Nine out of 10 businesses are working in a digital way, and more and more are working virtually. We live online.
But we need to ensure that we are working safely online. The risk of a digital attack is high, and 39% of UK businesses have experienced a cyber security breach. This is according to a report published in March 2022 by the Department for Digital, Culture, Media and Sport.
There are several areas that a business needs to look at to ensure online (cyber) security.
Risk assessments can sometimes be seen negatively or be viewed with fear/disdain. They are a positive tool that can identify strengths and weaknesses in a particular area. Once you know an area that is not so great, an action plan can be created to improve it. Risk assessing raises A LOT of questions, and you will never get to risk-free. However, you can put things in place to reduce the risk.
Have a Bring Your Own Device Policy and Working from Home Policy
On average, 45% of businesses have staff that use their own devices. 84% of workers who had worked from home during the pandemic have said they plan to carry out a mix of home and office working in the future, according to an Office of National Statistics report published in May 2022.
This can raise risks around how secure the equipment or network is.
Having staff use their own devices can save costs, but it can mean less control over IT security.
Have IT support
Have (external) IT support that provides a portfolio of IT services underpinned by a service level agreement. From a cyber security perspective, having someone there to help keep things safe, who can do back-ups and provide support when things go wrong, is a great unseen benefit to a business.
Have systems in place that can help detect incidents.
Awareness and training
Oh, I mentioned the T word – sorry.
Everyone needs to understand and know where the online risk can come from. Whether it be from phishing, vishing, smishing or pharming, can staff identify the risks, not act on the attack AND report it?
Ensure there is a plan in place, that it is actioned, and that staff are aware of online threats – not only to the business but also to their personal data.
Ensure you have access to up-to-date information
Cyber security is forever changing. How do we keep up to date with all the information? And how do we ensure it is accurate?
Something has gone wrong; what do you do?
An excellent place to start would be the NCSC or ICO or find an external cyber security consultant. If you have an external IT provider, they could also be a good source of information. Also, remember to check your business insurance.
Keep software updated
Whether it be the operating system or the actual software, updates are pushed out for a reason – they contain security patches and fix glitches or vulnerabilities. Yes, it can be a pain when they are updating and stopping you from working. But do you want your computer to be held captive and not work?
Record and Report
Recording each attempted cyber attack, even when it doesn’t get through, is a great way to assess the effectiveness of your online safety.
Have a plan to respond to a cyber incident in advance and check to see if it would work.
Have records of possible attacks, and investigate actual incidents.
Remember that a cyber attack, phishing etc., should be reported to the NCSC. If personal data is lost, risk assess to see if it must also be reported to the ICO.
Secure that data
Securing that data comes in different ways:
- Ensure that where the data is stored is secure – and data protection compliant.
- Only allow people who need access to the data to access it.
- Secure access by using 2-factor authentication.
- Have secure passwords.
Digital Due diligence
This comes back to risk assessing in a way – doing those checks to ensure everything is OK, but this time on prospective (and current) suppliers, to establish any liabilities and evaluate potential.
Check suppliers – where are they, and what is their compliance like?
Check out the National Cyber Security Centre for more information about online security.
Or, if you would like support to implement better data protection and online security, why not book a power hour?