Barely a day passes at the moment without some kind of cyber incident taking place. Whether it is the ransomware outbreak creating havoc in the NHS or data being left exposed in publicly readable Amazon S3 storage, something big is hitting the news. Many of these incidents take place in large organisations with budgets of hundreds of thousands of pounds a year to keep their systems safe, so you may be left wondering what chance a small business has.
As a small business there are a number of simple steps you can take to keep your systems protected from cyber incidents.
The easiest way for a security incident to happen on a business network is through a lack of awareness or understanding by the people who use the systems: your employees. A crucial part of any business strategy has to be educating those people on what they should be doing and what they should look out for when using the business systems. Here are some key points that should be made to all users:
- Keep it clean – never install software on a work computer without authorisation from your IT administrator. Unapproved software has not been vetted or kept patched by anyone, and it is one of the most common ways of introducing a vulnerability (or outright malware) into the business.
- Keep it safe – make sure you save your work in the right place. It is very easy to fall into the trap of saving to the desktop or Documents folder on the local PC; don't! Unless your IT administrator has told you otherwise, only the server is backed up, so files kept anywhere else are not. Should the worst happen and your PC is infected with ransomware or simply fails, those files are gone.
- Keep it secure – any system is only as good as the locks placed on it, and one such lock is your password. The business will likely have a password policy requiring a minimum length and a mix of character types, but that policy is easily satisfied in letter and not in spirit: capitalising a dictionary word and tacking a digit and an exclamation mark on the end (Summer2017!) does NOT make it strong, because attackers' password lists already include exactly those variations. Use a long password or passphrase that you can remember, use a different one for each system, and don't write it on a note stuck to your monitor!
- Keep "in the know" – if you don't know what it is, don't touch it. Should you come across an email that you don't recognise, a post online that looks suspicious, or an odd attachment, even one that appears to come from someone you know, do not open it; check with the sender by phone or in person first, since a compromised or spoofed account looks exactly like the real one. I promise you, there isn't really someone in Nigeria who wants to wire $33,000,000 to your account!!
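To make the "Keep it secure" point concrete, here is a small added example (not code from the original post) of the check a sensible password policy should add on top of the usual length-and-complexity rule: strip the decoration users typically add (capital first letter, trailing year or symbol, leetspeak substitutions) and see whether a plain dictionary word is left underneath. The word list embedded below is a constructed stand-in; a real check would use a proper dictionary or breached-password list.

```python
import re

# Constructed stand-in for a dictionary / breached-password list.
# A real deployment would load a proper wordlist here instead.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "monkey", "summer",
    "winter", "company", "admin", "football",
}

# Substitutions users commonly make to "complicate" a word (P@55w0rd).
LEET = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def meets_naive_policy(pw: str, min_len: int = 8) -> bool:
    """The 'minimum length plus three of four character classes' rule most policies enforce."""
    classes = sum(
        bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return len(pw) >= min_len and classes >= 3


def core_word(pw: str) -> str:
    """Undo the usual decoration to recover the word underneath.

    Leading/trailing digits and symbols are removed first (so a trailing
    year is not mistaken for leetspeak), then case is folded and common
    character substitutions are reversed.
    """
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()
    return stripped.translate(LEET)


def assess(pw: str) -> str:
    """Classify a candidate password: dictionary check first, then length, then the naive policy."""
    if core_word(pw) in COMMON_WORDS:
        return "reject: common word with decoration"
    if len(pw) >= 16:
        # Long passphrases are acceptable even if they contain only letters and spaces.
        return "ok: long passphrase"
    if not meets_naive_policy(pw):
        return "reject: fails length/complexity policy"
    return "ok"


if __name__ == "__main__":
    for candidate in ("Summer2017!", "P@55w0rd", "correct horse battery staple", "xK9#mq2L"):
        print(f"{candidate!r:34} naive policy: {meets_naive_policy(candidate)!s:5}  verdict: {assess(candidate)}")
```

Note that both Summer2017! and P@55w0rd pass the naive policy with all four character classes present, which is exactly the trap described above; only the dictionary check catches them.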
Do your users know what they should and should not be accessing? Do they know what information is "company confidential" and what information is safe to be made "public"?
Employees should be given an orientation on how information in the business is to be handled. Typically, information is classified as "Secret", "Confidential", "Internal Use Only" or "Public", though there may be other categories specific to your organisation. Everyone should have a clear understanding of how each type of information is handled and who may access it. Confidential or Secret documents will typically be encrypted or password protected, with access restricted to authorised users. When information is no longer required it should be securely deleted, not just left lying around on the system.
System logon details must not be shared with other users. When leaving your workstation unattended, lock it to prevent unauthorised access. Any activity performed on the system under your account will typically be treated as your own actions, so make sure no-one can do anything in your name without your knowledge.
Laptops and tablets
If you have a laptop which is used for business purposes then it is critical that it is never left unattended in a car, even out of sight, or anywhere else. A logon password on its own only stops a casual snoop; anyone who removes the disk can read it directly. All data held on the laptop should therefore be protected with Full Disk Encryption (FDE), and the laptop should be fully shut down when not in use rather than left in "sleep" mode. While the laptop is asleep the disk encryption key stays in memory and the encrypted volume remains unlocked, so a thief who wakes it is already past the encryption. If data is stored on a laptop, make sure it is regularly backed up to the server or to an encrypted portable hard disk using a secure backup program.
When using public Wi-Fi, as in a coffee shop, it is important to understand the security of the connection you are using. Many of these hotspots are "open": you simply connect and then log in via a web page. Because no Wi-Fi passkey was required, the wireless link itself is unencrypted, and anyone in range can capture what you transmit; this is "eavesdropping" (or "sniffing"), a technique used by people who want access to your information. Even on networks which require a passkey the connection is not private, because everyone who knows the shared key and captures your device joining the network can decrypt your traffic. Web sites using HTTPS protect the contents of those connections, but not everything a laptop or phone sends is HTTPS, and the names of the sites you visit are still visible. The practical defence is to secure all of your traffic with a VPN back to the office or a trusted provider.
For more information on eavesdropping see the video below.
The last piece of advice to close with is to keep vigilant. A recent study of people whose computers had been infected with ransomware revealed that 100% of them had anti-virus installed; most reported that they knew they had done wrong as soon as they "clicked" on it...but by then it was too late.
In almost all cases we have come across, the individual has only been caught out because they were not “on the ball” that day.
Stay vigilant and stay safe online.
5th September 2017