A key step in the efforts of SMEs to become cyber resilient in 2021 is to ensure that they have considered all areas of cyber risk in the business. It doesn’t have to be a complicated process as a straightforward checklist will help identify and document the major risks that exist in your organisation.

This step can be followed by a consideration of how controls might be introduced to reduce or even eliminate the identified threats and vulnerabilities that place the organisation at risk. Below you will find such a checklist covering your people, technology & data, third parties, remote access, user accounts and business governance.

Businesses that have not taken basic steps to protect their organisations are taking a huge risk.

1.     PEOPLE

Do your staff receive cybersecurity training regularly to keep their awareness levels high?
Do staff undertake reviews to ensure that they understand cybersecurity risks? Are results monitored to ensure improvement? 
Do you test cyber awareness regularly by sending spoof phishing emails or using test social media scams?
Do your employees understand the significant risk that can arise from poor cyber practices e.g. opening suspicious attachments, revealing passwords by telephone or using unsecured public Wi-Fi?
Do you have appropriate mechanisms for staff to be able to report suspicious issues quickly and effectively in a ”no blame” culture?
Do you apply proper onboarding/exit processes when staff join and leave your firm?
Do you conduct appropriate checks on new employees to understand if they represent a potential information security risk?


Do you know where and how your data is backed–up and stored and whether it is encrypted?
Do you have appropriate mechanisms for securely sending and receiving data files?
Do you have an inventory of hardware and software assets and individuals who are responsible
for ensuring that the inventory is kept up to date? Do you have an asset management policy?
Do you have appropriate firewalls?
If you outsource IT functions, do you receive regular Board reports?
Are your wireless networks appropriately secured?
Do you have email and internet traffic filtering software?
Do you regularly check the hardware, operating systems, data and other software against a 'good known state' baseline?
Do you use intrusion detection software? Do you review logs of successful and unsuccessful attacks and probes/scans on your system?
Do you have a security roadmap, and do you review it against your overall IT roadmap regularly?
Have you classified data by sensitivity and risk?
Do you patch your software automatically every time an update is made available?
Do you have effective anti-malware defences and scan for malware regularly?


  • Do you understand the risks arising from third-party service providers or the suppliers who make up your supply chain?
  • Do you have a process to assess third parties and suppliers for cybersecurity risk? Do you undertake appropriate due diligence before engaging with them?
  • Do you place appropriate contractual obligations on third parties requiring them to take steps to keep data secure?
  • If you use SaaS or cloud storage, do you have appropriate contractual mechanisms to be notified quickly of potential security issues in view of your legal obligations for Personally Identifiable Information under GDPR?


  • Do you allow remote access to your Information systems? If so, do you have appropriate software and controls in place to ensure that access is secure?
  • Do you require multifactor authentication for access requests?
  • Do you have appropriate policies that ensure you secure mobile devices?
  • Is data encrypted on mobile devices? Can mobile devices be remotely wiped in the event of loss or theft?
  • If you allow employees to bring their own devices (BYOD) to the office? Do you apply appropriate restrictions to personal use to maintain security? Have you considered the use of secure areas on BYOD devices?
  • Do you allow the use of removable media and if so, do you have a policy covering this?


  • Do you require unique accounts for each user of your information systems?
  • Do you restrict administrator access accounts to the absolute minimum necessary?
  • Do you have a policy requiring strong, “hard to guess” passwords?
  • Do you use software to reduce common password risks?
  • Do you automatically prevent the use of common passwords, reuse of old passwords and force password changes on a regular basis?


  • Do you have written policies, standards and procedures in place for managing cyber risk and ensure that all employees are aware of these. 
  • Does your Board of Directors regularly consider cyber risk at Board meetings?
  • Does your organisation have a documented cyber incident response plan that is regularly tested?  
  • Does your business have an incident response team?
  • Does your Board understand the sources of the key cyber threat to the organisations “crown jewel” assets?
  • Has the Board considered cyber insurance to protect against the financial consequences of cyber risk?

A company that addresses these risk areas and puts controls in place to reduce their risks to an acceptable level, will be well on the way to improving their cyber resilience.

Small businesses are big business for Cybercriminals. You may be managing a small business, struggling to make sense of this complex environment and concerned that you may not be doing enough to prepare your business and your people for a Cyber incident.

If so, the online education course offered by Surviving Cyber can help you prepare your pathway to peace of mind. If you like the sound of the course,  Surviving Cyber – the Small Business Owner’s Pathway to Peace of Mind, you can register here.

The course is currently being piloted with the first cohort of students. If seats on the course are not available when you enquire, please join the Surviving Cyber email list to receive ongoing communication from me, including details of future courses. I look forward to engaging with you.