Cyber security for your business
Cyber security is essential for all businesses and needn’t be daunting. Following our guidance can significantly reduce the chances of you and your business becoming a victim of cyber-crime.
You can also read more about keeping your small business safe online in the National Cyber Security Centre’s Small Business Guide.
Operating online – simply using email or having a website – creates the risk of cyber attack. If you want to protect your business, then understanding and implementing basic cyber security measures is critical.
Back up your data
No matter what size your business is, you should regularly back up your data and make sure it can be restored. This will help to ensure the business can still function if there's a fire, flood, physical damage, theft or ransomware attack.
What to consider when backing up your data
What do you need to back up?
You should regularly back up the data your business needs to run. This could include documents, photos, emails, contacts, or calendars.
Store your backed up data on a separate device
This can be on a USB stick, a separate drive or computer. Restrict access to these data backup devices so that they are:
- Not accessible by staff
- Not permanently connected (either physically or over a local network) to the device holding the original information. A local network is a collection of devices connected in one physical location, such as a building, office, or home.
A useful rule for backups is that you should have three copies of your data, on two separate devices, one of which is offsite (not in the same place as your main copy).
If you store your backup data in a different location and a fire or theft occurs, you will be able to recover your critical data and get back to work.
Using cloud storage, where a service provider stores your data on their infrastructure (which is a collection of hardware and software) means your information is physically separate from your location. Service providers can supply your organisation with data storage and web services without you needing to invest in expensive hardware. Most providers offer small businesses a limited amount of storage space for free and larger storage capacity for minimal costs.
Read the National Cyber Security Centre’s (NCSC) cloud security guidance collection alongside their Small Business Guide Step 1 to help you decide if a cloud service is secure enough to handle your data.
Back up your data as part of your everyday business tasks
Backing up data is not as time-consuming as you may think. Most network or cloud storage solutions can be configured to back up your data automatically. This saves you time and ensures you have the latest versions of your files. You should set automated backup periods that work for your business.
Most off-the-shelf backup solutions are easy to set up and affordable. When choosing a solution, consider how much data you might need to back up and how quickly you need to access this data following an incident.
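The guidance above stresses two things that are easy to skip: keep the backup on a separate device, and make sure it can actually be restored. The script below is an added example, not part of the original guidance or any product it mentions. It copies a folder of constructed sample files to a directory standing in for a separate backup device, writes a SHA-256 manifest next to the copies, then restores the backup into a fresh location and checks every file against the manifest. It also corrupts one backed-up file on purpose to show that the restore check catches silent damage. All paths and file contents are constructed for the demo.

```python
"""Added example (not from the original guidance): back up a folder to a
separate location, write a SHA-256 manifest, then prove the backup can be
restored by copying it back and checking every file against the manifest.
Paths and file contents are constructed here so the script runs offline."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source: Path, backup_root: Path) -> dict:
    """Copy every file under source into backup_root and return a manifest
    mapping relative path -> SHA-256. The manifest is also written next to
    the copies so a later restore can be checked without the original."""
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source)
        target = backup_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[rel.as_posix()] = sha256_of(target)
    (backup_root / "MANIFEST.txt").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items())
    )
    return manifest


def restore_and_verify(backup_root: Path, restore_to: Path) -> list:
    """Restore the backup into restore_to and return the list of files whose
    hash no longer matches the manifest (an empty list means a good restore)."""
    manifest = {}
    for line in (backup_root / "MANIFEST.txt").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    bad = []
    for rel, digest in manifest.items():
        src = backup_root / rel
        dst = restore_to / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        if not src.exists():
            bad.append(rel)
            continue
        shutil.copy2(src, dst)
        if sha256_of(dst) != digest:
            bad.append(rel)
    return bad


def demo() -> dict:
    """Run the whole cycle on constructed data: back up, restore cleanly,
    then corrupt one backed-up file and show the check catches it."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    source = work / "documents"   # the "live" business data (constructed)
    device = work / "usb-stick"   # stands in for the separate backup device
    (source / "invoices").mkdir(parents=True)
    (source / "invoices" / "2024-01.txt").write_text("Invoice 1: 120.00")
    (source / "contacts.csv").write_text("name,email\nA. Supplier,a@example.com\n")
    (source / "calendar.ics").write_text("BEGIN:VCALENDAR\nEND:VCALENDAR\n")

    manifest = backup(source, device)
    clean = restore_and_verify(device, work / "restore-1")

    # Simulate silent corruption (bit rot, partial write) on the backup media.
    (device / "contacts.csv").write_bytes(b"name,email\n\x00\x00corrupted\n")
    after_corruption = restore_and_verify(device, work / "restore-2")

    shutil.rmtree(work)
    return {
        "files_backed_up": len(manifest),
        "clean_restore_problems": clean,
        "corruption_detected": after_corruption,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints three files backed up, no problems on the clean restore, and `contacts.csv` flagged after the corruption. The same restore-and-compare step is what a scheduled backup job should run periodically: a backup that has never been restored is only a hope.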
Keep mobile devices safe
Mobile devices – from smartphones to laptops – are essential to modern business. Even phones and tablets can be as powerful as desktop computers, and need even more protection as they often leave the safety of the workplace.
Keep your device secure by:
- Switching on password, PIN or biometric (e.g. fingerprint or face recognition) protection. A strong PIN or password can be used to prevent criminals from accessing data
- Ensuring lost or stolen devices can be tracked, locked or wiped
- Regularly updating your devices’ operating system. Tell your staff how important these updates are, as they contain critical security updates to protect the device
- Encrypting your device. For laptops and PCs, use an encryption product (such as BitLocker for Windows). Most modern devices have encryption built in, but encryption may still need to be turned on and configured, so check you have set it up.
- Keeping your apps up to date. Like the operating systems on your organisation's devices, all the applications you have installed should also be updated regularly
- Not connecting to unknown Wi-Fi Hotspots. If you connect to these, someone could access what you're working on and personal login details
Use strong, separate passwords for your email and social media accounts
Your most important, key accounts will include email, banking apps, and your mobile devices. You should use strong passwords for these accounts which are not shared with any other account you use.
Email is particularly important, as if a hacker gets into your email account, they could:
- Reset your other account passwords
- Access information you saved about yourself or your business
Tips for creating and protecting your passwords
Ensure you use password protection
Set a screen lock password, PIN or other authentication method (such as fingerprint or face unlock) on your devices.
Use two-factor authentication (2FA) for important accounts
2FA (also known as multi-factor authentication, or MFA) requires two different methods to prove your identity before you can use a service. One factor is usually a password, while the second is often a code sent to your mobile phone or registered email address, or generated from your bank's card reader.
Change default password
- One of the most common mistakes is not changing the manufacturers' default passwords on smartphones, laptops and other equipment. Ensure you change all default passwords before distributing devices to staff
Avoid predictable passwords
- Avoid using number or letter sequences such as 12345, or guessable passwords such as your pet’s name. Instead, try using three random words, which is an excellent way to create a strong, unique password that you will remember
Use a password generator
- Online password generators create and store strong passwords for you, and make it possible to have a different password for every account
Avoid phishing attacks
A phishing attack is when scammers send fake emails to thousands of people asking them to click on a link or provide sensitive information. Phishing emails are becoming harder to spot, but some things to look out for are:
- Authority - Is the message claiming to be from someone official? For example, your bank, doctor, a solicitor, or a government department. Criminals often pretend to be important people or organisations to trick you into doing what they want.
- Urgency - Are you told you have a limited time to respond (such as 'within 24 hours' or 'immediately')? Criminals often threaten you with fines or other negative consequences.
- Emotion - Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
- Scarcity - Is the message offering something in short supply, like concert tickets, money or a cure for medical conditions? Fear of missing out on a good deal or opportunity can make you respond quickly.
- Current events - Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.
Look out for unusual requests from people you work with – for example making a payment to a different account or by a different method. If in doubt, contact the person using details you already have for them (not those given in the email) and ask if the request is genuine.
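The cues listed above (authority, urgency, emotion, scarcity) and the "unusual payment request" warning can be turned into a simple triage aid for a shared mailbox. The script below is an added example, not part of the original guidance or of any reporting service it names. It takes a standard-library `EmailMessage`, checks two header and link details that often accompany these cues (a Reply-To address on a different domain from the sender, and link text that shows one domain while pointing at another), and then searches the subject and body for a short phrase list per cue. The sample messages and phrase lists are constructed for the demo; a real deployment would tune the lists to its own traffic.

```python
"""Added example (not part of the original guidance): score an incoming
email against the phishing cues from the text plus two header/link checks.
Sample messages and the CUES phrase lists are constructed for this demo."""
import re
from email.message import EmailMessage

# Cue -> phrases. Deliberately short; tune to your own mailbox in practice.
CUES = {
    "authority": ["your bank", "hmrc", "solicitor", "government", "chief executive"],
    "urgency": ["within 24 hours", "immediately", "urgent", "final notice"],
    "emotion": ["account suspended", "legal action", "you have won"],
    "scarcity": ["limited", "only a few", "last chance", "exclusive offer"],
    "payment change": ["new bank details", "different account", "updated account number"],
}
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(text: str) -> str:
    """Lower-cased domain from an email address, a URL, or a bare hostname."""
    text = text.strip()
    m = re.search(r"@([\w.-]+)", text) or re.search(r"https?://([\w.-]+)", text)
    if m:
        return m.group(1).lower()
    if re.fullmatch(r"[\w-]+(?:\.[\w-]+)+", text):
        return text.lower()
    return ""


def phishing_indicators(msg: EmailMessage) -> list:
    """Return human-readable reasons this message deserves a second look.
    An empty list does not mean the email is safe, only that none of these
    simple cues fired."""
    found = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        found.append(f"reply-to domain {reply_to} differs from sender {sender}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for href, text in LINK_RE.findall(body):
        shown = domain_of(text)
        if shown and shown != domain_of(href):
            found.append(f"link text shows {shown} but points to {domain_of(href)}")

    # Strip tags before phrase matching so markup cannot hide a phrase.
    haystack = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    for cue, phrases in CUES.items():
        hits = [p for p in phrases if p in haystack]
        if hits:
            found.append(f"{cue}: {', '.join(hits)}")
    return found


def sample_phish() -> EmailMessage:
    """Constructed message showing several cues at once."""
    msg = EmailMessage()
    msg["From"] = '"Your Bank" <alerts@mybank.example>'
    msg["Reply-To"] = "support@mybank-verify.example"
    msg["Subject"] = "URGENT: account suspended - verify within 24 hours"
    msg.set_content(
        "<p>Dear customer, your bank has detected unusual activity.</p>"
        '<p>Please <a href="https://mybank-verify.example/login">'
        "https://mybank.example/login</a> immediately to avoid legal action.</p>",
        subtype="html",
    )
    return msg


def sample_legit() -> EmailMessage:
    """Constructed ordinary message that should trigger nothing."""
    msg = EmailMessage()
    msg["From"] = "jo@oursupplier.example"
    msg["Subject"] = "Minutes from Tuesday's meeting"
    msg.set_content("Hi, the minutes are attached. Let me know if I missed anything. Jo")
    return msg


if __name__ == "__main__":
    for reason in phishing_indicators(sample_phish()):
        print("-", reason)
    print("legit message indicators:", phishing_indicators(sample_legit()))
```

The output for the constructed phishing sample lists the mismatched Reply-To domain, the link whose visible address differs from its target, and the authority, urgency and emotion phrases it contains; the ordinary message produces an empty list. The checks are a prompt for the advice in the text, not a replacement for it: a message that scores zero can still be a well-crafted scam, and the right response to an unusual request remains contacting the sender through details you already hold.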
If you have received an email which you’re not quite sure about, don't use the links or contact details in the email. Instead, forward it to the Suspicious Email Reporting Service (SERS) at email@example.com
Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks. If you are unsure about where to start to prepare for Cyber Essentials, the Cyber Essentials Readiness Tool can help. It’s a series of questions that have been developed to lead you through the main parts of the Cyber Essentials requirements and will start you on your journey towards becoming Cyber Essentials certified. Check if your business is ready to become Cyber Essentials certified.