Cyber threats, hackers and online criminals pose a significant risk to your business, so protecting your IT system and the information it holds is critical. An IT system failure or data loss can be catastrophic for your reputation and your future.
Thankfully, improving your digital security is straightforward. You'll need to ensure that your crucial IT systems are protected, and the data they hold is safely stored. But you also need to improve your physical security too. An effective backup routine is important and can get you back on track if things go wrong.
1. The threats
Computer viruses could infect your IT system
- Viruses are malicious computer programs created to damage IT systems and steal your data.
- Some viruses can be relatively harmless. For example, they may flash an annoying message on your screen. Adblockers can often remove these annoying and intrusive adverts.
- However, some are very dangerous. They can destroy data and disable your systems.
- Anti-virus software can protect your IT systems from attack, but only if it's updated regularly.
Spyware could become installed on your computers
- Spyware is a type of software which runs on your computer without you knowing about it.
- It secretly sends details of the websites you visit to someone else.
- Some spyware may record information that you enter online. For example, it may note your online banking login details, and send them to fraudsters who can then access your business bank account and transfer funds.
- Spyware can also slow down your computer, affecting its performance and your productivity.
You could be victim of a phishing scam
- Phishing scams involve fake emails and websites created by hackers who pose as legitimate companies or organisations.
- They try to dupe you into entering sensitive information into a website, like your name and bank details.
- This information can be used to steal your identity and/or your money.
- Phishing scams can be highly sophisticated and difficult to spot.
- Always exercise caution and if you are suspicious then trust your feelings.
Trojans could become installed on your system
- Trojans are harmful pieces of software which appear to be useful, but actually damage your computer's systems.
- Much like viruses, they can destroy data and cause serious harm to your business.
You could have problems dealing with spam
- Spam is another term for junk email. It is also sometimes called 'unsolicited bulk email'.
- Receiving a large volume of spam can clog your email system.
- Spam messages often contain offensive or illegal content.
- Some spam promotes further scams; for instance, phishing emails are a kind of spam.
- Your email system could be hijacked to send spam. This can cause your server to be blacklisted, so you cannot send or receive legitimate messages.
You should also consider physical security threats
- An unlocked computer may be accessed by an intruder or criminal who can access your online systems.
- A lost or stolen laptop, mobile phone or tablet that hasn't been disabled or blocked could give someone access to your IT system.
- Fire, flood and other natural disasters could damage key hardware.
2. Security software
Install comprehensive security software on every computer in your business
- High-quality security software should include all the key protection you need.
- It is usually easier to buy a suite of security products, but you can buy each piece of software separately. For example, you can buy separate virus and firewall software.
- At a minimum, a computer security suite should include virus and Trojan protection, spyware protection and a firewall.
- Many packages also include spam filters, anti-phishing functions and more.
- The software should be set up so that it scans every computer regularly for threats.
- Security software should run automatically and be set up so that your employees cannot disable it.
- You should regularly check the status of your anti-virus software and review any threats or attacks that your business has been exposed too.
Only use security software from reputable companies
- Free anti-virus software may not provide total protection for your business. We recommend investing in a brand that you can trust.
- You can check out user-reviews and ratings online to see others' experiences.
- Well-established security software is available from trusted brands including McAfee and Symantec.
Make sure your firewalls are set up correctly
- A firewall blocks dubious internet traffic and stops hackers from attacking your network.
- At minimum, ensure there's a firewall on every computer in your business.
- Consider adding a hardware firewall too. This sits between your company network and the web, providing a first line of defence.
- If you have a server, a hardware firewall is essential.
- Firewalls should be set up to allow only essential network traffic through.
Keep all security software up to date
- New security threats are identified daily.
- Security software companies regularly update their packages to protect against new risks.
- Set your security software to check for updates at least once a day.
- While anti-virus software should protect you from most viruses and threats, hackers and cyber-criminals are sophisticated, so stay vigilant to emerging threats.
- You should ensure that all other software your business uses is regularly updated too. Hackers can exploit vulnerabilities in software that hasn't been updated, or 'patched'.
- Ensure al staff are aware of the importance of keeping anti-virus and security systems updated.
3. Software control
Any software from outside your system can create a security risk
- External software installed on your system may have security weaknesses or could create vulnerabilities in your system. For example, software which allows external access to your network can become compromised.
- The software may be infected with a virus or leave your systems or network vulnerable to attack.
Control software installation
- Staff should only use and install software that has been approved for use and is relevant to the business.
- Ensure only designated employees have the authority to install software and carry out regular software audits to identify unauthorised installations.
- Software downloaded from dubious sources is a major source of security problems.
- You should ave appropriate licenses for all software that you use. As a director you can be prosecuted and fined if your company uses pirated software.
Keep all your software up to date
- Software manufacturers release regular updates to fix bugs in their programs.
- Install updates as soon as possible once they are released. Most software programmes, including Microsoft Windows and Microsoft Office, will update automatically.
- Updates can occasionally conflict with other programs. If you have a large number of computers, test updates before rolling them out across your business.
4. Access control
You can reduce security threats by controlling access to your systems.
Provide each employee their own username and password
- Your staff should be required to log in to use any part of your systems.
- Set up the network so that employees can only access the parts of the system they need. For example, only those in the HR department should be able to view employee records.
Establish password control procedures
- Use strong passwords. They should be longer than eight characters and use upper- and lower-case letters, numbers and symbols.
- Many operating systems (such as Microsoft Windows) can be set up so employees are forced to choose strong passwords.
- Make sure passwords are kept secure. For instance, advise employees not to write their passwords down.
- Do not let employees share log in details.
- Make sure employees lock computers or log off when they leave them unattended, even when leaving their desk for a few minutes.
- Change passwords regularly. You may want to set them to expire every month, so users are forced to change them.
- Change passwords when an employee leaves, or when a security breach is suspected.
- Promptly remove the accounts of former employees once they have left the business.
- Consider creating a password policy for your business.
If you allow remote access, it is wise to add additional checks
- A virtual private network (VPN) is the most secure way to provide remote access to your network.
- For additional security, many VPNs require users to insert a smartcard in addition to entering a username and password.
- Setting up a VPN can be complicated. Your IT administrator or supplier can advise on the most appropriate VPN for your business.
Control points of entry through which problem material could enter your system
- Make sure material entering your system is automatically checked for viruses.
- Consider disabling disk drives and USB ports on computers to prevent employees copying files onto your system.
- Ensure that wireless networks are using appropriate wireless security settings.
- Regularly change your wifi password and don't make it publicly visible or share it with people outside your organisation.
- Get staff to sign-up to a digital security policy with clear guidelines on acceptable use and the dangers of accessing or downloading non-work-related material.
- Advise staff never to download attachments from unknown sources, including private email accounts.
Without regularly backing up your information and files, any loss of your business data could be disastrous.
A backup system creates a safe copy of your important business data
- If anything goes wrong with your systems, you can restore the data from the backup and continue working.
- Backups do not help prevent security problems, but they do make recovery easier.
Your backup system should be robust
- You can backup files onto removable media, such as external hard-drives, or to the cloud.
- Online backup services allow you to run backups across the internet. They can be very convenient but ensure the backup company is trustworthy.
- As a director, you are responsible for GDPR, including where customer data and information is stored, do ensure all backups are protected.
Put procedures in place to ensure your backups run correctly
- Create a procedure for taking partial and complete backups.
- Make one staff member responsible for ensuring the process works. Appoint a deputy to cover for their absence.
- Software is available to automate backups. Microsoft Windows includes a basic backup application that will ensure all software is updated to the latest, and most secure, version.
Regularly test your backup procedures
- Many firms only discover their backup procedures have failed when trying to restore data after a disaster.
- You should test a full restore from your backup media every three months.
- Identify any weak points. For instance, does it take a long time to restore your data? Are you saving everything you need or are there files or folders missing?
- Make contingency plans for disaster recovery. For example, what would you do if both your system and your backups became infected by a virus?
You may benefit from seeking help with your backup strategy
- Backups can save your business. If you lack in-house expertise, ask your IT supplier for assistance, or bring in a security consultant.
6. Physical security
You should take precautions to secure your hardware from theft and physical damage.
Isolate and protect your most important hardware
- Make sure critical hardware is kept in a secure location. For instance, your server can be locked in a separate server room with restricted access.
- Make sure you control the environment your servers are kept in.
- Ensure servers are regularly serviced according to the manufacturer's maintenance schedule.
Be aware of the risks posed by unforeseen events and natural disasters
- Water damages and destroys computer hardware. Keep all servers off the floor in case of flooding.
- Install a fire suppression system in your server room.
- Have a plan in place so you can relocate your main server(s) if necessary.
- Server rooms require ventilation and cooling. Regularly check the temperature of your server room and consider installing a temperature alarm.
Keep individual computers secure
- Encourage your employees to follow good practice when out and about with IT equipment. For instance, issue employees with plain laptop bags or sleeves, rather than prominent branded bags.
- Staff must always lock their devices when they are not being used.
- Keep a log of all company IT equipment that can access your network and regularly check it.
- Immediately disable any lost or stolen equipment that can access your network.
Control how data is distributed in your business
- Do not allow employees to store sensitive data on their own computers. Instead, keep it on your server or password-protected cloud storage.
- Consider encrypting the hard drives of laptop PCs. This ensures thieves will be unable to access the data if the machine is lost or stolen.
- Avoid copying important data onto removable media like memory sticks. If you have to do this, ensure the data has been encrypted first.
The biggest risk for most businesses comes from their employees
Deliberately or accidentally, an employee may:
- fail to follow security procedures (for example, using another employee's password to save time);
- load harmful software onto computers;
- reveal confidential security information;
- fail to install essential security updates;
- bypass or disable security software.
Where appropriate, make security a recruitment issue
- The person who controls your passwords and security procedures is the greatest risk.
- Test attitudes to security in interviews and check the qualifications and references of IT employees carefully.
Make security a part of employees' contracts
- Clearly set out your security procedures and policies. Include computer security training in your staff induction sessions.
Contractors and temporary workers are a specific risk
- Issue them with their own passwords. Only give them limited access to your systems.
- Create accounts for temporary staff that expire automatically.
Your security will not work unless you set up good procedures and follow them
- Make security a key element of your internet and email policies and distribute them to all employees.
- Taking immediate disciplinary action for security breaches can be counterproductive, encouraging employees to cover up future problems. Apportioning blame is less important than fixing the problem.
- Try to create a culture where everyone helps to identify potential security issues.
Assign clear responsibility for security
- Your network administrator is usually responsible for selecting and implementing security solutions.
- Senior management must take overall responsibility. Directors can be held legally liable for the security of certain types of data.
- Taking security precautions could save your business, so bring in a consultant if you lack in-house expertise.
"Protecting your business against Internet problems isn't difficult, but it is important. According to the government's latest figures, nearly half of all small businesses and three-quarters of larger companies had a security incident in the last year." - Tony Neate, Get Safe Online