Cybersecurity checklist for small and medium businesses

Cyber security has been very much in the news in recent months, with several major organisations affected.

No matter the size of the business, cybersecurity is an essential focus in today’s professional landscape. Although large companies are often the preferred target of cybercriminals, the fallout from a security breach can mean the end of a smaller organisation without the resources for significant damage control.

Post-pandemic cyber security for small and midsize businesses and technology enterprises is now more important than ever. The rise of remote working resulting from the pandemic has left many firms more vulnerable to attacks, while data breaches have become both more costly and potentially more disruptive.

For this reason, even a small business must be vigilant to protect its sensitive data from unauthorised access. To make sure all your security bases are covered, use this cybersecurity checklist as a guide.

Keep an updated inventory
Take a comprehensive inventory of every device connected to your network. This should include all hardware, such as company desktops, mobile devices and routers, and any software or applications installed. Keep this list updated as devices and software change so you’ll have a clear picture of all the elements that must be included in your network security plans.

Keep software and operating systems up to date
For many of the most common security threats, simply installing the latest updates for your programmes and applications will significantly reduce your risk. Rather than trying to maintain a customised schedule for the newest security patches, set all connected devices to update automatically as soon as updates are released. This will ensure you’re always protected by the most recent responses to new threats.

Manage user accounts
Keep account permissions restricted to the lowest level needed for the user to complete their duties. Administrative accounts should only be used when necessary to make administrative changes. Limit access to the administrative account, ensure every employee has a separate account with unique log-in credentials and make sure remote access is granted through a virtual private network (VPN). If possible, require multi-factor authentication for system access. When an employee leaves the company, immediately remove their account.
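The least-privilege and leaver-removal points above can be checked on a schedule by reconciling the accounts that actually exist on a system against the HR roster and a short approved-admin list. The Python below is an added example, not code from the original article; the roster, approved-admin list, account export and 90-day staleness threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real system): the HR roster of current
# staff, the short list of people approved to hold admin rights, and an export
# of the accounts that actually exist on a server or directory.
CURRENT_EMPLOYEES = {"alice", "bob", "carol"}
APPROVED_ADMINS = {"alice"}
ACCOUNTS = [
    {"user": "alice", "admin": True, "last_login": date(2024, 5, 2)},
    {"user": "bob", "admin": True, "last_login": date(2024, 5, 1)},
    {"user": "carol", "admin": False, "last_login": date(2023, 11, 3)},
    {"user": "dave", "admin": False, "last_login": date(2024, 1, 15)},
    {"user": "reception", "admin": False, "last_login": date(2024, 5, 2)},
]
SAMPLE_TODAY = date(2024, 5, 3)  # fixed "today" so the sample run is repeatable


def audit_accounts(accounts, employees, approved_admins, today, stale_days=90):
    """Return (user, finding) pairs for accounts that breach the checklist.

    Three checks, matching the checklist's account-management points:
      - orphaned: the account does not belong to a named current employee
        (a leaver who was never removed, or a shared login nobody owns);
      - admin: the account holds admin rights but is not on the approved list;
      - stale: no login for more than stale_days (assumed threshold), a sign
        the account is no longer needed and should be disabled or reviewed.
    """
    findings = []
    for account in accounts:
        user = account["user"]
        if user not in employees:
            findings.append((user, "orphaned: no matching current employee, remove the account"))
        if account["admin"] and user not in approved_admins:
            findings.append((user, "admin rights not approved, reduce to a standard user"))
        if today - account["last_login"] > timedelta(days=stale_days):
            findings.append((user, f"stale: no login in over {stale_days} days, disable or review"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample data."""
    return audit_accounts(ACCOUNTS, CURRENT_EMPLOYEES, APPROVED_ADMINS, SAMPLE_TODAY)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user:12} {finding}")
```

In practice the account list would be exported from the directory or server in question and the roster from HR; the findings are a to-do list for the administrator, not an automatic removal.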

Audit employee security knowledge
The biggest vulnerability in any cybersecurity plan comes from people. Mistakes happen, and people can get careless over time. Create a security awareness plan that reminds employees of the protocols they must follow and encourages immediate reporting of any suspicious activity. It’s important to find a balance between additional IT security measures and convenience for staff: if protocols are too complex, it’s likely some won’t be followed in the interest of convenience. Implement a password policy that encourages strong password creation with minimum complexity guidelines, and have employees change their passwords at reasonable intervals.

Address email security
Make sure all incoming and outgoing emails are scanned for malicious items, such as viruses, malware and ransomware. Phishing scams and ransomware attacks are common tactics used by cybercriminals to obtain sensitive information, compromise an employee’s account or deliver malicious files. Many email providers for small businesses have tools available to help you filter spam and suspicious emails.

Restrict web traffic
Another possible access point for unauthorised users is malicious websites. Social media in particular presents a significant risk of giving malware an entry point into business networks. Set restrictions that allow employees to visit only trusted sites on an approved list. Limiting access to work-required sites greatly reduces your risk while providing the added benefit of limiting distractions at work.

Use endpoint protection applications and firewalls
Firewalls offer passive protection by monitoring all incoming and outgoing network traffic for anything outside the established security rules. Endpoint protection applications, such as anti-virus software and malware removal tools, can help catch malicious programs that make it through your passive systems. Just make sure to set up full scans on a regular schedule for more thorough protection. Install these programs on any mobile devices used for business as well.

Set up a data recovery plan
Protecting your data from unauthorised access is critical, but it’s also important to have a disaster recovery plan in the event your data is lost. Sometimes cyberattacks are intended to disrupt a company rather than steal information. Do you have all your important data backed up in case it’s corrupted or lost entirely? Backups should be encrypted and run on automatic schedules to ensure they aren’t missed and the files are recent. Using multiple backup methods, such as an onsite server and a cloud backup, offers an additional layer of protection.

Restrict Wi-Fi use
If your office has Wi-Fi, it should be password-protected to prevent access by those outside your business. If you offer wireless access to both employees and customers, make sure the networks are separate to prevent the public from accessing the critical data stored on your business network. Remember that WPA2 offers stronger security than older wireless standards through more robust encryption. Turning off your Wi-Fi outside of business hours denies attackers unfettered access to your network when no one is onsite.

Be aware of new threats
Although software updates and endpoint security programs are generally based on the latest cybersecurity threats identified, sometimes there’s a lag between when a new risk is identified and when a solution is released. By keeping yourself informed of new threats as they’re discovered, you put yourself in a position to know the signs if you’re affected, allowing you to react quickly and minimise the impact on your business.

Develop a response for security breaches
Should a breach occur, having a planned response in place can dramatically improve the outcome for your company. Rather than reacting in the moment, you’ll have a list of actions you need to take to protect anything that hasn’t already been accessed. Having the steps written out ensures nothing is missed when stopping the attack from doing further damage and beginning the recovery process if needed.

By David Thomas
[email protected]

David Thomas is a former Assistant Commissioner of the Hong Kong Police and a consultant to INTERPOL and the United Nations Office on Drugs and Crime.
In 2011, he founded Safe Communities Algarve to help the authorities and the community prevent crime. It is now registered as Associação SCP Safe Communities Portugal, the first national association of its type in Portugal.
913 045 093