UK Small business cyber security in 2021
Phil Picton
Many small businesses nowadays rely heavily on their IT, particularly as working from home is so prevalent. Email, conferencing, chat, business websites, social media, online banking, office and bookkeeping software and so on are all vital services that our businesses need to operate. Losing access to them, or having them hacked, could be devastating to any business.
So here’s a checklist of things you can do to beef up your security. Bear in mind it’s not exhaustive, and a determined and skillful hacker will always be able to find a chink in your armour. It’s just wise to make things difficult, so it’s hopefully not worth their effort. This list is aimed at the very small business or sole trader; larger firms need to implement staff training, network security and other things beyond the scope of this article. Obviously we don’t take any responsibility for any problems you encounter when taking any of this advice! For further reading: https://www.cyberaware.gov.uk/
1. Privacy and Security
Obviously keeping your business assets and contacts safe from hackers and malware is vital, but also important is preventing third parties from collecting data without the permission of your clients or contacts. Large tech companies such as Apple, Google, and Facebook collect as much data as they are able to in order to better target marketing efforts or even to influence political opinion. So while this article is focused on security, it is necessary to discuss privacy as well.
2. Your mobile devices
- Make sure you turn encryption on, and set a long (6 digits at least) pass code which is not easy to guess. Avoid using a child’s birthday, for example.
- Don’t install dodgy apps. Get your games etc. from the App Store / Play Store, and have a look at what permissions the app asks for during installation. Have a look at the reviews to see if it looks safe. If in doubt, don’t install.
- Always keep your mobile’s operating system (iOS, Android) up to date; install updates as soon as you can.
- If you ever get out of the house, be careful about using 'free' public WiFi, which often asks for your email address and even social media access, not to mention logging everything you do and exposing you to other users who may hack your device. A VPN can be a defence against this, see below.
- Don't click links in emails without being sure that the sender is trustworthy and they themselves haven't been compromised.
- As a rule of thumb, avoid using the browser which came with your phone, and consider using one which will alert you if you visit a website that contains malware.
- Install a security app if you are worried you might accidentally click on a dodgy link or install a compromised application.
- There is a list of secure mobile browsers here: https://restoreprivacy.com/browser/secure/ (TL;DR: use the Firefox mobile browser).
- Be aware that if you use social media apps like Facebook, Instagram, Facebook Messenger and so on on your mobile, these apps have access to everything on your phone including your calls, texts, photos, location, fitness and activity data, contacts, and so on and on. In fact mobiles in general have huge amounts of tracking and telemetry built in; it's very hard to avoid without moving to a secure phone such as the Librem 5.
3. Your computers
- Keep your operating system up to date. I know updates can be a pain, but do them as soon as you can because they patch vulnerabilities which can be used to gain access. Don’t use an old computer running an expired operating system such as Windows XP! If you can't get the latest version of an operating system because your device is older, consider moving to a lightweight Linux distribution; in most cases you will be able to install a cutting edge operating system which will give a new lease of life to an older device.
- Turn on full-disk encryption (BitLocker on Windows Pro, FileVault on a Mac; Linux offers full disk encryption during installation) and set a long, hard to guess password. See below for advice on passwords.
- Enable your firewall and use an antivirus package. There are free antivirus packages which will do the job adequately, Avast for example.
- Backups. Keep regular backups of everything, especially your important data, always encrypted and stored in a separate location. If you use a cloud service like Dropbox, ensure you use a strong password and enable two-factor authentication. Backing up properly will enable you to recover quickly if the worst happens. Take this to the next level by actually testing whether you can easily re-install and recover in the event of hard drive failure or a ransomware attack.
- If you use a web based email service such as Gmail or iCloud, make sure you set a secure password (see below) and enable Two factor authentication (see below).
- If your email account is part of your website hosting package, check that you have it set up to use a secure connection, and that it has a strong password. Talk to your hosting company or web developer. Better yet, talk to us!
- Consider using a cloud based email service with good anti spam capabilities, to reduce the risks posed by phishing emails: Office 365 or Google Workspace, for example.
- Don’t open email attachments that you aren’t expecting, even from someone you know. It’s easy to message that person and check that they actually sent it before you expose your business computer to a potential virus or other malware. Ransomware is a particularly nasty thing, where an attacker sends you a convincing email which you open, and then it encrypts all your data on your computer and charges you a steep fee to release it. Ouch!
- Write a list of all the online accounts that you have for your business: email, social media, banking, website memberships, cloud services, your website, PayPal and so on. You should do this for personal accounts too. Everything.
- Download a secure password manager such as Bitwarden, KeePassX, LastPass, Dashlane or others and get it set up on your devices. Bitwarden is my first choice.
- Go to each one of those online accounts, and change your password to a unique and secure one, around 20 characters is good, although some websites have particular criteria for their passwords. Store those passwords in your password manager, and set the password for your password manager to something unguessable but you can remember. A good strategy for this is to use a couple of lines from a poem or song that you already know, make sure it’s long enough, say 50 characters or more, but add in some special characters, to make it un-guessable.
- Then when you need to log in to a website, you can copy and paste in the password from your password manager, or have it automatically insert it for you. I know this is a pain, but it’s the only way to keep your online accounts secure nowadays.
- Be aware that if you use a non cloud-based password manager, you may not be able to open its database until you’ve unlocked your hard drive encryption (or backup encryption), so don’t use that to store your hard drive password unless you have also got the password manager installed elsewhere... Otherwise that is the computer equivalent of locking your keys in the car!
6. Two-factor authentication
This is an extra level of protection for your important accounts. Basically when you want to log in to a website, you need your password and also your mobile or another device. The website sends you a message with a security code which you need to enter in order to log in. Or you can use an app such as Authy or Bitwarden to generate one-time pass codes. Another second factor which we recommend if the service supports it is a physical security key. This is a key which you must plug into a USB port in order to generate a one-time pass code. Yubico is our favourite provider.
You should enable some kind of two factor authentication on as many of your online accounts as you can; it will make things very difficult for an attacker.
7. Enhanced Privacy
Some businesses need to keep certain information secret for competitive reasons, and some professionals such as doctors, lawyers, activists and journalists have to keep information secret for legal or other reasons. A good resource for such people is at the Electronic Frontier Foundation.
- Consider using a secure operating system such as Tails or Qubes OS.
- Use encryption on your emails; try ProtonMail.
- Use Signal for messaging.
- Use Tor browser.
- Use a VPN. See below.
- Keep confidential data encrypted and on a device which does not connect to the internet.
- Delete old WiFi logins on your mobile.
- Disable fingerprint security on your mobile and have an 11 digit pass code.
- Don’t carry sensitive data when crossing borders, especially to the US or UK.
- Implement all the other recommendations on this list.
- Do threat modelling, think about who might wish to obtain your data and how much time or resources they can spend.
- Be aware that it is impossible to be fully secure on or off the internet.
8. Physical Security
Another weak point for some businesses is the possibility of accessing your data by gaining access to your devices, during opening hours or during a break in. A so called ‘evil maid’ attack could involve installing malware onto your machine from a USB key, adding hardware designed to track your activity, or theft of data. Keep your computers in a locked location where possible, protected by alarms and CCTV. Enable full-disk encryption with a secure password, and don’t leave your computer switched on when unattended. If you suspect your machine has been tampered with, don’t use it until you’ve investigated.
9. VPN
A VPN or Virtual Private Network is a way of accessing the internet by using an encrypted connection to a server which then connects to the internet. This ensures that all of your communication is protected by the encryption, making it much more secure when on public or shared WiFi. Also the VPN will hide your internet tracks because your IP address will be kept private from the destination website. Good VPNs will also block malware, tracking and even internet ads. Bear in mind that a VPN (or the Tor Browser) will only provide basic privacy protection and you should not assume that your actions cannot be traced back to you.
10. Business Websites
All websites are constantly being scanned and attacked by automated scanners and bots. A huge amount of internet traffic is taken up by people trying to compromise websites. The more legitimate traffic a website has, the bigger a target it becomes. Talk to your web developer about security. Mitigating such things is a subject beyond the scope of this article, but there are some recommendations you should consider at the very least.
- ALWAYS use long secure random passwords for your website's admin logins
- Use two factor authentication where possible
- Install an SSL/TLS certificate so the site is served over HTTPS
- If you use a Content Management System (CMS) like WordPress, keep the core, theme and plugins up to date regularly
- For front end web apps, make sure you update dependencies regularly where security issues crop up
- Make sure your hosting provider keeps the server updated and secure
- Use anti spam services like reCAPTCHA on contact forms
- Place your website behind a CDN like Cloudflare to protect it from bot traffic and to obscure the server's IP address from scanners
11. Don't worry!
It is possible (and obligatory) for a small business to create a security regime which will comply with data protection laws and protect from the most common cyber threats such as malware, phishing and having online accounts accessed due to (for example) insecure password practices.
It is not possible to be completely secure, but you should not worry, it is unlikely that a sophisticated attacker would target your small business. By making a small effort and implementing these recommendations you will make it far more difficult to compromise your business, and an attacker would likely move on to a 'lower hanging fruit'.