THE ULTIMATE SMB CYBER SECURITY CHECKLIST
In 2015 over 100 global financial institutions were victimised by the first “global cyber mafia”, which resulted in the attackers stealing up to $1 billion. Using spear-phishing email scams, the gang gained access to each bank’s digital doors and downloaded remote access Trojans. The hackers then transferred huge sums of money into dozens of accounts around the world through ATMs.
Why is cybersecurity important for a small business? Even if your company does not have billions in the bank, data breaches like these can happen to any company, regardless of size. Implementing our Small to Medium Business (SMB) Cybersecurity Checklist is the first step to securing your digital data. If that data is left unsecured, your business may suffer a business continuity failure.
WHAT CYBERSECURITY RISKS DO SMBs FACE?
If you’re a small to medium business (SMB) owner, you may think your company isn’t big enough to be targeted for cyberattacks. In fact, it’s the opposite, as small businesses often fail to invest enough in security measures and training, so they become the easiest targets for cybercriminals.
Consider these statistics:
- A cyberattack occurs every 39 seconds.
- 43% of cyberattacks target small businesses.
- 60% of the small businesses that fall victim to a cyberattack go out of business within six months.
- Nearly half (47%) of SMBs have suffered a cyberattack within the last 12 months.
- The average cost of a cyberattack on a business is $200,000 USD, which is daunting, especially for small companies without a cybersecurity plan.
Statistics like these suggest that your small company could potentially be the target of at least one type of catastrophic cyberattack. The good news is that you can put in place some simple policies to help protect yourself today.
YOUR SMALL BUSINESS CYBERSECURITY CHECKLIST
Cybersecurity has many aspects, so for simplicity we have condensed our checklist down to 11 broad topics. Working through this checklist puts protective barriers between your business and the cybercriminals who exploit these weaknesses:
- Prepare for a crisis
- Perform a risk assessment
- Utilise multiple layers of protection
- Protect and back up your data
- Patch and update devices frequently
- Maintain a strong password policy
- Limit user access
- Enforce email restrictions
- Secure your Wi-Fi
- Train employees on security protocols
- Update security policies frequently
1. PREPARE FOR A CRISIS
Unfortunately, experiencing a cyber threat is a matter of “when” not “if.” Having a crisis plan in place makes responding to an emergency much easier. This SMB cybersecurity checklist can ensure you are ready to handle any security emergency.
2. PERFORM A RISK ASSESSMENT
Performing a risk assessment will help you develop a disaster recovery strategy and protect your most critical assets from threats. A risk assessment will reveal:
- Your most valuable assets: servers, databases, client information, trade secrets, partner documents, websites, customer information (credit card data, addresses, etc.)
- The most critical threats to your business: system failures, natural disasters, ransomware attacks, accidental human interference, and malicious human behaviour.
- Vulnerabilities that allow threats to penetrate your security: old/out of warranty hardware, untrained staff members, unpatched or out-of-date software and systems.
- How to improve your security status: a suitable prevention and mitigation strategy.
3. UTILISE MULTIPLE LAYERS OF PROTECTION
Having multiple layers of security can dramatically improve your network's resilience. A layered security model uses intentional redundancies so that if one control fails, another immediately steps in to prevent an attack.
- Ensure that your web browsers, operating systems, and security patches are up to date.
- Set up antivirus software and run scans after software updates.
- Deploy firewalls and Intrusion Prevention Systems (IPS) on your network.
- Utilise a virtual private network (VPN) to secure company internet traffic.
- Analyse data integrity to detect suspicious behaviour.
- Utilise behavioural analysis to trigger alerts and automatically isolate threats.
4. PROTECT AND BACK UP YOUR DATA
If your company shares data with third parties across any external platform, that data is at risk of theft. A small business may also be forced to close its doors if it loses valuable company data or assets in a cyberattack.
- Identify all third parties (and their vulnerabilities).
- Define exactly which data is shared and stop sharing anything that is not necessary.
- Establish controls between your company and each third party so that those exchanges are isolated from the rest of the business.
- Schedule differential backups daily as well as full backups monthly.
- Keep a secondary backup in the cloud or other offsite storage repository.
- Evaluate and test the entire data recovery process.
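One way to put the schedule above (daily differentials, a monthly full, and a tested recovery) into practice, as an added example that is not from the original article: a POSIX shell script built on tar. The `backup_full`, `backup_diff`, `restore_latest` and `verify_restore` function names and all paths are placeholders chosen for this example; copying the resulting archive directory to your offsite repository is left to whatever sync tool you use.

```shell
#!/bin/sh
# Added example (not from the article): monthly full + daily differential backups
# with a restore test. Layout inside DEST (an absolute placeholder path):
#   full-<stamp>.tar   one per full backup
#   diff-<stamp>.tar   files changed since the latest FULL (not since the last diff)
#   .last-full         marker file whose mtime is the differential baseline
# Caveat: tar-based differentials do not record deletions, so a file removed from
# SRC after the full backup reappears on restore; snapshot tools handle that case.

backup_full() {                      # run monthly: backup_full SRC DEST
  src="$1"; dest="$2"
  mkdir -p "$dest"
  rm -f "$dest"/diff-*.tar           # old differentials belonged to the previous full
  out="$dest/full-$(date +%Y%m%d-%H%M%S).tar"
  tar -cf "$out" -C "$src" .
  touch "$dest/.last-full"           # everything newer than this goes into differentials
  echo "$out"
}

backup_diff() {                      # run daily: backup_diff SRC DEST
  src="$1"; dest="$2"
  [ -f "$dest/.last-full" ] || { echo "no full backup yet" >&2; return 1; }
  marker="$(cd "$dest" && pwd)/.last-full"   # absolute, since we cd into SRC below
  list=$(mktemp)
  ( cd "$src" && find . -type f -newer "$marker" ) > "$list"
  if [ ! -s "$list" ]; then          # nothing changed today: no archive to write
    rm -f "$list"; return 0
  fi
  out="$dest/diff-$(date +%Y%m%d-%H%M%S).tar"
  tar -cf "$out" -C "$src" -T "$list"   # -T: GNU tar reads the member list from a file
  rm -f "$list"
  echo "$out"
}

restore_latest() {                   # recovery test: restore_latest DEST TARGET
  dest="$1"; target="$2"
  mkdir -p "$target"
  full=$(ls "$dest"/full-*.tar | tail -n 1)   # timestamps sort lexicographically
  tar -xf "$full" -C "$target"
  for d in "$dest"/diff-*.tar; do    # then layer each differential in date order
    if [ -f "$d" ]; then tar -xf "$d" -C "$target"; fi
  done
}

# Compare the restored tree with the live data: exit status 0 means identical.
verify_restore() { diff -r "$1" "$2" >/dev/null; }
```

Run `verify_restore` against a scratch directory on a schedule, not only once: a backup that has never been restored is an assumption, not a control.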
5. PATCH AND UPDATE DEVICES FREQUENTLY
Keeping your devices and applications up to date will significantly reduce the risk of many common security threats.
- Update the operating system and software on devices and servers regularly.
- Set up scheduled anti-virus scans, at least once a week.
- Uninstall any old or legacy software you don’t require anymore.
- Set up the ability to wipe devices remotely, so that if a device is lost or stolen your company retains control over its contents.
6. MAINTAIN A STRONG PASSWORD POLICY
Employee passwords should follow strict criteria to prevent unauthorised access.
- Implement multi-factor authentication (MFA) for extra account protection.
- Change passwords on a schedule and whenever a data breach occurs.
- Encourage the use of password generators to ensure password complexity.
- Set up encrypted password managers to store passwords securely.
- Require employees to use different passwords for every account they use.
- Restrict employees from sharing login credentials.
7. LIMIT USER ACCESS
A Harvard Business Review study showed that 60% of all cyberattacks were carried out by insiders. Among these attacks, three-quarters were driven by malicious intent and one-quarter by inadvertent actors.
- Each access point poses an individual risk, so limit user access to specific data they need to perform their jobs.
- Set up appropriate company security groups for file access.
- Prohibit software installation without administrator permission.
8. ENFORCE EMAIL RESTRICTIONS
Cybercriminals frequently use email as an entry point to execute malware. Phishing scams and malicious links within email messages are common ways of tricking employees.
- To prevent threats from reaching their intended targets, use message encryption, spam filters, and antivirus software.
- Cover common scams, and how to spot and avoid them, as part of employee awareness training.
9. SECURE YOUR WI-FI
Unsecured Wi-Fi can enable anyone to access your network, including hackers.
- Rotate your Wi-Fi passwords to keep your network safe.
- Change the router's default admin credentials.
- Separate your guest and corporate networks.
- Limit the length of guest network sessions.
- Audit and tighten firewall policies quarterly.
10. TRAIN EMPLOYEES ON SECURITY PROTOCOLS
After your employees have been trained on your security policies, hold them accountable for following them.
- Ensure that security standards are followed.
- Test your team’s knowledge after training.
- When implementing new policies, require employee signatures.
11. UPDATE SECURITY POLICIES FREQUENTLY
Regularly update your cybersecurity training curriculum and policies.
- Stay on top of the latest IT security trends.
- Encourage your IT staff to earn cybersecurity certifications.
- Schedule regular cybersecurity awareness training sessions.
REDUCE RISKS AND EASE IT HEADACHES WITH A CYBERSECURITY PARTNER YOU CAN TRUST
Network security is no longer a nice-to-have. Every business needs it, no matter how big or small.
If you lack the internal resources to implement security policies, it may be time to consider outsourcing these services to a professional.
Our team at Coast IT understands that almost every company will encounter some sort of security disaster throughout its existence. This is why we incorporate cybersecurity into all aspects of our services. We pride ourselves on providing small businesses with the proactive threat management and network security planning they need to feel secure.