For small businesses security is a major issue. The problem is that a lot of good advice stays inside the country's most experienced security professionals and companies and never reaches the SMEs that would benefit from it.
The perception remains that improving security requires huge organisational change and major investment, possibly beyond the pockets of smaller businesses.
But SMEs don't have to invest a lot of money - as long as they pay attention to the handful of big weaknesses attackers reliably look to exploit.
Here we collect some of the best advice.
1. Stop ignoring email threats
Email is the front door attackers will always try first. Why? Because it is an easy access point that reaches every employee, and a single click is usually all it takes.
It only takes one email with malware attached for an attacker to harvest your contacts and gain a foothold on the network. Attackers also spoof the display name of someone you already know, so a message appears to come from a colleague or supplier, which is how these attacks spread quickly from one company to the next.
You might be tempted to tell all employees not to open attachments from unknown contacts, which frankly is almost useless advice.
Instead, you should first look at the email system being used, whether that is Hosted Exchange or Gmail. Both can be configured to treat senders in the address book differently from everyone else (safe-sender or whitelisting rules), and both apply their own filtering to cut the volume of suspicious email before it reaches the inbox.
All recent email clients, including webmail services such as Gmail, will also treat attachments from unknown contacts as automatically suspicious, applying similarly tough rules to emails with embedded links. This is a start.
To help combat phishing, you should run phishing simulations against your own staff. Most of these services cost money, but there are a few good ones out there that don't.
We like US consultancy KnowBe4 as it offers a free online test which is worth trying out to get an idea of how well oriented a workforce is to phishing.
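The address-book check described above can be scripted against a mailbox export. The following is an added example, not code from the original article or from any of the vendors mentioned: it parses a message, flags a sender whose display name matches a known contact but whose address does not (display-name spoofing), a Reply-To that differs from From, and executable attachment types. The address book, the two messages and the extension list are constructed for the example.

```python
import os
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed address book for the example: display name -> the address the
# mail client's contacts list holds for that person or supplier.
KNOWN_CONTACTS = {
    "jane smith": "jane.smith@example.com",
    "acme accounts": "accounts@acme.example",
}

# Attachment types that should never arrive unannounced from outside (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".docm", ".xlsm"}


def check_message(raw: bytes) -> List[str]:
    """Return the reasons to quarantine a raw RFC 822 message (empty list = pass)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())

    if expected and expected != from_addr:
        # Name of someone we know, address of someone we don't: display-name spoofing.
        findings.append(
            f"display-name spoof: '{display_name}' is {expected}, mail came from {from_addr}"
        )
    elif from_addr not in KNOWN_CONTACTS.values():
        findings.append(f"sender not in address book: {from_addr}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # iter_attachments() skips the text body parts and yields the rest.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {filename}")

    return findings


# Constructed sample: a known contact's name on an unknown address, with an .exe attached.
SPOOFED_MESSAGE = b"""From: Jane Smith <jane.smith@evil.example>
To: finance@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the attached invoice today.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: the same contact from the address the address book knows.
CLEAN_MESSAGE = b"""From: Jane Smith <jane.smith@example.com>
To: finance@example.com
Subject: Lunch

See you at one.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, check_message(raw) or "no findings")
```

The display-name check is the one worth copying: filters that look only at the sending domain miss the case where the domain is unknown but the name is familiar, which is exactly what an employee glancing at the inbox sees.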
2. Assume websites are vulnerable
Exploiting flaws in ecommerce websites using SQL injection, cross-site scripting and the like is another absolutely standard way to attack a company.
If you run a website, you should point a vulnerability scanner at it to find the injection and scripting flaws before an attacker does.
Numerous website vulnerability scanners are available from Qualys, AlienVault and Acunetix (most of which offer free trials), while free open source tools abound, although these require more expertise. Tools such as Vega, w3af and sqlmap are good places to start.
3. Disable risky software
Most work PCs run far too much software, some of it installed by employees without admins knowing anything about it.
This is incredibly risky, but luckily much of it can be remediated simply by removing the commonly targeted software with a long history of exploited vulnerabilities.
A large share of exploit-based attacks have targeted three pieces of software: the Flash browser plug-in, Adobe's PDF Reader application and the Java Runtime Environment (JRE), particularly outdated versions left installed after an upgrade.
If you remove and uninstall them then you remove a large chunk of the risk attached. You'll probably be reluctant to remove plug-ins you actually still use, but if you need PDF capability, for example then the latest browsers have built-in a sandboxed viewer without the need to load the full program or even download the file.
So, at the very least, plug-ins such as Flash should be set to click-to-play, which requires the user to run them manually on each page.
4. Use encryption well
No technology is more often invoked as a simple way to improve security than encryption, but using it is not a simple panacea.
The first challenge is that encryption is often expensive, proprietary to specific applications and, of course, the keys used have to be stored somewhere secure too.
However, encryption can still be useful for stored data, particularly mobile devices with platforms such as iOS and Android offering secure encryption as standard on recent versions. Business laptops will always be offered these days with Full Disk Encryption (FDE) as an option, one the SME should always take. USB sticks should also always be encrypted.
Small-scale desktop encryption is a bit more complicated, more so now that the famous stalwart open source program TrueCrypt is no longer maintained and is not considered trustworthy (VeraCrypt, a fork, continues the project). Microsoft's own tool is BitLocker, built into the Pro and Enterprise editions of Windows 10, but there are other tools which tend to work in different ways, from file-by-file encryption to creating encrypted volumes.
Symantec offers encryption products, and although relatively expensive does offer some central administration.
5. Secure online banking accounts
One of the main targets for attackers is the machine used to access online business banking, the better to empty the account. This type of attack is now epidemic, with thousands of pounds lost at a time. There is no easy defence, but thinking laterally, one option is to use a dedicated machine running a minimal install to access these services and nothing else.
Most SMEs taking this approach either use a Linux machine or a stripped-down PC but another option is to use a cheap Google Chromebook.
Capable of being stripped back to a basic Chrome browser experience quite easily, they don't run the Windows executables that banking malware relies on, which removes the usual delivery route for that kind of infection.
The only limitation is that some don't come with a physical Ethernet port, something we'd recommend. Note: online banking should always be used with a full two-factor authentication setup (i.e. not authenticated via SMS) regardless of endpoint. Note also that Chromebooks are not invulnerable, simply a lot less vulnerable when used in this way.
6. Get serious about passwords
It seems like a simple thing, but password hygiene is an extremely important discipline for all businesses and employees to master.
Everyone knows passwords should be long, strong and changed often, but what does this mean in practice? How often is enough and how long and complex will make the grade?
The most important thing is simply to change the passwords that grant some kind of admin access often, and to make them long and random enough that an attacker who gets hold of a hash cannot crack it before the change. Doing this minimises the window in which a stolen credential is useful.
The only way to do this reliably is to automate the process using a password manager such as LastPass Enterprise, Centrify or Dashlane, and to protect the manager itself with 2FA as an additional layer.
For our full list of best password managers, see here.
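On the question of how long and complex is enough, the arithmetic is simple and worth seeing once. The following is an added example, not from the original article or from any password manager: it generates passwords and passphrases with Python's secrets module (the random module is not suitable for this), reports the strength as bits of entropy, and checks a constructed minimum policy. The policy thresholds and the tiny word list are assumptions for the example.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for a real diceware list, which has 7776 words.
WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "hollow"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_policy(pw: str, min_length: int = 16) -> bool:
    """Assumed policy: at least min_length characters and three of four classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_length and sum(classes) >= 3


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from a CSPRNG; alphabet must span at least three classes."""
    if length < 4:
        raise ValueError("too short to satisfy the policy")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, min_length=length):  # reject the rare single-class draw
            return pw


def generate_passphrase(words: int = 6, wordlist=WORDLIST) -> str:
    """Diceware-style passphrase; strength is words * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20, len(ALPHABET)):.0f} bits")
    print("8 lowercase letters:", f"{entropy_bits(8, 26):.0f} bits")
    print("6 diceware words:", f"{entropy_bits(6, 7776):.0f} bits")
    print(generate_passphrase(), f"({entropy_bits(6, len(WORDLIST)):.0f} bits from this tiny list)")
```

The numbers are the point: eight lowercase letters is under 40 bits and falls to an offline attack in seconds, twenty random characters from the full keyboard is about 131 bits, and six words from a proper 7776-word list is about 78 bits while still being typeable. Nothing here helps with reuse across sites, which is why the article's advice to use a manager stands.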
7. Rationalise patching
Patching of endpoint software is a major chore for most businesses, however, it is a necessary evil.
While enterprises buy complex systems to manage patching to defined timetables and policies, small businesses can still try out free vulnerability and patching scanning tools such as Retina, Patch Manager or Microsoft's Baseline Security Analyzer (MBSA), the latter Windows-only.
8. Disable admin rights
Admin rights represent a major risk to SMEs, because they allow the user, and any software running as that user, to do things that put the machine in peril, such as overriding security settings or installing non-approved software.
Versions of Windows prior to Windows Vista granted users admin rights by default, which allowed malware writers to request the elevated privileges they needed without many barriers.
In Vista, Windows Server 2008 and Windows 7 this was tightened up using something called User Account Control (UAC), a much-criticised system that threw up requests for elevation to the user.
Many simply clicked yes and for good reason – legacy apps were designed to have admin rights to carry out certain actions so users needed this layer of control from time to time to stop applications failing to work.
Windows 8 and 10 keep UAC, but the right model for a business is simpler: everyone works in a standard user account, and the only way to elevate is to supply the credentials of a separate administrator account when UAC asks for them. No admin account, no elevation. The built-in Administrator account is disabled by default on client versions of Windows and should stay that way; business machines should use a separately named admin account that is never used for day-to-day work.
9. Monitor cloud storage
Not everyone sees shadow IT and the cloud as an unmitigated risk but the potential for trouble is obvious.
Generally, cloud services are a major boon for SMEs but small organisations should be careful about using them naively. When it comes to storing an organisation's files in the cloud, these will normally be encrypted by the provider, e.g. Dropbox, to a high standard.
However, the provider holds on to the key and can, in certain circumstances, access them which is why third-party encryption systems such as Boxcryptor (which works with Google Drive, Dropbox, OneDrive and SugarSync) have sprung up to allow users to retain control over their own keys.
Most important of all, cloud storage is not the same as backup and should not, for example, be viewed as a way of defeating ransomware attacks that lock up a victim's data.
If ransomware encrypts data on a local PC and its attached storage drive, the sync client will faithfully copy the encrypted files to the cloud service in that state. Cloud storage will offer a set number of days of file versions, but reinstating these file by file can be incredibly time-consuming and will cause problems for sharing. A real backup is one the PC cannot overwrite.
10. Dispose of old hardware securely
Old storage and smartphones should be run through a reliable wiping process before being sold second hand or disposed of.
You should look at disk wiping software. We like DBAN: it is free, open source and effective at overwriting data on conventional spinning hard drives. It is not the right tool for SSDs or other flash storage, where wear levelling means overwrite passes do not reliably reach every cell; for those use the drive's own secure erase command or, better, keep the drive encrypted from day one so that disposal is a matter of destroying the key. Smartphones should be factory reset with device encryption enabled, which has the same effect.