This article is part of a series of articles called “The Small Business Owner’s Introduction to Cyber Risk”. Each article is dedicated to an important topic that the owners of small businesses should understand as they get started on their journey towards peace of mind from cyber risk.
The cyber threat to small businesses has never been at a higher level than it is right now in the post-COVID era. Small business owners are in a uniquely exposed situation because of the close link between their financial livelihood and the fortunes of their business. Both could be severely impacted by a cyber-attack.
As the owner or manager of a small business, you may be confused by cyber risk right now, and if you are, you’re not alone. Most people who own or manage small businesses are concerned about the cyber exposures of their businesses. A lot of people are confused by the complexity of the topic and the large number of solutions promoted by the cybersecurity industry.
As the owner of a small business, I understand the small company perspective. Lack of time, money and expertise are real problems for small businesses, but these should not prevent small business leaders from taking reasonable steps to improve business resilience. In these short articles, I hope to show you how.
A checklist for cyber risk
A key step in the efforts of small companies to become cyber resilient is to ensure that they have considered all areas of cyber risk in the business. It doesn't have to be a complicated process: a straightforward checklist will help identify and document the major risks that exist in your organisation.
This step can be followed by a consideration of how controls might be introduced to reduce the identified threats and vulnerabilities that place the organisation at risk. Below you will find such a checklist covering your people, technology & data, third parties, remote access, user accounts and business governance.
Businesses that have not taken steps to protect their organisations against a cyber incident are taking a huge risk.
1. PEOPLE
- Do staff receive ongoing cybersecurity training to maintain awareness levels?
- Do staff undertake reviews to ensure that they understand cybersecurity risks? Are results measured and monitored to ensure improvement is achieved?
- Do you test cyber awareness regularly by sending spoof phishing emails or using test social media scams?
- Do your employees understand the significant risk that can arise from poor cyber practices e.g. opening suspicious attachments, revealing passwords by telephone or using unsecured public Wi-Fi?
- Do you have appropriate mechanisms for staff to be able to report suspicious issues quickly and effectively in a “no blame” culture?
- Do you apply onboarding/exit processes when staff join and leave your business?
- Do you conduct appropriate checks on new employees to understand if they represent a potential information security risk?
- Have you reviewed the people risks that arise from remote working arrangements?
2. TECHNOLOGY AND DATA
- Do you know where and how your data is backed up and stored and whether the data is encrypted?
- Do you have appropriate mechanisms for securely sending and receiving data files?
- Do you have an inventory of hardware and software assets and individuals who are responsible for ensuring that the inventory is kept up to date? Do you have an asset management policy?
- Do you have appropriate firewalls to protect your IT infrastructure?
- If you outsource IT functions, do you receive regular management reports?
- Are your wireless networks appropriately secured?
- Do you have email and internet traffic filtering software?
- Do you regularly check the hardware, operating systems, data, and other software against a 'known good state' baseline?
- Do you use intrusion detection software? Do you review logs of successful and unsuccessful attacks and probes/scans on your system?
- Do you have a security roadmap, and do you review it against your overall IT roadmap regularly?
- Have you classified data by sensitivity and risk?
- Do you patch your software automatically when an update is made available?
- Do you have effective anti-malware defences on all devices and scan for malware regularly?
- Have you reviewed the cybersecurity and data protection requirements of remote working?
3. THIRD PARTIES
- Do you understand the cyber risks arising from third-party service providers and the suppliers who make up your supply chain?
- Do you have a process to assess third parties and suppliers for cybersecurity risk? Do you undertake appropriate due diligence before engaging with them?
- Do you place appropriate contractual obligations on third parties requiring them to take steps to keep your data secure?
- If you use third parties for data processing or storage, do you have appropriate contractual mechanisms to be notified quickly of potential security issues given your GDPR obligations?
- If you outsource significant functions, does your Board of Directors receive regular reports on these outsourced activities?
4. REMOTE ACCESS/BYOD/REMOVABLE DEVICES
- Do you allow remote access to your IT systems? If so, do you have appropriate software and controls in place to ensure that access is secure e.g. a corporate VPN?
- Do you require multifactor authentication for remote access requests?
- Do you have appropriate policies that ensure you secure mobile devices?
- Is corporate data processed or stored on the personal devices of employees?
- Is data encrypted on mobile devices? Can mobile devices be remotely wiped in the event of loss or theft?
- If you allow employees to use personal devices when working remotely or to bring their own devices (BYOD) to the office, do you apply appropriate restrictions to personal use to maintain security? Have you considered the use of secure areas on personal devices?
- Do you allow the use of removable media, and if so, do you have a policy covering this?
- Have you reviewed the cybersecurity and data protection requirements of remote working?
5. USER ACCOUNTS/PASSWORDS
- Do you require unique accounts for each user of your information systems?
- Do you restrict administrator access accounts to the absolute minimum necessary?
- Do you have a policy requiring strong, “hard to guess” passwords?
- Do you use software to reduce common password risks?
- Do you automatically prevent the use of common passwords and the reuse of old passwords, and do you force password changes regularly?
- Do employees receive training on good password practices?
6. BUSINESS GOVERNANCE
- Do you have written policies, standards, and procedures to manage cyber risk and ensure that all employees are aware of these?
- Does your Board of Directors/management team regularly consider cyber risk at their Board/management meetings?
- Does your organisation have a documented cyber incident response plan that is regularly tested?
- Does your business have an incident response team?
- Does your Board of Directors/management team understand the sources of the key cyber threats to the organisation's “crown jewel” information assets?
- Has the Board of Directors/management team considered cyber insurance to protect against the financial consequences of cyber risk?
Peace of mind from cyber risk
Small businesses are big business for cybercriminals. If you lead a small business, you may struggle to make sense of this complex environment. You could be concerned that you may not be doing enough to prepare your business and your people for a cyber incident.
If this is your situation, I hope that this article has been useful in introducing you to the topic of cyber risk for small businesses. I also hope it has convinced you that cyber risk is a business-critical risk that can be, and needs to be, managed like any other business risk.
In the next article in this short series, I explain what small business leaders really think about cyber risk.