
Practical steps to protect your business from cyber-attack

As cyber-attacks against well-known organisations become increasingly common, today we focus on how smaller businesses can increase their cyber resilience to protect themselves from a potentially devastating attack. Read on to find out what steps you should be taking to avoid serious disruption from a cyber-attack.

Building Cyber Resilience: Preparing for Recovery as Well as Defence

Cyber incidents continue to feature in the news headlines, with airports now joining large UK retailers and manufacturers in experiencing serious disruption to supply chains and services.

While small businesses are unlikely to grab the same headlines, the risks are just as real. For many, a serious cyber-attack could stop their business from trading altogether. That is why it is important not only to think about preventing attacks, but also how your business would recover if the worst happened.

Start with the basics

The National Cyber Security Centre (NCSC) encourages all businesses to adopt the Cyber Essentials programme. This focuses on five straightforward measures that block the majority of common attacks. They cover areas such as keeping software up to date, controlling access to your systems, and protecting your internet connection with firewalls.

These are practical steps that any small business can put in place without needing a large IT team. Some insurers and customers also now look out for Cyber Essentials certification as a reassurance that you take cyber security seriously.

Know what matters most

If your business were hit by an attack, what would you need to keep running at all costs? For some, it might be your customer database. For others, it could be your booking system, your payment processing, or even email.

By thinking this through in advance, you can:

  • Identify your most important systems and data
  • Decide how you would keep the business going if they were unavailable
  • Put in place simple backup and recovery processes so you are not left starting from scratch.

Plan and practice

The NCSC advises that the businesses that recover best from disruption are those that have rehearsed their response. This doesn’t need to be complicated. It could mean, for instance:

  • Making sure you know who to call – is it your IT support provider, your bank, or the police’s cyber-crime unit?
  • Keeping offline copies of important contact details and documents
  • Agreeing who in the business will speak to customers or suppliers if systems are down
  • Running through “what if” scenarios with your team so everyone knows their role

Leadership matters

Cyber risk is often left to whoever looks after the IT. However, a cyber-attack poses a risk to the whole business. Just as you would take a threat to your cash flow or business operations seriously, cyber risk needs to be considered in the same way. This includes staying informed about and interested in the steps you’re taking as a business to minimise problems.

Next steps

If you want to build the resilience of your business, consider:

No business can guarantee it won’t be targeted, but by preparing now, you can reduce the damage, recover faster, and keep your customers’ trust.

See: https://www.ncsc.gov.uk/cyberessentials/overview

ICO Reminds Businesses to Strengthen Cyber Security

The increasing prevalence of cyber-attacks has also led the Information Commissioner’s Office (ICO) to remind businesses to review their security measures and protect any personal information they hold.

According to government figures, UK businesses experienced an estimated 7.7 million cyber-crimes over the past year. Most small businesses store personal information and rely on digital systems.

Ian Hulme, Executive Director for Regulatory Supervision at the ICO, said: “When people share their personal information with your company, they need to feel confident you’ll do as much as possible to keep that information secure. While cyber-attacks can be very sophisticated, we find that many organisations are still neglecting the very foundations of cyber security.”

Practical steps for businesses

The ICO recommends a number of straightforward actions to strengthen data security:

  • Back up data regularly, test the backups and ensure the backup is kept separate from your live data source.
  • Use strong passwords (three random words is a good approach) and enable multi-factor authentication where possible.
  • Be careful about what you say and what documents you have on your screen that others could see, particularly if you work in a public place.
  • Be alert to phishing emails, especially those demanding urgent action or payment.
  • Install and update anti-virus protection on all devices, including those used at home or remotely.
  • Secure your devices by locking screens when unattended and keeping equipment out of sight.
  • Avoid public Wi-Fi or use a secure VPN when working away from the office.
  • Limit access to data so that staff only see what they need for their role.
  • Take care when sharing information, whether via email or by screen-sharing in meetings.
  • Only keep data as long as necessary, and ensure old IT equipment is securely wiped before disposal.

Reporting breaches

If a business suffers a data breach as a result of a cyber-attack, it must be reported to the ICO within 72 hours of becoming aware of it.

Further guidance is available on the ICO’s website.

See: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/09/information-commissioner-s-office-shares-cyber-security-tips-for-small-businesses/