Nic Sarginson, senior solutions engineer for UKI and RSA at Yubico, details the ways small businesses can protect themselves from cyber threats and attacks…
Every aspect of our business lives is now more connected than ever. From online banking and digital tax to online shopping, even ‘basic’ communication tools like email – the list goes on.
That’s why it’s important for small businesses to secure the applications and devices they depend on for these activities, and that doesn’t mean just computers and laptops – it extends to the mobile phones that employees use as well.
Whether yours is an e-commerce business that relies on a whole range of digital tools, or an organisation that’s mostly offline but uses email and social media, all small businesses need to think about cybersecurity.
The endgame is the protection of the business’ assets – its data and devices – and the prevention of online fraud and cybercrime. To make sure that is the result, good cybersecurity measures and effective online security practices and behaviours need to be in place.
With that in mind, here are four online security measures that all businesses can take:
1. Strengthen password practices
Passwords are still the most widely used form of authentication, but they are only as secure as the diligence that sits behind them. When employees use common passwords such as consecutive numbers or the word ‘password’, they run the risk of these being easily guessed. Should that happen, it can leave applications vulnerable to hackers.
Another common mistake is reusing the same password across a range of applications. In this situation, if the log-in credentials for one application become compromised, cybercriminals could gain access to multiple others simply by trying the same password.
Shortcuts and workarounds can undermine the security of passwords and unfortunately, such practices do go on. In fact, in recent Yubico research, 43% of UK IT professionals admitted their organisation uses sticky notes to manage passwords.
Strengthening security in this area involves using only complex passwords made up of letters, numbers and symbols, avoiding obvious dates and names. Better still, use a password manager like 1Password, Dashlane or LastPass, which generates and stores unique, complex passwords.
Ideally, passwords form just one line of defence as there are further measures businesses can take to protect themselves and their data.
2. Additional authentication tools
Two-factor authentication (2FA) provides a higher level of security than a username and password combination alone. It works by using two separate ways to confirm a user’s claimed identity. Typically, the first check is still a password, but the other can be a physical device, such as an authenticator, or a biometric identifier, such as a fingerprint or iris scan.
An authenticator can be an application or hardware device, such as a security key. Employees register their key with the applications and devices they use and are then asked for the key each subsequent time they log in, giving a higher level of protection for networks, applications and data.
Authentication devices can help address the problem of mobile phone security. This is an often neglected area – worryingly, 55% of UK organisations responding to research said they didn’t believe necessary steps were taken to protect information on mobile phones.
3. Diligence online
A common entry point for cybercriminals targeting organisations is through links, often contained within emails, and infected content. If employees click on such links, or download or open such content, they risk exposing the company’s systems to malware.
Phishing is also prevalent. These attacks trick people into providing information, often log-in credentials, by getting them to enter it on fake websites. Cybercriminals who obtain the details can then use them on the real websites. Security keys provide an additional layer of security that prevents stolen details from enabling access to sites: without the key, the data thieves cannot log in.
Diligence in all online activity is essential and this means not clicking on links from unvalidated sources or those that look like they may have been compromised. If in doubt, don’t, is the simplest guidance.
4. Security training for all staff
Security measures need to be convenient and easy to implement if staff are to take them on board. However, no measures, no matter how strong, replace the need to train staff. Regular communication on cybersecurity topics is essential to ensure staff stay up-to-date and to develop a cyber-safe culture.
The IT security policy should provide clear guidance on device and application use and the behaviours and actions that are expected. It’s generally much easier to get people onboard if they understand not just what they’re being asked to do, but also why.
Online security is a ‘must do’ for every business. Without taking steps to protect themselves, companies can fall victim to damaging cyberattacks.
To mitigate the risk of password hacking and data breaches, companies should ensure they have a clear IT security policy in place, that staff have access to – and use – the right security tools, and that procedures set the right foundations for a cybersecurity-conscious culture to develop.
No business can afford to be complacent and for this reason, it’s important that staff receive regular communications and training on protecting company assets and staying cyber-safe.