The Quick and Simple Guide to Small Business Cyber Security
It happens every day: an employee clicks on a benign-looking link in an email, infects the company’s computer network, and threatens the entire business. Yet many small businesses continue to bury their heads in the sand when it comes to cyber security. According to insurance provider Hiscox, a small business in the UK is successfully hacked every 19 seconds, with an average cost of £25,700 to resolve. Many are unable to survive the financial hit and loss of confidence in their brand and go under.
“Over the years my team has helped countless small and larger businesses recover from devastating cyber security attacks,” says Intersys MD Matthew Geyman. “In so many cases there were no security protocols in place at all, often because they didn’t believe it would happen to them.”
Yet, some smaller businesses can’t – or let’s be honest, won’t – invest in comprehensive cyber security services. Recently the National Cyber Security Centre (NCSC), part of GCHQ, published advice to help individuals and small businesses stay safe online.
“When it comes to small business cyber security, we have to be realistic,” says Matthew. “Some businesses will want to take care of their own cyber security needs and will be content with a ‘good enough’ setup. This is why I’m pleased to see that the National Cyber Security Centre has hit upon a succinct list of simple and effective ways for small businesses to protect themselves.”
The six key actions recommended by the NCSC are:
- Use a strong and separate password for your email
- Create strong passwords using three random words
- Save your passwords in your browser
- Turn on two-factor authentication (2FA)
- Update your devices
- Back up your data
Before moving on, we should reiterate that GCHQ’s advice is a pragmatic approach: some businesses are doing very little in terms of cyber security and for them these recommendations are a step up. However, if you take your business’s cyber security seriously (and you definitely should), a more robust approach across the board is recommended.
Let’s take a look at these suggestions in a bit more detail.
Six Simple Steps for Small Business Cyber Security
1. Create a strong, unique password for your email account
Your email account is one of the most important accounts you have, and it must be secure. If an attacker gains access to it, they effectively hold the keys to every other account linked to that email address. Most online services ask users to sign up with an email address and rely on it to deliver password-reset links and other sensitive messages. Once inside your mailbox, an attacker can search it for service registrations, trigger password resets and take over those accounts one by one. “If you don’t use unique passwords for each of your accounts, make an exception for this one,” advises Matthew.
2. Use three random words when creating new passwords
Many of us are aware that the safest passwords are lengthy strings of random upper and lowercase letters, symbols and numbers generated by password managers. But let’s be honest – an awful lot of people simply don’t take this approach and create their own passwords. These are inevitably weaker than those created by password managers, partly because they are often based on common words or expressions.
GCHQ suggests a simple way to make these self-created passwords more robust: choose three random words, such as picturewindowjupiter.
While Matthew agrees with the spirit of this advice, there are certain caveats. He says, “This may be useful for people who create easily guessable or crackable passwords based on common expressions – anything that will increase security is a good thing. However, in these cases, I would use not three but four random words, as GCHQ advised in an earlier post. This will make the password somewhat harder to crack. Most importantly, I would only use this method for creating passwords for lower-value, lower-risk data. You are almost certainly going to want to use more robust methods for sensitive information and for your business. Is this suitable for an enterprise? Categorically not.”
These robust methods include using a password manager. Ideally, you would use a password manager along with two-factor authentication, which is discussed in point 4 below.
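To put numbers behind the three-versus-four-word comparison, here is an added example that is not part of the original article or Intersys’s own tooling. It generates a passphrase from a wordlist with a cryptographically secure random choice and works out how many bits of guessing resistance each scheme gives, assuming the attacker knows the wordlist (so only the list size and word count matter). The short wordlist in the block is constructed for illustration; the 7,776-word figure is the size of the EFF long wordlist, and the guessing rate of ten billion attempts per second is an assumed offline cracking speed against a fast, unsalted hash.

```python
import math
import secrets

# Constructed sample wordlist for illustration only. A real generator should
# load a large published list (the EFF long list has 7,776 entries); the
# three words from the article are included so the output looks familiar.
SAMPLE_WORDS = [
    "picture", "window", "jupiter", "kettle", "harbour", "violet", "saddle",
    "orbit", "timber", "falcon", "meadow", "lantern", "cobalt", "ripple",
    "granite", "pepper",
]

EFF_LONG_LIST_SIZE = 7776          # words in the EFF long wordlist
PRINTABLE_ASCII = 94               # symbols a password manager picks from
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption: offline attack on a fast hash


def passphrase(words, count, separator=""):
    """Join `count` words chosen uniformly at random with the OS CSPRNG.

    secrets.choice is used rather than random.choice: the latter is a
    predictable PRNG and must never be used for credentials.
    """
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty wordlist")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy of `count` words drawn from a list of `list_size` words.

    Each word contributes log2(list_size) bits; the separator, being fixed
    and known, adds nothing.
    """
    return count * math.log2(list_size)


def random_password_entropy_bits(alphabet_size, length):
    """Entropy of a password-manager string of `length` random symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find the secret: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_schemes(guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Return {scheme name: (entropy bits, expected crack time in seconds)}."""
    schemes = {
        "three random words": passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 3),
        "four random words": passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "16 random printable characters":
            random_password_entropy_bits(PRINTABLE_ASCII, 16),
    }
    return {
        name: (bits, expected_crack_seconds(bits, guesses_per_second))
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    print("sample passphrase:", passphrase(SAMPLE_WORDS, 4, "-"))
    for name, (bits, seconds) in compare_schemes().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{seconds / 86400:.3g} days")
```

Run as-is, the comparison shows why the caveat above matters: three words from a 7,776-word list give roughly 39 bits, which an offline attacker at the assumed rate exhausts in under a minute; a fourth word adds about 13 bits and pushes that to around two days; a 16-character password-manager string sits near 105 bits and is out of reach. Online guessing against a rate-limited login is far slower than the assumed rate, which is why the three-word scheme remains a worthwhile step up from a single dictionary word or a reused password.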
3. Use your browser to save your passwords
Whether you use Chrome, Firefox, Microsoft Edge or Safari, your browser can store your passwords for you, so that you don’t have to remember countless different ones. This is a much more secure approach than simply reusing the same four or five passwords across multiple accounts, because a breach of one site then no longer unlocks the others. Bear in mind that saved passwords are only as safe as the device login and the account the browser syncs them to, so protect both with a strong password and 2FA. It’s quick and simple to do. Below are links for saving passwords in these common web browsers.
While this advice is better than reusing passwords across multiple sites, the best solution for most organisations is a dedicated password manager. This gives you granular security control, lets you enforce multi-factor authentication (more on this below) on every employee’s vault, securely stores any shared ‘interdepartmental’ credentials (for instance, a single credit-checking login used by several people) without passing them around by email, and lets an administrator restore access when a master password is forgotten.
4. Use two-factor authentication (2FA) or multi-factor authentication (MFA)
If you do any online banking, you’re probably already using 2FA to supplement your username and password. The second factor might be a fingerprint, a code from an authenticator app, a hardware security key or a code sent to your mobile. While not completely foolproof, Microsoft’s security research shows that enabling 2FA blocks 99.9% of automated account-compromise attacks. A study by Google had similar results: adding a recovery phone number blocked up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks. Where a service offers a choice, prefer an authenticator app or hardware key over SMS codes, which can be intercepted through SIM-swap fraud.
While banks usually require 2FA, you will need to switch it on yourself for your email and social media accounts. It’s easy to do – well worth the five or ten minutes it’ll take.
5. Keep your devices updated
You know those annoying reminders you get on your phone or your computer asking you to update your operating system or an app? While it’s tempting to click ‘later’, or simply ignore them, doing so leaves your device exposed to flaws the vendor has already fixed. These patches or updates repair known weaknesses in software, and attackers actively scan for unpatched systems once a fix is public and the weakness is documented.
Similarly, immediately stop using operating systems that are no longer supported, such as Windows 7. Unsupported operating systems no longer receive security updates, leaving them vulnerable to malware attacks.
6. Regularly back up your data
By creating another copy (backup) of your data in the cloud or on another device (such as an external hard drive or a USB stick), you will always have the means to restore your data if it is lost, stolen or encrypted by ransomware. Keep at least one copy disconnected from your network, since ransomware will also encrypt any backup drive or share it can reach, and test a restore from time to time so you know the backup actually works.
Back up personal devices at least once a week. Business devices – especially if they contain important information such as employee files and billing information – should be backed up at least daily, if not continuously.
While you can back up your data manually, automatic backups make it less likely you’ll forget. Using automatic backup is easy.
- Windows 10 can automatically back up your Desktop, Documents and Pictures folders to OneDrive (check that OneDrive folder backup is switched on), or to an external drive using File History
- Apple Mac can automatically back up your data using iCloud or Time Machine
- Apple iPhone/iPad can back up your data using your computer or iCloud
- Android can back up your data to your Google account
Says Matthew, “My advice would be, if you don’t come to a company like ours for cyber security, then do take the advice from GCHQ. It’s clear, it’s achievable and it could save you an enormous amount of lost time and money.”
If you do want to step up and protect your business with a robust, cost-effective cyber security solution, Intersys offers a range of managed services, including small business cyber security. To find out how our services could help your business, give us a call on +44 (0)20 3005 4440.