A Cybersecurity Checklist for Your Small- to Medium-Sized Business

March 3, 2020
Hosting, IT and Security
9 min read
Cyber Security Checklist

In the world of digital business, there is no safety in being a small organization when it comes to online threats. In fact, small- to medium-sized companies are often more likely to be targeted by hackers precisely because they are easier to compromise, and the root cause is usually a lack of knowledge and preparation. Read on to learn how you can get started with this cybersecurity checklist.

It can be costly to resolve the repercussions of a successful attack; getting the organization’s computers unlocked after a lockdown can cost up to US$148,000, a number high enough to severely damage revenues. Additionally, even when the ransom is paid or the breach corrected, there is the issue of a severely damaged reputation from potentially compromised customer data.

Read: The Very Expensive Truth About Downtime

Get Started with Securing Your Small to Medium Business

Although it’s challenging to be completely bulletproof, doing your research is an excellent place to start. We put together a cybersecurity checklist of actions you can take now to get a jump start on protecting yourself from cybercrimes.

  1. Keep Backups
    First things first: keep backups of your systems and update them regularly. Skipping this precaution leaves you without options if disaster strikes and hackers gain access to your computers. The most common reason for cyber-criminals to lock down your computers is to extort ransom money in exchange for returning access to your unharmed data and machines. You can actively mitigate this threat by keeping backups of all of your systems in a safe, isolated location that an intruder on your network cannot reach, and by testing that they actually restore; restoring from your own backups is safer and less expensive than paying the ransom.
  2. Educate Your Employees About Cyber Security Threats
    Business owners can have the most rigorously protected software system, yet if an employee unknowingly invites a hacker in through the front door, it makes no difference how meticulously you lock the doors at night. Educating your employees on a few critical everyday cybersecurity subjects goes a long way toward protecting your systems from unwanted intrusions. Here are a few examples of the most prevalent threats involving your employees.

    Phishing – Phishing is most commonly known from emails or text messages with malicious attachments or links that lead the victim to a website made to look like the legitimate one. Often this site asks for confidential information such as social security numbers or credit card details. Over time, phishing has become incredibly sophisticated and is now often a uniquely designed ruse based on meticulous research about your employees and your business. Teach your employees how to read a URL (in particular, which part of the address decides where they actually end up) and to be naturally suspicious of all internet sources. Add some practical tips on how to verify email senders, and you are off to a good start. Learn more about ransomware and how to prevent a ransomware attack in this blog post.
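    The following script is an added teaching aid for the "how to read a URL" advice above; it is not from the original post or from Tigunia. It flags the common tricks a phishing link relies on so an employee can see why an address looks wrong. The trusted domains and sample URLs are constructed for illustration, and the registrable-domain logic is a simplification (it takes the rightmost two labels rather than consulting the Public Suffix List).

```python
"""Flag suspicious features of a URL for security-awareness training.

Added example, not part of the original post. TRUSTED_DOMAINS and all
sample URLs are constructed placeholders.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: the sites this (hypothetical) company actually logs into.
TRUSTED_DOMAINS = {"examplebank.com", "ourcompany.com"}


def registrable_domain(host: str) -> str:
    """Rightmost two labels of the host name.

    Simplification: a production check uses the Public Suffix List so that
    names under suffixes such as 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url: str) -> list:
    """Return human-readable warnings; an empty list means nothing looked off."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []

    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # 'https://examplebank.com@evil.example/' actually goes to evil.example:
        # everything before '@' is a user name, not the site.
        warnings.append("username before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) label; may be a lookalike")
    if host and registrable_domain(host) not in TRUSTED_DOMAINS:
        # Only the registrable domain decides where the browser lands; a trusted
        # brand name placed elsewhere in the host is the classic ruse.
        for brand in TRUSTED_DOMAINS:
            word = brand.split(".")[0]
            if word in host:
                warnings.append(
                    f"'{word}' appears in the host but the site is {registrable_domain(host)}")
                break
    return warnings
```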

    Installation of Unauthorized Software – On average, one out of four employees has installed unapproved software on their corporate computer without knowing the risks it brings to your organization. It takes just one download of a small third-party application and one grant of administrative access (clicking “yes” to run the installer) for malware to be inside your system. In other words, if an employee downloads a piece of software without checking its source, or whether the software is approved for business use at all, it can very quickly cause significant damage to your organization.

    Mitigate this problem by making your employees aware of the threats posed by running an unauthorized installer, or better yet, revoke administrative rights for most employees on your corporate devices so that installing software requires an administrator.

    Weak Passwords – Weak or default passwords have been a security concern since the very beginning of computing, but remain as crucial as ever to address. As the list of services requiring a login grows longer and longer, it becomes harder to remember all the credentials, which increases the temptation to reuse passwords or leave defaults in place. Mark Zuckerberg, the owner of Facebook, was hacked in 2016, revealing his insecure password “dadada” to the world, which highlights how anyone can succumb to this unfortunate practice.

    You can reduce the risk of your employees using weak passwords by setting up policies that require them to choose strong, unique passwords. Additionally, employees should never be given access to admin accounts or share passwords between them. A useful trick is to roll out a password manager for the organization, so your employees no longer need to rely on memory for complicated passwords.

  3. Limit Access to the Internet
    Hackers typically reach your software remotely, through an internet connection, which makes every device with internet access a liability. By denying some hardware internet access, you minimize the chance of an employee unknowingly letting in malware. So consider which devices don’t actually need access to the web and block that access.
  4. Add a Layer of Multifactor Authentication When Possible
    You know multifactor authentication from logging into your Google account or withdrawing money from an ATM. You must present multiple pieces of evidence to an authentication mechanism, drawn from three categories: knowledge (something you know, such as a password), possession of an item (something you have, such as a phone or card), or inherence (something you are, such as a fingerprint). Incorporating multifactor authentication into your corporate software can prevent the worst from happening in the event passwords are stolen; with multifactor, hackers are not granted access unless they also possess the additional factors, which is far less likely.
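    To make the "possession" factor concrete, here is an added example (not from the original post or from Tigunia) of how a server verifies the six-digit codes produced by an authenticator app: the code is an HMAC over the current 30-second time step, keyed with a secret that only the user's phone and the server share. The secret used below is the public RFC 6238 test vector, not a real key; a real deployment provisions a random secret per user and rate-limits failed attempts.

```python
"""Time-based one-time password (TOTP, RFC 6238) verification.

Added example, not part of the original post. SECRET is the published
RFC 6238 test-vector key, used here only so the outputs are checkable.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # how long each code is valid
DIGITS = 6          # authenticator apps show six digits
SECRET = b"12345678901234567890"  # RFC 6238 test vector, not a real key


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (often via QR code)."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: truncated HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """The counter is simply the number of whole time steps since the epoch."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int = None, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift.

    compare_digest keeps the comparison constant-time.
    """
    at = int(time.time()) if at is None else at
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False
```

A phished password alone is useless to an attacker here because the server also demands the current code, which only the device holding the secret can compute.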
  5. Install a Proper Firewall
    Adding a firewall to your online protection is vital. A firewall filters network traffic based on rules such as source and destination IP address, port and protocol. It essentially limits access to your business from the outside and controls what data is allowed in and out of your systems. A firewall is a versatile tool and will secure your database as well as your server. Configure it so that your public website is reachable by everyone except IP addresses you have explicitly blocked, and do the opposite for your database and server: deny everything by default and allow only the few addresses that legitimately need access. Moreover, modern-day firewalls can detect and block malicious network requests and viruses spread through email, so it is worth the investment.
  6. Regularly Update and Patch Apps
    Not updating or patching your apps and computers is like leaving the front door wide open to cyberattacks. Microsoft and Apple only patch and update their own OS and applications, leaving all third-party applications insecure unless they are taken care of manually. Although some apps, like Adobe or Flash, update themselves, many do not. Manually checking and updating apps is tedious and slow, so the best recommendation is to find and use available patch-management software to do the job for you.
  7. Have Clear Termination Policies
    People can be an asset in maintaining effective security, but they can also pose a threat to it, particularly when you terminate an employee. Having a strategy in place for when this happens enables you to respond immediately and protects data security and confidentiality. It is vital to revoke the employee’s access to business systems and email, and to retrieve any hardware or software the employee had at home. As a follow-up, verify the retrieval with an exit briefing where you discuss security and confidentiality concerns.
  8. Install Antivirus on All Devices
    Installing antivirus software will stop known viruses from infecting your network, making it a necessary item to check off on this list. Don’t omit the company’s mobile devices, which are increasingly becoming the target of choice for penetrating your security systems.
  9. Set Up an Email Security Gateway
    An email security gateway is effectively a firewall for your email. It scans inbound and outbound messages for malicious content and can block senders or prevent emails carrying malware from reaching the intended recipient. Protecting your email is especially relevant because it is still the number one method of communication for most organizations, and therefore also the number one choice of attack for cybercriminals.
  10. Set Up a VPN
    A virtual private network creates a secure connection between computers and networks and encrypts all data sent across it. With the proliferation of BYOD (bring your own device) at many workplaces, it is an essential tool for when employees take their work elsewhere, outside the protected network at your office. A VPN essentially ensures that anyone who gains access to the same network as your computer (public Wi-Fi, for instance) cannot read the information sent to and from your device.
  11. Run a Vulnerability Scanner to Check System Vulnerabilities
    A vulnerability scanner is a piece of software you run against your systems to identify weaknesses. Testing your software environment is an effective way to make sure you don’t have unidentified unpatched applications or outdated security protocols compromising your systems. Keep in mind that hackers often use the same vulnerability scanning tools as many organizations, which underlines the importance of running the scanner regularly to stay one step ahead of someone waiting to take advantage of your compromised system.
    Vulnerability scans can be quite pricey for a small or medium-sized company, but as with everything in business security, Tigunia can help you select and run the right ones.

    Do You Know About the Bluekeep Vulnerabilities and Seven Monkey’s Patches?

  12. Have a Plan Ready
    Lastly, but most importantly: have a plan prepared for the case that your business does get hacked. If your data is breached, it is critical to recover it as quickly as possible, and having a recovery plan ready makes the process smoother and less expensive.

Does This Cybersecurity Checklist Feel Overwhelming?

Going through these steps is a solid start on the road to reducing your risk of an expensive and potentially damaging cybercrime. If you read through this post feeling a little overwhelmed, you are not the only one. Our best advice: hire someone to do the job for you rather than choosing to do nothing at all. In the long run, the money you spend on preparation and protection is peanuts compared to what you’ll pay if disaster strikes.

At Tigunia, we offer right-fit technology for every sized business and our team of experts can help you build an effective data security program and maintain it, so you never have to worry about the safety of your information, your customers, or your bottom line.