The UK Government-endorsed Cyber Essentials scheme identifies 5 basic measures all businesses should take to protect their business online.
Adopting these measures should guard you against 80% of the most common cyber threats.
- Keep Devices and Software Up to Date
- Protect from Viruses and other Malware
- Secure Devices and Software
- Control Access to Data and Services
- Secure our Internet Connection
I always recommend a 6th – Back-Up Data
In this blog I’ll explain why you need to take each of these measures.
Future blogs will provide practical advice on how to do this.
Don’t believe the SME Cybersecurity Myths
Don’t fall for these 3 myths:-
1 But – My Business Is Not Online
Really? Even if you don’t have a website, you’ll have online interactions
- you’re reading this
- you get emails from YBC
- you probably communicate with clients by email/ social media
- even if you send letters, if they’re written on a computer connected to the internet then you’re online
- you may manage your business on a computer – budgets, making payments, tracking clients, checking websites…
You’re almost definitely online, if only a little bit, and that is enough to be attacked.
2 But – My Business is Too Small to be Under Threat
Up to 2/3rds of small businesses were attacked or breached in the last 18 months, with impacts such as:
- inability to access files
- websites taken down
- systems damaged or corrupted
Small businesses are targeted
- as a way into larger businesses
- in their own right, in the expectation that their security is weaker than the Big Boys.
3 But – My Business doesn’t Have Anything Worth Stealing
We all have money and data – nectar for the cybercriminal
Our bank accounts are vulnerable to fraud:
- a ‘customer’ persuading us to pay a non-existent invoice
- a ‘creditor’ giving us new bank account details for our payment
Our data can be stolen and sold on. Any sensitive data makes a business a target :-
- our own business’s data, including personal data
- data we hold about customers and suppliers
- information about our business’s ideas, formats, plans…
The sooner you stop thinking any of the myths above are true, the safer you will be.
While it’s impossible to completely prevent cyberattacks, they can be controlled and minimised by some simple security measures.
Basic measures we should be taking to protect our Businesses
1 Keep Devices and Software up to Date – also known as Patching
Why? By installing security patches we minimise the impact that malware might have on our devices, software and networks. When known security flaws are patched, the cybercriminals are kept at bay.
Malware developers are known to target machines on which known security vulnerabilities have not been patched.
In practice we can protect our business by making sure that:-
- All devices and software are licenced and supported
- All critical and high risk security patches are quickly installed, where possible by automatic update
- We keep track of when manufacturers stop supporting software and devices, stop using them at that point, and remove defunct software from any devices.
This last point is important. For example, did you know that
- Windows 10 version 1803 stops being supported in November 2019? Even if you have been accepting all updates you may still have to go and manually update to a newer version.
- Apple will no longer support iPhone 6 and 6 Plus when iOS13 gets released in September 2019
2 Protect from Viruses and Other Malware
Why? To minimise the chance of devices and networks being infected with malware.
Impacts of malware include:-
- Devices and networks running slowly
- Devices and networks being damaged
- Files being stolen, changed, deleted or blocked, compromising our business, and potentially our partners’ businesses too.
- Costs, including lost productivity, cleaning devices, fines, reputational damage, lost business…
Cyberattacks have cost SMEs up to £115,000.
We can protect our devices by ensuring that antivirus software is installed and by only using applications which have been approved (whitelisted).
3 Secure Our Devices and Software – choose Secure Settings
Why? Devices and Software come with default accounts and settings, which are particularly at risk from cybercriminals. They often also have unnecessary pre-installed software which may contain malware.
Before we start using devices (computers, smartphones, tablets, servers etc) and software we need to secure them and clean them up – and then also plan to regularly check that they are still secure. Checks we should make include:-
- User accounts – Make sure access to devices and software is limited to those who need it.
- Passwords – Have a password policy which requires strong, individual, managed passwords
- Require extra authentication for sensitive data – make sure that we secure our business’s sensitive data and know which individuals are accessing it
- Software on devices – remove where possible (or disable) unnecessary software or preinstalled trials that are not going to be used and licenced
- Review settings – review ALL the settings and consider how they should be set.
4 Control Access to Data and Services – Know who is accessing our data
Why? Our business has valuable data, and we need to know who has access to it and how we are sharing it.
Anyone who is running a business is liable to have personal data – be it customers, suppliers, partners, staff – all of which is covered by GDPR (or the UK equivalent Data Protection Act 2018).
We need to be able to
- Keep track of who has access to our data and services, and what data they have.
- Manage and limit the use of Admin accounts. That includes both the accounts on devices with Admin access and individuals in outsourced IT companies with Admin access.
Why have special considerations for accounts with Admin access? Did you know that about 1% of websites globally are infected with malware? Some of these include websites of household names. If you browse to one of these sites when using an admin account, any malware inadvertently downloaded will have Admin permissions too.
5 Secure the Internet Connection – use a Firewall and Configure It
Why? A firewall helps stop unauthorised entry to either an individual computer or a network.
Our home and office networks: most routers supplied with our broadband provision include a firewall which is set up to protect our networks.
All our laptops and desktops should have a firewall turned on. Microsoft Windows and Apple iOS come with a firewall.
Smartphones and tablets should have a firewall where possible.
It’s important to check our firewalls are on, and to configure them eg:-
- Default passwords make cybercriminals very happy. Change the admin password.
- Screens used for router settings and configuration should, if possible, be unavailable from the internet
- The firewall should block connections starting from the internet
- More ‘how to’ in future blogs…
BUT… don’t install a firewall if it’s going to compromise the security of the device. NEVER, for example, install a firewall on an iPhone
6 Back Up Data
Why? There are four reasons why we should all back up our data
- Mistakes – accidentally deleting data or files, overwriting or entering the wrong data
- Failure – without warning, hardware or software can fail; this can be an issue with the manufacturer or something more mundane, eg caused by a power cut
- Disaster – an unpredicted incident causing unavailability of devices and software eg fire or flood in either office or datacentre, failure of a supplier
- Malicious attack – Cyberattack, software or devices infected with malware, co-workers with malicious intent
No business is immune to such incidents. We should all have some basic plans to ensure that our business can continue to function:-
- Make regular backups of business data
- Have at least 2 copies of backups, and keep them in different places eg one in office and one in cloud
- Test our backups regularly
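As an added illustration of the three backup steps above (example code, not from the original post), this shell script makes a backup of a data folder, keeps a second copy in a separate location and checks that both copies match, then proves the backup can actually be restored. The folder names and sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example: backup, second copy, and restore test. Paths are assumptions.
set -eu

# Step 1: make a regular backup of SRC into DEST; prints the archive path.
make_backup() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" -C "$src" .
  printf '%s\n' "$archive"
}

# Step 2: keep a second copy somewhere else (eg a cloud-synced folder) and
# confirm the two copies are byte-for-byte identical via a checksum.
second_copy() {
  archive="$1"; dest2="$2"
  mkdir -p "$dest2"
  cp "$archive" "$dest2/"
  a=$(cksum < "$archive"); b=$(cksum < "$dest2/$(basename "$archive")")
  [ "$a" = "$b" ]
}

# Step 3: test the backup by restoring it into a scratch folder and comparing
# it with the live data. Succeeds only if every file comes back identical;
# an unreadable or corrupted archive fails the test instead of going unnoticed.
test_restore() {
  archive="$1"; src="$2"
  scratch=$(mktemp -d)
  if tar -xzf "$archive" -C "$scratch" 2>/dev/null && diff -r "$src" "$scratch" >/dev/null; then
    rm -rf "$scratch"; return 0
  fi
  rm -rf "$scratch"; return 1
}

# Constructed sample data so the script runs stand-alone.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/data/invoices"
  printf 'Invoice 0001: 120.00\n' > "$work/data/invoices/0001.txt"
  printf 'name,email\nAcme,info@example.com\n' > "$work/data/clients.csv"
  archive=$(make_backup "$work/data" "$work/office-backup")   # copy 1: office
  second_copy "$archive" "$work/cloud-backup"                  # copy 2: elsewhere
  test_restore "$archive" "$work/data" && echo "backup verified: $archive"
  rm -rf "$work"
}
demo
```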
In this blog I hope I’ve explained why the 6 Cyber Security measures are needed.
My future blogs will provide practical advice on how to do each one.
These measures should be applied to ALL the devices that are used to access and store our business information, regardless of who the device belongs to. When we allow individuals to access email via an app on their smartphones (eg Mail, Gmail or Outlook apps), or to access data on their home PCs, then we should require that they follow the same advice.
More detailed information on each of the topics will follow over the coming weeks.
If you are interested in achieving the Cyber Essentials certification YBC have a discounted offer – read more here.