
Weak, easy-to-guess or shared passwords are a classic vulnerability. Use a password manager tool to generate unique passwords and securely store your log-ins, so you never have to worry about writing them down or forgetting them.
Tip #3: Lock down your devices.
Mobile devices should be locked to prevent a would-be thief from gaining immediate access. Encryption should also be used to protect sensitive data from falling into the wrong hands, and built-in tracking (standard with Android and iOS) can be used to locate and remotely lock or wipe lost devices.
Tip #4: Think twice before downloading.
If you manage your own computer, be ultra-cautious when downloading and installing software or browser plug-ins. If it's free, or not from a recognised, trusted software vendor, it may well include features that spy on your activity or install harmful programs. Ideally, your security policy and settings should permit users to install only those programs enabled by your system administrator.
Tip #5: Deny criminals a phishing permit.
If you receive an unsolicited email with attachments or hyperlinks, treat it with caution. Phishing attacks attempt to trick users into opening a file loaded with malware, or to visit a site that will run malicious scripts on your computer. Notify your administrator if you receive anything suspicious.
Employees looking at peak times and risk periods for their company
Tip #6: Don't get held to ransom.
Ransomware – when hackers use a virus to encrypt files and hold them "hostage" until you pay up – is a growing concern for small businesses. Frequently back up your data using the 3-2-1 rule: keep three copies of any important file on two types of storage devices, one of which must be in a different location and not connected to other back-ups. The cloud is a great way to provide instant off-site back-up and fundamental security protection.
Tip #7: Go private.
If you have remote, mobile or field workers, you need to provide them with a secure data connection to your network. Invest in a virtual private network (VPN) that enables employees to securely access company files, applications, printers or other resources via an encrypted connection. It will also keep them off a hacker's radar while using public Wi-Fi hotspots, which can otherwise be an all-you-can-eat buffet of personal information to the tech-savvy criminal.
Tip #8: Check your privilege
Don't log in to your computer using an account with administrative privileges for day-to-day work and web browsing. Ever. An account with lesser privileges will notify you if a program tries to install software or modify your computer's settings, so you can actively decide whether it's safe before clicking. You can also use tiered administration or role-based access control to define permissions, to ensure users can only perform functions or access systems appropriate to their jobs.
Tip #9: Don't send it – share it.
Sending an attachment by email effectively means you lose control over that file – the recipient could forward it or store it on an unprotected device, increasing the risk of it falling into unauthorised hands. Use a reputable file-sharing app or cloud storage service which allows you to limit who can access shared files and for how long, and send a link to the file instead.
Tip #10: Move beyond passwords
A password doesn't confirm who you are – it just demonstrates you know the user name and password. Biometric authentication technology – such as fingerprint readers – are becoming more widespread, and offer an inexpensive and simple way to secure a device, software application, folder or file without relying on PINs and passwords.
If your company hasn't carried out penetration testing, now might be the ideal time. Discovering your vulnerabilities can be an eye-opening experience, but it pays to gain feedback on the most at-risk routes into your company or applications, and uncover aspects of your security policy that may be lacking.
- Read next: Could Legacy IT Sink Your Ship?
- See how our Security Services can help
