Cybersecurity: An Essential Guide for Small Businesses [+ Checklist]

Anna Technology 09 Nov 2016

You need to care about cybersecurity.

If you run a business, you really need to care about cybersecurity.

Although your IT department takes plenty of measures to keep your business protected from malicious cyber threats, they aren't the only ones responsible for cybersecurity at your company.

All managers and employees should play their part.

In today's blog post, we look at cybersecurity basics that all businesses should strive to achieve. But before we move on to how to protect your data, first let's explain why cybersecurity is important to your small business...

[This article was updated on 17th May 2017 following a major cyber attack on the UK's National Health Service.]

Why Does Cybersecurity Matter?

Almost every business uses electronic devices of some form.

You might use desktop PCs to create and manage spreadsheets, laptops for meetings and presentations, and smartphones to check emails.

You probably transfer company data electronically via email, cloud services or through removable devices such as SD cards.

It's likely you collect data from your customers and clients: contact details, names, bank account information, and whatever else you need to do business with them.

Today, hard drives, Google Drive and email attachments act as your filing cabinets. Between them, they contain almost every document relating to your business that exists.

You lock up your office at the end of the working day, so why not lock up your virtual office cabinets, too?

If you're not yet convinced, here are some figures:

  • 74% of SMEs reported an information security breach in 2015.
  • The average small business data breach costs the business between £75,000 and £311,000.
  • Only 27% of small businesses have insurance cover for data breaches.
  • Employees are as likely to cause a breach as viruses and other malicious software.
  • Half of the worst breaches reported in 2015 were caused by human error.

The source for all these sobering stats is the 2015 Information Security Breaches Survey by PwC, carried out for the UK government.

Even if you think these figures are exaggerations, the reality is that small businesses are as much of a target as larger businesses.

If you suffer from a cybersecurity breach, costs can take many forms, including:

  • Fines due to loss of customer data
  • Reputational loss
  • Disruption to trading
  • Financial losses due to compromised bank account details
  • Time spent regaining control and 'cleaning up' compromised systems

Cybersecurity is a complex issue, particularly for small businesses. You may not have the expertise of big businesses to help you plan your defenses.

This comparison might help.

A Physical Security Comparison

If you're new to cybersecurity and the threats your business faces, you can think of it in a similar way to physical security.

Say you own a fancy mansion.

Even if you protected it with your own private army, guard dogs, and 10-metre-high fences topped with barbed wire, it would be impossible to protect it from the most determined, well-equipped burglar.

But you'd certainly be making it difficult for them!

Here's another scenario: what if your property was a cheap one-bed flat?

If you left your keys on the doorstep and had your new MacBook Pro in plain sight of passersby, you wouldn't be surprised if you were targeted by burglars.

Most importantly, even if your security-lax flat was next to the fancy mansion with guard dogs, a smart burglar would opt for the easy target - regardless of the perceived value of the contents of each property.

Similar scenarios apply in cybersecurity.

Even if you use all the security measures you can, an incredibly determined network of hackers might still be able to gain access to your company data. You would, however, be able to dissuade opportunistic hackers.

Similarly, weak passwords or outdated versions of software are 'open doors' for attackers.

Small businesses are typically seen as easy targets. Even though the potential gains for attackers aren't as large as those at bigger companies, smaller businesses are less likely to have the defensive measures in place to fight off an attack quickly.

The Basics

As we said right at the start of this article, although your IT specialists (if you have them!) should manage the technical aspects of cybersecurity, all employees need to understand the basics.

These include:

  1. Strong passwords
  2. Software updates
  3. Signs of phishing emails
  4. Bring-Your-Own-Device policies and risks
  5. Data transfer and removable media concerns
  6. User privileges
  7. Data breach response

Now let's look at each point in greater detail.

Strong Passwords

We all know that we're meant to choose unique passwords for every website and account we use, and that 'password1' or '123456' should be avoided, but what actually makes a password strong, yet memorable?

The strongest passwords are lengthy combinations of upper and lower case letters, symbols and numbers. Yet something like '7`%n_/We76rm!Daz' isn't exactly easy to remember. You'll probably end up having to write it down, which defeats the point of creating a secure password!

Instead, some experts (including the UK government) now suggest that users should use 3-8 random, unconnected words as their password. These tend to be easier to remember but still challenging to crack. You can still add symbols and numbers or change cases if you like.

For example, 'glittery opens lobster offensive boop' is completely nonsensical but certainly is a memorable image that's easy to recall!

To ensure these random passwords are secure, avoid using words that are personal to you such as street names, the name of your partner or anything to do with your favourite sports team. It's also best to try and include at least one word that doesn't appear in a standard dictionary to give hackers another obstacle to scale.

This approach isn't perfect. Your passwords can still be cracked, but it'll take a few months rather than five minutes!

You could also look into using a password manager and creating a single extremely long and complex master password to access all your other passwords. 
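To make the word-based approach concrete, here is an added example (not from the original article) that generates a passphrase with the operating system's secure random source and compares its strength, measured in bits of entropy, with random-character passwords of different lengths. The word list is a small constructed sample; the 7,776-word list size and the guess rate used for the crack-time estimate are assumptions, labelled in the code.

```python
# Added example (not from the article): generate a random word-based passphrase
# and compare its strength, in bits of entropy, with a random-character password.
import math
import secrets

EFF_LONG_LIST_SIZE = 7776      # assumed size of a real diceware-style word list
PRINTABLE_ASCII_SIZE = 95      # upper, lower, digits and symbols on a keyboard
ASSUMED_GUESSES_PER_SECOND = 1e10   # assumed offline guessing rate, for illustration only

# Constructed sample list; in practice load a full published word list.
SAMPLE_WORDS = [
    "glittery", "opens", "lobster", "offensive", "boop", "harbour", "tangent",
    "velvet", "quarry", "bramble", "igloo", "satchel", "monsoon", "kettle",
]

def entropy_bits(symbols, alphabet_size):
    """Bits of entropy for `symbols` picks made uniformly from `alphabet_size` options."""
    return symbols * math.log2(alphabet_size)

def generate_passphrase(words, num_words=4, sep=" "):
    """Pick words uniformly at random (with replacement) using the CSPRNG."""
    if not 3 <= num_words <= 8:
        raise ValueError("use 3-8 words, as the article suggests")
    return sep.join(secrets.choice(words) for _ in range(num_words))

def expected_crack_seconds(bits, guesses_per_second):
    """Average time to guess a secret of `bits` entropy: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second

def compare(num_words=5, password_length=8):
    """Return (passphrase_bits, password_bits) for a quick side-by-side."""
    return (entropy_bits(num_words, EFF_LONG_LIST_SIZE),
            entropy_bits(password_length, PRINTABLE_ASCII_SIZE))

if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 5)
    print("sample passphrase:", phrase)
    # The generator is only as strong as the list it draws from.
    print("5 words from the 14-word sample list:", round(entropy_bits(5, len(SAMPLE_WORDS)), 1), "bits")
    for n in (3, 5, 8):
        bits = entropy_bits(n, EFF_LONG_LIST_SIZE)
        days = expected_crack_seconds(bits, ASSUMED_GUESSES_PER_SECOND) / 86400
        print(f"{n} words from a {EFF_LONG_LIST_SIZE}-word list: {bits:.1f} bits, ~{days:.1f} days")
    for length in (8, 16):
        bits = entropy_bits(length, PRINTABLE_ASCII_SIZE)
        days = expected_crack_seconds(bits, ASSUMED_GUESSES_PER_SECOND) / 86400
        print(f"{length} random characters: {bits:.1f} bits, ~{days:.1f} days")
```

The point the numbers make: five words from a 7,776-word list (about 64.6 bits) beat eight random characters (about 52.6 bits) while staying memorable, and the strength comes entirely from the words being chosen at random from a large list, not from the words being odd. Picking them yourself, or from a short list, gives far less.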

Software Updates

Attackers look for vulnerabilities in software when attempting to get to your data.

Software providers update their products regularly when vulnerabilities are discovered. It's therefore essential to keep software updated.

This includes web browsers, accounting software, database software, smartphone apps and the operating system itself.

These days, most devices are set to automatically download and install critical updates when they become available, but this option may have been disabled in some instances.

Remember that any device that is used to access company data (including emails) must have up-to-date software - not just your office PCs.

It's also important to use software that's still supported by its maker. That means moving away from operating systems like Windows XP and any software that no longer receives security updates.

The dangers of using outdated software were clearly illustrated by the recent ransomware attacks on the NHS and other organisations around the globe.

Hackers used loopholes in an operating system no longer supported by its creator to seize control over sensitive data and demand money for its release, putting lives at risk and causing real panic both within the organisation and among the general public.

It may cost money to keep your machines updated with the latest software, but consider how much it could cost you if you don't...

Phishing Emails

Most of us are now aware that it's best to ignore emails from Nigerian princes, but phishing emails are becoming ever more sophisticated - and believable.

Phishing emails aim to gain personal information or other data from users by posing as a trusted party. The senders pose as PayPal, Apple, Amazon, banks, and even the government in an attempt to get users to download malicious software or even directly send them their personal information.

Here's how you can avoid falling victim to phishing emails:

  • Look for spelling mistakes, formatting errors or grammatical errors.
  • Hover over links to see their real destination and, where possible, check the email's HTML source before clicking on links in emails from unknown senders.
  • Only open attachments from trusted senders - and ensure that you know what you are opening before downloading the attachment.
  • If you receive an email from a colleague that seems odd or suspicious, immediately ask them if they sent it.
  • Move phishing emails to your spam folder and report them as phishing scams.
  • Remember that the name of an email sender can easily be changed to match that of a trusted company.
  • If you're unsure if an email is legitimate, use a search engine to find out if anyone has received a similar email. You can also check the supposed sender's FAQ section to find out what to do if you suspect an email with their name on it is fraudulent.
  • Never send personal information or passwords through email.

Above all, think twice before you click on links or download files through emails or other forms of online messaging.
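The "hover over links" advice can be automated for a whole message. Here is an added example (not from the original article) that pulls every link out of an HTML email and flags the two signs described above: a visible address that differs from the real destination, and a destination outside the domain the sender claims to be. The sample email, the claimed sender domain and the `example.net` host are constructed for the demonstration.

```python
# Added example (not from the article): extract links from an HTML email and
# report ones whose visible text or real destination does not match the sender.
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-case host name of a URL or bare domain ('' if there is none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable(host):
    """Naive owner domain: the last two labels. Fine for paypal.com-style names;
    too short for two-part suffixes such as .co.uk (a public-suffix list fixes that)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def looks_like_address(text):
    """True for visible text such as 'www.paypal.com/verify' rather than 'click here'."""
    return "." in text and " " not in text

def suspicious_links(html_body, claimed_domain):
    """Return [(href, text, [reasons])] for every link that fails either check."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        reasons = []
        if looks_like_address(text):
            shown_host = host_of(text)
            if shown_host and registrable(shown_host) != registrable(real_host):
                reasons.append(f"shows {shown_host} but goes to {real_host}")
        if registrable(real_host) != claimed_domain:
            reasons.append(f"{real_host} is not under {claimed_domain}")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample message: the sender claims to be paypal.com; example.net is a reserved name.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please verify your details now:</p>
<p><a href="http://paypal.com.secure-login.example.net/verify">www.paypal.com/verify</a></p>
<p>Questions? Visit our <a href="https://www.paypal.com/help">help centre</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "paypal.com"):
        print(f"'{text}' -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run as written, the first link is reported twice over (the text shows `www.paypal.com` but the link goes to `example.net`, and `example.net` is not under `paypal.com`), while the genuine help-centre link passes. The owner-domain check is deliberately simple; a production filter would use the public suffix list so that `bank.co.uk` is not reduced to `co.uk`.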

It's vital that all staff members know how to identify and deal with phishing emails - don't assume that your younger employees are wise to phishing emails just because they're digital natives!

Bring-Your-Own-Device Policies and Risks

Bring-Your-Own-Device (we'll call it BYOD from now on) refers to the practice of employees using personal devices for work.

There are many benefits of BYOD: businesses reduce their spend on company devices, employees prefer to use devices they're familiar with, and workers only need to carry one device with them.

In fact, there might even be a security benefit to BYOD - users tend to leave apps and software to update automatically, whereas corporate devices may not be set up to update so frequently.

However, if you allow employees to use personal devices for work, you must be aware of the numerous security risks associated with this policy, such as:

  • Risk of theft. Can you count on employees using personal passwords that are as strong as their work passwords? What if an employee is using a device with obsolete software that's no longer secure?
  • Lack of control. Your business can't impose its policies on personal devices as easily as work devices. You can't usually monitor usage, for example.
  • Data remaining on devices after an employee leaves. Once an employee leaves the company, their personal devices stay with them. Unless you take swift action, they'll retain access to that data.
  • Legal concerns. Regardless of where the data is stored, your company must still meet data protection standards.

Some businesses have tried to gain additional control over the data stored on personal devices by using mobile device management software. Simply put, this software provides employees with a secure way of accessing the company network while restricting how company data can be used on their personal device.

Even if you don't want to use device management software, you still need to plan a BYOD policy to limit its security issues. We recommend you take a look at the UK government guidance on BYOD and BYOD policies.

Again, informing staff about the risks of BYOD is key. Awareness can resolve many of the security problems associated with BYOD.

Data Transfer and Removable Media Concerns

You share company data with third parties frequently. If you use HR software (including RotaCloud), accounting software, or any other cloud software, you're reliant on the security of a third party's servers.

Of course, the vast majority of cloud software providers will be cybersecurity experts (get in touch with us if you want to know more about how we look after your data), but some services may be a little more lax when it comes to security. Don't be afraid to grill software providers about data protection and security.

For readers in the EU (that still includes the UK, by the way!), it's worth noting that the EU has tough rules on data transfer to countries outside of the EU.

Essentially, data cannot be transferred outside the EU unless the country ensures an adequate level of data protection. You can see the list of countries that meet the EU's requirements on the Commission's website.

In particular, it's worth noting that the US and EU negotiated the EU-US Privacy Shield, a certification scheme that US companies apply to in order to be allowed to receive customer data from the EU. US companies must meet strict data protection requirements under the Privacy Shield.

Don't get caught out and ensure that any data you send abroad complies with EU regulation.

Now let's move on to the matter of removable media. Removable media includes CDs, DVDs, USB drives, external hard disks and SD cards. Aside from the obvious physical security risks (an employee leaving a drive on the bus, for example), external devices can also act as a vector for malware.

All removable media should be scanned for malware when connected to a device. You should be able to set up your anti-virus software to do this.

Ensure that you control access to data on external storage devices in the same way that you restrict other data.

User Privileges

If you don't have an IT department, senior management will need to deal with user privileges.

Essentially, you should have a hierarchy of IT users where access to certain software, documents and folders is restricted based on the user's position in the hierarchy.

You can set up access levels per user, or create specific user categories to make management a little easier. User privileges are usually defined with each software package or service.

As a general rule, it's better to be too strict about user privileges than too generous. You can always allow users more access later, if required - but there's no point risking the security of your data if the user doesn't currently need access to it.

You may be reluctant to treat your staff with distrust, but the reality is that employees are just as likely to cause a data breach as malware, through their intentional or accidental actions.

Reasonable employees should understand that access levels are a sensible way to manage cybersecurity risks.
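The hierarchy described above can be expressed as a small access model that denies everything by default, grants through role categories, and allows a per-user exception to be added later when a real need arises. The following is an added example (not from the original article); the user names, role names, folder paths and grants are constructed.

```python
# Added example (not from the article): a default-deny access check built from
# role categories plus per-user grants. All names and paths are constructed.
from fnmatch import fnmatch

# Role category -> set of (action, resource pattern) permissions.
ROLES = {
    "staff":   {("read", "/shared/*")},
    "finance": {("read", "/shared/*"), ("read", "/finance/*"), ("write", "/finance/*")},
    "admin":   {("read", "/*"), ("write", "/*")},
}

# User -> role category. One category per user keeps management simple.
USER_ROLES = {"alice": "finance", "bob": "staff", "carol": "admin"}

# Per-user extra grants, added later when a need is shown (start strict, widen on request).
USER_GRANTS = {"bob": {("read", "/hr/rota-*.xlsx")}}

def permissions_for(user):
    """Union of the user's role permissions and any individual grants."""
    role = USER_ROLES.get(user)
    perms = set(ROLES.get(role, set()))
    perms |= USER_GRANTS.get(user, set())
    return perms

def is_allowed(user, action, resource):
    """Default deny: True only if some permission matches both action and resource.
    Unknown users, unknown roles and unmatched paths all fall through to False."""
    return any(act == action and fnmatch(resource, pattern)
               for act, pattern in permissions_for(user))

def grant(user, action, pattern):
    """Widen one user's access later without changing the role category."""
    USER_GRANTS.setdefault(user, set()).add((action, pattern))

if __name__ == "__main__":
    checks = [
        ("bob", "read", "/shared/handbook.pdf"),
        ("bob", "read", "/finance/payroll.xlsx"),
        ("bob", "read", "/hr/rota-june.xlsx"),
        ("alice", "write", "/finance/payroll.xlsx"),
        ("dave", "read", "/shared/handbook.pdf"),
    ]
    for user, action, resource in checks:
        print(f"{user:6} {action:5} {resource:25} -> {'allow' if is_allowed(user, action, resource) else 'deny'}")
```

The design choice worth copying into whichever product you actually use is that there is no "allow" path for a user who appears in no list: a new starter, or a leaver whose account was missed, gets nothing until someone deliberately places them in a category.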

Responding to Data Breaches

If your security fails, you can still limit the impacts of a data breach - but only if you act quickly.

Leave the IT experts to pinpoint the exact nature of the data that's been compromised. You should also inform the relevant authorities.

Your next job is to inform affected customers and clients if their data may have been stolen. Ideally you should let them know the type of data that was stolen and its level of encryption, actions that you're taking to resolve the breach and prevent it from happening again, and whether they need to take any immediate action.

You should release a statement to the press. Apologise, be honest and accept responsibility for the issue. Explain what happened and how you'll prevent future attacks, and be sure to end on a positive note.

Any statements you send out should be looked over by a legal expert.

Final Thoughts and Checklist

This article only covers the basics of cybersecurity - there's plenty more to learn. However, by gaining a solid understanding of the most common sources of data breaches you can shield yourself from all but the most determined cyber attacks.

All employees should receive cybersecurity training and regular refresher courses. Staff should also learn what counts as a data breach (yes, losing a USB drive does count!) and how to report them.

Think back to that one-bed flat we mentioned at the start of the article. If you hide your valuable items, check that you've locked the door and only give the spare key to people you trust, you eliminate a large proportion of the risk of being burgled.

By taking a few similarly basic steps to combat hackers and improve employee cyber-awareness, you can drastically reduce the chance of your business suffering a data breach.

Want to keep track of your current cybersecurity efforts? Download our handy cybersecurity essentials checklist!
