Top 5 Cyber Security Tips for Small Businesses
‘There are two types of organisations in the world, those that have been hacked and those that will be.’
1. Create security culture in your organisation
I’ve been banging on about this for years. Security has to be all-pervasive in an organisation. GDPR started the ball rolling on data protection, but business owners have to be seen to be setting the example. Security should be at the heart of everything an organisation does, every single day, from decisions made on new products or systems to what is posted on social media by yourself and your staff. It then becomes second nature and a part of business process. Why not have a ‘Security Champion’ in your organisation to get the message out? But don’t use this employee as a ‘get out of jail free card’ for removing you from your responsibility as owner of the ship. Your staff, clients and suppliers are your responsibility; treat their data as you would want them to treat yours.
2. Training Training Training
This is vital: it needs to be continual, short, and engaging. The best training includes a short session with a test at the end which reports back to employers. That way you can have an overview of those that are the highest risk individuals in an organisation. They can then be targeted with courses that fill the gaps in their knowledge and regular phishing tests. Make it easy for them to access on any device and incentivise the ones that keep up to date and consistently get good marks. It’s good for your business and also for them personally. It’s not an expensive exercise either, so there is no reason not to do it!
3. Secure passwords
It used to be the standard that you needed to change your password every few weeks. This is no longer common practice. As long as you have a good secure password, 8 characters or more with capital letters, numbers and special characters, that is fine. Only change it if you feel it has been compromised. The reason for this is that people were using the same password with 01, 02 on the end each time they needed to change. I have seen Password67 more times than I care to mention. A good tip is to use a sentence with all the relevant punctuation if the site allows it. Also invest in a password manager. There are plenty of great ones on the market, and one saves you having to remember them all, because you won’t be using the same password for every site, will you? Also, although it is convenient, try to resist the temptation to save passwords in browsers.
This is absolutely crucial. Almost all web applications now have the option of two-factor (2FA) or multi-factor authentication (MFA). Make sure you switch this on for all your staff, and make it a mandatory requirement. They can use their phone, or an app, email address or even an office phone to authenticate. This ensures you are one step ahead of the hackers, as they need more than one method of getting to your data. Latest intelligence reckons that the app from your phone is the safest option as SMS messages are easy to infiltrate.
Make sure you always have a backup of your data AND your email, even better if it is in 2 or 3 different places. Ensure it is kept somewhere safe, and include a cloud backup where possible. Remember also, data in the cloud is not backed up without using a 3rd party backup application. And test the restore regularly to ensure it is actually working. If you are the victim of ransomware you will not be paying a ransom, as you can’t guarantee the hackers haven’t copied the data elsewhere or corrupted it. Also, if you are an easy target they will come back for more. So you want to make sure you can restore quickly and easily in the event of a disaster.
In a nutshell, cyber security doesn’t have to be a technical fix, or expensive, and has to start from the heart of the organisation.
Cyber Essentials certification is a great place to start and should be something every SME has to prove they are starting out on the security journey. But for those SMEs really serious about reducing the risks of being one of the businesses hacked every 14 seconds, look at Cyber Security as a Service (CSaaS) and ensure it includes a proper gap analysis and a plan to plug those gaps within your budget and timescale.