While in school, you may have had ‘look right, look left, look right’ drummed into you so much that it’s second nature before you cross the street.
‘Backup, backup, backup’ is the same – and it needs to be more than second nature. It’s recently been suggested that the world creates ‘2.5 quintillion bytes of data every day’ (a quintillion has 30 noughts in the UK system, and 18 noughts in the US system) and amongst that somewhere is your data, which needs to be made secure. With such a mind-blowing quantity of data, it follows that there are exponentially more risks. It makes sense to seek professional advice on cyber security, such as highly experienced consultants like Mustard IT to guide you through the ever-changing field of IT and security.
According to the Office of National Statistics, the rates of computer viruses fell by 27 percent in the year up to June 2019; however, the rates of cyber crime and fraud rose in that same period. It’s been suggested that a member of the public, and even more so a small business, is more likely to be a victim of computer crime than traditional forms of crime such as mugging, theft or robbery. Whilst there’s still a need to be prepared for computer viruses, there’s perhaps a greater need to prepare for and to combat cyberattacks.
The 4 Basics
It’s almost inconceivable nowadays to think of a business existing without IT; and where there is IT, there is a cyber security risk. Countering those risks includes looking at cyber security holistically and doing the following four basic steps to protect your data and business.
Step one: Find the crown jewels
Identify which company data is what you might call the ‘crown jewels’: the data which is irreplaceable and which the business needs in order to function. Whilst most of a company’s data may require backing up, this core data requires special attention.
Step two: Keep data out of reach
Just as no-one would keep their wallet in the cutlery drawer or leave their credit card lying on the bedside table for a burglar to pick up with ease, so too should data be kept out of reach. Do not keep back-ups within the same system as the actual data; if the data is accessible to the cyber-criminal, then any backup on the same network is equally accessible. Keep your back-up somewhere physically separate from the actual data, such as on an external hard drive or a secure USB, in a different room or – even better – a different building. When keeping data secure, consider keeping it on more than one item; for example, on a USB, an external hard drive, an externally-hosted cloud, or a mix of those things. The ideal is to have this data in a location separate from the workplace and secure from physical threats. There’s immense value in restricting access to that back-up to certain approved staff members; equally, more than one person needs access to the cloud in case of emergencies.
Step three: Utilise cloud storage
Having an in-house external hard drive as back-up is fine; having that same data in the cloud is better. There are many secure sites for cloud storage, and a good IT consultancy will provide guidance on how to go about this. As would be expected, there is a range of options, beginning with free storage and then paid possibilities (depending on the quantity of storage required).
Step four: Educate staff on back-up basics
Educate staff about the essentials of backing-up and provide ongoing training in back-up best practices. Many commercial back-up options will allow for automatic back-up of certain data to certain files or folders, which dramatically reduces the workload of workplace management. What needs to be in place is planned scheduled back-up of the core business data, and other less vital data. Have a plan for what is to be backed up, who will back the data up and how, who will have the authority and know-how to retrieve that data, and a plan for recovery should there be a breach. Back up in two places, e.g. an external hard-drive and the cloud, a USB and an external hard-drive, and keep that data away from the network.
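A back-up plan is only useful if the copies can be trusted at recovery time. The following is an added example, not part of the original article: it copies a folder to two places and later checks each copy against SHA-256 hashes taken from the source. The function names and the folder names (`crown_jewels`, `external_drive`, `cloud_sync`) are assumptions; the two destination folders stand in for an external drive and a cloud-synced folder.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def back_up(source: Path, destinations: list) -> dict:
    """Copy source to two or more places; return the source manifest."""
    if len(destinations) < 2:
        raise ValueError("back up to at least two separate places")
    manifest = build_manifest(source)
    for dest in destinations:
        shutil.copytree(source, dest, dirs_exist_ok=True)
    return manifest


def verify(manifest: dict, copy: Path) -> list:
    """List files in a copy that are missing or no longer match."""
    found = build_manifest(copy)
    return sorted(name for name, digest in manifest.items()
                  if found.get(name) != digest)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data
        base = Path(tmp)
        (base / "crown_jewels").mkdir()
        (base / "crown_jewels" / "ledger.csv").write_text("id,amount\n1,100\n")
        copies = [base / "external_drive", base / "cloud_sync"]
        manifest = back_up(base / "crown_jewels", copies)
        (copies[0] / "ledger.csv").write_text("tampered")  # simulate damage
        for copy in copies:
            print(copy.name, verify(manifest, copy) or "OK")
```

Keep the manifest away from the back-ups themselves, so that someone who can alter a copy cannot also alter the hashes it is checked against.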
The National Cyber Security Centre provides a small business guide with the basics on securing any SME. This is particularly useful as a starting place, before seeking the advice of professional IT specialists.
Other simple things to consider
There is value in creating a USB policy; many workplaces have a ‘NO USB’ policy, which is worth considering. The IT department or consultancy could lock PC ports so that they cannot be used with a USB for information transfer, whilst leaving those same ports able to function for other purposes. It is often assumed that cyber security is in place to battle external threats; unfortunately, threats do not always come from outside. A USB plan may involve locking out staff USB ports, generating and distributing a ‘No USB’ policy, and providing training to staff members on how to work without using USBs. Should the company not wish to lock ports, then it may be appropriate to request monitoring of USB use by staff. This can be organised by professional IT support. It may prove very important to do this prior to a staff member leaving the company.
Lastly, something which cries out to be done is the establishment and mandatory use of two-stage authentication. This is very simple. Someone logs in using their password and is then sent a PIN to a pre-arranged phone or another laptop; they simply retrieve that PIN and enter it on the original site. In some instances, it may not be a PIN but a question which has been set up already; for example, the user’s secondary school or favourite food. Regardless of the process of two-step authentication (PIN, question or biometrics), this is a sensible approach to be part of a company-wide security review.
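The PIN step described above, sketched as an added example (not code from the original article): the PIN is random, expires, works only once, and is withdrawn after repeated wrong guesses. The class name, the five-minute lifetime and the three-attempt limit are assumptions, and delivery of the PIN to the phone is left out.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed lifetime of a PIN
MAX_ATTEMPTS = 3        # assumed limit on wrong guesses


class PinChallenge:
    """Second step of a login: a short-lived, single-use PIN."""

    def __init__(self, now=time.time):
        self._now = now      # clock is injectable so expiry can be tested
        self._pending = {}   # user -> [pin, expires_at, attempts_left]

    def issue(self, user: str) -> str:
        """Create a 6-digit PIN to send to the user's pre-arranged device."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [pin, self._now() + PIN_TTL_SECONDS,
                               MAX_ATTEMPTS]
        return pin

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the PIN once, before expiry, within the attempt limit."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        pin, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user]          # expired or locked out
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(pin.encode(), submitted.encode()):
            del self._pending[user]          # single use: no replay
            return True
        entry[2] = attempts_left - 1
        return False


if __name__ == "__main__":
    challenge = PinChallenge()
    sent = challenge.issue("alice")          # constructed user name
    print(challenge.verify("alice", sent))   # first use is accepted
    print(challenge.verify("alice", sent))   # replay is rejected
```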
What makes sense is having adequate training and support, not only for new staff members but ongoing for all staff members. Too often training is seen as job specific, but IT training – and particularly cyber security – is far too important to be left to the occasional training afterthought.