In all stages of business development, from new start-ups to established businesses getting online for the first time, it’s vital to plan and put in place the basic steps to keep your business and customers safe online. With ever-increasing threats to online security your business needs to stay secure, but it can be daunting to know where to start and what you need to do. Here are 10 steps that you can follow to keep your business secure online.
Step One: Managing Risk
It’s helpful to think of cyber security as a continuous process, as threats to your business are constantly evolving with technology. These ten steps should be used repeatedly to keep your business secure. To begin you’ll need to invest time to plan and consider three key areas: what are your assets? What are the risks to your business? And what do you need to be doing about those risks? Advice for managing risk can be found in our cyber security guide for small and micro businesses.
Step Two: Passwords
Passwords keep your vital and confidential business information secure. It can be tempting to use the same password across multiple accounts, but doing so can put your business at risk. We advise you change your passwords at least every six months (don’t worry, there are password management services available to help you remember them all!). How can you make a strong password? Here are five tips:
1. Passwords should contain a minimum of 8 characters.
2. Avoid common passwords such as ‘password1234’.
3. Don’t use a number sequence (1234) or repeated numbers (1111).
4. Think of a passphrase rather than a single word, for example ‘I love green apples’ is more secure than a single word.
5. Use a mixture of uppercase letters, symbols and numbers, for example ‘I love green apples’ could become ‘i10v3gr33[email protected]’.
It’s important that you create password guidelines based on the above and include them in your security policy so they can be circulated to everyone in your business.
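To make the five tips something that can be checked before a password is accepted, here is an added Python example (not code from the original article): a checker for tips 1, 2, 3 and 5, plus a helper that applies the tip 4 and tip 5 idea of turning a passphrase into a substituted password. The common-password list and the substitution table are constructed assumptions, and tip 5 is read as "at least three of the four character classes".

```python
# Small constructed list standing in for a common/breached-password list
# (assumption: a real deployment would load a much larger list).
COMMON_PASSWORDS = {"password", "password1234", "123456", "qwerty", "letmein"}

# Substitutions assumed here to illustrate tip 5; not a standard table.
LEET = str.maketrans({"o": "0", "e": "3", "l": "1", "a": "@", "s": "5"})


def has_digit_run(pw: str, length: int = 4) -> bool:
    """Tip 3: True if pw contains an ascending/descending digit sequence
    (1234, 4321) or the same digit repeated `length` times (1111)."""
    digits = "0123456789"
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        if not chunk.isdigit():
            continue
        if chunk in digits or chunk in digits[::-1] or len(set(chunk)) == 1:
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the article's tips that `pw` fails; an empty list means it passes."""
    failures = []
    if len(pw) < 8:
        failures.append("tip 1: fewer than 8 characters")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("tip 2: common password")
    if has_digit_run(pw):
        failures.append("tip 3: number sequence or repeated digits")
    # Tip 5 read as: at least three of lower/upper/digit/symbol present
    # (assumption; the article's own example contains no uppercase letter).
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < 3:
        failures.append("tip 5: needs a mix of letters, numbers and symbols")
    return failures


def passphrase_to_password(phrase: str) -> str:
    """Tips 4 and 5: lower-case a multi-word passphrase, drop the spaces and
    apply the assumed substitution table."""
    return phrase.lower().replace(" ", "").translate(LEET)
```

Cracking tools try these letter-for-symbol substitutions routinely, so the length of the underlying phrase, not the substitution, is what adds real strength; a long passphrase with spaces passes the checker on its own.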
Step Three: Preventing Viruses
Although computer viruses aren’t new, they are becoming much more sophisticated, and regardless of the size of your business you are vulnerable to attacks. One of the key steps to becoming secure online is to understand how your business could get infected with a virus; some examples include:
• If attachments on suspicious emails are opened.
• If links are clicked on from suspicious emails.
• If files (usually free) are downloaded from untrusted sources.
• If pop-ups are clicked on or accepted when using the internet.
• If USB memory sticks from third parties are connected to computers.
There are some simple steps you can take to protect your business against viruses, such as installing trusted antivirus software and ensuring a firewall is active. Top Tip: read customer reviews of antivirus software to help assess what’s good (and what’s not). Following your gut instinct is also important: if you’re not sure whether you should open an email or click on a link, the short answer is don’t!
Step Four: Security Settings
Regardless of whether you are using a Mac or Windows computer, it’s important to ensure all your software is up to date, including updating any trusted programmes as soon as you’re prompted to do so. Also consider how you protect your business equipment and whether it is as secure as it can be: do you have all serial/asset numbers for your computers? And are you backing up your data regularly? Alongside securing your equipment you need to ensure you’re securing how you use it, such as having the latest web browser, activating the pop-up blocker, encrypting confidential data and using reputable domain name providers/hosting companies.
Step Five: Browsing and Sharing Safely
As part of a small business you’ll most likely find yourself out of the office at some point, whether you’re meeting clients or fitting personal commitments into your schedule, and this will involve working from multiple locations. In these situations, public Wi-Fi can be invaluable (especially if it’s free), but it is public, so other users could potentially intercept what you’re doing. If you’re sharing documents and data, it’s important you encrypt all personal and confidential information you send so that only authorised parties can access the data. You may also choose to use cloud services to host your files. These are cheap and convenient, as the information then does not sit on your machine. You could have a look at services offered by Google, Dropbox or Microsoft OneDrive, but you may have to pay for some security features. Browsers are also pretty good at warning us when something is suspicious, so do pay attention when they do.
Step Six: Securing Your Own Equipment
If you are using your own personal equipment, such as your phone, for business activities, there are steps you and all your employees should follow to stay secure when using personal devices; here are some examples:
• Check all company files are protected and encrypted where necessary.
• Only use personal devices when running official operating systems.
• Set a passcode or ensure biometrics (fingerprint or iris scanner) are set up on all devices.
• Consider installing mobile antivirus software.
• Ensure all passwords and permissions are changed when an employee leaves the business.
• Enable remote wiping and search tools in case a device gets lost.
Step Seven: Peripherals
Portable devices, such as USB memory sticks or hard drives, have their uses to effectively store and transfer business information but they also have their drawbacks – particularly as they’re susceptible to picking up viruses. Are these devices valuable to your business? If they’re fundamental to the running of your business you’ll need to encrypt the data on them to help ensure confidentiality. Some devices have their own encryption. If this is not the case you can always use encryption software such as PGP or VeraCrypt.
Step Eight: Training
If you have employees, making sure they’re trained and have up to date knowledge of security policies is vital. Good security training should cover all bases and set out clear codes of practice, for example:
• Identifying and listing all potential cyber threats.
• Identifying and outlining the main risk areas.
• Explaining the consequences should security be breached.
• Establishing controls, including what is currently being done and what procedures are in place.
• Establishing staff roles and responsibilities.
• Covering all legal issues and criteria that might apply to your business so employees are aware how important it is they comply.
Step Nine: Monitoring
As mentioned, cyber security is a process, and you’ll need to schedule some time to regularly check your logs to make sure important systems are performing as they should be. Security software can detect and record suspicious activity, so monitoring the platform on a regular basis is vital. It’s also good to get into a routine of checking the logs for your operating systems and email accounts; these will provide you with insight into who is accessing them and what their activity is.
Step Ten: Managing Security Incidents
If a security incident does occur you might have to roll back your software, so it’s essential that you run regular backups. Not only will this protect data from loss, but you could also be meeting your legal obligations. Backups simply mean copying your information over to another location so you have a copy. They are crucial to secure your business information and safeguard against human error, theft and damage.
Unfortunately, there are a number of things employees can do to cause a security breach, so creating a clear policy outlining how employees can use the internet will definitely help. This way, if a breach does occur you’ll have the documentation to help take disciplinary action against employees if necessary, or to defend your business against harmful activity.
For further advice on how you can keep your business secure, download our guide for micro and small businesses.
Cath Goulding is Head of Information Security at Nominet UK and a Board member of the Women’s Security Society. Cath Goulding has over 15 years’ experience in the cyber security profession, having worked for both UK Government and the private sector. A thought leader in her field, she frequently speaks at security and internet conferences and has provided articles and comments for multiple publications. Her career was recently profiled in the Financial Times and she was interviewed by BBC World promoting women into the IT profession. She also won Women in IT Security Champion of the Year in 2015.