It is easy to fall for the mistaken belief that beefing up security at your business involves buying expensive hardware and software or hiring a top-rated security consultant to step in and make major changes. In fact, it is possible to make solid security progress simply by following good practice and by tightening protection where needed.
Making these essential improvements is important for businesses of all sizes. In 2016, the Federation of Small Businesses found that the UK’s small businesses are collectively attacked over 7 million times a year, costing up to £5.26 billion. In this article, we cover some of the most effective ways to improve resilience against these attacks without spending an arm and a leg.
Passwords and 2FA (two-factor authentication)
You’ve heard it mentioned over and over, but we need to highlight it again: password discipline is vital for resilient IT security. Complex passwords, passwords that regularly change and different passwords for each account are all key factors. Wherever possible, both security leaders and staff need to ensure that they practice password discipline.
Password discipline is hard to maintain consistently, however, as many users refuse to part with common passwords. This is where two-factor authentication (2FA) can prove a real boost. 2FA is far harder to circumvent and is worth implementing, especially for key online accounts whose security is particularly important. The second authentication step can feel tedious, but it is free of charge for most services and greatly improves your company's resilience against intrusion attempts.
Double-check encryption
Encrypted communication is increasingly the standard modus operandi for everything from websites to chat apps, but you should never assume that encryption is enabled by default. It is worth auditing the networks, services and web applications your business uses to ensure encryption is enabled wherever possible.
Your organisation should ensure that encryption is in place for all online login areas, that your local Wi-Fi is encrypted and that you are using encryption across email. Even if there is a small cost involved in, say, switching from a legacy email provider to a more modern one, the security advantage of encryption is undeniable.
Physically secure equipment
Not all attacks are executed across the internet. Physical device and network security is still important and can often be boosted with relative ease. Storing network equipment in a locked cabinet is a good start, though a separate room with key card access and a solid door would be a better choice.
It is also worth remembering that Wi-Fi routers and access points present tampering risks. Securing Wi-Fi equipment out of easy reach is a good start. Blocking off exposed network ports that are unused is also a good idea.
Run updates and firmware patches
As with password practice, the patch and update routine is a well-publicised priority that is frequently overlooked. Managing this routine takes some time but usually involves no hard expenses. Getting organised is the key factor, as a systematic approach to patches and updates can greatly boost your company's resilience against cyberattacks.
Consider keeping a list of devices in use, and of the applications in use on those devices. Schedule regular reviews, with a frequency based on the security risk the device or application poses. This organised approach will ensure your IT equipment is consistently protected against the latest threats.
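The inventory-plus-schedule approach above is easy to keep honest with a few lines of code. The following is an added example, not something from the article: a constructed device and application inventory, risk tiers with illustrative review intervals (the tiers, intervals, asset names and dates are all assumptions for the demonstration), and functions that list what is overdue, what is coming up, and which application entries point at a device missing from the list, a common sign of a stale inventory.

```python
"""Added example: risk-based patch review scheduling over a small inventory.
Not from the original article; every asset, date and interval is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Review interval per risk tier, in days. Illustrative assumptions only.
REVIEW_INTERVAL_DAYS: Dict[str, int] = {"high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # "device" or "application"
    host: str            # for an application, the device it runs on; for a device, its own name
    risk: str            # "high", "medium" or "low"
    last_reviewed: date  # last time patches and updates were checked


def next_review(asset: Asset) -> date:
    """Next review date: last review plus the interval for the asset's risk tier."""
    return asset.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[asset.risk])


def due_for_review(inventory: List[Asset], today: date) -> List[Asset]:
    """Assets whose review date is on or before `today`, most overdue first."""
    due = [a for a in inventory if next_review(a) <= today]
    return sorted(due, key=lambda a: (next_review(a), a.name))


def upcoming_schedule(inventory: List[Asset], today: date,
                      horizon_days: int = 14) -> Dict[date, List[str]]:
    """Reviews falling after today but within the horizon, grouped by date."""
    schedule: Dict[date, List[str]] = {}
    for a in inventory:
        when = next_review(a)
        if today < when <= today + timedelta(days=horizon_days):
            schedule.setdefault(when, []).append(a.name)
    return {d: sorted(names) for d, names in sorted(schedule.items())}


def unknown_hosts(inventory: List[Asset]) -> List[str]:
    """Applications recorded against a device that is not in the inventory.
    Such entries mean the device list is stale and the host itself is never reviewed."""
    devices = {a.name for a in inventory if a.kind == "device"}
    return sorted(a.name for a in inventory
                  if a.kind == "application" and a.host not in devices)


# Constructed sample inventory (hypothetical assets, not real ones).
SAMPLE_INVENTORY: List[Asset] = [
    Asset("edge-router", "device", "edge-router", "high", date(2024, 5, 1)),
    Asset("office-wifi-ap", "device", "office-wifi-ap", "high", date(2024, 5, 9)),
    Asset("reception-pc", "device", "reception-pc", "medium", date(2024, 4, 10)),
    Asset("accounting-app", "application", "reception-pc", "medium", date(2024, 5, 5)),
    Asset("print-server", "device", "print-server", "low", date(2024, 1, 15)),
    Asset("legacy-crm", "application", "old-server", "high", date(2024, 5, 10)),
]

TODAY = date(2024, 5, 13)  # fixed "today" so the run is reproducible

if __name__ == "__main__":
    for a in due_for_review(SAMPLE_INVENTORY, TODAY):
        print(f"DUE  {a.name:15} ({a.risk}) since {next_review(a)}")
    for when, names in upcoming_schedule(SAMPLE_INVENTORY, TODAY).items():
        print(f"NEXT {when}: {', '.join(names)}")
    for name in unknown_hosts(SAMPLE_INVENTORY):
        print(f"WARN {name} runs on a device missing from the inventory")
```

Run on the sample data, this reports the low-risk print server as the most overdue item (90 days elapsed long ago), then the high-risk router and the reception PC, and flags the CRM whose host was never added to the device list. The same data can be kept in a spreadsheet; the point is that the review frequency is driven by risk rather than by whoever remembers.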
Keep employees trained and informed
Many security risks originate from user behaviour, and hackers are extremely good at manipulating users into taking actions that expose your business. Clearly, your users need to be educated, but because users rarely see IT security as a priority, education does not necessarily create permanent habits.
Regular refreshers on topics such as password security and how to avoid falling victim to phishing emails can help ensure that employees follow good security practice. It helps to find an engaging way to carry security concerns across to users and to vary the content every so often. Keeping security training fresh will greatly assist your efforts to get users to help reduce your organisation's exposure to cyberattacks.
Develop a cyber-security response plan
Finally, it is worth understanding that it is almost impossible to fully protect your organisation against a determined intruder, nor is it always possible to prevent a random, large-scale attack from adversely affecting your business. However, victims of an attack can largely mitigate the damage by implementing a response plan. Yet an IBM security report concluded that 77% of companies do not have a consistent response plan.
Security is not just about prevention, but also about limiting the fallout of a breach. An attack response plan is an essential mechanism that can limit this fallout, ensuring that backups can be brought online quickly and that affected customers are notified in a timely manner. A response plan can limit the financial and reputational costs of a successful cyberattack.