Hacking, data breaches and ransomware attacks continue to be on the rise. With GDPR now in force, too, it is essential that all businesses be prepared for any situation.
Due to a lack of know-how and resources, small businesses are often less prepared and have less sophisticated cybersecurity defences than their larger counterparts. However, there are some straightforward steps that every organisation can take to make sure they have adequate protection in place and, in case they do get hit, they can quickly recover from an attack and incur only minimal damage.
Here are five things you can do now to improve your defences:
- Train your employees
Being forewarned is being forearmed, but a lack of cybersecurity awareness amongst employees is a leading cause of successful ransomware attacks against small and medium enterprises (SMEs). Many major hacks start with social engineering tactics – from phishing to hackers posing as IT staff – so being prepared is key.
Tailored training should be at the top of the list of any successful cybersecurity strategy. It is imperative that all staff members understand the cyber threats they face and that they have the knowledge that’s needed to avoid falling victim, from not opening suspect emails and unexpected attachments to not clicking on random links or visiting malicious websites. As many are visual learners, it is often best to provide employees with actual examples of these scams. If they know how to recognise the main characteristics of these attacks, it’s less likely they will fall for them.
Following on from employee training, every business should have clear security policies in place and enforce them where required. Remember too that informal training can be very effective as a refresher – for example, pointing staff to blogs on key security topics, or asking them to take an online security quiz.
- Implement layered security
Unfortunately, there is no silver bullet solution that can cover all cybersecurity problems. Cyber risks are complex, and they are constantly evolving, so it’s important to take a multi-pronged approach to defending the company’s network, applications, devices and data.
There are some must-have security solutions every business should have in place: anti-virus software, virtual private network technologies, a network firewall, and business continuity and disaster recovery (BCDR) tools. However, these are only the essential starting blocks. Think about processes, too. Security patches to software must be installed as soon as they become available, otherwise known vulnerabilities may expose the organisation to the risk of an attack. Automated patch management can help with this.
Additionally, as threats change, SMEs will need to adjust their defences regularly. They should continually check their systems for vulnerabilities, learn about new threats, and try to think like attackers to understand where their weak spots are.
- Be password savvy
How securely passwords are handled is partly down to technology, and partly down to user education, but since weak passwords cause a large proportion of data breaches, businesses should consider adopting password management solutions for all employees. There are many password management applications available today that allow users to safely keep track of their passwords and change them quickly in case of a data breach.
In addition, any default passwords on devices should always be changed to a more complex password and changed regularly – for example, every 90 days. For those business areas needing a higher level of protection, multi-factor authentication is a good idea. Tighten access control, too: administrative privileges should only ever be given to trusted IT staff.
- Encrypt your data
Encryption is an important consideration. Encrypting hard drives, for example, ensures that data remains completely inaccessible to outsiders if or when a laptop is stolen. Ideally, data should be encrypted both when it’s saved (at rest) and when it is being processed and sent somewhere (in transit), and on all devices that employees may use to carry business data – from mobile phones to USB sticks.
Know where your data resides, too – keeping track of where business data goes and where it is saved is an important piece of the security puzzle and a key part of meeting GDPR requirements.
- Be prepared for ransomware
As already mentioned, business continuity and disaster recovery solutions are an important layer in any organisation’s cyber defence strategy. Why? With ransomware on the rise, companies need data protection solutions in place that enable them to recover the affected data and return to operations quickly if they do suffer a cyber-attack.
Taking frequent backups of all data considered critical to the business is key. The exact frequency of backups will vary based on your business’ specific needs, but typically, today’s backup products are designed to make incremental copies of data throughout the day to minimise data loss. This allows you to restore data to a point in time before the breach occurred without losing all of the data created since the previous backup.
Some solutions also have an instant recovery function, with image-based backups that are stored in a virtual machine format—essentially a snapshot of the data, applications, and the operating system. This allows users to run applications from the backup copy while the primary server is restored following an outage, which minimises downtime. For small businesses, being out of operation for any length of time can mean substantial losses, so this is a feature well worth having.
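To show how a full image plus frequent incremental copies lets you roll back to a point just before an incident without losing everything since the last full backup, here is a small added model (example code, not from the article or any named backup product; the backup chain, times and file contents are constructed):

```python
# Added example: a minimal model of image-plus-incremental backups with
# point-in-time restore. The chain, timestamps and file contents are constructed.
from dataclasses import dataclass, field

@dataclass
class Backup:
    time: int                                      # minutes since midnight (constructed)
    full: bool                                     # True = full image, False = incremental
    changed: dict = field(default_factory=dict)    # path -> content written since prior backup
    deleted: set = field(default_factory=set)      # paths removed since prior backup

def restore_point_in_time(chain, target_time):
    """Rebuild the file set as of the latest backup taken at or before target_time.
    Starts from the most recent full image and replays later increments in order."""
    usable = [b for b in chain if b.time <= target_time]
    if not any(b.full for b in usable):
        raise ValueError("no full image available at or before target time")
    last_full = max(i for i, b in enumerate(usable) if b.full)
    state = {}
    for b in usable[last_full:]:
        state.update(b.changed)
        for path in b.deleted:
            state.pop(path, None)
    return state

def recover_before_incident(chain, incident_time):
    """Restore to the last backup taken strictly before the incident, so data
    written up to that increment survives while the damage is discarded."""
    clean = [b for b in chain if b.time < incident_time]
    return restore_point_in_time(chain, clean[-1].time) if clean else {}

# Constructed chain: full image at 09:00 (540), increments every 30 minutes.
CHAIN = [
    Backup(540, True, {"invoices.xlsx": "Q1 totals", "notes.txt": "draft"}),
    Backup(570, False, {"notes.txt": "draft v2"}),
    Backup(600, False, {"contract.docx": "signed"}, deleted={"notes.txt"}),
    # 10:45 (645): ransomware encrypts files; the 11:00 increment captures the damage.
    Backup(660, False, {"invoices.xlsx": "<ciphertext>", "contract.docx": "<ciphertext>"}),
]

if __name__ == "__main__":
    print(recover_before_incident(CHAIN, 645))
    # -> {'invoices.xlsx': 'Q1 totals', 'contract.docx': 'signed'}
```

The more frequent the increments, the closer the last clean point sits to the incident, which is the data-loss window the article refers to.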
For any business looking to upgrade its security, a cybersecurity risk assessment is a good starting point. It will help you to understand the potential cyber threats to your organisation and the impact they may have on your business, and to identify weak spots in your defences. From there, it’s easier to shape a security strategy that meets your specific needs.