Your Small Business Cybersecurity Checklist

It’s National Cybersecurity Awareness Month and, sadly, entrepreneurs are particularly vulnerable; 58% of all data breach victims are small businesses, which is a scary prospect at an average cost of $120K.

Would a cybersecurity attack be the cherry on top of a long and complicated year? Let’s make sure that doesn’t happen.

Assess your risk

Lots of us feel that we might be safe from cybersecurity attacks because we’re small businesses—who would target us?—but the truth is that these attacks are often automated and indiscriminate, and will target vulnerabilities in computer systems regardless of whether they’re a huge Fortune 500, a mom-and-pop outfit, or a work-from-home office freelancer.

Assessing your risk might look like oversight of every company asset and how it’s secured. It could be an in-depth look at how you store and move data in your network. It could be a bigger process that looks at industry-wide crime trends and training deficits within your employees. Find a process that works best for you where you are now, that could scale with you in the next year.

Use Good Cybersecurity Hygiene

It’s easy to approach cybersecurity with a credit card for the all latest tech and a prayer. In reality, good cybersecurity hygiene starts with a plan and protocols from you and whoever manages your computer systems and having clearly established security roles and responsibilities.

Here are some basic principles of cybersecurity. Ensure you’re well briefed on how they work in your organization in case your IT or systems manager departs without warning.

1. Limit what employees can install on their work computers
2. Install robust cybersecurity and network security
3. Back up your important data to the cloud
4. Secure your Wi-Fi networks
5. Regularly update your software and operating systems
6. Keep physical devices safe from theft

Keep a running best practice worksheet for employees

In a Keepnet Labs study, 1 out of 2 employees would open and read a phishing email, 1 out of 3 would click a link or open an attachment in a phishing email, and 1 out of 8 employees would actually share sensitive information requested in a phishing email. It’s a chilling reminder of both how threats that might seem obvious to us aren’t obvious to everyone and how advanced and convincing some scams are becoming. Equip your employees with a cybersecurity checklist.

1. A list of what to look out for in phishing emails
2. How to keep their corporate credit card safe when making online purchases
3. Securing their company mobile devices so that information is encrypted
4. Instructions for setting up two-factor authentication in your systems, and tips for creating a strong password
5. A list of good browsing practices
6. Advice for how to physically secure their work phone or laptop, and what to do if they’re lost or stolen

Keep customer data safe

A customer data breach is a scary prospect. According to Capterra, “Nearly 60% of small businesses close their doors within six months of a data breach, and that’s after they’ve spent those long months losing money, suffering through lengthy litigation, enduring brand and reputation dismemberment, and dealing with angry customers.”

Tighten up your internal systems

1. Make sure that you strictly limit who can access and amend customer data internally. Data loss prevention software can help identify what’s sensitive and manage who can access it
2. Have everybody in your organization do full data security training, even those who don’t manage customer data
3. Make sure your system’s manager can remotely wipe the data of stolen devices
4. Look into data breach insurance if you’re processing a lot of customer data each day

Keep your website up to date

If you process transactions or collect user information of any kind, nefarious actors will be interested in stealing data for any number of hacks; ransomware, gibberish hack, cloaked malicious code, or denial of service.

Lucy Carney from WebsiteBuilderExpert, suggests taking the following steps to protect yourself and the people who use your site.

1. Install SSL
   An SSL (Secure Sockets Layer) certificate encrypts information passing between your website and your visitors.
2. Use anti-malware software
   Malware is a term for malicious software designed to harm or exploit your service or network. Anti-malware software can detect and remove it.
3. Keep your website up to date
   Most website builders will handle updates for you, but if you’re using a platform like WordPress, which runs with many plugins, you need to be on top of them. Any add-ons you use can quickly become outdated and vulnerable to bugs, glitches, or hackers.
4. Manually accept on-site comments
   Bots may be able to post malicious links in your blog post comments that will leave your visitors vulnerable. Make sure that nothing goes live on your site without you checking it first.
5. Run regular backups
   A backup is essentially a copy of your website data in case the worst happens. You can use backup services, like CodeGuard, or you can do it directly through your website hosting.

If you’ve been compromised

Your first stop, as with any crime, is informing your local law enforcement or attorney general (as appropriate) and following their instructions. They might direct you to one of the following resources.

• You can report stolen finances or identities and other cybercrimes to the Internet Crime Complaint Center
• You can report fraud to the Federal Trade Commission
• Report computer or network vulnerabilities to US-CERT

The FCC’s Cybersecurity Hub has more information, including links to free and low-cost security tools, including a cybersecurity planning guide.

The government’s cybersecurity and infrastructure security agency is also running a Stop.Think.Connect—campaign, which offers information and toolkits to prevent attacks.