In the last of our small business guide to cyber security with the NCSC, we outline the top actions you can take to protect your business.
From policies you can implement across the business, to technical solutions and staff training, carrying out these actions (and staying aware) can be a good way of making sure your business is robust against cyber threats.
For other guides and tips head to www.ncsc.gov.uk
How to improve your cyber security;
Policy actions
These actions should be carried out by staff responsible for determining the overall cyber security policy.
Identify and record essential data for regular backups.
Create a password policy.
Decide what access controls your users need so they can access only the information and systems required for their job role.
Decide what staff need access to USB drives Sign up to threat alerts and read cyber local advice e.g. briefing sheets/threat reports from www.actionfraud.police.uk/signup.
Create an inventory of approved USB drives and their issued owners, and review whether the ownership is necessary periodically.
Technical actions
These actions should be carried out by technical staff responsible for the setup and configuration of devices, networks and software
Switch on your Firewall.
Install and turn on Antivirus software.
Block access to physical ports for staff who do not need them.
Consider making a password manager available to your staff to secure their passwords. Review the star ratings before choosing one from an app store.
Ensure data is being backed up to a backup platform e.g. portable hard drive and/or the cloud.
Set automated back-up periods relevant to the needs of the business.
Switch on password protection for all available devices. Change default passwords on all internet-enabled devices as per password policy.
Install and turn on tracking applications for all available devices e.g. Find my iPhone.
Enable two-factor authentication for all important accounts (e.g email).
Apply restrictions to prevent users downloading 3rd party apps.
Install the latest software updates on all devices and switch on automatic updates with periodic checks.
Ensure all applications on devices are up to date and automatic updates have been set to download as soon as they are released. Schedule regular manual checks on updates.
Set up encryption on all office equipment. Use products such as Bitlocker for Windows using a Trusted Platform Module (TPM) with a PIN, or FileVault (on mac OS).
Training and awareness actions
These actions should be carried out by staff responsible for implementing staff training and awareness. Every member of the team (including board members) needs enough knowledge to understand how cyber security impacts on their area of focus.
Provide secure physical storage (e.g a locked cupboard) for your staff to write down and store passwords.
Create a Cyber Security training plan that you can use for all staff.
Include details of your ‘Password’ policy explaining how to create a non-predictable.
Include how to spot the obvious signs of phishing.
Include details of your reporting process if staff suspect phishing.
Include details on how your business operates and how they deal with requests via email.
Include details of Wi-Fi hotspot vulnerabilities and how to use alternative options (e.g VPN/ Mobile network).
