Richard Grey

Director of Information Security

The internet has brought us endless wonders. We can find mountains of information on any topic, conduct business all over the world and tirelessly keep up with the Kardashians on Instagram. But it’s not without its challenges. Scammers have grown fond of the internet as a means to steal information and defraud small businesses. That could come in the form of stealing your financial information to buy things with your credit card or hack into your cloud storage account or computer systems and encrypt your files until a ransom is paid.

While online threats may have become more and more advanced over the last two decades, a lot of the steps small businesses need to take to stay safe online can be carried out in an afternoon.

1. Choose your password carefully

Passwords should be long, difficult to guess and should contain mixtures of uppercase and lowercase letters, special characters and numbers. A good approach would be to construct your password out of a seemingly random phrase that has a meaning that’s easy for you to remember - this is known as a passphrase. Finally, it’s best practice to use different passwords across different services. This will stop your account being compromised for multiple services if there is a data breach.

A word of warning: never suggest passwords on an open forum, particularly passwords that are easy to hack! To celebrate World Password Day in 2018, Nutella advised their Twitter followers to choose a password that’s easy to remember, citing “Nutella” as an example. This security fail led to “Nutella” being included in a list of unsafe keywords to use as a password. You can check if a password is known to have been breached here.

2. Invest in a password manager

Password managers are nifty online tools which will let you store all your usernames and passwords in an encrypted database. As well as storing passwords, these tools also generate unique and random passwords, so you don’t have to create new ones for every service you use. The number of passwords you have to remember also reduces drastically: the master password for the password manager is the only one you need to memorise. Just be sure to make the master password as complex as you can and enable 2-Factor Authentication whenever possible (more on that later!).

The market-leading password managers aren’t free to use, but in my experience the money you pay for a password manager is well worth the security benefits it offers.

3. Be on the lookout for email scammers

Scammers love using email, and for good reason - it’s cheap and can be sent out to millions of people in just one click. Standard advice: if you receive an email you aren’t expecting, be vigilant!

Carefully analyse emails before taking action:

• Check the email address: Does the address look like its come from the proper URL? If you get an email from “HMRC” with the address RandomName@RandomWebsite.au, there’s a high chance it’s not legitimate.
• Look out for spelling mistakes: Spelling alone isn’t enough to determine that an email is suspect, but it can be a red flag in an email that’s purporting to be an official communication from an organisation.
• Hover over links: If you’re on a desktop computer or laptop, hover over links with your mouse to reveal the link’s address. If the address isn’t what you’d expect it to be, don’t click it.
• Take another step to verify the information: In addition to the steps above, consider other ways you can verify the information provided in the email. This could include calling the organisation or looking the sender up on Google or LinkedIn.

4. Consider getting 2-Factor Authentication

On the internet, passwords are the standard way to secure your accounts. Whether it be your email, your social media logins or online tools you use, it generally works in one step:

• you type in your username and password
• you then gain access to your account

2-Factor Authentication adds another step to the process. This usually involves you proving that it’s you trying to log in with something that’s linked to your account. This could be an authenticator app like Duo or Google Authenticator, or a code which is texted to a phone you’ve linked to the account. The process then becomes:

• Step 1: you type in your username and password
• Step 2: authenticate that it’s you logging in
• Result: you gain access to your account

Adding this extra step creates an extra layer of security to your accounts, stopping pesky hackers getting in on a weak or vulnerable password alone.

Combine this with a watchful eye on what you’re doing on the internet and you’ll be well on your way to keeping yourself and your small business secure online.

Richard Grey is an experienced cyber security professional with over 15 years of experience. He is currently Head of Information Security at FreeAgent.

Want to know more about security at FreeAgent? Find out how we keep your data secure.