UK Small business cyber security in 2017

Many small businesses nowadays rely heavily on their IT. Email, business websites, social media, online banking, office and bookkeeping software and so on are all vital services that our businesses need to operate. Losing access, or having them hacked could be devastating to any business.

As a business, you also have a duty to your clients to keep their personal details confidential and secure. Not to mention that it’s the law. You should be registered with the ICO here: https://ico.org.uk/for-organisations/register/ and have a data protection policy.

So here’s a checklist of things you can do to beef up your security. Bear in mind it’s probably not exhaustive, and a determined and skilful hacker will always be able to find a chink in your armour. It’s just wise to make things difficult, so it’s hopefully not worth their effort. This list is aimed at the very small business, or sole trader, larger firms need to implement staff training, network security and other things beyond the scope of this article.

For further reading: https://www.cyberaware.gov.uk/

1. Your mobile

  • Make sure you turn encryption on, and set a long (6 digits at least) passcode which is not easy to guess. Avoid using a child’s birthday, for example.
  • Don’t install dodgy apps. Get your games etc. from the app store (play store) , and have a look at what permissions the app asks for during installation. If in doubt, don’t install.
  • Keep your operating system (iOS, Android) up to date.
  • Be careful about using public WiFi, which often asks for your email address and even social media access, not to mention logging everything you do and exposing you to other users who may hack your device. A VPN can be a defence against this, see below.

2. Your computers

  • Keep your operating system up to date. I know updates can be a pain, but do them as soon as you can because they patch vulnerabilities which can be used to gain access. Don’t use an old computer running Windows XP!
  • Turn on full-disk encryption (Bitlocker on Windows Pro, Filevault on a Mac, Linux offers full disk encryption during installation) and set a long, hard to guess password. See below for advice on passwords.
  • Enable your firewall and use an antivirus package. There are free antivirus packages which will do the job adequately. Avast for example.
  • Backups. Keep regular backups of your important data. Always encrypted and stored in a separate location. If you use a cloud service like Dropbox, ensure you use a strong password and enable Two-factor Authentication.

3. Email

  • If you use a web based email service such as Gmail or iCloud, make sure you set a secure password (see below) and enable Two factor authentication (see below).
  • If your email account is part of your website hosting package, check that you have it set up to use a secure connection, and that it has a strong password. Talk to your hosting company or web designer. Better yet, talk to us!
  • Don’t open email attachments that you aren’t expecting, even from someone you know. It’s easy to message that person and check that they actually sent it before you expose your business computer to a potential virus or other malware. Ransomware is a particularly nasty thing, where an attacker sends you a convincing email which you open, and then it encrypts all your data on your computer and charges you a steep fee to release it. Ouch!

4. Passwords

  • Write a list of all the online accounts that you have for your business. Email, social media, banking, website memberships, cloud services, your website, Paypal etc etc. You should do this for personal accounts too.
  • Download a secure password manager such as KeePassX, Lastpass, or another from this list: http://lifehacker.com/5529133/five-best-password-managers and get it set up on your devices.
  • Go to each one of those online accounts, and change your password to a unique and secure one, around 20 characters is good, although some websites have particular criteria for their passwords. Store those passwords in your password manager, and set the password for your password manager to something unguessable but you can remember. A good strategy for this is to use a couple of lines from a poem or song that you already know, make sure it’s long enough, say 50 characters or more, but add in some special characters, to make it unguessable.
  • Then when you need to log in to a website, you can copy and paste in the password from your password manager.I know this is a pain, but it’s the only way to keep your online accounts secure nowadays.
  • Be aware that if you use a password manager, you may not be able to open its database until you’ve unlocked your hard drive encryption, so don’t use that to store your hard drive password unless you have also got the password manager installed elsewhere… Otherwise that is the computer equivalent of locking your keys in the car!

5. Two-factor authentication

This is an extra level of protection for your important accounts. Basically when you want to log in to a website, you need your password and also your mobile or another device. The website sends you a message with a security code which you need to enter in order to log in.

  • You should enable this on as many of your online accounts as you can, it will make things very difficult for an attacker.

6. Privacy

Some businesses need to keep certain information secret for competitive reasons, and some professionals such as Doctors, Lawyers and Journalists have to keep information secret for legal reasons. A good resource for such people is at the Electronic Frontier Foundation: https://ssd.eff.org/

In short,

  • Consider using a secure operating system such as Tails or QubesOS.
  • Use encryption on your emails.
  • Use Signal for messaging.
  • Use Tor browser.
  • Use a VPN.
  • Keep confidential data encrypted and on a device which does not connect to the internet.
  • Delete old WiFi logins on your mobile. Disable fingerprint security on your mobile and have an 11 digit passcode. Don’t carry sensitive data when crossing borders, especially to the US or UK.
  • Implement all the other recommendations on this list.

7. Physical Security

Another weak point for most businesses is the possibility of accessing your data by gaining access to your devices, during opening hours or during a break in. A so called ‘evil maid’ attack can involve installing malware onto your machine from a usb key, adding hardware designed to track your activity, or theft of data.

Keep your computers in a locked location where possible, protected by alarms and cctv. Enable full-disk encryption with a secure password, and don’t leave your computer switched on when unattended. If you suspect your machine has been tampered with, don’t use it until you’ve investigated.

8. VPN

A VPN is a service which can hide your internet tracks, mainly for privacy reasons. Other benefits include protection from malware and trackers encountered on websites, protection of your secure data when using public or Hotel WiFi, protection of sensitive online communication.

Use a VPN. Install it on your mobile as well.

For ease of use, try FreeDome VPN: https://www.f-secure.com/en_GB/web/home_gb/freedome

For more information on evaluating a VPN read this: https://www.reddit.com/r/VPN/comments/4iho8e/that_one_privacy_guys_guide_to_choosing_the_best/

9. Your website

  • Your business website’s logins should always be secure and unique passwords.
  • Use a CDN like CloudFlare to protect your site from downtime, and DDoS attacks.
  • Install security plugins on WordPress.
  • Get a SSL certificate, and use HTTPS.
  • Hide your email and phone number from bots.
  • Use anti-spam or a captcha on your blog comments and contact form.
  • We can help you with all of this, and much more, get in touch today.

10. Don’t open attachments! Malware

  • The most common way for your computer or mobile to be attacked is via an attachment in an email, which tricks you into running a malicious piece of code. Don’t fall for it, check with the sender before opening any attachment you are not sure about.
  • Another way is via a malicious web link. Known as a ‘drive-by download’ your device can be infected just by visiting a web page. If a link prompts you to install software, DON’T. If your browser or search engine warns you a site is malicious, hit the back button! A VPN can also protect you from this sort of attack.
  • Malware can also find it’s way onto your computer from a CD, DVD, or USB drive. Be careful what you put into your computer.

11. WiFi Router