Looking to strengthen the cyber security of your business? Anthony Green, CTO of cyber security firm, FoxTech, wants to demonstrate that making a big difference doesn’t always need to come at a big price tag.
“Many companies – particularly start-ups and smaller businesses – are reluctant to investigate the state of their cyber security because they are worried they don’t have the budget to fix any problems they might find,” says Anthony.
“Of course, having a budget to invest in strengthening your cyber security is the ideal scenario, but if the money simply isn’t there, it doesn’t mean a business is doomed to security chaos. There are many things that any organisation can do to strengthen their protection without spending a penny – so there’s no excuse for having terrible security!”
To help businesses take control of their cyber security, FoxTech has created a list of ten free ways to boost your business’ cyber security.
1. Software updates offer free security fixes – so install them promptly
Installing software updates is one of the easiest and best things you can do to boost your cyber security. Software updates contain fixes to bugs and security holes discovered in the previous software versions. Software companies do not fix issues on old versions of software, so if you don’t regularly install updates then you are exposed to any hackers looking to take advantage of these flaws.
Security experts create these updates for a reason – and it’s part of what you’re paying for when you purchase a device or software package, so ensure you take advantage of this.
It’s a good idea to turn on automatic updates and install fixes as soon as they become available. This goes for the operating system on your device, as well as any third-party software that you use in your business, such as the Windows suite.
2. Configure DMARC
Domain-based Message Authentication Reporting and Conformance (DMARC) is an email authentication, policy, and reporting protocol. It identifies email spoofing (people sending emails on behalf of your domain), spam and phishing scams, providing businesses with another layer of protection against scam emails.
It’s free to configure DMARC yourself, or businesses can get it configured by a third-party cybersecurity firm for a low cost.
3. Educate your employees about phishing
The UK Government’s Cyber Security Breaches Survey 2022 found that 83% of UK businesses experienced at least one phishing attempt in the 12 months preceding their survey, making phishing emails the most common form of attempted cyber attack. Employees are the first line of defence against phishing, so ensure that employees know how to identify and correctly report phishing emails.
The National Cyber Security Centre (NCSC) offers free cyber security training which has a module on spotting and reporting phishing scams.
4. Instil a no-blame culture
If employees are worried about being penalised for falling victim to an attack attempt, they are far less likely to report it. Actively instilling a no-blame culture means that, if an employee does click on a scam link, they should feel confident enough to report it as soon as it happens. As a result, your business will have time to investigate whether it has resulted in intruders breaching your system before the worst happens – such as the attacker locating sensitive data or launching a ransom demand.
5. Get a free CyberRisk score
FoxTech offers a free CyberRisk score for businesses. It uses your business email address to search for publicly available information about your company’s cyber security posture – essentially showing organisations what their system looks like to an attacker. The assessment identifies security weaknesses to help businesses fix them before they are exploited by hackers.
6. Practice good password hygiene
The NCSC advises disabling complexity requirements and mandatory password updates, because they encourage password re-use and the use of common passwords (like Password1234!) Instead, their official guidance is to use three random words, such as glasscattree or plantbluewheel. This strikes the balance between creating a password that’s easy to remember, but secure enough to keep cyber criminals at bay.
7. Use two-factor authentication
Two-factor authentication (2FA) adds an extra layer of security to your online accounts, meaning that even if your account passwords are compromised, a cyber criminal won’t be able to breach an account without access to a linked device. While employees might view 2FA as a frustrating additional step to sign-in, it really is one of the most effective ways of preventing a password breach. You can enable 2FA for free on Microsoft accounts, Google accounts, and Apple products.
8. Don’t connect to insecure Wi-Fi networks
An unsecured Wi-Fi network is one you can access without a password. These networks usually have no security encryption, meaning hackers can use them to distribute malware onto any connected devices. Business owners should communicate the risks of connecting to unknown public Wi-Fi networks to their employees and put appropriate measures in place – such as discouraging practices like working while travelling.
9. Create an incident response plan
According to the UK Government’s Cyber Security Breaches Survey 2022, only 19% of businesses have a formal incident response plan – which lays out what to do in the event of an attack.
Without an incident response plan, businesses are unprepared to deal with a hack, making the potential fallout worse, and the recovery period longer. Incident response plans also ensure you are acting legally when it comes to informing customers of data theft. Read the NCSC’s guidance on creating an incident response plan.
10. Don’t overlook physical security
Whether it’s leaving server rooms unlocked, sticking post-it-notes of passwords on your devices, forgetting to shred documents containing sensitive data, or leaving company devices unattended in public spaces, attackers can, and still do, take advantage of these physical vulnerabilities. So, while the average hack might not rely on a physical element, no organisation should be complacent when it comes to traditional security advice.