So you’re a small or micro business and worried about cyber security
We see examples of failures in cyber security every day, frequently from organisations that should know better, such as this failure at the US Department of Defense:
They should be doing a lot better. So what can a small or micro business do?
Secure the cloud! Secure the endpoints!
- Use reputable cloud services rather than anything on premises, and make two-factor authentication mandatory for everyone.
- Have everyone use a password manager.
- Ensure all laptops and other devices run modern operating systems (iOS devices and Chromebooks are notably hard to hack), are kept up to date, and run antivirus.
- Make sure you know who has access to which services, and that you can easily remove that access when necessary.
- Review all of this periodically to ensure your standards don’t slip.
Luckily, a lot. It’s actually easier for a small business to do a good job of cyber security, especially with such a proliferation of excellent ‘cloud’ services available for you to use.
So let’s start with that point – even large organisations with lots of resource do a poor job of implementing architectures securely on premises. Office 365 (Microsoft’s online version of its Office suite) is now hugely popular amongst small and large businesses alike. And there are a myriad of other online services to choose from, whatever your requirement: Google (for email, storage and a host of other things), Dropbox, Amazon, Slack, GitHub etc.
The good news is that these reputable companies that provide online services take security very seriously, and likely have much more money to spend on implementing robust services than you do in-house. So if you need an office suite you really can’t go far wrong with O365 or Google.
So what should you look for in any kind of online service provider? All of the large players take security seriously, but a few things to check for:
- Do they have a security policy or FAQ published?
- Are they compliant with a recognised security standards regime (e.g. ISO 27001) and can they show you the certificate or audit report?
- Do they offer two-factor authentication? (I would advise against using a service that doesn’t unless you have no other options.)
In short, if you can avoid doing it on premise, do so.
So if your infrastructure is all in the cloud, that leaves endpoints (security speak for laptops, smartphones and so forth). If you want to be really hard to hack, outfit everyone with iPads (expensive) or Chromebooks (less expensive). Both families of devices are notably hard to hack, and a company with Chromebooks/iPads using O365 with two-factor authentication turned on is going to be a pretty tough nut to crack for any hacking group. The downside is that these devices might not provide the functionality and services that your staff need or are used to, although I suspect that both Google and Apple would insist they are pretty close.
Realistic alternatives are MacBooks or Windows devices. Both have their pros and cons, and it is not true that MacBooks are impenetrable fortresses of security. Whichever you choose, keep them up to date, and that includes the operating system version: don’t languish on Windows 7 or 8. Windows 10 is robust with lots of security features. Antivirus is a good idea for both Windows and Macs (while there is generally less malicious software around targeting Macs, they are not magically immune). Macs (FileVault) and Windows (BitLocker, on Pro and Enterprise editions; Home editions only get a more limited ‘device encryption’ on supported hardware) provide full disk encryption as a built-in service – make sure it is turned on, and do the same with the built-in software firewall. Hold mobile devices to similar standards – they must be up to date and protected by a password, passcode or biometrics.
If you allow staff to use their own devices for work purposes, ensure they meet the same standards. I would also strongly recommend you require everyone to use a password manager such as 1Password or LastPass. These generate and securely store passwords, taking away the problem of remembering hundreds of random strings. Whatever clever scheme you have thought up to create passwords, it will not be as good as the random passwords a password manager generates for you. Additionally, unique passwords for every account are really important – password managers make this easy too, and they mean that one breached service does not hand an attacker the keys to all the others.
Finally, you need to keep track of staff joining and leaving and make sure you know which of all your fancy, secure cloud services they have access to. Now if you’re very small, that is pretty easy, but I would still recommend having a process. It embeds good practice early on, and even with small companies it’s possible to forget you shared a folder for a particular project with Contractor X or Company Y, and hence never rescind access. If you’re a very small business, a spreadsheet and leg work is fine for this: record who was given access to what, when, and (for contractors and partners) when it should end. As you get larger you should look at a technology solution. Azure Active Directory (the identity service behind Office 365, part of Microsoft’s cloud) can do this for you, and will integrate with lots of other online services, giving you centralised user management; there are other players in this space too, such as Okta (okta.com).
Finally, finally, have a review process to ensure that once you have done all of this, it stays done. Check periodically that all devices are up to date, have AV installed and the firewall turned on, and that the access register still matches who actually works for you.
In terms of proving you’re secure if asked, having processes to manage all the above, and being able to provide evidence of them, will go a long way. If you’re a UK company you can look at getting “Cyber Essentials” certification (https://www.cyberessentials.ncsc.gov.uk), a not-onerous standard from the UK government aimed primarily at small organisations. The baseline certification requirements are easy to meet (following the recommendations here will cover it), and inexpensive to obtain.
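The “spreadsheet and leg work” access register, and the periodic review of it, can be made mechanical even before you buy an identity product. The script below is an added example written for this post, not code from the original article or from any of the services named in it. It assumes a hypothetical CSV register with the columns person, service, resource, granted and expires (a blank expiry meaning open-ended), a set of current staff, a set of leavers, and a set of approved externals such as contractors; all the people, services and dates in it are constructed sample data.

```python
"""Review an access register and list entries that should be revoked.

Added example for this post (not from the original article). The register
format, the people and the services are all hypothetical sample data.
"""
import csv
import io
from datetime import date

# Constructed sample register: who was given access to what, and when it
# should end. A blank 'expires' means the access is open-ended.
REGISTER_CSV = """person,service,resource,granted,expires
alice,O365,mailbox,2021-01-04,
bob,O365,mailbox,2021-02-01,
bob,Github,client-portal repo,2021-02-01,
carol,Slack,workspace,2021-03-01,
contractor-x,Dropbox,Project Falcon folder,2021-03-15,2021-06-30
company-y,Github,client-portal repo,2021-05-01,2021-12-31
dave,Slack,workspace,2021-07-10,
"""

# Hypothetical joiners/leavers state at the time of the review.
STAFF = {"alice", "bob", "carol"}          # everyone who has ever been on payroll here
LEAVERS = {"bob"}                          # staff who have left
APPROVED_EXTERNALS = {"contractor-x", "company-y"}  # externals we knowingly granted access


def load_register(text):
    """Parse the CSV register; convert the expiry column to a date or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["expires"] = date.fromisoformat(row["expires"]) if row["expires"] else None
        rows.append(row)
    return rows


def find_stale_access(rows, staff, leavers, externals, today):
    """Return (person, service, resource, reason) for every entry to revoke.

    An entry is flagged if the holder has left, if its expiry date has passed,
    or if the holder is neither current staff nor an approved external
    (i.e. nobody can say why they have access).
    """
    findings = []
    for r in rows:
        who = r["person"]
        if who in leavers:
            reason = "leaver still has access"
        elif r["expires"] is not None and r["expires"] < today:
            reason = f"access expired on {r['expires'].isoformat()}"
        elif who not in staff and who not in externals:
            reason = "holder is not current staff or an approved external"
        else:
            continue  # current staff or external, within its agreed lifetime
        findings.append((who, r["service"], r["resource"], reason))
    return findings


def review_register(text, staff, leavers, externals, today_iso):
    """Convenience wrapper: run the review with the review date as an ISO string."""
    rows = load_register(text)
    return find_stale_access(rows, staff, leavers, externals, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Run the review as of a fixed (constructed) date so the output is reproducible.
    for who, service, resource, reason in review_register(
        REGISTER_CSV, STAFF, LEAVERS, APPROVED_EXTERNALS, "2021-09-01"
    ):
        print(f"REVOKE {who} on {service} ({resource}): {reason}")
```

Run it as part of the periodic review (and on the day someone leaves) and work through the REVOKE lines in each service’s admin console. The three reasons map onto the three ways access goes stale in practice: a leaver nobody off-boarded, a contractor whose engagement ended, and a share granted to someone who was never written down.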
Thanks for reading