Cyber attacks affected 31% * of small businesses according to a 2019 survey performed by the UK Government. Despite the drop in the number of businesses affected (42% said they had experienced a cyber attack or breach in the 2018 survey +), these kinds of attack continue to be a problem, with businesses losing files or network access, experiencing downtime on their websites, or having systems corrupted or damaged. That same survey reported that the annual average cost of recovering from lost data or assets ran to £3,650 * – a significant expenditure for a smaller business.
There is no one solution to the issue of cyber security – true protection requires a holistic approach that includes both human and technological solutions – but there are a number of measures that a business can put in place to reduce the risk or at least the impact of cyber threats.
You protect your business premises from unwanted access by locking the doors, so it would make sense that you do the same for your systems – especially if they are connected to the internet.
1. Virus and Malware Identification
This can be a plugin on your email client scanning incoming mail for attachments, or a program on your computer to scan its files. Some programs can remove or isolate viruses, others prevent identified viruses from running.
To shield your network from intruders looking to exploit vulnerabilities, you should employ a firewall. Firewalls can be set up and managed by your in-house IT team or through an external provider if you don't have the right staff.
Encourage the use of password management software so that your employees are more likely to use longer, more secure passwords for their devices.
Two factor-authentication is also a great way to reduce risk. Mobile phone apps or login keys that generate unique codes mean that access can only be granted with access to these devices.
Make sure that there are multiple levels of trust within your organisation – only those who are trusted the most should have access to all files or the ability to perform all actions. For example, you can prevent employees who don't need to see sensitive client information from accessing it, or stop them from deleting important files.
For a structured and guided implementation of information security measures, frameworks such as Cyber Essentials, ISO 27001 or BS 10012 can help. These frameworks not only ensure that your business has measures in place to address information security concerns, but some allow you to prove that you are following those recommendations with an accreditation or certification process.
With up to 80%* of the data breaches stemming from employees unwittingly installing malware, focusing on your employees can reduce your risk greatly.
To reduce the risk to your business and the information you hold on your customers, it is important to train your staff. Their actions, or lack thereof, can affect the security of your business so they need to know what is expected from them, and be clear on what to do if they spot an issue.
Phishing is a particular risk area as the techniques used are getting more and more sophisticated. Training your employees on how to identify phishing attempts, and what to do with unrecognised emails or attachments is an important data breach prevention technique.
Your files not only help you run your business, they can contain sensitive client data. Protecting these files is therefore paramount.
A backup is a copy of an important file, allowing that file to be restored should the original be lost or deleted.
Although not a preventative measure, regular backups of company files as well as an effective disaster recovery plan can help to restore a business to a workable state should the worst occur.
Encryption of files renders them useless without a special key needed to decode the file again. Think of it as translating your file into a language that no-one can read without a code to decrypt it. It is especially important to encrypt sensitive information such as passwords.
Again, encryption is not a preventative measure but acts as damage mitigation should your files be stolen.
Whether you are answering emails on the go, or have team members working from home, remote working is a potential risk to your information security.
9. Remote Access
If you allow employees to work from home, consider how they are accessing your network. You may wish to consider having employees login using a Virtual Private Network (VPN) which usually come with security features that will reduce the risk of unauthorised access to your network.
10. Device Management
Consider how your remote workers access your network and emails – is this from a personal device? If so, this is a high risk to the security of your business. With personal devices, there is a higher risk of them being used on websites or having apps installed that contain malware. If a personal device is infected with a virus, this could then infect your business network too.
Most companies have a strict policy for the use of personal devices, and some ban them outright due to the complications they cause.
QMS have produced a visual guide to cyber security which provides an overview of some of the most popular information security products available, and which areas they cover. This guide will enable you to see which products offer the level of cover you need for your business.
To find out more about information security, or how QMS can help your business, please get in touch with one of our helpful Certification Development Consultants on 0333 344 3646 or email firstname.lastname@example.org.