Ensure that staff know how to identify and report phishing emails and security issues in general. Ensure staff know how to respond to such incidents and who to notify. Have a process in place to deal with any reported phishing emails.
General advice is to make sure all software is kept up to date. The first challenge is therefore to define 'all'. Take a fresh look at what systems and software you have on computers, routers, switches, appliances, telephony, UPS, door entry systems, printers, the lot. And don't forget the smart TV in the boardroom. Check that there are effective procedures for identifying new security patches as they are released, and then apply them in an automated, controlled manner. Make sure that automatic updates are switched on and make sure that all devices are patched and checked regularly for vulnerabilities.
Check antivirus software is installed, active and up to date on all devices.
Increasingly people are working from home or on personal devices – don’t share devices or passwords.
Make sure your important data can be recovered. This should be tested on a regular basis.
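A restore test is only meaningful if you can tell whether what came back matches what went in. The following is an added example, not from the original page: it records a SHA-256 manifest of the files at backup time and then compares a restored copy against it, reporting files that are missing, corrupt, or unexpected. The directory layout and file contents are constructed for the demonstration.

```python
# Added example: verify that a backup can actually be restored by comparing
# a manifest of SHA-256 hashes taken at backup time against a restored copy.
# Illustrative code written for this page; the sample files are constructed.
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX-style) to its digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the files missing from the restore, those whose contents differ
    (corrupt), and those present in the restore but absent from the manifest.
    """
    restored = build_manifest(restored_root)
    missing = sorted(f for f in manifest if f not in restored)
    corrupt = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    unexpected = sorted(f for f in restored if f not in manifest)
    return {"missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up a small tree, then 'restore' it with one
    file damaged and one file missing, and report what verification finds."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restore = Path(tmp) / "restore"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (source / "policy.txt").write_text("Incident plan v1\n")
        (source / "notes.txt").write_text("meeting notes\n")
        manifest = build_manifest(source)

        # Simulated restore: one file intact, one truncated, one never restored.
        (restore / "finance").mkdir(parents=True)
        (restore / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (restore / "policy.txt").write_text("Incident plan v1 TRUNCATED")
        return verify_restore(manifest, restore)


if __name__ == "__main__":
    for finding, files in demo().items():
        print(f"{finding}: {files}")
```

Store the manifest somewhere separate from the backup itself (a damaged backup that carries its own manifest can still "verify"), and run the comparison against a restore performed exactly the way you would in a real incident, on a schedule.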
Have an incident plan and keep it safe. Make sure key staff have a hard-copy version of this plan. Do staff know what to do in the event of a breach? The incident response plan also needs to be tested using a simulation exercise.
Who has access to your data? People should only have the privileges they need to do their job and leavers’ accounts should be removed.
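Answering "who has access?" in practice means comparing what accounts exist and what they can do against what HR says the person's job needs. The following is an added example, not from the original page: a small access review over constructed data that flags accounts belonging to leavers, accounts holding more than their role's baseline, and staff with no account at all. The role names and privilege baseline are assumptions made for the example.

```python
# Added example: a joiners/movers/leavers style access review over constructed
# data. Illustrative code written for this page; roles, privileges and names
# are assumptions, not taken from the page.
from __future__ import annotations

# Assumed privilege baseline per role: the most an account in that role should hold.
ROLE_PRIVILEGES: dict[str, set[str]] = {
    "finance": {"email", "finance-share"},
    "sales": {"email", "crm"},
    "it-admin": {"email", "finance-share", "crm", "domain-admin"},
}

# Constructed HR export: people currently employed and their role.
CURRENT_STAFF: dict[str, str] = {
    "alice": "finance",
    "bob": "sales",
    "carol": "it-admin",
}

# Constructed account export: username -> privileges actually granted.
ACCOUNTS: dict[str, set[str]] = {
    "alice": {"email", "finance-share"},
    "bob": {"email", "crm", "domain-admin"},   # more than a sales role needs
    "carol": {"email", "finance-share", "crm", "domain-admin"},
    "dave": {"email", "finance-share"},        # has left; account still active
}


def review_access(staff: dict[str, str],
                  accounts: dict[str, set[str]],
                  role_privileges: dict[str, set[str]]) -> dict:
    """Return three findings: accounts to remove (no current staff member),
    accounts whose privileges exceed their role's baseline, and current staff
    who have no account (usually informational, sometimes a shared login)."""
    leavers = sorted(user for user in accounts if user not in staff)

    excess: dict[str, list[str]] = {}
    for user, privs in accounts.items():
        role = staff.get(user)
        if role is None:
            continue  # already reported as a leaver
        extra = privs - role_privileges.get(role, set())
        if extra:
            excess[user] = sorted(extra)

    no_account = sorted(user for user in staff if user not in accounts)
    return {"remove": leavers, "excess_privileges": excess, "no_account": no_account}


if __name__ == "__main__":
    for finding, detail in review_access(CURRENT_STAFF, ACCOUNTS, ROLE_PRIVILEGES).items():
        print(f"{finding}: {detail}")
```

The useful part is the baseline: once each role's expected privileges are written down, the review becomes a repeatable comparison rather than a judgement call, and the same comparison can be run against exports from a directory, a cloud console or a SaaS admin panel.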
Strong passwords and multi-factor authentication (MFA) are essential. Look to the NCSC guidance. And push out educational communication on good password selection.
Ensure you understand the security practices of your service providers, e.g. outsourced IT or HR providers.
Keep training up to date so that staff feel in control. Instil a culture of awareness about these issues within your organisation.
If your organisation is responsible for personal data, whether on a small or large scale, it is increasingly valuable to cybercriminals and those to whom it belongs. It is essential for you to document and record everything you do to protect it so that you can demonstrate accountability under the Law.
If you detect any unusual activity on your account, or don’t understand any of the above, rather than bury your head in the sand, speak to an expert who can help.
With so much cyber security advice out there, it can be difficult for small organisations to know where to start. The National Cyber Security Centre offers online training for small organisations and charities, which do not tend to have an IT department or technical staff responsible for cyber security.
The training demonstrates how you can improve your organisation’s resilience, and covers five key areas:
1. Backing up your organisation's data correctly
2. Protecting your organisation against malware
3. Keeping the devices used by your employees secure
4. The importance of creating strong passwords
5. Defending your organisation against phishing
For more detailed information, the following sites may also be useful: