Jeremy Swinfen Green, Head of Training and Consultancy at Teiss, offers some very practical advice to small organisations that want to keep cyber safe.
Good cyber security doesn’t need to be difficult. And it doesn’t need to be expensive. But it does require some attention to detail.
There is a great deal that any organisation, even a small one, can do to keep safe. And it can do this without breaking the bank or spending all day managing software tools.
13 tips for cyber security
Here are 13 things you should be considering.
Use Strong Passwords
Make sure you and your staff use strong passwords. A strong password is far, far better than a weak password that is changed regularly. You should have a different password for each account you log on to. Sounds difficult? Here’s how.
Choose a series of random words and numbers. Use a phrase you can remember that contains eight to ten words such as “I was attacked by 1 small green pickle yesterday” (thanks Rick and Morty).
Use the initial letters of each word in the phrase to create a base password: “Iwab1sgpy”.
Customise the password for each account. Do this by taking 3 or 4 letters from the name of the account. So for a Microsoft login you might use “Micr”. Disguise the account by using a keyboard shift – swap each letter for the letter that is 1 space to its left on the keyboard to get “nuxe”. Add that to the base password to get “Iwab1sgpynuxe” or “nuxeIwab1sgpy” or even “Inuxewab1sgpy” (It’s up to you what you do so long as you can remember what the rule is!)
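The three steps above are a small, deterministic procedure, so here is an added worked example that carries them out in code. It is not code from the article or from Teiss; it assumes a UK/US QWERTY layout (the rows are constructed here, the article only gives “Micr” → “nuxe”), and it assumes that a key at the left end of a row wraps round to the right end, which the article does not say what to do about. The function names (base_password, shift_left, account_token, customise) are this example’s own.

```python
"""Added worked example of the phrase-based password scheme described above.
Not the article's code. Assumptions: QWERTY layout; left-end keys wrap round."""

# Constructed QWERTY rows (assumption: standard UK/US layout).
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def base_password(phrase: str) -> str:
    """Step 2: the initial character of each word, keeping case and digits."""
    return "".join(word[0] for word in phrase.split())


def shift_left(text: str) -> str:
    """Step 3: replace each letter or digit with the key one position to its left.
    Characters that are not on the rows above (punctuation, spaces) are kept as-is."""
    out = []
    for ch in text.lower():
        for row in QWERTY_ROWS:
            if ch in row:
                # index -1 wraps the leftmost key round to the end of the row (assumption)
                out.append(row[row.index(ch) - 1])
                break
        else:
            out.append(ch)
    return "".join(out)


def account_token(account: str, length: int = 4) -> str:
    """Disguised account fragment: the first `length` letters of the account name, shifted."""
    letters = "".join(c for c in account if c.isalpha())[:length]
    return shift_left(letters)


def customise(base: str, account: str, placement: str = "suffix") -> str:
    """Combine base and disguised token in one of the placements the article lists."""
    token = account_token(account)
    if placement == "suffix":          # "Iwab1sgpynuxe"
        return base + token
    if placement == "prefix":          # "nuxeIwab1sgpy"
        return token + base
    if placement == "after_first":     # "Inuxewab1sgpy": token goes after the first character
        return base[0] + token + base[1:]
    raise ValueError(f"unknown placement: {placement}")


if __name__ == "__main__":
    base = base_password("I was attacked by 1 small green pickle yesterday")
    print(base)  # Iwab1sgpy
    for place in ("suffix", "prefix", "after_first"):
        print(place, customise(base, "Microsoft", place))
```

One caveat a practitioner would add: every password produced this way shares the same base, so if one of them is exposed (for example in a breach of one site) the rule behind the others becomes guessable. The scheme is a memorable step up from reusing one password; a password manager that generates an unrelated random password per account is the stronger option where the organisation can adopt one.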
Use Two Factor Authentication
Many accounts offer the opportunity to use two factor authentication (2FA) when you log in. With 2FA, as well as your password, you need to input a code that the site sends you. This will typically be to your mobile phone. That way, even if someone has your password (perhaps because they have hacked the site) they can’t access your account unless they have also stolen your phone.
Lock up your devices
It shouldn’t be necessary to say it, but lock any devices you use to store company information. Use a password on your phone and tablet as well as on your laptop. And ideally use software that will allow the data to be wiped remotely if you do lose the device.
Separate admin and everyday accounts
Set up admin accounts that allow software on computers to be updated. Then set up guest accounts that don’t. Use the guest accounts on a day-to-day basis. That way, if your computer does get infected by some malware there is less chance of damage to the data on your machine.
Use security software
Security software will provide you with a firewall to prevent people from using your connection to the web to gain access to your computer. It will also provide you with antivirus software to screen out at least some of the malicious software that is so prevalent on the internet or in email attachments. Some also provide you with warnings if you are thinking of visiting a dodgy website.
If you are taking security seriously it’s best to pay for a security package from a company like Norton or McAfee. But if budget is an issue, then you don’t need to pay. There are many excellent free security packages. MoneySavingExpert has a link to some.
Keep software up to date
Software is updated regularly to add new features. But it is also updated as security flaws are discovered. So make sure that any software (and not just the software you use most often) is kept up to date (“patched”).
Public Wi-Fi and VPN
Be very aware of the risks of using public Wi-Fi. Set your devices so that they don’t connect automatically to the nearest Wi-Fi (which may be provided by an obliging criminal). And never do anything confidential, such as banking or logging in to your company network, over public Wi-Fi. If you have to then make sure you use a “Virtual Private Network” (VPN). Again, there are good free versions as well as ones that you can pay for.
Manage employee accounts
Manage the information your employees can access. You should do this on a “least privilege” basis by allowing people access only to information they need rather than by forbidding them access to information (like your HR and Finance files) you don’t want them to see.
And do make sure when people leave that their access to your account (including your social media accounts) is terminated.
Back up data
You will of course have heard of ransomware. It is unlikely to affect you if you have good security software in place. But it might, so you need to be prepared. And being prepared means having a back-up of your data. Make back-ups as a matter of course. You can automate back-ups and store them on a separate server or in the cloud.
But take care – back-ups that are connected to your network could get infected by the same ransomware that affects your network. So, at least once a week, take a separate back-up on a drive which is then disconnected from your network and (just in case your office floods) take it home with you. (And remember to protect the data on it by locking it with a password.)
Anticipate DDoS attacks
If you are reliant on your website for trading then you need to take steps to stop criminals and vandals flooding it with traffic as a way of causing you harm.
As a small business there isn’t much you can do about this traffic. But you can make sure your website is hosted in a place that is reasonably resilient to a sudden peak in traffic. A server in your office probably isn’t. A server owned by a large commercial specialist such as Amazon Web Services probably is.
Watch out for “Autorun” and “Autoplay”
The Autorun and Autoplay features of Windows are a bit of a problem. They control what happens when external devices like USB sticks are inserted into your computer. Most of the time, this is a convenient function as it means that programs get started once you put a disk or USB stick in your computer.
But if that disk or USB stick contains malware then the malware gets started along with the programme you are trying to use. Ideally then you will disable Autorun as this will give you some protection.
Only some, mind. It is never a good idea to put a strange USB stick or disk in your computer, even if you have Autoplay turned off.
Physical security
Physical security is an important part of cyber security. Not just because you don’t want strangers off the street walking away with your laptops and smartphones.
But also because a stranger in your office could download malicious software to your network, upload your secret data or install bugs and key-logging software somewhere in your office.
Allow physical security to become lax and a sneak thief taking someone’s handbag could be the least of your problems.
Social media
Almost everybody uses social media. And most people are unaware of the risks this poses. It’s not just that social media sites are frequently riddled with malware. It’s also because unwary posts about work activities may well accidentally result in secret information being leaked.
There is a simple rule here. Make sure everyone knows that they shouldn’t say who they work for or mention their work at all on social media, except perhaps on LinkedIn. And if you do allow people to mention where they work on LinkedIn make sure that they take care with what they post.
Keeping 100% secure
Nothing will keep you 100% safe. Even large organisations can get hacked, especially when determined hackers such as national governments, vengeful insiders or organised crime are involved.
Using the 13 tips we have given you will keep you pretty safe most of the time. But there is one more thing that you can do to reduce your risk of being hacked. Educate your staff. If they know why cyber security is important, if they know what they personally can do to keep your organisation secure, and if they are willing to help (don’t assume they will be!) you will have done all you reasonably can to keep your organisation and your employees cyber safe.
Jeremy Swinfen Green is Head of Training and Consulting at Teiss. He has worked as a digital strategist for over 20 years. His latest book The weakest link (Bloomsbury Press, 2016) explains why employees are a threat to cyber security.
Follow him on Twitter @mosocoLondon and @jswinfengreen