Use this cybersecurity checklist for small businesses to protect your organization from potential cyber attacks.
Understanding Cybersecurity for Small Businesses
You might assume that your small business is at low risk of cyber attacks because of its small size, but cybersecurity is just as important for small businesses as it is for multi-billion dollar organizations.
Even the smallest organization has the same ethical (and commercial) responsibility to protect client data as large businesses, even if you don’t have the same amount of resources to do so.
Small businesses rarely invest enough in cybersecurity measures or training. They often lack the budget or technical skill to properly protect themselves.
This leaves small businesses more vulnerable to attacks — and why not? Cybercriminals know that small businesses are typically easier and more appealing targets than organizations with well-funded security measures in place.
While a cybersecurity program might seem like an expensive endeavor for your small business, research shows that in the end, it’s worth the cost.
A 2019 Verizon Data Breach Investigations Report shows that 43 percent of cyber attack victims were small businesses. At the same time, the average cost of a cyberattack on a business is $200,000 — a potentially huge blow to small companies without a cybersecurity plan in place. Unsurprisingly, nearly 60 percent of small and medium businesses fold within six months following a cyberattack.
To avoid the hefty costs that accompany cyber attacks, the first step to securing your digital assets is to implement a cybersecurity checklist.
Before that, however, let’s take a look at the top cybersecurity threats facing small businesses today.
Top Cybersecurity Threats facing Small Businesses
Before you tackle a cybersecurity checklist, it’s important to understand the different cybersecurity threats facing your small business.
Malware. The most common cyberattack is malware (or malicious software). It includes spyware, ransomware, backdoors, trojans, viruses, and worms. Malware is usually installed into the system when a user clicks a malicious link or email. Once installed, malware can block access to critical components of your network, damage your system, and purloin confidential information.
Phishing. A type of social engineering that attempts to trick users into bypassing normal cybersecurity practices and giving up sensitive data such as usernames and passwords, bank account information, Social Security numbers, and credit card data, and so forth.
Phishing usually occurs via email scams; cybercriminals will send out phishing scam emails that seem to come from trusted senders like PayPal, eBay, financial institutions, or friends and co-workers. Users who click on the link in the email will be redirected to fraudulent websites that ask for personal information or install malware on their devices.
Distributed Denial of Service (DDoS). A DDoS attack tries to take down a company’s website by overwhelming its servers with requests. These shutdowns prevent customers from accessing your website and completing orders.
These three cybersecurity threats are the most common ones that small businesses face, but this list is not exhaustive. Learn more about what kinds of cybersecurity threats your small business might encounter.
Enter the NIST Cybersecurity Framework
Fortunately the NIST Cybersecurity Framework (CSF) can help your organization to keep sensitive data private and critical business information systems up and running.
Developed by the National Institute of Standards and Technology, the Cybersecurity Framework is a blueprint any organization can follow to build basic cybersecurity capabilities.
NIST comprises three components: framework core components, implementation tiers, and profiles. The core components consist of five “functions:”
The NIST CSF is promoted as a valuable tool for all businesses assessing risk and tightening security.
In addition to our cybersecurity checklist for small businesses, you should observe the recommendations and core components of NIST to best protect your organization from cyberattacks.
Cybersecurity Checklist for Small Businesses
The Federal Communications Commission (FCC) warns that “every business that uses the internet is responsible for creating a culture of security that will enhance business and consumer confidence.” It also lists 10 cybersecurity tips for small businesses. They are:
- Train employees in security principles.
- Protect information, computers, and networks from cyber attacks.
- Provide firewall security for your internet connection.
- Create a mobile device action plan.
- Make backup copies of important business data and information.
- Control physical access to your computers and create user accounts for each employee.
- Secure your Wi-Fi networks.
- Employ best practices on payment cards.
- Limit employee access to data and information,and limit authority to install software.
- Use strong passwords and authentication.
Below, we provide a comprehensive cybersecurity checklist for small businesses, based on the Small Firm Cybersecurity Checklist from the Financial Industry Regulatory Authority, that will help you put practices in place to protect your organization from cybercriminals. Here is the checklist at a glance, followed by a more thorough explanation of each action:
- Expect a cyber attack.
- Conduct a risk assessment.
- Protect customer data from attacks on third-parties.
- Prevent intrusions via mobile devices.
- Evaluate Bring Your Own Device (BYOD) policies.
- Set strong password policies.
- Maintain multiple layers of protection.
- Limit user access.
- Implement email restrictions.
- Secure your Wi-Fi.
- Backup your data.
- Train employees on cybersecurity practices.
- Update policies regularly.
Now let’s take a closer look at each of these checklist items to better understand how your small business can use them in your cybersecurity program.
Expect a cyber attack
Expecting a cyberattack is an important part of preparing your small business for its response. Unfortunately the matter really is a question of “when” rather than “if.”
Responding to a cyberattack is easiest when a response plan is already in place. This checklist will assure that you are ready to handle an emergency.
Conduct a risk assessment
An IT security risk assessment will help you create a disaster recovery plan, and will allow you to better protect your critical assets from threats.
A risk assessment will reveal:
- Most valuable assets: servers, websites, client information, trade secrets, partner documents, and customer information (credit card data, personal data, and so forth.)
- Critical threats: natural disasters, accidental human interference, system failures, and malicious actors
- Vulnerabilities: old equipment, untrained staff members, unpatched or out-of-date software
- Security status: appropriate prevention and mitigation steps
Protect customer data from attacks on third parties
If your organization shares data with third parties, that data is at risk for theft. To protect your customer data from attacks on third parties, we recommend:
- Identify all third parties as well as any vulnerabilities.
- Streamline which data is shared, and stop sharing unnecessary information.
- Implement controls that isolate procedures between your organization and the third-party company from the rest of your business.
For more on implementing internal controls, visit our internal control checklist for your small business.
Prevent intrusions via mobile devices
It’s likely that you and your employees access company data via mobile devices, which are often the easiest entry point into corporate databases. To prevent intrusions via mobile devices, do the following:
- Identify all mobile devices that come into contact with your organization, and who has access to them.
- Implement strict security elements on each device: passwords, encryption, multi-factor authentication, and so forth.
- Make sure you can remotely erase mobile devices to retain control over the contents.
- Clarify which mobile device users have access to enterprise data.
Evaluate BYOD policies
A bring-your-own-device policy has a number of pros and cons, including the risk of a data breach through an employee-owned device. If you decide that your organization should employ a BYOD policy, it’s important to evaluate that policy regularly:
- Establish the number of devices connecting to your network.
- To maintain cost effectiveness, reassess the enterprise-level security solution for your employees’ mobile devices.
Set strong password policies
Stringent criteria for employee passwords will prevent unwanted access. Try the following to establish and maintain strong password policies:
- Use multi-factor authentication for added account protection.
- Require organization-wide password changes on a regular basis, or when a data breach occurs.
- Prohibit employees from sharing login credentials.
- Employ password generators to ensure passwords are complex.
- Use encrypted password managers to securely store passwords.
- Require employees to use different passwords for each account.
Maintain multiple layers of protection
Also known as a multi-security or Defense in Depth (DiD), the idea here is to embrace a layered approach to security with intentional redundancies — so that if one system fails, another immediately takes its place to prevent an attack. Maintaining multiple layers of protection includes the following:
- Update current web browsers, operating systems, and security patches regularly.
- Use antivirus software and run scans after software updates.
- Deploy firewalls and intrusion protection systems on your network.
- Use a virtual private network (VPN) to secure company internet traffic.
- Analyze the integrity of company data to detect suspicious behavior.
- Send alerts and execute automatic controls using behavioral analysis when other methods fail.
For more on network security, check out our network security audit checklist.
Limit user access
Each data access point poses an individual risk to your organization. Limiting which users can access your most sensitive data will reduce the chances of a data breach.
Here are some ways you can limit user access:
- Limit user access to specific data needed to perform specific jobs.
- Prohibit software installation without administrator permission.
Implement email restrictions
Email is one of the most common entry points for cybercriminals and malware. Phishing scams are often used to trick employees into opening malicious links within email messages. Email restrictions can help prevent phishing scams from occurring.
To implement email restrictions, do the following:
- Use spam filters, message encryption, and antivirus software to prevent threats from reaching their intended targets.
- Regularly conduct employee cybersecurity awareness training to educate users on common scams and avoidance techniques.
- Send test emails out to employees to identify which are likely to open phishing emails in the future, and provide extra training for these individuals.
Back up your data
Regularly backing up your data to an off-site facility can prevent the loss of vital company data or assets through hacking or emergencies.
Backing up your data includes:
- Scheduling regular backups.
- Keeping backup data in the cloud or another off-site storage facility.
- Evaluating and testing the entire data recovery process. If successful, hackers will often return through the same paths to hack again.
Train employees on cybersecurity practices
An employee training program will help assure that your organization is better protected from cyberattacks.
Once your employees have been trained on security policies, it’s important that you follow through and hold them accountable to follow those policies.
Here are some things you can do to train your employees on your cybersecurity practices:
- Require employees to adhere to security standards.
- Regularly test your team on what they learned after a training session.
- When implementing new policies, require employee signatures.
Update policies regularly
Frequent updates to your security policies and cybersecurity training curriculum will assure that they will protect your organization from evolving threats.
To keep your security policies relevant, do the following:
- Stay current with the latest IT security trends.
- Require IT staff to attain cybersecurity certifications.
- Conduct regular cybersecurity awareness training sessions.
Cybersecurity Tools for Small Businesses
Network security is a requirement for every business these days, no matter how large or small your organization might be.
The most basic cybersecurity tools that every business should have include firewalls and antivirus software. Beyond those two, completing the cybersecurity checklist for small businesses we’ve outlined is the best way you can protect your organization from cyberattacks.
Many smaller organizations often don’t have the internal resources to implement security policies themselves. If this is the case, consider outsourcing these services to a professional.
No matter which path you decide is best for your organization, governance, risk, and compliance (GRC) software can help you get there.
How ZenGRC Can Help Protect Your Business from Cybersecurity Threats
ZenGRC from Reciprocity will help your organization assure that all your business systems and the data they hold are safe, as well as compliant.
Working in tandem with governance, risk management, and changing compliance demands to keep you up to date and safe, ZenGRC equips organizations with the fastest, easiest, and most prescriptive information security solutions on the market.
With ZenGRC, a team of cybersecurity professionals is always looking out for your organization and its assets to make sure you get the best protection against security breaches and cyberattacks.
ZenGRC’s compliance, risk, and workflow management software is intuitive, and provides an easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before they manifest into real threats.
No more hunting for documentation; no more searching emails or toggling screens: ZenGRC’s centralized, at-a-glance dashboards and simplified self-assigns can make executing this cybersecurity checklist a worry-free, Zen-like experience.
Then, you and your personnel will be freer to focus on the task at hand: keeping your data, systems, and networks secure and operational, and your clients and customers happy.
For more information on how ZenGRC can help your organization check-off the tasks listed on our cybersecurity checklist for small businesses, contact us for a demo today.