The Ultimate Small Business

Cyber Security

Checklist

In 2015, the world’s first “international cybermafia” stole up to $1 billion from more than 100 global financial institutions. The gang’s “spear-phishing” emails opened the bank’s digital doors and released remote access Trojans into each network. The hackers then transferred enormous sums of money via ATMs into dozens of accounts around the world.

Why is cybersecurity important for a small business? Although your business might not have billions in the bank, data breaches like these could happen to any company, regardless of size. Implementing a small business cybersecurity checklist is the first step to securing your digital assets. If they remain unsecured, your business may suffer a continuity issue.

WHAT CYBERSECURITY RISKS DO SMALL BUSINESSES FACE?

As a small business owner, you may assume your company isn’t big enough to be targeted for this kind of theft. In fact, the reverse is true: since small companies rarely invest enough in security measures or training, they end up being the easiest targets for cybercriminals. 

Consider these statistics:

• As reported by the 2019 Verizon Data Breach Investigations Report, 43% of cyber attack victims are small businesses. 

• Within the last 12 months, nearly half (47%) of SMBs have suffered cyber attacks. 

• The average cost of a cyberattack on a business is $200,000, which is daunting, especially for small companies without a cybersecurity plan. 

• Recent data shows that nearly 60% of SMBs fold within six months following a cyberattack. 

These statistics indicate that your small company is probably the target of at least one type of potentially catastrophic digital threat. Thankfully, there are some simple policies you can implement today to protect yourself. 

YOUR SMALL BUSINESS CYBERSECURITY CHECKLIST

America’s financial systems have noted the rise in attacks on small firms and the threats they pose to the country’s economy. FINRA, the Financial Industry Regulatory Authority, has created a “Small Firm Cybersecurity Checklist” that breaks down the elements of computer system vulnerabilities. The checklist guides you through avoiding losses to the digital criminals that exploit these weaknesses.

We’ve expanded on FINRA’s guidelines to create an exhaustive small business cybersecurity checklist.  By following this checklist, you can put practices in place to provide protective barriers between you and the cybercrooks:

• Expect a crisis

• Perform a risk assessment

• Protect customer and proprietary data

• Detect intrusions through mobile devices

• Evaluate BYOD policies

• Maintain a strong password policy

• Use multiple layers of protection

• Limit user access

• Impose email restrictions

• Secure your Wi-Fi

• Backup your data

• Train employees on security protocols

• Update policies regularly

1. EXPECT A CRISIS

Unfortunately, experiencing a security threat is a matter of “when” not “if.” Responding to a crisis is easier when a system-wide response plan is already in place. Using this small business cybersecurity plan template will ensure you are ready to handle any emergency.

2. PERFORM A RISK ASSESSMENT

An IT security risk assessment helps create a sustainable disaster recovery strategy and protects your critical assets from threats. A risk assessment will reveal:

• Your most valuable assets: servers, websites, client information, trade secrets, partner document, customer information (credit card data, etc.)

• The most critical threats to your business: natural disasters, system failures, accidental human interference and malicious human actions

• Vulnerabilities that allow some kind of threat to breach your security: old equipment, untrained staff members, unpatched or out-of-date software

• How to improve your security status: appropriate prevention and mitigation steps

Read 4 Types of Security Audits Every Business Should Conduct Regularly

3. PROTECT CUSTOMER AND PROPRIETARY DATA

If your company shares data with third parties across any external portal, it is at risk for theft. 

• Identify all third parties (and their vulnerabilities).

• Clarify shared data and eliminate sharing unnecessary information.

• Establish controls between your company and the third-party company to isolate those procedures from the rest of the business.

4. DETECT INTRUSIONS THROUGH MOBILE DEVICES

You and your employees likely access company data through mobile devices. Those devices are often the easiest entry point into corporate databases.

• Identify all devices that touch the corporation and those with access to them.

• Clarify security elements within the device: passwords, encryption or others.

• Ensure the ability to wipe those devices clean remotely so your company retains control over its contents.

• Clarify the authority of devices users to access enterprise data.

5. EVALUATE BYOD POLICIES

Have you experienced data breaches through employee-owned devices? There are risks and rewards of having a BYOD (Bring Your Own Device) strategy that you should evaluate regularly.

• Confirm the number of devices connecting to your network.

• Reassess your enterprise-level security solution for employees’ mobile devices to maintain cost effectiveness.

6. MAINTAIN A STRONG PASSWORD POLICY

Set stringent criteria for employee passwords to prevent unwanted access.

• Implement multi-factor authentication for extra account protection.

• Require password changes on a timetable or when data breaches occur.

• Prohibit employees from sharing login credentials.

• Encourage using password generators to ensure password complexity.

• Provide encrypted password managers to store passwords securely.

• Require employees to use different passwords for each one of their accounts.

7. USE MULTIPLE LAYERS OF PROTECTION

Consider taking a layered approach, also known as multi-level security or Defense in Depth (DiD). Layered security involves setting up intentional redundancies so that if one system fails, another steps up immediately to prevent an attack.

• Maintain current web browsers, operating systems and security patches.

• Set up antivirus software and run scans after software updates.

• Deploy firewalls and intrusion protection systems on your network.

• Utilize a virtual private network (VPN) to secure company internet traffic.

• Analyze data integrity to detect suspicious behavior.

• Use behavioral analysis to send alerts and execute automatic controls when other methods fail.

8. LIMIT USER ACCESS

• Each access point poses an individual risk, so limit user access to specific data they need to perform their jobs. 

• Prohibit software installation without administrator permission.

9. IMPOSE EMAIL RESTRICTIONS 

Email is a common entry point for cybercriminals and malware. Tricking employees with phishing scams and malicious links within email messages is common.

• Use message encryption, spam filters and antivirus software to prevent threats from reaching their intended targets.

• Conduct employee awareness training to educate users on common scams and avoidance techniques.

10. SECURE YOUR WI-FI

An unsecured Wi-Fi can open your network to anyone, including hackers.

• Rotate your Wi-Fi passwords to keep your network safe.

• Use separate guest and corporate networks.

• Limit guest network session lengths.

11. BACKUP YOUR DATA

Loss of vital company data or assets through hacking or emergencies can put a small business out of business.

• Schedule backups regularly.

• Keep backup data in the Cloud or other offsite storage facility.

• Evaluate and test the entire data recovery process. Once successful, hackers often return through the same paths to hack again.

12. TRAIN EMPLOYEES ON SECURITY PROTOCOLS

If you have provided your employees with training on your security policies, hold them accountable to follow them.

• Require adherence to security standards.

• Test your team on their knowledge after a training session.

• Require employee signatures when implementing new policies.

13. UPDATE SECURITY POLICIES REGULARLY

Make sure your security policies and cybersecurity training curriculum are relevant and updated frequently. 

• Keep up with the latest IT security trends.

• Require IT staff to earn cybersecurity certifications.

• Host regular cybersecurity awareness training sessions.

REDUCE RISKS AND ALLEVIATE IT HEADACHES WITH A CYBERSECURITY PARTNER YOU CAN TRUST

Network security is no longer a nice-to-have. It’s a requirement for every business, no matter how large or small. 

If you don’t have the internal resources to implement security policies, it may be time to consider outsourcing these services to a professional. 

At SugarShot, we understand that virtually every company will end up experiencing some sort of security disaster over its lifespan. That’s why we integrate cybersecurity into every aspect of our IT services. We’re passionate about providing small businesses with the holistic threat management and network security planning they need to feel peace of mind. 

To learn more about SugarShot’s cybersecurity services, contact us today.