It’s a not-so-fun fact for business owners that it’s a matter of “when”, not “if” a cyber security incident will hit their business. While a lot of business owners I talk to understand that shoring up their operations against digital criminals is important, it’s often in the too hard basket.
Let’s change that.
Here are our top tips for improving your security hygiene that you can get done in an afternoon (well almost), letting you go home tonight knowing you haven’t left the virtual front door open.
Know your starting point
Microsoft 365 users can access a handy tool called Microsoft Secure Score that puts the spotlight on the suitability of your current security setup. The lower your score, the more issues you’ll need to tackle to improve your security posture. The tool compares your business to others that are similar, offers recommendations for improving the security setup of your Microsoft identities, apps and devices, and gives you KPIs to track your improvement.
Bonus tip: Microsoft Secure Score is free for Microsoft 365 accounts.
Know if you’ve already been compromised
You might not spend time on the dark web, but cyber criminals do. It’s accessed via a private encrypted network (Tor is one example), and it gives users anonymity. It’s a breeding ground for illegal activity of all kinds and is where stolen data and information are traded and shared amongst criminals.
The most obvious indicator your data has been breached will be unusual activity with your email accounts, company finances, website, social accounts, or even intellectual property. Always keep a close eye on them.
Then conduct an audit to identify the business information that’s readily available from outside your organization: things like IP addresses, Domain Name System (DNS) records and name servers, the technologies and apps your team uses, key contacts, and other types of technical and business information that keep your business operational. There are tools you can use to do the audit yourself, or you can ask a third-party expert to run it for you. (BTW – we can help you with this.)
Once you’ve done the audit and identified any gaps, you should create a plan to close the gaps and reduce your exposed data. (Something else we can help you with.)
Implement simple data security hygiene
Employees are your best and worst first line of defense.
“The human factor is assumed to be the ultimate attack target in 99% of breaches. In a five-year study, researchers successfully penetrated 96% of the security systems across 1,000 banks using human psychology alone.”
- Harvard Business Review, 30 August 2021
To make sure your people are well set up to prevent cyber incidents, the trinity of good data hygiene for any business is:
Strong passwords
Good practice is to use passwords that are difficult to guess, include a mix of letters, numbers and symbols (e.g. *, !, #), and are different for every app you log into. (Check out our post on password management for more advice.)
Remembering lots of different passwords is a massive headache, so we recommend using an encrypted password management platform like LastPass that allows your team to generate, store and autofill passwords.
Bonus tip: LastPass offers a freemium version so you can trial it for free yourself before deciding if you want to roll it out more broadly. It’s also handy for families to protect joint accounts, unlock the kids’ iPad when they’ve forgotten the code etc.
Multi-factor authentication (MFA)
An additional layer on top of your username and password, where a code available on your mobile device via SMS or an authenticator app is required before you’re granted access. Authenticator apps are more secure than SMS, so we recommend the Microsoft and Google Authenticator apps, which are free in the Apple App Store and Google Play.
MFA is very common now, so you should activate it for as many of your business software applications as you can. If you’d like more information, this post explains it in detail, and our guide can walk you through how to get started.
Phishing awareness
Criminals are wily creatures that understand human psychology well. To the uninitiated, it can be difficult to tell a phishing email from an authentic one. Giving your staff the wherewithal to spot the difference, along with tips on MFA and passwords, could save you a lot of pain.
If you implement all these recommendations, then congratulations - you’ve now dramatically reduced your chance of being one of the 60% of businesses that stop operating within 6 months of a cyber-attack. Go ahead, give yourself an early mark!