Protect your business online
Cyber crime can affect anyone, from sole traders to large corporations. All businesses regardless of their size should take basic steps to protect themselves and their customers online.
This guide explains what you can do to reduce your exposure to cyber attacks. It outlines some common cyber security measures that can help strengthen your business' defences and tells you how to detect spam, malware and virus attacks.
This guide also describes the implications of business data breach and theft and looks into security concerns in particular areas of your business, including point-of-sale, remote access and cloud transactions.
Finally, it explains the types and solutions to insider threats in cyber security and offers 10 cyber security tips to protect your business online.
Common cyber security measures
Businesses should use different cyber security measures to keep their business data, their cashflow and their customers safe online. These measures should aim to prevent risks from various sources, including:
- internet-borne attacks, eg spyware or malware
- user generated weaknesses, eg easily guessed password or misplaced information
- inherent system or software flaws and vulnerabilities
- subverted system or software features
Essential cyber security measures
The following processes and tools are fairly easy to introduce, even for the smallest businesses. Combined, they will give you a basic level of security against the most common IT risks.
Use strong passwords
Strong passwords are vital to good online security. Make your password difficult to guess by:
- using a combination of capital and lower-case letters, numbers and symbols
- making it between eight and 12 characters long
- avoiding the use of personal data
- changing it regularly
- never using it for multiple accounts
- using two factor authentication
Create a password policy for your business to help staff follow security best practice. Look into different technology solutions to enforce your password policy, eg scheduled password reset. Find different password strategies that could boost your business security.
Make sure that individuals can only access data and services for which they are authorised. For example, you can:
- control physical access to premises and computer networks
- prevent access by unauthorised users
- limit access to data or services through application controls
- restrict what can be copied from the system and saved to storage devices
- limit sending and receiving of certain types of email attachments
Modern operating systems and network software will help you to achieve most of this, but you will need to manage the registration of users and user authentication systems - eg passwords. Read more about identity and access management controls.
Put up a firewall
Firewalls are effectively gatekeepers between your computer and the internet, and one of the major barriers to prevent the spread of cyber threats such as viruses and malware. Make sure that you set up your firewall devices properly, and check them regularly to ensure they have the latest software/firmware updates installed, or they may not be fully effective. Read more about firewalls in server security.
Use security software
You should use security software, such as anti-spyware, anti-malware and anti-virus programs, to help detect and remove malicious code if it slips into your network. Discover how to detect spam, malware and virus attacks.
Update programs and systems regularly
Updates contain vital security upgrades that help protect against known bugs and vulnerabilities. Make sure that you keep your software and devices up-to-date to avoid falling prey to criminals.
Monitor for intrusion
You can use intrusion detection systems to monitor your systems for unusual network activity. If a detection system suspects a potential security breach, it can generate an alarm, such as an email alert, based on the type of activity it has identified. See more on cyber security breach detection.
Your employees have a responsibility to help keep your business secure. Make sure that they understand their role and any relevant policies and procedures, and provide them with regular cyber security awareness and training. Read about insider threats in cyber security.
You should also follow best practices defined in the government's Cyber Essentials scheme.
The National Cyber Security Centre provides detailed guidance to help businesses protect themselves in cyber space. See 10 Steps to Cyber Security.
Servers are powerful computers that provide one or more services (such as email, web or file servers) to users on a particular network. Cyber criminals frequently target servers because of the sensitive data they often hold.
What is server security?
Server security focuses on the protection of data and resources held on the servers. It comprises tools and techniques that help prevent intrusions, hacking and other malicious actions.
Server security measures vary and are typically implemented in layers. They cover:
- the base operating system - focusing on security of critical components and services
- hosted applications - controlling the content and services hosted on the server
- network security - protecting against online exploits, viruses and attacks
Insecure servers are a significant business risk and can cause many network security issues.
How do I secure a server?
Securing large, complex servers can require specialist skills. However, any business using a server should be aware of the risks and - at the very least - use basic cyber security measures.
Good management practice can help you improve your business' server and network security. If you are not using a secure data centre to host your servers, you should:
- keep them locked
- monitor and restrict access to them
- monitor server reports, such as security logs
- assess their environment for other risks, eg temperature and fire
- maintain stable power supply
As with regular desktop PCs, servers will need:
- a firewall
- regular backup and updates
- reliable security software
- reliable maintenance and support services
Network firewall security
A firewall is a piece of software or hardware that filters all incoming and outgoing traffic to your business. Firewall devices can:
- block malicious email relaying
- prevent malware being downloaded from untrusted websites
- prevent access to blacklisted websites or unsecure services
A hardware firewall is usually part of a broadband router. It protects your entire local network from unauthorised external access and is usually effective even with minimal configuration.
A software firewall is an application installed on individual computers and devices. It is often part of the operating system and usually needs more configuration of settings and application controls.
Regardless of what server software and operating system you run, their default configuration may not be fully secure. You should take steps to increase server security - this process is known as server hardening.
Some common server hardening methods include:
- using data encryption for communication
- removing unnecessary software from servers
- regularly updating operating systems, and applying security patches
- using security extensions
- enforcing strong password complexity to protect all user accounts
- account locking after repeated login failures
- using brute-force and intrusion detection systems
- backing up data and systems regularly
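The password rules given under 'Use strong passwords' above and the hardening items 'enforcing strong password complexity' and 'account locking after repeated login failures' can be turned into a small enforcement check. This is an added example, not code from the original guidance; the function names, the five-failure lockout threshold and the sample personal data are assumptions.

```python
"""Added example (not from the original guidance): a password-policy check and
a login lockout counter that implement the page's advice: 8-12 characters
mixing capitals, lower case, numbers and symbols, no personal data, no reuse
across accounts, and locking an account after repeated login failures.
Function names and the lockout threshold are assumptions."""
import string
from dataclasses import dataclass, field

MIN_LEN, MAX_LEN = 8, 12          # the guide's suggested length range
LOCKOUT_THRESHOLD = 5             # assumed: consecutive failures before a lock


def check_password(password, personal_data=(), used_elsewhere=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("needs a capital letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a symbol")
    lowered = password.lower()
    for item in personal_data:          # eg surname, date of birth, company name
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal data ({item})")
    if password in used_elsewhere:      # the guide: never reuse across accounts
        problems.append("already used for another account")
    return problems


@dataclass
class AccountLockout:
    """Tracks consecutive login failures per user and locks after the threshold."""
    threshold: int = LOCKOUT_THRESHOLD
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_attempt(self, user, succeeded):
        """Record one login attempt; return True if the account is now locked."""
        if user in self.locked:
            return True                 # locked accounts stay locked until reset
        if succeeded:
            self.failures.pop(user, None)   # a success clears the failure streak
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
            return True
        return False


if __name__ == "__main__":
    print(check_password("Smith2024!", personal_data=["Smith"]))
    lockout = AccountLockout(threshold=3)
    for ok in (False, False, False):
        print("locked:", lockout.record_attempt("alice", ok))
```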
The National Cyber Security Centre has published guidance which will help you secure your servers.
Detect spam, malware and virus attacks
Spam, viruses and other malware can have a damaging effect on your business. It is important to understand how to detect an attack and recover your systems following the incident.
Recently, there has been an increase in malicious cyber activity - including ransomware - relating to COVID-19. You should take steps to protect yourself and your business against these threats.
Check NCSC weekly threat reports and the advisory on cyber exploitation of the coronavirus pandemic.
How to detect spam
Spam is unsolicited communication that now makes up the majority of email traffic. Your internet service provider should offer you spam filtering as a default feature of your dedicated email service.
Spam filters detect unwanted emails based on suspicious word patterns and other clues, and divert them to a separate folder or mailbox after classifying them as spam. You can buy separate spam filters or programs to reduce the spam you receive and securely manage your inbox. See also how to protect your business against phishing.
How to detect a virus or malware
Common signs of virus or malware infection include:
- system slowing down
- unexpected activity on your machine or pop-up messages
- email server becoming overloaded or intermittent
- data files becoming corrupt or going missing
- unexpected changes in the content of your files
If you notice these signs and suspect a problem, use your security software to diagnose the issue. Your software provider may be able to offer you advice. See more on cyber security breach detection.
Virus or malware recovery
If a virus has infected your system, follow these five basic recovery steps:
1. Tell everyone who needs to know - if the virus is spread through email, tell everyone with an email account on the infected system as quickly as possible. If there is a specific file attachment that contains the malicious virus program, name it.
2. Quarantine infected machines - as soon as possible, disconnect infected computers from any internal or external networks. Do not reconnect until after you remove the virus.
3. Organise a clean-up operation - use your anti-virus software to scan all computers and files to check if the virus has spread. If you can't remove the virus or malware, you may need to restore your computer files from a recent backup. In extreme cases, it may be more practical to wipe the infected computer, reinstall the operating systems and restore your files from a recent, clean backup. If necessary, contact your software supplier for specific advice.
4. Make sure there are no re-infections - carry out emergency security measures and inform the users that clean-up is underway. Ensure that additional patches are in place to prevent re-infection.
5. Manage outgoing email traffic during the crisis - use whatever facilities you have to prevent the transfer of the virus via email. Consider closing down the outgoing mail service.
Cyber attacks are almost inevitable, so the speed at which you react to an incident is critical. A cyber security incident response plan will help your business respond to security incidents quickly and efficiently.
To help you prepare for and plan your response to a cyber incident, see also the NCSC's small business guide to response and recovery.
You can also test and practise your response to a cyber attack with the help of the NCSC's Exercise in a Box online training tool.
Protect your business against phishing
Phishing is widespread in the UK. It is one of the most common types of cyber crime that targets businesses regardless of their size or sector.
Recently, there has been an increase in malicious cyber activity - including phishing - relating to COVID-19. You should take steps to protect yourself and your business against these threats.
Check NCSC weekly threat reports and the advisory on cyber exploitation of the coronavirus pandemic.
What is phishing?
Phishing is a type of cyber attack that most commonly happens through email. In a typical attack, thousands of people receive fake emails from unknown criminals asking them to:
- provide sensitive or confidential information (such as passwords and bank details)
- send money to individuals or organisations
- download something that infects your computer
The email usually contains attachments infected by malware or links to a 'spoof website' where attackers try to trick you into surrendering sensitive data.
Variations of phishing include:
- vishing - when fraud is attempted by phone
- smishing - when fraud is attempted via text messages
Targeted phishing attacks
Rather than delivering mass emails to random individuals, some forms of phishing target specific individuals or organisations. One such form is spear phishing.
As with regular phishing, spear phishing emails appear to come from a trusted or familiar source. The criminals gather personal information about the target and modify their message to make it look legitimate. This method is known as social engineering - it increases the chances of tricking the target into divulging sensitive information or downloading malware from infected attachments and links.
Whale phishing attacks use the same personalised technique but target high-profile individuals, such as celebrities, politicians or C-level executives.
Read the National Cyber Security Centre (NCSC) blog to find out more about these targeted forms of phishing.
Social media phishing
As well as email, text messages and phone calls, criminals can also use social media websites to commit financial or identity fraud.
Social media phishing usually involves:
- fake social media accounts that impersonate known or trusted people
- fake customer support accounts to impersonate brands
- click-bait posts that include malicious links
- fake surveys, promotions or contests to get personal information
See Get Safe Online tips to help you avoid social media phishing.
How to spot phishing websites
Fraudulent websites can be difficult to identify. They may closely resemble, for example:
- your social networks
- your email providers, such as Yahoo or MSN
- your banking provider
- government service, such as HM Revenue & Customs
- IT service providers and vendors such as Microsoft, Google or Apple
- online marketplaces, such as eBay or Amazon
- money transfer websites, such as PayPal
Once you enter information into the fake sites, criminals are able to steal it and use it to commit identity or financial fraud.
Common warning signs that you are on a fake website may include:
- a different URL from the one you originally clicked on
- an element of urgency in whatever the website is asking you to do
- requests for personal information such as financial account or social security numbers
- spelling errors, unusual navigation or substandard graphics
- suspect ads or pop-ups on the website
- a mix of legitimate links with fake links
- incorrect company name
- an absence of legitimate contact details
Keep in mind that an HTTPS site (where the padlock symbol next to the URL address indicates an encrypted connection) can also be malicious.
How to prevent phishing
The key to avoiding phishing is to treat all email with caution. For example:
- Be wary of emails that begin with 'Dear Sir/Madam' or another type of generic greeting (eg 'Dear account holder', 'Dear customer', etc). Legitimate companies and individuals will generally call you by your name, eg 'Dear [FIRST NAME]'.
- Look for inconsistencies in the sender's email address and any links to webpages. Make sure that they match legitimate sources, including when you hover your cursor above them.
- Be careful with unsolicited emails carrying attachments or directing you to download documents or files from unknown websites.
- Ignore emails that appear to come from a bank or similar institution, and request sensitive information. If in doubt, contact your bank directly using trusted contact details and do not use the contact details or links provided in the email.
- Ignore emails demanding urgent action or making offers that are too good to be true.
- If in doubt, do not click on any links within an email. Instead, contact the sender through a known source, such as phone or their official website. Do not use contact details supplied within the suspicious email.
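The checks in this list (generic greetings, urgent wording, sender address inconsistencies, and links whose visible text does not match where they actually point) can be applied mechanically to a message before anyone clicks. The following is an added example, not code from the original guidance; the two sample emails, the word lists and the expected domain are constructed for illustration.

```python
"""Added example (not from the original guidance): apply the phishing warning
signs listed above to an email message. The sample messages, the greeting and
urgency word lists and the expected domain are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear account holder", "dear user")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account will be suspended")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or URL-like text ('www.example.com/login' -> 'www.example.com')."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def phishing_indicators(raw_message, expected_domain):
    """Return a list of warning signs found in a single-part HTML email."""
    msg = message_from_string(raw_message)
    findings = []
    # Sender checks: does the address match the organisation it claims to be?
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain != expected_domain:
        findings.append(f"sender domain {sender_domain} is not {expected_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"Reply-To {reply_to} goes to a different domain than the sender")
    # Wording checks: generic greeting and pressure to act quickly
    html = msg.get_payload()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    findings += [f"generic greeting '{g}'" for g in GENERIC_GREETINGS if g in text]
    findings += [f"urgency wording '{w}'" for w in URGENCY_WORDS if w in text]
    # Link checks: visible text vs real target (what you see when you hover)
    parser = LinkCollector()
    parser.feed(html)
    for href, visible in parser.links:
        target = host_of(href)
        if re.fullmatch(r"\S+\.\S+", visible) and host_of(visible) != target:
            findings.append(f"link text shows {host_of(visible)} but points to {target}")
        if not (target == expected_domain or target.endswith("." + expected_domain)):
            findings.append(f"link points to untrusted host {target}")
    return findings


# Constructed sample: a message showing most of the warning signs at once
SAMPLE_EMAIL = """\
From: "Example Bank" <security@examp1e-bank-alerts.com>
Reply-To: verify@mail-relay.example.net
To: owner@smallbiz.example
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html

<html><body>
<p>Dear customer,</p>
<p>Unusual activity was detected. Your account will be suspended unless you
verify it immediately at <a href="http://login.examp1e-bank-alerts.com/verify">
https://www.example-bank.com/verify</a>.</p>
</body></html>
"""

# Constructed sample: a legitimate-looking message that raises no findings
LEGIT_EMAIL = """\
From: "Example Bank" <statements@example-bank.com>
To: owner@smallbiz.example
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Dear Ms Jones,</p>
<p>Your statement is available at <a href="https://www.example-bank.com/statements">
www.example-bank.com/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, "example-bank.com"):
        print("-", finding)
```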
A good email filter will block many of these types of messages. You should also train your employees to recognise scam emails and act appropriately. If you need help training your staff, the National Cyber Security Centre has created a free online tool to help you do just that - access the NCSC's Stay Safe Online: Top Tips for Staff tool.
See also how to detect spam, malware and virus attacks.
If you receive a potential phishing message, you can report it to the NCSC using their Suspicious Email Reporting Service: email@example.com.
Point-of-sale terminal security
Point-of-sale (PoS) security is a growing concern for many businesses, especially for those in the retail sector.
There are two main areas of PoS vulnerabilities:
- hardware - eg when criminals affix a 'skimmer' device to a PoS terminal in order to intercept and capture card data
- software - eg when criminals use malware to gain access to PoS networks and steal payment card data as it transmits through the network
If you use point-of-sale networks to conduct business, it is vital that you follow security best practice and make every effort to protect your terminals and software.
How to protect your Point-of-Sale station and network
The best advice for securing your PoS environment is to use multiple layers of protection. For example:
- Use strong passwords - replace the default user name and password after installation and change passwords on a regular basis.
- Update your PoS software - install security upgrades and patches to keep your systems protected against known bugs and vulnerabilities.
- Install firewall and anti-virus software - see more common cyber security measures.
- Set up encryption - your PoS service provider will usually set up encryption of data transmission by default. If you have any concerns, talk it over with your provider and make sure processes are in place to safeguard your system from abuse.
- Control access - only allow access to customer data to authorised and relevant employees. You should also restrict PoS computers and terminals from accessing the internet; this can prevent exposure to online security threats such as viruses and malware.
- Disable remote access - remote access can expose your PoS system to more vulnerabilities and make it easier for cyber criminals to exploit. Consider disabling remote access to your PoS network as a precaution.
Even with all these measures in place, there is no guarantee that your PoS system won't be attacked. Always watch out for any signs of security breach and train your staff on the proper use of the PoS system.
Cloud security risks and solutions
Cloud security takes in a range of policies, technologies and security controls that serve to protect data, applications and the infrastructure associated with cloud computing.
Cloud security risks
Two main types of cloud security threats relate to issues faced by:
- cloud providers - who look after the infrastructure and the client's data and applications
- cloud customers - who rely on password protection and authentication measures
Key risks in the cloud include hacking, data theft, server faults and non-compliance. You can address each by deploying the same security solutions you would normally use to protect your in-house IT devices and networks.
Cloud security controls
Many of the common cyber security measures apply in a cloud-based environment as they do in conventional IT systems, including:
- firewalls and perimeter protection
- traffic monitoring and reporting
- spam filtering
- real-time alerts and analytics
Read the National Cyber Security Centre's (NCSC) guidance to find how to configure, deploy and use cloud services securely.
Your security responsibility if you use cloud services
Providers and customers share the responsibility for maintaining and protecting the security of cloud services and systems.
As a buyer, your responsibilities will vary depending on the type of service involved. Your responsibilities will be largest when using Infrastructure as a Service (IaaS). Read more about IaaS: managing your responsibilities.
Cloud security and data protection
If you are processing and storing sensitive business or personal data in the cloud, you will want to check that your provider takes security seriously. Things to consider include:
- Cloud provider vulnerabilities - are they following best security practices, patching regularly and implementing proper security controls? Can they guarantee that your assets will be protected against physical tampering, loss, damage or seizure?
- Technology vulnerabilities - are there weaknesses in the host system or server configuration? Can you get assurances that the technology is secure? Will it be reliably accessible and available when you need it?
- Access policies - did you agree standards and responsibilities between yourself and the provider? Defining roles and responsibilities can help ensure secure coverage and prevent potential liabilities in case of cyber incidents.
- Access controls - will the provider limit access to the cloud service to only those who need it? How will they minimise the risk of accidental or malicious compromises of your data by their personnel?
- Service level agreements - can you establish a documented standard with your cloud provider, including their duties in relation to ongoing management, response times and support?
- Risk assessment and analysis - does your provider have an adequate incident plan in place to quickly deal with and mitigate any potential damage?
- Legal and regulatory implications - for example, if you're storing or processing personal data in the cloud, you will have to comply with the General Data Protection Regulation (GDPR).
If you're using software that interacts with cloud services, you may also want to read about managing the risk of cloud-enabled products.
Business data breach and theft
A data breach involves unauthorised access to, or disclosure of, sensitive, confidential or otherwise protected data. This may be personal information (for example regarding health or financial accounts), trade secrets or intellectual property.
Data theft is the stealing of digital information from an individual or an organisation with the intention of compromising privacy or obtaining confidential information. See more reasons behind cyber attacks.
Impact of data breach or theft
The exact impact of data breaches or theft may vary depending on the organisation. However, common consequences you will need to consider are:
- financial loss
- reputation damage
- operational disruption
- monetary penalties (if you fail to comply with data protection laws)
See more on the impact of cyber attack on your business.
Risks to your data can come from:
- unauthorised access to your IT systems and networks
- theft of property or equipment from your premises
- transporting data externally via unsecure devices
- failure to follow data protection processes and principles, with or without intent
How to prevent data breach
To protect your business data, you should think about:
- where and how you store it
- how you secure it (physically and electronically)
- who has access to it
- how that access is facilitated (eg individual devices)
You should back up your important data regularly and store it securely off site. For added protection, you can use data loss prevention software to:
- disable USB ports
- monitor copying of files to storage media
- prevent users from transferring the data altogether
As part of your security measures, you should create an asset register - taking into account all hardware and software, including your server equipment. Determine which assets are at risk from cyber attack and record all the relevant details. Audit the register regularly to ensure that equipment is accounted for, and that the information is safe and secure. Find out more on managing assets in business.
Dealing with a data breach
If you believe that data has been stolen, or you have been exposed to scam or fraud, you will have to take action to:
- prevent the data breach continuing
- discover the extent of the damage
- clean up the results
See more on cyber security breach detection.
Your incident response will depend on the circumstances. You may need to take specific advice from the police or legal advisors, but generally speaking, you should:
- report the incident to the Police Service of Northern Ireland
- inform your bank
- check bank accounts for unexplained transactions
- check your business for any unexpected changes in its credit condition
- consider hiring an IT security specialist to investigate the breach
- consider hiring a specialist to rebuild or replace parts of your IT infrastructure, if necessary
Find out how to develop a cyber security incident response plan.
The National Cyber Security Centre (NCSC) provides detailed resources to help you effectively detect, respond to and resolve cyber incidents. You should consult the following:
- small business guide to response and recovery
- incident management guidance
- 'Exercise in a Box' online tool to help you practise your response in a safe environment
Reporting a data breach
As part of managing the incident, you may need to let people or organisations know about the security breach. You may need to notify:
- the regulators, if the breach is significant or if you've failed to comply with data protection legislation
- individuals or groups whose personal data has been compromised
- relevant industry bodies, eg in the financial or telecommunications sector
Remote access security issues
Remote access is a growing need for many businesses. It allows mobile workers or remote staff to access office systems and processes via the internet from remote locations. Despite the many benefits, remote systems can expose your business to many risks.
You will have to manage these risks to keep your remote access secure at all times. Otherwise, your network may become vulnerable and your business data exposed.
Due to the COVID-19 situation, many businesses are encouraging staff to work from home. This presents new cyber security challenges that must be carefully managed.
If you're introducing or scaling up home working, read the National Cyber Security Centre's new guidance on Home working: preparing your organisation and staff.
If your staff are working on personal devices rather than work-issued IT, see the guide on Secure home working on personal IT.
Remote access threats
Remote working relies on the exchange of business data or services outside of the corporate infrastructure, typically over the internet. It can be achieved through a variety of client devices, including many that are outside the organisation's control.
The remote environment in which these devices are used may also pose risks. For example, security concerns may exist around:
- lack of physical security controls - creating a risk of device loss or theft
- eavesdropping - as information travels over the public internet
- unauthorised access to systems or data - eg by someone looking over the user's shoulder at the screen
- monitoring and manipulation of data - if someone gains access to the device
You can adapt most of the common cyber security measures to meet the unique challenges of remote access security.
If you're introducing remote access to your business for the first time, read the NCSC's guidance on moving your business from the physical to the digital.
Remote access risk assessment
You should assess the specific risks associated with mobile working and providing remote access to staff. The assessment will inform your mobile working policy, establishing processes for:
- authorising users to work remotely
- device provisioning and support
- the type of information or services that can be accessed or stored on devices
- the minimum procedural security controls
Examine the risks to your corporate network and systems and determine whether you need to increase monitoring on remote connections. See how to set up workplace monitoring policies.
Remote access security measures
Some specific recommended actions for securing your remote access include:
- encrypting data to prevent theft
- using strong firewall and security software
- using two-factor authentication (eg first with a password and then with a token)
- preventing access by unauthorised users
- allowing access to legitimate users but limiting to the minimum services and functions required
- reviewing server logs to monitor remote access and any unusual activity
- deleting remote access privileges once they are not needed
- testing systems regularly for vulnerabilities
- keeping firewall and remote access software patched and up-to-date
You may also choose to restrict the type of data that users can access remotely.
Virtual private network (VPN) software will give you a high level of encryption to access your network remotely. Read about VPNs and advanced computer networks.
Insider threats in cyber security
Employees are a common source of cyber security breaches. In fact, most cases of insider incidents involve some type of misuse of corporate IT systems by a staff member.
This misuse may be malicious, but more commonly it happens inadvertently through employees' carelessness or negligence. Regardless of the cause, insider threats can seriously compromise your business, often leading to financial losses and reputational damage. See impact of cyber attack on your business.
Types of insider threats
Most types of insider threats fall under one of three categories: the malicious insider, the negligent/unknowledgeable employee, and the third party contractor.
Typical events that happen in the workplace, and which could pose a significant risk to your business, include things like:
- browsing unauthorised websites
- visiting social networking sites
- sharing confidential information in social network environments
- opening spam or suspicious links and email attachments
- accidentally sending sensitive information to wrong people
- accidentally transferring viruses or malware
- choosing weak passwords and never changing them
- using the same password on multiple accounts
- installing unauthorised programs on their machines
- uploading files to online file-sharing services, personal cloud or storage networks
- downloading unauthorised files (eg music, films or photographs)
- misplacing or losing property (eg laptops, mobile phones, USB devices)
- providing information to a third-party, eg suppliers or vendors
- transporting company information via unsecured portable devices
- sending sensitive work documents to their personal email addresses
- using unsecured mobile devices to share work data or access company information
- accessing your business' virtual private network via public computers and public wireless hotspots
Cyber security breach detection systems can uncover risky user activity in real-time and alert relevant teams to investigate. However, education and staff training can often be the key to an effective and preventative cyber security strategy.
Cyber security measures in the workplace
Many unintentional mistakes employees make are entirely avoidable. To help keep your workplace safe, you should:
- screen new employees, contractors or anyone else who will have access to your business information - check references, qualifications, identity, etc
- implement a strict, written set of security guidelines
- set good password practices in place
- restrict access to unauthorised websites and devices
- restrict permissions to install software or access system data
- review current practices on email and internet use, remote working and bring your own device standards
- ensure staff receive IT security training and know how to use IT systems properly
- clearly outline the IT risk management policies and practices you expect your staff to follow
- increase general cyber and corporate security awareness through the workplace
- insist on confidentiality or non-disclosure agreements for people who are given access to sensitive information
- build compliance with security controls into employment contracts, including the disciplinary consequences of breaching them
It's important that you explain to your employees their roles and responsibilities in keeping data and company resources safe. Use our sample IT policies, disclaimers and notices to help you set out IT policies for your business.
Lastly, keep in mind that even if you follow all the best practices, you may still encounter security issues from time to time. Review your cyber security risk management processes and develop an incident response plan, to enable you to quickly and efficiently deal with cyber incidents.
10 cyber security tips to protect your business online
Small business owners can't assume a cyber attack won't happen to them. The 2017 Cyber Security Breaches Survey shows that just under half of all businesses were able to identify at least one cyber security breach or attack in the last 12 months.
Clearly, no business is immune to cyber risk irrespective of their size and industry. But all businesses can alleviate some of the risks by taking simple steps to protect themselves and their organisation online. Here are some of the things that you can do:
1. Make regular backups of your key systems and data. Keep copies securely off-site and check that they work.
2. Apply any new security patches for your operating system, web browser and all other software on your devices to keep them secure. In many cases you can set the software to update itself automatically, or download the patches manually.
3. Install and regularly update anti-virus and anti-malware software on all your devices.
4. Use strong passwords and change them regularly. Also, consider using two factor authentication for added security.
5. Use different passwords for different websites/services or consider using a reputable password management tool.
6. Encrypt any sensitive data and do not send passwords or other sensitive data via email unencrypted.
7. To protect against phishing or ransomware be cautious of clicking on links sent to you within emails, social media website/apps or unfamiliar websites.
8. Use a firewall and check that your internet router/firewall has the latest firmware installed.
9. If you operate a Wi-Fi network make sure it is encrypted (eg WPA2) and regularly change the Wi-Fi password.
10. Use a VPN (virtual private network) if you are accessing your systems over public Wi-Fi or an insecure network.
You can also consider other common cyber security measures to help you increase the resilience of your business.
Best practices for cyber security in business can help you devise a strategy on cyber risk management, including breach detection and planning incident response.