Online security is key for businesses — breaches can cost you time, money and even your reputation!

Unfortunately, cyber criminals are always innovating and adapting their techniques and methods. What’s more, there’s more of them — almost half of businesses (46%) reported a cyber security breach or attack in the last 12 months. 

If you’re the owner of a small or medium-sized business, it can be hard to find the time to dedicate towards online security. It can be daunting — but it doesn’t have to be.

To help, we’ve put together some easy, practical cybersecurity top tips and steps for SMEs. Grab a brew and take a look over these simple recommendations from our team of business IT support experts!

1. Back up your business’ important data

Cyber ransom attacks are becoming more commonplace.  A criminal looking to hold you to ransom isn’t really interested in your data — all they know is that if they control access to your data, they control you. Your data’s disappearance can be catastrophic.

The solution: take regular backups of your most important data so it can be easily restored should the worst happen. Don’t think that losing data won’t happen to you. It will, at some point. So be prepared.

Decide what data is most important

What data can’t your business live without? As well as the obvious such as client information, accounts and personnel information, important content might also include documents, photos, calendars and contacts.  

Don’t think that cloud based data storage is safe either — it is not a backup and can be lost if your account is compromised.

Choose a method of backing up

The key is to ensure that as a minimum you have one backup that is kept separate from your business’ main method of data storage. Traditional methods of backing up include using a separate drive, Network Attached Storage device, or even a separate computer.

Having multiple backups is even better to spread the risk further. The best tactic is to have an on-site backup solution in the form of some hardware, and then a backup to a dedicated cloud-based data storage centre.

Remember that cloud based data drives (such as One Drive, Google Drive, Drop Box, etc) are not backups. Whilst reputable, your data is still at risk — read their small print and you’ll see.

For more enterprise solutions, there are some excellent products out there that can provide you with a very robust disaster recovery system — even to the point that they can virtualise your business IT system within a matter of hours of your data being compromised or lost.

Ensure backups take place daily

Making the backup process part of your everyday business operations can certainly save you a headache further down the line — most cloud-based backup solutions allow backups to take place automatically and more frequently. 

If you’d like advice with any aspect of backing up your business’ data, don’t hesitate to get in touch with our team of experts.

2. Use passwords and two-factor authentication on devices & accounts

Your business’ hardware will naturally contain a range of important data including customer details, client invoices, orders, email threads, business account details and more. Standing between this data and any would-be scammer are your login credentials.

Any attempt to extort your credentials from you is known as a phishing scam. The goal of these attacks are to hold you to ransom in order to get your data back. It’s the modern day highway robbery!

Any login or access credentials that you have must only be accessible to you and those who need it. To stop any would-be nefarious cyber criminals, be sure to keep things under a secure lock and key… 

Make use of two-factor authentication for important business accounts

Two-factor authentication (2FA) is an extra layer of protection in addition to a username and password, ensuring only those who are permitted access to an account can gain it. For only a few seconds’ hassle, it adds a huge chunk of cybersecurity.

One of the most common ways of authenticating is with a code that’s sent to your smartphone. By verifying it, this proves that you’re the one trying to gain access to an account at that certain time — it’s unlikely that a cyber criminal also has your phone!

Securing your devices: smartphones, tablets, PCs and laptops

Make use of any screen-lock passwords or other ways of authentication. This can include pin codes, fingerprint or facial recognition unlock.

Your office equipment also needs to be secure. Most modern devices have encryption built in, so be sure to explore and configure this. Consider making use of encryption products, so some authentication is needed for start up. Popular solutions include BitLocker (for Windows Pro licences) and FileVault (for macOS).

Also, be sure to change any default passwords that come with your business’ devices from the manufacturer — these are some of the first ones that would-be cyber criminals try.

Use difficult-to-guess passwords

These don’t have to be unintelligible mashups of characters, but perhaps just a unique collection of words that is simple for someone to memorise, but difficult to guess.

There are many useful generators online for creating ‘memorable’ yet difficult-to-guess passwords. Personal information is a no-no. A good rule of thumb: choose a password that one of your best friends is not going to guess in 10 attempts.

Make it at least 8 characters long containing a mixture of numbers, letters and special characters.  For maximum protection, use 12 character length passwords and change it every 90 days or so.

‍

3. Keep your devices safe and sound

In a post-pandemic world, we’re as mobile as we’ve ever been with laptops, phones and tablets, using them out of the office — which is where they’re most likely to be stolen or lost. Ensure you’re best placed to avoid any mishaps.

• Enable tracking — most devices have built-in, web-based tools for tracking their location if they’re lost. These can also be used to wipe, disable or lock the device, as well as retrieve backup.
• Password protection — make sure you’re using a password, PIN or facial or thumb recognition on all your mobile or tablet devices.
• Stay up to date — if you’re running an older version of your device’s operating system, it’s more likely to have security flaws. Critical security issues are usually patched up when new versions of operating systems and apps are released, so ensure you’re always up to date.
• Be wary of unknown WiFi hotspots — it can be difficult to know who actually controls a publicly-available WiFi hotspot. When you’re connected, they may be able to see what you’re up to and may be able to access any of your private login details. 

4. Be on your guard against phishing scams

Phishing is where cyber criminals pose as a legitimate person or organisation — most often by email — in order to trick their victims into handing over sensitive information or login credentials. The motives of these cyber ne’er-do-wells are usually financial, aiming to directly steal your business’ money or thieve your data in order to hold you to ransom.

Operate the principle of ‘least privilege’

If you have staff, only give them the minimum access they need in order to do their jobs. That way, if they’re the unfortunate victim of a successful phishing attempt, they will have fewer secrets to reveal.

Most importantly, ensure that no user has administrator privileges who doesn’t need them. A user account that has administrative privileges can allow a potential attacker access to any information and more importantly control of your device/account.

Be aware of what to look for

Common attacks aimed at smaller businesses include raising fake invoices that contain malicious attachments, pretending to be a supplier who has changed their bank details or links to websites where you’re prompted to share sensitive information. Often, they impersonate a person from within your business or another organisation to make you think it’s relevant to the business, something known as spoofing.

There are a number of tell-tale signs of a phishing email… 

• Poor spelling and grammar — many phishing attacks originate from overseas; a discerning eye may be able to spot grammatical errors. That said, they can occasionally be well written, so don’t rely on this!
• Poor-quality formatting — are any of the logos used of poor quality? Does the email appear slightly unprofessional? If so, it could be a phishing email.
• ‘Dear valued customer/friend/colleague’ — does the email actually refer to you by name at any point? Is it from a business or individual that you recognise? If it comes across as quite generic and you don’t recognise the recipient, it’s likely to be a phishing attempt, sent to thousands of different addresses.
• Panic-inducing language — phishing attempts may try to scare you, make you panic or even make you curious. The aim: to make you take action and compromise yourself. They can often use language like ‘why haven’t you paid this invoice?’, ‘you are at risk, act quickly’, or even ‘claim your free refund’’ — and so on.
• Gobbledygook email addresses — check that the domain (the part that appears after the @ in an email address) looks legitimate. Often, but not always, phishing email addresses are jumbles of letters or numbers. That said, clever phishers can sometimes spoof email addresses.

Despite the sender’s claim to represent McAfee, a quick check of the email address’ domain shows that it’s bogus and doesn’t belong to the organisation.

‍

A phishing email showing all the hallmarks of a phishing attempt: poor grammar, bad formatting, dodgy links and too-good-to-be-true promises.

Empower any staff you have to report, question or query strange emails they may receive.

When you get an email from an organisation you don’t do business with, treat it with the utmost caution. If any of your staff fall for a phishing attack, don’t punish them — it can discourage future reporting. Any phishing attacks can be reported to ActionFraud, the UK’s national reporting centre for cyber crime.

If you think you’ve been the victim of a phishing attack, immediately change your passwords.  Then perform a virus and malware scan on the devices affected.

We’ve written in more detail about how to avoid falling victim to phishing attacks. 

Be aware of what’s publicly available about your business

Phishers often use information online to target your business in phishing attempts. To minimise this risk and any opportunities for would-be cyber attackers, managing your digital footprint is crucial. Are you sharing too much on your business’ website or social media channels?

‍

5. Protect against malware

Malware stands for ‘malicious software’. These intrusive programs aim to steal data or damage computers and computer systems. The most common types of malware are viruses, worms, Trojan viruses, spyware, adware and, perhaps most insidiously, ransomware.

Ransomware steals sensitive information from your business’ systems and then encrypts it before demanding a payment for the data to be released. These types of malware attacks often originate as part of a phishing scam, so being aware of what to look for might be helpful — as we highlighted just above.

• Turn on your antivirus software and firewall — most operating systems have antivirus and firewall software included for free. It’s usually as simple as clicking ‘enable’, and your smaller business’ computers will be safer for it.  There are third party pieces of software that will enhance the free software included with your operating system.
• Watch what you download — only download apps from official stores, like the Apple App Store or Google Play. Third-party apps from unknown sources are much riskier.
• Be aware of USB or memory stick use — although they’re becoming less and less common — surely soon to be as redundant as the ¾ floppy disk — it just takes one infected USB stick to wreak havoc on a computer system.
• Stay updated — manufacturers and developers always patch up security flaws in their latest updates. Whether it’s your business PC, laptop or an app you use for day-to-day operations, you’re more at risk if it’s not updated.

6. Consider enlisting the expertise of an IT support partner

Whether it’s a lack of hours in the day or a lack of in-house expertise — or perhaps a bit of both — most small or medium-sized business owners can struggle to dedicate time towards cybersecurity.

Responding to IT issues as they arise, let alone proactively guarding against ongoing security flaws, can be a full-time job itself. That’s why many small businesses choose to enlist the ongoing support of an outsourced team of IT experts (like us!).

The old adage applies: prevention is always better than cure. Remediation costs for a data breach can be astronomical. An outsourced IT partner gives you an expert pair of eyes for identifying any existing security flaws, updating procedures and proactively scanning for, spotting and defending against cyber threats before they arise.

In a nutshell, peace of mind.