To avoid becoming just another statistic in the rising tide of cyber-fraud, please review and implement, where possible, as many of these security tips in your organisation. This list represents generally accepted best practices for computer and information security, but is not exhaustive. We recommend that you document the procedures that are implemented and review them at least annually.
Too many organisations still permit computer users to choose weak and ineffective passwords. Short passwords made from common names (children or pets) or numerals representing a significant date (birthday) are trivial to guess and even easier to crack with modern software.
Prevent your users from choosing simple, short passwords by enforcing a complexity policy and requiring frequent changes, which also breaks that other common habit of using one password for everything, forever.
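As an added example (not code from the original article), a small Python policy check that rejects the password habits described above: short passwords, all-numeric significant dates, and passwords built on a common name. The minimum length, the character-class rule and the name list are assumptions constructed for the example, standing in for whatever policy and wordlist an organisation adopts.

```python
import re
from datetime import datetime

# Constructed sample wordlist; a real deployment would load a much larger
# list of common first names and pet names.
COMMON_NAMES = {"emma", "oliver", "jack", "sophie", "charlie", "max", "bella", "rover"}
MIN_LENGTH = 12  # assumed policy value


def looks_like_date(candidate: str) -> bool:
    """True if the whole password is a numeric date such as 14021985 or 140285."""
    if not candidate.isdigit():
        return False
    for fmt in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y"):
        try:
            datetime.strptime(candidate, fmt)
            return True
        except ValueError:
            continue
    return False


def policy_violations(password: str) -> list[str]:
    """Return the policy rules the password breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Count lower, upper, digit and symbol classes; require at least three.
    classes = [re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")]
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than three character classes")
    if looks_like_date(password):
        problems.append("is a numeric date")
    # Strip digits and punctuation so "Emma2010!" is still caught as name-based.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_NAMES:
        problems.append("based on a common name")
    return problems


if __name__ == "__main__":
    for pw in ("140285", "Emma2010!", "correct-Horse-battery-9"):
        print(pw, "->", policy_violations(pw) or "accepted")
```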
It is now almost essential to ensure that two-factor (aka 2FA or multi-factor) authentication is enabled, and even enforced, on any business systems that are accessible directly via the Internet. That is to say, where a user can gain access from anywhere with an Internet connection and only needs to authenticate with their credentials. Humans are notoriously bad at keeping passwords a secret and the latest phishing methods have shown that it is trivially easy to con even the more security-aware users into disclosing them.
Requiring users to enter a secret password as well as a one-time code, computer generated and delivered to their smartphone, makes it close to impossible to gain unauthorised access to online systems.
Personal data is like gold to a cyber-criminal. Anything that can be used to identify an individual is a weapon that can be used to exploit that individual online, and the organisation they work for. For this reason it is vitally important to ensure that devices that may store personal information in any format, and that can easily be mislaid (laptops, tablets, smartphones), have their stored data encrypted.
Beyond protecting the identity of the individuals whose data your users keep for their work, you are also protecting your organisation. New data protection regulation (GDPR), which commenced in 2018, has very serious implications for businesses found to be the source of leaked personal data.
Internet Content Filtering
Consider restricting the scope of the public Internet that your users can access. Much of the malware and hoax content exists in the murky margins where cyber-criminals try to lure computer users to execute their plans.
Proxy and gateway services are available that allow an organisation to define and enforce a policy of what Internet content will be accessible, and to automatically restrict access to content containing malware based on constantly updated reputation lists.
It is highly advisable for every organisation to systematically review how much it reveals about itself online, especially in social-media channels. Cyber-criminals use personal information gleaned from bios on company websites and online CVs, as well as posts about activities on Twitter, Facebook and Instagram. This information can be exploited to make cyber-attacks more authentic (emailing a colleague and mentioning an event that was posted online) or simply to gain that extra bit of personal information that gets a hacker through the door.
We advise that personnel within an organisation who are privy to financial information or can access finance systems restrict their use of social media, especially in a business context.
One way of ensuring that you have covered all of the essentials of security best practice is to gain a certification. This requires an organisation to structure its analysis of its own security processes, creates that all-important documentation, and then has it all assessed and approved by a third party.
We would recommend that every business gains the Cyber Essentials certification from the government's National Cyber Security Centre, and that businesses with a higher level of risk (e.g. legal, medical) pursue the Cyber Essentials Plus certificate.
More information on these certifications can be found here: