23 March 2021
Staying Safe: TechPath’s Cyber Security Guide and Tips for Australian Businesses
For small businesses, the effect of cyber breaches can be especially catastrophic. While no organisation wants to feel the pain of losing information, compromising customer information, or losing access to essential IT systems, smaller organisations typically lack the PR muscle to rebuild their reputation, or the finances to cover the high costs that are involved. Many never recover from getting hacked, but it doesn’t have to be that way.
Managing security can be overwhelming, but we’ve put together some simple guidelines that will reduce cyber-security threats – and these measures can be implemented with little or no support.
1. Password management
A good password policy is one of the best ways that small businesses can reduce cyber security threats. Passwords must be complex, ideally using password phrases, as these are longer, and far harder to guess, yet still easy to remember. Cyber-criminals can use brute force and the power of technology to break through weak passwords remarkably quickly. Most apps now support multi factor authentication, which greatly strengthens security with minimal effort. It is important that staff never use the same password for multiple systems, as this makes it easy for hackers to move around your environment. A good password manager, such as Microsoft Authenticator, will help to create strong passwords, and autofill them on trusted devices when needed, so you never need to worry about remembering the access details to dozens of systems.
2. Manually verify changes to banking details
Cyber criminals are sneakier than ever. One scam that is currently popular is to impersonate a colleague or customer, and email new bank account details for an acquisition or invoice. By the time the subterfuge is discovered, the money is overseas. Whether it is an employee changing how they are paid, a customer changing banks, or a new vendor, new details must be manually verified via a phone call to a trusteed number, not via email – this extra step is an important protective measure.
3. Email protection
Emails are a key point of entry for cyber-criminals, so if small businesses are to stay secure, two factor authentication with a strong email password is a must. The business should also use a good spam protection service – we recommend Microsoft Defender Advanced Threat Protection (ATP), which can be bundled with your Microsoft 365 package, and typically works out less costly than buying a separate product.
4. Device control
Every small business depends on many devices, such as computers, phones, printers, even connected security cameras and entry systems. It is vital to know what devices you have where, with policies in place to set up and control them. This should include regularly patching all devices, and using endpoint protection such as Microsoft Defender for Endpoint. Given the increased number of employees now working from home or remotely, you should implement clear rules for BYOD, in particular relating to synchronising data when working on a computer that doesn’t belong to the company. Helping staff to understand their responsibilities, and supporting them to implement strong endpoint protection on their own devices is a win-win, where everybody reduces risk. Needs here will vary, so find the right balance for your business.
In the event something goes wrong, your efforts at backup determine if and when you can recover. We can’t stress enough that making sure you have a solid backup system in place, and testing it often, is invaluable in an emergency. Even cloud services are not always safely backed up, so those now mainly dependent on SaaS apps should not become complacent. There are many great backup options, and they often include a high level of automation, so it doesn’t have to be time-consuming. Given the critical nature of a robust backup process, if you are not confident or have lost data before, a quick call to your IT partner may save you a lot of stress later on.
6. Know your data
Humans create a lot of data. By 2020, it was estimated that every second, 1.7 MB of data would be created for every person on earth. For a small business, it can be hard to have visibility of where that data is – and if you can’t see it, how can you control and secure it? The situation has become worse since Covid, with more people using more devices beyond easy reach of the IT department. It is oh-so-simple for people to install apps through the app store when signed into personal devices and mail, out of sight. It is worth undertaking a review to ensure you understand how data is used, and where it is created.
7. App control
It is important to know what apps are in use in your business, who has access to them, and what level of access they have. While some apps may be automatically kept up to date, others are not – and this creates security vulnerabilities if not addressed. Our security experts recommend that businesses conduct a survey of staff to determine what apps they use. Some Microsoft 365 plans include technology that reports on what apps your staff are using – if you don’t already have this in your plan, you could always sign up for a trial licence of the relevant features to see if they suit your needs
8. Create company security standards
When you have clear security principles, it makes it much easier to train employees on what is expected of them. Your security standards should form part of new staff induction, and ongoing training should be provided, as the threat landscape changes constantly. With a proper onboarding and offboarding policy, your people will be equipped to act as your small business’s frontline cyber-security defence.
Each of these eight security measures can be implemented in-house, or with minimal help from your IT partner, and together they will make you a far less attractive target for hackers.
Need more advice on increasing cyber security in your small business? Check out the ACSC Small Business Cyber Security Guide and the Essential Eight mitigation strategies, or contact TechPath’s friendly IT security experts.