3. Business Online Safety
Online Business Security
For detailed advice, please refer to the National Cyber Security Centre’s advice for small businesses, which can be found here.
Backup your data
You should identify all your essential data, i.e. all the information your business cannot function without. Normally this will be documents, photos, emails, contacts and calendars, most of which are kept in just a few common folders on your computer, phone, tablet or network. It is important to keep your backups separate from your computer. You could consider adopting the ‘3-2-1’ strategy: three copies of your data, held on two different media that are not permanently connected to your main network, with one copy kept offsite.
Patch your systems
For all IT equipment, make sure that software and firmware are always kept up to date. Applying updates is one of the most important things you can do to improve your organisation’s cyber security. Your applications, operating systems, programs and phones should be set to auto-update wherever this is an option. If you have ‘legacy’ software (software that is no longer supported by the manufacturer) you should consider replacing it with a modern alternative.
Protect your organisation from malware
Install and turn on antivirus and anti-malware software. Antivirus software, which is often included for free within popular operating systems, should be used on all computers and laptops. Smartphones and tablets may require a different approach.
Protect your mobile devices and tablets
You should only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or the Apple App Store). Apps in these stores are checked, which provides a certain level of protection from malware that might cause harm. You should prevent staff from downloading third-party apps from unknown vendors or sources, as these will not have been checked. Make sure that you also install antivirus and anti-malware software on your devices where possible.
Principle of least privilege
Staff accounts should have only the access required to perform their role, with extra permissions (for example, administrator rights) given only to those who need them. Where administrative accounts are created, they should be used only for the specific tasks that need them, with standard user accounts used for general work. By applying the principle of least privilege, if a member of staff with limited access were accidentally to download a malicious file, the damage done would be contained. If somebody with full access were to do the same, the damage would be significantly worse.
Restrict the use of removable media
Ensure that USB port access is blocked, and that if a removable device has to be used it is checked and approved by the company first. If staff members need to transfer data between machines, encourage the use of secure cloud transfer services instead. It only takes one infected removable device to cause significant damage to an organisation.
For further advice, please refer to the NCSC pages for businesses, charities, clubs and schools here. If you are a larger organisation (250 employees or more, with a dedicated IT team) please refer to the large organisation guide here.
- Use three random words to create a strong password. A good way to create a strong and memorable password is to combine three random words. Numbers and symbols can still be used if needed, for example 3redhousemonkeys27!
- Switch on password protection (a screen-lock password, PIN or other authentication method).
- Consider using encryption products on your desktop and laptop computers, such as BitLocker (using a Trusted Platform Module together with a PIN required at start-up) or FileVault.
- Switch on 2FA (two-factor authentication) for your accounts. 2FA requires two different methods to ‘prove’ your identity before you can use a service, generally a password plus one other method.
- Help your staff avoid ‘password fatigue’ by NOT enforcing regular password changes unless a breach is suspected. Another NCSC suggestion is to provide secure storage so staff can write down passwords for important accounts (such as email and banking) and keep them safe (but not with the device itself).
- Make sure staff are able to reset their own passwords easily.
- Consider the use of password managers.
- Make sure that all default passwords are changed on office and network equipment like routers, smartphones, laptops and firewalls.
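The ‘three random words’ advice above only works if the words really are random and drawn from a reasonably large list; words a person picks for themselves (a colour, a pet, a street) carry far fewer bits. The following is an added example, not code from the NCSC or from this guide: it picks the words with the operating system’s cryptographic random source and reports the entropy of a given configuration so that a policy can be checked. The short word list embedded here is constructed for the demonstration only; the 7,776-word figure used in the comments is the size of a typical published diceware list.

```python
import math
import secrets

# Constructed demo word list (20 words). A real deployment would use a large,
# published list such as a 7,776-word diceware list; this short list exists
# only so the example runs offline, and the entropy figures below show why a
# list this small is not good enough on its own.
WORD_LIST = [
    "red", "house", "monkeys", "river", "candle", "orbit", "pillow", "forest",
    "marble", "window", "copper", "tunnel", "garden", "violin", "lantern",
    "meadow", "puzzle", "saddle", "thunder", "velvet",
]


def three_random_words(words=WORD_LIST, count=3, separator=""):
    """Return `count` words chosen uniformly at random from `words`.

    secrets.choice is used rather than random.choice: random.choice is a
    seedable pseudo-random generator and is not suitable for credentials.
    """
    if len(words) < 2:
        raise ValueError("word list too small to be useful")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(word_count, list_size):
    """Entropy in bits of `word_count` words drawn independently and uniformly
    from a list of `list_size` words: word_count * log2(list_size).

    Example: 3 words from 7,776 gives about 38.8 bits; 3 words from the
    20-word demo list gives only about 13 bits.
    """
    if word_count < 1 or list_size < 2:
        raise ValueError("need at least one word drawn from two or more")
    return word_count * math.log2(list_size)


def meets_minimum(word_count, list_size, minimum_bits=40.0):
    """Policy check: does this word count and list size reach `minimum_bits`?

    The 40-bit default is an assumed illustrative threshold, not an NCSC figure.
    """
    return passphrase_entropy_bits(word_count, list_size) >= minimum_bits


if __name__ == "__main__":
    print("sample passphrase:", three_random_words(separator="-"))
    for n_words in (3, 4):
        for size in (len(WORD_LIST), 7776):
            bits = passphrase_entropy_bits(n_words, size)
            print(f"{n_words} words from {size:>5} -> {bits:5.1f} bits,"
                  f" meets 40-bit minimum: {meets_minimum(n_words, size)}")
```

Running it shows that three words from a 7,776-word list falls just short of an assumed 40-bit threshold while four words clear it comfortably, which is why the advice pairs ‘three random words’ with the option of adding numbers or symbols.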
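To make the 2FA point above concrete, here is an added example (not code from the NCSC or from this guide) of a login check that requires both factors: a password verified against a salted PBKDF2 hash, and a time-based one-time code of the kind an authenticator app produces (TOTP, RFC 6238, built on HOTP, RFC 4226). The account record, salt and password are constructed for the demonstration; the TOTP secret is the RFC 6238 test-vector secret and must never be used for a real account.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` steps either
    side, which tolerates small clock drift between phone and server.
    hmac.compare_digest keeps the comparison constant-time."""
    if unix_time is None:
        unix_time = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    current = unix_time // step
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + offset, digits), submitted):
            return True
    return False


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is kept modest so the
    example runs quickly and should be raised for production use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def login(record, password, code, unix_time=None):
    """Two factors: something you know (password) and something you have
    (the device holding the TOTP secret). Both checks always run, so a
    wrong password does not reveal whether the code was right."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return pw_ok and code_ok


# Constructed demo account. The secret is the RFC 6238 test-vector value,
# chosen only so the codes can be checked against the published vectors.
DEMO_SALT = b"constructed-demo-salt"
DEMO_SECRET = b"12345678901234567890"
DEMO_RECORD = {
    "salt": DEMO_SALT,
    "pw_hash": hash_password("three random words", DEMO_SALT),
    "totp_secret": DEMO_SECRET,
}

if __name__ == "__main__":
    now = int(time.time())
    print("current code for the demo secret:", totp(DEMO_SECRET, now))
    print("login with both factors:", login(DEMO_RECORD, "three random words",
                                            totp(DEMO_SECRET, now), now))
    print("login with password only:", login(DEMO_RECORD, "three random words",
                                             "000000", now))
```

The RFC 6238 vectors confirm the arithmetic: at time 59 the 8-digit SHA-1 code for the test secret is 94287082, so the 6-digit code is 287082. A stolen password alone fails the `login` check, which is the whole point of switching 2FA on.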