Ultimate IT Security guide for small business
In our ultimate IT security guide for small business we go through all the things you will need to know about, questions you will need to ask your IT provider, and questions your IT provider will ask you.
It doesn’t matter if you own a small accountancy firm, or if you manage a wedding supplies business. Security is the base for a strong business platform, where you can implement trust and a solid relationship with your clients.
We have created this IT security guide from our experiences with clients around the UK over the years. Along with a range of other IT solutions, making sure that you have safe and secure networks is vital.
Our IT Security guide has advice from our IT team on how to select and purchase the best IT security products and solutions for your business needs and budget.
Let’s begin!
Make a cup of tea and get comfortable. This IT security guide includes everything. You may even want to bookmark it for future reference!
UK BUSINESS FACTS AND STATS
Some of the latest stats about UK SMEs
Why would hackers target an estate agent in Manchester or an accountancy business in Hampshire?
Unfortunately, it is because hackers know that small business owners usually have fewer cyber security procedures in place.
When it comes to IT security for small business, the common myth is that only large businesses are affected. It simply is not true. Small businesses are targeted by cyber criminals just as much. In fact, small businesses are often viewed as an easy target, with generally less data protection and cyber awareness than larger companies.
As well as setting up your website, server and data management and communications, IT security and compliance need to be at the core of your plan.
UK companies lose thousands of pounds to cyber security breaches each year. In addition to the financial cost, there is the time and staff resources spent, as well as the loss of trust with existing and potential clients.
We are aware of the damage that IT security issues can bring to small businesses, especially as attack tools keep evolving. That’s why the HelpDesk Heroes team created this IT security guide for small and medium size businesses based in the UK.
Start-ups and Small Businesses
Running a start-up or small business can be an overwhelming task, especially at times with so much going on. With the daily responsibilities and unexpected issues that may confront you, IT and data security can find their way to the bottom of the to-do list. Small businesses usually put IT security on the back burner because there may not be enough resources or budget available. If your business experiences an attack, the fallout can be far worse. Hiring an expert to deploy strong firewalls, apply security patches and monitor your network is the best solution.
Many start-ups and small businesses will have remote staff as well as freelancers who have access to their business network. They may be working from home, in their local coffee shop or in co-working offices. If the Wi-Fi connection isn't secure, it makes it much easier for hackers to steal your data. Most small organisations know that they should be doing more to protect themselves, but it can be difficult to know where to begin. There are many elements to successful IT security.
Small business simply can’t ignore cyber security
It all seems fine until it's not! The threat of cyber-attacks is increasing rapidly, and there is constant speculation over how hackers will attack next, so it is more important than ever to be vigilant against cyber-crime. When there is an IT disaster the repercussions can be both costly and disruptive. The problems that small organisations face if they don’t properly address cyber security include:
Business downtime
Business downtime is something that you really want to avoid. If your systems are attacked, your business will be offline and operations suspended. Investigating the cause of the breach and getting your systems back online can take time while everything comes to a standstill. A DoS (Denial of Service) attack is designed to cause downtime, and recovery can take hours, days or even weeks. In some instances data recovery is impossible and important information is lost permanently.
Remedial costs and penalties
Getting up and running again is only your first priority. If the attack was serious enough, you will need to contact customers who were affected, as well as the UK data protection supervisory authority, the ICO (Information Commissioner’s Office). Notifying customers alone can be an expensive and time-consuming endeavour. You may have to set up helpdesks so that those affected can get in contact to learn more, or offer complimentary security checks.
Reputational damage
The incident might result in long-term reputation damage. It can be hard for organisations to retain customers’ trust – and that’s particularly true for small organisations – so you may experience significant customer churn. In fact, any cyber attack on your system may cause an inconvenient user experience for your customers and could even cost you some clients. Poor performance of your business platform pushes your customers to look for alternative service providers. For instance, with a slow e-shop website or a visibly hacked web page, your clients may not trust you with the confidentiality of their data (such as credit card details) or with their money.
Determining your small business cyber security needs is the first step in your plan
When it comes to cyber security for small business, a comprehensive IT security solution is essential in preventing a cyber attack and minimizing the potential damage if one does occur. But there are so many different solutions out there, each promising to be the best. So how do you know which one is right for your business? Mitigating a cyber attack requires prior knowledge of all the steps that should be taken to deal with it properly, from response through to recovery. This will help with streamlining the processes and procedures your business will use to confront possible threats to your IT systems.
Pre-COVID, most businesses would take measures to secure their IT equipment and systems based around an office IT setup only. Today, home IT setups are often installed by people with limited IT expertise.
Carrying out a risk assessment
Risk assessment is a procedure carried out by specialists to identify possible dangers and to analyse what could happen if a potential hazard emerges. A cyber risk assessment will help you understand all the important areas of your business and what measures you need to take in order to protect them. Start by auditing your most sensitive business data and information. This will give you a good idea of where you need protection. In fact, hackers always penetrate IT systems for one ultimate reason: to look for your precious prize, your data! During the risk assessment, you have to look at how you store this data on the network, who has access to it among internal users and Internet users, and how it's protected, to understand where you could be most at risk. If you're not able to carry out a risk assessment yourself, then you will need to contact an IT expert to do this for you.
Important questions you will be asked by your IT Security provider
- What type of service do you provide?
- How many users do you have?
- What are the sites that you would like to protect including cloud?
- Do you utilise Virtual Machines (VMs)?
- How many servers do you have currently?
- Will you need your own server?
- How many firewalls do you have in total?
- What applications do you use?
- Which vendors are you interested in?
IT security investment must be a key part of any business budget
Many small businesses turn their full attention to IT only when there is a problem. Inevitably it will happen, so it is better to be fully prepared. This is why you have to make accurate plans and allocate your IT security budget from the start. Not enough SMEs invest in comprehensive backup strategies. So we will say it again: it is really important to allocate a budget for this. How much should a small business spend on IT security? Assessing the financial costs of potential cyber-attacks and threats is a process that can take some time. Being prepared means that, in the long run, it will be more cost-effective in terms of money and time, and less disruptive, thanks to the preventive measures. "What we are seeing unsurprisingly more of these days is, that small and medium size businesses are increasing their data fortification budgets as they realise they are facing essentially the same cybersecurity challenges as large organisations." When it comes to IT security costs, IT providers generally charge based on the number of devices (computers/laptops) that they need to cover. Other equipment includes IT peripherals.
If you are researching costs and looking for quotes you will find yourself having to fill out request forms so that an IT provider can get a better idea of exactly what you will need. Each business is different, so the average cost can vary (depending on how many workstations and devices you need secured, and whether there are any servers and of what kind), but you can expect to pay between £35 and £150 per workstation, or alternatively £15 to £90 per user.
Jackye Govaerts
A strong IT Security platform starts with you
Small business owners must devote more attention to data these days. Your data is the cornerstone of your business. It is of the utmost importance that it is safe and secure. Getting to grips with exactly what you need to do and how to treat your business information, can feel like a huge mountain to climb.
The 3 main things to consider when it comes to data are access, security and storage.
Data access
Accessing your business data needs to be easy and secure. Not all of your staff members need to have access to all of it, and when they do, they need secure access to only the relevant data. Sensitive data should only be accessible to users with legitimate rights, following company-wide permission policies. Databases are critical and should always be secured with a strong password, and it's recommended to use 2FA (2 Factor Authentication) for all remote access. An administrator can set restrictions on each of the file operations: Create, Read, Update, Delete. For critical data and datasets, you can add another layer of security by requiring an additional authentication factor (fingerprint, hardware dongle, etc).
Data security
We can divide data security into two important categories that need to be applied in every business:
- Data security in transit
- Data security at rest
Data security in transit is about the security of your data while it is being transferred from one device to another. Data transferred between two entities should be encrypted and should never be sent as plain text, to prevent a Man In The Middle attack. This kind of attack consists of an attacker sitting between the sender and the receiver, trying to capture the data in all moving traffic, especially login details and passwords.
Data that is stored for a long period of time on one device is 'at rest'. It is always recommended to encrypt data at rest as well.
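The Man In The Middle point above comes down to one thing on the client side: the connection must verify that it is really talking to the intended server before any login details are sent. The following Python is an added example, not code from the guide or from HelpDesk Heroes; it uses only the standard library and shows the TLS client configuration that resists an interposed attacker next to the "turn verification off to make the error go away" configuration that does not, plus a small audit function you can run over any SSLContext in your own code. The host name in the connection helper is a placeholder.

```python
"""Audit a TLS client configuration for the settings that stop a
man-in-the-middle attacker: certificate verification, hostname checking and
a modern protocol floor. Added example using only the standard library."""
import socket
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context is safe to use."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required/verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def secure_client_context() -> ssl.SSLContext:
    """What a client should use: system trust store, full verification, TLS 1.2+."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The configuration that silences certificate errors and, with them, MITM detection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE             # any certificate, or none, is accepted
    return ctx


def connect_verified(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a verified TLS connection and return the negotiated protocol name.
    Raises ssl.SSLCertVerificationError if the server's certificate does not
    match the host name, which is exactly the failure an interposed attacker causes."""
    ctx = secure_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Offline demonstration: audit both contexts. (connect_verified needs a network;
    # e.g. connect_verified("example.invalid") with a real host name of your own.)
    print("secure  :", audit_tls_context(secure_client_context()) or "no findings")
    print("insecure:", audit_tls_context(insecure_client_context()))
```

The audit deliberately treats `CERT_NONE` and `check_hostname = False` as separate findings: the first accepts any certificate, the second accepts a valid certificate issued for a different site, and both let an attacker between you and the server read the traffic in clear.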
Data storage
Where and how you store your data, is a top priority. It needs to be secure. Whether you have large amounts that need to be stored in the cloud or it's business data on workstations, laptops and devices.
So much so that we have dedicated a full guide exclusively to it.
Staying safe in the cloud
Whether your small business takes advantage of cloud resources or not, cloud backups can be a great option in addition to physical backups. You can back up your important files away from your computer, in the cloud, where your data is kept on a secure infrastructure.
Cloud backup is fantastic for small businesses as it can be more cost-effective than investing in hard-drives and physical storage. Most of these are affordable and offer flexibility to every kind of business.
IT Security professionals usually plan 3 steps: threat detection, immediate action and long-term defense.
24/7 Monitoring
24/7 monitoring refers to a continuous scan of your IT platform to detect any issue or problem. This kind of service constantly monitors your system, 24 hours a day, 7 days a week. These monitoring services vary according to a business's needs, but they can help business performance. When you outsource your security tasks to an IT company they will take care of things like 24/7 monitoring, threat detection and prevention, leaving you with peace of mind and able to focus on your business.
Threat Hunting
Threat hunting complements 24/7 monitoring by trying to spot weaknesses in your IT platform. This approach reviews daily activity to find anomalies or possible malicious activity that can lead to a breach. Automated monitoring tools can spot most attacks; nevertheless, some attacks can go unnoticed. Threat hunting is an important practice because it can spot those sophisticated attacks and eliminate them before they turn into a bigger problem. It is usually performed by an experienced security analyst using a combination of automated tools and manual methods, with very fine-grained attention to detail.
Managed Detection and Response
Managed detection and response refers to an outsourced service that protects your IT platform beyond the regular protection layers. It includes fundamental security activities such as general cloud security management and firewall fortification, but it also adds threat intelligence and human expertise to investigate an attack. This is advanced security monitoring and usually comes as a range of services depending on business needs.
Implement strong network and workstation controls
Having strong controls will help in mitigating any issues. Make sure your networks are robust and can stand up to unwanted intrusion and attacks, and secure your workstations by following best practices and making use of the recommended software and technology.
Controls that will make a big difference to your cyber security
- Inspect your web application for possible vulnerabilities, for example by working through the OWASP (Open Web Application Security Project) list of Top 10 security risks to web applications.
- Have a properly configured firewall managed by a dedicated resource.
- Apply up-to-date patches to everything, including staff devices.
- Whitelist only the IPs and the devices that should have legitimate access.
- Take advantage of SaaS-based security services, which are usually more cost-effective.
- Use secure cloud-based applications.
- Get a bespoke VPN (virtual private network) so that any remote access is secure.
- Implement a disaster recovery framework that can take over in case of an attack.
- Define policies and permissions for all users on all resources and equipment.
- Apply access controls, so that employees only have access to the information they need.
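The "Data access" section above and the whitelisting and access-control items in this list describe the same decision made on every request: is this user, from this device and location, allowed to do this operation on this data? The Python below is an added example written for this guide, not code from HelpDesk Heroes or any product; the roles, resources, office network, VPN pool and addresses are all constructed to match the accountancy-firm scenario the guide uses. It combines a per-role Create/Read/Update/Delete policy, an IP allowlist and the rule that remote sessions must have passed 2FA, and denies by default so that a missing rule never grants access.

```python
"""Least-privilege access decision for a small office: a request must come
from an allowlisted network, must have passed 2FA unless it is on the office
LAN, and the user's role must permit that CRUD operation on that resource.
Added example; the policy and addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed policy: role -> resource -> permitted operations. Anything not
# listed is denied, so a new role or resource starts with no access at all.
PERMISSIONS = {
    "partner":   {"client_files": {"create", "read", "update", "delete"},
                  "payroll": {"read", "update"}},
    "clerk":     {"client_files": {"create", "read", "update"}},
    "reception": {"client_files": {"read"}},
}

# Constructed allowlist: the office LAN and the company VPN address pool.
OFFICE_NETWORK = ip_network("192.168.10.0/24")
VPN_NETWORK = ip_network("10.8.0.0/24")
ALLOWED_NETWORKS = [OFFICE_NETWORK, VPN_NETWORK]


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    operation: str      # one of: create, read, update, delete
    source_ip: str
    passed_2fa: bool


def is_allowed(req: Request) -> Tuple[bool, str]:
    """Return (decision, reason). Every check must pass; the default is deny."""
    addr = ip_address(req.source_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, f"source {req.source_ip} is not on the allowlist"
    if addr not in OFFICE_NETWORK and not req.passed_2fa:
        return False, "remote access requires 2FA"
    permitted = PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.operation not in permitted:
        return False, f"role {req.role!r} may not {req.operation} {req.resource!r}"
    return True, "permitted"


def audit_line(req: Request) -> str:
    """One log line per decision, so denied attempts are visible to whoever monitors."""
    ok, reason = is_allowed(req)
    verdict = "ALLOW" if ok else "DENY"
    return f"{verdict} user={req.user} role={req.role} op={req.operation} " \
           f"res={req.resource} src={req.source_ip} 2fa={req.passed_2fa} ({reason})"


if __name__ == "__main__":
    # Constructed sample requests covering each rule.
    samples = [
        Request("alice", "partner", "client_files", "delete", "192.168.10.5", False),
        Request("bob", "clerk", "client_files", "delete", "10.8.0.7", True),
        Request("carol", "reception", "client_files", "read", "10.8.0.9", False),
        Request("alice", "partner", "payroll", "read", "203.0.113.9", True),
        Request("bob", "clerk", "client_files", "read", "10.8.0.7", True),
    ]
    for r in samples:
        print(audit_line(r))
```

The order of the checks matters: network and 2FA are evaluated before the role lookup, so a request from outside the allowlist is refused without revealing anything about which roles or resources exist.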
If you don't have any dedicated IT resource in house, it's probably best to consult a cyber security expert.
Be Aware of Malware
Cyberattacks, email phishing and data breaches are happening all the time, so it's important to stay vigilant to new threats. There are always threats and unwanted entities trying to access and attack your systems in different ways. They're constantly evolving, so constant maintenance is vital. Being knowledgeable about the types of threats you may face is always recommended. Know your worms and SSDs from your phishing and ghostware.
You might be thinking, "well this is a total nightmare! I don't have time to get my head around this". Thankfully, there are basic measures you can take to protect your business, as well as outsourcing your IT security to an IT company.
Protect against malware
Malware, or malicious software, is software that can harm your network, and it causes all kinds of problems. The most common type is the virus, created to infect programs and files on your computer. Malware can be enormously destructive, and once it infects a file, that file could be lost forever. We have helped clients over the years who have lost data and suffered severe downtime that could have been prevented with some staff training and tighter procedures. We can't stress it enough: following even the most basic security precautions can be a game changer.
Steps to protect your network against malware
Install a firewall
A firewall acts as a shield between your network and other networks, and is a strong way to prevent malware from spreading in your business. Most computers come with a preinstalled firewall solution, but you can always add an extra secure layer with a hardware firewall or a specialist paid software solution.
Read our ultimate Firewall guide for your business for an in depth look at firewall security.
Encryption
Encryption keeps your data safe if you experience a data breach or if a computer or hard drive is lost or stolen. It scrambles your data so the information cannot be read without an encryption key.
You may already have some level of encryption, depending on which operating system you use. For example, Windows has a built-in encryption tool, so users have basic protection. You can add additional encryption software if you need something stronger and more robust. If you have specific industry compliance requirements, you will also need encryption for email.
When choosing an email solution for your business, in addition to the pro features like unlimited email addresses, email forwarders, auto-responders and webmail software, you should pay attention to the spam protection options and spam filters. These security features will help to protect your communications and also guard against phishing attacks.
Keeping up with your vendors
Most small businesses work with third-party vendors and don't realize the amount of information that they can access. This is an additional security risk, so checking your vendor's security controls is vital. If you are getting quotes from new vendors, make sure you check the following:
Businesses across the board are now also under closer scrutiny than ever before. Clients rely on these firms and their technology and will likely conduct increased due diligence to ensure tightening of their own security processes.
Working from home is the new normal
Whether you are a microbusiness or working remotely within a large company, keeping an eye on your data security and device access is a must. Most small businesses we have worked with here at HelpDesk Heroes have either part-time staff or permanent staff working from home. This means that they are often working on their personal devices and accessing your important business data. Not only do you want to make sure that your data is secure, but you also need to stay in line with the cybersecurity guidelines and best practices to avoid any GDPR (General Data Protection Regulation) fines. Laptops, computers, smartphones and tablets are some of the devices that may contain vital information for your business, so it is necessary to use strong passwords to keep this information away from unauthorised users.
Over the years we have seen the disastrous consequences of overlooking the simplest procedures. Yes we have had a client who had both 123456 and 'password' as their password! Having a comprehensive BYOD policy in place will make such a difference. Taking a 'Zero-Trust' approach is a good idea. Zero-Trust is when you trust nothing and always verify everything related to users and devices. This strategy is becoming more common across the board. This is because attacks on individuals are becoming as common as attacks on businesses. Protecting individual employees against attacks via mobile devices is essential.
While it may seem obvious, it is always best practice to follow these tips:
Activate passwords and encryption software
You should set passwords on all the devices in your business, and strengthen this by using encryption software, such as BitLocker for Windows. By doing this you’ll add an extra layer of protection to your network against unwanted users.
Enable 2FA when possible
If you have important and vital access that you want to protect, an excellent way to do so is by activating Two Factor Authentication (2FA). This requires another way to prove your identity, and you can set your phone number or email for the check. This doesn’t have to be added to all of your accounts, but the important ones with admin privileges must be protected correctly.
Don’t use default passwords
A common mistake is keeping the default password on a device. The problem is that most of these passwords are printed in the manufacturer's manual or shared on the internet. We recommend changing all default passwords to more complex ones before sharing access with your staff, and running regular scans to check whether any default password has been missed.
Use password managers
It is not easy for you or your staff to remember all the passwords, not just their personal ones but also the business ones. That’s why we recommend using password managers. Password managers are an excellent option to keep your passwords at hand and secure. LastPass is an excellent free option we approve of, as is 1Password, with great features and reasonable pricing.
Don’t use predictable passwords
Encourage your staff to stop using simple passwords, and ask them to use more complex ones that no one will be able to guess. IT professionals recommend a short story or situation as a password instead of random numbers or words, for example a short story like “TheCaTstronautLoves3Pizzasaday”. We recommend avoiding anything related to you or your business; the idea is that no one guesses it, not even someone who knows you.
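The default-password and predictable-password advice above can be turned into a check that runs whenever someone sets a password, or during the periodic scan the guide recommends for forgotten default credentials. The Python below is an added example written for this guide, not code from HelpDesk Heroes or from any password manager; the list of weak and vendor-default passwords is a constructed handful (a real deployment would load a full breached-password list), the company and user names are constructed, and the "bits" figure is a rough estimate from length and character variety, not a measure of real-world guessability.

```python
"""Password policy check: rejects known weak or vendor-default values, short
passwords, passwords containing the company or user name, and passwords with
too little variety, while accepting the kind of long passphrase the guide
recommends. Added example; the weak-password list is a constructed sample."""
import math
import re

# Constructed sample of well-known weak and vendor-default passwords.
KNOWN_WEAK = {"123456", "password", "qwerty", "admin", "letmein", "welcome", "changeme"}
MIN_LENGTH = 12
MIN_BITS = 50.0


def estimate_bits(password: str) -> float:
    """Rough strength estimate: length times log2 of the character pool actually used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, forbidden_words=()) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    # "Password1!" is still "password": strip trailing digits/punctuation before matching.
    stem = lowered.rstrip("0123456789!@#$%^&*.")
    if lowered in KNOWN_WEAK or stem in KNOWN_WEAK:
        problems.append("matches a known weak or default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for word in forbidden_words:            # company name, user name, product name
        if word.lower() in lowered:
            problems.append(f"contains {word!r}")
    if estimate_bits(password) < MIN_BITS:
        problems.append("too little variety for its length")
    return problems


def audit_accounts(accounts: dict, forbidden_words=()) -> dict:
    """Map each account whose password fails policy to its list of failures.
    Meant for device/service credentials you hold in clear (e.g. a router or NAS
    inventory); user passwords should be checked at the moment they are set."""
    report = {}
    for name, password in accounts.items():
        problems = check_password(password, forbidden_words)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    # Constructed inventory of device credentials for the periodic scan.
    devices = {
        "office-router": "admin",
        "reception-nas": "Password1!",
        "backup-server": "TheCaTstronautLoves3Pizzasaday",
        "cctv-recorder": "HelpDeskHeroes2024",
    }
    for device, problems in audit_accounts(devices, ["HelpDesk"]).items():
        print(f"{device}: {'; '.join(problems)}")
```

Note that the forbidden-word check uses a substring match, so a company name embedded in the middle of an otherwise long password is still caught; the guide's passphrase passes every rule because its length more than makes up for using only letters and one digit.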
Avoid having unsecured internet connections
With staff working from home or on the go, making sure everyone is using secure internet connections is important, especially when handling sensitive business data.
Enable the tracker device on your company devices
This doesn’t happen a lot, but it is a situation you may face. What happens if someone steals your phone or tablet? In most cases you can write it off and buy a new one, but what if the device held important information?
Staying compliant
The first step toward GDPR compliance is to assess your situation and confirm whether GDPR applies to your organisation and, if so, to what extent. This analysis starts with understanding what data you have and where it is stored. GDPR (The General Data Protection Regulation) regulates the collection, storage, use and sharing of “personal data”. Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. This includes staff and customer databases, emails, forms and correspondence. For full details on GDPR visit the ICO (Information Commissioner’s Office) website.
UK Cyber Security Schemes
There are a number of small business cyber schemes and support options available in the UK. Government schemes such as Cyber Essentials, the UK Government standard, help firms reduce the risk of cyber threats.
However, even with all the right practices and certifications in place, it’s almost impossible for businesses that don’t specialise in IT to keep pace with cyber security developments. So, it’s well worth outsourcing this to an external service provider.
Choosing the right solution
We think your business needs a solution that meets your specific requirements, not one size fits all. Get protection from outside attacks and proactive defense against security breaches.
If you run a small business, let’s say a small accountancy firm with 5 employees, your main priority would be restricting access to vital data to a few staff and creating a backup of it. This way fewer people handle critical information.
Then you can focus on other tasks, such as implementing encryption and setting up antivirus, which are equally important. With a small budget of £350 you can start running this kind of plan.
What happens if you’re hit by a cyber-attack?
Even if you have the latest technology and robust security measures in place, a data breach can still happen. This is why you need to have a well-planned response strategy. It will allow you to take control of the situation, and act as soon as possible. Hopefully minimizing as much negative impact on your business and customers as possible. We have all seen the regular headlines about data breaches in global companies and the NHS having to pay ransoms to hackers. This is a problem that is only getting bigger. Too few businesses and organisations have an up-to-date response plan in place, leaving them less able to mitigate disaster in the event of an attack.
How can cyber insurance help?
Taking out a cyber insurance policy can help by covering you for a data breach and liability. Policies will include cover for a range of situations from ransom payments to system recovery to lost income and any other costs for recovery. With cyber-crime and data leaks on the rise, it's not a case of 'if' your business will be hit, but more a case of 'when'. Getting up to speed on the scale of the threat and how best to protect your systems, will put you into "prepared mode" and keep your business out of the cyber spotlight.
Make a detailed record of all your IT systems
Preparing your information for insurance purposes will help to determine the level of protection you will need. Create a map of all your IT networks, the types, the location of data, access controls, and any additional security practices you have in place.
Communication and training
If your small business has staff in the office or working remotely, keeping everyone trained and updated with the latest tools and security procedures is key. The security and BYOD policies you adopt for your business, need to be effectively communicated to all your staff and team. Review employee access and what they should and shouldn't be doing, as well as the potential repercussions if the security guidelines are not followed correctly. It is a good idea to make your company cyber policy available to all your employees.
Schedule Your Risk assessment
Finally, regular testing should be carried out to identify any new security risks to your network. Once your policy is in place, schedule it for review periodically and provide staff training. Depending on your business, network vulnerability scans can be performed on a weekly, monthly, quarterly, or annual basis. Perform regular stress tests to help identify any issues on your network.
Ready to implement a successful IT security plan in your business?
As you can see from this guide, effective IT security is a complex and multi-faceted issue that requires the right technology and the right policies and processes in place. IT security is formed of several layers of protection, but the principal layer is you and your staff. Train them and yourself well and you will have a rock solid business. Cyber security starts with you and then continues to your staff. This is not a task for one person; it's teamwork. If you are a small business looking to protect your data, you should consider following the steps in this guide to reduce the risk to a minimum. On the other hand, if you need guidance to create a strong IT security plan, the HelpDesk Heroes team can show you the best options for your business. Our team can create an IT security plan tailored to your business, where you can use resources as you want in a secure environment. Protect your business continuity and get comprehensive support, with 24/7 monitoring across networks in your cloud and in your office. We work with leading vendors to deliver advanced cybersecurity software and managed services fit for modern data challenges.
IT Security Solutions
IT services for small business. Have questions or need help? Use the form to reach out and we will be in touch with you as quickly as possible.
Our Happy Clients
We work hard to make sure all our clients are happy.
They don't have to think about their IT, because we do.
"We have been very impressed by the professionalism of HelpDesk Heroes and their dedication to our company. Upon purchasing their services, we were presented with a plan tailored to our structure and needs which includes an overseas office. To this day, HelpDesk Heroes has never let us down and, despite our constantly changing needs, we feel supported and cared for by our dedicated HelpDesk Heroes team, especially Josh and Jackye."
Cindy Richards
Rylan Peters & Small Publishing
"Having been happily looked after by one of HelpDesk Heroes’ founders Jackye for over ten years, it only made sense to follow when we heard the news of their new company – we wouldn’t go anywhere else! I would gladly recommend their IT support services. They are extremely flexible with our team, our enquiries and always respond in no time if we do have an urgent problem. They understand our core needs almost as if they are a part of the team itself so continue to improve and enhance the way we work and function. It has been refreshing to have the IT support and solutions thought about overall and not just ‘patched’ when things have gone wrong."
Gulsen Yanik
Big Al’s Creative Emporium Advertising Agency