What you need to know
SECURING YOUR DEVICES
Writers of malicious software (malware), including ransomware and keyloggers, rely on users of a system to make simple errors in order to infect a device or gain unauthorised access.
Aside from educating your company's computer users, your best defence as a small business is to 'harden' your devices against these risks. This can be achieved by taking some simple actions.
- Turn on automatic updates
Modern desktop operating systems such as Microsoft Windows or Apple OS X offer regular software updates. These updates often include patches (fixes) for newly discovered security flaws. It is important to install these updates quickly so devices are secure against malware.
The most convenient and secure way to ensure computers are protected is by enabling automatic updates.
Tip! On Windows 10 machines, you can switch this feature on by choosing the 'Settings' menu, selecting 'Updates and security' and then clicking on 'Advanced Options'.
Tip! On an Apple Mac, open 'System Preferences' and make sure the 'Automatically check for updates', 'Install OS X updates' and 'Install system data files and security updates' options are all enabled.
It's also important to enable automatic updates for your web browsers. The latest versions of Apple's Safari and Microsoft's Edge browsers are updated automatically when you update your operating system. Other popular web browsers like Google Chrome and Mozilla Firefox automatically download their own updates, but you'll need to restart the browser for the changes to take effect.
- Install security software and keep it up to date
Security software is a good first line of defence against malicious software (malware).
Modern versions of Windows include free security software called Windows Defender. Microsoft also allows the installation of third-party security software for users looking for a higher standard of protection.
Apple Mac computers don't include security software by default, so it's important to install reputable third-party software.
Good security software can help protect your business from phishing attacks, ransomware and other threats. In selecting security software (such as anti-virus or anti-malware), be sure to first read reviews to assess its reputation.
- Only install software from reputable publishers
Cyber criminals are known to embed malicious code into software that appears legitimate as a way to infect their targets with malware. Often, this software is pirated or available via unauthorised or unofficial sources.
The safest way to avoid downloading malicious code is to only download software from official stores.
The Microsoft Windows Store is the official online marketplace for purchasing and downloading software for Windows. For Macs and Apple iOS devices, it is Apple's App Store.
Google Play is the official online marketplace for Android devices.
- Limit administrative access to your computers
Each user account has rights to perform specific functions. In small businesses, it's often the case that all users are given full administrative rights by default. That means they have the right to install new programs, change security settings and choose personalised colour schemes and wallpapers.
Larger organisations have learned that restricting administrative access greatly reduces the number of infections and security breaches. Most users simply don't need administrative access, even if they want it.
By limiting users to the access they need, you can prevent them from disabling important settings such as security updates and require them to obtain permission before installing unapproved software.
You can usually configure these user options under the 'Settings' or 'System Preferences' menus of your devices.
- Encrypt your hard drives
Disk encryption ensures that if a computer is stolen, the thief is unable to access the data.
The only way disk-encrypted data can be accessed is if the drive is powered on and the thief has the user's account login details.
Microsoft Windows' disk encryption is called BitLocker. Microsoft provides step-by-step instructions for using BitLocker on its website.
For an Apple Mac, a program called FileVault is used to protect hard drive content. Apple's instructions for using FileVault are available from Apple's support website.
SECURING YOUR NETWORK
Many small businesses don't have dedicated technology staff to install, configure and update their networks, and the job is often left to somebody who may not have had formal training.
While networks make it easy to share information within the office and with others, an improperly configured network risks allowing outsiders to disrupt your business activities or steal data.
Here are six essential steps for protecting your business network.
- Change the defaults
An important first step when setting up a network is to change the default password for your router. A router's default password is usually published on the manufacturer's website, making it easily discoverable by would-be attackers. Choose a new, strong password that is at least eight characters long, difficult for others to guess, and isn't re-used for any other service your business uses.
It's also wise to disable 'remote configuration' of your router. Disabling this feature ensures your router can only be managed from a computer within your network rather than from a person logging in from the internet.
- Hide your network
Your office network has a name, known as an SSID. These are the network names you typically see when you're travelling, or are in a public place, and looking for a Wi-Fi network to connect to.
Limit the ability for unauthorised users to find or access your network by disabling the SSID broadcast. You'll need another way to communicate the name of your wireless network to new users - perhaps you can simply tell them.
Find the 'disable the SSID broadcast' option in your router's settings.
- Protect your data
To prevent unauthorised access to your networked files, wireless communications between the computers on your network should be encrypted. Encryption scrambles your data so only the devices that are authorised to use the network can read it.
Setting up encryption on your network is usually done through the 'Wireless Security' settings on your router. It typically involves selecting the type of encryption for your network, and creating a network password or key.
WPA2 is currently the most secure type of encryption for small business and home routers, provided it is combined with a strong password. Users are asked for a password when connecting to the network for the first time, but won't be asked on future occasions.
Less secure encryption options such as WEP should only be used on older routers where WPA2 (or WPA) is unavailable.
It's a good idea to regularly change your network password. Doing so will prevent staff members who have left the business from having ongoing access to the network.
- Create a guest mode for visitors
When guests pop in to the office - be they temporary staff, contractors or friends - it's common to offer them network access so they can use the internet.
Look for options on your router that offer visitors access without granting access to other network resources such as servers or printers. Most routers call this 'Guest Access'.
Modern routers can usually create a separate network that gives connected devices access to the public internet but nothing else. You'll find these options within your router's wireless security settings.
- Turn off features you don't use
Modern routers come with a range of features. Services like FTP, UPnP and WebDAV are useful for specific applications. But if you don't need these services, don't turn them on.
Each enabled service is a potential opportunity for unauthorised users. It's what security experts call the "threat surface" and the best approach to data defence is to make that surface as small as possible.
- Keep an inventory of approved network devices
It's good practice to maintain an inventory of approved devices and update this list any time a device is added or removed from the network. Regularly comparing your network against this list and removing access to devices that are unknown or not approved will improve the security of your business.
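One way to carry out the comparison described above, as an added example that is not part of the original guidance: the Python script below parses the output of the `arp -a` command (available on both Windows and macOS) and checks each device against an approved list. The device names, addresses and sample output are constructed for illustration.

```python
import re

# Approved inventory: MAC address -> description (constructed sample values).
APPROVED = {
    "3c:52:82:11:22:33": "Office router",
    "a4:83:e7:44:55:66": "Office printer",
    "f0:18:98:77:88:99": "Owner's laptop",
}

# Constructed `arp -a` sample: Windows rows (dashes) and a macOS row (colons).
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           3c-52-82-11-22-33     dynamic
  192.168.1.23          A4-83-E7-44-55-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
? (192.168.1.42) at de:ad:be:0:1:2 on en0 ifscope [ethernet]
"""

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2}\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def normalise_mac(raw):
    """Return a MAC as lowercase, zero-padded, colon-separated text."""
    return ":".join(part.zfill(2).lower() for part in re.split(r"[:-]", raw))

def parse_arp(text):
    """Map each unicast MAC seen in ARP output to its IP address."""
    seen = {}
    for line in text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if not (mac and ip):
            continue  # header or interface line
        addr = normalise_mac(mac.group())
        if int(addr[:2], 16) & 1:
            continue  # broadcast/multicast entry, not a real device
        seen[addr] = ip.group()
    return seen

def audit(text, approved):
    """Return (unknown devices on the network, approved devices not seen)."""
    seen = parse_arp(text)
    unknown = {mac: ip for mac, ip in seen.items() if mac not in approved}
    missing = sorted(mac for mac in approved if mac not in seen)
    return unknown, missing

if __name__ == "__main__":
    print(audit(SAMPLE_ARP, APPROVED))
```

Hardware addresses can be changed, and many phones randomise them, so treat an unknown entry as a prompt to investigate rather than as proof of an intruder.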
A cloud service can offer small businesses improved productivity, flexibility and reduced costs by delivering data storage services or applications such as accounting packages over the internet. While using these services can create new opportunities for your business, cloud also introduces some security and privacy risks.
If you're using cloud, the security and privacy of your data is largely in somebody else's direct control. Listed below are six key considerations to help you make smarter decisions about the cloud services you choose and how your staff use them.
- Read the Terms and Conditions
When you choose a cloud provider to deliver a service - be it managing your payroll or storing your data - you're effectively outsourcing a business activity. It's your responsibility to ensure that service provider is acting in your business's interest.
Take note of the legal jurisdictions your cloud service operates in, including country and region or state. Laws relating to data and intellectual property vary globally, so you'll need to know to which jurisdiction the terms and conditions of your cloud service apply in order to understand where legal disputes may arise and be heard.
Also consider whether and what data may be shared with third parties, when and how your business is notified of any service outages and what processes are in place, should a security breach occur.
- What are the access controls?
If more than one person in the business needs to access the cloud service, you need to make sure you can manage access appropriately for each individual or role type.
For example, with a cloud accounting service it may be important to segregate the access of your accounts payable and receivable staff. It's also unlikely all of your users need administrative rights to create and delete user accounts - this should be limited to those who genuinely need it.
It's important to revoke access of staff when they leave your business, given cloud services are accessible by anyone with an active user account and an internet connection. Make this part of the exit process for departing staff.
- Secure your data
Your business data is one of your most important assets.
Ensure that your cloud provider encrypts all your data, both when it's at rest (i.e. held in storage) and in transit (i.e. being sent or received).
In-transit data is usually protected using HTTPS, a common communications protocol used across the internet. Cloud providers will list the use of HTTPS in the list of features on their website and in the Terms and Conditions.
Similarly, you should read about specific information pertaining to the type of encryption used when data is at rest (stored on the cloud provider's servers).
Using a cloud provider doesn't relieve you of your responsibility to protect business data.
Before committing to a cloud provider, make sure you can also create a local backup of your data. This helps protect your business data against the failings of your cloud service provider, whether caused by a security incident, a system failure or any other failure of their business.
- Security starts at the keyboard
Even the most secure systems in the world become vulnerable if not used correctly.
Remind your staff to use strong passwords and to log out when they've finished working. Ensure they can't disable the security software on their workstation.
- Keep tabs on your provider's practices
When you trust a cloud service provider with your data, you make assumptions that the provider is following solid processes for ensuring cloud systems are well maintained.
Confirm that your cloud service provider keeps its underlying IT infrastructure up-to-date with the latest security and reliability patches.
As your business grows, you will likely need to re-evaluate the risks associated with using a cloud service. You might, for example, negotiate access to system logs maintained by the cloud service provider so that you can monitor user access to your data, or investigate security incidents and service outages.