Cyber security is an issue for businesses and organisations of all sizes. It's not just large organisations and banks that are targets for cybercriminals. Small businesses are increasingly being attacked due to their lack of investment in cyber security and their relatively low levels of cyber security training.
Here are some steps that small organisations can take to be more cyber secure:
1) Make sure someone is responsible for cyber security
Lack of time is a common trait for small businesses. There is more than enough work to do without adding cyber security. Assigning responsibility for cyber security will help reduce the cyber risks and impact. The person given responsibility does not need special training, although that helps. They need to be empowered to make and implement decisions relating to cyber security.
You can find a description of the cyber security manager role here.
2) Educate people in cyber security
Over 80% of cyber security incidents are caused by human error. This figure can be dramatically reduced by educating people about cyber security and good cyber habits. Education could include:
- Information sharing during staff meetings
- Phishing awareness campaigns (automated or manual)
- Targeted training for specific roles or people
Resources for cyber security training can be found here.
3) Don't use shared logins
No business wants to have an untrustworthy employee, but it happens. To help protect the innocent and identify the guilty, each person should have their own login credentials. Shared logins provide no way of tracing actions back to individuals and offer simple cover for malicious acts. Each person should have their own login for all systems and applications.
4) Develop cyber policies and procedures
Policies and procedures provide guidelines for preventing, managing and recovering from cyber security incidents. Clear guidelines for staff will help them have good cyber practices and avoid some cyber risks.
5) Conduct a cyber risk assessment
Not knowing the risks you are facing is a little like skiing downhill blindfolded - eventually, you will hit something. A cyber security risk assessment will help identify the potential threats and vulnerabilities. The business risk can then be determined, and appropriate mitigation activities put in place to reduce it.
Knowing what you are up against will help you protect against it.
6) Ensure software updates are installed
One of the easiest ways for a criminal to access your systems and data is through a known vulnerability in out-of-date software. Keeping software up to date makes this harder for criminals. Most software allows for automatic updating, and this should be enabled.
7) Use MFA everywhere possible
Multi-factor authentication provides additional protection by using a separate device to authenticate. This protects against a criminal who has obtained your login details as they can't log in without the authentication code.
All critical systems and data should be protected using multi-factor authentication.
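To show why a stolen password on its own is not enough once MFA is in place, here is an added example (not code from the original article) of a login check that requires both a password and a time-based one-time code of the kind an authenticator app generates (RFC 6238 TOTP). The user store, salt and password are constructed for the demo; the TOTP secret is the RFC 6238 test secret so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user store (not from the original article): a PBKDF2
# password hash plus a per-user TOTP secret, as an authenticator app would hold it.
SALT = b"demo-salt-not-for-production"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)


# RFC 6238 test secret (ASCII "12345678901234567890"); used here only so the
# generated codes can be compared with the RFC's published test vectors.
DEMO_SECRET = b"12345678901234567890"
USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": DEMO_SECRET,
    },
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Accept the current window plus `window` neighbours to tolerate clock drift."""
    counter = int(at_time) // 30
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Constant-time compare, and every candidate is evaluated so that timing
        # does not reveal which window (if any) matched.
        ok |= hmac.compare_digest(hotp(secret, c), submitted)
    return ok


def login(username: str, password: str, code: str, at_time: float = None) -> bool:
    """Both factors must pass: knowing the password alone does not get you in."""
    at_time = time.time() if at_time is None else at_time
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password), user["password_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    print("password only :", login("alice", "correct horse battery staple", "000000", now))
    print("password + code:", login("alice", "correct horse battery staple", totp(DEMO_SECRET, now), now))
```

The code changes every 30 seconds and is derived from a secret that never leaves the user's device, so credentials captured by phishing or a data breach are useless without that device.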
8) Backup, backup, backup (and test)
One of the best defences against ransomware and viruses is a recent data backup. All critical and sensitive data should be regularly backed up. These backups should also be tested periodically to check that they completed successfully and contain usable data.
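"Test the backup" means more than checking that the archive file exists. The following added example (not from the original article) records a manifest of file hashes at backup time, then proves the backup is usable by restoring it into scratch space and comparing every restored file against that manifest; a truncated or unreadable archive fails the check. The sample files, paths and archive name are constructed for the demo.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by relative path."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def manifest_path(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and record what was backed up so a restore can be checked later."""
    manifest = file_digests(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def _safe_members(tar: tarfile.TarFile, dest: str):
    """Refuse archive entries that would land outside dest (e.g. '../' paths)."""
    dest = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if os.path.commonpath([dest, target]) != dest:
            raise tarfile.TarError(f"unsafe path in archive: {member.name}")
        yield member


def verify_backup(archive: Path) -> bool:
    """The real test: restore into scratch space and compare against the manifest."""
    if not archive.exists() or not manifest_path(archive).exists():
        return False
    expected = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, members=_safe_members(tar, scratch))
        except (tarfile.TarError, OSError, EOFError):
            return False  # unreadable or truncated archive: this backup is not usable
        restored = file_digests(Path(scratch) / "data")
    return restored == expected


def demo_backup_cycle() -> dict:
    """Constructed walk-through: an intact backup verifies, a damaged one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "company-data"          # constructed sample data
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (source / "contracts.txt").write_text("constructed sample document\n")
        archive = Path(tmp) / "company-data.tar.gz"
        make_backup(source, archive)
        intact = verify_backup(archive)
        # Simulate a damaged copy (e.g. backup media that failed part-way through).
        archive.write_bytes(archive.read_bytes()[:20])
        damaged = verify_backup(archive)
    return {"intact": intact, "damaged": damaged}


if __name__ == "__main__":
    print(demo_backup_cycle())
```

Run the verification on a schedule, and on a different machine from the one that wrote the backup where you can: a backup that only ever gets restored on the system it came from has not shown it will save you when that system is the one that has been lost.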
9) Have a plan for responding to and recovering from a cyber security incident
When a cyber incident occurs, well-thought-through response and recovery plans will help minimise the impact and length of a cyber security incident.
10) Know and understand the sensitivity of your data
Not all data is created equal. Some data is sensitive and critical and needs to be well protected, while other data is public and does not need the same level of protection. Knowing what data is essential and sensitive will help ensure it has the proper levels of security.