The 7-Step Plan for Small Businesses for Essential Cyber Security

We discussed in an earlier blog how 80% of cyber-attacks could be prevented, simply by putting simple cyber security controls in place.

So, what practical measures can help to ensure your business doesn’t fall victim to these avoidable attacks?

1. Install anti-virus software on all PCs and tablets.

This doesn’t have to be expensive or onerous. If you have just a few users, you can protect each computer locally with one of the many affordable, business-quality solutions available.

If you don’t have anti-virus on your machines, make installing one of these business-quality solutions the first job you do today.

2. Update your anti-virus regularly.

Updates are important because they include essential security patches created in response to new and emerging viruses and threats.

If you don’t ensure that you are running the most up-to-date version of your anti-virus software with all the latest security patches, you are leaving yourself open to cyber-attack.

This means saying “yes” to updates and educating users that they need to say “yes” to updates too.

If you have a large number of users, managing all the single free versions of the anti-virus software and ensuring everyone is up to date can become an onerous task.

At this point, it may be worth investing in a small business solution that can cover all users and your central servers and network. This won’t be free, but it might save you money overall, thanks to the reduction in effort.

Good value solutions you might like to investigate include: BitDefender, Avira, Webroot, Symantec, and Kapersky.

3. Don’t run out-of-date software.

As with your anti-virus software, if you don’t ensure that you are running the most up-to-date version of your business applications (that include all the latest security patches) you are leaving yourself open to cyber-attack. Cyber attackers frequently exploit known security weaknesses in common software applications.

You’ll need to ensure that all users are updating their software regularly if you want to ensure you have the best protection against attack.

Again, as with your anti-virus software, this can become an onerous task if you have a large number of users. Tools like SCCM can push updates out to users and help to ensure you aren’t exposed to vulnerabilities.

Managing updates and upgrades is one of the key advantages of cloud solutions – they certainly make the IT administrator role less repetitive. If you’re not already using SaaS versions of your business applications, this might be something you should consider.

Grant McGregor can help you weigh up the alternatives and relevant advantages, as well as helping you with the migration process – speak to one of our consultants if you would like advice about this.

4. Run the latest versions of your operating systems.

One of the reasons the WannaCry "ransomware" spread so virulently through the NHS IT estate was because the virus exploits a Microsoft Windows vulnerability.

Although Microsoft released a patch to fix this vulnerability in March, if this patch wasn’t installed users were still exposed to the vulnerability.

This was made worse in the NHS because so many NHS organisations are still running Microsoft’s XP operating system, an out-dated system which Microsoft stopped supporting in April 2014. When a Microsoft product reaches its “end of support”, Microsoft no longer releases essential security patches for it – which means even if users knew about the problems and wanted to update to protect themselves from the vulnerability they couldn’t.

Microsoft publishes very long lead times when retiring operating systems. It’s vitally important you keep updated with this news and make plans to upgrade your operating systems when appropriate.

If you are running bespoke software, it is even more important to start planning to migrate onto a new operating system early; you will need to talk to your software suppliers to understand what they are doing to support the transition and how they will support your migration.

5. Have backups.

Backup everything. Always. To multiple targets.

If the worst happens, you need to restore your files.

Having a backup also protects you against ransomware attacks because you won’t need to pay a ransom to restore your systems and files.

To protect yourself, making a backup of all your data and systems should be an essential part of your daily processes.

If you can automate the backup process, this is the ideal. That way, you can’t forget to run your backup and find yourself unable to retrieve your most recent files.

With just one or two users, it is simple to find free or cost-effective ways to run backups.

A portable external hard drive, such as the WD My Passport, can be a quick and easy solution. Or, for something a bit more extensive, its My Cloud system is a step up.

For small networks with a number of users, QNAP offer a range of network attached storage solutions (NAS drives) which come with bundled backup software.

Alternatively, a cloud-based backup system can be a cost-effective and low-maintenance solution. Solutions for small businesses include: CrashPlan Pro, MozyPro for Business, CloudBerry Backup Ultimate, and Zetta Data Protection.

Or for virtual environments, the Altaro service is worth investigating.

6. Remember that security isn’t only about technology and processes.

Security is also about people – so don’t overlook this vital factor.

Make sure everyone is aware of the dangers and what to look out for – this will include educating all staff about phishing, spear phishing, clicking on links, installing non-approved software or (especially) freeware, bringing in new devices, and the risks involved in not keeping tight control on data (especially customer data).

Whatever size of business you are, formalising IT security policies is a valuable exercise. Classifying all the data and IT assets in your business, the risks they pose and are exposed to, and the best way to mitigate these threats, forces you to think seriously about IT security.

Once you have been through this process, it can form the basis of staff training and – especially – induction.

Remember that like any other staff development initiative, IT security training isn’t a one off. Assets, risks, and policies need to be reviewed and communicated regularly.

7. Ask for help when you need it.

If you’re not sure where to begin with assessing risks – or think there is more your business could be doing to protect itself from cyber-attack, then seek professional assistance.

If you lack the skills internally, or aren’t confident in your IT abilities or knowledge, don’t wait for an attack to happen before you reach out. There is a lot of advice available, including government and sector-specific resources.

Grant McGregor’s specialist advisors can help you apply this advice and good practice to your small business. Don’t muddle along and leave yourself exposed to unnecessary risk, when you could easily ask for practical help.

Where to start?

If you want to embed knowledge in your organisation and demonstrate your commitment to IT security, the UK Government’s new Cyber Essentials accreditation is a good place to start.

Grant McGregor can help you to prepare and apply for a Cyber Essentials accreditation. If you’d like to know more, please get in touch 0808 164 4142.

Photo by Hope House Press on Unsplash