A cyber attack can be devastating for a business, with loss of data and finances, disruption to services and damage to reputation.
Cyber criminals look for gaps in your business' IT security to gain access to sensitive data, like customer email addresses or bank details, for their own gain. They will try to exploit you and your employees through 'phishing' emails and fake 'smishing' text messages, and they may try to get access to business devices that store and transmit sensitive information, such as laptops and mobile phones, through hacking, theft or 'insider' attacks.
There are ways to make your business more secure: using stronger passwords, providing training for employees and checking the security settings of your Internet connection.
Pocket Guide to A Cyber Secure Business
Read our collection of practical steps to help you secure your business devices and networks from being hacked and accessed by unauthorised individuals.
Below we have detailed some additional information you can use with the Pocket Guide.
The physical security of your business’ IT hardware and devices is important - anything that isn't stored securely can attract cyber criminals who could steal data or install dangerous software to gain further access into your business network.
Think about who visits or uses your building - contractors, maintenance workers, members of the public and your employees - any of those individuals could get access to key areas of the workplace where you store devices or network equipment (like cables, routers etc.).
Protect your business from loss, theft, and tampering with these steps:
- Secure hardware assets from theft. Use a device lock (a physical cable, like a bicycle lock) to keep computers, laptops and similar equipment secured to a desk.
- Separate public spaces from office areas or server rooms by using access control systems such as key fobs on security doors to prevent unauthorised access.
- Ensure network cabling and business devices are secure and cannot be accessed by unauthorised users. Disable or disconnect unused network sockets so that an unknown device cannot simply be plugged into a live network port.
- Record what hardware assets your business owns and carry out regular checks on this.
- Use device encryption, especially on mobile devices, e.g. Windows BitLocker or FileVault on macOS. If a device is lost or stolen, the data on it stays protected, provided the device was locked or powered off and is protected by a strong PIN or password.
- Turn on device location services so that a missing device can be located. Instructions for the most popular operating systems can be found here: Android / Apple / Windows
- Dispose of devices and hardware securely, ensuring that the data on them is securely wiped first. The National Cyber Security Centre (NCSC) has published guidance on acquiring, managing and disposing of network equipment, as well as on secure sanitisation of storage media.
IT hardware such as firewalls, routers, servers and network switches needs to be securely set up and connected to help defend against cyber attacks. Here are some ways you can do this:
- Change the default username and password on the Internet Service Provider's modem and on other network devices such as routers and switches. Cyber criminals will try lists of known default usernames and passwords, such as "admin" and "password", to gain access to your network; the defaults for most models are published online, so anyone who can reach a device's login page can look them up.
- The following are a sample of Internet Service Providers’ help articles on how to change the default login account details for common devices: BT / Vodafone / Sky / Talk Talk / Virgin Media
- Be aware of what is connected to your wired network and Wi-Fi access points, and restrict which devices can connect so that unapproved devices are refused. MAC 'address allow or deny' lists let only specific devices join the network; note that a MAC address is easy to spoof, so treat this as a barrier against casual or accidental connections rather than a control that will stop a determined attacker.
- Consider using an IDS or IPS. An Intrusion Detection System (IDS) analyses network traffic for patterns that match known attacks; an Intrusion Prevention System (IPS) can also block an active attack. Some business and enterprise grade routers have these features built in; once enabled they generate alerts when malicious activity is detected and, in the case of an IPS, automatically take steps to protect the network.
- Monitor your systems and networks through 'logging'. Logging software lets you store and review logs for unusual activity that could indicate an attack, such as repeated failed logins from one address. The same records are what an incident investigation team will need should you ever require one. Take a look at the NCSC's Introduction to logging article, and their free software Logging Made Easy.
Wi-Fi needs to be set up securely to protect the data that is transmitted across it from being accessed by someone who shouldn’t be able to see it.
- Use WPA2 (with AES/CCMP) or WPA3 as your network encryption; do not use WEP or the original WPA (TKIP), both of which are broken. Never set your Wi-Fi network to 'Open', as this would give anyone in range access to your network.
- Change your network name (SSID) so that it does not contain your Internet Service Provider's name or the router's make and model; otherwise cyber criminals can guess what hardware you have and look for known vulnerabilities in it.
- Change the default Wi-Fi password to a strong one and only share it with employees. Change it again whenever someone who knew it leaves the business, or if you suspect it has been shared more widely, so that only authorised users keep access.
- If your business offers free public Wi-Fi, it must be separated from your corporate Wi-Fi network. Check whether your wireless access point offers a pre-configured guest network that can be used for this.
- Set up smart devices (cameras, printers, smart TVs and similar) on a separate VLAN or guest network so that they are kept apart from devices (like PCs and laptops) that store private data. An attacker who compromises a smart device then has no direct route onto the main network where sensitive data is held and transmitted.
Anti-Virus and Firewalls
A firewall acts as a buffer zone between your network and the Internet and helps protect your network from external threats. Any device used by employees (also called an 'end user device') should also run firewall software, which may come as part of an anti-virus package or with the operating system as standard, as on macOS and Windows. You should also protect devices from malware (malicious software, including viruses) by installing anti-virus software.
- Install an anti-virus package to secure all devices in your organisation.
- Choose an anti-virus package with built-in firewall.
- Using the firewall included on your ISP’s router is a good start and will provide a basic level of protection if you turn it on. You could install a dedicated network firewall for more advanced protection and to give you more options.
- Enable automatic updates on your anti-virus software so you are protected against the latest threats.
- Only download software made by reputable companies from trusted sources.
Using strong, secure passwords is the most basic way to secure online user accounts. Strong passwords make it much harder for an attacker to guess or crack a password and gain access to accounts and services.
- Set up a password policy and make sure everyone in your organisation is aware of it.
- Require strong passwords, check new passwords against a list of commonly used ones so that easily guessed passwords cannot be chosen, and lock accounts (or throttle further attempts) after a small number of failed attempts.
- Require employees to press Ctrl+Alt+Del to log in to a PC. Windows reserves this key combination for itself, so it ensures the genuine Windows sign-in screen is in use rather than a fake one that captures passwords.
- Encourage employees not to reuse passwords across multiple accounts; if a reused password is compromised, every account that uses it is at risk.
- Store passwords in a web browser's password manager or in a password manager app, rather than writing them down or reusing them.
- Use two-factor authentication (2FA) where possible. This adds a second layer of protection that will prevent unauthorised access even if a cyber criminal manages to obtain someone's password.
- There are many ways to secure mobile devices, e.g. with passwords, PIN locks, pattern locks, and fingerprint or facial recognition.
- For more information on secure passwords, see the NCSC’s guidance on password administration.
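The policy points above (a deny-list of common passwords, a minimum length, no passwords containing the company name, and a lockout after a few failures) can be checked in code. The following is an added example written for this page, not software from the NCSC or any product; the deny-list, the user records and the iteration count are constructed for the example, and the `LoginGuard` takes the current time as a parameter so that the lockout can be tested without waiting.

```python
"""Added example: enforcing a password policy and a failed-attempt lockout,
as the guide recommends. Passwords are stored as salted PBKDF2 hashes, never
in plain text. The deny-list and user records are constructed for the example."""
import hashlib
import hmac
import os

# A handful of entries; a real deny-list (e.g. one built from leaked-password
# data) has millions of entries and lives outside the code.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein",
                    "admin", "welcome1", "iloveyou"}


def check_password_policy(candidate, min_length=12, context_words=()):
    """Return the reasons a password is unacceptable; an empty list means OK."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password deny-list")
    for word in context_words:  # e.g. the company name or the username
        if word.lower() in candidate.lower():
            reasons.append(f"contains '{word}'")
    return reasons


def hash_password(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the random salt stops identical passwords
    producing identical hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


class LoginGuard:
    """Locks an account for lockout_seconds after max_failures wrong passwords."""

    def __init__(self, users, max_failures=5, lockout_seconds=900):
        self.users = users            # username -> hash_password() record
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}
        self.locked_until = {}
        # Unknown usernames are checked against this dummy record so that the
        # response time does not reveal which accounts exist.
        self._dummy = hash_password(os.urandom(16).hex())

    def attempt(self, username, password, now):
        """Returns 'ok', 'fail' or 'locked'. `now` is a Unix timestamp."""
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = self.users.get(username, self._dummy)
        if verify_password(password, record) and username in self.users:
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.failures[username] = 0
            self.locked_until[username] = now + self.lockout_seconds
            return "locked"
        return "fail"
```

A correct password presented while the account is locked is still refused, which is the point of the lockout: it limits how many guesses an attacker gets, so a shorter password (with the deny-list check) is acceptable where lockout or throttling is in place.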
Hardware and Software
Hardware and software must be kept up to date so that it's not vulnerable to attack. Maintaining a hardware and software asset list will make it easier to know what needs to be reviewed, updated or replaced.
- Enable automatic updating of operating systems, apps, and anti-virus software packages. This means you will be better protected against newly discovered vulnerabilities.
- Only purchase and download software from reputable and trusted sources such as official app stores. This reduces the risk of downloading software that contains malware.
- Networking hardware and equipment also run software called 'firmware'. Keep firmware up to date on all connected devices by enabling automatic updates where available, and plan to replace equipment that no longer receives firmware updates.
The following links have guidance on how to update the software on the most popular operating systems:
Secure Set Up
Many of your employees will have login details to access devices such as PCs, laptops, printers, tablets and mobile phones. It’s important that these are set up to prevent accidental or intentional misuse, such as installing dangerous software or stealing confidential data.
- Disable 'auto-run' on removable media (e.g. USB flash drives) and ensure anti-virus software automatically scans media when it is connected by an authorised user. This prevents potentially harmful software on these devices from running automatically.
- Disable USB ports for all users unless required for business purposes. This will prevent users from plugging in and using unauthorised devices such as flash memory sticks.
- Set up inactivity time-outs on user accounts so the device goes back to the login screen (10 mins or less). This will reduce the risk of a device being used by an unauthorised person.
- Limit the authority users have to install software as this will help prevent the installation of malware.
- Employ web content filtering so that insecure or malicious websites cannot be visited.
Controlling and limiting what employees can and can't do on your devices is an important step in reducing the risks to your organisation's data and controlling who can access it.
The following tips can be used to better secure access to your systems and devices:
- Manage user identities and access centrally, for example with Active Directory. This helps to limit the damage that can be caused should an account be compromised or abused.
- Restrict system functionality to the minimum needed for business operation (principle of least privilege). Staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role.
- Limit the number of administrator accounts and ensure that these are not used for daily work such as Internet and email access etc. Administrators should have a separate account for daily use.
- Have processes in place to manage user accounts from creation, through to deletion when a member of staff leaves for example. Temporary accounts should be removed or suspended when no longer required.
- Keep audit logs to monitor and record system access for later review. These should only be accessible to approved system administrators and should be stored separately from the systems they record (for example, forwarded to a dedicated log server), so that an attacker who compromises a system cannot quietly alter them. The logs can reveal things like an account being used outside of business hours.
- Users should be aware of an acceptable use policy, and also be aware of procedures to report lost or stolen devices.
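The logging advice earlier on this page and the audit-log point above both come down to reviewing records for patterns such as repeated failed logins or access outside business hours. The script below is an added example of that review, written for this page rather than taken from the NCSC's Logging Made Easy or any other product. The log format and the sample lines are constructed (real systems have their own formats, such as Windows events 4624/4625 or Linux auth.log, and only the parser would change); business hours of 08:00 to 18:00 on weekdays are an assumption.

```python
"""Added example: scanning authentication logs for two of the patterns the
guide says to look for, a burst of failed logins from one address and a
successful login outside business hours. The log format is constructed for
this example."""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log. 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_LOG = """\
2024-03-04T09:15:02 LOGIN_OK user=alice src=10.0.0.21
2024-03-04T09:16:40 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-04T09:16:41 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-04T09:16:43 LOGIN_FAIL user=administrator src=203.0.113.7
2024-03-04T09:16:44 LOGIN_FAIL user=root src=203.0.113.7
2024-03-04T09:16:46 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-04T09:20:10 LOGIN_FAIL user=bob src=10.0.0.33
2024-03-04T12:30:00 LOGIN_OK user=bob src=10.0.0.33
2024-03-04T23:41:17 LOGIN_OK user=alice src=198.51.100.9
2024-03-09T10:05:00 LOGIN_OK user=carol src=10.0.0.40
this line is garbage and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<result>LOGIN_OK|LOGIN_FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {src: most failures seen within any window_seconds span} for
    sources that reach the threshold. A sliding window over the sorted
    timestamps keeps this linear in the number of failures per source."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "LOGIN_FAIL":
            failures[ev["src"]].append(ev["ts"])
    hits = {}
    for src, stamps in failures.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = best
    return hits


def find_out_of_hours(events, day_start=time(8, 0), day_end=time(18, 0)):
    """Successful logins outside day_start-day_end on a weekday, or at any
    time on a weekend. Returns (user, src, timestamp) tuples in log order."""
    hits = []
    for ev in events:
        if ev["result"] != "LOGIN_OK":
            continue
        ts = ev["ts"]
        weekend = ts.weekday() >= 5
        if weekend or not (day_start <= ts.time() < day_end):
            hits.append((ev["user"], ev["src"], ts.isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, n in find_bruteforce(evs).items():
        print(f"possible password guessing: {n} failures from {src} within 60s")
    for user, src, when in find_out_of_hours(evs):
        print(f"out-of-hours login: {user} from {src} at {when}")
```

On the sample, the five failures from 203.0.113.7 in six seconds (cycling through "admin", "administrator" and "root", which is what guessing of default accounts looks like) are reported, bob's single mistyped password is not, and the two successful logins at 23:41 and on a Saturday are listed for someone to confirm with the users concerned.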
Social engineering techniques are often used against businesses to install malware, steal money or extract data. Any individual or team within your business that has a high profile or regularly processes confidential personal or financial data is more likely to be targeted. Phishing emails and smishing text messages are two common examples.
All employees and senior managers should be aware of how these attacks work, and what phishing emails and smishing text messages look like.
- Be wary of emails and text messages that appear to be from reputable sources. Reputable organisations and the government will not ask you for passwords, PINs or full bank details in an email or text message.
- Avoid clicking on unknown or suspicious website links - they could direct you to a malicious website. Don't download unknown attachments - these could contain malware.
- Your suppliers or contractors could have fallen victim to a cyber attack and their accounts could be used to target you. Be vigilant if you are asked to change payment details or processes, or are urged to send a payment quickly, and confirm any such request using a phone number you already hold rather than one given in the message.
- Encourage employees to report suspicious emails or texts by setting up a formal internal process for doing so.
- Consider training and awareness for employees, e.g. by using the NCSC's free user awareness and employee training.
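Several of the signs described above can be checked automatically before a message reaches a reader: a Reply-To address that goes somewhere other than the sender, a link whose visible text shows one site while it really points to another, a sender or link domain that is a lookalike of one you deal with, and urgent wording. The script below is an added example of those checks written for this page; it is not an NCSC tool or any product's filter. The two messages, the 'protected' domain list and the urgency word list are constructed for the example, and a real deployment would use a far larger lookalike list and proper HTML parsing.

```python
"""Added example: picking out common phishing indicators from a raw email
using only the Python standard library. The messages, the protected-domain
list and the urgency word list are constructed for the example."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the business genuinely deals with (an assumption for the example).
PROTECTED_DOMAINS = {"acmebank.example", "ourcompany.example"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "verify your account")
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

# A constructed phishing message: lookalike sender ("acrnebank" for "acmebank"),
# a Reply-To elsewhere, a link whose text differs from its target, and urgency.
PHISH = """\
From: "Acme Bank Security" <alerts@acrnebank.example>
Reply-To: refunds@mail-acme.example
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>Please sign in <a href="http://acrnebank.example/login">https://acmebank.example/login</a>
within 24 hours.</p>
"""

# A constructed genuine message for comparison.
GENUINE = """\
From: Acme Bank <statements@acmebank.example>
Subject: Your March statement is ready
Content-Type: text/html; charset="utf-8"

<p>Your statement is available at <a href="https://acmebank.example/statements">https://acmebank.example/statements</a>.</p>
"""


def domain_of(address):
    """'Acme <x@Example.com>' -> 'example.com'; '' for no address."""
    return parseaddr(str(address))[1].rsplit("@", 1)[-1].lower()


def host_of(url_or_text):
    """Host part of a URL; text that is not URL-like returns ''."""
    s = url_or_text.strip()
    if "://" not in s:
        if not s.lower().startswith("www."):
            return ""
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def levenshtein(a, b):
    """Edit distance; a small distance to a protected domain suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, max_distance=2):
    for good in PROTECTED_DOMAINS:
        if domain != good and levenshtein(domain, good) <= max_distance:
            return good
    return None


def phishing_indicators(raw_message):
    """Return the set of indicator tags found in the message (empty = nothing odd)."""
    msg = message_from_string(raw_message, policy=policy.default)
    tags = set()
    from_domain = domain_of(msg["From"] or "")
    reply_domain = domain_of(msg["Reply-To"] or "")
    if reply_domain and reply_domain != from_domain:
        tags.add("reply-to-mismatch")
    if lookalike(from_domain):
        tags.add("lookalike-sender-domain")
    body = msg.get_content() if not msg.is_multipart() else ""
    for href, text in LINK_RE.findall(body):
        href_host = host_of(href)
        text_host = host_of(re.sub(r"<[^>]+>", "", text))
        if text_host and href_host and text_host != href_host:
            tags.add("link-text-mismatch")  # shown URL differs from real target
        if lookalike(href_host):
            tags.add("lookalike-link-domain")
    haystack = (str(msg["Subject"] or "") + " " + body).lower()
    if any(word in haystack for word in URGENCY_WORDS):
        tags.add("urgency")
    return tags
```

None of these indicators is proof on its own (plenty of genuine mail is urgent, and marketing mail often uses a separate Reply-To), which is why the function returns the set of indicators rather than a verdict: a message collecting several of them is the one to hold back and report through the internal process described above.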
Working from home
When employees are working away from the office they may be less aware of security risks - the following advice is useful to prevent cyber attacks:
- Ensure employees are aware of your organisation's policies and procedures, and their obligations around device and data security, e.g. not leaving laptops unattended, or not using social media on business devices.
- Encourage the reporting of IT incidents by setting up a process that everyone is aware of.
- Enable device encryption such as Windows BitLocker to protect the data on devices.
- Turn on “Find My Device” so that lost or stolen devices can be located, and data can be wiped remotely if necessary.
- Consider the use of a Virtual Private Network (VPN). A VPN gives remote workers secure access to core systems because the data transmitted between the device and the office is encrypted, so it cannot be read by anyone on the networks in between.
- Discourage the use of public Wi-Fi hotspots as these could be used by cyber criminals to steal data or access your network.
Further guidance on this topic can be found on the National Cyber Security Centre (NCSC) website, as well as advice for businesses who operate a 'Bring Your Own Device' (BYOD) model:
- Home working: preparing your organisation and staff - NCSC.GOV.UK
- Secure home working on personal IT - NCSC.GOV.UK
- Bring your own device home working during COVID-19 - NCSC.GOV.UK
- Video conferencing services: using them securely - NCSC.GOV.UK
Governance and Compliance
The management of IT security must be clearly defined in your policies and procedures to ensure everyone is aware of their obligations. Every organisation is responsible for securely dealing with information and should document how it intends to keep data protected. Part of this process should also include cyber incident planning so everyone in the organisation knows what to do should something go wrong.
- Be aware of your organisation's responsibilities under regulations such as GDPR, the Data Protection Act, and the Payment Card Industry Data Security Standard (PCI DSS), for example.
- Have policies and procedures in place that cover all aspects of data control.
- Ensure data is protected at all points, whether at rest (stored), in transit (being transferred), or being processed. This includes backups. Only the people who need to have access to information should have access, and encryption methods should be used to protect the confidentiality of data.
- Consult with suppliers and contractors over security measures to ensure data security on shared software or websites.
- Ensure that your organisation has a business continuity plan that sets out what should be done in the event of a cyber incident. Board members should be well versed with what assets the organisation has, have carried out a risk assessment, have an incident response plan in place and know what to do. Regular testing of these plans, and regular penetration testing of systems will help provide assurance.
- Make secure backups of data on a regular basis. Follow the '3-2-1' rule: at least 3 copies of the data, on 2 different types of storage, with 1 copy kept off-site and ideally offline (disconnected from the network), so that ransomware that reaches your systems cannot also encrypt the backup. Consider encrypted automatic cloud backup solutions to protect sensitive customer, employee and financial information, as well as intellectual property, and test restoring from your backups periodically.
Anti-virus
Software installed on your devices to help protect against malware (malicious software) and cyber criminals. It inspects data such as web pages, files, software and applications as they arrive over the network and on your devices, searches for known threats, monitors the behaviour of programs, and flags suspicious behaviour. It seeks to block or remove malware as quickly as possible.
Cloud computing
Where shared computer and storage resources are accessed as a service (usually online) instead of being hosted locally on physical servers. Resources can include infrastructure, platform or software services.
Encryption
Encryption is where plain text, like a text message or email, is scrambled into an unreadable format called cipher text, so that only someone holding the correct key can read it. Encryption helps protect the confidentiality of digital data that is stored on computer systems or transmitted through a network like the Internet.
End User Device (EUD)
Collective term to describe modern smartphones, laptops and tablets that connect to an organisation’s network.
Firewall
Firewalls, both hardware and software, protect computers from hackers and other online threats by blocking dangerous or unwanted network traffic from reaching the system.
Firmware
Software that enables a device to run, e.g. on a smart watch or a network switch.
General Data Protection Regulation (GDPR)
Rules and regulations around the use, storage and processing of personal data. Find out more on the GDPR website.
Hardware
The physical components of a computer, such as the central processing unit (CPU), hard disk, monitor, keyboard and mouse. Also describes devices such as laptops and printers.
Asset
Any software, hardware, data or administrative resource; this can include PCs, laptops, smartphones, and customer data.
Mandate fraud
When someone makes you change a direct debit, standing order or bank transfer mandate by purporting to be an organisation you make regular payments to, e.g. a subscription or membership organisation or your business supplier.
Operating System
Sometimes abbreviated to OS, this is software that communicates with the hardware and allows other programs to run. Desktop computers, tablets, and smartphones include an operating system that provides basic functionality for the device. Common desktop operating systems include Windows, macOS and Linux.
Payment Card Industry Data Security Standard (PCI DSS)
A set of security requirements for any organisation that stores, processes or transmits payment card data, maintained by the PCI Security Standards Council. Find out more on the PCI SSC website.
Removable media
Storage devices that can be inserted into and removed from a PC or laptop. They include DVDs, CD-ROMs, memory cards and USB memory sticks.
Social engineering
Manipulating people into carrying out specific actions, or divulging information that is of use to an attacker. Often used in fraudulent emails (phishing), text messages (smishing) and phone calls (vishing).
Software
Programs that run on a computer or other device. Examples of software include Microsoft products like Excel and Word, as well as Internet browsers like Firefox and Chrome.
Two Factor Authentication (2FA)
2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method. This could be a code generated by an authenticator app on your smartphone, a code sent to your phone by text message, or a code generated by a bank's card reader, which you must enter in addition to your password.
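The code that an authenticator app shows is not random: it is computed from a secret shared with the service and the current time, so both sides can produce it independently and nobody who only has the password can. The block below is an added example of that algorithm (HOTP and TOTP, RFC 4226 and RFC 6238) written from scratch for this page with the Python standard library; it is not code from any authenticator app or from the NCSC. The only data it uses is the RFCs' published test secret, and the server-side `TotpVerifier` class (its name and clock-drift window of one step are assumptions) shows the two checks a service must make: tolerate a slightly wrong clock, but never accept the same code twice.

```python
"""Added example: how the 'code on your phone' factor works (HOTP/TOTP,
RFC 4226 / RFC 6238), written from scratch with the standard library."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """One-time code for a shared secret and a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based code: the counter is the number of 30-second steps since 1970."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time // step), digits)


def decode_base32_secret(text):
    """Authenticator apps are provisioned with a base32 secret (the string
    inside the QR code); pad it back to a multiple of 8 characters."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server-side check that accepts a code from the neighbouring time steps
    (clock drift) but never accepts the same step twice (replay)."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def check(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        counter = int(at_time // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already used, or older than a code already accepted
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret; the 8-digit code at T=59 is published as 94287082.
    secret = b"12345678901234567890"
    print("code at T=59:", totp(secret, 59, digits=8))
    print("code right now:", totp(secret))
```

The secret never leaves the phone or the server, which is why a phished password alone is not enough, but it also means a code typed into a fake website can be replayed by the attacker within the same 30-second step. That is the weakness the 'replay' check only partly closes, and why phishing-resistant methods such as security keys are preferred for high-value accounts.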
VPN (Virtual Private Network)
A virtual private network creates an encrypted 'virtual tunnel' between a device and another network (for example, your office network) across the Internet. Data travelling through the tunnel, and the addresses it is going to, cannot be read by anyone in between, such as other users of a public Wi-Fi hotspot or the operator of that hotspot, so they cannot monitor the device's activity.
Wi-Fi
A wireless networking technology that allows devices like computers (laptops and desktops), mobile devices (smartphones and wearables such as smartwatches), and other equipment (printers and video cameras) to connect to the Internet and exchange information with one another, forming a network. When you use Wi-Fi, you are connecting to a wireless router or access point that lets your Wi-Fi-compatible devices reach the Internet.