In this article you will learn:
- Why is cyber security so important?
- What are the main cyber security risks for SMEs?
- Risk management regimes and cyber security for SMEs
- Prevention and protection
- Protecting your business against key threats
- Data protection
- Key cyber security tips and techniques
- Staff training
- Monitoring your small business cyber security
- Responding to a cyber attack
- More helpful resources
With an increasing amount of business conducted online, it’s more important than ever for companies to protect themselves and their customers from cyber threats.
From your computer systems and networks to hardware, software and personal data, businesses have a responsibility to safeguard their systems. In this guide, we’ll cover everything you need to know about SME cyber security including awareness, prevention and protection and how to respond to an attack.
Why is cyber security so important?
An incredible 65,000 attempts to hack small to medium-sized businesses are made in the UK every single day. Of these, approximately 4,500 are successful. This means that 1.6 million SMBs fall victim to cyber crime every single year.
If that’s not scary enough, one small business is successfully hacked every 19 seconds in the UK according to Hiscox.
Aside from the fact that the risks are high, why is SME cyber security so important?
- It prevents data breaches. The last thing any company wants is sensitive information leaked via the internet. Whether it’s your own or your customers’, personal information needs to stay exactly that
- A data breach can permanently damage your reputation, making it difficult to retain existing customers and acquire new ones
- A cyber attack can destroy important files, hardware and software resulting in downtime for your business. For every minute your company isn’t operational, you’re losing money
- Downtime can have a negative impact on employee productivity
- It keeps you compliant with GDPR
- If you’re not prepared for an attack, you could lose important data and work
- Having a response plan in place means you can get back up and running quicker
What are the main cyber security risks for SMEs?
When it comes to cyber crime, SMEs are unfortunately promising victims. With limited budgets and a lack of security expertise and awareness, these businesses are often seen as easy targets.
When it comes to small business cyber security, what are the main threats?
Malware is malicious software designed to cause damage to a computer, server, client or computer network. There are many different types of malware, including viruses, worms, Trojan horses, spyware, ransomware, scareware, botnets and rogue software.
What malware does and how it works can vary but a few examples include:
- Trojans – disguise themselves as legitimate software and create backdoors in your security to let other malware in
- Spyware – spies on you to gain access to information such as passwords, credit card information and browsing habits
- Worms – infect entire networks of devices
- Botnets – networks of infected computers that are designed to work together under the control of the attacker
A computer virus is a type of malware which replicates itself by modifying other computer programmes and inserting its own code.
Viruses attach themselves to clean files and infect other clean files. They can spread uncontrollably and damage a system’s core functionality as well as delete or corrupt files.
Users are often tricked into clicking on links which can then infect their computer.
Phishing scams are used to obtain sensitive information such as usernames, passwords and credit card details. This is done by being disguised as a trustworthy entity in an electronic communication – typically an email or sometimes, a text message.
Approximately half of cyber attacks in the UK involve phishing which is 20% higher than the global average.
Ransomware infects your computer and holds data to ransom, often demanding significant amounts of money for its release. Typically, it gains access to computers through convincing phishing emails with infected links or attachments which employees can unwittingly click.
Ransomware can also get in through vulnerabilities in your systems and software.
Image source: https://brightlineit.com
The statistics surrounding ransomware are worrying. Attacks are costing UK businesses around £346 million every year and it’s estimated that over half of those targeted still can’t recover their files or data even if they pay the ransom.
In the first half of 2019, there was a 195% increase in attacks with the UK being the second most attacked country in the world.
Common signs of a ransomware attack include:
- You can’t access your desktop or files
- Your files have a new extension appended to their name. While a Word document will have .doc at the end, for example, an infected file might have a strange extension such as .ezz
- Software tools you haven’t installed are appearing on your network
- Unexplained administrator accounts have been created
- Your system detects Mimikatz – this is a popular tool used by hackers
If you’re hit with a ransomware attack, it’s important that you don’t pay the demanded fee. Paying provides no guarantee that you’ll get your files back and it can only encourage future attacks.
The NCSC has some top steps to follow if you think you’ve been subject to a malware attack, including disconnecting infected devices from network connections and the internet, resetting passwords, wiping devices and updating and running anti-virus software.
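The second warning sign above, many files suddenly carrying an unfamiliar extension, is easy to check for on a file share. The script below is an added example, not code from the original article: it walks a folder tree, counts files whose extension is not on an expected list, and raises an alert only when one odd extension appears on several files, since a single stray file is normal but mass renaming is not. The expected-extension list, the threshold and the sample files are all constructed for the example.

```python
"""Added example (not from the original article): scan a folder tree for the
ransomware warning sign of files that have gained an unfamiliar extension.
The sample files are constructed in a temporary directory."""
import os
import tempfile
from collections import Counter

# Extensions a small office would normally expect to see. This list is an
# assumption for the example; adjust it to what your own shares contain.
EXPECTED = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".pptx"}


def scan_for_odd_extensions(root, expected=EXPECTED, threshold=5):
    """Return (suspect_counts, alert).

    suspect_counts maps each unexpected extension to how many files carry it.
    alert is True when one unexpected extension appears on at least `threshold`
    files: a lone odd file is usually harmless, many files sharing a new
    extension is typical of an encryption run.
    """
    counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # For a double extension such as report.docx.ezz this yields ".ezz":
            # the original name survives with something appended.
            ext = os.path.splitext(name)[1].lower()
            if ext and ext not in expected:
                counts[ext] += 1
    alert = any(n >= threshold for n in counts.values())
    return dict(counts), alert


def build_sample_tree(root, encrypted=True):
    """Create constructed sample files, optionally mimicking renamed files."""
    for i in range(8):
        name = f"invoice_{i}.docx" + (".ezz" if encrypted else "")
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("sample")


def demo(encrypted=True):
    """Build a sample tree in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, encrypted)
        return scan_for_odd_extensions(tmp)


if __name__ == "__main__":
    print(demo(True))   # ({'.ezz': 8}, True)
    print(demo(False))  # ({}, False)
```

Run it periodically against your shared folders with `scan_for_odd_extensions("/path/to/share")`; a True alert is a reason to disconnect the affected machine and check backups, in line with the NCSC steps above.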
4. DDoS attacks
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic to a machine or network. Even huge corporations such as Twitter, Netflix and Airbnb have fallen victim to these attacks, highlighting just how sophisticated they can be.
Typically, a DDoS attack works by flooding a company’s servers with requests so they can’t cope and eventually shut down. This can leave a business unable to trade for minutes, hours and sometimes days, having a potentially catastrophic impact.
Hacking occurs when criminals obtain unauthorised access to your computer, emails or system and manipulate the information or data within. Common hacking techniques incorporate many of the threats we’ve already covered including:
- Browser hijacks
- DDoS attacks
“Cyber security is a team sport, played at speed, but in the dark by too many people. What are the blind spots? Who are the crucial third-parties that your business depends on?”
Kevin Duffey, Managing Director of Cyber Rescue Alliance
Risk management regimes and cyber security for SMEs
The technology that organisations use to run their businesses often stores highly sensitive information about their financial records, employees and customers. Using these systems puts companies at risk of information being deleted or stolen, which could result in downtime, a breach of legislation, financial loss and a damaged reputation.
“Risk is an inherent part of doing business. For any organisation to operate successfully it needs to address risk and respond proportionately and appropriately to a level which is consistent with the organisation’s risk appetite. If an organisation does not identify and manage risk, it can lead to business failure.”
Risks that aren’t identified and managed are more likely to materialise, and their effects can be more devastating. This is why SMEs should have a risk management regime in place. To help you understand more about this, below is a short beginner’s guide to cyber security risk management:
A good risk management regime will allow you to manage any potential risks by:
- Determining your organisation’s risk appetite
- Maintaining your Board’s engagement with information risk, if applicable
- Producing supporting policies
- Adopting a lifecycle approach to risk management
- Applying recognised standards
- Making use of endorsed assurance schemes
- Educating users (usually employees) and maintaining their awareness
- Promoting a risk management culture within your organisation
You can find out more information about all these points on the NCSC website.
Prevention and protection
With 43% of cyber attacks targeting small businesses, having a prevention and protection plan in place can be the difference between an organisation surviving or not.
Let’s take a look at what you need to know about SME cyber security including how to protect data, utilise encryption, create secure passwords, train staff and more.
“How are you going to be ready when things go wrong? That’s the principle of cyber resilience”
Kevin Duffey, Managing Director of Cyber Rescue Alliance
Protecting your business against key threats
Earlier, we discussed what the main cyber security risks are for SMEs. Let’s go into further detail about how you can protect your business against these key threats.
There are a number of small business cyber security tactics you can implement to protect your organisation from a malware attack.
- Update your operating system, browsers and plugins. Don’t forget this should also be done with mobile devices for anyone who uses their phone to access work files
- Enable click-to-play plugins. You don’t even need to click on malicious ads for them to infiltrate your system. Click-to-play plugins will stop Flash or Java from running unless you specifically tell them to by clicking on the ad
- Remove software you no longer use. Microsoft stopped releasing software patches for Windows XP in 2015 and Windows 7 and 8 are only under extended support. Using software without support or the ability to implement patches leaves you open to attacks. Delete any software you no longer use as well as old versions of Adobe Reader and media players
- Watch out for fake tech support numbers. Pop-ups from fake companies offering help with malware infections are common. They tell you that your system has been infected and to call them. A real security company would never market to you via a pop-up. If you have security software and it genuinely detects malware, it will often show up in a scan and won’t tell you to call and shell out money to remove the infection. If you’re unsure, visit your provider’s website and use a number they’ve provided
Image source: https://www.fixmestick.com/blog/
- Always use a strong password. When choosing our own passwords, we have a tendency to choose things that are easy to remember such as a pet’s name. This is information hackers can get hold of easily if you use social media. Instead, use passphrases or link together random words, adding length and complexity where possible with numbers and symbols. If you use a password manager, these can also generate random secure passwords for you
- Make sure you’re using secure websites. Check the domain is as expected and look for the lock icon to the left of the URL of the website you’re on. URLs should also read https, not just http
- Log out of websites and online accounts when you’re finished
- Use firewall, anti-malware, anti-ransomware and anti-exploit technology. These software applications can help to fend off sophisticated attacks. Here is a roundup of some of the best anti-virus solutions for small businesses
Computer viruses are easy to pick up if you’re not protecting your systems effectively. Fortunately however, there are a number of simple steps you can take to reduce the likelihood of a cyber attack.
- Use reputable anti-virus software and ensure it automatically updates on a regular basis
- Anti-virus programmes don’t automatically mean you have a firewall. A firewall is a network security system which monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls establish a barrier between a trusted and untrusted network. Macs and PCs come with pre-installed firewall software so ensure it’s enabled to provide an extra layer of protection from viruses
- Many viruses infiltrate computers through users innocently clicking on a bad ad or link. You can reduce the likelihood of this happening by installing a popup blocker. This will also stop unwanted pages from opening automatically
- Never click on, open or download anything unless you know the sender, and are expecting something from them, or trust the website
It’s also important to ensure you’re aware of the signs of a virus so you can deal with the problem quickly. Signs that your computer has picked up a virus include:
- Unexpected shutdowns
- Your computer has slowed down and/or takes a long time to shut down or restart
- Repeated error messages
- New toolbars you didn’t install
- Changes to your homepage
- Your battery drains very quickly
Phishing scams most commonly come in the form of emails. They’re very popular with cyber criminals because it’s easy to send them to large numbers of people in one go, company logos can be added to make communications seem authentic, and most of us receive genuine emails from the companies being imitated, so it’s easy to be fooled by a convincing email.
The example email below is a convincing example of a phishing attack.
It has the HMRC logo, links to their social media pages and even a section in the footer telling recipients how to stay safe online. With many businesses worried about surviving Coronavirus, it would be easy to fall into the trap of clicking on the button to complete the claim and submitting bank details to fraudsters.
Phishing attacks will often tell a story to try and trick you into clicking on a link or opening an attachment. This usually includes them claiming:
- You’ve missed a payment and must pay urgently or further action will be taken
- There has been suspicious activity or log-in attempts with your account
- There’s a problem with your account or payment information
- You need to confirm some personal information
- You need to pay an overdue fake invoice
- You’re eligible for a tax refund
It’s not unusual for phishing emails to be confrontational – they are designed to scare people into acting fast. Even if you don’t usually fall for things, the threat of a big fine, a lawsuit or even imprisonment could cause you to act without thinking.
Other signs an email might not be genuine include:
- Spelling and grammar mistakes
- It’s from a shop or provider you don’t use
- They might be pushy, rude or demanding
- They ask for financial or other personal information. A genuine company would never ask you to supply this type of information over an email
- It includes a suspicious attachment
- The email address looks suspicious. Before responding to anything, always check the email address; this is a big giveaway even with the most convincing attacks. You would never know the example below is a phishing attack unless you noticed the strange email address at the top
- The link looks suspicious. If you hover over the links in the email and they don’t show the URL of the company the email is apparently from or are lengthy and confusing, this is another sign of a phishing attack
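Three of the signs above (a sender address that doesn’t belong to the organisation it claims to be, links whose visible text points somewhere other than their real destination, and pressure language) can be checked automatically, which is what a mail filter or a quarantine review script does. The code below is an added example, not from the original article: it parses a constructed HTML email with Python’s standard `email` and `html.parser` modules and returns a list of warning signs. The domain names in the sample are placeholders (`hmrc.example` stands for the genuine organisation, `hmrc-refunds.example.net` for the impostor), and the list of pressure words is an assumption for the example.

```python
"""Added example (not from the original article): automated checks for three
phishing signs. The message and the domain names in it are constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. "hmrc.example" stands in for the genuine organisation's
# domain; "hmrc-refunds.example.net" is the pretend impostor domain.
SAMPLE = """From: HMRC Refunds <refunds@hmrc-refunds.example.net>
To: owner@smallbiz.example
Subject: URGENT: claim your tax refund within 24 hours
Content-Type: text/html

<html><body>
<p>Your refund is waiting. You must act immediately or further action will be taken.</p>
<p><a href="http://hmrc-refunds.example.net/claim?id=8812">https://www.hmrc.example/claim</a></p>
</body></html>
"""

# Words that typically signal the 'act now' pressure described above (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "further action", "suspended", "overdue")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'organisation' part of a hostname: its last two labels."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def phishing_signs(raw, expected_domain):
    """Return a list of human-readable warning signs found in the message."""
    msg = message_from_string(raw)
    signs = []

    # Sign 1: the real sender address is not at the organisation's domain.
    _name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if registrable(sender_domain) != registrable(expected_domain):
        signs.append(f"sender domain {sender_domain} is not {expected_domain}")

    # Sign 2: pressure language in the subject or body.
    body = msg.get_payload()
    lowered = (msg["Subject"] + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        signs.append("pressure language: " + ", ".join(hits))

    # Sign 3: a link whose shown URL differs from where it really goes, or
    # which goes somewhere other than the organisation's own domain.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        real = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable(shown) != registrable(real):
            signs.append(f"link text shows {shown} but goes to {real}")
        elif registrable(real) != registrable(expected_domain):
            signs.append(f"link points to {real}, not {expected_domain}")
    return signs


if __name__ == "__main__":
    for s in phishing_signs(SAMPLE, "hmrc.example"):
        print("-", s)
```

The `registrable` helper is deliberately simple (last two labels of the hostname); it is enough to separate `example.net` from `hmrc.example` in the sample, but a production filter would use the public suffix list so that `co.uk`-style domains are handled properly.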
When trying to protect your organisation from phishing attacks, it’s very important to ensure your employees are well-informed about these signs. Educate them to implement the following steps:
- Know the signs of a phishing email
- Always think twice about clicking or downloading anything from an unknown source. You should only open attachments, click on links or download files if you’re expecting them or are certain it’s from a genuine company
- Never give out personal or financial information. Phishing emails will often create fear by telling you that you’ve missed a payment or you’ll be in trouble if you don’t pay now. If you’re concerned and have an account with the company in question, go to their website and call them via a number from there. Never reply to the email or phone using a number provided on the communication
- Only use trusted websites. When inputting bank or card details, only use trusted websites, checking the domain is as expected and ensuring the website is secure with the lock symbol before the URL
- Use different passwords for different sites. This means that if you do fall victim to an attack, only one account will be compromised instead of all of them
- Enable two-factor authentication. This is a security process that requires two methods of verification to log in
- Use a good email provider. It’s worth paying more for an email provider who works hard to identify phishing and other scams
For more tips and advice, head to this blog on ‘how to protect your business from phishing scams.’
Ransomware typically exploits both software vulnerabilities and human behaviour. This means that when it comes to cyber security for your small business, it’s important to protect both.
Have you identified the employees who are most likely to receive emails from external sources? Do staff know how to spot the signs of a fake email? Is there a procedure in place for users to report suspicious emails?
When it comes to protecting your equipment:
- Do regular back ups so you don’t lose data if you’re hit with an attack
- Keep all your software up to date
- Use robust security software that employs a layered approach to block both known and new threats
- Cyber criminals can embed macros in Office documents to manipulate or delete files on your hard drive, as well as download malware from the internet. On Microsoft Windows with the applicable version of Office, set the group policy setting for macro settings to ‘disable macros with notification’ so that macros don’t run automatically when a document is opened
- In Office 2013 and 2016, edit the group policy settings to block macros from running when using Word, Excel and PowerPoint documents from the internet. You can find out more about macros and how to block them on the Microsoft website
- If you don’t use Java and Flash Player, uninstall them. If you only use them occasionally, disable them until you need them. Many vulnerabilities have been discovered in both programmes over the years, leaving businesses open to attack. These articles explain how to disable Adobe Flash and Java
“Make a regular daily/weekly back up copy of essential information. Regularly test that the backup is working to ensure you can restore information from it.”
NCSC SME Engagement Lead
5. DDoS attacks
A common misconception with DDoS attacks is that hackers only attack large companies. Unfortunately for SMEs, this simply isn’t the case.
Fortunately, however, there are a number of simple ways you can protect your business including:
- Know the amount of bandwidth your site typically uses. DDoS attacks leave visible clues in your traffic, so the more familiar you are with your network’s normal behaviour, the more likely you are to catch an attack early
- Add more bandwidth. This ensures that your server capacity can handle heavy traffic spikes if you’re overloaded with a sudden increase due to a DDoS attack
- Do your updates. This includes updating and patching your firewalls and network security programmes
- Secure your network infrastructure. This consists of all your IT which is used to provide network services so that your devices can connect and communicate. Examples include routers, hubs, gateways, servers, Ethernet cables, wireless access points, firewalls, VoIP and VPN
- Practice basic network security. This includes having secure and complex passwords and implementing anti-phishing methods and secure firewalls that allow little outside traffic
- Prepare for an attack. Ensure you have a cloud-based DDoS mitigation system in place that can handle attacks. This will help to get your business back up and running much quicker. You can find out more about DDoS mitigation and how to choose the right service here
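Knowing your normal traffic level, the first tip above, only helps if something compares current traffic against it. The script below is an added example, not from the original article: it reads web-server access log lines, counts requests per minute and the number of distinct client addresses, and flags any minute that is several times the median of the others. Requests per minute is used here as a stand-in for the bandwidth figure the article refers to, the multiplier is an assumption, and the log lines are constructed to show six quiet minutes followed by a flood from many addresses.

```python
"""Added example (not from the original article): flag minutes whose request
volume is far above the usual level, using constructed access-log lines."""
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed combined-format log lines: six quiet minutes of four requests each,
# then one minute with 120 requests from 120 different addresses.
LOG_LINES = []
for minute in range(6):
    for i in range(4):
        LOG_LINES.append(
            f'203.0.113.{i + 1} - - [10/Mar/2020:09:{minute:02d}:{i * 10:02d} +0000] '
            '"GET /index.html HTTP/1.1" 200 512'
        )
for i in range(120):
    LOG_LINES.append(
        f'198.51.100.{i % 250 + 1} - - [10/Mar/2020:09:06:{i % 60:02d} +0000] '
        '"GET / HTTP/1.1" 503 0'
    )

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def requests_per_minute(lines):
    """Return (requests per minute, set of client IPs per minute)."""
    per_minute = Counter()
    ips = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than stop the whole run
        ip, ts = m.group(1), m.group(2)
        stamp = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        minute = stamp.strftime("%Y-%m-%d %H:%M")
        per_minute[minute] += 1
        ips.setdefault(minute, set()).add(ip)
    return per_minute, ips


def flag_spikes(lines, factor=5, min_baseline=3):
    """Return [(minute, request_count, distinct_ips)] for minutes whose count
    exceeds `factor` times the median of all other minutes.

    The median is used so that the spike itself does not drag the baseline up.
    With fewer than `min_baseline` minutes there is nothing to compare against.
    """
    per_minute, ips = requests_per_minute(lines)
    if len(per_minute) < min_baseline:
        return []
    flagged = []
    for minute, count in sorted(per_minute.items()):
        others = [c for m, c in per_minute.items() if m != minute]
        if count > factor * statistics.median(others):
            flagged.append((minute, count, len(ips[minute])))
    return flagged


if __name__ == "__main__":
    for minute, count, sources in flag_spikes(LOG_LINES):
        print(f"{minute}: {count} requests from {sources} addresses")
```

A large count from many distinct addresses (as in the sample) points to a distributed flood; the same count from one or two addresses is more likely a misbehaving client or scraper that a firewall rule can deal with.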
Businesses get hacked for many reasons. It could be financial gain, a political agenda or even just for criminals to gain notoriety. Below are some tips to prevent hackers getting into your system:
- Use strong passwords
- Use two-factor authentication
- Have different passwords for everything
- Choose an Internet Service Provider that offers built-in security features
- Keep anti-virus and anti-spyware software up to date
- Install a network firewall
- Encrypt customer data and sensitive information
- Limit access to certain online information
- Block high-risk sites from being viewed by employees
For more advice on keeping your business safe, have a read of ‘How SMEs can improve their online security.’
Earlier we discussed why cyber security for your small business is so important. As well as protecting your organisation, customers and employees, personal data protection is in fact a legal requirement.
Both GDPR and The Data Protection Act 2018 require your business to take steps to protect personal and sensitive information including:
- Email addresses
- Telephone numbers
- Bank and credit card details
- Health information
Failure to comply can result in very heavy financial penalties or even action which could result in a prison sentence. The GDPR changes which came into force in 2018 – in the UK these are addressed in the Data Protection Act 2018 – are important for a business of any size. You can find out more about GDPR on the ICO website here.
How to protect your data
Fortunately, there is plenty your business can do to reduce the risk of a data breach.
1. Secure any wireless networks
Criminals often plant ransomware and other malware on systems by exploiting security weaknesses in wireless networks.
Tips range from managing your Preferred Network List (PNL) and using a Virtual Private Network (VPN) to keep local traffic encrypted, to disabling auto-connection and WPS functionality; you can read more about seven Wi-Fi security tips here.
It’s also a good idea to regularly run a wireless network penetration test to help you identify any vulnerabilities in your network.
2. Keep software updated
It’s tempting to ignore update notifications, especially when you’re busy or in the middle of something. Software providers regularly release updates to fix security flaws they’ve discovered so it’s important to run them on all your devices as soon as they’re released. Not doing so puts you at risk from criminals who have discovered these weaknesses and can use them to target your business.
3. Control access
Do you know who in your organisation has permission to access personal information? This should always be kept on a need-to-know basis. Sensitive information such as payroll or employee health data should be kept out of the hands of anyone who doesn’t need it to do their job.
4. Back up data
Suffering a cyber attack could see you lose all your data. However, regular backups can ensure you can still access your data in the event of a breach or other incident.
There are a number of options available. One option includes copying files to USB flash drives or external hard drives, although this can be time-consuming and leaves you more vulnerable to fire, theft and hardware failure.
Cloud services are a popular option for a number of reasons:
- You don’t need to purchase any equipment or install new systems because you’re taking advantage of an existing infrastructure. Once backups are complete, your encrypted files are stored at an offsite data centre
- It’s reliable and even in the event of a breach, you will be able to restore any lost data quickly and easily
- It’s a low-cost solution for data protection
- You don’t need an IT expert to protect your data
If you’re looking for a safe solution for your business, here are the best cloud backup services as rated by Tech Radar.
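Both the ransomware section earlier (back up regularly, and, in the NCSC’s words, test that the backup restores) and this section come down to the same routine: make a copy, and prove it can be restored intact. The script below is an added example, not from the original article: it archives a folder with a SHA-256 manifest, restores the archive somewhere else and compares every restored file against the manifest, so a missing or altered file is reported rather than discovered on the day you need it. The folder contents are constructed, and the archive format (gzip tar plus a JSON manifest) is a choice for the example, not a requirement of any backup product.

```python
"""Added example (not from the original article): back up a folder with a
checksum manifest, restore it, and verify the restore. Sample files are
constructed in temporary folders."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir; write and return a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for dirpath, _dirs, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as fh:
        json.dump(manifest, fh)
    return manifest


def restore_backup(archive_path, restore_dir):
    """Extract the archive into restore_dir."""
    os.makedirs(restore_dir, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # The "data" filter refuses entries that would escape restore_dir
            # (Python 3.12+, backported to maintenance releases of 3.8-3.11).
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)  # older interpreter without the argument


def verify_restore(archive_path, restore_dir):
    """Compare the restored files against the manifest.
    Returns (ok, problems); problems lists missing or altered files."""
    with open(archive_path + ".manifest.json") as fh:
        manifest = json.load(fh)
    problems = []
    for rel, digest in manifest.items():
        target = os.path.join(restore_dir, rel)
        if not os.path.exists(target):
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != digest:
            problems.append(f"changed: {rel}")
    return (not problems), problems


def demo(tamper=False):
    """Back up a constructed folder, restore it and verify.
    With tamper=True one restored file is altered to show the check failing."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "documents")
        os.makedirs(os.path.join(src, "invoices"))
        with open(os.path.join(src, "invoices", "2020-03.txt"), "w") as fh:
            fh.write("constructed invoice data\n")
        with open(os.path.join(src, "customers.csv"), "w") as fh:
            fh.write("name,email\nA Customer,a@example.com\n")
        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive)
        restore = os.path.join(work, "restore")
        restore_backup(archive, restore)
        if tamper:
            with open(os.path.join(restore, "customers.csv"), "a") as fh:
                fh.write("extra\n")
        return verify_restore(archive, restore)


if __name__ == "__main__":
    print(demo())             # (True, [])
    print(demo(tamper=True))  # (False, ['changed: customers.csv'])
```

Keep the manifest with the archive but also somewhere the archive is not (for example alongside your offsite copy), so that a corrupted or tampered backup cannot quietly bring a matching manifest with it.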
5. Train employees
Human error is one of the leading causes of data breaches. When it comes to SME cyber security, it’s important that your staff know how to identify potential threats and exercise good practices such as running updates and not clicking on suspicious links. We’ll go into more detail about staff training later.
For more information about protecting your data, have a listen to our webinar: Protecting your small business, customers and data.
Working with suppliers
Every business needs software and is also likely to be working with a third-party supplier when it comes to their IT needs. Perhaps someone built and hosts your website for you, you may use a company like Sage for your accounting and HR software or you may conduct regular data or file transfer and sharing.
While all of these processes help you to run your business more efficiently, having a third-party involved does increase your risk of a breach or attack. Data protection and cyber security are therefore extra important when working with external suppliers. You will also need to ensure that your supplier contracts cover data protection and are GDPR compliant.
GDPR and third-party relationships
Under GDPR, when you outsource data processing activities to another organisation, you are classed as the data controller. The third-party you appoint is the data processor.
It’s important to remember that data controllers (you) are responsible for their own compliance as well as that of their processors. In order to safeguard your business and avoid a potentially hefty fine, it’s absolutely crucial that you research the security practices of any suppliers you’re working with.
Outsourcing data processing activities will not relieve the data controller of its legal responsibilities and so it is important to ensure that your contracts with your suppliers cover this fully.
Staying safe when transferring and sharing data
When you’re running a business, there are plenty of occasions when you’re going to need to share data with customers, suppliers and other employees. You’re probably also likely to transfer information from computer to computer and person to person.
Fortunately, there are many apps and services which allow you to do this quickly and easily. The key is of course, for these activities to be carried out safely and securely.
If you need help with data sharing or transfer, below are some great resources:
Of course, sharing any personal data will need to be done in accordance with the Data Protection Act 2018.
Key cyber security tips and techniques
Now we’ve covered specific cyber threats for SMEs and what you can do to protect your small business, let’s take a closer look at some of the tips and techniques mentioned.
What is encryption?
Understanding encryption, how it works and being able to implement it can be a valuable part of SME cyber security.
In its simplest form, encryption is when information is converted into a secret code so that unauthorised parties can’t read it. It’s a method used to protect sensitive and confidential information stored on computers, storage devices and even while in transit over networks (such as sending an email).
Encryption is used in many of our everyday activities without us even realising. Every time we visit an ATM for example or buy something online with a smartphone, encryption is being used to protect the information being relayed. Even search engines encrypt your search data so they can protect users’ information.
How does it work?
Encryption uses an algorithm to scramble (encrypt) data so that it can only be read by those who hold the right key; the receiving party uses that key to unscramble (or decrypt) the information.
The readable form of a message is called plaintext, whereas its unreadable, encrypted form is called ciphertext. There are many different levels of encryption: some are as simple as switching letters, whereas others add more steps, making decryption a lot more difficult.
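To make the plaintext, key and ciphertext concrete, here is an added example (not from the original article) with two ciphers. The first is the letter-switching kind: each letter is shifted a fixed number of places, and that number is the key. Because there are only 25 possible keys, every one can be tried in an instant, which is why such ciphers are no longer used for anything that matters. The second XORs each byte of the message with a byte of a random key that is as long as the message and used only once (a one-time pad); with a secret key, the ciphertext reveals nothing, which shows that the protection comes from the key and not from hiding the method. The messages are constructed; real tools (HTTPS, disk encryption) use ciphers such as AES that give the same kind of protection with short, reusable keys.

```python
"""Added example (not from the original article): a letter-shift cipher and a
one-time pad, to show what plaintext, key and ciphertext mean in practice."""
import secrets
import string

ALPHABET = string.ascii_lowercase


def shift_encrypt(plaintext, key):
    """Shift each letter `key` places along the alphabet; leave other characters."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            base = ALPHABET if ch.islower() else ALPHABET.upper()
            out.append(base[(base.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Shifting back by the same key recovers the plaintext."""
    return shift_encrypt(ciphertext, -key)


def shift_candidates(ciphertext):
    """Every possible decryption. With only 25 keys the key is no real secret:
    the right plaintext is simply the one that reads as English."""
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}


def otp_encrypt(plaintext_bytes, key):
    """XOR with a key that is random, secret, as long as the message and never reused."""
    if len(key) != len(plaintext_bytes):
        raise ValueError("one-time pad key must be exactly the message length")
    return bytes(p ^ k for p, k in zip(plaintext_bytes, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse, so the same function decrypts


def demo():
    """Encrypt a constructed message both ways and recover it."""
    message = "Pay invoice 4471 by Friday"
    shifted = shift_encrypt(message, 3)
    recovered_by_search = shift_candidates(shifted)[3]
    key = secrets.token_bytes(len(message))  # fresh random key, kept secret
    padded = otp_encrypt(message.encode(), key)
    return shifted, recovered_by_search, otp_decrypt(padded, key).decode()


if __name__ == "__main__":
    shifted, recovered, unpadded = demo()
    print("shift ciphertext:", shifted)   # Sdb lqyrlfh 4471 eb Iulgdb
    print("found by trying all keys:", recovered)
    print("one-time pad round trip:", unpadded)
```

The one-time pad is impractical for everyday use (the key is as large as the data and must be delivered securely), which is exactly the problem modern ciphers solve; the lesson that carries over is that whoever holds the key holds the data, so key storage deserves as much care as the encryption itself.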
Encrypting your devices can be quite straightforward, with many operating systems providing native tools to complete this. This blog explains how to encrypt all your devices regardless of whether it’s a PC, Mac, iPhone or Android.
Alternatively, you can install software which does this for you. Popular programmes include Folder Lock, AxCrypt and CryptoExpert. Here you can find the best encryption software as voted for by Tech Radar.
Creating and storing secure passwords
We all use passwords throughout our business and personal lives. They’re an integral part of keeping personal and financial information safe and secure. Despite this however, many of us still aren’t practising good password hygiene.
- 51% of us use the same passwords for work and personal accounts
- 57% of people who have fallen victim to a phishing attack still haven’t changed their password
- 42% of organisations say they use sticky notes for password management
While it may be tempting to use an easy or obvious password so you don’t forget it, doing so makes you vulnerable to cyber attacks. What’s more, a 12-character password takes 62 trillion times longer to crack than a six-character password.
Top tips to creating a secure password:
- Don’t use obvious and common passwords. Avoid sequential numbers or letters and don’t use ‘password’ or simply add a 1 to the end
- Don’t use personal information. Many of us use the name of a loved one, birthdays, place of birth, favourite colour or dream destination as a password. This type of information is often found by hackers
- Use long passwords. Experts say passwords should be at least 12-15 characters and include a mix of characters. The more you combine upper-case, lower-case, numbers, symbols and spaces, the harder your password will be to guess
- Avoid memorable keyboard paths, such as qwerty
- Choose bizarre and uncommon words. You can then add these together to create a very random password that gives you a mental image you won’t forget
- Adopt the Bruce Schneier Method. This involves thinking of a random sentence and transforming it into a password using a rule. For example, taking the first two letters of every word in “The Rising Sun is my favourite pub in Oxford” would give you ThRiSunIsMyFaPuInOx. This makes it easy for you to remember but it would be very impressive if any hacker managed to crack the code
- Use a password manager. Not only can password managers securely store all your credentials, but they’ll also often have a generation tool which can produce random passwords for you
- Use two-factor authentication. This requires two methods of verification to log in. You may for example be sent a text message asking you to input a secondary code alongside your username and password. You can find out how to set up two-factor authentication here
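The tips above can be turned into rules that a sign-up form or an internal password audit applies automatically. The checker below is an added example, not code from the original article: it flags passwords that are too short, that are common (with or without a trailing digit), that contain a sequential run such as 1234 or abcd, that contain a keyboard path such as qwerty, that contain personal details you supply (a pet’s name, a birth year), or that use too few kinds of character. The common-password list and keyboard-path list are small constructed samples; a real deployment would check against a large breached-password list.

```python
"""Added example (not from the original article): a password rule checker
built from the tips above. Word lists are small constructed samples."""
import re

# Constructed samples; a real check uses a breached-password list of millions.
COMMON = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}
KEYBOARD_PATHS = ("qwerty", "asdfgh", "zxcvbn", "1qaz2wsx", "qazwsx")


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step by +1 or -1 (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, personal_terms=(), min_length=12):
    """Return a list of rule failures; an empty list means the password passes.

    personal_terms: names, dates or places tied to the user (assumed to be
    supplied by the caller from the account details)."""
    problems = []
    low = pw.lower()
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # 'password1' is still 'password': strip trailing digits before the lookup.
    if low in COMMON or re.sub(r"\d+$", "", low) in COMMON:
        problems.append("common password (with or without trailing digits)")
    if has_sequence(pw):
        problems.append("contains a sequential run such as 1234 or abcd")
    if any(path in low for path in KEYBOARD_PATHS):
        problems.append("contains a keyboard path such as qwerty")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in low:
            problems.append(f"contains personal information: {term}")
    classes = sum(
        bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]|\s")
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate, terms in (("password1", ()), ("Rex2015!", ("Rex",)),
                             ("Rising-Sun-Oxford-1999!", ())):
        print(candidate, "->", check_password(candidate, terms) or "OK")
```

Use the result to explain to the user which rule failed rather than silently rejecting the password; people choose better passwords when told why the previous one was weak.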
Some other tips for keeping your passwords safe include:
- Use a VPN when on public Wi-Fi. This means that when you log into accounts, nobody can intercept your name and password
- Never text or email yourself or anyone else your password
- When selecting security questions while creating an account, choose hard-to-guess options. Your pet’s name for example could be very easy to find on your social media pages
If you’re creating complex passwords for all your online platforms, you’re going to lose track of what’s what very quickly.
A secure approach is to use a password manager. This is a computer programme which allows you to store, generate and manage all your passwords. It encrypts your password database, allowing access with a master password. Many password managers also allow you to share login details securely and can often generate strong passwords for you.
Some password managers are free and others you can pay for depending on the level of security you’re after. Here are some of the best password managers in 2020 as voted for by Tech Radar. Here at UK Domain, we’ve also put together five top password managers for small businesses.
Wi-Fi is what most of us use to access the internet. It’s a high-speed wireless network and providing you’re connected to a personal, private source, it’s generally pretty safe.
When you sign up with an Internet Service Provider (ISP), you will receive a router and a secure password. You use these to connect to your own private Wi-Fi which can only be accessed in your home or office.
Public Wi-Fi is also widely available these days. While convenient when on the go, using it comes with a number of risks. The main threat is that it requires no authentication to establish a network connection. This means that hackers can gain access to unsecured devices (such as your mobile phone) using the same network. Cyber criminals can also use public Wi-Fi to distribute and install malware.
Tips for staying safe when using Wi-Fi:
- Don’t access or divulge personal information when using a public network
- Only provide your password to those who need it
- Ensure your Wi-Fi is password protected so that not just anyone can access it. Use WPA2 or WPA3 encryption and a passphrase of at least 15 characters with a mix of letters, numbers and special characters
- Use a guest network. This is separate from your primary network and can be used for customers, visitors or anyone else on-site for a short period
- Keep your router up to date and disable any features that make your network more vulnerable, such as remote administration from the internet and UPnP, if you don't need them
- Keep your router in a secure location, preferably in a locked room which few people can access
- Change the default router login information. Most come with default usernames and passwords which are easy to guess
- Change the network name. The service set identifier (SSID) is the name that’s broadcast from your Wi-Fi so people can find the network. While you want employees to be able to find this, you don’t want to broadcast the make and model of the router you’re using to the outside world
- Update your firmware and software when prompted to do so
- Turn off Wi-Fi Protected Setup (WPS) unless you need it for something specific. This is the function that makes pairing a device with an encrypted network quick and easy, but its PIN method has a known weakness that lets an attacker within range brute-force the PIN and recover the Wi-Fi passphrase
- Limit or disable the Dynamic Host Configuration Protocol (DHCP). DHCP is the service on the router that automatically hands out an IP address to each device that joins the network; limiting the address pool, or assigning addresses by hand, gives you a clearer picture of what is connected. Treat this as housekeeping rather than a security control: it won't keep out anyone who already has the Wi-Fi passphrase
Using a Virtual Private Network (VPN)
A VPN creates an encrypted tunnel between your device and a VPN server (your provider's, or your own office network). Traffic inside the tunnel can't be read by anyone on the local network, and the sites you visit see the VPN server's IP address rather than yours, adding an extra layer of security for your business.
Tips for staying safe when using a VPN:
- Choose a trusted provider with a good reputation, even if it's more expensive. You want a VPN with no history of leaking users' real IP addresses or traffic
- Use multifactor authentication – the same as two-factor authentication, this requires users to verify their identity with multiple methods
- Find a provider that offers a kill switch. This blocks all internet traffic from your device if the VPN connection drops, so nothing leaks outside the tunnel until the connection is restored
If you don’t already have a VPN, here are five great providers for small businesses.
Computer and software updates
An important part of your SME cyber security is running regular computer and software updates. As mentioned earlier, software providers do these updates to protect against newly discovered threats. If you don’t run them, you’re putting your systems and business at risk.
The best thing to do is to set your computer up so that it installs updates automatically. You can find out how to turn on automatic updates in Windows 10, 8.1 and 7 here. Note that Windows 7 stopped receiving security updates in January 2020, so any machine still running it should be upgraded or taken off the network.
“Software and computer updates are so important as they often fix vulnerabilities that leave your computer exposed to malicious software such as a virus or ransomware.”
Cath Goulding, CISO at Nominet.
This is another great article explaining how to keep your PC software updated automatically. If you’re using a Mac, this article explains everything you need to know about software updates including how to check, download and install them as well as set up automatic updates.
Don’t forget about updates across other company devices. For example, your employees might be using a company phone or working remotely. When employees are office-based, you or your IT team can check computers have been updated. If employees are based at home, it’s important to remind them when updates are available and to check they have been installed.
Being able to work from home was once a perk only a select few got to enjoy. Over the years, however, it has become increasingly common with 1.7 million Brits now mainly working from home and 8.7 million enjoying remote working on an occasional basis.
Although figures were on the rise anyway, Coronavirus has seen a rapid increase in the number of employees adopting remote working.
This sudden change puts many organisations at risk as they find their security systems simply are not robust enough to protect their entire workforce working from home. 85% of Chief Technology, Information and Security officers have in fact said that they don’t believe their workforce had been adequately equipped to work from home.
The all-important question is, how do you protect your business when employees are working remotely?
To get started, have a read of our blog ‘Working from home: seven ways to keep your business and staff secure.’ This covers many important aspects including password management, two-factor authentication, staying alert, regular training and more.
Some other tips include:
- Ask employees to encrypt their home Wi-Fi (WPA2 or WPA3) and change their router's default password, as home setups tend to be weaker
- Ensure you have a policy in place for remote working
- Ensure employees know where to report a suspected or actual breach
“Continue to be wary of phishing emails and call the sender or your IT support/security team if unsure.”
Cath Goulding, CISO at Nominet
- Employees may work elsewhere for a change of scenery, such as a coffee shop. Make sure they know that they should never access or send sensitive information while using public Wi-Fi
- Ensure all mobile devices, including phones, USB sticks and portable hard drives, have been secured
Keeping your business safe when using mobile devices
From checking emails, downloading attachments, logging into apps and work systems and making and receiving calls, mobile phones present a number of security risks. Regardless of whether you've supplied employees with a phone or they're using their personal device, any mobile they use for work email or other work activities should be secured.
You can do this by:
- Encrypting data on smartphones. This will protect sensitive data such as telephone numbers, email addresses, text messages, company documents and emails if a device gets lost or stolen. Current iPhones and most recent Android phones encrypt their storage by default once a passcode is set, whereas older devices may need encryption turned on in settings. Find out how to encrypt the data on your Android or iPhone here
- Back up data so that if a phone gets stolen or lost, staff can get valuable information back
- Make sure all phones are set up with a password, fingerprint or face verification
- A lot of people don’t know that you can get security software for mobile devices. This will help protect against viruses, spam and other threats
- Install software or an app that will allow you to wipe the data on your devices remotely. Some examples include Android Device Manager (now called Find My Device) and Find My iPhone. Both will also allow you to locate a device if it gets lost or stolen
- While you can’t control what an employee does with a personal device, if you’re providing a work mobile, prevent them from installing their own apps
- Remind employees to do software updates when prompted. Mobile device management (MDM) software allows you to manage devices and software updates centrally
- Make sure all your policies include smartphone use
- Encourage staff to turn off their Bluetooth unless they’re using it
- Only allow staff to install apps from a trusted App Store and ensure policies for work devices include safe processes for requesting and installing apps
Universal Serial Bus (USB) is a cross-platform technology used to connect computers to devices such as digital cameras, printers, scanners, memory sticks and external hard drives. As using them involves transferring and storing information, all USB storage devices should be secured.
You can do this by:
- Encrypting the data stored on the device, so that a password is needed before anything on it can be read
- If you're using Windows, you can use BitLocker To Go to encrypt a removable drive
- Installing password protection software if the device doesn't support encryption natively
- Encouraging employees to store their device somewhere safe, preferably locked away
- If possible, avoid removing the device from the office or home
- Ensuring all data is also backed up in case a device gets lost or stolen
- Buying a USB that comes with built-in security features
- Not accepting USB devices from untrusted sources
- Ensuring any new USB devices are scanned or wiped before use
Portable hard drives
A disk drive (magnetic or solid-state) that plugs into a USB port on a computer, portable hard drives are used for transporting data, providing backups and freeing up space on internal hard drives. With the potential for plenty of sensitive information to be stored on these devices, it's imperative they're protected should they fall into the wrong hands.
You can do this by applying the same measures listed above for USB sticks: encrypt the drive, keep a separate backup of its contents, store it securely, and scan or wipe any drive of unknown origin before use.
Staff training
Human action, whether malicious or accidental, has been found to be responsible for an incredible 95% of cyber attacks and data breaches. From accidentally sending sensitive information to the wrong email address and losing a company phone, to poor password management and clicking on malicious links, insider threats are common and easy to fall for.
A crucial aspect of small business cyber security is educating staff about the risks and how to mitigate them. How exactly can you do this?
1. Implement a policy
A cyber security policy sets the standards of behaviour for all your online activities. This can include the use of social media, restrictions to certain websites, encryption of emails, which employees have access to sensitive information and how you will respond to an attack.
It is essentially your defence strategy against online criminals and insider threats, whether deliberate or due to negligence. It explains the assets that must be protected, outlines the potential threats to your business, the security controls which have been implemented to reduce them and how you will act if there's a breach.
“If in doubt, call it out. Reporting incidents promptly – usually to your IT team or line manager – can massively reduce the potential harm caused by cyber incidents.”
NCSC SME Engagement Lead
It’s important that every single employee is aware of this policy, especially with so many people now working from home.
Here are some great resources to get you started with your cyber security policy:
- The importance of cyber security policies
- How to develop a robust cyber security policy
- Cyber security policy template
2. Hold regular training sessions
Despite firewalls and other security software, employees are still the most common entry point for cyber criminals.
Regular and continuous training is key to protecting your business. You can implement the best strategies and have an excellent cyber security policy, but if your staff don't know about them, it has zero benefit. After all, how can an employee report or stop a threat if they don't know how to recognise it?
Topics to cover in employee training
To ensure your staff are up to date with all the latest threats and know how to stay safe online, keep them well-informed on the following topics:
- The different types of cyber threats, how to identify them and how to prevent them
- Password management – how to create and store secure passwords
- Reporting threats and breaches – do your employees know how to report any red flags and suspicious intrusions? Adopting a positive approach to this means employees are more likely to report incidents, worries and concerns. Here the NCSC explains how to grow a positive security culture
- Email, internet and social media policies
- Running software updates when alerted
- Confidentiality – employees who have access to sensitive information should be well-informed about the importance of privacy, personal data protection and GDPR
- How to respond to an attack
It can also be a good idea to provide helpful resources to employees. These can be included in new starter packs and when running training days. This allows staff to read things in their own time and do further research if needed. Another tip is to stick posters around the office highlighting risks, how to reduce them and how to report them.
Here’s a blog explaining how to create an effective cyber security training programme for your employees.
The NCSC has also created an e-learning package which offers top tips for staff when it comes to cyber security.
3. Implement stricter controls
An important part of cyber security is implementing the right controls and for many, this is likely to involve becoming stricter with who can access what.
62% of employees say they have access to data they probably don’t need to see. When it comes to sensitive information, only those who have to see it should be able to. Not only does this reduce the risk of a breach, it also means that you will be able to identify if something untoward is going on much quicker.
Introducing user roles and permissions is an effective way to tighten up online security. A user role is a named collection of permissions that matches a particular job, and each user is assigned one or more roles rather than being granted permissions individually. Because access is granted through roles, you can see at a glance who can do what, review it regularly and revoke it in one step when someone changes job or leaves. Restricting responsibilities and permissions to the users who need them reduces the risk of human error and therefore of security breaches.
“Configure accounts to reduce the impact of successful attacks. You should configure your staff accounts in advance using the principle of ‘least privilege’. This means giving staff the lowest level of user rights required to perform their jobs, so if they are the victim of a phishing attack, the potential damage is reduced.”
NCSC SME Engagement Lead
[Figure: example of how user roles and permissions might be delegated]
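As an added example that is not part of the original guide, here is the role-based model described above in Python: permissions are attached to roles, users are given roles, every action goes through one default-deny check, and two routine controls (an access review of sensitive permissions, and a check that nobody holds both halves of a conflicting pair such as raising and approving a payment) fall out of the same data. The role names, permission strings and the example team are invented for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Permissions are granted to roles only; users are assigned roles. Access is
# therefore reviewed and revoked per role, never as a pile of one-off grants.
# Role names and permission strings are invented for this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "staff":    {"email:read", "email:send", "files:shared:read"},
    "finance":  {"files:finance:read", "payments:create"},
    "approver": {"files:finance:read", "payments:approve"},
    "hr":       {"hr:records:read", "hr:records:write"},
    "it_admin": {"accounts:create", "accounts:disable", "systems:admin"},
}

# Pairs one person should never hold together (separation of duties): whoever
# raises a payment must not be the one who approves it.
CONFLICTING_PAIRS = [("payments:create", "payments:approve")]


@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True


def permissions_for(user: User) -> Set[str]:
    """Effective permissions: the union of the user's roles; none if disabled."""
    if not user.active:
        return set()
    perms: Set[str] = set()
    for role in user.roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r} on {user.username}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def can(user: User, permission: str) -> bool:
    """The single check every action should go through. Default is deny."""
    return permission in permissions_for(user)


def offboard(user: User) -> None:
    """Leaver process: strip every role and disable the account in one step."""
    user.roles.clear()
    user.active = False


def access_review(users: List[User], sensitive: Set[str]) -> Dict[str, List[str]]:
    """Who currently holds each sensitive permission, for a periodic review."""
    return {
        perm: sorted(u.username for u in users if can(u, perm))
        for perm in sorted(sensitive)
    }


def separation_of_duties_violations(users: List[User]) -> List[str]:
    """Users whose combined roles give them both halves of a conflicting pair."""
    hits = []
    for u in users:
        perms = permissions_for(u)
        if any(a in perms and b in perms for a, b in CONFLICTING_PAIRS):
            hits.append(u.username)
    return sorted(hits)


if __name__ == "__main__":
    team = [
        User("alice", {"staff"}),
        User("bob", {"staff", "finance"}),
        User("carol", {"staff", "finance", "approver"}),  # can raise AND approve
        User("dave", {"staff", "it_admin"}),
    ]
    print(access_review(team, {"payments:approve", "systems:admin"}))
    print("Separation-of-duties violations:", separation_of_duties_violations(team))
```

Two details matter more than the data model. The check is default-deny, so a typo in a permission name or a role that was never defined fails closed rather than open; and offboarding is one call that removes every role, which is what the later point about removing all access when an employee leaves looks like when the access is structured this way.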
It’s also recommended that organisations implement steps to control misuse of the internet. You can do this by:
- Limiting personal use or restricting certain websites during office hours
- Controlling downloads
- Creating guidelines surrounding the use of social networking sites
- Educating employees about safe browsing habits when using company devices even when not at work (if they have a company mobile phone for example)
- Prohibiting the installation of software from unknown sources
- Informing employees that they can only enter into contracts on the company’s behalf if they have permission to do so
- Only allowing online purchases from approved suppliers or by authorised employees
- Removing all access permissions promptly when an employee leaves the company, including shared accounts and any remote access
Monitoring your small business cyber security
As the modern workplace becomes increasingly digitalised and cloud-focused, cyber security monitoring should become a normal process for all businesses. This involves identifying cyber threats and data breaches so that organisations can detect attacks in their infancy and respond to them before they cause too much damage and disruption.
Log files and alerts generated by your systems can provide a vital audit trail to help identify the cause of breaches. They can also be used to detect security incidents or suspicious activity that could lead to an attack.
What exactly is cyber security logging, however? Every activity conducted within your business, from sending an email to logging into a website, generates an event. These events are (or should be) logged so that you have a record of what happened, when, and from where, which is what lets you spot a potential threat and reconstruct an incident afterwards.
Organisations should be monitoring these logs for signs of unauthorised activity. Ideally, logs are forwarded as they are written to a central store that the monitored systems cannot modify, so that if a machine is compromised the attacker can't quietly delete the evidence, and so that suspicious activity can be investigated in one place.
This introduction to logging for security purposes explains everything you need to know including how to implement and retain logs. The NCSC has also released ‘Logging made easy’ which aims to provide a practical way for SMEs to set up basic monitoring.
“Prior to any incident, make sure you do backups and practice recovering from different scenarios such as lost data, ransomware attacks or DDoS attacks.”
Cath Goulding, CISO at Nominet
Earlier, we covered the importance of having a cyber security policy and how to implement one. A monitoring policy will also help to manage risk in your organisation by ensuring that the appropriate controls are in place to secure your systems.
While a cyber security policy focuses on the overall picture, such as identifying risks and how to avoid them, your monitoring policy is designed to detect actual or attempted attacks.
One of the many benefits of security monitoring is that it enables you to identify any wrongdoing or vulnerabilities early on. It also helps organisations with audit compliance, service level monitoring, limiting liability, performance measuring and capacity planning.
Your policy should be set up to monitor:
- Internet traffic
- Email traffic
- Any automated intrusion detection system logs you have
- Firewall logs
- User account logs
- Network scanning logs
- System error logs
- Application logs
- Data backup and recovery logs
- Telephone activity
- Network printer and fax logs
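To make the user-account-log item above concrete, here is an added example (not from the original guide) of the kind of detection logic a basic monitoring setup runs over login logs: it parses OpenSSH-style "Failed password"/"Accepted" lines, raises an alert when one source address fails repeatedly within a short window (password guessing), and raises a second, more serious alert when a login from that same address then succeeds (a guessed or stolen password). The sample log lines are constructed for this example, the addresses are documentation and private ranges, the year is assumed because traditional syslog lines omit it, and the thresholds are arbitrary starting points to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

# Constructed sample of OpenSSH-style login events (not real traffic).
SAMPLE_LOG = """\
Oct 12 09:14:01 fileserver sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 12 09:14:03 fileserver sshd[2233]: Failed password for root from 203.0.113.7 port 51130 ssh2
Oct 12 09:14:05 fileserver sshd[2235]: Failed password for invalid user test from 203.0.113.7 port 51138 ssh2
Oct 12 09:14:08 fileserver sshd[2236]: Failed password for jane from 203.0.113.7 port 51144 ssh2
Oct 12 09:14:11 fileserver sshd[2238]: Failed password for jane from 203.0.113.7 port 51151 ssh2
Oct 12 09:14:15 fileserver sshd[2239]: Failed password for jane from 203.0.113.7 port 51160 ssh2
Oct 12 09:14:20 fileserver sshd[2240]: Accepted password for jane from 203.0.113.7 port 51190 ssh2
Oct 12 09:15:00 fileserver sshd[2250]: Accepted publickey for tom from 192.168.1.20 port 50000 ssh2
Oct 12 09:30:00 fileserver sshd[2260]: Failed password for tom from 192.168.1.21 port 50010 ssh2
Oct 12 09:30:04 fileserver sshd[2261]: Accepted password for tom from 192.168.1.21 port 50012 ssh2
"""

# Matches the two sshd auth outcomes; anything else (disconnects, etc.) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str, year: int = 2020) -> Optional[dict]:
    """Turn one syslog line into an event dict, or None if it isn't a login event.
    The year is assumed because the syslog timestamp doesn't carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, fail_threshold: int = 5, success_after: int = 3,
           window_seconds: int = 120) -> List[dict]:
    """Sliding-window detection over login events, in time order.

    brute_force:            >= fail_threshold failures from one IP inside the window
    success_after_failures: a successful login from an IP with >= success_after
                            recent failures (guessed or stolen credential)
    """
    alerts: List[dict] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> failure times
    already_flagged = set()  # one brute-force alert per IP, not one per attempt
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()  # forget failures that fell out of the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= fail_threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                alerts.append({"rule": "brute_force", "ip": ev["ip"], "host": ev["host"],
                               "failures": len(recent), "time": ev["ts"]})
        elif len(recent) >= success_after:
            alerts.append({"rule": "success_after_failures", "ip": ev["ip"],
                           "user": ev["user"], "host": ev["host"],
                           "failures": len(recent), "time": ev["ts"]})
    return alerts


def run_sample() -> List[dict]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["time"].strftime("%H:%M:%S"), alert["rule"], alert["ip"],
              alert.get("user", ""), f"failures={alert['failures']}")
```

On the sample, the guessing from 203.0.113.7 trips the brute-force rule at the fifth failure, and jane's successful login from that address nine seconds later trips the second rule; tom's single mistyped password does not. The second alert is the one worth waking someone up for, which is why the two rules are kept separate rather than folded into a single "too many failures" count.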
“Identify critical systems and assets. Identify what electronic information is essential to keep your organisation running, such as contact details, emails, calendars, and essential documents.”
NCSC SME Engagement Lead
Another way to monitor the ongoing effectiveness of your cyber security activities is to conduct regular reviews. You can do this in-house or outsource to an independent agency who will be able to analyse your security measures.
One type of assessment you can conduct yourself is a ‘lessons learned review’. By looking back at past successes and failures, you can identify which of your security measures are working, which aren’t, prevent future attacks and leaks, avoid making the same mistakes twice and save yourself a lot of time and money in the long run.
These reviews should include:
- Failures and their consequences
- Trace cause and effect – this will help you understand how certain actions lead to consequences
- Recommendations to improve future activities
For further information on this, here is everything you need to know about holding a lessons learned review.
Responding to a cyber attack
Unfortunately, no matter how many precautions you implement or how careful you are, cyber attacks can still happen.
What should you do if you fall victim to an attack?
1. Contain the breach
Some immediate actions you can take to contain a breach include:
- Disconnect affected systems from the internet
- Disable remote access
- Review your firewall settings
- Isolate affected devices from any neighbouring devices/networks, but where possible don't power them off: what is in memory and which processes are running are evidence that a shutdown destroys
- Change passwords for any account that may have been exposed, doing so from a device you trust rather than one that may still be compromised
- Install any pending security updates or patches once you've preserved the evidence you need, so that patching doesn't overwrite the traces of how the attacker got in
It’s also important to identify which servers, computers, software or systems have been compromised so you can contain them as quickly as possible. You may be able to pinpoint how the attack happened by checking the logs from your firewall, your email provider or your anti-virus software. Collect and keep as much evidence as possible (copies of logs, the phishing email, the malicious file) so you can determine how the breach happened.
2. Restore any lost data
You will hopefully have backed up any important information. Once you’re certain your systems are clean again, restore the data that was lost in the attack from a backup taken before the compromise, and check that what you restore doesn’t bring the malware back with it.
3. Conduct an investigation
An investigation will help you to determine how the attack happened, if there was an employee involved, how it could have been avoided, where there are weaknesses in your prevention policy and which of your security systems needs to be updated.
4. Identify and notify those affected by the breach
One of the many reasons your SME cyber security is so important is because when an attack occurs, it’s not just you who’s compromised. After a breach occurs, you will need to identify everyone who has been affected by it, including employees, customers and third-party vendors, and also consider any legal obligations to notify regulators. Under GDPR, a personal data breach that is likely to result in a risk to people’s rights and freedoms must be reported to the ICO within 72 hours of your becoming aware of it where feasible, and the individuals affected must be told without undue delay where the risk to them is high.
You will also need to determine how severe the breach was and what information was targeted. It is important to have a clear data protection policy in place and a process which can be followed as soon as a breach is identified.
An assessment will be needed on the impact and what notification requirements apply. Although there is some general guidance below, this is an area which your organisation will need to be familiar with in terms of the legal requirements and the ICO website is a good source of information for organisations of all sizes.
Employees will generally need to know if their personal data has been compromised and in order to help protect the organisation, they will also need to do things like change their passwords, be on the lookout for other breaches and attend further training.
You will usually have to notify your customers if their personal information has been compromised. Let them know what has happened, how they’ve been affected, steps they need to take, what you’ve done to fix the problem and how you’re going to prevent future breaches. This is never easy but it’s important to be honest and transparent. Here are some examples of breach notification emails you can send.
5. Manage public relations
Although a breach occurring within a small organisation is unlikely to become public, it’s still a good idea to manage your PR. This is especially the case if customers’ personal data has been compromised and is now in the public domain.
While you may not be on the front page of the paper, affected customers can still post negative comments on social media and review sites.
As well as notifying customers directly, be timely in managing announcements to the public and be accurate, open and honest in the messages given.
It’s a good idea to be extra vigilant with your social media accounts at this time. Angry customers may post on your page, leave bad reviews, have conversations with other affected parties or send you a message asking for further clarification. It’s important that you respond to show you’ve taken the incident seriously and you genuinely care about your customers’ security.
6. Update staff training
We mentioned ‘lessons learned reviews’ earlier and this is a good example of when these should happen. After discovering the cause of the breach, adjust and communicate your security protocols to reduce the risk of the same type of incident occurring again. It’s important for both you and your employees to learn from any mistakes, update your security procedures and prepare for the unexpected.
For further information about avoiding and reporting internet scams and phishing attacks, please head to the gov.uk website.
More helpful resources
While cyber attacks are on the rise, by implementing all the steps and advice in this guide, you can begin to improve your cyber security and put together robust security policies for your business and employees. With secure systems in place and employees who are trained to recognise the signs of a potential attack, your business can continue to thrive in the online world.
Below is some further reading which includes helpful websites where SMEs can find trusted information about cyber security:
- Top tips for staying secure online
- Staying safe online during the COVID-19 outbreak
- 10 top tips for keeping your business safe online
- Cyber security advice for SMEs
- Learn more about data protection and GDPR on the ICO website
The information in this guide is for general guidance about cyber security good practice only and is not legal advice.
We have tried to ensure that this guidance is accurate and relevant as at October 2020. However, Nominet UK does not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or failure to use any information contained in this guidance.