Small Business Guide

This guideline is provided to help small businesses protect themselves from the most common cyber attacks.

Take regular backups of your important data and test they can be restored. This will reduce the inconvenience of any data loss from theft, fire, other physical damage, or ransomware.

  • Identify what needs to be backed up such as documents and emails. Make backing up part of your everyday business.
  • Ensure the device containing your backup is not permanently connected to the device holding the original copy.
  • Consider backing up to the cloud, so that your data is stored in a separate location which you can access quickly from anywhere.

Smartphones and tablets (used outside the safety of the office and home) need even more protection than ‘desktop’ equipment.

  • Switch on PIN/Password protection for mobile devices.
  • Configure devices so that when lost or stolen they can be tracked, remotely wiped or remotely locked.
  • Keep your devices (and all installed apps) up to date, using the ‘automatically update’ option if available.
  • When sending sensitive data, don’t connect to public Wi-Fi hotspots. Use 3G or 4G connections (including tethering and wireless dongles) or use VPNs.
  • Replace devices that are no longer supported by manufacturers with up-to-date alternatives.

Protect your organization from the damage caused by ‘malware’ (malicious software, including viruses) by adopting some simple and low-cost techniques.

  • Use antivirus software on all computers and laptops. Only install approved software on devices and prevent users from downloading third party apps from unknown sources.
  • Patch/update all software and firmware by promptly applying the latest software updates provided by manufacturers and vendors.
  • Control access to removable media such as SD cards and USB sticks. Encourage staff to transfer files via email or cloud storage instead.
  • Switch on your firewall to create a buffer zone between your network and the Internet.

In phishing attacks, scammers send fake emails asking for sensitive information (such as bank details) or containing links to bad websites.

  • Ensure staff don’t browse the web or check emails from an account with Administrator privileges. This will reduce the impact of successful phishing attacks.
  • Scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.
  • Check for obvious signs of phishing, like poor spelling, grammar or low quality versions of recognizable logos.

Passwords — when implemented correctly — are a free, easy and effective way to prevent unauthorized people from accessing your devices and data.

  • Make sure all laptops, Macs and PCs use encryption products that require a password to boot. Switch on password/PIN protection or fingerprint recognition for mobile devices.
  • Use two-factor authentication (2FA) for important websites like banking and email, if you’re given the option.
  • Avoid using predictable passwords (such as family and pet names). Avoid the most common passwords that criminals can guess (like passw0rd).
  • Do not enforce regular password changes; they only need to be changed when you suspect a compromise.
  • Change the manufacturers’ default passwords that devices are supplied with, before they are distributed to staff.
  • Ensure staff can reset their own passwords easily.
  • Consider using a password manager. If you do use one, make sure the ‘master’ password is a strong one.

Set up logs to alert you to any unusual events such as multiple failed login attempts, password changes, changes to your log configuration, and/or network connections going in and out of your network.
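The kind of alerting described above, as an added example that is not part of the guide: a small Python script that reads constructed syslog-style lines (the log format, host names and addresses are assumed for illustration) and raises an alert on repeated failed logins from one source, on password changes, and on the logging daemon being stopped.

```python
import re
from collections import defaultdict

# Constructed sample log lines for illustration; a syslog-like format is assumed.
SAMPLE_LOG = """\
Mar 03 09:01:02 fileserver sshd[812]: Failed password for alice from 203.0.113.7 port 5021
Mar 03 09:01:05 fileserver sshd[812]: Failed password for alice from 203.0.113.7 port 5022
Mar 03 09:01:09 fileserver sshd[812]: Failed password for alice from 203.0.113.7 port 5023
Mar 03 09:01:14 fileserver sshd[812]: Failed password for alice from 203.0.113.7 port 5024
Mar 03 09:02:00 fileserver sshd[813]: Accepted password for bob from 192.0.2.10 port 5030
Mar 03 09:05:30 fileserver passwd[900]: password changed for bob
Mar 03 09:06:10 fileserver rsyslogd: [origin software="rsyslogd"] exiting on signal 15
"""

# Patterns for the three event types the guide asks you to watch for.
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
PASSWD_RE = re.compile(r"passwd\[\d+\]: password changed for (\S+)")
LOGCFG_RE = re.compile(r"rsyslogd: .*exiting on signal")


def find_alerts(log_text, fail_threshold=3):
    """Return a list of alert strings, in the order the triggering lines appear."""
    failures = defaultdict(int)  # (user, source address) -> failed attempt count
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            failures[key] += 1
            # Alert once, when the threshold is first reached, not on every later failure.
            if failures[key] == fail_threshold:
                alerts.append(f"repeated failed logins: user={key[0]} from={key[1]}")
            continue
        m = PASSWD_RE.search(line)
        if m:
            alerts.append(f"password changed: user={m.group(1)}")
            continue
        if LOGCFG_RE.search(line):
            alerts.append("logging daemon stopped (possible log tampering or config change)")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT:", alert)
```

In practice the same checks would run against your server or firewall logs on a schedule, with the alerts emailed to whoever is responsible for IT.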