How to Protect Against Key Threats
Update your operating system, browsers and plugins
Enable click-to-play plugins
Remove redundant or outdated software
Watch out for fake tech support numbers
Use strong passwords
Ensure you’re using trusted websites
Log out of websites and accounts when you’ve finished
Use firewall, anti-malware, anti-ransom ware and anti-exploit technology
Install anti-virus software and keep it up to date
Install a popup blocker
Never click on, open or download anything unless you know the sender, are expecting something from them or trust the website
Know the signs of a virus on your computer (e.g., slow performance, unexpected shutdowns and changes to your homepage)
Know the signs (unknown senders, strange email addresses and spelling and grammar mistakes)
Only open attachments, click on links or download files if you’re expecting them
Never give out personal or financial information
Use different passwords for each online account or website login
Enable two-factor authentication
Two-factor authentication (2FA) is a multi-factor authentication or two-step verification where a user must provide two authentication factors to prove identity and gain access to an online network or user account.
Make sure employees are trained on how to spot the signs of a fake email
Have procedures in place to report suspicious emails
Back up your equipment regularly and keep software up to date
Use robust security software
Disable macros and Java and Flash Player
DDoS ( Distributed Denial of Service) attacks
Know the amount of bandwidth your site typically uses
Add more bandwidth if needed
Ensure updates are installed on all computers and devices
Secure your network infrastructure
Practice basic network security
Have a cloud-based DDoS mitigation system in place
Use strong passwords and have different passwords for all websites and logins
Use two-factor authentication
Choose an Internet Service Provider (ISP) that offers built-in security features
Keep anti-virus and anti-spyware software up to date
Install a network firewall
Encrypt customer data and sensitive information
Limit access to certain online information
Block high-risk sites from being viewed by employees
As well as protecting your organisation, customers and employees, personal data protection is a legal requirement under GDPR and The Data Protection Act 2018. This checklist does not cover your legal obligations in controlling or processing personal data, although we have included links to valuable websites in the Helpful Resources section. The guidance below is aimed at the practical steps you can take to minimise the risk of loss of personal data.
Secure wireless networks
Manage your Preferred Network List (PNL), use a Virtual Private Network (VPN), disable auto-connection and Wireless Session Protocol (WPS) functionality and run regular wireless network penetration tests.
Keep your computer and software up to date
Install updates as soon as they’re available to fix security flaws.
Control access to personal data
Only allow employees access if they really need it to do their job.
Regularly back up data
Cloud solutions can be a popular choice.
Make sure your staff know how to identify potential threats when it comes to data breaches.
Regular and educational staff training is vital to your cyber security.
Implement a cyber security policy to set the standard for all your online activities
Hold regular training sessions to help employees stay alert and safe when browsing online, recognise the signs of cyber-attacks and know how to report them
Implement stricter controls and levels of access to online tools and data including removing access when an employee leaves the business.
Make sure your staff know how to identify potential personal data breaches and the steps to take. If you are obliged to report a personal data breach to the ICO, strict timelines apply.
Avoid using obvious and common passwords that are based on personal information
Create long passwords with a mix of upper- and lower-case characters, numbers and symbols
Don’t use memorable keyboard paths, such as qwerty
Implement two-factor authentication on key accounts where you can
Use a password manager to store your passwords, generate secure ones and share login credentials safely
Browsing safely online
Ensure your Wi-Fi is password protected, change your default router login information to something more secure and turn off Wi-Fi Protected Setup (WPS) on your router
Think about using a Virtual Private Network (VPN) to mask your IP address and add an extra layer of security to your online activities
Ensure your third-party suppliers are GDPR compliant and you research their security measures to ensure data is stored and transferred securely
Run regular computer and software updates
Monitoring your small business cyber security
Monitor your logs for signs of unauthorised activities
Create a monitoring policy to help manage risk
Conduct a ‘lessons learned review’ by looking back at past successes and failures and identifying which security measures are working (and which aren’t working so well)
Working from home and mobile devices
Implement cyber security practices for remote working including setting policies around using public Wi-Fi, implementing two-factor authentication and ensuring mobile devices are also secured
Encrypt data on smartphones, ensure all mobile devices are set up with password, fingerprint or face verification and install software that allows you to wipe data remotely
Ensure all USB devices and portable hard drives are password protected, data is encrypted and backed up and they are securely stored
Responding to a cyber-attack or breach
Contain the breach (disconnect your internet, disable remote access, review firewall settings, isolate devices from the internet and neighbouring devices/ networks, install any pending security updates and change passwords)
When you’re sure your systems are safe again, use your backups to restore any data which was lost
Conduct an investigation to learn how the attack happened
Consider whether any personal data was included in the breach to identify any obligation to report the breach to the necessary regulators (e.g., the ICO)
Identify and, where required, notify employees, customers and third-parties who have been impacted by the breach
Manage announcements to the public and be ready to respond to feedback, comments and questions from customers
Adjust and communicate your internal security protocols to reduce the risk of the same type of incident occurring again
The information in this guide is for general guidance about cyber security good practice only and is not legal advice. We have tried to ensure that this guidance is accurate and relevant as at October 2020. However, Acorn HR Services does not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or failure to use any information contained in this guidance.