Top 8 tips to protect your business, manage the risk and help you to recover from a disaster . . . it’s all about getting the basics right
With multiple passwords for numerous sites, it is a natural habit to make your password easy to remember as well as using the same password across all of the sites. Whilst this makes it easy for you, it also makes it easier for hackers too. If hackers get access to one website that holds your details and you use the same email address and password for others, they then have access to any of those accounts.
So what is good practice with your passwords?
- Use a different password for every website, or at the very least for websites that have your personal or financial information
- Password length is more important than complexity X%4_$t0 might look like a good password, but it’s very easy for a computer to crack, whereas RollingTomatoCloudJuice would be extremely difficult to crack (and much easier for a human to remember)
- Don’t use a single word, or even two words from the dictionary for your password – the first thing a computer cracking program will try is every word in the dictionary, and then it will try every combination of two words.
- Don’t substitute numbers or symbols for letters (e.g. replace a with @ or S with 5) – P@55w0rd might look like a good password, but cracking software knows this trick and will try all the combinations of a word with replaced letters
- Don’t use your own name, company name or other personal information such as birth date
Always make sure you update your software. You will often hear software updates being referred to as ‘patches’ or ‘service packs’. Often these will be vital security upgrades responding to new security vulnerabilities. As well as this, the updates also help fix glitches and improve the performance of the software, so updates are important for your business and its productivity.
Internal threats are as big as external – according to Axelos’s Cyber Resilience: Are your people your most effective defence? report, when asked about the greatest source of risk for an information security breach, UK organisations cited:
49% said intentional attacks by external hackers, criminals, terrorists or activists
45% said unintentional error by employees or contractors.
Employee awareness training would address the 45% immediately!
Employees require training that is up to date covering the latest tactics being used, relevant to your business and the jobs they do. Security has to be at the forefront of every employee’s mind to minimise cyber security breaches.
Seeing is believing and a simulation of phishing attacks is often a great starting point for any business. By checking employee’s awareness through simulating attacks, you can congratulate success and provide follow-up materials for those found vulnerable. By engaging and equipping employees to better manage risk, businesses can minimise human error.
Identifying suspicious emails
Even with anti-virus software and firewalls in place, sophisticated phishing emails can still reach your inbox. Some things to look out for:
- Don’t always trust the display name – check the email address that is sitting behind it.
- Links on the email – hover over the link first and see if the address that shows is consistent with the company you think the email is coming from. If you are unsure, open an Internet tab/window and type the main web address e.g. www.companyname.co.uk, in there to see if it is legitimate.
- Don’t give out detailed personal information – legitimate businesses won’t ask you to do this over email.
- Beware of anything ‘urgent’ or trying to create fear. If there was a rush for anything, you are more likely to get a call and if your ‘account has been suspended’, log into that account rather than go through a link on the email to double check.
- Don’t click on attachments in emails you weren’t expecting. This is a common route for hackers to access your systems through malware.
Be sceptical about incoming emails – if it looks suspicious or you weren’t expecting the email, don’t open it and speak to someone in IT who can check it for you.
This is essential for every PC to detect and remove as many threats as possible before causing harm. The software can protect your PC against viruses, Trojans, botnets, Rootkits, rogue security software, ransomware and all types of malicious software.
It can scan incoming emails for attached viruses, monitors files as they are opened or created to make sure they are not infected and performs periodic scans of all the files on your computer. However, it won’t protect you against spam, fraud or criminal activity that is not initiated by a virus and hackers who are trying to break into your computers.
Make sure you keep the software updated and buy reputable software from reputable companies.
Clear screen and clear desk policy
This is simple good practice to lock your screen whenever you are away from your computer. This will stop anyone from seeing anything confidential or anything others shouldn’t generally see. Ideally every computer should be set to automatically lock when it goes to sleep.
A clear desk policy can be used to encourage employees to clear their desks at the end of each day. This reduces the chance of information theft and security breaches caused if sensitive information is left out and visible. And of course, this also makes a good impression if clients come to your office.
Test your back up
Your backup is running every night, isn’t it? When did you last check the amount of data being backed up, whether the right files are being backed up and that the backup is completing successfully every time it is run? What is the password to access the backup? Whose email address is used to access the backup if you need to reset the password? Is that person still with you?
Test the important and most challenging documents such as your mission critical information e.g. email and finance systems, pictures/large files and then randomly select some other files on each test you run.
Organisations need to continually monitor and manage information and processes to mitigate the risk of an attack and the impact of a breach. For example:
- New employee – security training as part of their induction
- Leaver – remove all access to your systems
- New piece of software or more people using that software? Does this affect your recovery plan?
- Employee updates – at least monthly
And finally, if your security and back up processes are working correctly, do you know how to run the restoration process and where you do this? This requires certain skills and software – you need to make sure you have this in place to get back up and running.
We hope you have found this of use. However, if you are feeling overwhelmed about your security and recovery processes and would like to understand more, please call us on 01727 843888 or click here and we will be in touch to discuss this further with you.