Take stock of the data you routinely gather and accumulate – both analogue and digital. Retain only the information you actually use or are required to hold by law. Shred old paper files, physically destroy old hard drives, wipe portable devices, remove and destroy memory and SIM cards.

• With more of our communication and transactions stored online, access has serious security risks, so a strong password policy is essential. Some best practise policy guidelines include:
  • Passwords must be at least 8 characters long
  • Should not contain any personal information (real name, username, company name)
  • Must be very different from previous passwords
  • Do not use any complete, correctly spelled words
  • Use uppercase and lowercase letters, numbers and characters.
• It is essential to communicate this to your teams, check it regularly and support members who may need further guidance.
• Click here for our password protection FAQ.

Only give administrator privileges to those who need them to reduce the risk of cybercriminals getting access to your systems. It’s tempting to allow access to systems and software to anyone in your business who requests it, allowing them to do their job. But each new person in the loop brings additional security risks as any compromised device they have may now give access to any other system or software they log into. By limiting access and making a finite number of administrators responsible for certain systems you limit this risk – especially as there is also a risk of internal espionage/sabotage if employees become disgruntled and seek revenge later in their careers. Another way to tackle this is by regular changing of passwords

Even with limited access, you should still train every employee in safe computing practices.

• Many companies encourage the use of personal devices, especially so the business does not have to spend on and support devices. But this has its own set of dangers as individuals’ devices and behaviours are harder to monitor and control. This is an issue if they are accessing sensitive data as well as downloading suspicious apps and attachments without protection.
• Here are some basic steps to building a BYOD policy:
  • Define:
    • which web browsers should employees use
    • which security tools you recommend
    • what level of support your IT team provides
  • All employees should sign up to your BYOD policy explaining their rights and responsibilities, and allowing you to remotely wipe and monitor the device if needed.
  • Find a good Mobile Device Management solution to help you manage the data and devices.
  • Offer BYOD to the employees who will get the most benefit and return out of it. It doesn’t have to be company-wide if you don’t need it to be.
  • Build a secure network. If your network is secure to begin with, it becomes much harder to hack. Limit remote access to your network and data: give permission on a need-to-know basis and only to relevant data, at the appropriate time.
  • Include and implement your password policy [see above].
  • Encrypt your data using cloud-based services to store data and back it up.
• Click here for more information on BYOD policies for SMBs.

It is important to know what your legal obligations, especially when to notify customers about a breach.

• Consult with a specialist law firm to ensure your internal policies and procedures are compliant, as regulations change and case law evolves.
• Budget for a yearly review of your policies.
• Educate employees on data security policies and procedures.
• If your country/state/region has regulations (e.g. GDPR for businesses operating in Europe), comply with required training and education.

• Many companies don’t have official guidelines on what employees and business owners should do in case of cyberattacks or data loss.
• In addition to a Data Breach Notification Policy, create an internal incident response plan for dealing with breaches and post-breach notification. Identify what staff should do if they suspect they are subject to an attack or breach. Define who will be responsible for liaising with customers, communicating with employees as well as ensuring that the breach has been fixed.
• Consider including the following content in your response plan:
  • If you detect a breach, fight the urge to panic and, whatever else you do, do not even think of ignoring the incident.
  • Gather all the facts of the incident – is a breach confirmed, suspected, or potential?
  • Notify relevant financial institutions, starting with the bank or company that manages your credit card or other online payment processing.
  • Notify your data breach insurance carrier.
  • If your insurance carrier does not furnish legal counsel, secure outside qualified legal assistance to help identify what laws may be involved and whether the incident warrants or requires consumer and/or government notification.
  • Notify affected customers in accordance with the terms of your Data Breach Notification Policy.
  • Ensure that you have fully addressed the breach itself so that no more data is being lost and no more data is at risk. If necessary, consult with a cyber security expert.

• Many businesses hold vast amounts of sensitive, private and personal data suppliers, employees, customers and other groups. As such, theft or unauthorised disclosure of even non-confidential this data can cause real damage to individuals and companies alike. It is therefore important to create a Data Breach Notification policy and issue it to all your customers, telling them how your business will notify them should a data breach occur.
• In it you should address:
  • The scope of the policy – what does the policy cover?
  • Define the data – what data does it cover?
  • Define your reconciling goals – what are your goals as relating to compliance and risk management? And what work are you doing to achieve these?
  • Statutory reporting obligations – explain what you are obligated to report and when.

• This is a much-overlooked area of cyber security and risk reduction. Many organisations with poor security put their partners at risk. This can happen through shared systems that become breached or weak third-party email systems that allow phishing/social engineering emails. While your partners may put you at risk, if you are found to have been the source/cause of a data breach at another company, you can be held responsible and liable for damages. Vendors, in particular, have been implicated in at least a third of serious data security incidents.
• It is therefore essential to work closely with all third parties to ensure proper security procedures are employed after data leaves your immediate control.

• You are only as strong as your weakest link, so it is essential to educate employees on the risks to small business, data security policies and procedures and the need for strong passwords.
• Do not just instruct your staff, inspire and empower them. Educating employees about security is an opportunity to make everyone feel like a member of a team on which the welfare of one is the welfare of all. By educating your employees, equipping them with the knowledge and tools to stay protected, and communicating that they have an important role in protecting themselves and the company, they are more likely to act responsibly and with the care, caution and attention needed to avoid cyberattacks.

Determine which member(s) of staff should be trusted with administrator privileges (the level of access that allows the installation of new software and the changing of configuration settings). By limiting such privileges to the smallest number possible, businesses can reduce the risk of individuals who might – accidentally or purposely – upload malicious software, configure a system to reduce its security or compromise the security of the system itself.

As part of your training programme, inform employees about the dangers of accessing cloud-stored data through unsecured wireless networks in public places such as airports and cafes.

• Create crystal-clear policies on the use of laptops, tablets and mobile devices outside of the office.
• Restrict the use of flash drives and other portable storage devices. Stolen portable devices are a leading cause of critical data breaches. For employees who travel, provide laptops or tablets loaded with the bare minimum of data-if any at all. Employees can access needed data files in the cloud, without having to download or retain anything.

Ensure your staff accept all software updates when prompted. Many staff see software updates as an irritation, especially when the reasons for updates aren’t known. Many software updates – especially endpoint protection – will include security patches that help keep your machines protected against new and emerging threats. By denying updates, your employees may be opening up the business to the latest cyberattack methods.

It may sound obvious, but it is essential to ensure that every device in your business is running the latest available operating system versions. A key vulnerability to 2017’s WannaCry ransomware attack was old versions of Windows. As app and software developers react to emerging and existing cyberthreats, devices running old versions of software may not be included in essential updates and become vulnerable to attack.

Install firewalls, antivirus, and anti-spyware programs on all devices in your business and configure them to automatically update. Antivirus software is the best defence against cybercrime and data breaches as software developers such as AVG Business have large teams of threat trackers who spend their lives detecting new threats, creating solutions and rolling them out to their customers’ devices t keep them protected. In buying antivirus, businesses not only buy software, but they are also buying a team of experts to continually keep them and their data secure.

Though mentioned in two of the above points, it is essential to configure any software to update automatically, where possible. This is to ensure that security patches are up to date and all aspects of your business remain protected as new threats emerge. All it takes is a cybercriminal to find one weakness in one piece of out-of-date software on an employee’s computer to compromise the whole network.

Ensure your provider offers virus and phishing scans of your emails. Email remains a key point of entry for cybercriminals – especially ever-complex social engineering scams that can involve criminals pretending to be trusted sources and attaching viruses that look like PDFs or other files.

Make sure that all your servers, hard drives and data storage devices are encrypted. As well as encrypting certain critical hardware encrypt key folders and files on devices. Use strong passwords to support encryption protection – your encryption isn’t worth much if access to the password is readily available!