Cyber Security Small Business Guide (NCSC)
Small Business Guide Collection
1 https://www.cyberessentials.ncsc.gov.uk/
2 https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
3 https://www.ncsc.gov.uk/blog-post/what-can-ncsc-do-you
Your first step is to identify your essential data. That is, the information that your business couldn’t function without. Normally this will comprise documents, photos, emails, contacts, and calendars, most of which are kept in just a few common folders on your computer, phone or tablet or network.

Tip 2
Keep your backup separate from your computer

Whether it’s on a USB stick, on a separate drive or a separate computer, access to data backups should be restricted so that they:

Using cloud storage (where a service provider stores your data on their infrastructure) means your data is physically separate from your location. You’ll also benefit from a high level of availability. Service providers can supply your organisation with data storage and web services without you needing to invest in expensive hardware up front. Most providers offer a limited amount of storage space for free, and larger storage capacity for minimal costs to small businesses.
4 https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
Not all service providers are the same, but the market is reasonably mature and most providers have good security practices built-in. By handing over significant parts of your IT services to a service provider, you’ll benefit from specialist expertise that smaller organisations would perhaps struggle to justify in terms of cost. However, before contacting service providers, we encourage you to read the NCSC’s Cloud Security Guidance5. This guidance will help you decide what to look for when evaluating their services, and what they can offer.

For further guidance on backups, please see our Securing Bulk Data guidance6, which discusses the importance of knowing what data is most important to you, and how to back it up reliably.

The Information Commissioner’s Office website also has a useful introduction to cloud computing7.
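As an added illustration of the two backup tips above (this is example code, not part of the NCSC guide): a small Python script that copies the folders you have identified as essential to a separate location (for example a second drive or USB stick mounted at a path you choose), restricts the copied files so only the owner can read them, and records a SHA-256 manifest so that a later restore can be checked for missing or altered files. The source and destination paths, the manifest file name and the backup label are this example’s own assumptions.

```python
"""Added example (not from the NCSC guide): back up essential folders to a
separate location, restrict access to the copy, and verify it later."""
import hashlib
import json
import shutil
import stat
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for the hash list


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(sources, dest_root, label=None) -> Path:
    """Copy each source folder into a new folder under dest_root and write a
    manifest of SHA-256 hashes. Returns the path of the backup folder created.
    dest_root should sit on a separate drive or removable medium."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    backup_dir = Path(dest_root) / label
    backup_dir.mkdir(parents=True, exist_ok=False)  # never overwrite an old backup

    manifest = {}
    for src in map(Path, sources):
        target = backup_dir / src.name
        shutil.copytree(src, target)
        for file in sorted(target.rglob("*")):
            if file.is_file():
                manifest[str(file.relative_to(backup_dir))] = sha256_of(file)

    (backup_dir / MANIFEST_NAME).write_text(
        json.dumps(manifest, indent=2, sort_keys=True)
    )

    # Restrict access to the backup: owner-only on every directory and file.
    # (POSIX permission bits; on Windows os.chmod only toggles read-only.)
    for p in [backup_dir, *backup_dir.rglob("*")]:
        p.chmod(stat.S_IRWXU if p.is_dir() else stat.S_IRUSR | stat.S_IWUSR)
    return backup_dir


def verify_backup(backup_dir) -> list:
    """Return the relative paths whose hash no longer matches the manifest, or
    which are missing. An empty list means the backup verifies."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        file = backup_dir / rel
        if not file.is_file() or sha256_of(file) != expected:
            problems.append(rel)
    return problems


if __name__ == "__main__":
    # Assumed paths for illustration: adjust to your own essential folders
    # and to wherever your separate backup drive is mounted.
    essential = [Path.home() / "Documents", Path.home() / "Contacts"]
    created = make_backup([p for p in essential if p.exists()], "/mnt/backup-drive")
    print("backup written to", created, "problems:", verify_backup(created))
```

Run it on a schedule (so backing up becomes part of everyday business) and run `verify_backup` on the copy before you rely on it; a manifest entry that no longer matches tells you the copy, not the original, has been altered or damaged.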
Tip 5
Make backing up part of your
everyday business
Tip 1
Install (and turn on) antivirus software

Antivirus software - which is often included for free within popular operating systems - should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’, and you’re instantly safer. Smartphones and tablets might require a different approach and if configured in accordance with the NCSC’s EUD guidance9, separate antivirus software10 might not be necessary.

Tip 3
Keep all your IT equipment up to date (patching)

For all your IT equipment (so tablets, smartphones, laptops and PCs), make sure that the software and firmware is always kept up to date with the latest versions from software developers, hardware suppliers and vendors. Applying these updates (a process known as patching) is one of the most important things you can do to improve security - the IT version of eating your fruit and veg. Operating systems, programmes, phones and apps should all be set to ‘automatically update’ wherever this is an option.

At some point, these updates will no longer be available (as the product reaches the end of its supported life), at which point you should consider replacing it with a modern alternative. For more information on applying updates, refer to the NCSC’s guidance on Vulnerability Management11.

8 https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
9 https://www.ncsc.gov.uk/guidance/end-user-device-security
10 https://www.ncsc.gov.uk/blog-post/av-or-not-av
11 https://www.ncsc.gov.uk/guidance/vulnerability-management
Tip 5
Switch on your firewall

Firewalls create a ‘buffer zone’ between

12 https://www.ncsc.gov.uk/guidance/10-steps-network-security
Keeping your smartphones (and tablets) safe

Mobile technology is now an essential part of modern business, with more of our data being stored on tablets and smartphones. What’s more, these devices are now as powerful as traditional computers, and because they often leave the safety of the office (and home), they need even more protection than ‘desktop’ equipment.

With this in mind, here are 5 actionable tips that can help keep your mobile devices (and the information stored on them) secure.

Tip 1
Switch on password protection

A suitably complex PIN or password16 (as opposed to a simple one that can be easily guessed or gleaned from your social media profiles) will prevent the average criminal from accessing your phone. Many devices now include fingerprint recognition to lock your device, without the need for a password. However, these features are not always enabled ‘out of the box’, so you should always check they have been switched on.

Staff are more likely to have their tablets or phones stolen (or lose them) when they are away from the office or home. Fortunately, the majority of devices include free web-based tools that are invaluable should you lose your device. You can use them to:

• track the location of a device
• remotely lock access to the device (to prevent anyone else using it)
• remotely erase the data stored on the device
• retrieve a backup of data stored on the device

Setting up these tools on all your organisation’s devices may seem daunting at first, but by using mobile device management software17, you can set up your devices to a standard configuration with a single click.

Tip 3
Keep your device up to date

No matter what phones or tablets your organisation is using, it is important that they are kept up to date at all times. All manufacturers (for example Windows, Android, iOS) release regular updates that contain critical security updates to keep the device protected. This process is quick, easy, and free; devices should be set to automatically update, where possible. Make sure your staff know how important these updates are, and explain how to do it, if necessary.

At some point, these updates will no longer be available (as the device reaches the end of its supported life), at which point you should consider replacing it with a modern alternative.

16 https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
17 https://www.ncsc.gov.uk/blog-post/ncsc-it-mdm-products-which-one-best-1
18 https://tinyurl.com/y9hgclg4
19 https://www.ncsc.gov.uk/guidance/10-steps-home-and-mobile-working
28 https://www.ncsc.gov.uk/guidance/phishing
https://www.ncsc.gov.uk/guidance/suspicious-email-actions
29 https://exerciseinabox.service.ncsc.gov.uk/
Make sure that your staff are encouraged to ask for help if they think that they might have been a victim of phishing, especially if they’ve not raised it before. It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.

Do not punish staff if they get caught out. It discourages people from reporting in future, and can make them so fearful that they spend excessive time and energy scrutinising every email they receive. Both these things cause more harm to your business in the long run.

If you believe that your organisation has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website30. Action Fraud is the UK’s national fraud and cyber crime reporting centre. If you are in Scotland contact Police Scotland on 101.

Attackers are always trying different methods of attack, even when tools like automatic email protection have prevented previous attempts. So it’s worth keeping on top of the techniques used by attackers, to try and stay one step ahead. Consider signing up for the free Action Fraud Alert service31 to receive direct, verified, accurate information about scams and fraud in your area by email, recorded voice and text message.

Monitor the advice from your local Police Service, and Regional & Organised Crime Unit (ROCU), who will put out warnings of specific cyber crime activity in your area. Join CiSP32 which provides a forum for cyber security discussion from beginner through to expert level. It’s also a platform where organisations can share intelligence gathered from their own computer networks.

A final word

Don’t leave the responsibility for cyber security with a single person. Every member of the team (including board members) needs enough knowledge to understand how cyber security impacts on their area of focus.

30 http://www.actionfraud.police.uk/report_fraud
31 https://www.actionfraud.police.uk/sign-up-for-action-fraud-alert
32 https://www.ncsc.gov.uk/cisp
© Crown copyright 2020. Photographs produced with permission from third parties.
NCSC information licensed for re-use under Open Government Licence
(http://www.nationalarchives.gov.uk/doc/open-government-licence).