Businesses of all sizes are attractive targets for cyber criminals. The cost can be high when a large database, sensitive financial information or customer data is held hostage by hackers.
Protect your business with the following small business cybersecurity checklist detailing best practices and ways to keep hackers at bay.
Software Updates
A software vulnerability is a weakness in a program that attackers can use as an entry point. Regular software updates (patches) from the vendor repair these weaknesses. Imagine your umbrella developing small holes after heavy use: an umbrella repairer covers the holes with patches and the umbrella is fully functional again.
Updates can be set to install automatically, so patching doesn't have to be a daunting task. Many updates download and install as soon as a computer connects to the internet. Turn automatic updates on for operating systems, browsers and business applications alike, and remember the firmware of routers, firewalls, printers and other network devices, which is easy to overlook and rarely updates itself.
Hardware Upgrades
Upgrade your hardware whenever possible. A typical small business cybersecurity plan or template overlooks this, yet it matters a great deal given the small budgets involved. Larger businesses replace equipment much faster, so small businesses often run very old hardware, and old hardware tends to mean old software: a device whose vendor no longer publishes security updates (end of support) cannot be patched, however diligent you are.
Cybersecurity is only as good as its weakest link. If a business relies on outdated, unsupported hardware, the whole organisation is exposed to a cyber-attack or data breach.
Anti-Virus Software
Not having the correct anti-virus software installed on your systems is like leaving your front door unlocked at home. Unprotected systems are always attractive to attackers and easily found.
Installing the right anti-virus software on all company devices should be among the first steps of any small business cybersecurity plan.
There are two critical elements your anti-virus software needs:
- It must be the business-grade edition, not the consumer version, so that it can be managed centrally and report to one place.
- It must have EDR (Endpoint Detection and Response) enabled.
Things have changed in the last few years. Traditional anti-virus software, which recognises malware by matching known patterns (signatures), is no longer enough on its own: it cannot catch malware it has never seen before. Behaviour-based endpoint protection (often marketed as next-generation anti-virus or NGEP) with EDR watches what programs actually do and records it, and that is the technology you should be using now. Note that EDR produces alerts that somebody must read and act on, either in-house or through a managed provider; an alert nobody looks at protects nothing.
Data Backup and Recovery
Almost every business runs on data these days; data is the new oil, as they say. That is why attackers target your business data and hold it hostage for ransom payments. Lost or stolen data can cost tens of thousands to recover and damages your reputation with customers and suppliers.
Every small business cybersecurity plan must include robust data backup and recovery measures. A good starting point is the 3-2-1 rule: keep three copies of your data, on two different kinds of storage, with one copy off-site. Against ransomware, add one more requirement: at least one copy must be offline or immutable, that is, not deletable or encryptable from a compromised account on your network, because modern ransomware looks for and destroys reachable backups before it encrypts anything else. Test restores regularly; a backup that has never been restored is only a hope. With this in place your business can recover from a ransomware attack without paying. Bear in mind that backups restore data but do not undo a breach in which data was copied out. This can be the single difference between a business continuing to operate as normal and one that is shut down.
Cloud backup should be part of your backup strategy, but not the whole of it. Relying on a single third-party provider (even the largest, such as Amazon, Google or Microsoft) as your only copy is not best practice: an outage, an account takeover or a billing mistake at that one provider could cost you the data permanently.
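The rule above is easy to state and easy to believe you satisfy. The following added example (not from the original article) encodes it as a check over a backup inventory, together with the two properties the article stresses for ransomware survival: a copy the network cannot destroy, and a recent restore test. The inventory, the 90-day restore window and the field names are assumptions made for the example; a real register would be filled in from your backup software.

```python
"""Check a backup inventory against the 3-2-1 rule (three copies, two kinds of
storage, one off-site) plus the two extra properties that matter against
ransomware: one copy an attacker on the network cannot reach, and a recent
successful restore test.

Added example, not from the original article. The inventory below is
constructed; in practice it would come from your backup software or a simple
register kept by whoever owns backups.
"""
from datetime import date

# The live production data counts as one of the three copies in the 3-2-1 rule.
INVENTORY = [
    {"name": "file server (live data)", "medium": "disk", "location": "office",
     "reachable_from_lan": True, "immutable": False},
    {"name": "NAS nightly copy", "medium": "disk", "location": "office",
     "reachable_from_lan": True, "immutable": False},
    {"name": "cloud backup (object lock on)", "medium": "cloud", "location": "offsite",
     "reachable_from_lan": True, "immutable": True},
]
TODAY = date(2024, 3, 1)                 # constructed dates for the example
LAST_RESTORE_TEST = date(2023, 10, 15)   # 138 days ago: too old

MESSAGES = {
    "TOO_FEW_COPIES": "fewer than three copies of the data",
    "SINGLE_MEDIUM": "all copies on the same kind of storage",
    "NO_OFFSITE": "no copy off-site; fire, flood or theft takes everything",
    "NO_ISOLATED_COPY": "every copy can be deleted or encrypted from a compromised account on the LAN",
    "RESTORE_UNTESTED": "no successful restore test within the allowed window",
}


def assess_backups(copies, last_restore_test, today, max_restore_age_days=90):
    """Return the list of rule codes the inventory violates (empty = passes)."""
    findings = []
    if len(copies) < 3:
        findings.append("TOO_FEW_COPIES")
    if len({c["medium"] for c in copies}) < 2:
        findings.append("SINGLE_MEDIUM")
    if not any(c["location"] == "offsite" for c in copies):
        findings.append("NO_OFFSITE")
    # A copy is safe from ransomware if the network cannot reach it at all
    # (tape in a drawer, disk unplugged) or if it is write-once/immutable.
    if not any(c["immutable"] or not c["reachable_from_lan"] for c in copies):
        findings.append("NO_ISOLATED_COPY")
    if last_restore_test is None or (today - last_restore_test).days > max_restore_age_days:
        findings.append("RESTORE_UNTESTED")
    return findings


def report(copies, last_restore_test, today):
    """Human-readable version of assess_backups for the person who owns backups."""
    findings = assess_backups(copies, last_restore_test, today)
    if not findings:
        return ["backup posture: OK"]
    return [f"backup posture: {code}: {MESSAGES[code]}" for code in findings]


if __name__ == "__main__":
    print("\n".join(report(INVENTORY, LAST_RESTORE_TEST, TODAY)))   # restore test too old
    print("\n".join(report(INVENTORY[:2], None, TODAY)))            # two local disks only
```

The second scenario (two disks in the same office, never restored) is the setup many small businesses actually have, and it fails every check at once.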
Regular Scheduled Audits
A complete small business cybersecurity checklist needs to include regular vulnerability scans (audits) that catch changes to your systems and network. Over time new devices are connected to the network and new software is installed on them, often without anyone deciding that it should be. New employees also bring new risk if they are not given cyber-awareness training.
This means it's important to conduct vulnerability scans of all assets on the network regularly (we recommend monthly) and to compare each scan with the previous one: a device or open service that was not there last month is exactly the thing to investigate. This proactive approach nips issues in the bud. Finding a security weakness before an attacker does can avert disaster.
The best small business cybersecurity plans are proactive, not reactive, and hence include regular scheduled audits of systems and processes to uncover issues before they become a problem.
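As an added example of "scanning for changes" (not code from the original article), the script below compares two nmap scans saved in greppable format (nmap -oG) and reports new hosts, newly opened ports and hosts that have disappeared. Both scan texts are constructed to look like -oG output and are not from a real network; the addresses, hostnames and the small watchlist of services are assumptions for the example.

```python
"""Compare two nmap scans saved in greppable format (nmap -oG) and list what
changed: new hosts, newly opened ports, and hosts that vanished. Running this
against last month's scan is what "scanning for changes" means in practice.

Added example, not from the original article. Both scan texts below are
constructed to look like -oG output; they were not captured from a real
network, and the addresses and hostnames are made up.
"""
import ipaddress
import re

BASELINE = """\
# Nmap 7.94 scan initiated as: nmap -oG - 192.168.10.0/24
Host: 192.168.10.1 (gw.office.lan)\tStatus: Up
Host: 192.168.10.1 (gw.office.lan)\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
Host: 192.168.10.20 (fileserver)\tStatus: Up
Host: 192.168.10.20 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

CURRENT = """\
Host: 192.168.10.1 (gw.office.lan)\tPorts: 443/open/tcp//https///, 23/open/tcp//telnet///\tIgnored State: closed (998)
Host: 192.168.10.20 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.10.77 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
"""

# Services that should not normally be reachable on a small-office LAN (assumed list).
WATCHLIST = {"telnet", "ftp", "ms-wbt-server", "vnc", "smtp"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_greppable(text):
    """Return {ip: {"port/proto": service}} for every open port in -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                     # comment lines and blank lines
        ip = m.group(1)
        ports = hosts.setdefault(ip, {})
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # -oG port entry: port/state/protocol/owner/service/rpc info/version
                port, state, proto, _owner, service = entry.split("/")[:5]
                if state == "open":
                    ports[f"{port}/{proto}"] = service
    return hosts


def diff_scans(baseline_text, current_text):
    """Return human-readable findings, ordered by address."""
    base = parse_greppable(baseline_text)
    cur = parse_greppable(current_text)
    findings = []
    for ip in sorted(cur, key=ipaddress.ip_address):
        if ip not in base:
            findings.append(f"NEW HOST {ip}: open {', '.join(sorted(cur[ip]))}")
            continue
        for port, service in sorted(cur[ip].items()):
            if port not in base[ip]:
                flag = " REVIEW" if service in WATCHLIST else ""
                findings.append(f"NEW PORT {ip} {port} ({service}){flag}")
    for ip in sorted(base, key=ipaddress.ip_address):
        if ip not in cur:
            findings.append(f"HOST GONE {ip}")  # decommissioned, or just switched off today?
    return findings


if __name__ == "__main__":
    for line in diff_scans(BASELINE, CURRENT):
        print(line)
```

In the constructed data the router has grown a telnet service, the file server now exposes Remote Desktop, and an unknown device has appeared: three things a monthly scan should put in front of a person, and none of which a single scan in isolation would flag.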
Employee Cyber-Awareness Training
Your employees' cyber-awareness skills are critically important. Each employee with access to your business systems is part of a team that either "protects or infects" your network. Well-trained staff help protect your business; untrained staff help infect it through poor security habits and behaviours. This is why all employees should be required to undergo basic cyber-awareness training, with recognising and reporting phishing emails at the top of the list, since that is a common way into a small business.
Employees should be aware of all the cybersecurity policies and procedures in your business including protocols that protect your customer data, and how to respond in the event of a cyber-attack or data breach.
In addition, each employee's access to data within the business should be restricted to only the data their role requires (least privilege), reviewed when roles change, and removed promptly when someone leaves.
Your cybersecurity plan should also be discussed openly with all employees to foster a culture of interest, feedback and ownership towards protecting your business from cyber-attacks.
Password Policy
Often the cause of a data breach in a small business is simply a weak or reused password. People choose weak passwords because they are easier to remember than complex ones, and they reuse them because they have too many to remember.
Passwords are difficult to manage and often the last thing on a busy employee's mind. Here are some techniques you can include in your small business cybersecurity checklist when it comes to password policy:
- Keep passwords long. Length matters more than anything else, and a combination of three or more uncommon words is both long and memorable. Ex: Tarro, Goal, Sun
- Add numbers and special characters. Ex: Tarrogoalsun23#$!
- Mix capital and small letters. Ex: TarroGoalSun23#$!
- Avoid obvious passwords such as names of pets, celebrities you like, birthdays, anniversaries and the company name; attackers try these first.
- Avoid using personal names.
- Never reuse a business password on another site. A password manager makes long, unique passwords practical, because nobody has to remember them.
Do not force password changes on a fixed schedule. Older guidance called for a change every 40-60 days, but current guidance (NIST SP 800-63B) drops periodic rotation because it pushes people towards predictable variations (Summer2023!, Summer2024!) that attackers guess easily. Instead, require a change whenever a password is suspected or known to be compromised, and screen new passwords against lists of common and breached passwords so that a disguised version of "password" is rejected.
Turn on multi-factor authentication (MFA) wherever it is available, above all on email, remote access and administrator accounts. With MFA a stolen or guessed password is not enough on its own, which covers for the weak passwords no policy will fully eliminate.
Educate your employees on the importance of keeping their passwords secure, and keep them aware of what a data breach would cost your business.
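The password rules above can be enforced at the point where a password is set. The following added example (not from the original article) screens a proposed password for length, for being a common word in disguise, for personal details, and for lazy repetition. The minimum length of 14, the tiny COMMON list and the personal terms are assumptions made for the example; a real deployment would use a breached-password list with millions of entries and draw personal terms from the user's own record.

```python
"""Screen a proposed password against the policy above: long, not a disguised
common word, free of personal details, no lazy repetition.

Added example, not from the original article. The COMMON set is a tiny
constructed stand-in; a real deployment checks against a breached-password
list instead. MIN_LENGTH is an assumption: the article gives no number.
"""
import re

MIN_LENGTH = 14
COMMON = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin",
          "monkey", "dragon", "football", "sunshine"}
# Substitutions people use to "strengthen" a word; attackers undo them too.
LEET = str.maketrans("@$013457", "asoleast")


def core_word(pw):
    """Reduce 'P@ssw0rd2023!' to 'password' so the deny-list still catches it."""
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())     # drop trailing digits and symbols
    return stripped.translate(LEET)


def check_password(pw, personal_terms=()):
    """Return the list of policy problems; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short (need {MIN_LENGTH} characters)")
    if core_word(pw) in COMMON:
        problems.append("a common word in disguise")
    lowered = pw.lower()
    for term in personal_terms:
        # names, pet names, birth years and similar, supplied per user
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information: {term}")
    if re.search(r"(.)\1\1", pw):
        problems.append("three or more repeated characters in a row")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the article's example, a disguised common word,
    # and a pet's name plus birth year that meets every complexity rule.
    for candidate, personal in [("TarroGoalSun23#$!", ()),
                                ("P@ssw0rd2023!", ()),
                                ("Rex1987Rex1987!!", ("Rex", "1987"))]:
        print(candidate, "->", check_password(candidate, personal) or "accepted")
```

Note what the complexity rules alone would have accepted: "P@ssw0rd2023!" has capitals, digits and symbols and still reduces to "password", and "Rex1987Rex1987!!" is 16 characters long but is built entirely from facts an attacker can read off social media.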
Mobile Device Security
As technology advances, employees in many workplaces are allowed to bring their own devices (BYOD) to work. This means personal phones and laptops are permitted to connect to the company's network and data, often so that employees can work outside normal business hours. Whilst convenient and cost-saving for small business owners, it also presents many risks: a personal device that is unpatched, shared with family or left in a taxi is now a door into your business.
Hence it's critical that your cybersecurity policies and procedures also apply to any personal device that connects to your systems. At a minimum, require a screen lock, device encryption and current updates, and keep the ability to remove business data from the device (for example through a mobile device management tool) if it is lost or the employee leaves. A comprehensive cybersecurity plan or template for any small business needs to account for BYOD, as it is becoming increasingly common (especially in small businesses, where the cost savings are significant).
Wireless Network Security
Many wireless networks still use the router's default admin username and password, which presents a grave risk: anyone within range, or anyone who has joined the wifi, can log in to the router and reconfigure it.
Ensuring your wifi is secure (use WPA3 where your equipment supports it, otherwise WPA2 with AES, and never WEP or an open network) and has a long, complex passphrase is the first step. The next step is just as important: change the default admin username and password (or at least the password), turn off WPS, and put visitors and personal devices on a separate guest network that cannot reach business systems.
In addition, employees should be educated on the risks of using open public wifi (for example at airports, cafes or friends' homes) when working outside the office; a company VPN or the phone's own mobile hotspot is the safer choice.
Incident Response Plan (IRP)
The most important part of your small business cybersecurity checklist is the incident response plan. What happens when a data breach or cyber-attack occurs? Who should you call first? Should you unplug all the computers?
Like a house fire, your response time is critical. A small fire only takes minutes to become a blaze that causes great damage. If the fire is extinguished early, the damage can be minimised.
This is why an incident response plan (IRP) is important for when a "fire" breaks out in your business. Every minute counts, so working out how to respond only after a cyber-attack has started is the wrong response.
You need to know in advance how you will respond, and this needs to be in writing and easily accessible to all employees (and printed out offline – not online!).
The plan should include your process for stopping (or containing) the attack, then investigating and recovering. For example: disconnect affected machines from the network (unplug the cable or turn off wifi) rather than powering them off, so that evidence in memory is preserved; reset the passwords of accounts that were used on those machines; and only then restore from a backup taken before the compromise. The plan should also list who to call, with phone numbers: your IT provider, your insurer and, where the law requires it, the regulator and affected customers.
The final part of your IRP is the "lessons learned" or improvements step: evaluating what happened, why it happened, and how to prevent it, or minimise it, happening again in the future.
Of course, having a cybersecurity company monitoring your systems 24/7 can help detect these “fires” the minute they occur to help extinguish them faster and minimise the damage to your business.
Whilst this is just a sample small business cybersecurity plan, and every business is different, it can easily be adapted to fit your situation and needs, helping to ensure your cybersecurity is set up properly from the start and reducing the chances of a data breach or cyber-attack.