Tip 1: Create an Internal Cyber Security Policy
Do you know what the biggest cyber security risk is for your business? Many business owners are surprised to learn that it may be their employees.
In many cases, criminals get inside a network because one of your employees clicked a link in an email or used a weak or reused password. It is important to stay updated on the latest fraudulent schemes that are going around and to keep your employees aware and apprised of them, so that the people most likely to be targeted are also the people most likely to spot an attack.
Tip 2: Regularly Back Up All of Your Data
Encourage your employees to back up their data frequently, and automate the process so that it does not depend on anyone remembering. Regular backups ensure that critical data is not lost in the event of a cyberattack such as ransomware, a hardware failure or an accidental deletion. A number of providers, such as Rackspace, IBM or Microsoft Azure, offer automated backup services to manage this for you, and many allow you to test restores to confirm that the backup can actually be recovered during an incident. A backup that has never been restored is only a hope: schedule test restores and check the restored files themselves, not just the status of the backup job.
Data should be stored in remote locations away from the office, such as in the cloud, and at least one copy should be offline or otherwise immutable, so that an attacker who has encrypted your live systems cannot also encrypt or delete the backups. All sensitive data about the company and its clients should be encrypted in transit and at rest.
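The "test your restores" advice above is easy to state and rarely done. The following is an added example, not code from the original article or from any of the providers it names: it backs up a directory to a tar.gz archive, records a SHA-256 manifest of every file, then performs a test restore into a scratch directory and checks each restored file against the manifest. The sample files, file names and paths are constructed for the demo.

```python
"""
Added example, not code from the original article: back up a directory to
a tar.gz archive with a SHA-256 manifest, then perform a test restore into
a scratch directory and check every restored file against the manifest.
The sample files are constructed for the demo; all paths are assumptions.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup_directory(src: Path, archive: Path, manifest_path: Path) -> dict:
    """Write src to a gzip-compressed tar archive and save its manifest beside it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest_path: Path) -> list:
    """Restore into a temporary directory; return a list of problems (empty means OK)."""
    expected = json.loads(manifest_path.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" filter (Python 3.12, backported to 3.8.17+) refuses
            # absolute paths, ".." traversal and special files in the archive.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(dest, filter="data")
            else:
                tar.extractall(dest)
        actual = build_manifest(dest)
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"checksum mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def make_sample_data(root: Path) -> None:
    """Constructed sample files standing in for real business data."""
    (root / "finance").mkdir(parents=True)
    (root / "finance" / "invoices.csv").write_text("id,amount\n1,250.00\n2,99.50\n")
    (root / "clients.txt").write_text("Acme Ltd\nExample plc\n")


def run_demo() -> tuple:
    """Back up, verify a clean restore, then show that a corrupted copy is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "data"
        make_sample_data(src)
        archive = work / "backup.tar.gz"
        manifest = work / "backup.manifest.json"
        backup_directory(src, archive, manifest)
        clean = verify_restore(archive, manifest)

        # Simulate silent corruption of the stored copy: alter one file,
        # repack, and verify the new archive against the original manifest.
        (src / "clients.txt").write_text("Acme Ltd\nExample plc\nTampered Ltd\n")
        tampered_archive = work / "tampered.tar.gz"
        with tarfile.open(tampered_archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        corrupted = verify_restore(tampered_archive, manifest)
    return clean, corrupted


if __name__ == "__main__":
    ok, bad = run_demo()
    print("clean restore problems:", ok)        # []
    print("corrupted restore problems:", bad)   # ['checksum mismatch: clients.txt']
```

Keep the manifest somewhere the backup job cannot overwrite (it is the evidence you verify against), and run the restore test on a schedule rather than after a loss.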
Tip 3: Be Vigilant and Look Out for Red Flags
With UK phishing schemes rising 20% per year, train employees to keep a watchful eye out for harmful emails. While email providers and antivirus vendors are continually improving their detection of these threats, some of the more sophisticated campaigns will still reach your inbox. These emails may be disguised as a trusted client's email or a recognisable brand, but tend to have a few dead giveaways.
Employees should always be on the lookout for emails with unexpected attachments, messages that ask for passwords, personal or credit card information, emails that press for immediate action, and sender or reply-to addresses that do not quite match the organisation they claim to be from. Targeted attacks, known as spear phishing, are crafted to appear to come from individuals you know, such as a director or a supplier, and frequently ask for an urgent payment or a change of bank details; alert employees to these and give them a way to verify such requests out of band, for example by phoning the person on a number you already hold.
With the right training, employees can deal with these threats and avoid installing malware. Where a potential threat has been identified, make sure everyone in the organisation is made aware, so that others do not fall victim to the same campaign. Give staff a simple, blame-free way to report a suspicious email; an early report of a click is far more useful to you than a click that goes unreported.
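The red flags listed above can be turned into a first-pass triage rule. The code below is an added example, not code from the original article or from any mail product: it scores raw messages on urgency wording, requests for credentials or card details, risky attachment types, a Reply-To that points somewhere other than the sender, and a sender domain that imitates the company's own. The two messages and the trusted-domain set are constructed for the demo; real mail gateways use far richer signals (SPF/DKIM results, URL reputation, sender history).

```python
"""
Added example, not code from the original article: a small rule-based
scorer that looks for the red flags listed above (urgent demands, requests
for passwords or card details, risky attachments, sender spoofing) in raw
RFC 5322 messages. The two messages and the trusted-domain set are
constructed for the demo; real mail gateways use far richer signals.
"""
import email.utils
import re
from email import message_from_string, policy

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the company's own mail domain
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".docm", ".xlsm"}
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\burgent\b", r"\bwithin 24 hours\b",
    r"\baccount will be (suspended|closed)\b",
]
CREDENTIAL_PATTERNS = [
    r"\bpassword\b", r"\bverify your (account|identity)\b",
    r"\bcard (number|details)\b", r"\bpin\b",
]


def address_domain(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To header, lowercased."""
    _, addr = email.utils.parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return a score, a suspicious flag and the human-readable reasons."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []

    from_domain = address_domain(str(msg.get("From", "")))
    reply_domain = address_domain(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for trusted in TRUSTED_DOMAINS:
        # Lookalike check: the trusted name embedded in a different domain.
        if from_domain != trusted and trusted.split(".")[0] in from_domain:
            reasons.append(f"sender domain {from_domain} imitates {trusted}")

    text_parts, attachments = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            text_parts.append(part.get_content())
    text = (str(msg.get("Subject", "")) + "\n" + "\n".join(text_parts)).lower()

    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        reasons.append("pressure to act immediately")
    if any(re.search(p, text) for p in CREDENTIAL_PATTERNS):
        reasons.append("asks for credentials or payment details")
    for name in attachments:
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")

    # Two or more independent signals is a reasonable bar for holding a message for review.
    return {"score": len(reasons), "suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = """\
From: IT Helpdesk <helpdesk@example-corp-mail.net>
Reply-To: recovery@mailbox-verify.net
To: alice@example-corp.com
Subject: URGENT: your password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires in 24 hours. Verify your account immediately or
your account will be suspended. Run the attached tool to reset it.

--b1
Content-Type: application/octet-stream; name="reset_tool.exe"
Content-Disposition: attachment; filename="reset_tool.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

LEGITIMATE_SAMPLE = """\
From: Bob Jones <bob@example-corp.com>
To: alice@example-corp.com
Subject: Minutes from Tuesday's meeting

Hi Alice, the minutes are on the wiki page as agreed. Thanks, Bob
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, score_message(sample))
```

The point of the threshold is that any single signal is common in honest mail (a genuine IT team does say "immediately"); it is the combination that marks the phishing sample, which trips all five checks, while the ordinary internal message trips none.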
Tip 4: Use Strong, Unique Passwords
Once a cyber-criminal has a corporate password, they can do as they please with that account, and with every other account where the same password was reused. Insist that employees use a different password for every service, and that a password is changed straight away whenever it may have been exposed: after a phishing email, a breach at a site where it was used, or a lost device. Forcing routine changes every couple of months is no longer recommended by the UK NCSC or by NIST, because it pushes people towards predictable variations of the old password. Prefer length over complexity (a passphrase of three or four unrelated words beats a short mix of character classes), avoid single dictionary words and obvious substitutions, and protect email, finance and administrator accounts with multi-factor authentication. A password manager lets staff hold a long, random, unique password for every account without memorising them; if a password must be written down, keep it locked away rather than on a note by the screen.
Tip: Acrostic passwords built from a song lyric are a common piece of advice but a weak one. Taking the first line of 'Summer Holiday', "We're all going on a Summer holiday", alternating the case of the first letters and adding a couple of numbers gives something that looks meaningless, such as 'WaGoaSh27', yet it is only nine characters long, follows a pattern that password-cracking tools already try, and if the whole company is told to use the same well-known song, every employee's password shares the same seed. Three or four random words joined with a separator, or a random string generated by a password manager, are both longer and easier to remember.
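To make the comparison concrete, the following added example (not code from the original article) generates random passphrases with Python's secrets module, puts a number on the guessing space of a passphrase versus a short pattern password such as 'WaGoaSh27', applies a length-plus-blocklist policy of the kind NCSC and NIST recommend, and shows how a service should store and check passwords with a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from hashlib). The 32-word list, the blocklist, the 12-character minimum and the record format are assumptions for the demo; use a real wordlist (for example the EFF list of 7,776 words) and your own policy in practice.

```python
"""
Added example, not code from the original article: generate random
passphrases with the secrets module, compare their guessing space
(entropy in bits) with a short pattern password such as 'WaGoaSh27',
apply a simple length-plus-blocklist policy, and store/check passwords
with a salted slow hash (PBKDF2-HMAC-SHA256 via hashlib). The 32-word
list, the blocklist and the 12-character minimum are assumptions for
the demo; use a real wordlist (e.g. the EFF list of 7,776 words) and
your own policy in practice.
"""
import hashlib
import hmac
import math
import secrets

# Constructed stand-in wordlist: 32 entries, so each word adds exactly 5 bits.
WORDLIST = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "acorn", "bridge", "cactus", "delta", "engine", "forest", "glacier",
]
MIN_LENGTH = 12                      # assumed policy minimum
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "summer2023"}
PBKDF2_ITERATIONS = 600_000          # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def generate_passphrase(words: int = 4, sep: str = "-") -> str:
    """Pick words with a CSPRNG; random.choice would be predictable."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int = len(WORDLIST)) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random."""
    return words * math.log2(wordlist_size)


def charset_entropy_bits(password: str) -> float:
    """Upper bound that treats every character as uniformly random over the classes used.
    A lyric acrostic such as 'WaGoaSh27' is far weaker than this bound suggests."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(not c.isalnum() for c in password):
        classes += 33
    return len(password) * math.log2(classes) if classes else 0.0


def is_acceptable(password: str) -> bool:
    """NCSC/NIST-style policy: a minimum length and a blocklist, no composition rules."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(phrase, f"{passphrase_entropy_bits(4):.1f} bits with this 32-word list")
    print(f"{passphrase_entropy_bits(4, 7776):.1f} bits for 4 words from a 7,776-word list")
    print(f"'WaGoaSh27' charset bound: {charset_entropy_bits('WaGoaSh27'):.1f} bits; "
          f"acceptable under policy: {is_acceptable('WaGoaSh27')}")
    record = hash_password(phrase)
    print(record)
    print(verify_password(phrase, record), verify_password(phrase + "x", record))
```

Note the asymmetry the numbers expose: the charset bound for 'WaGoaSh27' (about 53.6 bits) assumes every character was random, which it was not, whereas the 51.7 bits for four words from a 7,776-word list is the real figure because the words were chosen by a CSPRNG. The stored record carries its own salt and iteration count so the work factor can be raised later without breaking existing accounts.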
Tip 5: Control the Paper Trail
Even with the best security measures in place, companies can still be exposed to threats through employee negligence. For example, an employee might leave a printout of a sensitive document, or a device full of confidential data in a public place.
The issue can be addressed by fostering a corporate culture that emphasises the proper disposal of paper documents (shredding rather than the waste bin), a clear-desk habit for sensitive printouts, and full-disk encryption of laptops, phones and removable media, so that a lost device does not become a data breach.
Tip 6: Never Disclose Sensitive Information Over the Phone
We’ve all heard of phishing, but many companies aren’t aware of another worrying phenomenon: vishing. Vishing is the use of the telephone to get users to surrender private information that can later be used for fraud or identity theft, often by a caller claiming to be from the bank, IT support or a supplier. Again, the solution is raising awareness.
Encourage employees to end the call if they have any doubts about the caller’s identity. They should never give out PINs, passwords, one-time codes, credit card details or addresses over the phone; a genuine bank or IT department will not ask for them. If the request seems plausible, hang up and call back on a number you already hold, not one the caller provides.
Tip 7: Keep Your Servers and Computers Updated
One of the simplest strategies you can use immediately is ensuring that everything on your network is kept up to date. This means applying updates promptly to operating systems, antivirus software, web browsers, firewalls and other network devices, and enabling automatic updates wherever possible. Ignoring any of these leaves known holes in your defences that attackers actively scan for, and software that no longer receives updates at all should be replaced rather than kept running.
Sample Cyber Security Policy
The purpose and objective of this Information Security Policy is to protect the company’s information assets (including data printed or written on paper, stored electronically, transmitted by post or by electronic means, stored on tape or video, or spoken in conversation) from all threats, whether internal or external, deliberate or accidental, in order to ensure business continuity, minimise business damage and maximise return on investment and business opportunities.
- Information will be protected from a loss of: confidentiality (ensuring that information is accessible only to authorised individuals); integrity (safeguarding the accuracy and completeness of information and processing methods) and; availability (ensuring that authorised users have access to relevant information when required).
- Regulatory and legislative requirements will be met (this includes the requirements of legislation such as the Companies Act, the Data Protection Act and the UK GDPR, the Computer Misuse Act and the Copyright, Designs and Patents Act).
- Business continuity plans will be produced, maintained and tested (this will ensure that information and vital services are available to users whenever they need them).
- Information security training will be made available to all staff.
- All breaches of information security, actual or suspected, will be reported to, and investigated by, the Information Security Manager.
- Guidance and procedures will be produced to support this policy. These will include incident handling, information backup, system access, malware controls, passwords and encryption.
- The designated Information Security Manager (depending on the size and nature of the business this may be a part-time or full-time role for the nominated person) is responsible for managing information security and for providing advice and guidance on implementing the Information Security Policy.
- The designated owner of the Information Security Policy [insert name] has direct responsibility for maintaining and reviewing the Information Security Policy.
- All managers are directly responsible for implementing the Information Security Policy within their business areas.
- It is the responsibility of each employee to adhere to the Information Security Policy.
The Policy will be reviewed by its designated owner at intervals of not more than one year from the date it was approved.