Welcome to data protection tips for SMEs. This post clarifies some of the essential steps you can be taking, even as a sole trader, to ensure you and your data (as well as the information you hold on others) are kept as safe as possible.
Out of the Box
Most of your devices will come with bog-standard passwords and administration profiles, useful apps (applications) and other setup processes already preinstalled.
Whilst that is fine if all you’ll be using the device for is homework and texting your friends, the chances are you’ll want to use your shiny new laptop, tablet or smartphone for something, well, smarter.
Therefore, it is important not to just go rolling out into the big bad world without at least resetting passwords and factory settings to something unique to you.
It’s also a good idea to check the settings for remote wipe and remote anti-theft security. Most smartphones will have this type of feature in the settings. Resist the urge to install all your favourite apps and start surfing until you have read the manual and enabled these settings!
Our advice: use the antivirus software! Accept the regular updates that pop up on your screen, install them – or better still, enable the automatic update function. Obviously, set it for a time or day when this will cause you least disruption. Write it in your diary or schedule, and when it happens, use the excuse to stretch your legs.
These updates contain vital patches to try to keep up with the latest nasties that could slip through your defences. Let your device reset or shut down regularly, and don’t let the software lapse. You might not notice any difference after the patches install, but that’s usually the point – the protection runs in the background, along with all the other processes.
Free antivirus software, such as Windows Defender, will likely come with most laptops, and you can upgrade to the likes of AVG, Norton and McAfee for not very much money.
Alternatively, if you store a lot of sensitive information, or if you have multiple devices in your business, consider additional steps and look at a higher priced cyber security solution on an enterprise plan. Often (like everything in life) you will get what you pay for, but there are some very good providers out there if you can be bothered to do a bit of homework.
Weigh up the risks to your business and the potential loss of revenue against security. Better to be safe than sorry, and most cyber security incidents are preventable.
Firewalls and Secure Connections
A firewall or secure internet gateway is your first line of defence. Don’t ever connect to the internet without one – that goes for all your devices. If you spend time mobile and using free wi-fi in coffee shops and other public locations, even the standard firewalls may not be enough.
SSL certificates carry the cryptographic keys a website uses to prove its identity and set up a secure, encrypted connection with your browser. You can check that the website you are visiting has a security certificate by looking at the URL address bar: this is usually denoted by an ‘s’ after the ‘http’ in the web address and a padlock sign. Bear in mind that the padlock tells you the connection is encrypted, not that the business behind the site is trustworthy.
You could add to your security by installing a VPN (Virtual Private Network), which creates a secure gate between your device and the network you are connecting to. This is also useful if you use your devices to log into corporate or client wi-fi, as it protects both ways.
Again, there are free versions and paid versions – check the credentials, ask for recommendations, and don’t be afraid to switch if you find something better.
Think of passwords like underpants – don’t use skimpy ones. Don’t be lazy and go without them (despite your personal wardrobe preferences).
Don’t share them. Don’t ask your employees to share them, and make sure you update and change them regularly. How often you do that is up to you, but remember if you make IT security something onerous that people don’t see the point in, they get lazy and bypass the rules.
Don’t use the same ones in different places – keep them fresh and unique for each use. Don’t leave them out where people can see them, on screens, under keyboards or in drawers… Ok, enough with the underwear analogy, but you get the point.
Password Manager Software
It’s really important not to use the same password across multiple sites, logins, applications and accounts. We cannot stress this enough. It’s like using the same key to get into your house, your garage, your car, your ATM and your office.
Imagine if you lost that key? Or how secure is it if you share it with someone, or give them a copy? You wouldn’t do it – so don’t do it with your passwords.
You could try using a password manager, which is a software application that generates and retrieves passwords that are complex and constantly changing, on demand. This software manages access to all sorts of applications that you might log into, so it can be a useful way of freeing up brain cells that strain when trying to remember multiple different logins.
Passcodes Are Safer
Alternatively, you can use passcodes, and make them unique to the different logins. For example, for your bank account you could use ‘RonnieBiggs1963’, for your grocery account you can use ‘MyCupb0ardsAreBare’, for your email you could use ‘RandomChattering!’ and so on.
Using something that is memorable and unique makes it far more secure, and by adding numbers and special characters you can up this security. At a recent cyber security event hosted we learned some amazing facts about how quickly computer systems can crack passwords. And we’ve all seen how quickly Google searches return our search strings.
Another area where SMEs (and big businesses too) are vulnerable is Administrator profiles. We all have them – in sole trader businesses you probably don’t even realise that you set up as a default system administrator when you first took the laptop out of the box.
The same goes for micro businesses upwards: you are most likely using the default administrator login for each of your devices. Only when your business is large enough for its own IT team do you find that system administrator profiles and access become more restricted.
To use the key analogy from our earlier section, this is like using a master key for everything all the time – the only reason you’d do that is convenience (or laziness), not security!
Take a leaf out of the books of larger companies – use separate profiles for everyday use of your laptops and desktop machines, and save the system administrator profiles for use only when you need to make essential changes. Any added hassle created by this is more than outweighed by the added level of security.
Take Your Security Seriously
If you take your security seriously, so will your employees, and others who you do business with. Your partners and suppliers will respect you for it, your customers will trust you more (and trust is a key concept on which all SMEs trade).
Most importantly, you need to understand that security for your systems and the information you hold is not a static thing. The world of technology moves forward in leaps and bounds, and cyber threats are always moving at the same pace.
Make time to regularly review your processes and procedures and (after GDPR) your policies. Make sure your staff and trading partners are aware that security is on your priorities list. Do this religiously, the same as you (hopefully) do your annual taxes!
Talk about it, involve people, explain it, and constantly assess your business with security in mind, for both seen and unseen threats.
Lastly, once you have put all your security in place, make sure you add cyber insurance to your budget. Many brokers and providers have specialist packages available even for sole traders and small businesses. We have said it before, and we will say it again – with security, it is always better safe than sorry!
Sphere Data Protection can support SMEs with their data protection needs, providing relevant and practical guidance.