Fraud prevention foundations

Your first step is to identify your essential data. That's the information that your business couldn’t function without. Normally this will include documents, photos, emails, contacts and calendars, most of which are kept in just a few common folders on your computer, phone or tablet, or network.

Whether it’s on a USB stick, on a separate drive or a separate computer, access to data backups should be restricted so that they:

• aren't accessible by staff
• aren't permanently connected (either physically or over a local network) to the device holding the original copy

Ransomware (and other malware) can often move to attached storage automatically, which means any such backup could also be infected, leaving you with no backup to recover from. For more resilience, you should consider storing your backups in a different location, so fire or theft won’t result in you losing both copies. Cloud storage solutions are a cost-effective and efficient way of achieving this.

You’ve probably already used cloud storage during your everyday work and personal life without even knowing – unless you’re running your own email server, your emails are already stored ‘in the cloud’.

Using cloud storage (where a service provider stores your data on their infrastructure) means your data is physically separate from your location. You’ll also benefit from a high level of availability. Service providers can supply your organisation with data storage and web services without you needing to invest in expensive hardware up front. Most providers offer a limited amount of storage space for free, and larger storage capacity for minimal costs to small businesses.

Not all service providers are the same, but the market is reasonably mature and most providers have good security practices built in. By handing over significant parts of your IT services to a service provider, you’ll benefit from specialist expertise that smaller organisations would perhaps struggle to justify in terms of cost. However, before contacting service providers, you could read the NCSC’s Cloud Security Guidance first. This guidance will help you decide what to look for when evaluating their services, and what they can offer. 

We know that backing up is not a very interesting thing to do (and there will always be more important tasks that you feel should take priority), but the majority of network or cloud storage solutions now allow you to make backups automatically. For instance, when new files of a certain type are saved to specified folders. Using automated backups not only saves time, but also ensures that you have the latest version of your files should you need them.

Many off-the-shelf backup solutions are easy to set up, and are affordable considering the business critical protection they offer. When choosing a solution, you’ll also have to consider how much data you need to back up, and how quickly you need to be able to access the data following any incident.

Set a screenlock password, PIN or other authentication method (such as fingerprint or face unlock). The NCSC blog has some good advice on passwords. If you’re mostly using fingerprint or face unlock, you’ll be entering a password less often, so consider setting up a long password that’s difficult to guess.

Having said this, password protection is not just for smartphones and tablets. Make sure that your office equipment (so laptops and PCs) all use an encryption product (such as BitLocker for Windows) using a Trusted Platform Module (TPM) with a PIN, or FileVault (on macOS) in order to start up. Most modern devices have encryption built in, but encryption may still need to be turned on and configured, so check you have set it up.

If you’re given the option to use two-factor authentication (also known as 2FA) for any of your accounts, you should do: it adds a large amount of security for not much extra effort. 2FA requires two different methods to ‘prove’ your identity before you can use a service, generally a password plus one other method. This could be a code that’s sent to your smartphone (or a code that’s generated from a bank’s card reader) that you must enter in addition to your password.

If you are in charge of IT policies within your organisation, make sure staff are given actionable informationon setting passwords that is easy for them to understand.

Passwords should be easy to remember, but hard for somebody else to guess. A good rule is to make sure that somebody who knows you well couldn’t guess your password in 20 attempts. Staff should also avoid using the most common passwords, which criminals can easily guess. The NCSC have some useful advice on how to choose a non-predictable password.

Remember that your IT systems should not require staff to share accounts or passwords to get their job done. Make sure that every user has personal access to the right systems, and that the level of access given is always the lowest needed to do their job while minimising unnecessary exposure to systems they don’t need access to.

If you’re in charge of how passwords are used in your organisation, there are a number of things you can do that will improve security. Most importantly, your staff will have dozens of non-work related passwords to remember as well, so only enforce password access to a service if you really need to. Where you do use passwords to access a service, do not enforce regular password changes. Passwords really only need to be changed when you suspect a compromise of the login credentials.

You should also provide secure storage so staff can write down passwords for important accounts (such as email and banking) and keep them safe (but not with the device itself). Staff will forget passwords, so make sure they can reset their own passwords easily.

Consider using password managers, which are tools that can create and store passwords for you that you access via a ‘master’ password. Since the master password is protecting all of your other passwords, make sure it’s a strong one, for example by using three random words.

One of the most common mistakes is not changing the manufacturers’ default passwords that smartphones, laptops and other types of equipment are issued with. Change all default passwords before devices are distributed to staff. You should also regularly check devices (and software) specifically to detect unchanged default passwords.