Cybersecurity – 10 tips for protecting your business from cyber attack

Cyber Security 780 385 In this article

Cybersecurity is big news - no surprise when cyber-attacks cost businesses in the UK £15,300 per victim on average.

Data loss and cyber breaches leave companies needing to fix their websites, their systems and, most damaging of all, their reputations. If customer data is stolen, firms may face significant financial penalties.

Ransomware attackers can shut down operations entirely, while demanding payment from their victims. This can seriously disrupt trade, lead to customer loss and ultimately destroy your businesses.

How to protect your business from cyberattacks

Cyberattackers will take advantages of the weak points in your systems. That could be anything from devices and software to people and passwords.

Not every cyber threat is down to an anonymous hacker remotely accessing your computers. Your employees can leak information – accidentally or maliciously – or your suppliers could pass on information about you and your working practices to a competitor.

Here are some of the key steps that every small business can take to protect their data and operations from cyber criminals.

  1. Take steps to improve password security

It’s important to ensure that all your accounts have different passwords. For instance, the password you use for social media must be separate to your email password. Any financial passwords should also be unique. Otherwise, a criminal who has access to one account, will also be able to access all the others.

It's particularly important to keep email passwords secure. If a hacker gets access to your email, they can access private business information that could be used in a scam. They may also be able to change the passwords on your other accounts by using the ‘forgot my password’ option. They can email people inside and outside your organisation, including your clients.

To keep your accounts secure, you should use strong passwords made up of three random words. Hackers find it more difficult to break passwords such as ‘dogbrightsquare’ than single words. Adding symbols, capital letters, and numbers to a password can make them even more secure. For instance Fairy!Saucepan?Jogging11 would be a very strong password.

You should never use any of the following in passwords:

  • Your partner’s name
  • Child’s name
  • Family member’s name
  • Pet’s name
  • Place of birth
  • Favourite holiday destination
  • Something related to your favourite sports team

If you have employees, you should make sure that you require strong email passwords from everyone, as your security is only as good as the weakest link.

If you or your employees struggle to remember lots of different passwords, try using password-managing tools. These remember passwords for you, and you access them using a two-step verification process, like the systems used by banks. You can also consider saving your passwords to your browser.

Many password managers allow you to synchronise your passwords across different devices, help spot fake websites, let you know if you’re re-using a password across multiple accounts, and even notify you if your password is used in a breach.

  1. Use two-factor authentication

Two factor authentication is when you must have to prove your identity via a second method after entering your password. For instance, you might be sent a code, or need to login into an authenticator app that provides one. When you enter the code, it proves you’re logging in, rather than someone who’s stolen your password.

Online banking typically has two-factor authentication turned on by default, but you can usually switch it on for emails and social media accounts. Two-factor authentication only takes minutes to set up, but can protect you from password breaches.

  1. Back up your data

Backing up important data helps your company to bounce back quickly in the event of a cyber-attack. Think about what data is essential to the running of your business and make sure it is regularly backed up. This could be documents, photos, emails, contacts and calendars.

Backing up everything to the cloud, and ensuring that your cloud storage has two-factor authentication switched on, is a great way to protect yourself from cybercriminals. Switch on automatic backups wherever possible, as this protects you from human error.

  1. Make sure devices are secure

One of the most important steps to keep phones, laptops, computers and tablets safe is to immediately download software updates when they become available. When software developers find security weaknesses, they build fixes into their updates. Downloading them helps to ensure that you have most up-to-date protection against hackers and viruses.

Eventually, manufacturers will stop providing updates for older devices or operating systems. If this happens, you should consider upgrading your systems and software to make sure you’re protected.

Check the Which? guide to anti-virus software to find out more about what’s available. The most effective software is not always the most well-known.

When you get new devices you should:

  • Switch on your firewall, and enable antivirus
  • Set up PIN code, password, fingerprint or face ID to access your device
  • Set devices to auto-lock after a period of inactivity

If your business has employees, ensure that everyone has these security devices installed and working.

You must only ever download software and apps from official stores, such as Google Play or Apple App Store. They scan software for viruses before making it available, which can help keep your devices safe.

If you need to download software from elsewhere, you should ensure it is legit. Things that can help include:

  • Researching the vendor and developer
  • Making sure that your browser is up to date
  • Check reviews
  • Put measures in place to prevent employees from downloading apps and software to office equipment

For more information on applying updates, refer to the NCSC's guidance on Vulnerability Management.

  1. Check for security issues

Phishing is a tactic widely used by hackers that allows them to insert viruses on to your systems, so they can access information more easily.

Typically, scammers send fake emails to thousands of people, asking for sensitive information or with links to bad websites. These emails are getting more sophisticated and harder to spot, meaning every business is at risk.

To avoid phishing attacks, you must ensure that you and your employees:

  • Are regularly trained on cyber security
  • Have the lowest level of user rights and access possible to do their jobs
  • Never browse the web or check emails from an account with administrator privileges
  • Use two-factor authentication on all important accounts
  • Follow safe password practices
  • Do not click on any links within unfamiliar emails
  • Do not offer up any information unless sure a source is legitimate
  • Check that email requests are legitimate by ringing up a company or individual using an independently sourced number
  • Know what do with unusual requests, and feel comfortable raising suspicions
  • Report all attacks

You can also use the National Protective Security Authority’s Digital Footprint Campaign to educate your employees about the information they share online.

  1. Train your employees

If you have employees, training them around cyber security and good password hygiene is really important for keeping your business safe.

  1. Control who has access to sensitive data

Ensure bank details or company information is password protected and restricted to those who need to have access.

You should also:

  • Train staff so they understand about data handling and the importance of cyber security.
  • Make sure lost or stolen devices can be tracked, locked or wiped.
  • Control how USB drives (and memory cards) can be used
  1. Access government training

The UK government provides free online training courses to help you and your staff protect against cyber threats.

Start with the Cyber Essentials scheme, which teaches you to increase and maintain cyber security throughout your business.

Other helpful resources include:

Cyber Essentials teaches you the technical measures you need to have in place to protect your business against the most common internet threats. A Cyber Essentials certificate shows customers you take security seriously and is a must when applying for government contracts.

For more courses and education, visit the government’s cyber security training for businesses page. This has a handy list of free e-learning courses that can help.

The introduction to Cyber Security  course was developed with the Open University and FutureLearn. It gives businesses a comprehensive introduction to cyber security. Study is around three hours per week and the course is eight weeks long.

  1. Put a plan in place to cover you if the worst were to happen

Imagine your IT systems went down – how would you be able to process orders, communicate with customers, issue invoices or carry on the rest of your working processes? If you had a data breach, who would you need to inform? Who would you call to get your IT working again? Thinking about these issues in advance will provide a valuable starting point if you are faced with a cyber breach.

The government has issued specific guidance on cyber security risk management for small businesses which can help with your planning.

Data protection laws

The UK Data Protection Act requires you to protect data you hold and process about your customers, suppliers and staff. This includes all personal information – names, addresses, salaries, bank details and any other information that could be used to identify individuals.

You must:

  • collect only the information you need for a specific purpose
  • keep it secure
  • ensure it is relevant and up to date
  • hold only as much as you need, and only for as long as you need it
  • allow the subject of the information to see it on request.

Your business can be fined if you fail to comply with these basic principles. For more information, the Information Commissioner’s Office has a guide for small businesses.

The cost of cyberbreaches

UK government figures show that around a third of businesses (32%) report having experienced any kind of cyber security breach or attack in the last 12 months. This accounts for approximately 462,000 businesses.

The single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,100. For medium and large businesses, this was approximately £4,960.

However, smaller businesses are just as vulnerable as larger companies – sometimes more so, as they won’t necessarily have the same level of resources dedicated to cyber security.

Several traders have already found this out the hard way. A 47-year old builder was horrified to discover that criminals had stolen his details to set up a bogus company and steal £50,000 from the Covid bail out scheme. Read the story here.

Another Blackburn-based firm faced demands of £3,000 from cyber criminals after a virus was used to encrypt over 12,000 files. Unable to decrypt the data, the company was forced to pay.

Richard Parris, Which? head of computing comments: ‘As a customer, it's hugely important to feel confident with the online security used by the companies you deal with by email or on their websites. Ultimately, you're giving them your business, and that means all the right protections need to be in place to ensure your personal and financial details will be taken care of securely. Traders that are victims of hackers and fail to respond swiftly and communicate well with their customer may find that their reputation is severely damaged and they ultimately lose business to competitors.’

What to do if you’re the victim of a cyberattack

Even the best-prepared organisation can be the victim of a cyber breach, particularly as hackers get more sophisticated.

If you are being attacked, the first thing you need to do is identify the breach.

The NCSC says the following are signs that you are or have been attacked:

  • computers running slowly
  • users being locked out of accounts
  • users being unable to access documents
  • messages demanding a ransom for the release of your files
  • people informing you of strange emails coming out of your domain
  • redirected internet searches
  • requests for unauthorised payments
  • unusual account activity

It adds that companies should answer the following ten questions to work out exactly what has happened. This will help you give the right information to your IT team who are trying to resolve the issue, and help you put measures in place to prevent an incident from reoccurring.

These are:

  1. What problem has been reported, and by who?
  2. What services, programs and/or hardware aren’t working?
  3. Are there any signs that data has been lost? For example, have you received ransom requests, or has your data been posted on the internet?
  4. What information (if any) has been disclosed to unauthorised parties, deleted or corrupted?
  5. Have your customers noticed any problems? Can they use your services?
  6. Who designed the affected system, and who maintains it?
  7. When did the problem occur or first come to your attention?
  8. What is the scope of the problem, what areas of the organisation are affected?
  9. Have there been any signs as to whether the problem has occurred internally within your organisation or externally through your supply chain?
  • What is the potential business impact of the incident?

Next run your antivirus software, to try and find out more information about the attack. If the programme finds nothing, consider using an alternative.

Once you have gathered any information, look for advice online from Action Fraud, police websites, and the government. If it’s a common problem, there may be guides on how to resolve it.

If your IT is managed externally, get in touch with your providers as quickly as possible. If you manage your IT internally, activate your incident plans.

This could involve things like:

  • replacing infected hardware
  • restoring services through backups
  • patching software
  • cleaning infected machines
  • changing passwords

You may wish to consult a cybersecurity specialist.

Communication is a crucial element in responding to any cyber-attack.

Depending on the nature of the incident, you may have a legal requirement to inform the Information Commissioner’s Office You can check the ICO website to see which incidents they require you to report.

You should also report the incident to the police via Action Fraud.

You must also communicate with all internal and external stakeholders – including your staff and customers. If customer data has been compromised, they need to know. Being transparent and communicative can make the difference between recovering your reputation and losing valued customers.

You may also want to seek legal advice, particularly if there is a significant impact on your customers.

If you have a cyber insurance policy, you should get in touch with your insurers quickly, so that you can get started on a claim.

Finally, after the incident, you should review everything that’s happened, learn from any mistakes made, and put policies in place to try and prevent the same thing from happening again. This should include a review of any actions taken during the incident.

Strengthen your defences where possible, for instance with better antivirus protections, or a new and more secure password policy.