You’ve probably heard it before: cyber security matters for your business. But despite the constant horror stories and warnings from experts, many organisations still do not have adequate provisions in place.
Often, businesses don’t believe it’ll happen to them. However, it’s only when a cyber attack has already happened that you wish you had put better processes in place.
For businesses considering their cyber security strategy, there are challenges to overcome. Gaps in resource, knowledge and skills leave you unable to understand the processes needed, implement them and manage them long-term.
We know many SMBs have limited cyber security capacity, so a baseline of cyber security must-haves is ideal. It keeps you protected without overwhelming your business or demanding cost and effort you simply don’t have.
We’ve put together a cyber security checklist that outlines everything you need for adequate protection across core risk areas.
Cyber security by numbers
Before we dive into what makes up good business cyber security, let’s explore why it’s important.
The data shows that cyber risks pose a growing threat to companies, with significant losses if an attack were to happen:
- 31% of SMBs have been victims of cyber attacks
- A successful cyber attack costs SMBs more than $250,000 on average
- 81% of SMBs believe AI has forced the need for additional security controls
- The three most common cyber threats facing small businesses are malware, phishing and data breaches
- 23% of small businesses report cyber attacks as one of the biggest threats they currently face
- Half of small businesses state it took them over 24 hours to recover from an attack
- One-third of small businesses rely on free cyber security solutions meant for individual consumers rather than enterprise solutions
- Cyber attacks are predicted to grow 15% every year, with data suggesting cybercrime will cost the world over £10 trillion by 2025
Why do businesses need adequate cyber security?
As the numbers show, cyber security should be a significant concern for businesses of any type or size. But when you’ve never fallen victim to an attack, it’s easy to deprioritise it and assume it will never happen to you.
However, cyber threats are becoming more common, and the longer you operate without controls, the more likely you are to be hit. By implementing cyber security effectively, you can prevent significant losses to your business.
The benefits of cyber security include:
- Protection of sensitive data: Every business handles sensitive data, including customer information, financial records, intellectual property and employee data. Cyber attacks can compromise this data, leading to significant financial losses, legal liabilities and reputational damage.
- Prevention of financial loss: Cyber attacks can result in direct financial losses through theft, extortion and ransomware demands. Additionally, the costs of recovering from a cyber attack, including system restoration, legal fees and lost business opportunities, can be substantial.
- Maintenance of customer trust: A data breach can erode trust, leading to customer churn and loss of future business. Strong cyber security practices demonstrate a commitment to protecting customer data, fostering trust and loyalty. This will also improve supply chain relationships and make you a trusted partner.
- Compliance with regulations: Many industries have strict data protection regulations (like GDPR). Non-compliance can result in hefty fines and legal penalties. Adequate cyber security helps businesses meet these regulatory requirements.
- Business continuity: Cyber attacks can disrupt operations, leading to downtime and productivity loss. Robust cyber security measures help ensure business continuity by minimising the impact of attacks and enabling rapid recovery.
- Competitive advantage: Businesses with strong cyber security practices gain a competitive edge. Customers are more likely to choose businesses they perceive as secure, and investors may favour companies with robust security measures.
If you want to minimise your losses before it’s too late, and build a reputation as a trusted organisation, it’s therefore crucial to implement cyber security protection as soon as possible.
Cyber security processes every business should have
Now you know how integral cyber security is to the long-term survival of your business, what exactly do you need to implement?
Our cyber security checklist contains the core elements you need, as a minimum, to reduce risk, and explains how to implement them.
Antivirus, antimalware and firewall
These three tools are essential components of any cyber security strategy, each playing a specific role:
- Antivirus software: Scans files and programs on your business devices against known malware signatures, quarantining or deleting infected files to protect against viruses, worms and ransomware
- Antimalware software: Employs techniques like behavioural analysis to identify and block emerging threats that signature-based antivirus may miss, including spyware, adware and rootkits (most modern endpoint protection products combine both functions in a single agent)
- Firewalls: Filter incoming and outgoing network traffic based on predefined rules, blocking unauthorised access and malicious connection attempts
By using all three tools, you can gain a layered approach that detects and removes a wide range of highly common threats.
For antivirus and antimalware, choose a reputable provider. Microsoft Defender Antivirus is a popular option and is built into Windows; the paid Defender for Business and Defender for Endpoint tiers add central management and reporting. Your IT staff should confirm that real-time protection is enabled on every business device (so files are checked as they are opened or downloaded, not only during a scan), that signature updates are automatic, and that regular full scans are scheduled.
Firewalls come in two types: software firewalls and hardware firewalls. A software firewall is included with your operating system and protects remote devices wherever they connect. A hardware firewall is a dedicated physical device (ideal for network protection if your staff are based at one location), which can be bought separately or may already be built into your business router.
Ensure that software firewalls are enabled on all devices accessing your organisation and use a boundary firewall at each of your business premises (unless part of a managed office).
Device and software policies
A consistent policy across devices and software is crucial to keeping your network safe and preventing threats sneaking in. It is especially significant today, when many workers may use personal devices for work or have devices at home.
If these devices aren’t locked down, or unapproved software is installed on them, it could give cyber criminals an entry point.
Ensure all devices and software are configured securely, in line with security best practice and your internal policy; vendor default settings are rarely secure enough on their own. You’ll also want to do the following:
- Change default passwords on new devices (including firewalls and routers)
- Uninstall unnecessary pre-installed software
- Disable auto-run features for removable media
- Disable any user accounts and services that are not needed
- Use automatic screen locking so users must re-authenticate after a period of inactivity
- Set six-digit PINs on all mobile devices as a minimum
- Require passwords of at least 12 characters on endpoint devices
Once you have determined your policy, this will need to be configured across every device and software you use as a business for consistency.
BYOD
Bring-your-own-device is increasingly common, as your staff may wish to use personal devices (like smartphones) for business purposes. Some businesses choose to ban this, but it’s becoming harder to avoid.
So, it’s crucial to have a BYOD policy. The policy should address data encryption, strong password policies, regular software updates and secure network access protocols.
Implementing a Mobile Device Management (MDM) solution will help secure BYOD devices. MDM solutions enable remote device management, including software distribution, configuration and security updates. They also provide features like remote wipe to protect sensitive data in case of device loss or theft. Microsoft Intune is an example of an MDM solution.
Software and device control
Alongside your policies, you will want to maintain an inventory of all devices owned by your business and the software installed on them. You’ll want to note things like their unique ID, who is responsible for them and so on. This will help you to keep track of everything and can help with auditing and troubleshooting.
You will also want to set up an approved list of tools people can use and enforce it organisation-wide. You can make use of official app stores and application signing for mobile devices to minimise the risk of malware from third-party apps.
Finally, set up an internal software approval process people can use to request tools. This process should have stringent measures to ensure they’re safe (for example, meeting specific security standards).
User access control
It is crucial to ensure only verified users have access to your business network and systems. This limits the opportunity for cyber criminals to steal data or take control of your systems.
Firstly, you need to determine how access is designated. Aim to follow the least privilege principle, granting each user only the minimum level of access required to perform their job. This limits the damage a single compromised account can do.
You must also craft and document a user account creation and approval process for consistency across new users, which dictates how permissions are granted. On the flip side of this, you’ll need a process of removing permissions when someone leaves the business or changes roles. Aim to regularly review and disable inactive accounts.
Administrative activities must also be performed through a separate account from the day-to-day login used for internet browsing and email. A phishing email or malicious download then compromises a standard user rather than an administrator.
Next, you need to enforce strong password policies among all staff, across all devices and accounts they use for business purposes. This means:
- Requiring unique passwords and PINs for every account
- Delivering staff awareness training that demonstrates password best practice
- Granting self-service password reset abilities across systems
Alongside strong passwords, you need multi-factor authentication (MFA). This requires users to present two or more authentication factors (for example, a password plus a code or approval prompt on a registered device), so a stolen password alone is not enough to log in. Most online services now include MFA as standard, so you need to make sure it is turned on across the board so internal and external users face it by default.
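The access review described above is a recurring task, and it helps to script it against an export from your identity directory. The following is an added example, not code from the original article or any vendor product: the account export is constructed, the field names are an assumption, and the 90-day inactivity threshold is a placeholder for whatever your policy sets. It flags the four conditions the section calls out: leavers still enabled, inactive accounts, accounts without MFA, and administrator accounts that also carry a mailbox.

```python
"""Periodic user access review: flag the account conditions the checklist
calls out. Added example, not code from the original article; the directory
export below is constructed and the 90-day threshold is an assumption."""
from datetime import date

# Constructed export from an identity directory (one dict per account).
ACCOUNTS = [
    {"name": "alice", "roles": ["user"], "enabled": True, "last_login": "2024-03-01",
     "mfa": True, "mailbox": True, "employment": "active"},
    {"name": "bob", "roles": ["user"], "enabled": True, "last_login": "2023-10-01",
     "mfa": False, "mailbox": True, "employment": "active"},
    {"name": "carol-admin", "roles": ["global-admin"], "enabled": True, "last_login": "2024-03-03",
     "mfa": True, "mailbox": True, "employment": "active"},
    {"name": "dave", "roles": ["user"], "enabled": True, "last_login": "2024-02-20",
     "mfa": True, "mailbox": True, "employment": "left"},
    {"name": "erin", "roles": ["user"], "enabled": False, "last_login": "2023-12-15",
     "mfa": True, "mailbox": True, "employment": "left"},
]

INACTIVE_DAYS = 90  # assumed policy threshold


def is_privileged(account):
    """Treat any role containing 'admin' as privileged (assumed naming convention)."""
    return any("admin" in role for role in account["roles"])


def review_accounts(accounts, today_iso):
    """Return a list of (account name, issue) pairs for the reviewer to action."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing further to check
        name = acct["name"]
        if acct["employment"] != "active":
            findings.append((name, "leaver still enabled: disable and remove permissions"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > INACTIVE_DAYS:
            findings.append((name, f"inactive for {idle} days: disable"))
        if not acct["mfa"]:
            findings.append((name, "MFA not enforced"))
        if is_privileged(acct) and acct["mailbox"]:
            findings.append((name, "admin account has a mailbox: use a separate day-to-day account"))
    return findings


if __name__ == "__main__":
    for name, issue in review_accounts(ACCOUNTS, "2024-03-04"):
        print(f"{name}: {issue}")
```

Run on the constructed data, the review produces four findings: bob is both inactive and without MFA, carol-admin is a privileged account that also receives email, and dave has left but is still enabled. A disabled account such as erin generates nothing, which is the state every leaver should end up in.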
Cloud-based data protection
If you hold data on-premises, remote staff usually reach it via VPN or VDI. In both cases the solution needs to be secured with MFA.
Alternatively, you can migrate data to a cloud-based service to remove the need for complex on-premises remote-access solutions. These services do not require you to run servers and offer more options for collaboration and device-agnostic access.
On top of this, you should implement data loss prevention (DLP) tactics to better protect your data. This includes identifying and classifying sensitive data based on its value and sensitivity level, using tags or metadata.
The Microsoft Purview suite contains tools both for applying DLP tactics and sensitivity labelling.
Email filtering
Phishing is one of the most common causes of cyber attacks: criminals send deceptive emails to trick your users into handing over information or clicking malicious links. Email filtering can help prevent these emails from reaching your users.
It inspects incoming and outgoing emails using techniques like content analysis, header analysis (for example, checking the SPF, DKIM and DMARC results and whether the sender’s domains agree with one another) and sender reputation. It categorises emails as spam, legitimate or suspicious, and takes actions like blocking, quarantining or flagging them accordingly.
Choose a reputable hosted email platform, like Google Workspace or Exchange Online. You’ll also want to build on these with email filtering tools that are separately licensed, with configurable policy sets, central management and enterprise-level protection. Defender for Office 365 is an example of this.
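To make the header-analysis stage concrete, here is an added example (not code from the original article or from any filtering product) of the checks a filter runs before content analysis even starts: read the receiving server’s Authentication-Results header, confirm the Return-Path and Reply-To domains agree with the From domain, look for pressure language in the subject, and map the result onto the three verdicts above. Both sample messages are constructed, and the scoring weights are assumptions rather than any vendor’s policy.

```python
"""Header analysis stage of an email filter. Added example, not code from the
original article or any vendor product; both sample messages are constructed
and the scoring weights are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing sample: the display name impersonates a bank, but the
# envelope sender, DKIM signer and Reply-To all point somewhere else.
PHISHING_SAMPLE = """\
Return-Path: <bounce@mail-deliver.example.net>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail-deliver.example.net;
 dkim=pass header.d=mail-deliver.example.net;
 dmarc=fail header.from=securebank.example
From: "SecureBank Alerts" <alerts@securebank.example>
Reply-To: <verify@securebank-login.example.org>
To: <finance@example.com>
Subject: Urgent: verify your account within 24 hours

Your account has been limited. Visit http://securebank-login.example.org/verify
"""

# Constructed legitimate sample: every check passes and the domains agree.
LEGIT_SAMPLE = """\
Return-Path: <billing@supplier.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier.example; dkim=pass header.d=supplier.example; dmarc=pass header.from=supplier.example
From: "Supplier Ltd" <billing@supplier.example>
To: <finance@example.com>
Subject: March invoice attached

Please find the invoice attached.
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PRESSURE = re.compile(r"\burgent\b|verify your account|within 24 hours|account (?:has been )?(?:limited|suspended)")


def domain_of(header_value):
    """Lower-cased domain from an address header, or '' when absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower() if "@" in address else ""


def auth_results(msg):
    """Map spf/dkim/dmarc -> result from the Authentication-Results header(s)."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    return dict(AUTH_RESULT.findall(joined))


def score_headers(raw_message):
    """Return (score, reasons). Weights: DMARC failure 3, domain mismatch 2, others 1."""
    msg = message_from_string(raw_message)
    results = auth_results(msg)
    from_dom = domain_of(msg["From"])
    reasons = []
    if results.get("dmarc") != "pass":
        reasons.append((3, f"DMARC {results.get('dmarc', 'missing')} for {from_dom}"))
    if results.get("spf") != "pass":
        reasons.append((1, "SPF did not pass"))
    if results.get("dkim") != "pass":
        reasons.append((1, "DKIM did not pass"))
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and other != from_dom:
            reasons.append((2, f"{header} domain {other} differs from From domain {from_dom}"))
    if PRESSURE.search((msg["Subject"] or "").lower()):
        reasons.append((1, "pressure language in subject"))
    return sum(weight for weight, _ in reasons), [text for _, text in reasons]


def classify(raw_message):
    """'legitimate' (deliver), 'suspicious' (quarantine) or 'spam' (block)."""
    score, reasons = score_headers(raw_message)
    if score == 0:
        return "legitimate", reasons
    return ("spam" if score >= 4 else "suspicious"), reasons


if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGIT_SAMPLE):
        verdict, reasons = classify(sample)
        print(verdict, reasons)
```

The phishing sample is caught without looking at the body at all: SPF and DKIM both pass, because the attacker controls the sending domain, but DMARC fails because that domain does not align with the From header, and the Return-Path and Reply-To point at two further unrelated domains. That is the pattern to watch for in your own filter’s logs.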
Website blocking
Website blocking can help prevent employees from accessing malicious websites that could infect their devices with malware or expose the company’s network to vulnerabilities.
There are two main options to block websites across your business:
- Network-level blocking: This can be done through firewall configuration, DNS filtering or proxy server configuration. Any of these will need to be set up by an IT professional.
- Software-level blocking: You can purchase specific web filtering software to block access or install browser extensions.
Both approaches are needed to protect devices inside and outside your network: network-level blocking does nothing for a laptop on home Wi-Fi, and software-level blocking can be uninstalled or bypassed on a device you do not manage.
In many cases, the security software you already have may offer traffic filtering (such as Microsoft Defender), though you may need to configure it.
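DNS filtering is the simplest of the network-level options to reason about, so here is an added example of the decision logic a filtering resolver applies (not code from the original article or from any product). A blocklist entry covers the domain and everything beneath it, an explicit allowlist entry wins over the blocklist, and the resolver’s query log is run through the same rules to show which clients tried to reach blocked names. The block and allow lists and the query log are constructed.

```python
"""DNS-filtering decision logic. Added example, not the original article's or
any product's code; the block/allow lists and query log are constructed."""
from collections import Counter

# Constructed policy. Blocklist entries cover the name and all its subdomains;
# allowlist entries are exact-name exceptions that override the blocklist.
BLOCKLIST = {"malware-cdn.example", "phish.example.net", "tracker.example.org"}
ALLOWLIST = {"status.phish.example.net"}

# Constructed resolver query log: "client-ip queried-name".
QUERY_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 cdn.malware-cdn.example
10.0.0.7 Login.Phish.Example.NET.
10.0.0.7 status.phish.example.net
10.0.0.9 example.net
10.0.0.9 a.b.tracker.example.org
"""


def normalise(name):
    """Lower-case and strip the trailing root dot so 'A.Example.' == 'a.example'."""
    return name.rstrip(".").lower()


def parent_domains(name):
    """Yield the name then each parent: a.b.example -> a.b.example, b.example, example."""
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decision(name):
    """Return ('allow' | 'block', reason) for a single lookup."""
    name = normalise(name)
    if name in ALLOWLIST:
        return "allow", "allowlisted"
    for candidate in parent_domains(name):
        if candidate in BLOCKLIST:
            return "block", f"matches blocklist entry {candidate}"
    return "allow", "no match"


def filter_log(log_text):
    """Apply decision() to every query; return blocked (client, name) pairs and per-client counts."""
    blocked, per_client = [], Counter()
    for line in log_text.splitlines():
        client, name = line.split()
        verdict, _ = decision(name)
        if verdict == "block":
            blocked.append((client, normalise(name)))
            per_client[client] += 1
    return blocked, per_client


if __name__ == "__main__":
    blocked, per_client = filter_log(QUERY_LOG)
    for client, name in blocked:
        print(f"{client} blocked {name}")
    print(dict(per_client))
```

Note the case and trailing-dot handling: attackers and some resolvers vary both, and a filter that compares raw strings would let `Login.Phish.Example.NET.` straight through. The per-client counts are the starting point for the monitoring discussed later: a single device generating many blocked lookups is worth a look.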
Data backup and disaster recovery
Data backup and disaster recovery are critical components of any business’s cyber security strategy. Backup involves creating copies of data and storing them securely, so that data can be restored after loss or damage. This applies above all to your most critical data.
Start by understanding the systems and data you have and how critical they are to operations, as part of a documented audit. This should be coupled with risk assessments that identify possible disaster scenarios and the effort required to recover. Within this, you must define:
- How much downtime can be tolerated on any given system (Recovery Time Objective)
- How much data can realistically be lost (Recovery Point Objective)
These two factors will help you to determine the frequency of backups and the length of time they are retained.
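An RPO is only useful if you check your backup history against it, so here is an added example (not code from the original article or any backup product) that does exactly that: for each system it finds every gap between successful restore points, including the gap from the last one up to now, that exceeds the RPO you set. Failed jobs are ignored because they are not restore points. The catalogue lines and the RPO values are constructed.

```python
"""Check a backup catalogue against per-system RPOs. Added example, not code
from the original article; the catalogue lines and RPO values are constructed."""
from datetime import datetime, timedelta

# Constructed backup catalogue: "timestamp system type status", one completed job per line.
BACKUP_LOG = """\
2024-03-01T02:00 finance-db full ok
2024-03-01T08:00 finance-db incremental ok
2024-03-01T14:00 finance-db incremental ok
2024-03-02T02:00 finance-db full ok
2024-03-02T08:00 finance-db incremental failed
2024-03-02T20:00 finance-db incremental ok
2024-03-01T02:00 fileshare full ok
2024-03-02T02:00 fileshare full ok
"""

# RPO per system, as decided in the risk assessment (assumed values).
RPO_HOURS = {"finance-db": 6, "fileshare": 24}


def parse_catalogue(text):
    """Group (timestamp, type, status) tuples by system name."""
    jobs = {}
    for line in text.splitlines():
        ts, system, kind, status = line.split()
        jobs.setdefault(system, []).append((datetime.fromisoformat(ts), kind, status))
    return jobs


def rpo_report(catalogue_text=BACKUP_LOG, now_iso="2024-03-03T00:00"):
    """Per system: hours since the last good backup and every gap that broke the RPO."""
    now = datetime.fromisoformat(now_iso)
    report = {}
    for system, entries in parse_catalogue(catalogue_text).items():
        rpo = timedelta(hours=RPO_HOURS[system])
        good = sorted(ts for ts, _, status in entries if status == "ok")  # failed jobs are not restore points
        if not good:
            report[system] = {"last_good_age_hours": None, "rpo_violations": ["no successful backup"]}
            continue
        violations = []
        for start, end in zip(good, good[1:] + [now]):  # include the gap up to now
            gap = end - start
            if gap > rpo:
                violations.append(f"{start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M} ({gap / timedelta(hours=1):.0f}h)")
        report[system] = {
            "last_good_age_hours": (now - good[-1]) / timedelta(hours=1),
            "rpo_violations": violations,
        }
    return report


if __name__ == "__main__":
    for system, summary in rpo_report().items():
        print(system, summary)
```

On the constructed data, finance-db has a 6-hour RPO but went 12 hours without a restore point overnight and then 18 hours after a failed incremental, so the schedule (or the failure alerting) needs fixing; fileshare, with a 24-hour RPO and a nightly full backup, is compliant. The same loop, run daily, is the evidence you would show an auditor that your RPO is being met rather than merely written down.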
You should schedule regular on-site backups (using local servers or external hard drives) for rapid restores and off-site backups (using remote locations or cloud-based storage) for disaster recovery. Keep at least one copy offline or on immutable storage that your everyday administrator credentials cannot modify, so that ransomware which reaches your live systems cannot also encrypt or delete your backups. Test restores regularly; a backup that has never been restored is unproven.
You will also need to refine a data retention policy, which outlines the specific rules for retaining and deleting different types of data. It should specify the retention periods for various data categories, such as customer data, financial records and employee information. It should detail the procedures for securely destroying data when it reaches the end of its retention period.
Additionally, you need a documented disaster recovery plan that outlines the steps to be taken to restore critical business functions and systems in the event of a cyber attack.
This should include:
- Business Impact Analysis (BIA): Identifies critical systems and processes to be prioritised.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): Defines the maximum tolerable downtime and data loss.
- Data backup and recovery strategy: Outlines procedures for backing up and restoring critical data.
- Disaster recovery site: Specifies the type of site where you will temporarily store your operations. These can be hot (fully functional and ready to go), warm (with hardware and software, but requiring configuration and data restoration) or cold (a basic site requiring significant configuration).
- Communication plan: Defines communication channels and protocols for team members and stakeholders.
- Incident response team: Identifies and trains a dedicated team to handle disaster recovery.
- Testing and maintenance: Includes a schedule for testing the DR plan and updating it regularly.
- Vendor management: Outlines vendor responsibilities and expectations in a disaster scenario.
- Employee training: Provides training to employees on their roles and responsibilities in the DR plan.
Depending on the site option you choose, you will need to configure and maintain it. A hot site takes more effort and cost up front, but is far quicker to bring into service in a disaster.
Spend time crafting your disaster recovery plan. While you will hopefully never need it, you’ll be glad you do if the worst happens.
Alerts and monitoring
Threat monitoring is crucial to uncovering incoming attack attempts, so you can prevent them taking hold.
Many cyber security tools now have inbuilt threat monitoring, including Microsoft Defender. These tools use a series of techniques, including log analysis, network traffic analysis, behaviour analysis and anomaly detection.
However, these tools still need people with the time and skills to triage and respond to what they detect. On their own they also give reactive coverage: they tell you about an attack that is already underway.
If you want a more proactive approach, you will need to consider standing up a security operations centre (SOC). This requires a consistent amount of cyber security resource to detect and respond to threats. To ease the pressure, consider technology like XDR, SIEM or SOAR to aggregate telemetry and automate detection and response. Alternatively, outsource your SOC to an external partner.
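To show what "log analysis" and "anomaly detection" actually do inside these tools, here is an added example of one such detection, written for this article rather than taken from it or from any product: a sliding window per source address that raises a medium alert when a burst of failed sign-ins lands inside the window, and a high alert if that same source then succeeds while the burst is still in view, because that is what a guessed password looks like. The log lines, their format and the thresholds are all constructed.

```python
"""Brute-force sign-in detection over sample log lines. Added example, not code
from the original article or any product; the log lines and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log; the line format is an assumption.
AUTH_LOG = """\
2024-03-04T09:00:01 auth user=alice result=success ip=10.0.0.5
2024-03-04T09:12:40 auth user=bob result=failure ip=203.0.113.9
2024-03-04T09:12:42 auth user=bob result=failure ip=203.0.113.9
2024-03-04T09:12:45 auth user=bob result=failure ip=203.0.113.9
2024-03-04T09:12:47 auth user=bob result=failure ip=203.0.113.9
2024-03-04T09:12:50 auth user=bob result=failure ip=203.0.113.9
2024-03-04T09:12:58 auth user=bob result=success ip=203.0.113.9
2024-03-04T10:30:00 auth user=carol result=failure ip=10.0.0.7
2024-03-04T11:45:00 auth user=carol result=success ip=10.0.0.7
"""

LINE = re.compile(r"^(\S+) auth user=(\S+) result=(success|failure) ip=(\S+)$")


def parse_events(log_text):
    """Yield (timestamp, user, result, ip) for each well-formed line, in log order."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, user, result, ip = m.groups()
            yield datetime.fromisoformat(ts), user, result, ip


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window per source IP. Medium alert when `threshold` failures
    fall inside `window`; high alert if that IP then succeeds while the burst
    is still inside the window."""
    recent_failures = defaultdict(deque)
    alerts = []
    for ts, user, result, ip in events:
        q = recent_failures[ip]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if result == "failure":
            q.append(ts)
            if len(q) == threshold:  # fire once, as the threshold is crossed
                alerts.append({"severity": "medium", "ip": ip, "user": user, "time": ts.isoformat(),
                               "detail": f"{threshold} failed sign-ins within {window}"})
        elif len(q) >= threshold:
            alerts.append({"severity": "high", "ip": ip, "user": user, "time": ts.isoformat(),
                           "detail": "successful sign-in after a failure burst: possible guessed password"})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(AUTH_LOG)):
        print(alert)
```

Carol’s single typo followed by a successful login over an hour later produces nothing, which is the point of the window: the detection separates ordinary mistakes from the tight burst against bob’s account from 203.0.113.9. The "high" alert is the one that needs a human to reset the password and check what that session did; this is the response work the paragraph above says the tools cannot do for you.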
Patch management
Patch management is a critical process in cyber security that involves the systematic identification, testing and deployment of software updates.
You should aim to stay on top of updates across your software, which may include operating systems, applications, firewalls and more. For larger updates, you will need to schedule these in at a time where uptime is less likely to be affected.
You will usually be alerted when a patch is available. This shouldn’t be left to end users to accept; instead, manage patching centrally so that updates are applied to all devices. Critical and high-severity security patches should be applied within 14 days of release, which is the threshold Cyber Essentials requires.
Patches are only released while the software is actively supported by the supplier, even if it is not the latest version. Where software is out of support it must be removed, upgraded or segregated from the rest of your network, since newly discovered vulnerabilities in it will never be fixed.
You may also use automated tools to apply updates across your organisation. Microsoft Intune is an example.
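The software inventory from the "Software and device control" section and the patch rules above can be checked by the same script, so here is one added example that covers both (not code from the original article or from Intune or any other tool). It reports software that is not on the approved list, products that are out of vendor support, and pending patches that have overrun their window. The inventory rows are constructed; the 14-day limit for critical and high patches is the Cyber Essentials requirement, while the 30- and 90-day limits for medium and low are assumptions.

```python
"""Inventory check covering unapproved software, unsupported products and
overdue patches. Added example, not code from the original article; the rows
are constructed and the medium/low windows are assumptions."""
from datetime import date

# Constructed software inventory export, one row per installed product.
INVENTORY = [
    {"device": "laptop-01", "product": "Windows 11 23H2", "approved": True, "supported": True,
     "pending_patch_severity": "critical", "patch_released": "2024-02-10"},
    {"device": "laptop-02", "product": "Google Chrome", "approved": True, "supported": True,
     "pending_patch_severity": "high", "patch_released": "2024-02-25"},
    {"device": "laptop-02", "product": "FreeScreenRecorder", "approved": False, "supported": True,
     "pending_patch_severity": None, "patch_released": None},
    {"device": "server-01", "product": "Windows Server 2012 R2", "approved": True, "supported": False,
     "pending_patch_severity": None, "patch_released": None},
    {"device": "fw-01", "product": "Firewall firmware", "approved": True, "supported": True,
     "pending_patch_severity": None, "patch_released": None},
]

# Days allowed between a patch's release and its installation.
# 14 for critical/high is the Cyber Essentials requirement; the others are assumed.
SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}


def assess_inventory(rows, today_iso):
    """Return a list of (device, product, issue) findings."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in rows:
        device, product = row["device"], row["product"]
        if not row["approved"]:
            findings.append((device, product, "unapproved software: remove or put through the approval process"))
        if not row["supported"]:
            findings.append((device, product, "out of vendor support: remove, upgrade or segregate"))
            continue  # no patch will ever arrive, so the SLA check does not apply
        severity = row["pending_patch_severity"]
        if severity:
            age = (today - date.fromisoformat(row["patch_released"])).days
            limit = SLA_DAYS[severity]
            if age > limit:
                findings.append((device, product,
                                 f"{severity} patch {age} days old, {age - limit} days past the {limit}-day limit"))
    return findings


if __name__ == "__main__":
    for device, product, issue in assess_inventory(INVENTORY, "2024-03-04"):
        print(f"{device} / {product}: {issue}")
```

Run against the constructed inventory on 4 March 2024, the check produces three findings: the critical Windows patch on laptop-01 is 23 days old and therefore 9 days past the limit, the screen recorder on laptop-02 is not approved, and server-01 runs an operating system that will never be patched again. Chrome’s pending high-severity update is 8 days old and still inside the window, so it is not reported yet; the same script run a week later would flag it.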
User awareness training
Users are always going to be your first line of defence when it comes to cyber threats. As such, it’s integral that everyone in your business has a basic understanding of risk and their role in mitigating it.
Your user awareness training should encompass:
- Teaching the signs of suspicious activity (e.g. phishing emails or unsecured websites)
- Following password best practice
- Never giving out login details
- Sticking to approved applications
- Knowing when and when not to use sensitive data
- Reporting suspicious activities, breaches or lost devices
You should adapt the training based on your business requirements and security policies. Aim to document best practice and hold regular sessions for users, alongside reminders. This will keep cyber security front of mind and encourage people to do their part to safeguard the business.
Overcoming challenges
While this checklist should clarify the basics you need to implement across your cyber security strategy, we appreciate it can still take time and resource to put it all into place.
Common obstacles businesses face include:
- Overcoming the cyber security skills gap within the UK (which may make it harder to recruit the people you need)
- Managing long-term costs associated with cyber security provisions
- Getting support to progress your efforts
- Proving your cyber safety is up to standard
Fortunately, there are solutions to help.
The first is leveraging managed services to outsource your cyber security implementation and management to a third-party expert. You’ll pay a set contract fee (usually monthly), but this gives you the resource you need to run your cyber security operations. It also saves you having to recruit internal experts or exhaust existing capacity.
In most instances, your managed services provider will be able to give hands-on advice to improve your cyber security, including recommending tools and configuring elements for you. This enables you to get the basics in place so you can rest easy. They can even offer specific solutions that package the basics together for ease of deployment.
Another great starting point is Cyber Essentials. This is a government-backed cyber security framework which guides you through the implementation of core controls that protect your business. These measures have been purposely designed to be accessible for all kinds of businesses.
Once you have introduced the designated measures, you can submit a self-assessment. If successful, you will gain a certificate that proves your security standards and builds trust.
Cyber Essentials does come at a cost, as you’ll still need to do the groundwork and pay for the assessment, but it offers a clear route to follow to get ‘basic’ cyber security into place.
A managed service provider can also help you achieve Cyber Essentials certification.
Want to find out more about cyber security best practice for your business?
Cyber security is a complex topic, making it difficult to understand, let alone implement. It’s because of this that many organisations fail to properly optimise their security in line with best practice.
But cyber security doesn’t need to be overly complicated.
Our Get to Secure video series breaks down everything you need to know into short, digestible webinars, delivered by experts. We’ll tell you the basics you need to implement, why they matter and the steps to doing it all.