Top Tips to Improve Your SME’s Cyber Security
The recent cyber-attack which claimed the National Health Service among its worldwide victims has highlighted the need for organisations of all sizes to take proper internet safety precautions.
At Basepoint, as a supplier of managed offices to let, we are committed to giving help and support to all the businesses based in our centres. Here are our top tips for SMEs to help you minimise the risk of any internet-related attack.
Updating Your Systems
To keep your business safe, you will need to ensure there are no weak links in terms of either hardware or software. This means not only having computers and programs which are suitable for your needs, but ensuring they are constantly updated. It is important that software updates and patches are loaded as soon as they appear, to avoid risks from the latest threats.
The same applies to anti-virus software. It could be well worth spending a bit more on installing a program with a good reputation to provide sophisticated protection.
Firewalls are another important tool, since they act as a buffer between your SME and the outside world and stop people or systems from reading, adding or altering data in your files. Businesses are also increasingly taking the step of encrypting data, so that, if sensitive data does fall into the wrong hands, it cannot be read.
You might also need to make policy decisions about who has access privileges to what. Restricting entry to parts of the system will give your data greater protection.
Best Practice over Security
Many SMEs will not have a separate IT department. This means that each member of staff will need to know what best practice is when it comes to internet security. You need to make sure that this is clearly spelt out, whether in a policy document or in their employment contract, and also that staff members are regularly reminded about the precautions to take.
There are a number of safeguards which, if followed by all staff, should greatly reduce the risks. These include:
- Being aware of suspicious emails. The risk of viruses being transmitted by this method is well-known, but, as the recent NHS incident showed, emails can also contain attachments known as ‘ransomware’. Once opened, one of these attachments locks a computer or device and demands payment to unlock it. Staff should be trained to look for suspicious or unexpected messages, maybe from someone who is not on your list of regular clients.
- Guarding against data being taken away. This means not letting people download valuable information onto a memory stick or laptop or other non-secure device, as there is a risk it could then be lost or left behind somewhere. As well as losing potentially sensitive information, you could also be more vulnerable to a cyber-attack.
- Being wary of the damage that can be done by cross-contamination. It is possible to transfer a virus from a staff mobile to a main computer system. You should also be wary of allowing people such as outside contractors access to your system, for similar reasons.
- Keeping passwords protected. Encourage members of staff to make any passwords they choose as complicated as possible, and to change them at regular intervals.
Planning for the Worst
The old adage of ‘fail to prepare, prepare to fail’ applies just as much to internet security as anywhere else. It should be everyday practice to back up all your files, so if the office system goes down you will still be able to retrieve your data. Cloud-based systems are now often preferred to a hard drive as back-ups, but of course you will want to make sure that any cloud system has high levels of security.
You might also consider having a Plan B in place in the case of a cyber-attack; for instance, by arranging for some staff to work remotely on a temporary basis if computers are down. However, another factor to bear in mind here is that devices in employees’ homes can be just as vulnerable to attack, if not more so, so you might need to check on the level of security they have before you explore this option.
Keep Updating Your Policy
Internet security is not something which stands still; you should constantly be updating not just passwords but your whole policy. Make sure that everyone new is fully trained, and hold regular training so that existing staff are brought up to date. You should also ensure ex-employees can no longer get hold of company information, for instance by changing logins and passwords after someone leaves and deleting their company email address.