NCSC: Small business guide to cyber security

UK small businesses can shield themselves from potential online attacks, thanks to a new guide created by the National Cyber Security Centre (NCSC). For those who may not know, the NCSC provides advice and support on IT security to the public and private sectors.

"45% of all small businesses identified a cyber security breach or attack in the last year"

The NCSC aims to make cyber security second nature to business owners, in the same way that locking the doors at night or cashing up is. Cyber crime is one of the fastest growing risks to small businesses, and support to tackle it is essential.

"Cyber attacks on small businesses now cost the economy over £5bn a year"

The small business guide sets out five simple steps organisations can follow:

1). Backing up your data

  • Tip 1: Identify what data you need to back up.
    Usually this would be data that is essential for the business to function.
  • Tip 2: Keep your backup separate from your computer.
    This separate backup should not be accessible by staff, neither should it be connected to the device holding original copies.
  • Tip 3: Consider using cloud backup.
    Using a cloud backup means that your data is physically separate from your location. MSPs like us (ATG) can provide data storage and web services without you investing in expensive hardware up front.
  • Tip 4: Make backing up part of your everyday business.
    The majority of network or cloud storage solutions allow you to make backups automatically.

2). Protecting your organisation from malware

  • Tip 1: Install (and turn on) antivirus software
    This should be used on all business computers and laptops.
  • Tip 2: Prevent staff from downloading dodgy applications and software.
    You should only download apps from manufacturer-approved sources (e.g. Google Play or the Apple App Store). You should prevent employees from downloading third-party apps from unknown vendors or sources, as these won't have been scrutinised.
  • Tip 3: Keep all your IT equipment up to date (patching).
    'Patching' simply means updating the software or firmware to its most current state. This is one of the most important things you can do to improve security. If a device reaches the end of its supported life, you should consider replacing it with a modern alternative.
  • Tip 4: Control how USB drives (and memory cards) are used within the organisation.
    You can do this by enforcing 'external storage use' rules in your company policy, to prevent your organisation being exposed to unnecessary risks.
  • Tip 5: Switch on your firewall.
    Firewalls create a 'buffer zone' between your internal network and external networks (e.g. the internet).

3). Keeping your smartphones (and tablets) safe

  • Tip 1: Switch on password protection
    This will prevent the average criminal from accessing your device. Many devices now include fingerprint recognition to lock your device, without the need for a password.
  • Tip 2: Make sure lost or stolen devices can be tracked, locked or wiped.
    Fortunately, most devices have a contingency solution in the event that you lose possession of your device. However, you need to ensure you know how to use these features, such as location tracking, remote locking, data erasure and backup retrieval.
  • Tip 3: Keep ALL your devices up to date (phones, laptops, tablets etc.)
    All manufacturers release regular updates that contain critical security fixes which keep your device protected. It's a quick, easy and free process which is crucial for the security of your device. If your device has reached the end of its support life, we'd suggest replacing it with a modern alternative.
  • Tip 4: Keep your apps and software up to date
    It's just as important to update your applications, as these updates provide patches for security holes as well as providing new features. Ensure all staff are aware of how to install them and how important it is to do so.
  • Tip 5: Don't connect to unknown Wi-Fi hotspots
    If you are transferring any kind of sensitive information, it's more advisable to use a Virtual Private Network (VPN) or your 3G/4G mobile network, as these both have built-in security. Public hotspots are extremely easy to compromise; don't let the convenience outweigh the potential consequences. If you'd like to find out about the types of attack and how you can safeguard yourself, click here.

4). Using passwords to protect your data

  • Tip 1: Make sure you switch on password protection
    All devices, including laptops, mobiles and tablets, should have password authentication, whether that is a PIN, facial recognition or fingerprint recognition.
  • Tip 2: Use two-factor authentication for 'important' accounts
    Simply enabling 2FA gives you a greater level of security for the little effort it takes to set up. If you have the option on your device, we highly recommend you use this feature.
  • Tip 3: Avoid using predictable passwords
    When conducting our employee 'cyber security training' schemes, we always suggest using strong alphanumeric passwords. Your password should be easy to remember but hard for someone else to guess.
  • Tip 4: Change ALL default passwords
    A common mistake is keeping the default password the manufacturer has given. All default passwords should be changed before devices are distributed to staff.

5). Avoiding phishing attacks

  • Tip 1: Configure accounts to reduce the impact of successful attacks.
    Meaning, give staff the lowest level of user rights required to perform their job. This way you're reducing the potential damage if you do happen to be a victim.
  • Tip 2: Think about how you operate
    Think about ways someone might target your organisation and make sure staff are aware of the normal working operations. For example, you could be sent fake invoices that, when opened, unleash malware onto your systems. All staff need to be trained and highly knowledgeable so they can spot any out-of-the-ordinary request.
  • Tip 3: Check for the obvious signs of phishing
    It's impossible to spot every phishing attempt as they get more and more complex. However, there are some common signifiers which staff should be aware of, such as: spelling or grammar errors; whether it is addressed directly to you or is generic; whether the email asks you to act urgently within a certain time frame (usually 24 hours); and whether it is an email from management asking you to do something out of the ordinary (e.g. transfer money). The moral of the story is that if it sounds too good to be true, it most likely is.
  • Tip 4: Report all attacks
    Make sure all staff know how to report an attack and who to report it to. If you do suspect an attack, all passwords should be changed immediately and the attack reported to Action Fraud. Action Fraud is the UK's national fraud and cyber crime reporting centre.
  • Tip 5: Keep up to date with attackers
    Attackers are always developing new and more deceitful ways to compromise data, so it's ideal to make sure you're aware of the most current methods used. Consider signing up to our mailing list to receive direct, verified and accurate information about scams and fraud. Alternatively, connect with us on Facebook, Twitter or LinkedIn if you prefer this information on your news feed.
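The four signs in Tip 3, worked into a small triage helper run over two constructed sample messages. This is an added example, not code from the NCSC guide or from ATG; the word lists, the management and money-request patterns and the report/verify thresholds are all assumptions, intended as a staff training aid rather than a mail filter.

```python
import re
from dataclasses import dataclass

@dataclass
class Email:
    sender: str
    subject: str
    body: str

# Constructed word lists standing in for the four signs listed in Tip 3 (assumption).
MISSPELLINGS = {"recieve", "acount", "verfiy", "urgant", "transfere", "secuirty"}
GENERIC_GREETING = re.compile(r"^\s*(dear\s+(customer|user|sir/madam)|hello,)", re.I | re.M)
URGENCY = re.compile(r"\b(within\s+24\s+hours|immediately|urgent(ly)?|today)\b", re.I)
MONEY_REQUEST = re.compile(r"\b(transfer|wire|bank details|gift cards?)\b", re.I)
MANAGEMENT = re.compile(r"\b(ceo|director|finance manager)\b", re.I)

def phishing_indicators(mail: Email) -> list[str]:
    """Return which of the four Tip 3 signs appear in the message."""
    hits = []
    words = set(re.findall(r"[a-z]+", mail.body.lower()))
    if words & MISSPELLINGS:
        hits.append("spelling errors")
    if GENERIC_GREETING.search(mail.body):
        hits.append("generic greeting")
    if URGENCY.search(mail.subject) or URGENCY.search(mail.body):
        hits.append("urgency")
    # A money request matters most when it appears to come from management.
    if MONEY_REQUEST.search(mail.body) and MANAGEMENT.search(mail.sender + " " + mail.body):
        hits.append("unusual request from management")
    return hits

def triage(mail: Email) -> str:
    """Two or more signs: report it; one sign: verify out of band; none: treat as normal."""
    hits = phishing_indicators(mail)
    if len(hits) >= 2:
        return "report"
    return "verify" if hits else "ok"

# Constructed sample messages, not real emails.
SUSPICIOUS = Email("ceo@examp1e-corp.test", "Urgent: payment needed today",
                   "Dear Customer,\nPlease transfer 4,800 to the new supplier acount within 24 hours.")
NORMAL = Email("sarah@supplier.test", "June invoice attached",
               "Hi Tom,\nAs agreed on the call, the June invoice is attached.")

if __name__ == "__main__":
    for mail in (SUSPICIOUS, NORMAL):
        print(mail.subject, "->", triage(mail), phishing_indicators(mail))
```

The thresholds are deliberately simple so staff can reason about them; the value of the exercise is in walking through which sign fired and why, then verifying the request with the sender by a known phone number.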

You can view the full guide here - Cyber security: small business guide. 

Unfortunately, this guide doesn't guarantee protection from all types of cyber attack; however, following it reduces the chances of your business being a victim. If you'd like to demonstrate a higher level of security, we can help you obtain certification under the Cyber Essentials scheme. Or, if you'd like to assess the current state of your security, we can audit your systems. Click here to book a call with one of our consultants, or alternatively contact us here.