Cyber security is big news - no surprise when cyber crime cost the equivalent of £210 per person in the UK last year.

Data loss and cyber breach leave companies needing to fix their websites, their systems and, most damaging of all, their reputations. In the most extreme cases this can seriously disrupt trade, lose customers and destroy businesses.

Get your profile on our website, use of our endorsement icon and a host of other benefits when you become a Which? Trusted trader.

How to protect your business from cyber attack

Cyber attacks will take advantages of the weak points in your systems. That could be anything from passwords, to software, to people. Not every cyber threat is down to an anonymous hacker remotely accessing your computers. Your employees can leak information – accidentally or maliciously – or your suppliers could pass on information about you and your working practices to a competitor.

There are some basic steps that everyone can take to protect their businesses and the data they hold.

1. Use strong passwords made up of three random words 

Hackers find it more difficult to break passwords that combine three random words, such as ‘dogbrightsquare’ than single words. Adding symbols and numbers to a password can make them even more secure.

Never use any of the following in passwords:

  • Your partner’s name
  • Child’s name
  • Family member’s name
  • Pet’s name
  • Place of birth
  • Favourite holiday destination
  • Something related to your favourite sports team

2. Use separate passwords for your email, social media and online banking

These areas are the most useful to hackers, so the most important to protect. If you struggle to remember different passwords, try using password-managing tools such as Lastpass. These remember all your passwords for you, and you access them using a two-step verification process, similar to the systems used by banks or Google.

3. Always download software updates

If you update your software as soon as you’re prompted, you'll have the latest protection against hackers and viruses.

4. Delete any suspicious emails

Phishing is widely used by hackers to insert viruses on to your systems , so they can access information more easily. Do not click on any links within unfamiliar emails, or offer up any information unless you are absolutely sure that the request is legitimate. If in doubt about an information request via email, contact the company or individual directly to check.

5. Use anti-virus software

Check the Which? guide to anti-virus software to find out more about what’s available. The most effective software is not always the most well known.

6. Access government advice and training

The UK government is so concerned about the cyber threat to business, it provides free online training courses to help you and your staff protect against cyber threat. It has also created the Cyber Essentials scheme, to help you to increase and maintain the level of cyber security in your business.

7. Control who has access to sensitive data

Ensure bank details or company information is password protected and restricted to those who need to have access.

8. Ensure staff do not take company data off the premises

Train your staff so they understand about data handling and the importance of cyber security.

9. Monitor online activity

Setting up a monitoring system should alert you to any problems and help you resolve them more quickly.

10. Put a plan in place to cover you if the worst were to happen

Imagine your IT systems went down – how would you be able to process orders, communicate with customers, issue invoices or carry on the rest of your working processes? If you had a data breach, who would you need to inform? Who would you call to get your IT working again? Thinking about these issues in advance will provide a valuable starting point if you are faced with a cyber breach.

The government has issued specific guidance on cyber security risk management for small businesses if you need more information.

Protect your data

The UK Data Protection Act requires you to protect data you hold and process about your customers, suppliers and staff. This includes all personal information – names, addresses, salaries, bank details and any other information that could be used to identify individuals.

You must:

  • collect only the information you need for a specific purpose
  • keep it secure
  • ensure it is relevant and up to date
  • hold only as much as you need, and only for as long as you need it
  • allow the subject of the information to see it on request.

Your business can be fined if you fail to comply with these basic principles. For more information, the Information Commissioner’s Office has a guide for small businesses.

Phishing for personal information can take the form of fake emails, offers and coupons on social media. If your business name is used as part of a hoax, this is potentially very damaging for your reputation. Equally you need to ensure that you, as a consumer, don't give away your details to fraudsters who are looking to steal elements of your online and offline identity.

In May 2018, the European General Data Protection Regulation (GDPR) will supplement the Data Protection Act. The GDPR is a piece of legislation concerning the holding and processing of personal information, designed to increase data privacy. It places further responsibility on businesses to gain specific consent for the collection of data, plus tougher regulations around processing and moving that data around. There will be huge financial penalties for getting this wrong, making it even more important to ensure your systems are watertight.

The cost of cyber breaches

UK government figures show that 60% of small businesses experienced a cyber breach in 2014. In the worst cases, this resulted in costs of between £65,000 and £115,000 on average. Smaller businesses are just as vulnerable as larger companies – sometimes more so, as they won’t necessarily have the same level of resources dedicated to cyber security.

Several traders have already found this out the hard way. A carpenter in Bristol had his email hacked, and the hackers sent out invoices to his customers, diverting payments to their own accounts[1]. A similar fraud was perpetrated by hackers who accessed the email of a building company[2]. In both these cases the customers ended up out of pocket – something that is hugely damaging to a business’s reputation.

Richard Parris, Which? head of computing comments: ‘As a customer, it's hugely important to feel confident with the online security used by the companies you deal with by email or on their websites. Ultimately, you're giving them your business, and that means all the right protections need to be in place to ensure your personal and financial details will be taken care of securely.’

More on this…