In 2015, the world’s first “international cybermafia” stole up to $1 billion from more than 100 global financial institutions. The gang’s “spear-phishing” emails opened the bank’s digital doors and released trojans into each network, which then directed ATMs to transfer huge sums of money into dozens of hacker accounts.
Although your business might not have billions in the bank, data breaches like these could happen to any company, regardless of size. Implementing a small business cyber security checklist is the first step to securing your digital walls.
Small Business Risks Are Higher Than Ever
As a small business owner, you may assume your company isn’t big enough to be seen as a target for this kind of theft. But consider these statistics:
- As reported by the 2019 Verizon Data Breach Investigations Report, 58% of cyber attack victims are small businesses.
- Within the last 12 months, two-thirds of SMBs have suffered cyber attacks.
- The average cost of an attack is around $3 million, which is daunting, especially for small businesses without a cyber security plan.
- Recent data shows that nearly 60% of SMBs are forced to suspend operations after a cyberattack and never reopen for business.
These statistics indicate that your small company is probably the target of at least one type of potentially catastrophic digital threat. Thankfully, there are some simple policies you can implement today to protect yourself.
Your Small Business Cyber Security Checklist
America’s financial systems have noted the rise in attacks on small firms and the threats they pose to the country’s economy. FINRA, the Financial Industry Regulatory Authority, has created an exhaustive “Small Firm Cybersecurity Checklist” that breaks down the elements of computer system vulnerabilities. The checklist provides guidance on how to avoid losses to the digital thugs that exploit them.
We’ve expanded on FINRA’s guidelines to create an exhaustive small business cyber security checklist. By following this checklist, you can put practices in place that will provide protective barriers between you and the cyber crooks:
1. Identify Vulnerabilities
The first step is to identify the vulnerabilities in your digital structure.
- Inventory all assets and their related risks.
- Clarify users and access points because each poses an individual risk.
- Ensure encryption practices are current and enforced.
- Scan for intrusions. Detection software is critical to catch intruders before they can cause damage.
- Develop or enhance the response plan if (or more likely when) disaster occurs.
2. Protect Customer and Proprietary Data
If your company shares data with third parties across any external portal, it is at risk for theft of that information.
- Identify all third parties (and their vulnerabilities).
- Clarify the data that must be shared and eliminate sharing unnecessary information.
- Establish controls between your company and the third-party company to isolate those procedures from the rest of the business.
3. Detect Intrusions Through Mobile Devices
You and your employees likely access company data through mobile devices. Those devices are often the easiest entry point into corporate databases.
- Identify all devices that touch the corporation and those with access to them.
- Clarify the security controls on each device: passwords, encryption, or other safeguards.
- Ensure the ability to wipe those devices clean remotely so your company retains control over their contents.
- Clarify the authority of device users to access enterprise data.
4. Use Multiple Layers of Protection
Consider taking a layered approach, also known as multi-level security or Defense in Depth (DiD). Layered security involves setting up multiple defensive mechanisms so that if one fails, another steps up immediately to thwart an attack.
- Deploy firewalls and intrusion protection systems on your network.
- Set up antivirus software.
- Use a data integrity solution to scan incoming data.
- Leverage behavioral analysis to send alerts and execute automatic controls when other controls fail.
5. Secure Your Wi-Fi
An unsecured Wi-Fi network can open your network to anyone, including hackers.
- Rotate your Wi-Fi passwords to keep your network safe.
- Use separate guest and corporate networks.
- Limit guest network session lengths.
6. Respond to the Crisis
This is easier when a system-wide response plan is in place.
- Identify indispensable system elements.
- Ensure passwords and other protections are secure and up to date.
- Review anti-malware software to confirm it is current and receiving updates.
- Ensure backups are scheduled and followed.
7. Recover Lost or Stolen Assets
Loss of vital company data or assets can put the business out of business.
- Ensure backup access is available.
- Ensure redundancies are current.
- Evaluate the entire recovery process. Once successful, hackers often return through the same paths to hack again.
8. Update Policies Regularly
Make sure your security policies and cybersecurity training curriculum are relevant and updated frequently.
- Constantly keep up with the latest IT security trends.
- Require IT staff to earn cybersecurity certifications.
- Host regular cybersecurity awareness training sessions.
9. Maintain a Strong Password Policy
Set stringent criteria for employee and company passwords to prevent unwanted access.
- Implement multi-factor authentication for extra account protection.
- Require password changes when data breaches occur.
- Require employees to use different passwords for each one of their accounts.
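The three password-policy items above can be checked mechanically. The following is an added example (not code from the original article or from SugarShot) that audits a constructed list of account records for missing multi-factor authentication, passwords reused across a user's accounts, and passwords whose fingerprint appears in a known-breach list. The account records, the breach list, and the finding labels are all assumptions constructed for the example; the SHA-1 digest is used only as a lookup key against the breach list, the way public breach-check services index their data, not as a way to store passwords.

```python
"""Added example: a password-policy audit over constructed account data.

Checks the three policy items above:
  * every account must have MFA enabled,
  * one user must not reuse a password across several accounts,
  * any password found in a known-breach list must be rotated.

All account records and the breach list below are constructed sample
data, not real credentials or a real breach corpus.
"""
import hashlib
from collections import defaultdict

# Constructed breach list: SHA-1 hex digests of passwords assumed to have
# appeared in a public data breach. A real audit would query a breach-
# notification service for these digests instead (assumption).
BREACHED_SHA1 = {
    hashlib.sha1(b"Summer2019!").hexdigest(),
    hashlib.sha1(b"password123").hexdigest(),
}

# Constructed sample accounts. Plain-text passwords appear here only so the
# example runs offline; a real audit would start from stored hashes, and
# stored hashes would use a slow password hash, not SHA-1.
ACCOUNTS = [
    {"user": "alice", "system": "email",   "password": "c0rrect-h0rse-b@ttery", "mfa": True},
    {"user": "alice", "system": "vpn",     "password": "c0rrect-h0rse-b@ttery", "mfa": True},
    {"user": "bob",   "system": "email",   "password": "Summer2019!",           "mfa": False},
    {"user": "bob",   "system": "payroll", "password": "unique-payroll-phrase", "mfa": True},
]


def sha1_hex(password: str) -> str:
    """Fingerprint a password for breach-list lookup and reuse comparison.

    SHA-1 is used here only as a lookup key; it is not a password-storage hash.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_accounts(accounts, breached=BREACHED_SHA1):
    """Return (user, system, finding) tuples for every policy violation found.

    Finding labels ('mfa-missing', 'rotate-breached-password',
    'password-reused') are names chosen for this example.
    """
    findings = []

    # Map (user, password digest) -> systems where that password is used, so
    # reuse of one password across a user's accounts can be detected.
    usage = defaultdict(list)
    for acct in accounts:
        usage[(acct["user"], sha1_hex(acct["password"]))].append(acct["system"])

    for acct in accounts:
        user, system = acct["user"], acct["system"]
        digest = sha1_hex(acct["password"])
        if not acct["mfa"]:
            findings.append((user, system, "mfa-missing"))
        if digest in breached:
            findings.append((user, system, "rotate-breached-password"))
        if len(usage[(user, digest)]) > 1:
            findings.append((user, system, "password-reused"))
    return findings


if __name__ == "__main__":
    for user, system, finding in audit_accounts(ACCOUNTS):
        print(f"{user:6} {system:8} {finding}")
```

Running the block reports alice's shared email/VPN password as reused and flags bob's email account twice, once for missing MFA and once because its password is on the breach list; bob's payroll account passes all three checks. Comparing digests rather than plain text lets the same audit run over exported password hashes without ever handling the passwords themselves.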
10. Hold Employees Accountable
If you have provided your employees with a multitude of security policies and training, then you should be able to hold them accountable.
- Expect your employees to use the knowledge they are provided.
- Test your team on their knowledge after a training session.
- Require employee signatures when implementing new policies.
Need Help Implementing Your Small Business Cyber Security Checklist?
Security is no longer a nice-to-have. It’s a requirement for every business, no matter how large or small.
If you don’t have the internal resources to implement security policies, it may be time to consider outsourcing these services to a professional.
At SugarShot, we understand that virtually every company will end up experiencing some sort of security disaster over its lifespan. That’s why we integrate cybersecurity into every aspect of our IT services. We’re passionate about providing small businesses with the holistic threat management and security planning they need to feel peace of mind.