We are all increasingly aware of looking after our personal information well. If you are running a business, staying safe online has much wider implications. Directed attacks on SMEs are becoming more and more widespread and the National Cyber Security Alliance estimates that 60% of all hacked SMEs go out of business within 6 months.

Yet most SMEs don’t regard cyber attacks as a threat to their company. To give you some idea what it’s all about and how you can protect your data and your business, we’ve compiled what we consider essential good digital practice items into a basic Business IT Security Toolkit, ranging from the totally obvious to the more obscure.



Identify mission-critical systems, then evaluate what would happen if they were to go down. Make and regularly re-evaluate your contingency plans (Business Continuity Plans) and include multiple scenarios of IT failure. We all go into a bit of a flap as soon as even just the internet goes down. Imagine what would happen if your entire system failed. How would you continue to operate your business?


Back up. Now. Not just your computer, website and databases, but also any other data-storing device you use in your business. Backups need to be kept in a different location to the backed-up data so they can’t be affected by theft or a catastrophic hardware failure. Back up regularly, but beware of over-frequent backups that simply overwrite the previous copy: you need to give yourself time to notice a fault between backups so you don’t compound the problem.


Having secure backups is the only reliable way of getting your files or website back if you’ve been hit with ransomware (as recently seen in the WannaCry exploit) – don’t get caught with your proverbial pants down.


Review & control insider access to critical IT systems, both physically and digitally. While your co-workers might not have any malicious intent, there’s always a chance someone accesses core systems and presses a button without understanding the full implications.



Keep all applications up to date with the latest software patches, especially operating system patches and browser updates. If you’re maintaining your own website, make sure you’re always running the latest version of your platform (WordPress, Joomla, etc.) and its plugins, and install a basic firewall plugin. If you think about it, hackers have had much longer to develop exploits for older software, so those versions are far more likely to be targeted. Enable desktop firewalls and run antivirus and anti-malware applications to provide several layers of protection. Install a better, more sophisticated router to have greater, more targeted control over your internal network.


Get rid of Flash. Adobe Flash has over 100 known exploit toolkits and in 2015 had the dubious honour of winning most frequently exploited product on the web. If you have flash on your company website you might want to think about a redesign.


Assign responsibility. Chances are, all your colleagues are using your system and have various levels of access. Consider making a tech-savvy member of staff responsible for maintaining basic IT security (just remember that the buck ultimately stops with the boss) and train your staff in good practice. We recommend having regular (annual) IT security appraisals by third-party specialists so your system stays up to date and you’re not caught out. Your network could be running a rootkit or be part of a malicious botnet without you knowing!



You (and your co-workers) are a security layer. Begin by considering yourself a target for hackers and maintain a reasonable level of scepticism. Be aware of social engineering practices and have a basic understanding of phishing. Somebody could be targeting the boss specifically (whale phishing) or going after a known interest of yours or your company to entice you onto an unsafe website (spear phishing). Discourage the use of social media from work machines (you could be accidentally compromising your whole network); use private devices instead. Don’t plug cheap USB sticks that you found, bought cheaply from Asia or were given into your work system, as they might contain malware (baiting). Be aware that mobile devices are less secure than desktop computers and can be a gateway to private or sensitive information or even money. If they link up to the workplace network, they could also open the door to malicious attacks on your network. Don’t click on links in emails or texts that seem to come from a bank or institution – if you are worried, go directly to the provider and log into your account there. If friends email you asking for money, speak to them on the phone – their account has most likely been hacked. Trust nobody.


Use unique, secure passwords. Seems logical, right? However, studies found that the most frequently used passwords are frighteningly easy to guess. Having lots of passwords which are hard to remember will mean using a password manager, but this comes with the added bonus of allowing you to set up multi-step or 2 factor authentication, which is enormously effective.


Be honest about problems or mistakes, and above all don’t sit on an issue. Whether it’s a biological or digital infection, it’s important to catch the culprit early before it takes root and causes massive amounts of damage. If a problem is hushed up and remains undetected for a few days because somebody is embarrassed, a scheduled backup could overwrite your clean data and leave you with a corrupted backup which is no use to anybody! That means encouraging your colleagues to come forward as soon as they suspect something might be wrong, and discouraging finger-pointing.
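The backup advice above (keep regular backups, but don’t let over-frequent ones overwrite the clean copy) and the point just made about a fault going unnoticed for days both come down to keeping several generations of backups. The following is an added example, not code from the original article: a small grandfather-father-son retention policy with a constructed scenario in which damage went unnoticed for ten days. The snapshot dates, policy counts and the ten-day delay are assumptions for illustration.

```python
from datetime import date, timedelta

def _newest(dates, n):
    """Newest n dates (empty when n == 0; avoids the [-0:] slice returning everything)."""
    return sorted(dates)[-n:] if n > 0 else []

def select_retained(snapshot_dates, today, daily=7, weekly=4, monthly=6):
    """Grandfather-father-son retention: return the set of snapshot dates to keep.

    Keeps the newest `daily` snapshots, the newest snapshot of each of the last
    `weekly` ISO weeks, and the newest of each of the last `monthly` months.
    Anything not in the returned set is eligible for rotation or deletion.
    The older generations are what let you recover from before a fault began,
    which a single, frequently overwritten backup cannot do.
    """
    snaps = sorted(d for d in snapshot_dates if d <= today)
    keep = set(_newest(snaps, daily))
    by_week, by_month = {}, {}
    for d in snaps:                      # ascending, so each bucket ends on its newest date
        by_week[d.isocalendar()[:2]] = d   # key: (ISO year, ISO week)
        by_month[(d.year, d.month)] = d
    keep.update(_newest(by_week.values(), weekly))
    keep.update(_newest(by_month.values(), monthly))
    return keep

def newest_clean_copy(kept, days_unnoticed, today):
    """Newest kept snapshot taken before a fault that went unnoticed for
    `days_unnoticed` days (e.g. ransomware quietly encrypting files), or None
    if every retained copy already contains the damage."""
    first_bad = today - timedelta(days=days_unnoticed)
    clean = [d for d in kept if d < first_bad]
    return max(clean) if clean else None

if __name__ == "__main__":
    # Constructed scenario: one snapshot per day for 120 days, fault noticed 10 days late.
    today = date(2017, 6, 30)
    snapshots = [today - timedelta(days=i) for i in range(120)]
    gfs = select_retained(snapshots, today)
    print("retained:", sorted(gfs))
    print("GFS clean copy:", newest_clean_copy(gfs, 10, today))            # 2017-06-18
    last7 = select_retained(snapshots, today, daily=7, weekly=0, monthly=0)
    print("last-7-days-only clean copy:", newest_clean_copy(last7, 10, today))  # None
```

With only the last seven daily copies retained, every backup already contains the damage; the weekly and monthly generations are what preserve a copy from before it started.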


If you’re not overly familiar with digital practices, all this may sound overwhelming or reek of scaremongering. If we were to pinpoint the most important thing to take away from this article, it would be the understanding that personal data must be treated like money. It has a value, opens doors, can be traded and is therefore under threat from theft and misuse. This is especially significant if clients have entrusted us with their personal data, and we are responsible for its safekeeping. We would not give strangers easy access to our money, so why are we so blasé about digital information?


To finish off, we leave you with six warning signs that your IT security protocols might need re-evaluating:

• Blue screens of death

• Nobody in the office knows who is responsible for IT/website/backups

• More than 50% of your incoming email isn’t relevant

• More than 25% of incoming calls are not relevant to your business

• Non-business CDs and USB sticks in the office

• Private use of office IT equipment


Thank you to guest blogger Marina Hauer, Creative Director of Apricity Solutions Ltd based in the beautiful cathedral city of Salisbury, Wiltshire - the design superhero on a mission to hunt down and vanquish the Villains of Good Design.