Small Business News | Blog | UK | Workhorse

Hacked? Stolen Details? Advice from NCSC

Written by Alison Prangnell | Oct 25, 2019 10:37:34 AM

As they cyber security professionals regularly say, 'it's not 'if' but 'when'.  We are all in danger of our details being stolen but what do you do when you suspect they have?  It's common that smaller businesses don't have their own in-house cyber security expert so for both you and your employees, it is worthwhile getting to know the best approach when you suspect something could be up. A recent update from NCSC highlights what you can do.

Why this is important to you and your team

Do you have a password policy in your business?  You wouldn't be alone if you didn't.  All too often we rely on simple passwords for the fear of forgetting them, worse still team members have been known to use the same password for multiple systems, or even worse... the same password as their home accounts.  Seems simple, but it happens, a lot and it means a hacker can steal your personal details and then get into your work accounts, paralysing your business.

A few top tips to keep your business passwords secure:

  1. Password Managers
    Password Managers like 'LastPass' mean you don't have to write a password down and that you can share access securely to an account within a business without sharing the password.  You can also choose to have an encrypted password generated by the software, this will have no relation at to all your partner, pet or date of birth!

  2. Separate Work and Home Accounts
    It's vital that no-one in your team uses the same password for work as at home.  Or uses your work email for personal accounts.  One example is LinkedIn which blurs the line between personal and business.  Essentially the data and account belongs to your employee but often they are using it to generate business.  What is your guideline for this?  If they are using a work email address, it might be better to insist they use an encrypted password.  Why? A couple of years ago LinkedIn was hacked and the account details and user names and . passwords were stolen, hundreds of thousands of them around the world.  This list can still be bought on the DarkNet.  More than one top FTSE company found themselves vulnerable when it was highlighted that hundreds of their staff had used their work email address with a personal password that was easily unencrypted.  And the truth is, passwords can be unencrypted in milliseconds with specialist software partly because we all tend to use familiar patterns to construct them.  Any of your passwords feature a pet, spouse or child's name?

  3. Limit the Number of Systems
    Limit the number of systems people have access to 'need-to-have' and the level of privilege they have, e.g. access to accounts/invoicing.  A lot of small businesses are juggling a great many systems to get their work down and data has a tendency to get output on spreadsheets.  Reducing the number of apps and systems used will also increase your security.  One centralised system (like Workhorse) pulls everything you need in one place with hierarchical privileges meaning there aren't a dozen or more passwords flying about for different systems, all your business critical information is held in one place. 

  4. Have a Process
    In a lot of smaller businesses your greatest concern is simply serving your clients, not writing policies for something that seems like a remote possibility. But two things are important:

    1. Speed of response - the sooner you action any suspicion of hacked accounts you need to take action. There is a lot of advice on how to take action on the NCSC website with a link below. 

    2. Accountability - larger organisations are now realising that as they spread the accountability for cyber security among their staff, the greater their resilience against attack, over 90% of which is via email.  The biggest obstacle for this has been the fear of putting one's hand up in case you are penalised.  The mindset needs to be changed that taking action and noticing is seen as a positive thing, even if it is a false alarm and has taken a couple of hours of your time; better that than your systems being shut down. 

    3. Have a process - make sure you and your staff know what to do if they see something suspicious and how to recognise something suspicious.  

    Some advice can be found here in the NCSC's article for recovering hacked accounts:

    https://www.ncsc.gov.uk/guidance/recovering-a-hacked-account

Source: www.ncsc.gov.uk - National Cyber Security Centre