True North Networks Blog
5 tips for businesses on Safer Internet Day
Safer Internet Day is here!
Note that it’s more than just One Safe Internet Day, where you spend 24 hours taking security seriously, only to fall back on bad habits the day after.
As the old saying goes, “Cybersecurity is a journey, not a destination,” and that’s why we have SAFER internet day – it’s all about getting BETTER at cybersecurity, no matter how safe you think you are already.
So here are five things you can do in your business, regardless of its size, to help you and your colleagues keep ahead of the cybercrooks.
1. Patch early, patch often
We’ve won part of this battle already, because most businesses these days do install security patches.
At least, they install updates eventually. But there are still many organisations out there that take their time about it, putting off updates for weeks or even months “in case something goes wrong”.
The problem is that once crooks know about new security holes, they don’t put off using them – so the longer you lag behind, the more vulnerable your business becomes. Learn how to test updates quickly – you can start with one computer and make notes from there – and have a plan for rolling back in the rare event that something does go wrong.
2. Know what you've got
Whether you call it an asset register, an IT inventory, or just a plain old list of computers and software you’re using, make an effort to know what’s on your network – even if you’re a small company where everyone works remotely from home.
It’s good to be able to say, “We have 10 laptops and I’ve upgraded them all from Windows 7 to Windows 10.” But it’s much better also to be able to say, “And I found an old XP computer down in the storeroom that everyone had forgotten about, and I’ve upgraded that one, too.”
Cybercrooks go looking for old, unloved, unpatched computers, because they know that they could be easy stepping stones to bigger things.
3. Set up a security hotline
Even the tiniest business can do this: make it easy for your users to report things that don’t look right. You don’t need a dedicated phone number or a call centre – an easy-to-remember email address might be all you need.
If your users don’t have anywhere to report common cybercrime precursors such as dodgy emails, suspicious phone calls or unsolicited attachments, then the only thing you can be sure of is that you are never going to get an early warning that could protect your business.
Remember that cybercrooks often fail at their first attempt, which is why they typically send phishing emails to many different recipients, or call round every company phone number they can find until someone makes a mistake and says or does something they shouldn’t. Make it easy for the first person to raise the alarm and thereby protect everyone else.
4. Revisit your backup strategy
As with patching, this is a battle that we’ve won in part: many companies do know that backups are important, and make at least some effort to keep secondary copies of vital data. But be very careful that you aren’t wasting time making backups that won’t be much use.
It’s easy to rely entirely on real-time backups where files automatically get copied “live” onto network shares or into the cloud whenever they’re changed. But today’s cybercriminals often take the time to search-and-destroy your online backups before unleashing their attacks.
Make sure your strategy also includes backups that you keep offline and offsite, even if that’s as simple as an encrypted, removable drive kept at home. Backups aren’t just there to protect against ransomware attacks – they’re also about disaster recovery if you can’t get into your business premises at all, for example because of fire or flood.
5. Pick proper passwords
We left this advice until last, because lots of people seem to take offence if we lead with it – mainly because it sounds so old and obvious that they’re tired of hearing it.
But we’re saying it anyway.
Remember that “proper passwords” don’t just mean not using your cat’s name every time. In a business, it also means knowing who’s supposed to have access to what; it means promptly cancelling accounts when employees leave; and it means encouraging your staff to let you know (see point 3!) if their password lets them see data they shouldn’t, so you can reduce the risk of a data breach.