Steps to take for Cyber Security Protection
Cyber security protection needn’t be a daunting challenge for any business but it’s certainly one all should be getting to grips with.
The recent exposure of vulnerabilities at the BBC, British Airways, Aer Lingus, Boots the Chemist, and others demonstrated that even the largest organisations can still become victims of cyber crime.
Although the alleged hackers, Clop, have now said via email that they do not have the data, raising the possibility they’re either lying, or it was another cyber criminal gang which created the MOVEit breach.
It’s not the only large-scale data breach to have occurred recently. On June 21st, Colchester City Council said it had emailed 3,488 people and sent 3,861 letters, following a data breach via outsourcing contractor Capita.
The council added that: “Capita reported a “security issue” when personal data including names and addresses had been found “on its unsecured data storage area.” No bank details had been leaked Capita said.
However, around 90 organisations had reported breaches of personal data held by Capita, according to the Information Commissioners Office (ICO), which deals with privacy and data in the UK. The company had suffered a cyber attack in March this year and it was later revealed that Capital had left a pool of data unsecured online.
If you’re a small or medium-sized enterprise (SME) then there’s around a one in two chance that you’ll experience a cyber security breach. The average (mean) annual cost of cyber crime for businesses is estimated at approximately £15,300 per victim.
How to improve your cyber security protection
Following the quick and easy steps outlined below could save time, money and even your business’ reputation.
1 – Backing up your data
Your first step is to identify your essential data – the information that your business couldn’t function without. Make sure you keep your backup separate from your computer, whether that’s on a USB stick or external drive.
However, a safer option is to consider using Cloud storage. This means your data is completely separate from your work environment, it allows for accountability as the Cloud provider usually has high levels of data protection.
Check out the National Cyber Security Centre’s (NCSC) Cloud Security Guidance for details on what to look for in a service provider.
2 – Protect against malware
Make sure any device which connects to the internet has anti-virus protection installed and switched on, including firewall protection. NCSC also has guidance for how to make sure mobile devices are secured.
Your employees should only have access to programs they require for work, with extra permissions – i.e. for administrators – only given to those who need it. Apps for mobiles and tablets should only be downloaded from official stores as both Google and Apple provide checks before allowing apps to be uploaded to their platforms.
Ensure all software and firmware for all device types is kept up to date with the latest versions from software developers, hardware suppliers and vendors. When updates are no longer available, such as for operating systems, upgrade your devices to the latest versions where possible.
Reduce the likelihood of infection on shared drives or USB sticks by:
- blocking access to physical ports for most users;
- using antivirus tools;
- only allowing approved drives and cards to be used within your organisation – and nowhere else.
3 – Securing devices
Mobile technology is now an essential part of modern business, and these devices are often as powerful as a computer. Because they often leave the “safety” of the office or home, they require even more protection than a desktop.
Make sure to set up password protection, whether that’s by using a PIN code or using biometric safety such as a fingerprint or iris scan.
Use free web-based tools to track all your work devices, this means in the event of something being lost or stolen, you can perform several safety related tasks including:
- tracking the location of a device;
- remotely locking access to the device (to prevent anyone else using it);
- remotely erase the data stored on the device;
- retrieve a backup of data stored on the device.
Keep all devices up to date with the latest manufacturer software release, make sure your staff know how important it is to update as soon as a new release comes out and, if necessary, show them how to perform the task.
The same also applies to any apps installed on your devices, check with Google Play or the Apple App Store for the latest versions of products your business uses.
Check when using roaming Wi-Fi hotspots that it’s a legitimate provider. The simplest precaution is not to connect to the internet using unknown hotspots, and instead use your mobile network, which will have built-in security.
4 – Password protection is vital
Passwords – when implemented correctly – are a free, easy and effective way to prevent unauthorised users accessing your devices.
Use screenlock passwords, PIN or other authentication methods such as fingerprint or face unlock wherever possible. If you’re mostly using fingerprint or face unlock, you’ll be entering a password less often so consider using a long one which is difficult to guess.
If 2-step verification (2SV) is an option, always use it, it provides a larger amount of security for very little effort. 2SV requires two different methods to ‘prove’ your identity before you can use a service, generally a password plus one other method.
This could be a code that’s sent to your smartphone (or a code that’s generated via an authenticator app like Authy) that you must enter in addition to your password.
Passwords should be easy to remember, but hard for somebody else to guess. A good rule is ‘make sure that somebody who knows you well, couldn’t guess your password in 20 attempts’.
The NCSC has some useful advice on how to choose a non-predictable password. Three random words or #thinkrandom is one good way to create a strong password that is unlikely to be guessed easily. Or you can use a string generator which will pull random letters, numbers and special characters together.
Consider using password managers, which are tools that can create and store passwords for you that you access via a ‘master’ password. Since the master password is protecting all of your other passwords, make sure it’s a strong one.
And finally, make sure to change any default passwords that come with smartphones, laptops, and other types of equipment.
5 – Avoiding phishing attacks
Give staff the lowest level of user rights required to perform their jobs, so if they are the victim of a phishing attack, the potential damage is reduced.
Also consider ensuring that your staff don’t browse the web or check emails from an account with Administrator privileges and make sure that two-factor authentication (2FA) is on your important accounts such as email.
Think about the easiest ways criminals could target your business. Could they send fake invoices for goods or services you haven’t actually purchased? Or trying to trick staff into transferring money or information by sending emails that look authentic.
Look for the following warning signs:
- Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor.
- Is it addressed to you by name, or does it refer to ‘valued customer’, or ‘friend’, or ‘colleague’?
- Does the email contain a veiled threat that asks you to act urgently?
- Look out for emails that appear to come from a high-ranking person within your organisation, requesting a payment is made to a particular bank account.
- If it sounds too good to be true, it probably is.
Most email providers have built in anti-phishing protection and those that do slip through are often sent to the Junk/Spam folders. But you can also use ‘Rules’ to set up additional filtering options.
Make sure that your staff are encouraged to ask for help if they think that they might have been a victim of phishing, especially if they’ve not raised it before.
It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred. If you believe that your organisation has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website. Action Fraud is the UK’s national fraud and cyber crime reporting centre. If you are in Scotland contact Police Scotland on 101.
Attackers use publicly available information about your organisation and staff to make their phishing messages more convincing so check your website for any potential data which could help criminals.
Organisations can implement the actions outlined in the Small Business Guide Actions and significantly reduce the chance of becoming a victim of cyber crime.
About Veracity Trust Network
By protecting their website and advertising from bots, companies can ensure that their website runs smoothly, provides an optimal user experience, reduce the risk of security threats, reduce wasted ad spend and improve the data on which business decisions are made.
Veracity Trust Network is award-winning technology* applicable to any business operating a website and works to block a wide range of bot attacks, preserving website performance, while optimising infrastructure costs and security resources.
Start protecting your business from fake and malicious bot web traffic by booking a call now:
*Digital City Awards 2022: Innovation of the Year, Best Business Awards 2022: Best Innovation, Best Martech Innovation at Prolific North Tech Awards 2021, B2B Marketing Expo Innovation Award for Best Marketing Tool 2021, and the Tech Nation Rising Stars 3.0 Cyber Award 2021, as well as holding Verified by TAG status.