Having the right policies and procedures in place is essential in this connected world.

While organisations differ according to the work that they do, this page provides some practical guidance, focused mainly on the smaller business, but with principles applicable to all.

1. Back up your data

The loss of business-critical data will have a major impact on any organisation. This need not come from a cyber-attack; hardware or software failure can cause it just as easily. Mitigating the risk by maintaining back-ups of critical data is an essential first step.

You should:

  • Identify the data that you need to back up
  • Keep your back-ups separate from your IT systems, so that an incident affecting your systems does not also affect the copies
  • Consider the use of cloud services to store back-ups, having first understood the security measures of your cloud provider
  • Make back-ups a regular part of your daily procedures.

2. Malware protection

Malicious software (also known as 'malware') is software that can harm your organisation, for example by infecting legitimate software. Recovery from a malware attack can be a tortuous process.

You should:

  • Install (and turn on) anti-virus software
  • Ensure that your IT procedures restrict the installation of software, for example by limiting who holds Administrator rights
  • Keep your IT systems up to date by applying patches issued by software developers and hardware suppliers as they become available
  • Plan to replace software and hardware that is no longer supported by manufacturers
  • Switch on your firewall; most popular operating systems include a firewall, so make sure that it is switched on.

3. Protect smartphones and tablets

We increasingly rely on mobile technology in business. Here are a few steps to protect your mobile assets.

You should:

  • Switch on password protection
  • Make sure lost or stolen devices can be tracked, locked and wiped
  • Keep your devices up to date by applying operating system updates
  • Keep your apps up to date
  • Don't use unknown Wi-Fi hotspots.

4. Use passwords

Passwords, when used correctly, are an effective way to prevent unauthorised access to devices and networks.

You should:

  • Make sure that you switch on password protection
  • Use two-factor authentication for 'important' accounts
  • Avoid using predictable passwords
  • Change default passwords; these are easily attacked. Regularly review your devices to confirm that none still has a default password.

5. Prepare for phishing attacks

Phishing emails (fake e-mails sent to thousands of individuals) are becoming more sophisticated. Every organisation will receive them, and you should be aware that you cannot expect your users alone to protect your organisation.

You should:

  • Configure accounts to reduce the impact of successful attacks by giving users the lowest level of privilege in each application that they need to perform their jobs
  • Educate your staff to spot requests that are out of the ordinary and, should they receive one, to know what to do about it
  • Check for the obvious signs of phishing. Whilst the e-mails are becoming more sophisticated, there are still pointers such as incorrect or inappropriate email addresses and poorly structured messages. If it is too good to be true, it probably is
  • Encourage staff to report all attacks. Attacks are unavoidable and nobody's fault, and knowing that you have been attacked enables you to manage the recovery.

If you are uncertain about any element of cyber security and how it impacts your organisation, then consult an expert. Do not leave it to chance.