The cyber threat environment is more complex than ever before, and if you’re a small or medium-sized enterprise (SME), there’s a 1 in 2 chance you’ll experience a cyber security breach at some point. That’s why your cyber security checklist is so crucial.
While there are some scary statistics (80% of SMEs don't think they are a target for cybercriminals, 60% of SMEs were attacked in 2020, costing up to £210,000, and 89% of SMEs that suffered a GDPR data breach lost clients), cyber security shouldn't be a daunting challenge for small business owners.
We provide you with an SME cyber security checklist that covers the five key areas you need to address. These easy checks could save your business time, money, and reputation. Whilst this guide can't guarantee protection against all types of cyber-attack, attention to the areas we have outlined can significantly reduce the chances of your business becoming a victim of cybercrime.
The 5 elements we cover are:
- Data backup
- Malware protection
- Device security
- Password best practices
- Phishing protection
Back up your data – Is your data secure and backed up?
Identify what data you need to back up
Your cyber security checklist needs to include data backup. 60% of businesses shut down within 6 months of data loss, so you need to identify which data is crucial for business continuity.
Keep your backup separate from your computer
Access to backups should be carefully restricted so that they are not accessible by staff who don't need them, and they should not be permanently connected to the device holding the original copy.
Consider the cloud
Using cloud storage means your data is physically separate from your location. As a result, you will also benefit from a high level of availability and can recover data quickly should the worst-case scenario occur.
Make backing up part of your everyday business
The majority of network or cloud solutions now allow you to make backups automatically. Many off-the-shelf backup products are easy to set up, affordable, and safe. When selecting a solution, you will also have to consider how much data you need to back up and how quickly you would need it back following an incident.
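The four backup steps above (identify what matters, keep the copy separate, automate it, and know how quickly you can get it back) are easier to trust when the backup is verified rather than assumed. The following is an added example, not code from the original post or a Netitude product: it archives a source folder to a separate destination, records a SHA-256 manifest in the same format `sha256sum -c` understands, and then checks the archive against that manifest so a silently corrupted or incomplete backup is caught before you need it. The directory names and the timestamped file names are assumptions for the demo.

```python
"""
Added example: versioned backup with integrity verification.
Assumes the files to protect live under one source directory and that the
destination is a separate location (external drive or a synced cloud folder).
"""
import hashlib
import sys
import tarfile
import time
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large files don't load into RAM


def sha256_file(path):
    """SHA-256 hex digest of one file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map every file's relative POSIX path under src_dir to its digest."""
    src = Path(src_dir)
    return {
        p.relative_to(src).as_posix(): sha256_file(p)
        for p in sorted(src.rglob("*"))
        if p.is_file()
    }


def create_backup(src_dir, dest_dir, stamp=None):
    """Write a timestamped tar.gz plus a sha256sum-style manifest to dest_dir.

    Returns (archive_path, manifest_path). A new stamp per run keeps older
    backups intact instead of overwriting the only copy.
    """
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = build_manifest(src_dir)
    archive = dest / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(src_dir) / rel, arcname=rel)
    manifest_path = dest / f"backup-{stamp}.sha256"
    with open(manifest_path, "w") as f:
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")  # same layout as `sha256sum`
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Re-hash every archive member in memory and compare with the manifest.

    Returns a list of problems ('corrupt: ...', 'missing: ...', 'unexpected: ...');
    an empty list means the archive restores exactly what was recorded.
    """
    expected = {}
    with open(manifest_path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    problems, seen = [], set()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            actual = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if member.name not in expected:
                problems.append(f"unexpected: {member.name}")
            elif actual != expected[member.name]:
                problems.append(f"corrupt: {member.name}")
    for rel in expected:
        if rel not in seen:
            problems.append(f"missing: {rel}")
    return problems


if __name__ == "__main__":
    # Usage: python backup_check.py <source_dir> <backup_dir>
    src, dst = sys.argv[1], sys.argv[2]
    archive, manifest = create_backup(src, dst)
    issues = verify_backup(archive, manifest)
    print(f"wrote {archive}; verification: {issues or 'OK'}")
```

Run it on a schedule (cron, Task Scheduler, or your cloud tool's job runner) and alert on a non-empty problem list. The verify step is the part most backup setups skip; restoring from a copy that was never checked is how the "60% shut down after data loss" figure happens.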
Protecting your organisation from malware
Install (and turn on) antivirus software
Antivirus software should be used on all desktops and laptops. However, smartphones and tablets might require a different approach.
Prevent staff from downloading dodgy apps
You should only download apps from manufacturer-approved stores, such as Google Play or Apple App Store. These apps are checked to provide a certain level of protection from malware. It would be best if you also prevented staff from downloading third-party apps from unknown vendors.
Keep all your IT equipment up to date (patching)
For all your IT equipment, ensure that software and firmware are constantly updated with the latest versions. Applying these updates is one of the most important things you can do to improve your security.
Switch on your firewall
Firewalls create a 'buffer zone' between your network and external networks. Most popular operating systems now include a firewall, so it may be a simple case of switching it on.
Keep your tablets and smartphones safe
Switch on password protection
A complex password or PIN will prevent the average criminal from accessing your device. Although most phones and tablets now have facial recognition or fingerprint recognition, these features are not always enabled 'out of the box', so you should always check that they have been switched on.
Keep your device up to date
The vendors of all major platforms, such as Windows, Android and iOS, release regular updates that contain critical security fixes to keep your device protected. Make sure your staff know how important these updates are and explain how to install them. Also, be aware that updates stop being released once a product reaches end of life, at which point you should consider replacing it with a more up-to-date alternative.
Make sure lost or stolen devices can be tracked or locked
Staff are more likely to have their devices stolen or lose them when they are away from the office. Fortunately, most devices include free web-based tools that are invaluable: you can use them to track the device's location, remotely lock access, remotely erase the data, and retrieve a backup of data stored on the device. You should also try to use MDM (Mobile Device Management) software.
Keep your apps up to date
Like the operating systems on your devices, all apps you have installed should be regularly updated. Updates not only fix security holes, they also add new features.
Don't connect to unknown Wi-Fi hotspots
When in a café or hotel, for example, if you use a Wi-Fi hotspot, there is no easy way to find out who controls the hotspot. If you connect to one, someone could access what you are working on while connected, as well as any private login credentials that many apps and web services maintain whilst you are logged in. The safest precaution is to use your device's 3G or 4G network. You could also use a VPN (Virtual Private Network), a system that encrypts your data before sending it across the internet. You should only use VPNs provided by reputable service providers.
Using passwords to protect your data
Switch on password protection
Password protection isn't just for smartphones and tablets. First, ensure your office equipment such as PCs and laptops all use an encryption product such as BitLocker for Windows. Most modern devices have encryption built in but will most likely still need it turned on. Next, set a screen lock password, PIN, or other authentication method (face ID or thumbprint). Using either of these methods, you will be entering a password less frequently, so consider setting a longer, more complex password that is harder to guess.
Use two-factor authentication for important accounts
Two-factor authentication (2FA) can be a bit of a pain, and it's easy to understand why some people are against it: it's another thing to have to think about. However, if you are given the option to use it for any of your accounts, you should do so. The main reason is that it adds a large amount of security for not that much effort. 2FA requires two different methods to 'prove' your identity, usually a password and one other approach, most commonly a code sent to your smartphone, which you must then enter in addition to your password.
Not sure how Two-factor authentication works? Read our blog post titled "What is Multi-factor authentication"
Avoid using predictable passwords
Make sure staff are given actionable information on setting passwords that are easy for them to understand. For example, a good rule when creating your password is 'make sure that someone who knows you well couldn't guess your password in 20 attempts'.
Help staff with 'password overload'
Your staff will have dozens of passwords to remember both inside and outside of work, so only enforce password access to a service if it's essential. Consider using password managers to create and store all your passwords behind a single 'master password'. Make sure that master password is STRONG.
Change all default passwords
One of the most common mistakes people make is not changing the default password that a product comes with. Change all default passwords before devices are distributed to staff. It is also advisable to regularly check software and devices specifically to identify unchanged default passwords.
Avoiding phishing attacks
Configure accounts to reduce the impact of successful attacks
You should configure all your staff accounts in advance using the principle of 'least privilege'. This is essentially giving staff the lowest level of user rights required for them to perform their jobs. That way, if a phishing attack occurs, the potential damage is reduced. To further reduce the risk posed by malware, ensure your staff don't browse the web or check emails from an account with administrator privileges. Another tip here is to use 2FA (mentioned in the previous section).
Think about how you operate
Think about the ways someone might target your organisation. Common tricks include sending an invoice for a service that you haven't used; when the attachment is opened, malware is automatically installed (without your knowledge). Another trick is to manipulate staff into transferring money or information by sending emails that look authentic.
Check for the obvious signs of phishing
It's an impossible task to expect your staff to identify and delete all phishing emails. However, many phishing emails still fit the mould of a traditional attack, so here are a few warning signs to look out for. As many originate from overseas, spelling, grammar, and punctuation are often poor. Others will try to create official-looking emails by including logos, so ask whether the design and quality are what you would expect from a large organisation. Is it addressed to you by name? Emails addressed to 'valued customer' or 'friend' can signify that the sender does not know you. Look out for emails that appear to come from a high-ranking person in your organisation requesting that a payment be made to a particular bank or account. Does it ask you to act 'urgently' or 'within 24 hours'? Other warning phrases include 'have you been a victim of cybercrime' or 'click here immediately'.
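The tricks described under "Think about how you operate" and the warning signs listed just above can be turned into a simple first-pass filter, which is useful both for mail triage and for showing staff what the signs look like on a real message. The following is an added example, not code from the original post or a Netitude product: it scores constructed sample emails against the signs named on this page (executive name on an outside address, lookalike domain, generic greeting, urgency, payment request, and an 'invoice' carrying a risky attachment). The organisation domain `example-sme.co.uk`, the staff names, the phrase lists and the quarantine threshold are assumptions for the demo.

```python
"""
Added example: rule-based triage of the phishing warning signs on this page.
Everything below (domain, staff directory, phrase lists, samples) is constructed.
"""
import re

OUR_DOMAIN = "example-sme.co.uk"              # assumed organisation domain
EXECUTIVES = {"jane smith", "tom brown"}       # assumed internal staff directory
URGENCY = ("urgently", "urgent", "within 24 hours", "immediately", "click here")
GENERIC = ("valued customer", "dear customer", "dear friend", "dear user")
PAYMENT = ("bank account", "transfer", "payment", "account details")
RISKY_EXT = (".exe", ".zip", ".js", ".docm", ".xlsm", ".iso")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def parse_from(header: str):
    """Split 'Jane Smith <jane@x.com>' into ('jane smith', 'jane@x.com')."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()


def phishing_indicators(email: dict) -> list:
    """Return the warning signs present in one email.

    `email` has 'from', 'subject', 'body' and 'attachments' (file names).
    """
    signs = []
    name, addr = parse_from(email["from"])
    sender_domain = addr.rsplit("@", 1)[-1]
    text = (email["subject"] + "\n" + email["body"]).lower()

    # 1. A known executive's name, but the address is outside our domain
    if name in EXECUTIVES and sender_domain != OUR_DOMAIN:
        signs.append("executive name from external address")

    # 2. Lookalike domain: carries our brand but is not our domain
    brand = OUR_DOMAIN.split(".")[0]
    candidates = {sender_domain} | {d.lower() for d in URL_RE.findall(email["body"])}
    for dom in sorted(candidates):
        if brand in dom and dom != OUR_DOMAIN and not dom.endswith("." + OUR_DOMAIN):
            signs.append(f"lookalike domain {dom}")

    # 3. Generic greeting: the sender does not know the recipient
    body_lines = email["body"].strip().splitlines()
    first_line = body_lines[0].lower() if body_lines else ""
    if any(g in first_line for g in GENERIC):
        signs.append("generic greeting")

    # 4. Pressure to act now
    if any(u in text for u in URGENCY):
        signs.append("urgency language")

    # 5. Request to move money or share bank details (the CEO-fraud pattern)
    if any(p in text for p in PAYMENT):
        signs.append("payment or bank-detail request")

    # 6. Unsolicited 'invoice' with an executable-type attachment
    risky = [a for a in email.get("attachments", []) if a.lower().endswith(RISKY_EXT)]
    if risky and "invoice" in text:
        signs.append(f"invoice with risky attachment {risky[0]}")
    return signs


def triage(email: dict, threshold: int = 2):
    """Label an email 'quarantine' at or above `threshold` signs, else 'deliver'."""
    signs = phishing_indicators(email)
    return ("quarantine" if len(signs) >= threshold else "deliver"), signs


# Constructed samples: one message showing every sign, one ordinary internal mail.
SAMPLE_PHISH = {
    "from": "Jane Smith <jane.smith.ceo@mail-example.net>",
    "subject": "Urgent payment required",
    "body": ("Dear valued customer,\n\nPlease see the attached invoice and transfer the "
             "balance to the new bank account within 24 hours.\n"
             "Confirm at http://example-sme-secure.net/login\n"),
    "attachments": ["invoice_4471.zip"],
}
SAMPLE_LEGIT = {
    "from": "Tom Brown <tom.brown@example-sme.co.uk>",
    "subject": "Minutes from Monday",
    "body": "Hi Alex,\n\nAttached are the minutes from Monday's meeting.\n",
    "attachments": ["minutes.pdf"],
}

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        label, signs = triage(sample)
        print(sample["subject"], "->", label, signs)
```

Treat the output as a prompt for a human, not a verdict: a well-crafted message can show none of these signs, which is why the page's advice to report rather than punish matters more than any filter. The executive-name check in particular needs a current staff list to be useful, so tie it to your directory rather than a hard-coded set.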
Report all attacks
Ensure your staff are encouraged to ask for help if they think they may have been targeted by a phishing attack. Do not punish the team if they get caught out, as it will likely discourage others from reporting in the future. If you believe that your business has been a victim of online fraud, scams, or extortion, you should report this via the Action Fraud website. If you're in Scotland, contact Police Scotland on 101.
Keep up to date with attackers
It's worth keeping on top of the techniques used by attackers as they are always trying different attack methods. Consider signing up for the free Action Fraud Alert Service to receive direct and verified information regarding scams and fraud in your area.
Don't leave the accountability and responsibility for cybersecurity with a single person in your organisation. Every team member (including board members) needs enough knowledge to understand how cybersecurity impacts their area of focus.
Cover all security bases with Netitude
Netitude's Managed Services are designed to take the cyber security burden away from you and increase your employees' security awareness. We offer comprehensive security services designed to help businesses stay protected and compliant at all times:
- Managed cyber security
- Cyber Essentials
- Cyber Essentials Plus
- Cyber security audit
- Backup and disaster recovery
If you’re interested in learning more, get in touch with a member of the Netitude team today!