Expert Shares Essential Cybersecurity Strategies to Protect Your Business

August 2024 by Dr Phil Legg, expert at Independent Advisor Best VPN

• The global average cost of a data breach increased by 10% from the previous year, reaching £3.5 billion in 2024.

• Use Mobile Device Management and enforce Two-Factor Authentication across all platforms.

• Implement VPNs for secure connections and ensure regular data backups, preferably off-site or in the cloud.

1. Mobile Device Management (MDM) – Microsoft Intune and Apple both provide MDM capabilities for devices used within an enterprise environment, which allow IT administrators to manage devices in the unfortunate case of theft or loss. MDM also enables teams to ensure that devices are used for their intended business purposes, and helps keep security patches up to date on individual employees' devices.

2. Two-factor authentication (2FA) – Online enterprise platforms such as Microsoft 365 and Google Workspace both support 2FA, meaning that users not only require their password to log in, but also need to authenticate their login using a second factor such as a mobile phone authenticator app or a physical security device. In the event that a password is compromised, 2FA provides additional account security to keep your logins safe from intruders.

3. Password Management – Where users are required to maintain accounts for multiple online services, a password manager can help to curate and store unique passwords for each service. With unique passwords for different services (web sites), even if one is compromised and learnt by an attacker, other accounts are more likely to remain secure.

4. Virtual Private Network (VPN) – Last year alone, more than 400,000 cases of fraud and computer misuse were recorded, with 46% of UK businesses experiencing a cyber attack. Providing a secure VPN is essential for maintaining online privacy and security. At its core, a VPN establishes an encrypted connection between your device and a remote server, keeping your internet activities private and safer from unwanted tracking.

5. Physical security – Ensure that employees have clear guidance on maintaining the physical security of their work assets, including laptops and other devices with sensitive information or access.

6. Shoulder surfing – Just as physical security is critical, ensure staff are aware of the threat of shoulder surfing, where a stranger can gather your private information by secretly watching your screen. This is especially likely when working in public spaces, such as cafes and trains. Never reveal sensitive data, like a password or credit card information, on a laptop screen in a public space.

7. Business continuity planning (BCP) – If a widespread incident were to occur across your IT estate, would you have a plan B? How would the organisation operate without email, or without access to specific systems? Ensure that a BCP is in place that is both realistic and actionable, with clear guidance on how it would be implemented if necessary. Understand the operational cost to the business if such an event should occur, and assess the expected likelihood of it occurring. Both should factor into your risk management strategy.

8. Backup and Cloud Storage – Understand and classify the importance of your data assets, and ensure that off-site backups are maintained on a regular basis, especially for any data that is crucial for your business to function.

In the case of natural phenomena (e.g. earthquake, flooding, hurricane), consider the use of cloud storage to provide off-site backup. Microsoft, Google and Apple all provide options for this, as do other third parties. This reduces the risk that comes with storing data on a single physical device. However, before you create a backup, also consider the classification of the data and whether it is appropriate for it to be stored within a cloud environment managed by a third party.

9. E-mail usage and phishing attacks – Ensure that staff remain vigilant about e-mail usage and potential phishing attacks. Provide training so that staff act with caution when deciding whether to click links within unexpected emails. Providers such as Microsoft are continually improving their spam recognition and phishing detection, but scrutinising your inbox is still important. If ever in doubt about whether an email is legitimate, consider contacting the sender by phone to confirm that the email is genuine.

10. Social media – Provide training to staff about the use of social media in the context of the business. LinkedIn and other platforms (including company websites) can be exploited by attackers to gain knowledge about organisations. Ensure staff remain vigilant to such threats, including the potential to be befriended by online contacts via social media and lured into revealing sensitive information about workplace activity.