American Management Network

Cyber security checklist and essential controls for SMEs

American businesses are facing the growing problem of cybercrime. Cyber attacks can seriously harm an organization, especially for smaller companies that may lack the expertise and resources to prevent attacks. Implementing essential cyber controls as part of a cyber security checklist can help protect your organization, reduce downtime, and protect valuable data.

Regardless of the size of the business, cybersecurity has become a critical element of the American business landscape. While cyber attacks on large organizations make national headlines, a security breach can threaten the existence of a smaller business that may lack the necessary damage control resources. Recent research found that 95% of American small and medium-sized businesses experienced a cyberattack in 2021, meaning that SMEs should take extra steps to secure their data, networks, and IT equipment from unauthorized access.

Adopting essential cyber controls and implementing security solutions as a small business can help minimize the risks of cyber attacks.

Why put essential cyber controls in place?

The EU’s National Cyber Security Strategy is designed to tackle the challenge of cybercrime. It aims to secure information networks, systems, and infrastructure to minimize the risk of cyberattacks and seeks to raise cybercrime awareness among businesses.

By bolstering their cybersecurity, businesses can reduce the threat of compromised data and systems. Recent threats, such as ransomware attacks, can result in companies paying cybercriminals to regain access to encrypted data and locked systems.

Cyber security combines behavior and IT solutions. Behavior includes ensuring staff are actively trained in data security and that clear security policies are in place. IT solutions include deploying technologies such as firewalls, two-factor authentication (2FA), and network monitoring software to detect and stop attacks.

Our Cyber Essentials certification process audits your organization to demonstrate to stakeholders and business partners that you take cyber security seriously and have adequate measures to protect data and systems.

Looking to ensure your business meets GDPR requirements? Read our guide to who is responsible for demonstrating GDPR compliance.

Essential cyber controls – security checklist

Here is our cyber security risk assessment checklist of issues SMEs should consider addressing to help improve cyber security.

Keep equipment up to date

Conduct a comprehensive inventory of equipment connected to your network, including any BYOD equipment staff use. This should include desktops, laptops, mobile devices, and routers. Older legacy equipment may no longer receive security updates, while other network-connected devices, such as network printers, can be attack vectors for hackers.

Ensure that the latest software updates are installed, as this can help minimize the risk of a cyber attack. Ensure that firmware updates are applied to networked IT equipment such as printers, routers, NAS drives, and servers. Updates often patch security vulnerabilities, closing security holes that hackers can exploit.

Consider repurposing older equipment that no longer receives updates for tasks that do not require network access, or recycling its components.

Employees and training

Implement regular security and data processing awareness training for employees, contractors, and others who access business networks. Many cyber attacks rely on social engineering, such as spear phishing, in which an individual in the business is targeted with convincing emails designed to deploy malware or to give cyber criminals access to the network. Regularly remind employees of the protocols they must follow and encourage the immediate reporting of any suspicious activity.

Access control

Not every employee in an organization needs access to all of its data.

Review account permissions, restricting access to the lowest level required for employees to perform their duties. Ensure every employee has a separate account with unique log-in credentials and allow remote access only through a virtual private network (VPN).

Enforce password policies for all employees, ensure passwords are not reused across accounts or sites, and incorporate multi-factor authentication (MFA) for sensitive accounts or those using remote access. A good example is a password combined with a biometric (fingerprint) or a code sent to an email address or phone number. Remember to delete employee accounts when an employee leaves the organization.
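The access-control points above (least privilege per role, one named account per person, MFA for remote or sensitive access, and removing leavers) can be turned into a repeatable review. The script below is an added example, not code from AMN or from any directory product; the export fields, the role-to-group baseline, and the sample accounts are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Account:
    """One row of a (constructed) directory export; field names are assumptions."""
    username: str
    owner: str          # the named person; "shared" marks a generic login
    role: str           # job role used to derive the permitted group set
    groups: set
    mfa_enabled: bool
    remote_access: bool
    employed: bool      # False once HR records the person as having left
    enabled: bool

# Hypothetical least-privilege baseline: the only groups each role needs.
ROLE_GROUPS = {
    "sales":   {"Staff", "CRM-Users"},
    "finance": {"Staff", "Finance"},
    "it":      {"Staff", "Domain Admins"},
}
SENSITIVE_GROUPS = {"Domain Admins", "Finance"}

def review_accounts(accounts):
    """Return (username, finding) pairs for every enabled account that breaks a rule."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing to review
        if not a.employed:
            findings.append((a.username, "leaver still enabled: disable and remove"))
        if a.owner == "shared":
            findings.append((a.username, "shared login: issue individual accounts"))
        if (a.remote_access or a.groups & SENSITIVE_GROUPS) and not a.mfa_enabled:
            findings.append((a.username, "MFA missing on remote or sensitive access"))
        excess = a.groups - ROLE_GROUPS.get(a.role, set())
        if excess:
            findings.append((a.username, "excess privilege: " + ", ".join(sorted(excess))))
    return findings

# Constructed sample export, not real data.
SAMPLE = [
    Account("jdoe", "Jane Doe", "sales", {"Staff", "CRM-Users"}, True, True, True, True),
    Account("bsmith", "Bob Smith", "finance", {"Staff", "Finance"}, False, False, True, True),
    Account("reception", "shared", "sales", {"Staff"}, False, False, True, True),
    Account("ex-cjones", "Chris Jones", "it", {"Staff", "Domain Admins"}, True, True, False, True),
    Account("tlee", "Tom Lee", "sales", {"Staff", "CRM-Users", "Domain Admins"}, True, False, True, True),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE):
        print(f"{user}: {finding}")
```

Run against a real export, the same rules give a list of accounts to fix before the next review; an account with no findings (like jdoe here) is one the checklist is satisfied with.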

Cyber security defense

Assess your need for cyber security solutions for small businesses, such as:

  • Firewalls.
  • Anti-virus software.
  • Anti-malware software.
  • Network monitoring and alert systems.

These systems recognize unauthorized attempts to access or steal information and block the access or quarantine the malware. Network monitoring systems can alert you to suspicious activity and potential threats, helping you catch security breaches quickly before too much damage is done.

Ensure anti-malware and security software is updated, ideally daily or hourly.

Bolster email security

Email attacks are one of the most significant security vulnerabilities for smaller businesses. Cybercriminals use phishing scams to deliver malware payloads such as ransomware or to fool employees into sharing passwords and access credentials. Email security can be a particular issue for SMEs that run many different and sometimes older email protocols and formats, such as SMTP, POP, and MIME. Web-based mail can offer more robust security features such as message encryption, malicious email filtering, and detection of hijacked email accounts.

Segment the network

Assess your network topology, and build or restructure networks into manageable subnets with access control between different network layers or subnets. As part of a cyber security checklist, examine and limit access to different subnets, and limit mission-critical data or processes to specific and highly restricted subnets.

Data recovery plan

Ensure your business has a data recovery plan that is well rehearsed, so that downtime is minimized and the recovery procedures are tested.

Protecting data from unauthorized access is paramount, but you should also have a disaster recovery plan in place should your organization face a data breach or find its data held to ransom by cybercriminals. Ensure that data is backed up regularly. Backups should be encrypted, and more than one backup method used, such as an onsite server and cloud backup, to ensure additional protection.

Supplier security

Many businesses rely on a supply chain for their products or services. If a cyberattack happens to any of your suppliers, your business could also be at risk. Sensitive information, data, customer information, or access to essential areas could be exposed if security is breached further down the chain.

To minimize the risk of this happening, maintain transparent relationships with your suppliers and encourage them to adopt robust cyber security.

Ask for their cyber security policies and if they’re certified in Cyber Essentials, ISO 27001 Information Security Management Systems, or ISO 27701 Privacy Information Management Systems, for example.

Need to demonstrate your IT security systems are robust and fit for purpose? Our Cyber Essentials with expert support is a great starting point to reduce harm to reputation and enhance data security processes.
