Cyber-security checklist

With cyber attacks on the rise, firms are advised to be extra vigilant by taking these straightforward steps.

“Whether you’re a team operating out of an office or an individual working from home, cyber security is an issue that every business should prioritise. It simply comes down to being prepared – and there are several steps that businesses should take to arm themselves against threats.”

Step 1: Focus your efforts

Plan in advance and establish where you’re most likely to face risks, so that you can target your efforts more efficiently. “Conduct a security audit: identifying your business’s security strengths, weaknesses and opportunities for improvements will provide a good foundation for your future decision-making process on appropriate technology and other measures,” advises David Emm, principal security researcher at Kaspersky Lab.

David Olsson, managing director of IT outsourcing firm Soitron UK, adds: “All businesses will have different requirements, but the first step is really to identify your pain points and where your business might be most at risk. For most companies, these risks will either sit with your customers, employees, suppliers or your assets.”

Step 2: Identify your users

Businesses should always be clear about who’s using their networks, says cyber-security adviser Vince Warrington. “Every single employee, contractor, temporary staff member or even someone on work experience needs to have unique access to your network, easily identifiable as themselves,” Warrington says. “Don’t allow generic usernames like ‘temp’ or ‘admin’, and make sure everyone uses a good password – the National Cyber Security Centre recommends using three or four non-related words as a good password that’s easy for people to remember – ‘BeddingSunglassesPictureToast’ is much easier to recall than ‘HSVjpy43mxw8z5!!’, and harder for a hacker to crack than ‘Password123’.”

Step 3: Educate your staff

Warrington says: “You might hear various security vendors saying things like ‘Users are the weakest link’, but they can be your greatest asset in defending against cyber attacks. Don’t just rely on a once-a-year, 10-minute online course – although they do have their place – but instead think of it as education, not training.

“You need to be constantly making your staff aware of what cyber-security risks are out there. Did you avoid being hit by WannaCry? Good, but did you then send a message to your staff saying: ‘You’ve seen the news. We’re protected, but this is why we ask you not to open attachments or click on links in emails’? A constant drip feed of information goes a long way – and don’t be afraid to use humour in your communications, or a reward system for good security behaviours.”

Step 4: Protect your customer data

The General Data Protection Regulation (GDPR), which came into force in 2018, puts firms under increased pressure to take more care when looking after customer data; those that fail to do so may face a fine. “Businesses have to look more closely at their information security strategy and consider the impact of a catastrophic loss of data,” says Olsson.

“Programmes that haven’t been updated are one of the key means that cybercriminals use to hack businesses.” – David Emm, principal security researcher at Kaspersky Lab

“Businesses need a plan in place to restore their whole IT infrastructure, which could take months to recover following a cyber attack. Most important here is to limit the possibilities for damage before it occurs.”

Step 5: Be aware of the email threat

“By far the largest proportion of successful cyber attacks on businesses start with an email received by the organisation being targeted,” says Bruce Penson of computer support services Pro Drive IT. “This will usually contain either a link or use some other form of trickery – known as social engineering – to convince the end user to either click on the link or disclose their username and password. These fraudulent emails were found to account for over 75% of breaches in a 2018 survey by the British government.”

Penson says that businesses should consider sending simulated fraudulent emails to their staff. “If a member of staff accidentally clicks on a link or discloses their username and password, they will receive a message explaining what they’re doing along with a short training video,” he says. “This has two outcomes: firstly, staff will be more aware of what a fraudulent email looks like. Secondly, when staff know a campaign is in progress, they will not want to be the person who’s caught out and so they will naturally be more aware of email fraud.”

Step 6: Keep your software up to date

“Programmes that haven’t been updated are one of the key means that cybercriminals use to hack businesses,” Emm says. “Apply updates to your operating systems and applications as soon as they become available, and switch on automatic updates where this is available.”

Warrington adds: “Make sure whoever is responsible for your computer network is on top of patching [installing updates that fix problems in] systems, and remember that patching could mean downtime for systems. But it’s better to have your network offline for a short period of time while patching takes place, than it is to have it completely unavailable through a cyber attack, or to find out that your customer database has been stolen because a security hole wasn’t patched.”

Step 7: Plan your response

“The most important thing for SMEs to remember is that even the biggest companies fall victim to attacks,” says Mike Johnson, chief technology officer at online web creator Website Builder Expert. “While it might not be avoidable, you can have a robust strategy for what to do if it does happen. Develop a plan for who will be responsible for what, should an attack occur, and remember customers trust you when you are honest. So if you do fall victim to an attack, let your customers know and reassure them about what you’re doing to fix it.”

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
