According to some experts, cyber crime now costs the global economy around $400 billion annually. From traditional crimes committed online to wholly electronic crime, the Internet is an effective tool to exploit the weak and unprepared.
Yet, many organisations still do not take seriously the threat of attacks upon their business networks and information systems.
E RADAR's Will Roebuck sets out a 50-point check list of essential digital security tips to help small and medium-sized businesses prevent a cyber attacker from destroying them.
Taking cyber security seriously
You would think by now that we are all much smarter in knowing how to deal with the risks of a cyber attack. The news is regularly full of doom and gloom as another high-profile company has its online systems hacked into and personal data stolen. Just last week the WannaCry ransomware attacked several high-profile organisations, including the UK's NHS. With regulatory fines now increasing to 20 million euros with the new EU data protection rules coming into force in May 2018, small and medium-sized businesses urgently need to check their network and data security, and carry out control measures across the enterprise, where necessary.
The fact is, cyber criminals are becoming increasingly clever and more advanced. New threats, different ways of attacking network and information systems, and more advanced malware all require us to stay constantly alert. Ongoing training in digital security for all members of staff is your first line of defence. Keep them informed about the latest threats and what they can and cannot do when performing their duties. This means having proper communications policies and procedures in place, linked to their contract of employment. Any breach of the rules should be a disciplinary offence which can lead to dismissal.
Sounds harsh? It is, but then this can only be expected if you have spent years building up your business and invested hard-earned profits back into the organisation.
Remember, even the office cleaner could be the cyber attacker who brings down your business. The 'inside job' still remains an effective way to get to your business if you haven't taken the necessary steps to protect yourself.
Digital security for your business
I've set out below E RADAR's 50 essential digital security tips to help you and your business deal with the threats from cyber attackers. The key to a successful risk mitigation strategy is making sure you stay one step ahead.
Threat - virus and other software attacks
- Tip 1 - Introduce a properly configured firewall from a reputable provider. There are several free versions available. Premium is best.
- Tip 2 - Use a properly configured firewall between your computers, business systems and the Internet.
- Tip 3 - Do not open suspect emails or attachments.
- Tip 4 - Only enable preview panes once you have removed all suspect emails.
Threat - theft of laptops, personal devices and other hardware
- Tip 5 - Maintain a list of your equipment (including serial numbers) and check your physical security.
- Tip 6 - Control access to business premises and computer systems.
- Tip 7 - Encrypt sensitive data, such as personal information about trade union membership, religious beliefs and sexual orientation.
- Tip 8 - Password protect your hard drive and data.
- Tip 9 - Mark your postcode on all hardware with an ultra-violet pen.
- Tip 10 - Regularly back-up essential files and store copies in a secure place, away from the premises where you are using computers.
Threat - theft of Intellectual Property / copying of information
- Tip 11 - Make sure your customer or prospect lists, ideas and designs, and correspondence are safe.
- Tip 12 - Check who has access to your systems and log usage.
- Tip 13 - Check physical security of computers and back-up files.
- Tip 14 - Make sure all your staff are adequately vetted. This even includes contract staff!
Threat - mishandling of personal information
- Tip 15 - Notify the Information Commissioner that you process personal information.
- Tip 16 - Ensure you understand the 8 Data Protection Principles.
- Tip 17 - Never allow passersby to view your computer screens from the street.
Threat - financial fraud and theft on-line
- Tip 18 - Understand the risks associated with different types of ‘card not present’ transactions, including card holder not receiving goods, or goods sent to another address.
- Tip 19 - Validate new customers and suppliers using published information from trusted sources.
- Tip 20 - Obtain an online credit status report and electronic identity check.
- Tip 21 - Report fraud or attempted fraud to your local Police.
Threat - unauthorised email access/misuse/abuse
- Tip 22 - Protect email systems against accidental misuse.
- Tip 23 - Ensure workers know about policies on sending or publishing illegal or offensive materials via email or on a website.
- Tip 24 - Check that the policies are lawful and enforceable.
- Tip 25 - Always ‘inform’ users that you may monitor their communications.
Threat - unauthorised Internet browsing
- Tip 26 - Protect your corporate website against accidental misuse or deliberate abuse.
- Tip 27 - Ensure workers know about policies on viewing non-work related websites or visiting offensive or illegal websites.
- Tip 28 - Check that the policies are lawful and enforceable.
- Tip 29 - Always ‘inform’ users that you may monitor their communications.
Threat - sabotage of data
- Tip 30 - Protect against unauthorised amendment or deletion of records to disrupt the business or for financial gain.
- Tip 31 - Ensure that regular back-up copies are securely stored.
- Tip 32 - Check data regularly for changes in nature or size.
- Tip 33 - Adopt vetting procedures for workers doing tasks deemed higher risk.
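One way to put Tip 32 into practice (and to keep the baseline with the off-site copies from Tip 31), as an added example that is not part of E RADAR's checklist: record the size and SHA-256 hash of every file in a records folder, store that baseline away from the share, and periodically report files that were modified, deleted or unexpectedly added. The folder names, file contents and the `demo()` helper are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Size plus SHA-256, so same-size edits are caught as well as growth or shrinkage."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": path.stat().st_size, "sha256": digest.hexdigest()}

def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """List files whose fingerprint changed, that vanished, or that appeared."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def check(root: Path, baseline_file: Path) -> dict:
    """Compare root against a baseline saved earlier as JSON from build_baseline()."""
    return compare(json.loads(baseline_file.read_text()), build_baseline(root))

def demo() -> dict:
    """Constructed sample data: a tiny records folder that is then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        data, store = Path(tmp, "records"), Path(tmp, "offsite")
        data.mkdir(); store.mkdir()
        (data / "customers.csv").write_text("id,name\n1,Acme\n2,Bloggs\n")
        (data / "invoices.csv").write_text("id,total\n1,100\n")
        (data / "notes.txt").write_text("quarterly review\n")
        # The baseline lives with the off-site backups (Tip 31), not on the share being checked.
        baseline_file = store / "baseline.json"
        baseline_file.write_text(json.dumps(build_baseline(data), indent=2))
        # Simulated sabotage: a same-size edit, a deleted file and an unexpected new file.
        (data / "invoices.csv").write_text("id,total\n1,900\n")
        (data / "notes.txt").unlink()
        (data / "export.zip").write_bytes(b"PK\x03\x04")
        return check(data, baseline_file)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The size-only check would miss the edited invoice total, which is why the hash is recorded alongside it.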
Threat - identity theft
- Tip 34 - Protect against impersonation and developed identities.
- Tip 35 - Do not give personal information without validating the organisation making the request.
- Tip 36 - Implement security measures to prevent theft of business records for use in identity theft.
- Tip 37 - Use identity authentication and credit status checking services.
Threat - spoofing attacks/passing off
- Tip 38 - Protect against impersonation of the business.
- Tip 39 - Forward email to sender’s ISP for action and adjust your filters to block unwanted email.
Threat - denial of service attack
- Tip 40 - Protect against attempts to prevent legitimate users of a service from accessing or using the service, including ‘flooding’ a network with mass e-mail and disrupting connections between machines.
- Tip 41 - Contact your Internet Service Provider (ISP) immediately if you suspect an attack.
Regularly practice restoring your files
- Tip 42 - Draw up a set of comprehensive computer/information security policies for yourself and your staff.
- Tip 43 - Maintain a list of your equipment (including serial numbers) and check your physical security.
- Tip 44 - Introduce virus-checking software.
- Tip 45 - Use a properly configured firewall between your systems and the internet.
- Tip 46 - Do not open suspect emails or attachments.
- Tip 47 - Only enable preview panes once you have removed all suspected emails.
- Tip 48 - Control access to business premises and computer systems.
- Tip 49 - Password protect your hard drive and data.
- Tip 50 - Mark your postcode on all hardware with an ultra-violet pen.
Want us to help you?
Check out E RADAR's new e Learning Module on the General Data Protection Regulation for business owners, managers and employees.