IT Security Best Practices

A guide to security best practices for small businesses

If you have ever lost a piece of work because you haven’t saved it, or your computer or online accounts have been hacked, then you will know how inconvenient and potentially damaging it is to your business. Our guide takes you through the steps you should take to protect your business.

Security is important across the services you use and across all your devices including desktops, laptops, phones and tablets.

1. Passwords

Strong passwords are long and unpredictable: three or four random words, ideally with a mix of upper and lower case, numbers and symbols, are far harder to guess than a short dictionary word with a couple of substitutions, and length matters more than any particular mix of character types. Ideally you should use a different password for every application you log in to, so that one leaked password does not unlock all your accounts, but remembering lots of passwords is inconvenient, so what are the best options?

Consider a password manager, eg LastPass or 1Password, which generates and stores a unique random password for every site so that you only have to remember one strong master password; be sure never to forget that master password, and protect the manager itself with two factor authentication where it supports it. Alternatively, there is a lot to be said for a little black book, so long as you keep it somewhere secure, don't lose it, and don't write your email addresses, usernames or other personal information next to your passwords.
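As an added illustration of the "random words" advice above (this is example code written for this guide, not a tool from any password manager), the snippet below generates a passphrase with a cryptographically secure random source and works out how much guessing resistance random words give compared with random characters. The 16-word list is constructed for the demonstration and is far too small for real use; a real generator should draw from a large published list such as the 7776-word Diceware list.

```python
import math
import secrets

# Constructed sample word list for this demonstration only. With 16 words each
# pick adds just 4 bits; a real list such as Diceware (7776 words) adds ~12.9.
SAMPLE_WORDS = [
    "anchor", "basil", "copper", "delta", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pepper",
]


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random using the `secrets` CSPRNG.
    Never use the `random` module for passwords: its output is predictable."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Bits of guessing resistance for `count` words picked uniformly at random
    from a list of `list_size` words. Assumes uniform random choice; words a
    person picks themselves are nowhere near this strong."""
    return count * math.log2(list_size)


def password_entropy_bits(alphabet_size, length):
    """Same calculation for `length` characters picked uniformly from an alphabet
    of `alphabet_size` symbols (95 for all printable ASCII)."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest number of random words from `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase(SAMPLE_WORDS))
    eight_mixed = password_entropy_bits(95, 8)      # 8 random printable characters
    print(f"8 random mixed characters: {eight_mixed:.1f} bits")
    print(f"4 Diceware words:          {passphrase_entropy_bits(7776, 4):.1f} bits")
    print(f"Diceware words needed to match 8 mixed characters: {words_needed(eight_mixed, 7776)}")
```

The point the numbers make is that five random Diceware words (about 65 bits) beat eight truly random mixed characters (about 53 bits) and are much easier to remember and type; the comparison only holds when the words really are chosen at random, which is why a password manager or a dice roll, not your own imagination, should do the choosing.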

If a service offers two factor authentication then turn it on, particularly for anything sensitive or important (eg bank accounts and your primary email account, which can be used to reset the passwords of everything else). Two factor authentication adds an extra layer of security by requiring two separate means of identification, eg a password that is memorised and a one-time code from a text message, an authenticator app or a hardware token device, so a stolen password alone is not enough to log in. A code from an authenticator app or a hardware token is preferable to one sent by text message, because text messages can be intercepted or redirected (for example by SIM-swap fraud), but any second factor is far better than none.

2. Bring your own device

A Bring Your Own Device (BYOD) strategy has many benefits for both the employer (reduced IT costs) and the employee (increased efficiency and flexibility). However, it also raises a number of issues relating to security and data protection, because business data ends up on devices you do not own or control. Make sure you have a BYOD policy so that people understand their obligations (eg a screen lock, up-to-date software and encryption on the device, and no business data in personal cloud accounts) and what to do if a device is lost or stolen. Ideally you should be able to wipe business data from the device remotely, which usually means enrolling it in a mobile device management (MDM) tool before it is used for work.

3. Operating systems

Use an operating system that requires each user to log in with their own account. Keep it up to date: turn on automatic updates and install security patches promptly, because most attacks exploit known flaws that the vendor has already fixed. Versions that are no longer supported by the vendor (eg Windows 7) receive no security fixes at all and should be replaced, since any new flaw found in them stays open for good.

4. Antivirus & firewall

Make sure both are turned on and, again, kept up to date: antivirus is only as good as its latest signature and engine updates, and the firewall built into Windows and macOS should be left enabled on every machine, not only on laptops that leave the office.

5. Administrator

Never use your computer day to day as an administrator. If you currently do, create a separate account with administrator privileges, used only when you need to install software or change system settings, and change your everyday account to a standard user. Malware that runs as a standard user can do far less damage than malware that runs as an administrator, and most changes to the machine will then prompt for the administrator password, giving you a chance to stop something you did not ask for.

6. Attachments, downloads and links

Never download anything from unknown sources, and don't open attachments or click links that look suspicious even when they appear to come from trusted friends or colleagues, since their accounts may themselves have been compromised; if you think it's dodgy, then it probably is. Don't take chances. Hover over a link (or long-press it on a phone) to see where it will really take you, and check that the address shown matches the one in the text. Links and attachments are among the most common ways that malware ends up on computers, and malicious pop-up adverts, which are often nothing to do with the website you are looking at, are another frequent source.
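The "hover over links" advice can be automated for email. The example below is added for this guide (it is not part of the original page and not a product feature) and flags anchors in an HTML message whose visible text shows one web address while the link actually goes somewhere else, plus links to raw IP addresses or unusual schemes. The sample message is constructed for the demonstration, and the handling of two-level suffixes such as co.uk is a simplification; real tooling should use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text that looks like a web address; group 1 is the domain part.
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Assumption for this example: treat "x.co.uk"-style names as three labels.
SECOND_LEVEL = {"co", "org", "ac", "gov", "com", "net"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to the part a person would recognise as 'the site'."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for links worth a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reasons = []
        if target.scheme and target.scheme not in ("http", "https", "mailto"):
            reasons.append(f"unusual scheme {target.scheme!r}")
        if IPV4_RE.fullmatch(host):
            reasons.append("link goes to a raw IP address, not a named site")
        shown = DOMAIN_RE.match(text)
        if shown and host and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample phishing email; the domains are documentation/example names.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please confirm your details at
<a href="http://203.0.113.45/login">https://www.example-bank.com/login</a>
or visit <a href="https://secure-login.example.net/verify">www.example-bank.com</a>.</p>
<p>You can also read our <a href="https://www.example-bank.com/help">help pages</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

The third link in the sample is left alone because its text ("help pages") makes no claim about where it goes; the check only fires when the message is actively telling the reader one address while taking them to another, which is exactly what a hover reveals and what a phishing email relies on the reader not doing.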

7. Backup and test

Everyone knows they should save documents periodically while working on them and back up their data. This task is made much easier these days by data being backed up automatically to the cloud. You may also want to make regular backups to physical disks and keep them somewhere safe, and at least one copy should be kept offline or disconnected, so that ransomware which encrypts your live files and any connected drives cannot also destroy the backup. However, backups are only useful if you can actually use them in an emergency. Always test your backup and restore process by actually restoring files to a spare machine or folder and checking that they open and are complete, not just by confirming that the backup job ran.
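As an added example of "test your backup and restore process" (written for this guide, not taken from any backup product), the script below records a SHA-256 manifest of what was backed up, restores the archive into a scratch directory and compares the result against the manifest, so a silent failure such as a skipped file or a corrupted copy is reported rather than discovered on the day you need the backup. The sample files and the "partial" archive that simulates a backup job which skipped a file are constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digests(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src_dir, archive_path):
    """Archive every file under src_dir and return the manifest to keep alongside it."""
    src_dir = Path(src_dir)
    manifest = file_digests(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a throwaway directory and diff it against the manifest.
    Returns (ok, problems); problems is a list of human-readable findings."""
    # Newer Pythons can refuse archive entries with absolute or '..' paths.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        restored = file_digests(scratch)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def run_demo():
    """Constructed sample data: back up three files and verify, then verify an
    archive from a job that silently skipped one file. Returns
    (full_ok, partial_ok, partial_problems)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "documents"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2024-01.txt").write_text("invoice 1\n")
        (src / "invoices" / "2024-02.txt").write_text("invoice 2\n")
        (src / "notes.txt").write_text("remember to test restores\n")

        full = Path(work) / "documents.tar.gz"
        manifest = make_backup(src, full)
        full_ok, _ = verify_restore(full, manifest)

        # Simulated faulty backup job: one file never made it into the archive.
        partial = Path(work) / "partial.tar.gz"
        with tarfile.open(partial, "w:gz") as tar:
            for rel in manifest:
                if rel != "notes.txt":
                    tar.add(src / rel, arcname=rel)
        partial_ok, problems = verify_restore(partial, manifest)
        return full_ok, partial_ok, problems


if __name__ == "__main__":
    full_ok, partial_ok, problems = run_demo()
    print("complete backup restores correctly:", full_ok)
    print("partial backup restores correctly:", partial_ok, problems)
```

Keep the manifest somewhere other than on the backup medium itself; if the drive that holds the archive fails or is encrypted by ransomware, the manifest still tells you exactly which files the surviving copies should contain.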

8. Rights management

Only give access to those who need it, and review who has access from time to time, since people change roles and projects end. Some systems and programs come with rights management features so that you can control what recipients do with documents you send them or give them access to: privileges can be set to read only or to read and edit, copying and printing can be restricted, and access can be set to expire after a certain date or time.

9. Encryption

How valuable is your data and what would the consequences be if it were lost or stolen? Depending on your answer, consider encrypting data at rest, particularly on laptops and mobile devices, which are easily lost or stolen. Modern operating systems include full-disk encryption (BitLocker on Windows, FileVault on macOS, and encryption by default on recent iPhone and Android devices) and it usually only needs switching on and pairing with a strong login password. For data in transit, and particularly for online transactions, only use websites served over HTTPS, shown by the padlock in the browser's address bar (the underlying protocol is now TLS, though you will still see its certificates called Secure Sockets Layer (SSL) certificates), and take extra precautions when sending data to other people, especially over public wireless networks, eg by using a VPN or encrypting the file itself before you send it.

10. Security policy

Last but not least, make sure you have a security policy. Write it down, and don't just give it to your employees to read: educate them. Make sure they understand how important your company's data is and what measures they can take to protect it. Everyone needs to understand their responsibilities and what their duties are under the Data Protection Act. Make sure this is covered when new employees join (ie it is part of their induction process) and that proper measures are followed when they leave (ie data is returned and access to systems is removed on their last day, not weeks later). Your security policy should be part of your HR policies and procedures, which should be made available to all staff and regularly reviewed and updated. Whatever your security policy is, make it easy for users to access and use the data they need. If you make it too difficult then they will find ways around it and your efforts will be wasted.

Delia Porter, MD & Founder