
Protect your passwords as you would your door key

Over the last couple of weeks we’ve been releasing a weekly blog that breaks down a section of the National Cyber Security Centre’s (NCSC) Small Business Guide. The guide is split into five key areas and contains easy steps that could save time, money and even your business’ reputation if followed. The guide can’t guarantee protection from every type of cyber-attack, but the steps outlined below can significantly reduce the chances of your business becoming a victim of cybercrime.


So far we have looked at the importance of backing up your data, how to protect your organisation from malware, and keeping your smartphones and tablets safe. Next up is using passwords to protect your data. The NCSC’s five steps on this topic are set out below:


Your laptops, computers, tablets and smartphones will contain a lot of your own business-critical data, the personal information of your customers, and also details of the online accounts that you access. It is essential that this data is available to you, but not available to unauthorised users.


Passwords - when implemented correctly - are a free, easy and effective way to prevent unauthorised users accessing your devices. This section outlines 5 things to keep in mind when using passwords.


1 - Make sure you switch on password protection


Set a screen-lock password, PIN or other authentication method (such as fingerprint or face unlock). The NCSC blog has some good advice on passwords. If you mostly use fingerprint or face unlock you will be entering the password itself less often, so it can afford to be a long one that is difficult to guess.


Having said this, password protection is not just for smartphones and tablets. Make sure that your office equipment (laptops and PCs) uses a full-disk encryption product in order to start up: BitLocker on Windows, configured to use the Trusted Platform Module (TPM) together with a PIN, or FileVault on macOS. The PIN matters: with a TPM alone the disk is unlocked automatically at boot, so a thief who takes the laptop is only held back by the operating system’s login screen, whereas a machine that requires a PIN as well will not even start without it. Most modern devices have encryption built in, but it may still need to be turned on and configured, so check that you have set it up.


2 - Use 2-step verification for your accounts

If you’re given the option to use 2-step verification (also known as 2SV) for any of your accounts, you should do; it adds a large amount of security for not much extra effort.


2SV requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method. This could be a code sent to your smartphone, a code generated by an authenticator app or a bank's card reader, or a physical security key, which you must present in addition to your password. A code sent by text message is the weakest of these, because text messages can be intercepted or redirected to another SIM, but any second step is a large improvement on a password alone.


3 – Avoid using predictable passwords

If you are in charge of IT policies within your organisation, make sure staff are given actionable information on setting passwords that is easy for them to understand.

Passwords should be easy to remember, but hard for somebody else to guess. A good rule is 'make sure that somebody who knows you well couldn't guess your password in 20 attempts'. Staff should also avoid the most common passwords, which criminals try first precisely because so many people use them. The NCSC has some useful advice on how to choose a non-predictable password.


Remember that your IT systems should not require staff to share accounts or passwords to get their job done. Make sure that every user has their own account on the systems they need, and that the level of access given is always the lowest needed to do their job. A shared account cannot be tied back to one person when something goes wrong, and a shared password has to be changed every time somebody leaves.
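As an added illustration of the 'hard for somebody else to guess' rule in step 3 (this is example code, not the SECRC's or the NCSC's), the check below rejects passwords that are too short, that appear on a common-password deny-list even after the usual 'P@ssw0rd123' disguises are stripped, or that contain the user's own name or the organisation's name. The deny-list, the organisation name 'Acme Widgets' and the username 'alice' are constructed for illustration; a real deployment would load a published list of the most common passwords in place of COMMON_PASSWORDS.

```python
"""Added example, not code from the SECRC post or the NCSC guide: a password
acceptability check applying the 'hard for somebody else to guess' rule.
The deny-list, organisation name and usernames are constructed for illustration."""
import re

# Constructed sample of a common-password deny-list (illustrative only); a real
# deployment would load a published list with tens of thousands of entries.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "111111", "letmein",
    "abc123", "iloveyou", "admin", "welcome", "monkey", "dragon", "football",
}

MIN_LENGTH = 12      # a length floor, not composition rules, is what the guidance favours
MIN_DISTINCT = 5     # 'aaaaaaaaaaaa' is long but trivially guessable

# Undo the substitutions people use to sneak a banned word past a checker.
_SUBS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i", "|": "l"})


def _variants(pw: str) -> set[str]:
    """Forms in which a password is compared against the deny-list: as typed
    (lower-cased), with trailing digits/symbols dropped ('password123' ->
    'password'), and with leet substitutions reversed ('P@ssw0rd' -> 'password')."""
    low = pw.lower()
    core = re.sub(r"[^a-z]+$", "", low)
    return {low, core, core.translate(_SUBS)}


def _personal_tokens(*names: str) -> set[str]:
    """Words of four or more characters taken from the user's name and the
    organisation's name: what 'somebody who knows you well' would try first."""
    tokens = set()
    for name in names:
        for tok in re.split(r"[^a-z0-9]+", name.lower()):
            if len(tok) >= 4:
                tokens.add(tok)
    return tokens


def check_password(pw: str, username: str = "", org_name: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means it is acceptable."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(set(pw)) < MIN_DISTINCT:
        reasons.append("low_variety")
    variants = _variants(pw)
    if variants & COMMON_PASSWORDS:
        reasons.append("common")
    personal = _personal_tokens(username, org_name)
    if any(tok in v for tok in personal for v in variants):
        reasons.append("personal")
    return reasons


if __name__ == "__main__":
    # Constructed candidates checked for the hypothetical user 'alice' at 'Acme Widgets'.
    for candidate in ["P@ssw0rd2024", "AcmeWidgets2024!", "Tr0ub4dor&3",
                      "aaaaaaaaaaaa1", "correct horse battery staple"]:
        verdict = check_password(candidate, "alice", "Acme Widgets") or "OK"
        print(f"{candidate!r:32} -> {verdict}")
```

Note that the checker deliberately has no 'must contain a symbol and a digit' rule: 'P@ssw0rd2024' satisfies every composition rule and is still rejected, while a long phrase of ordinary words passes.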


4 - Help your staff cope with 'password overload'

If you're in charge of how passwords are used in your organisation, there are a number of things you can do that will improve security. Most importantly, remember that your staff will have dozens of non-work passwords to remember as well, so only enforce password access to a service if you really need to. Where you do use passwords to access a service, do not enforce regular password changes: forced expiry pushes people towards predictable variations of the old password, and it offers little benefit, since an attacker who has obtained a password will use it straight away. Passwords only need to be changed when you suspect the credentials have been compromised.


You should also provide secure storage so staff can write down passwords for important accounts (such as email and banking), and keep them safe (but not with the device itself). Staff will forget passwords, so make sure they can reset their own passwords easily.

Consider using password managers, which are tools that can create and store passwords for you that you access via a 'master' password. Since the master password is protecting all of your other passwords, make sure it’s a strong one, for example by using three random words.
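To show what 'three random words' means in practice, and why the size of the word list matters, here is an added example (not code from the SECRC post or the NCSC guide) that picks the words with the operating system's cryptographic random number generator and works out the resulting strength in bits. The SAMPLE_WORDS list is a constructed stand-in: a real generator needs a list of several thousand words.

```python
"""Added example, not code from the SECRC post or the NCSC guide: generating a
'three random words' master password and estimating its strength. SAMPLE_WORDS
is a constructed, deliberately tiny list used only to illustrate the arithmetic."""
import math
import secrets

# Constructed sample list (24 words); see min_list_size() for why a real list must be far larger.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dolphin", "engine", "forest", "garden", "harbour",
    "island", "jigsaw", "kettle", "lantern", "meadow", "needle", "orange", "pebble",
    "quarry", "rocket", "saddle", "tunnel", "umbrella", "velvet", "window", "yellow",
]


def three_random_words(words, count=3, sep="-"):
    """Pick `count` words uniformly at random using the OS CSPRNG.
    secrets.choice, not random.choice: the random module is predictable and
    must never be used for anything that protects an account."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count=3):
    """Strength of `count` independent uniform picks from `list_size` words:
    list_size ** count possible passwords, i.e. count * log2(list_size) bits."""
    return count * math.log2(list_size)


def min_list_size(target_bits, count=3):
    """Smallest word list that yields at least `target_bits` from `count` words."""
    return math.ceil(2 ** (target_bits / count))


if __name__ == "__main__":
    print(f"master password: {three_random_words(SAMPLE_WORDS)}")
    for n in (len(SAMPLE_WORDS), 4096, 7776):
        print(f"{n:>5} words, 3 picked: {entropy_bits(n):.1f} bits")
    print(f"list size needed for 40 bits from 3 words: {min_list_size(40)}")
```

Three words from the 24-word sample give under 14 bits, which a laptop can exhaust in moments; three words from a 7776-word list give about 38.8 bits, and a list of just over 10,000 words is needed to pass 40 bits. That is why password managers and the NCSC point to long word lists, and why the words must be chosen at random rather than by the user.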


5 - Change all default passwords

One of the most common mistakes is not changing the manufacturer's default passwords that smartphones, laptops, routers and other equipment are issued with. These defaults are printed in manuals and easy to find online, so they offer no real protection. Change all default passwords before devices are distributed to staff, and regularly check devices (and software) specifically to detect any default passwords that have not been changed.


How does The South East Cyber Resilience Centre work with SMEs to tackle the threat posed by cybercrime?

We provide many free resources designed to improve your online security, from checklists to incident response templates; there's something for everyone. Get yours today and receive our FREE welcome pack here: https://www.secrc.police.uk/free-information-pack


We hope this will be useful for you but if you have any further questions or would like to know how we can help your business, please get in touch.
