The work environment has changed a lot over the last 10-20 years and most businesses will now conduct some, if not all, of their work online. To do this, businesses are likely to require access to the internet and they will have some kind of network, even if it’s a home wi-fi router. In order to protect your business, its finances and its data, it’s really important to think about the security of your network and the devices that you use, whether that is a desktop computer, a laptop or a mobile device.

Below we take a look at a few areas businesses should consider.

Network Security

Updates, patches and fixing vulnerabilities

Most cyber security incidents take place due to vulnerabilities within a network or system. Often, these vulnerabilities are publicly known and cybercriminals will search for these online, as soon as they become known, so they can exploit them. They don’t often target specific businesses and it’s therefore massively important for businesses of all sizes to install updates/patches as soon as practically possible, especially for any internet-facing systems. Having a good vulnerability management policy is essential.

For lots of businesses, enabling Automatic Updates for systems, software and apps is a great starting point.

Network Monitoring

Quite often, cybercriminals can have access to a network long before they disrupt a business. They use this time to scout for information and determine the best way to have the maximum impact. Spotting unusual activity on your network can help to prevent cyber-attacks and reduce the impact if one does take place. To be able to do this, it’s important that network activity is monitored, logged and actively reviewed in a timely manner.

Identity and Access Management

It’s essential that your business is able to identify anyone accessing your network and systems, ensuring that each user account only has permissions for the information that user needs for their role. Every business should have well-documented access management policies, and multi-factor authentication should be considered for all users.

If you only have one computer/system, it's still a good idea to set up a user account that is not an administrator, restricting its system privileges, and then use this for your regular business. If anyone does then gain access to it whilst you are logged in, they will not be able to run administrator tasks such as installing software.

Physical Security

Physical security is often overlooked when it comes to protecting your network and devices, but it can be just as important as the other areas discussed above. If you have physical infrastructure, you should think about how it is secured and who has access to it. Consider installing physical barriers (e.g. access cards) and CCTV.

Router/Wi-Fi Security

Many businesses will use a router in order to access the internet and it’s therefore really important that the default password associated with the admin account is changed to a strong, unique password.

Downloading & File Sharing

Businesses should think about the types of files that the employees need access to and where these files will be obtained from. Cybercriminals often use file sharing sites to circumvent

Protect your network

  • Update systems as soon as possible and have a clear documented vulnerability management policy
  • Identify all network access requests, verify and authenticate
  • Actively monitor your network, log activity and review
  • Restrict certain file types – for example, don’t allow users to run .exe files

Protecting your Devices

Anti-Virus Software

Antivirus (AV) software is used to detect and treat threats to your systems such as malicious software (malware). AV should be seen as just one part of your business’s protection and, just like your systems, AV software should also be updated on a regular basis with the latest virus definitions. There are many different AV products on the market and you will need to review which one is right for your business, taking into account the types of devices you use and the operating systems they run on.

Device Management

It’s important that your business has a clear view of what devices are in use, what operating systems they run on, the software/apps installed and whether they require updating. As with everything else on this page, keeping everything updated is key to protecting your business from vulnerabilities. A device management policy should be in place to detail things like how devices should be configured, monitored and erased should they become lost, stolen or infected with malware. A good policy should also cover how software will be managed and how devices will be disposed of at the end of their life cycle.

Virtual Private Networks

Virtual Private Networks (VPNs) encrypt information when it’s transferred from A to B. Having all staff log in to a VPN when connecting to your network not only protects your business data, but also provides another layer of protection and can be used to monitor and filter network traffic.

VPNs are particularly important when staff are working remotely or on the move, as they can protect against insecure public wi-fi.

Staff education and strong passwords

Staff education is one of the most cost-effective ways of protecting your business. Ensuring your staff know how to use their devices securely and the risks involved is essential. Some of the key things staff should be aware of when using devices for work purposes are:

  • Using strong, unique passwords and PINs for all devices and online accounts
  • Keeping passwords and PINs secure by not writing them down or storing them within unsecure notes on the device. Password manager software is available which can help with this.
  • Making sure devices are locked when not in use and switched off completely if they are not going to be used shortly
  • Only using software from verified sources and genuine app stores. Third-party stores, websites and software downloaded through email links should be avoided as there is an increased risk of malicious applications being downloaded.
  • How to report lost or stolen devices - all employees should be clear on how to do this and that they should do this immediately.

Protect your devices

  • Keep all devices, operating systems, apps and software as up to date as possible
  • Ensure all staff use strong, unique passwords for all devices and set company password policies where possible
  • Educate your staff – make sure everyone is aware of how important their device is and what steps they should take to protect it
  • Manage the way devices connect to your business, making sure the connection is secure, you know who is connecting and that they are authenticated.

Bring your own device and Remote Working

Bring your own device (BYOD) is where businesses allow their employees to use their own personal devices for work purposes. It’s an attractive option for businesses as it can reduce some costs and allows flexibility; however, there are several risks. If your business has a BYOD policy, you need to make sure the devices used by employees meet your company’s device policy, are compatible with your existing infrastructure and that you have technical controls in place to protect your business’s data and prevent data leakage.

In addition to the devices, other risks are increased when remote working, particularly around data leakage. It’s recommended that all devices/business information is encrypted when it is not in use and that staff know how to report problems. Businesses will also need to trust their staff and an employee vetting programme should be in place if the business does not already have one.

Incident Management

All companies should have an incident management policy, ensuring everyone in the business knows how to report incidents both internally and externally.

Further Resources

NCSC – The National Cyber Security Centre is a great resource, and more detailed guidance on the above can be found on its dedicated pages.

Get Safe Online – A leading UK internet safety website covering both business and personal use.