Numerous online businesses faced huge disruption this week as a major internet outage sent them offline. The cause was traced to Fastly, a cloud computing provider, which reported that a service configuration change had led to the disruption. Whilst the outage was not caused by a malicious cyber attack, it serves as a reminder to businesses of the disruption that follows when the systems they depend on stop working, whether through error or through compromise.
Cyber attacks that compromise your business’s systems could ultimately lead to the loss of sensitive information, fraudulent activity or even personal data breaches, which could have serious financial and legal implications for your business. According to the Government, 38% of small businesses were the victims of a cyber breach or attack over the last year, with those leading to the loss of data or assets costing small businesses on average £8,170. What’s more, if a cyber attack leads to a personal data breach and you fail to comply with your UK GDPR obligations when that breach occurs, you could receive fines of up to £8.7 million or 2% of your annual turnover, whichever is higher.
The National Cyber Security Centre (NCSC) recently updated its guidance for small businesses and we’ve highlighted below some key steps and resources to help your business build its cyber resilience.
Steps to take to protect your business from cyber attacks
1. Secure your devices
It’s important to protect your devices from malware (malicious software or web content that can infect your software and harm your business). Steps to take include:
- ensuring that you have suitable, up-to-date antivirus software installed and turned on across all business devices
- keeping all equipment, software, mobile phones and apps maintained and updated, so that known security flaws are patched promptly
- preventing staff from downloading apps or other products from unknown sources, and switching on filtering at your internet gateway to prevent staff from accessing unsafe websites or other online services
- switching on your boundary firewalls
- controlling the use of USB drives and memory cards
- only using administrator accounts where strictly necessary, as an attack such as phishing is far more damaging if the credentials captured belong to an administrator account rather than a standard user account
2. Don’t forget about remote working devices and systems!
There’s a greater threat posed when devices are taken out of the workplace, or when your systems are accessed remotely, so make sure you’ve taken steps to secure them. This includes ensuring that remote devices have encryption turned on and a PIN or password set, and that you know how to remotely lock access to them and/or erase or retrieve the data stored on them if they are lost or stolen. Remote working systems should also be kept up to date with the most recent security patches, with their firewalls switched on. For more guidance about steps to take when your staff are working remotely, see our Q&A on Staff working from home.
3. Make regular backups
This is crucial. If your important data is backed up, you won’t lose it if your devices are lost or stolen, or if your business is the victim of a ransomware attack (which makes your data or systems unavailable until you pay a ransom). Any backups should have strict security measures in place (eg you should consider restricting access to certain members of staff) and should be kept separately from the original copy, ideally offline or somewhere your day-to-day systems cannot write to, so that ransomware which encrypts your live files cannot reach the backups as well. You should also check periodically that you can actually restore from a backup; a copy that has never been read back cannot be relied on. Cloud services can be a cost-effective and efficient way to automatically back up your files, making it part of your day-to-day operations.
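As an added illustration of the three properties above (a copy kept somewhere separate, access restricted, and the copy verified), the following POSIX shell script is example code written for this page and is not part of the NCSC guidance. The function names `make_backup` and `verify_backup`, the destination path (assumed to be a removable drive or other location you disconnect afterwards) and the sample data are all assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not from the original guidance. Backs up one directory into a
# separate location (e.g. a removable drive you unplug afterwards), makes the
# archive readable only by its owner, records a checksum, and verifies the copy.
# Function names, paths and sample data are assumptions for the illustration.
set -eu

# make_backup SRC_DIR DEST_DIR
# Creates DEST_DIR/<name>-<timestamp>.tar.gz plus a .sha256 file and prints the
# archive path. umask 077 means every file created here is owner-only (0600),
# which is the "restrict access" part of the advice.
make_backup() {
    src="$1"
    dest="$2"
    name="$(basename "$src")"
    archive="$dest/$name-$(date +%Y%m%d-%H%M%S).tar.gz"
    umask 077
    mkdir -p "$dest"
    tar -czf "$archive" -C "$(dirname "$src")" "$name"
    # Checksum stored next to the archive, recorded by basename so it still
    # verifies when the drive is mounted somewhere else later.
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
# Returns 0 only if the recorded checksum still matches and the archive lists
# cleanly; a backup you have never read back is not one you can rely on.
verify_backup() {
    archive="$1"
    dir="$(dirname "$archive")"
    base="$(basename "$archive")"
    (cd "$dir" && sha256sum -c --quiet "$base.sha256" > /dev/null 2>&1) || return 1
    tar -tzf "$archive" > /dev/null 2>&1 || return 1
    return 0
}

# Usage: backup.sh SRC_DIR DEST_DIR
if [ "$#" -eq 2 ]; then
    archive="$(make_backup "$1" "$2")"
    if verify_backup "$archive"; then
        printf 'backup ok: %s\n' "$archive"
    else
        printf 'backup FAILED verification: %s\n' "$archive" >&2
        exit 1
    fi
fi
```

Run it as `sh backup.sh /path/to/company-data /mnt/backup-drive`, then disconnect the drive: an archive that is only ever mounted while a backup is being written is out of reach of ransomware running on the live machine. The checksum file is what lets you detect later that a copy has been altered or corrupted before you need it in a real restore.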
4. Put in place robust internal policies
Individuals are a key target of cyber crime, so it’s important that you’ve put in place robust internal policies so that your staff members understand your internal procedures and what their responsibilities are when it comes to cyber security. Whilst you’re not under a strict legal requirement to have specific policies in place, it is best practice and can help you to reinforce cyber security within your business. Consider the following as a starting point (you can also access templates for all of these policies and more in our Remote working and cybersecurity toolkit):
a) An IT and equipment use policy
This will typically set out what your business’s general rules are to ensure the security of IT equipment used by your staff, including requirements as to passwords and the physical security of devices.
b) A Bring your own device (BYOD) policy
This will help to ensure that appropriate security measures are taken by your staff when they are using their personal devices for work purposes, such as ensuring that any third party data is kept securely and confidentially at all times.
c) A Working from home policy
This typically sets out what your expectations are on staff when they are working from home, including in relation to data security and confidentiality.
d) A Data protection policy
This sets out what duties your staff are under to ensure that personal data is handled securely at all times.
e) A Personal data breach policy
This will set out your business’s response plan in the event that a personal data breach occurs (eg following a cyber attack) as well as steps your business plans on taking to prevent such breaches occurring.
5. Train your staff
When it comes to cyber security, it’s a good idea to provide training to your staff. Not only will this remind them of your policies and procedures, but you can also help them to understand what they should be looking out for (eg how to spot a phishing email) and what they should do, and who they should tell, if they think your business has been the victim of a cyber attack. Prompt internal reporting is particularly important if the attack may have led to a personal data breach, because in some circumstances you must notify the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach. See our Q&A for further guidance about data breaches.
It’s important to remember that if your business handles any personal data, you are under a legal obligation to process it securely at all times. For further guidance about what steps you should take to ensure the security of your data, see our Q&A on Secure data storage.