Original Article
May 14th, 2024


Reducing risk in a business and keeping systems secure

Author: Matt Nally, Survey Booker, CEO

Whether you are a sole trader or a large enterprise, it’s beneficial to make your systems more secure than the average firm so that malicious actors move onto lower-hanging fruit. Drawing from his firsthand experience in implementing cybersecurity measures within his own business, Matt Nally, CEO of Survey Booker, offers invaluable insights to help you achieve quick wins in enhancing your cybersecurity.

Cybersecurity is an easy topic to ignore. Most think “It won’t happen to me” or “I’m just a sole trader”, but even if you’re small, you’re not unknown. From our podcast on cybersecurity, you’ll know that robotic scanners quickly pick up on everything online and you’ll be somewhere in a hacking funnel.

If you aren’t implementing some basic security practices, you risk being the low-hanging fruit for the sake of a few minutes’ effort. It’s surprisingly easy to be more secure than the average when so many ignore easy solutions to protect themselves. If you’re thinking of moving on to another article, you’re either following the steps below or the low-hanging fruit. 

What are the key risks to your business?
There are two key risks to your business: people and systems. 

Protecting your systems
In today’s interconnected world, the risk of cyber threats poses a significant challenge for businesses, regardless of their scale. From data breaches to ransomware attacks, the potential consequences of inadequate cybersecurity can be detrimental to a company’s reputation, financial stability, and overall operations. To protect your business from these risks, it is crucial to implement robust cybersecurity practices.

That doesn’t mean going back to pen and paper, storing paper files and sending letters by carrier pigeon! Hard copy records have their own risks of being lost, damaged or destroyed. We simply need to look at how you can protect yourself.

For optimal benefits to your business, consider which systems you use that would have the greatest impact on your day-to-day operations and reputation if they went down. For example, if someone was able to hack into your emails, they could:

  • send emails pretending to be you
  • make payment requests to customers that appear legitimate
  • reset passwords for your other systems and gain access

Hence, prioritising maximum security measures for your email system is paramount. Your CRM would be the same as it’s central to running your business efficiently. Whereas, software for designing marketing imagery or logos may be less of a concern.

So, how can you protect your online systems easily?

Implement a strong password policy
Strong passwords are key as your first step of defence. The golden rules:

  • Use a secure password containing letters, numbers, and special characters.
  • Don’t share passwordseach user must have their own login.
  • Don’t reuse passwordsif one password is in a data breach, all your systems are at risk
  • Don’t use similar passwordsone small tweak is easy to brute-force attack (where hackers try lots of similar variations automatically)
  • Don’t force periodic password resets. This might seem counterintuitive, but the National Cyber Security Centre’s advice is not to regularly force password changes. You are more likely to set a weaker password, so you remember what it was changed to. You should change passwords if you think it has been breached.

Does it make that much difference? Here is a graph of how quickly different passwords can be guessed in a brute-force attack (guessed at speed by a computer). Your password complexity takes you from an easy instant hack to virtually impossible.

*Quick tip: Passwords in the green would be hard to remember and type in each time! Implement a password manager such as LastPass or 1Password. These often have a free tier for individuals. These will generate complex passwords, store them securely and prefill them into login pages so you don’t need to remember them!

Lost your device? You can login on another device to your password manager to revoke access to the lost device.

Implement Multi-Factor Authentication (MFA)
It might take 7qd years to brute-force your password. However, passwords alone are no longer sufficient to protect your business from unauthorised access. If someone can guess it or find it in breached data, they are straight into your account and off they go.

Implementing multi-factor authentication (MFA) adds an extra layer of security by requiring you or your team to provide additional authentication, such as a fingerprint, a unique code, or a token, in addition to the password. That way, after your password is entered, you still have one step to go.

MFA significantly reduces the risk of your account becoming compromised even if passwords are stolen or cracked. Survey Booker helps protect you by requiring a minimum complexity of password and offers the option of 2FA and Single Sign On.

Practice regular software updates and patch management
Yes, we’ve all heard it before. And yes, we all like to keep pressing ‘snooze’ or ‘try again tomorrow’ on that update button because we’re in the middle of something. However, outdated software often contains known vulnerabilities that cybercriminals can exploit.

To minimise this risk, establish a regular update and patch management process. Keep your operating systems and applications up to date with the latest security patches provided by vendors. Enable automatic updates wherever possible, and regularly check for updates manually if automatic updates are not available.

Regularly back up and protect data
Data loss can be devastating for a business, revealing what you are doing, when and who for. If your data is subject to a ransomware attack or simply all gets deleted, backups ensure that you can easily restore and restart. Of course, that’s only helpful if you back up your data frequently, otherwise, you’ll still be missing a lot of information.

Again, it’s easily ignored but a nightmare when you need to recover your information and you’ve neglected it. Days and weeks go by very quickly without you realising you’ve not made any manual backups!

Emails and file storage can easily be set to automatically backup using different systems online, so you don’t have to remember to do it yourself. Systems like Survey Booker also regularly back up data for you.

Use a VPN when using public Wi-Fi
As a surveyor frequently on the move, utilising a VPN (Virtual Private Network) is essential when accessing public Wi-Fi networks. While you’re likely to stop at places like coffee shops, the majority of public Wi-Fi hotspots are vulnerable to security breaches. This exposes you and your data to potential risks, as malicious entities can easily intercept your device’s activities on these networks.

A VPN enables you to encrypt traffic to and from your device and reduce the risk of a malicious actor monitoring what you are doing. This means you can still use public networks but without taking as much of a risk.

Choose your suppliers wisely
Your suppliers not only deliver services to you but also handle your sensitive data. Hence, the security credentials of your suppliers carry significant weight, indicating their commitment to safeguarding your data. Engaging external auditors to assess their practices underscores their dedication to maintaining robust security measures. Suppliers lacking accreditations may overlook vulnerabilities in their systems or processes, potentially exposing your data to risks.

What should you look for? An internationally recognised accreditation is ISO 27001. It’s a rigorous process that looks at all aspects of a business’s security, from software to people.

Why does this matter? Cybersecurity is one of the hottest topics at the moment. If a key supplier to your business cannot operate due to a cyber-attack, you can’t either, so you want to know they’re doing everything they can to keep you running smoothly.

External certifications help you ensure suppliers are meeting specific standards as they undergo audits by accredited third parties. This means you can choose suppliers with your due diligence done for you. For this reason, Survey Booker maintains ISO 27001 certification and undergoes multiple audits each year.

While you may have fortified your systems, the most significant risk to their integrity remains you and your team. After all, we’re all susceptible to human error. Instances such as falling prey to phishing scams, taking shortcuts, or setting weak passwords for convenience are common pitfalls. So, how can you ensure the security of both yourself and your team?

Educate and train employees on cybersecurity best practices
Provide regular and comprehensive cybersecurity training programs that encompass a wide range of topics, from best practices to recognizing common threats and effectively responding to security incidents. Ensure the training is interactive and engaging, using real-life examples and case studies to reinforce the importance of security practices. This makes it easier to spot a suspicious-looking email or form. Additionally, always provide explanations for the rationale behind security measures, as understanding the “why” is pivotal in fostering behavioural change.

Clear security policies and guidelines
Develop clear and concise security policies and guidelines that outline expectations and responsibilities for employees regarding information security. This should cover everything from password policies, clear desk policies and leaving devices unattended.

Phishing simulations and testing
Phishing is when ‘attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware or direct them to a dodgy website’ (National Cyber Security Centre).

How do you test if your team can spot a malicious email or text? Regularly conduct phishing simulations and testing exercises to assess employees’ susceptibility. These are where employees see an email and fall victim to not realising that it is a malicious email designed to harvest credentials. These simulated attacks can help identify areas where additional training or awareness is needed so they don’t fall victim to a real one.

Restrict what your team has access to
Team members should only have access to data they require. Regularly review and update access permissions, particularly during role changes or when employees leave the organisation. This proactive approach serves to prevent an employee from maliciously making changes or deleting data as many attacks can start from within. Moreover, it safeguards your business in the event of compromised accounts, as hackers face limitations in making system changes with reduced access levels.

Mobile device management
It happens more often than we’d like to admit – people misplace or lose their devices all the time. Whether you’ve accidentally left your tablet on the roof of your car, or your phone has fallen out of your pocket on a train, these incidents are commonplace. A mobile device manager allows you to connect your company devices to the device manager and you can remotely lock or wipe a lost device so that any data contained on it can’t be accessed by a third party. The risk of losing a device is also why you should store all your data on the cloud and not on the device itself!

Protecting your business from cyber threats requires some planning. While it may be tempting to overlook this aspect and hope for the best, implementing quick and effective measures now can significantly bolster your security. Investing just a couple of hours now could potentially save you hours of headache in the event of a data breach.

What are the easy wins you can implement after reading this article:

  • Implement a password manager and strong password policy
  • Implement multi-factor authentication
  • Check if the certifications of suppliers you are using and consider moving to accredited suppliers

Want to learn more about mitigating business risks?
Check out our podcast where we have episodes with cybersecurity specialists, ISO 27001 auditors and more. They share their insights on how you can best protect your business and help keep yourself safe and secure.

Survey Booker is the industry’s leading CRM and Survey Management System. Whether you are looking to reduce the amount of time lost on admin, grow sales, collaborate better as a team, ensure all your compliance is handled, provide a better experience to customers or increase profitability, our customisable system adapts to your needs. Contact Survey Booker to find out more