There’s a lot of nasty stuff out there in the world of cyberspace, and when you’ve got a business it’s super important to protect against it. Here’s your ten-step plan of action for setting up decent internet security for your SME.
1. Know what you're up against
First rule of combat: know thy enemy. Here are the kinds of things that cybersecurity is there to battle:
- Malware - 'malicious software' that can harm your computer or monitor your usage without your consent, such as viruses, worms, spyware, keyloggers, or ransomware
- Hacking - for instance through long-term APT (advanced persistent threat) attacks that gradually gain access to your system, or password attacks
- Phishing - in which a program, email, or web page looks legit and tricks you into handing over sensitive info, like bank details or passwords
- Inside attack - when a current or former employee purposely leaks data
- DDoS - a Distributed Denial of Service attack, in which bots ping your server too much and cause it to shut down
Yep, even small businesses need to protect against all of these. Smaller organisations are often low-hanging fruit for attackers, since they're not expected to have security as strong as larger ones. Plus, some of these threats - such as viruses - can literally happen to anyone, business or otherwise.
So, set up a formal security policy for your business, and make everyone adhere to it, whether they're the CEO or an intern. Cybersecurity breaches can come from anywhere, after all.
It’s also worth noting that fibre business broadband will tend to get you more business-focused internet security - something vital to make sure you don’t get bothered by malware, phishing, or hackers.
2. Install business-grade PC security
…and keep it updated.
PC and device security is your first-line defence against malware, viruses, phishing, and what-have-you that you might accidentally download from the internet or emails. Splash out and install proper business-grade software on every single computer, tablet, and smartphone that your company uses, and don't ever let it get out of date.
Beefed-up security is particularly important if you have a static IP address as part of your business broadband - static IPs are more vulnerable to hacking.
3. Network security
Of course, that's not the only way your system can be compromised. You need full security at a network level, too. You can:
- Set up a beefy firewall
- Create a separate LAN for guests' Wi-Fi
- Connect your computers by ethernet cable - it's more secure than Wi-Fi
Basic network security is often included with business broadband packages - or at least available from your provider. Contact them to see what they can offer you.
*This is the maximum possible speed. Broadband speed may be lower at peak times and can be affected by a range of technical and environmental factors. The speed you receive where you live may be lower than that listed above. Fibre/cable services at your postcode are subject to availability. You can confirm availability on the provider's website. Providers may increase charges. You should have the right to exit your contract without penalty if this happens.
4. Secure all your hardware
ALL OF IT. Literally anything that connects to your network needs to be sufficiently secure, with measures like security software and firewalls. Laptops, servers, storage drives, mobiles, tablets, the lot.
If employees ever work remotely and access files and servers from outside the office, the equipment they use needs to be safe. Take steps to ensure they have adequate protection, or provide them with a laptop or phone that they can use.
5. Use strong passwords - for everything
Every single time you set up a password for an account, you need a brand new, ultra-strong password that hasn't been used for any other account before.
A strong password is at least 12 characters long; uses a combo of upper case letters, lower case letters, numbers, and symbols; and doesn't consist of just common dictionary words or keyboard patterns (like QWERTY). And yes, you really do need to use a different password for everything - if a hacker or phisher gets access to one password, you don't want them to be able to log on to anything else too.
To create a strong password, you could:
- Use an online password generator
- Keyboard mash, remembering to press the shift key every now and then
- Make one up based on a sentence - 'To be or not to be, that is the question' could turn into the password '2B/n2B,titQ'
If they're all going to be difficult to remember, use a (secure!) password managing app such as LastPass. Or, work out a system that uses the same base password but has slight variations depending on where you're logging into - '2B/n2B,titQ' might become '2B/n2B,titQFB' when you're logging into Facebook, for instance.
And if multiple people use the same account, remember to change the password when anyone leaves the company or no longer requires access.
6. Manage user privileges
Remember those inside attacks? One of the key ways you can protect against them is by managing who exactly can access your computers, files, hardware, servers, website back-end, and internet connection, and monitoring usage so you can keep track of exactly what they're doing on there.
When someone leaves the company or no longer works with you, switch off their accounts and revoke their access to your systems as a matter of basic policy.
7. Encrypt sensitive data
Every business has sensitive data - like employee records, bank details, passwords, and personal info - and it's very, very important to keep it protected. Files that contain this kind of data need to be encrypted with special encryption software, and strictly only accessible by the people who need to use them.
Preferably, you should also have extra security software for the internal programs you use, and enable two-step authentication wherever possible.
8. Put together an emergency plan of action
Despite all your best efforts at cybersecurity, the worst can still happen. Put together a plan of action for what you'll do in the event of a virus, cyber attack, or security breach - think about how you'll plug the breach or thwart the attack, which systems you'll need to shut down, how you'll recover data you might lose, and so on.
Hopefully you'll never need to use it, but at least you know that even if things go wrong it won't be the end of the world for your company.
9. Backup, and backup your backup
Backing up your system and files is good business practice anyway, and vital for a good security policy. Set up an automatic data backup to another server, drive, or cloud system - if there's a security compromise, you know that all won't be lost.
Cloud-based data backups are often available from business broadband providers such as BT Business, if you want to keep your systems nice and integrated together.
10. Train your staff
This is possibly the most important thing you can do for your business' cybersecurity - all it takes is one mistake from one person for something to go seriously wrong. Teach all your staff about your security policy and best practices, and about what they should be doing to keep things secure.
And while you're at it - be nice to them. Remember that a lot of inside leaks come from disgruntled employees…