Seven simple cybersecurity steps to keep your business safe online

Cybersecurity
Online Safety
by Paul Duffy
12 Apr 2022

There have always been fraudsters and swindlers – and there probably always will be. In today’s always-online world, these criminals now employ more sophisticated means of separating you from critical passwords, personal data and money. The bad news is that cybercrime is growing exponentially every year.

Recent research by accounting firm Grant Thornton estimated the total losses of cybercrime to the Irish economy at €9.6 billion in 2020.

It’s not just global corporations and large government agencies that are being targeted. Small-to-medium sized businesses (SMEs) regularly find themselves in cybercriminals’ crosshairs.

According to our .IE Tipping Point 2022 Report, as many as six in 10 SMEs don’t take any precautions to protect their sensitive data – e.g. financial transactions, customer data – or they simply don’t know how.

None of the above quoted statistics are meant to scare you away from having an online presence for your business.  But they do serve as stark reminders of why it’s critical to secure your business against cyberthreats. If not, you risk losing revenue, customer confidence – and more.

How SME's protect consumer data

Let’s look at a few common cybersecurity and cybercrime terms

No doubt you have probably seen each of these terms in various news articles and blog posts, but what do they really mean to the cybersecurity of your business? Let’s have a closer look.

  • Data encryption: Encoding your private information or data via software so that it can’t be read or accessed by third parties without a special decryption “key” that only you (or trusted parties) hold.
  • Phishing/smishing: Phishing generally takes the form of a fraudulent email designed to trick users into giving up passwords or credentials. Smishing is similar in nature to phishing but is performed via fraudulent text messages that contain links to malicious websites.
  • Malware: Harmful software that is commonly spread via email attachments from legitimate looking senders, or through links to a malicious website.
  • Ransomware: A form of malware that’s designed to prevent you (the user) from accessing files or data on your system unless a fee – or ransom – is paid to restore access.

Seven simple ways to keep your small business safe online

Yes, cybercrime poses a very real threat to your business. Here are seven simple, but critical tips that you can take to improve your cybersecurity now.

1. Keep all your system software up to date

 

Software updates are easy to ignore and put off indefinitely. But they can play big role in ensuring your devices are secured. Yes, being repeatedly prompted to update your PC or mobile device can be irritating or intrusive, but these updates often contain the latest (and strongest) security patches. Old operating systems and software versions can be more easily exploited and accessed.

Think of it this way: Hardware and software manufacturers are constantly playing a game of one-upmanship with cybercriminals, with each trying to outwit the other. When cybercriminals find a gap or vulnerability to exploit, a company like Microsoft will swiftly develop security patches in response.

One of the simplest ways to keep your software up to date is to enable automatic updates through your device’s options or settings menu. If time and productivity are a concern, tell your device to perform critical updates during off-hours.

2. Install antivirus software (and make sure it’s turned on!)

 

Modern antivirus software is designed to root out and proactively remove malware threats from your computer. That’s why it is so important to have your antivirus enabled and resist the temptation to turn it off – even if periodic virus scans slow down your system.

Modern Windows and MacOS (Apple)-based systems include good, built-in antivirus software that is up to the task of handling the most common threats. Even better – this antivirus software can stay automatically up to date alongside your system.

If you’d rather bring in antivirus software of your own choosing, Avast, Bitdefender, Sophos and Norton are among the top-rated and most popular providers.

Each come with their own unique features and offer free trials. So, be sure to compare a couple of options before committing to a paid subscription. It’s worth noting that the onus is on you to keep the antivirus software up to date, as recommended by the provider, which is an important step.

Whichever provider you choose, make sure it protects against viruses, ransomware, spyware, adware and malware.

Cybersecurity

3. Use strong, unique passwords

 

Password protection provider Nordpass recently revealed that the most-likely-to-be hacked password (in a study of 50 countries) was “123456.” The same research showed people were also highly likely to use their own names as passwords. Even more distressing? About 84.5% of all passwords used globally can be cracked by professional hackers in under one second.

So, what qualifies as a strong password by today’s standards?

Well, a strong password should be at least ten characters in length and include a combination of upper and lower-case letters, numbers and symbols.

Avoid using any easily discoverable personal details – including names of family members, pets, your hometown or birthdays. As convenient as it might be, you should also avoid reusing the same password for multiple accounts.

For added security, Google’s Chrome or Apple’s Safari search engines can generate unique, impossible-to-guess passwords – made up of random numbers, symbols and letters – that will fill in automatically for you. This functionality can also be met by Password Managers such as LastPass or 1Password.

4. Educate your employees on cybersecurity risks

 

Security tools and passwords aside, one of your single best defences against cybercrime is security awareness and education. Enrol yourself and your employees (if you have employees) in an accredited cybersecurity training course from a reputable organisation.

Investing in good quality training can help make cybersecurity part of your business’s culture and can go a long way towards making your employees far more aware of potential threats.

5. Regularly back up and encrypt your data

 

Any essential business information, e.g. financials, customer data – should be regularly backed up to the cloud or to an external drive in a different location. Fortunately, there are several strong, cloud and software-based solutions – like, Rewind, Acronis and iDrive – that cater specifically to SMEs and can be easily set up and managed without needing a dedicated IT partner.

An important security measure is to encrypt your backups, as that will provide further protection for your data beyond a simple password. Many data backup solutions already offer built-in encryption tools, or the option to store encrypted backups.

6. Use two-factor authentication to keep your accounts safe

 

Two-factor authentication is one of the most simple and effective ways to protect yourself online. The biggest benefit? Two-factor identification adds an additional barrier for cyber criminals that might have been successful in stealing your primary password or credentials.

In most two-factor identification systems, a separate, randomly generated SMS code is sent to your phone (or device of your choosing). Unless cybercriminals can access that code on your phone, your accounts stay secured against any attempted breaches. Or even better would be to use an Authenticator app, which generates a one-time code that you use to confirm that it’s you logging into a website or service.

Your Google account, or Apple ID are prime examples of platforms that give you the option to enable two-factor authentication. A lot of people tend to use their Google account to sign up to other third party services so it is very important to enable two-factor authentication on it.

Google Authenticator and Authy are both excellent two-factor authentication apps for your business. Another option to consider is Yubikey, which is a USB device “biometric authenticator” which uses your fingerprint to authenticate.

7. Stay alert against social engineering scams

 

The easiest way to describe social engineering is that it’s a form of psychological manipulation – often involving persuasion – with the aim of tricking you into giving away sensitive information. Cybercriminals will target things like your Personal Public Service number (PPSN), passwords to your email or social media accounts, and online banking information.

One of the most common forms of social engineering is phishing. In a typical phishing scenario, you may get an email that appears to be legitimate and contains a file to view, or a link to click. Often, these emails are accompanied by urgent-sounding, or sometimes-threatening, calls to action. For example, “Your account has been compromised! Click here to recover your password,” or “Your package has been detained at customs. Pay duty fees now.”

How can you avoid phishing? Never assume an email is what it says it is until you know otherwise. Also be wary of senders that you don’t recognise, or with suspicious looking email addresses and domain names.

For example, the Revenue will never send you emails threatening fines or imprisonment over unpaid taxes.

By following these seven, simple cybersecurity steps, you can do a great deal to improve your business’ resilience to cyberattacks. While nothing will make you completely safe, most cybercriminals will focus their efforts on easier targets who are far less diligent.

Building trust with your customers

If you manage a website which processes customer information be sure to protect it with a security certificate. Customers need to feel safe and secure when purchasing online and will look for websites whose address begins with a https (not http) and displays a lock symbol. This indicates that a security certificate is installed. The majority of .ie websites (54%) have a security certificate, which ensures that consumers are protected from having their personal details stolen by cyber criminals during an online transaction.

If you have a .ie domain, learn more about additional protections such as DNSSEC (this adds an additional layer of cryptographic security to a domain) and Registry Lock (this protects a domain from malicious or accidental changes).

Keeping the .ie namespace safe

At .IE, protecting consumers, our customers and SMEs is important to us. We take a number of steps to keep the .ie domain as safe as possible and this ensures the level of security threat to .ie websites is a lot lower than .com.

Only individuals and businesses with a provable connection to Ireland can register a .ie domain, and all applications are manually reviewed to ensure that they meet this requirement. This process keeps Ireland’s country domain largely free from many of the quick-moving scams and other illegal activities that unmanaged domains, such as .com, cannot control as easily.

We proactively tackle technical abuse in the .ie namespace and are dedicated to fighting malware and phishing.

  • We work with a number of third parties, including regulatory bodies, to ensure the speedy removal of fake or illegal online stores and provide help to individuals and businesses that have been victimised by cybercriminals.
  • We use the services of Netcraft, who provide internet security services, including cybercrime disruption, application security testing and automated vulnerability scanning.  This service allows us to proactively identify online abuse issues, such as websites that are hosting malware, phishing or botnets.
  • We do a security scan of .ie zone file every month. Approximately 50 websites per month are identified as having security vulnerabilities. We provide this information to our Registrars (who you bought your domain from) who then contacts the domain holder and advises them action needs to be taken.

Further reading

Be sure to explore our other resources and content on our SME Start and SME Evolve pages.

Paul Duffy is our Systems Administrator in our technical services team and a subject matter expert on the Network & Information Security Directive (NIS2).