Cybersecurity is something most organisations want to get right. But where do you start? What are the basics that every business should be using to protect their IT and data?
One of the most basic things you must do is keep the operating system on every machine up to date, and the same goes for the applications on it (browsers, Office, PDF readers and so on). It doesn’t matter if you are a one-person business or a large company with many staff and machines; you are at risk if this isn’t done. It is tempting to put it off, especially if you are busy, but these updates include security patches: attackers are constantly finding new flaws in Windows and in the software that runs on it, and once a fix has been published, the machines that haven’t installed it are the easy targets. Turn automatic updates on rather than relying on someone remembering.
Although Windows has some in-built protection, as mentioned above, it cannot protect you from everything in a world where we need to be connected to do business. Having dedicated anti-malware (endpoint protection) software, kept up to date and actually running on every machine, is essential. It is not expensive (especially when you consider the cost of being hit with malware or ransomware), and some products are better than others. Speak to your IT service company to find out which one they recommend.
Secure passwords are another area you need to think about. There are the obvious things you shouldn’t do, such as using “Passw0rd” or “1234”, but many people also use the same password for everything. While this does make it easier to remember, if one password is stolen, everything else that uses it is exposed. For example, LinkedIn was hacked, and many users’ passwords from that breach are still traded on the dark web. Because a LinkedIn profile identifies its owner, attackers can take the leaked password and try it against that person’s email, banking and business accounts (known as credential stuffing), so changing the LinkedIn password alone does not help if the same password is still in use elsewhere. A password manager makes it practical to use a different, long, random password for every system.
You can also set Windows up so that users must change their login passwords regularly, although current guidance from both NIST (SP 800-63B) and Microsoft no longer recommends forced periodic changes for their own sake: people respond with predictable variations, so it is better to require long, unique passwords, check them against lists of known-breached passwords, and force a change only when a password is known or suspected to be compromised. Many systems also allow you to enable two-factor authentication via SMS or an app on a phone, meaning that an attacker who obtains a password still cannot get in. Prefer an authenticator app or a hardware key over SMS where the system offers it, as SMS codes can be intercepted through SIM-swap fraud.
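As an added example (not code from the original article), here is the kind of breached-password check the two paragraphs above point to, written the way the Have I Been Pwned “Pwned Passwords” range API works: the client sends only the first five characters of the password’s SHA-1 hash, receives every breached-hash suffix under that prefix, and finishes the comparison locally, so the password itself never leaves the machine. The breach corpus, the counts and the service names are constructed for the example and are not real breach data; the audit function also flags the same password being reused across several services, which is the reuse problem described above.

```python
"""
Breached-password check using a k-anonymity range query, plus a reuse audit.

Added example: the "server" below stands in for a breached-password service
(the Pwned Passwords API uses this exact prefix/suffix scheme); the corpus it
is built from is constructed for illustration and is not real breach data.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: weak passwords with made-up counts.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3730471,
    "Passw0rd": 51000,
    "1234": 1800000,
    "123456": 37000000,
    "linkedin2012": 120,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the hash the range API is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: index breached hashes by their 5-character prefix."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_query(prefix: str) -> dict:
    """Server side: the only thing it ever receives is a 5-hex-char prefix.
    Returns every {suffix: count} sharing that prefix (possibly none)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))


def pwned_count(password: str, query=range_query) -> int:
    """Client side: how many times the password appears in the corpus (0 = not seen).
    The full hash and the password stay local; only the prefix goes to `query`."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return query(prefix).get(suffix, 0)


def audit_credentials(credentials: dict) -> dict:
    """Client side: for each {service: password}, report the breach count and
    which other services share the same password (reuse across systems)."""
    by_hash = defaultdict(list)
    for service, pw in credentials.items():
        by_hash[sha1_hex(pw)].append(service)
    report = {}
    for service, pw in credentials.items():
        shared = [s for s in by_hash[sha1_hex(pw)] if s != service]
        report[service] = {"breached": pwned_count(pw), "reused_on": shared}
    return report


if __name__ == "__main__":
    # Constructed set of a user's credentials (hypothetical service names).
    sample = {"linkedin": "Passw0rd", "bank": "Passw0rd", "mail": "7xQ!v9#kLm2@pZ"}
    for service, finding in audit_credentials(sample).items():
        print(f"{service:9s} breached={finding['breached']:>9} reused_on={finding['reused_on']}")
```

A real deployment would call the hosted range endpoint instead of `range_query`, but the client logic is unchanged: hash locally, send the prefix, compare the suffixes that come back.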
There are many email security issues that can catch businesses out. For example, there are phishing scams where an email appears to be from a genuine contact such as a colleague, supplier or customer and asks for payments or other data. Spam and junk filters are not enough to protect you from these; extra protection to help identify the sender should be put in place: publish and enforce SPF, DKIM and DMARC for your own domain so that mail forging your addresses is rejected, have your mail service check those records on incoming mail, and mark messages that come from outside the organisation clearly. Any request to pay money or change bank details should also be confirmed by phone or in person using a number you already hold, never by replying to the email. We know of one company that made a large payment to a scammer at what appeared to be the behest of a manager. Phishing protection would have immediately flagged that the email originated in Russia and was not genuine.
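To show what “identifying the sender” means in practice, here is an added example (not the article’s own tooling) that triages a raw email the way a simple mail-filter rule set would: it reads the receiving server’s Authentication-Results header for the SPF/DKIM/DMARC verdicts, compares the From and Reply-To domains, checks whether the sender domain is a digit-for-letter lookalike of the organisation’s own, checks whether a display name belongs to a known colleague but the address does not, and looks for payment or urgency wording. The domain `example.com`, the contact directory and both sample messages are constructed for the example.

```python
"""
Minimal phishing triage for a raw RFC 5322 message. Added example; the
organisation domain, the contact list and the two messages are constructed.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Hypothetical organisation data (assumptions for the example).
OUR_DOMAIN = "example.com"
KNOWN_CONTACTS = {"jane smith": "jane.smith@example.com"}  # display name -> real address

# Constructed sample messages, not real mail. The first impersonates a manager
# from a lookalike domain, redirects replies elsewhere and failed SPF/DMARC at the
# receiving server; the second is what a genuine message from her looks like.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: "Jane Smith" <jane.smith@examp1e.com>
Reply-To: accounts-desk@freemail.invalid
To: finance@example.com
Subject: Urgent payment needed today

Please pay the attached invoice before 3pm. I am in meetings, do not call.
"""

SAMPLE_GENUINE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Smith" <jane.smith@example.com>
To: finance@example.com
Subject: Invoice approved

Approved, please process as normal.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(urgent|today|before \d|do not call|wire|payment)\b", re.IGNORECASE)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def domain_of(header_value) -> str:
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Parse spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.lower(): v.lower() for m, v in AUTH_RE.findall(header)}


def looks_like(domain: str, target: str) -> bool:
    """Crude lookalike test: equal to the target after undoing common digit-for-letter swaps."""
    return domain != target and domain.translate(HOMOGLYPHS) == target


def triage(raw: str) -> list:
    """Return human-readable red flags for the message; an empty list means none found."""
    msg = message_from_string(raw, policy=default)
    flags = []

    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            flags.append(f"{mech}={auth.get(mech, 'missing')}")

    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if looks_like(from_dom, OUR_DOMAIN):
        flags.append(f"sender domain {from_dom} is a lookalike of {OUR_DOMAIN}")
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and expected.lower() != addr.lower():
        flags.append(f"display name '{display}' belongs to {expected}, not {addr}")

    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if URGENCY_RE.search(text):
        flags.append("payment/urgency language in subject or body")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(name, triage(raw) or "no flags")
```

The authentication verdicts are only trustworthy if they were written by your own receiving server (strip or ignore Authentication-Results headers that arrive from outside), and a clean result says the sender domain was not forged, not that the message is safe: a compromised genuine mailbox passes SPF, DKIM and DMARC, which is why the out-of-band confirmation of payment requests still matters.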
Employee cybersecurity awareness
The weakest point in any security system is usually people. Make sure your employees know not to click on links or open attachments in emails they are not expecting, to be careful about who they share data with, to create passwords following best practice, and to report anything suspicious straight away rather than hoping it was nothing. Human error cannot be prevented entirely, but you can minimise it through awareness and make it survivable by ensuring the other controls above do not depend on everyone getting it right every time.
Finally, make sure that you have adequate backups should the worst happen. Nothing is 100% protection against ransomware or other attacks, and you need to be able to get back up and running as soon as possible. Relying on OneDrive alone is not enough: it is a sync service, so files encrypted by ransomware or deleted by an attacker are synced to the cloud like any other change, and version history helps but is not a substitute for a separate copy. Keep at least one backup that is offline or otherwise separate from your live systems and their credentials (cloud-to-cloud backup of your Microsoft 365 data, or another offsite option), and test restoring from it regularly; a backup that has never been restored is only a hope.