_Part 10 of 12 in the Cyber security for the small business series._
This month we cover two things that small businesses commonly overlook because they do not feel like cyber security: physical access to your kit and your premises, and the social media accounts that represent the business in public. Both can let attackers around all the technical controls we have spent the year building, so neither is optional.
Lock your screens
Every computer and device should lock automatically after a short period of inactivity — five minutes is a sensible maximum. Staff should also be trained to lock their screens manually whenever they step away from their desk, even briefly.
On Windows: Windows key + L. On macOS: Control + Command + Q. On Linux: usually Super + L or Ctrl + Alt + L.
An unlocked, unattended computer is an open invitation. A visitor, a contractor, a cleaner, or even a disgruntled colleague could access whatever is on screen, read emails, copy files, or install software. It takes seconds. The discipline of locking is two keystrokes and costs nothing.
Secure your premises
Consider who has physical access to your business premises and your equipment:
- Visitors should be accompanied in areas where they could access computers, servers, or sensitive documents. A visitor sign-in process is good practice, even at a small office: record who came in, who they were here to see, and what time they arrived and left. It does not need to be elaborate; a notebook works.
- Servers and network equipment should be in a locked room or cabinet where feasible. Your internet router, if accessible to visitors, could be reset or tampered with.
- Meeting rooms with screens or whiteboards may display sensitive information. Clear whiteboards after meetings. Ensure screens are not visible from public areas, particularly through ground-floor windows.
Disposing of old equipment
When you replace a computer, phone, printer, or hard drive, the data on the old device does not disappear simply because you have deleted files or performed a factory reset. Data recovery from supposedly wiped devices is straightforward with freely available tools.
For devices leaving your control:
- Use a reputable data destruction service that provides a certificate of destruction.
- Use software-based secure wiping tools (such as DBAN for traditional hard drives).
- For devices with solid-state drives — most modern laptops, all phones — a factory reset followed by encryption is generally sufficient.
- For devices that have failed and cannot be wiped, physically destroy the storage medium. Drilling a hole through a hard drive's platters or breaking an SSD chip is crude but effective.
If you take a single device to the local tip with the disk untouched, you are donating your business data to whoever picks it up. People do.
Removable media
USB drives are convenient but risky. They can introduce malware, be used to steal data, and are easily lost. Consider whether your business actually needs to use USB drives at all. If cloud storage and email meet your file transfer needs, disabling USB storage on company devices removes the risk entirely.
If USB drives are necessary, use encrypted drives (drives that require a password before they can be read, such as Kingston IronKey or Apricorn Aegis) and maintain a register of who has them.
Never plug in a USB drive that you find lying around. This is a known attack technique called USB baiting, and it works far more often than it should. If a strange USB drive appears in the office car park, it goes in the bin. Not into a computer to check what's on it.
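Two of the controls above (auto-lock after five minutes, and switching off USB storage where the business does not need it) can be set on a Windows PC in a few lines. This is an added example, not part of the original post; it assumes Windows 10 or 11, PowerShell run as Administrator, and that you try it on one machine before rolling it out.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 and an
# elevated (Administrator) PowerShell session. Test on one machine first.

# 1. Auto-lock after inactivity: the "Interactive logon: Machine inactivity
#    limit" security policy, stored as InactivityTimeoutSecs (seconds).
$systemPolicy    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lockAfterSeconds = 300   # five minutes, the maximum suggested above

# 2. USB mass storage: Start = 4 disables the USBSTOR driver, 3 is the default.
#    Keyboards, mice and USB network adapters use other drivers and keep working.
$usbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-OfficePhysicalControls {
    param([switch]$DisableUsbStorage)

    if (-not (Test-Path $systemPolicy)) {
        New-Item -Path $systemPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $systemPolicy -Name 'InactivityTimeoutSecs' `
        -Value $lockAfterSeconds -Type DWord

    if ($DisableUsbStorage) {
        Set-ItemProperty -Path $usbStorService -Name 'Start' -Value 4 -Type DWord
    }
}

function Get-OfficePhysicalControls {
    # Read back what is actually set, so a machine can be checked during the
    # Friday walk-through rather than assumed to be configured.
    $timeout  = (Get-ItemProperty -Path $systemPolicy -Name 'InactivityTimeoutSecs' `
                    -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $usbStart = (Get-ItemProperty -Path $usbStorService -Name 'Start').Start

    [pscustomobject]@{
        AutoLockSeconds   = if ($timeout) { $timeout } else { 'not set' }
        AutoLockOk        = ($timeout -gt 0 -and $timeout -le 300)
        UsbStorageBlocked = ($usbStart -eq 4)
    }
}

# Apply both controls, then show the resulting state.
Set-OfficePhysicalControls -DisableUsbStorage
Get-OfficePhysicalControls
```

The inactivity limit may need a sign-out or reboot before it takes effect; to re-enable USB storage later, set `Start` back to 3.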
Social media — the other public-facing surface
Your business social media accounts should be treated with the same seriousness as any other business system. They are public, they speak for the business, and they are an attractive target for attackers.
Use strong, unique passwords for every social media platform. Do not reuse your email password, your personal social media password, or any other password. The password manager you set up in April handles all of this.
Enable MFA on all platforms. Facebook, Instagram, X, LinkedIn, and TikTok all support it. The setting is in security or login settings on each platform. Choose an authenticator app over SMS where you are given the choice.
Limit who can post. Use the platform's built-in roles and permissions to control who can publish content, respond to messages, and manage account settings. Not everyone who creates content needs full administrative access. A compromised lower-privilege account is much less damaging than a compromised admin.
Separate personal and business accounts. Your personal accounts should not be linked to or used to manage business accounts where avoidable. If a personal account is compromised, you do not want it to provide a pathway to your business presence.
The risks of oversharing
Social media thrives on sharing. From a security perspective, every piece of information you publish is intelligence a potential attacker can use:
- Office photos might reveal security equipment (or its absence), computer screens, whiteboards with project details, or badge/pass designs.
- Holiday announcements signal that key people are away, which can be useful for both physical and digital attacks ("I am emailing on behalf of Sarah, who is on holiday and asked me to handle this urgently…").
- Staff profiles provide names, job titles, and reporting relationships valuable for spear phishing.
- Check-ins and location tags reveal patterns of movement and regular locations.
This does not mean you should stop posting. It means you should post with awareness. A quick mental check before publishing — could someone use this information against the business? — is usually sufficient.
Dealing with impersonation
Fake accounts impersonating businesses are increasingly common, particularly on Facebook and Instagram. These accounts may attempt to scam your customers, damage your reputation, or harvest personal information.
Regularly search for your business name on all platforms. Report and request removal of impersonation accounts. Consider verifying your accounts where platforms offer verification — it makes it easier for customers to identify the genuine one.
What October looks like
Two short tasks:
- Walk through the office at 5pm one Friday with fresh eyes. What is on screens that have not been locked? What is on the whiteboards? What is sitting on desks that should not be? The list is your physical-security work.
- List every social media account the business has. For each: confirm strong unique password, confirm MFA enabled, confirm you know who has admin access. If you find an old account that nobody uses any more — the LinkedIn page from 2018 a former employee set up — close it. Dormant accounts are the easiest accounts to take over.
Next month
November: AI-powered threats. What changes when attackers use generative AI, what does not change, and the simple usage policy that keeps your own staff from accidentally leaking the firm into a chatbot.