January 12, 2026

How secure is your business?

I had a conversation with a client recently who had been given a quotation from another company for security for their business.  They asked me to take a look at the proposal and tell them whether all the suggested measures (which had a significant cost attached) were needed.

I went through the list and told them that they already had security in place for three of the five items – and they probably didn't need everything that was suggested.  The conversation then moved on as they asked, "What do you think is my best safeguard for cyber security?"

My answer: “Vigilance.”

So we discussed what that might look like for their team.  I suggested that they focus on relating security to each person's own situation.  Get them to think about what happens if someone gets into their personal email account: because password resets land in that inbox, the attacker can reach their bank, credit cards, Netflix and other streaming services, social media profiles, Google account and much more.  What would that mean to them?

The same issues apply to business – but the numbers are usually bigger!

The next question was “Can you give me a checklist I can give to each of my team?”

So here is my checklist.

For the business owner or MD:

  • Know what security is already in place and what needs to be added
  • Ensure a secure backup runs automatically at least daily, covering everything: files, documents, emails, Teams meeting recordings, in fact everything in Microsoft 365 or other cloud services.  Keep at least one copy where malware on your network cannot reach it (offline, or versioned/immutable storage) and test a restore from it periodically; a backup you have never restored from is not yet a safeguard.
  • When your domain is set up on Microsoft 365 you will be asked to publish DNS records that let receiving mail servers verify your email: SPF (which servers may send for your domain), DKIM (a signature on each message) and DMARC (what to do with mail that fails the other two).  If you use external marketing platforms such as MailChimp, AWeber, Constant Contact or Mailerlite, each of them must also be added to your SPF record and verified with its own DKIM key before it can send as your domain name.  There is a newer addition, BIMI, which shows your logo next to authenticated mail in some inboxes.  It requires DMARC to be at an enforcing policy (quarantine or reject) and, for the major mailbox providers, a Verified Mark Certificate, which in turn requires the logo to be a registered trademark.  Currently this is not mandatory, but it may become so in future.
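The records in that last point are the ones an IT provider should be able to show you.  The script below is an added example, not part of the original post or of any vendor's tooling: it audits a constructed set of SPF, DMARC and BIMI records for a fictional example.com and reports the weaknesses a practitioner looks for (a marketing platform missing from SPF, a permissive `+all`, too many DNS lookups, a monitor-only DMARC policy, or BIMI published without DMARC enforcement).  The include hostnames for Microsoft 365 (`spf.protection.outlook.com`) and Mailchimp (`servers.mcsv.net`) are assumptions to be checked against each provider's documentation, and `SAMPLE_RECORDS` stands in for a real DNS lookup.

```python
"""Audit a domain's SPF, DMARC and BIMI DNS records.

Added example for this post, not the article's own material. SAMPLE_RECORDS is
constructed for a fictional example.com; the Microsoft 365 and Mailchimp include
hostnames are assumptions to verify against the providers' documentation.
Replace SAMPLE_RECORDS with a real TXT lookup (e.g. via dnspython) to audit a
live domain.
"""
import re

SAMPLE_RECORDS = {  # constructed: what TXT lookups for example.com might return
    "example.com": "v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
}

# SPF mechanisms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|mx\b|a\b)", re.I)


def parse_tagged(record):
    """Turn a 'k=v; k=v' record (DMARC, BIMI) into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(spf, required_includes):
    """Findings for an SPF record; required_includes are the platforms that send as you."""
    findings = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    includes = {t.split(":", 1)[1].lower() for t in terms if t.lower().startswith("include:")}
    for host in required_includes:
        if host.lower() not in includes:
            findings.append(f"SPF: missing include:{host}; mail sent via that platform will fail SPF")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("SPF: ends with +all, which authorises every sender on the internet")
    elif last not in ("-all", "~all"):
        findings.append("SPF: no -all/~all terminator, so unauthorised senders are not rejected")
    lookups = sum(1 for t in terms if LOOKUP_MECHANISM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dmarc(dmarc):
    """Return (parsed tags, findings) for a DMARC record."""
    findings = []
    tags = parse_tagged(dmarc)
    if tags.get("v") != "DMARC1":
        return tags, ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return tags, findings


def check_bimi(bimi, dmarc_tags):
    """BIMI is only honoured when DMARC is enforcing; check that and the logo/VMC tags."""
    findings = []
    tags = parse_tagged(bimi)
    if tags.get("v") != "BIMI1":
        return ["BIMI: record does not start with v=BIMI1"]
    enforcing = dmarc_tags.get("p", "").lower() in ("quarantine", "reject")
    if not enforcing or dmarc_tags.get("pct", "100") != "100":
        findings.append("BIMI: requires DMARC p=quarantine or p=reject applied to 100% of mail")
    logo = tags.get("l", "")
    if not (logo.startswith("https://") and logo.lower().endswith(".svg")):
        findings.append("BIMI: l= must be an https URL to an SVG logo")
    if "a" not in tags:
        findings.append("BIMI: no a= certificate; providers that require a VMC will not show the logo")
    return findings


def audit(records, required_includes, domain="example.com"):
    """Return all findings for the domain; an empty list means every check passed."""
    findings = []
    spf = records.get(domain)
    findings += ["SPF: no record on the apex domain"] if spf is None else check_spf(spf, required_includes)
    dmarc_tags = {}
    dmarc = records.get(f"_dmarc.{domain}")
    if dmarc is None:
        findings.append("DMARC: no _dmarc record")
    else:
        dmarc_tags, dmarc_findings = check_dmarc(dmarc)
        findings += dmarc_findings
    bimi = records.get(f"default._bimi.{domain}")
    if bimi is not None:
        findings += check_bimi(bimi, dmarc_tags)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RECORDS, ["spf.protection.outlook.com", "servers.mcsv.net"]) or ["all checks passed"]:
        print(line)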

For individual team members:

Be vigilant regarding emails:

  • Don’t click on anything you are not 100% sure is valid
  • Even when an email appears to come from a known sender, check the actual 'from' address, not just the display name: if it isn't the organisation's own domain, delete it.  Watch for slightly different spellings, e.g. tecso.com instead of tesco.com, or the real name buried inside a longer address; delete those too.
  • If in doubt, check that the font, layout and presentation are consistent with previous emails from the same organisation.
  • Be wary of any email, from your bank or anyone else, that asks you to 'click the button' to log in or fix a problem.  If you need to check your account, go to the site by typing the address or using your own bookmark, never via the link in the email.  An urgent push to click is the usual sign of phishing.
  • Err on the side of caution and always confirm critical information by phone, using a number you already have rather than one printed in the email, particularly if you receive an email advising of a change in banking details.
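The 'from' address checks in that list can also be applied mechanically, for example in a mail-filter rule or a helpdesk triage tool.  The script below is an added example written for this post, not code from the original article: it parses a From header, compares the sender's domain against a constructed allowlist of domains your business knows (`KNOWN_DOMAINS`, with tesco.com kept only because the post uses it), and reports the same things a vigilant reader would spot by eye: a known domain embedded in a longer one, look-alike characters such as `rn` for `m`, a spelling within two edits of a real domain, a display name that borrows a brand the address does not belong to, and a Reply-To that diverts the conversation elsewhere.  All sample headers are constructed.

```python
"""Flag suspicious sender addresses the way the checklist above asks people to.

Added example, not from the original post. KNOWN_DOMAINS and every sample
header below are constructed for illustration.
"""
from email.utils import parseaddr

KNOWN_DOMAINS = {"tesco.com", "example-bank.co.uk", "ourcompany.co.uk"}  # constructed allowlist

# Character swaps that look alike in many fonts; applied before comparing domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def levenshtein(a, b):
    """Edit distance: tecso.com is two substitutions away from tesco.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def sender_domain(header):
    """Split 'Display Name <user@domain>' into (display name, domain)."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def assess_sender(from_header, reply_to=None, known=KNOWN_DOMAINS):
    """Return the reasons this sender looks suspicious; an empty list means nothing obvious."""
    name, domain = sender_domain(from_header)
    if not domain:
        return ["no parsable address in From header"]
    reasons = []
    genuine = domain in known or any(domain.endswith("." + k) for k in known)
    if not genuine:
        labels = domain.split(".")
        for k in known:
            kl = k.split(".")
            # e.g. tesco.com.account-verify.net: the real name sits inside someone else's domain
            if any(labels[i:i + len(kl)] == kl for i in range(len(labels) - len(kl))):
                reasons.append(f"{k} appears inside {domain} but is not the real domain")
            elif normalise(domain) == normalise(k):
                reasons.append(f"{domain} imitates {k} with look-alike characters")
            elif levenshtein(domain, k) <= 2:
                reasons.append(f"{domain} is within two edits of {k} (possible typosquat)")
    compact_name = name.lower().replace(" ", "").replace("-", "")
    for k in known:
        brand = k.split(".")[0].replace("-", "")
        if brand in compact_name and not (domain == k or domain.endswith("." + k)):
            reasons.append(f"display name mentions {brand} but address is at {domain}")
    if reply_to:
        _, reply_domain = sender_domain(reply_to)
        if reply_domain and reply_domain != domain:
            reasons.append(f"Reply-To goes to {reply_domain}, not {domain}")
    return reasons


# Constructed sample headers covering each trick the checklist warns about.
SAMPLES = [
    ("Accounts <accounts@tesco.com>", None),
    ("Tesco Customer Care <noreply@tecso.com>", None),
    ("Tesco <alerts@tesco.com.account-verify.net>", None),
    ("IT Support <helpdesk@ourcornpany.co.uk>", None),
    ("Finance <finance@ourcompany.co.uk>", "finance.ourcompany@gmail.com"),
]

if __name__ == "__main__":
    for header, reply_to in SAMPLES:
        verdict = assess_sender(header, reply_to) or ["looks genuine"]
        print(header, "->", "; ".join(verdict))
```

The allowlist approach is deliberate: rather than trying to enumerate every bad domain, the script only has to know the handful of organisations your team actually deals with, which is the same mental list the checklist asks each person to carry.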

Attackers no longer necessarily act immediately; they often remain in the background for a while.  They may get access to your email and do nothing for days, weeks or even months, monitoring messages and activity to build a picture of who you pay, when and how, before they take action, for example by slipping changed bank details into a genuine invoice conversation.  It's really sophisticated.

When you're choosing protection software, it's best to get professional advice, so you aren't paying for something already built into your operating system (Windows, for example, ships with Microsoft Defender).

You'll need:

  • Endpoint protection (antivirus/anti-malware) that scans files and watches for attacks on the operating system
  • Email and web filtering that blocks malicious links, attachments and downloads before they reach your inbox or browser.

One product of each, or one that does both, is enough.  Running two real-time scanners side by side wastes your computer's resources and they can interfere with each other, each inspecting the other's activity.

Bear in mind that it’s a myth that Macs are immune to viruses!

Why is all this so critically important?

A client called me up a while ago and asked me “If we have a ransomware attack – how long will it be before we’re back up and running?”

My first question was “Have you had an attack?”

“No, but a business associate has – and they’re in real trouble.”

I reassured them.  “Don’t worry, we can have you back in action in hours.  We’ve got everything backed up.  We’ll simply lock down everything, block everyone out and then reinstall everything from backup and reconnect everyone.  It’s less than a day’s work.”

They were relieved that they were well-protected should the worst happen – and that their business downtime would be minimal.  One company that had a ransomware attack took four months to get the business back up and running; you can imagine how much that cost them!
