This guide aims to walk you through the main rules and 15 key steps to achieving basic cyber security. It is intended for home users and small business owners and will help you to protect yourself, your family, your business, and your customers.
The rules of basic cyber security
The 15 steps to basic cyber security
To protect your assets, you must know what data you have and where it is. Think before you share it with other people in your business. Do they need access to it?
Audit the information in your business and prioritise its importance to your business, your staff and your customers and what the impact would be on them if it was lost.
If you have a computer at home, make sure you set each member of the household up with separate accounts and don’t let them have access to any work-related files.
Only when you know your data can you effectively assess the risks to your business and your customers, and put appropriate defensive and preventative measures in place. You must balance convenience against security, and cost against risk.
Draw a simple picture of your data: which devices it is on, who has access to it, how it is available over the network or the internet, and how data gets into or out of your business.
Each place and each connection represents a vulnerability; combined with your data audit, this shows you where to focus your security efforts.
This refers to business continuity, disaster recovery, incident response and cyber insurance.
Always plan for the worst but hope for the best. Create a recovery plan for all your devices and data making it as comprehensive as possible. Once you’ve covered the devices, do the same for your business and then work out how you will handle your staff, customers and suppliers when it goes wrong. This will prevent much unnecessary stress should a breach occur.
When you know what you’ve got, where it is and how you’ll recover it, you can then implement appropriate backup plans to make sure there are no gaps.
Use multiple backup devices including those that are offline. Use DVDs/CDs to archive documents as they cannot be overwritten. Don’t leave backup devices plugged in.
Test plans before you need them. A good backup strategy will save your business when disaster strikes.
Consider how old some of your applications, documents and data are. Do you really need to keep them on your devices? If you don’t need documents or data, archive them to CD/DVD or, if necessary, the cloud, but make sure they are secure.
Ensure the backup is read-only. Uninstall any old applications you don’t need.
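An added example (not part of the original guide) of the data audit and archiving steps above: it walks a folder, lists files that have not been touched within a chosen age, and strips the write bits so the archived copies cannot be silently overwritten. The folder layout and file names are constructed sample data.

```python
import os
import stat
import tempfile
import time

SECONDS_PER_DAY = 86400
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def find_stale_files(root, max_age_days, now=None):
    """Return paths under root not modified within max_age_days (candidates to archive)."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * SECONDS_PER_DAY
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < cutoff:
                stale.append(path)
    return sorted(stale)


def make_read_only(path):
    """Remove owner/group/other write permission from a file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~WRITE_BITS)


def is_read_only(path):
    """True when no write bit is set on the file's mode."""
    return not (stat.S_IMODE(os.stat(path).st_mode) & WRITE_BITS)


def audit_and_lock(root, max_age_days=365):
    """Find stale files, make each read-only, and return the locked paths."""
    stale = find_stale_files(root, max_age_days)
    for path in stale:
        make_read_only(path)
    return stale


def build_sample_tree():
    """Constructed sample data: one recent document and one 400-day-old invoice."""
    root = tempfile.mkdtemp()
    fresh = os.path.join(root, "quote-2024.docx")
    old = os.path.join(root, "archive", "invoice-2019.pdf")
    os.makedirs(os.path.dirname(old))
    for path in (fresh, old):
        with open(path, "w") as handle:
            handle.write("sample content")
    old_time = time.time() - 400 * SECONDS_PER_DAY
    os.utime(old, (old_time, old_time))  # backdate the invoice
    return root, fresh, old
```

Run `audit_and_lock` on a real folder with the age you consider "old"; the returned list is what to move to offline media, and `is_read_only` is the check to run over the archive afterwards.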
If you look after your data, make sure your suppliers and subcontractors look after anything you send them. If you are accredited, make sure they are too, and encourage them to be if they are not. If they refuse, be prepared to change suppliers – your business is at risk. After all, if your supplier gets breached, chances are that you will too.
People are the best possible defence, so ensure regular training for you and your staff to make sure they understand the risks and increase their awareness, especially of phishing.
Don’t use or allow business email addresses to be used for personal use.
Your business is like a walled garden protected from the outside internet by firewalls, content filters and email filters while you nurture business growth. The more things you let in, the greater the risk.
Block everything except what you really need and scrutinise everything going in or out. Use secure products for remote access which do not require you to ‘let them in’ from the internet.
Keep your computers, phones, tablets and anything else up to date with current versions and fixes.
Always use the latest operating system and always isolate anything you can’t upgrade. Old systems represent a huge risk.
Anti-virus, anti-malware, anti-spyware. Protection matters but this is the last line of defence. Anything that gets through here means trouble.
Ideally you should use more than one product and from different vendors. Run regular scans of everything, especially anything you allow to be connected to your network or device.
Don’t install anything which is unnecessary. Uninstall everything you don’t need. Make it secure. Keep users to a minimum, disable all non-essential services.
Enable the computer firewall – set it to the most restrictive setting.
Be paranoid. They are out to get you and you don’t know who is carrying what.
Don’t let anyone connect anything unauthorised to your computers or networks. You don’t know what may be on it.
Don’t run anything off someone else’s disk without scanning it thoroughly first. Only go with things you trust.
Make your normal computer account as basic and unprivileged as possible. If you are an administrator on your computer, create a separate administrator account with a long password and just become a user. Otherwise anything which you run can be as destructive as it likes.
While we still rely on passwords, keep them long and unique – use a phrase, a line from a song, poem or book, or anything motivational.
Use built-in password storage or a cross-platform synchronised password manager to manage them.
Ensure every document containing sensitive information you send out or copy onto portable storage is encrypted. Send or store the password separately.
There are more actions you can take, but the aim of this guide is to outline the key steps you need for basic cyber security. If you follow these rules and steps, you will avoid appearing at the top of the list for the bad guys to exploit, and ensure you, your family, your customers and your business all remain as safe as possible.
But whatever you choose to do, please do something. And remember - always use sunscreen.