20 Cyber Security Tips for Your Business
As a business, it is important to ensure that any information your customers share with you stays safe. In this comprehensive guide, we have provided some key cyber security tips that will help you keep user-information secure.
Cyber Security Tips
1. Use a Password Generator
Using a secure password is a cyber security tip that you must have come across before. The reason for that is because it is vital for the protection of your account.
Passwords considered as ‘Strong’ consist of a minimum of 8 letters, numbers and characters. A password generator creates a randomly generated password for you, which is more secure and harder to crack.
If a password is a word that can be found in the dictionary, no matter how long it is, it could be accessed via ‘brute-force’. Brute force attacks are when a hacker uses every possible combination of letters, numbers and characters to guess a password. This technique would previously not have been possible, but thanks to the power of super-speed computers in today’s modern age, they can go through millions of combinations in a very short timeframe.
To further increase their chances, attackers use tables with already “cracked” passwords. These tables are also referred to as ‘Rainbow Tables‘ and contain hundreds of commonly used passwords and their equivalent hashes. Even though it might not seem like a huge difference, if your password is a relatively common one, there are very high chances of it being found in one of these tables. Several measures have been taken to mitigate this, but your best bet is still to use a complex password.
2. Two-Factor or Multi-Factor Authentication
If your customers need to login to access your services, our recommendation is to invest in a two-factor or multi-factor authentication process.
Two-factor authentication requires a user to enter the password and provide another means of verification for logging in. For example, at an ATM, you need to have both the card and the pin to complete a transaction.
Multi-factor authentication is the same method but uses more than two pieces of verification in the log in process. Both of these options can be a reliable way to keep your customers’ accounts safe from unauthorised users.
3. Invest in One-Time Password Authentication
As part of your multi-factor authentication process, you could consider investing in one-time password (OTP) authentication. This is one of our favourite cyber security tips as it is a great way to add an extra layer of security.
Once requested, a password or passcode is sent via text message to the user’s registered phone number, a dedicate app or via email. This is then used to gain access to the account or data your customer is trying to view. This method means a hacker would need access to the user’s phone or email account AND passwords to get into the account, making the attack much harder.
4. Limit the Number of Log-in Attempts
As a business, if you provide clients access to a software program or service where they need to log in, you should limit the number of wrong log-in attempts to prevent hackers from making their way in using brute-force.
As we mentioned earlier, when using this method to ‘crack’ passwords, hackers use a computing device to generate millions of possible combinations of letters, numbers and characters. As the combination is generated, it is entered in the password field of the login page in an attempt to find the one that might be that account’s password.
By limiting the number of wrong attempts, you are restricting the number of combinations they can try. Since it is almost impossible to randomly guess a secure password in something like three attempts, this is a simple way you can keep customer accounts safe.
5. Consider On-Screen Keyboards
Another way cyber criminals will try to gain access to your data is by tricking you into installing malware, like keylogging software, on your computer. This malicious program records your keystrokes so that the hacker can see what you typed and when. They can then retrieve any passwords that you entered, using logic and the process of elimination.
For example, if you typed in your email address, followed by your username, it is logical to assume that the next bit you would enter is your email password.
To prevent sensitive information from getting out this way, use an on-screen keyboard when entering passwords for important accounts. You can activate one for Windows and Mac. You can download on-screen keyboard plugins via your browser, but as plug-ins are third-party created applications, they can not be guaranteed to be secure. If you are going to use an on-screen keyboard, you should ONLY use the one provided by your system.
6. Review Connectivity Requirements
With the rise of personal computing devices (which includes phones and tablets), it has become prevalent for people to always be connected. We are permanently logged in to our emails, social media platforms, and other such applications. However, this can be an easy way for someone to steal information or misuse an account, by simply gaining access to the device.
Certain services provided through custom software or mobile applications may include transactions where money is exchanged and they may store payment details. For example, your Amazon account has your bank card details saved for ease of purchasing.
If your service needs to similarly save payment details, you may need to review how important it is for the user to be constantly logged in.
Our suggestion is, if they don’t need to be logged in all the time, your service should have a session time-out. This way, if someone gets access to your customer’s device, they will not be able to access card details or make unauthorised purchases.
7. Secure the ‘Forget Password’ Feature
In most cases, when someone clicks on the ‘forgot password’ link on a log-in page, they get a password reset link sent to the email address or phone number associated with the account. In some cases, the service may ask you to enter the registered email address to which they will send the link.
A well-designed process would first check the email or phone number against the database to verify if it is registered and then send the link to reset the password.
An insecurely-designed system, on the other hand, will send the link without verifying. As a result, all a hacker needs to do is try to log in as someone else, fail, and click on ‘forgot password’. At that point, they can enter any phone number or email address and get a new password.
That is why, if you want to protect your customers against this type of hack, the password recovery system for your service needs to be well-thought-out and secure.
8. Backup All Data Regularly
One of the most important rules for security-responsible business is to back up all information. A backup is a copy of all the information your systems, server or databases contain, usually stored in another location. In the past, people used backup servers but now you also have the option of cloud storage services too.
Ransomware attacks are when cyber criminals gain access to your servers and deny your customers access to your service. Hackers demand large sums of money in exchange for restoring ownership.
If you have a backup of the information they are holding ransom, you can use it to recover critical data and resume services for your customers, even if it is limited, while you take measures to get back control from the hackers.
9. Backup Security
Whilst you may have created a backup of all user information, how you store it is important. Especially when using cloud storage, you need to be aware of the level of security offered by your provider so you can choose one who can offer comprehensive protection.
Unfortunately, even the most secure storage space has the potential of being compromised. That is why our cyber security tip here is that you should password-protect or ‘encrypt’ all your documents and folders before you store them on a backup drive. This way, even if someone gets into the storage, they will find it difficult to extract meaningful information.
10. Only save the minimum customer data required
Our data protection tip for your business here is to avoid storing any customer information that is not completely necessary for your service. As a business, you may need to store sensitive customer information as part of your service requirements. However, that means you also need to ensure that it is stored securely for protection. That is why you should review user registrations and product use to only save essential information.
For example, you may need a name and a registered email address to create the account. You may also need a registered phone number to which you send the OTP for a two-factor authentication. However, you may not need their payment details unless your service charges them a monthly fee.
If you only need their card details when they make a purchase, having it stored on your system can be a security risk for which you would need a high level of protection.
While it may be an inconvenience for the customer to enter their credit or debit card details every time they conduct a transaction, it is better than someone getting into your database and stealing this very sensitive information. If that happened, it would be bad not only for the customer but also for your business’s reputation.
11. Store Data in Parts
You may find that saving some sensitive information is unavoidable to ensure a smooth user journey and experience. In this case, it would be a good idea to not just password-protect your database but to also store elements in different locations.
For example, if you’re saving email addresses in one database and storing credit card details in a separate one, if one is compromised, cyber criminals won’t have access to all your customers’ details.
12. Malware Protection
Investing in anti-virus (AV) software for your employees’ devices is a great cyber security tip for any business. Once installed, an AV program will keep your business safe from a large number of untargeted attacks, or attacks that weren’t specifically designed for your company.
For example, malware that is encoded within downloadable content on the internet is not targeting anyone specifically and will affect anyone who downloads it. Such attacks can be screened by malware protection software before they become a problem.
AV software does not keep your device safe from all malware, but it can protect you from a variety of known viruses, adware and spyware. When it comes to cyber security, you can limit a majority of online hazards with a proper firewall and AV protection, but this alone will not totally protect you from a cyber security breach.
13. Set Up Notifications
On almost all occasions when an account or company information is compromised, there is a window of time in which you can take steps to ensure that the hackers can do no further damage.
As a personal example, if someone steals your ATM card without you realising it, you may get a phone notification when the thief tries to take out money or use it in a store. If you pay heed to this, you can block your card in time.
Similarly, if your software, database or app is set up to send notifications in the case of suspicious activity, this can be a great way to be alerted quickly enough to take action.
14. Secure Your Router
As you may know, if a cyber criminal can access your network, they can easily access other connected devices. That is why an important business cyber security tip is to have a password-protected Wi-Fi connection.
Additionally, it is essential to have a secure Wi-Fi router, not only for your systems as a defence against cyber-attacks but also to protect you.
How is that?
First, if anyone can connect to your network, they will use up valuable bandwidth for which you’re paying. If multiple people steal your connection, the internet connection becomes slow for your employees.
Second, if they use your network to do something illegal, the activity can be traced back to your IP address. That could get you in trouble with the law when it’s not your fault.
15. Protect Your Business from Espionage
Like we mentioned earlier, cyber criminals cannot simply ‘magic’ their way into a network or system. They need some initial information, that they can gather using malware, to gain entry and then use that foothold to ‘dig deeper’.
However, whilst malware is one way of get your details, a more traditional way of getting sensitive company information is using an insider, which is called industrial espionage.
To protect sensitive data from an attack like this, you need to devise processes which limit the amount of information any one person can access, as well as ensuring the proper data security and IT training is delivered to your employees.
16. Train Your Employees to Recognise Phishing Attempts
Phishing is a form of information gathering that cyber criminals use by taking advantage of the fact that most people trust an official-looking email. Victims also tend to act without thinking if they get very good or very bad news.
For example, if someone gets a correspondence that looks like it’s from their bank, they tend to take it at face value. If the email says there’s a problem with their account and to click a link, most people will do it without thinking because they would be concerned about their account getting blocked or losing their money. This link then takes them to a page that looks like what they were expecting but isn’t the official bank website. Here, they are asked for information that can allow criminals to access their account that they wouldn’t think twice about giving it away.
An important cyber security tip for protecting your business from such attacks is to train your employees to recognise phishing emails and how to deal with them. If they know what to expect, they will be less likely to give away information that could compromise them or your organisation.
17. Use Free Software with Caution
Free software can be great if you’re a business with a budget, but when installing such products, be aware of what the program includes and the permissions you are giving it. Wherever possible, only use software products from reputable companies or those that have a high trust factor based on online reviews.
There are times when it is convenient to use a free program for what might seem like a minor task. However, these programs might come with other unwanted features built in, even if it is a toolbar that is added to your web browser.
They may also come with trojans (hidden applications that are a part of the executable file) which are installed along with the software and impact the security of your device or network.
18. Anonymous Browsing
Encourage anonymous browsing when entering sensitive data in online forms.
Most browsers auto-save the information you enter so filling forms becomes quicker and easier for you. However, if a malicious intruder manages to access your machine, they can get all of these details.
If you browse the internet on Firefox or Chrome, you must know about its ‘Incognito Mode’. This private browsing option will not save browsing history or the data entered in forms, so others using the device will not be able to misuse this information.
19. Never Leave Your Device Unattended
As we mentioned earlier, most of us have certain apps and software on our devices that we always keep logged in. If the device is left unattended, anyone could get into your account.
Always keep your laptop or mobile device with you, and if you must leave your desktop computer, make sure you have a password-protected screen lock on to keep out unauthorised users from getting access.
20. Keep Software Updated
Whether it is software that you use in your business or bespoke software you had developed for your customers, it is crucial to keep it updated. Software updates are not just for features; They mostly include security updates. If a program is continuously updated to fix security issues, it will be less vulnerable to cyber-attacks.
As you can see, if you want to offer a software or app-based service to your customers, you need to ensure that your product is designed with user security in mind. You also need to have secure business practices so user data as well as the organisation’s integrity are not compromised.