A small business cybersecurity checklist can be just the tool needed to get a fledgling cybersecurity program off the ground:Sarah is the CEO of a small and growing company appropriately named Sarah’s SaaS Startup. Her company has 15 employees, one of whom recently clicked on a phishing link and had one of their accounts compromised. While they were able to quickly reset the password and limit any damage, the close call has Sarah thinking it’s time to start doing something about cybersecurity. But where should she start?
A checklist with proper instructions for starting a small business cybersecurity program for a small business would be a great asset in helping Sarah’s SaaS Startup – or any SMB – start protecting themselves from cyber threats.
What is a cybersecurity checklist?
A cybersecurity checklist is a tool to help organizations plan or execute their cybersecurity programs. They can be used to track progress toward the implementation of a new control or be used periodically to ensure all controls are being regularly practiced such as quarterly access control reviews or semi-annual internal audits.
We (Fractional CISO) have provided an example cybersecurity checklist below!
Why do SMBs need a cybersecurity plan?
Cybersecurity plans help SMBs protect themselves from cybersecurity attacks, which are becoming more common as cybercriminals increasingly target them. SMBs are particularly vulnerable to cyber attacks, since they don’t often have the resources to recover from serious attacks. Some SMBs have even been forced to close as a result of major attacks such as ransomware.
In 2019, a small doctor’s office in Michigan shut down after a ransomware attack led to them losing all of their medical records. They refused to pay the ransom and, being close to retirement age, chose to close down for good .
Later that year, an Arkansas-based call center was forced to lay off 300 employees after a ransomware attack shut down all of their operations . They tried to recover their services but were unable to do so for over two months before being forced to close.
While these are obviously worst-case scenarios, they show the very significant threat that cyber attacks pose to small and midsize businesses. Even if a cyber attack doesn’t force an organization to close, it can cause tens or hundreds of thousands of dollars in damages!
It is important for SMBs to take cybersecurity seriously. Thankfully, there is a lot even the smallest organizations can do to protect themselves.
First, understand the common threats at play. Second, build a cybersecurity program to address them.
Cybersecurity Checklist Download
The most common cyber threats to SMBs.
There are a number of common threats SMBs will face. They are discussed here in the order of importance we believe they carry.
Phishing
Phishing is when a threat actor sends an innocuous-looking email containing a malicious link meant to distribute malware or steal login credentials. Phishing is one of the oldest attacks in the book, but it is still frighteningly effective – it is the single most common successful cyber attack.
There are several alternative forms of phishing too. “Smishing” (SMS phishing) is the use of malicious text messages in the same way. “Vishing” (voice phishing) uses phone calls.
There are two great defenses against phishing attacks.
1. Cybersecurity Awareness Training
Phishing attacks work by tricking employees into clicking on links they should not. High-quality cybersecurity awareness training will train employees to not click that link!
2. Email Protection
Ideally, phishing emails can be caught before they’re delivered to users in the first place. In our experience, Gmail provides decent email protection by default. Microsoft Office 365 does not and should be supplemented with either a high-end license with enhanced protections or the use of an external email protection tool (such as Mimecast, Proofpoint, GreatHorn, and others).
Ransomware
Ransomware has been responsible for most of the cybersecurity-related headlines over the last couple of years, and for good reason! Ransomware attacks are hugely damaging and disruptive incidents, capable of putting a massive organization’s operations on complete freeze while they scramble to recover their systems. They can cause millions upon millions of dollars in damages.
The two primary controls SMBs can use in a ransomware defense strategy and they are as follows: 1. Having good backups
2. Practice restoring them.
Credential Stuffing
Credential stuffing is an easy, low-effort cyber attack that even inexperienced bad guys can attempt. The threat actor takes a bunch of credentials leaked from one cybersecurity breach and tries them on other accounts. This is often effective because so many users reuse the same username and password for many accounts. This happened on a large scale to Disney+ subscribers in 2019.
Thankfully, it’s also easily preventable for all businesses! Introducing a strong password policy that disallows users from reusing the same password for any account can stop this attack from ever being effective. Implementation of the policy is best supported through a password manager.
Unpatched Systems
Nearly every single patch released by a software or system vendor closes at least a couple of security vulnerabilities. Sometimes, those vulnerabilities are being actively exploited by attackers. When a patch is released, it’s very important to update each system promptly. Leaving systems unpatched leaves an SMB exposed to completely unnecessary risk.
The best way to combat this is to get into the practice of patch management ! Establish some procedures for regularly checking for updates and patching all systems.
Social Engineering
Social engineering is an attack in which the attacker tricks a victim into divulging information or performing their desired action. Phishing is a type of social engineering attack, but social engineering in the context of cybersecurity is often used to refer to attacks in which the bad guy convinces an employee to pay a fake (or real) invoice to their account.
Beyond cybersecurity awareness training, good processes around double-checking invoice/banking/routing number changes from vendors will help prevent these attacks from working.
Security Misconfigurations
Cybersecurity tools can’t do their jobs if they aren’t configured properly! Common software all businesses use, such as Microsoft 365 and Google Workspace, have many settings that can be used to improve the security of accounts and files within them. Unfortunately, the default settings tend to be for “less secure” rather than “more secure.”
It’s important to ensure that all major systems have their security settings configured in a way that aligns with an organization’s risk model. We have published guides for configuring both Google Workspace and Microsoft 365 ’s security settings.
Unsecured Devices
Every device that accesses an organization’s resources is a potential attack vector for the bad guys. This goes for both company and employee-owned laptops and cell phones. Whether an organization provides devices or operates with a Bring-Your-Own-Device (BYOD) model, there need to be rules set to restrict access to machines where work is performed.
Company-issued devices are best managed with a Mobile Device Management (MDM) tool. Employee-provided devices need to be governed by a BYOD policy.
How to start an effective cybersecurity program for your small business: 3 (big) Steps
Every organization should have a cybersecurity program, but it is challenging to know where to start. In our experience, following these steps will lead to any business having a simple, functional cybersecurity program. They are available as a downloadable cybersecurity checklist at the end of the article.
1. Assemble the Team.
The first step is to assemble the cybersecurity team. These individuals don’t have to know anything about security to get started! An effective team will have these three individuals.
Executive Sponsor
The executive sponsor is the single most important team member. The program is far less likely to succeed if there is no executive sponsor. This person should be a high-ranking individual (ideally someone with a “C” or “VP” in their title) who will ‘own’ the program and ensure there is broad organizational support behind it.
They do not have to know anything about security. They only need to put their weight behind the program to ensure all departments and all employees in the organization will get behind it.
For the example of Sarah’s SaaS Startup, Sarah herself should be the executive sponsor!
Project Manager
The project manager can have almost any title and be from any department as long as they have excellent organizational and communication skills. They also don’t have to know anything about security. Their role is to line up resources and coordinate communication within the organization to ensure everybody has what they need to get cybersecurity tasks done.
This person could have any number of titles: administrative assistant, office manager, and of course, project manager!
Sarah appoints John, her administrative assistant, to be the project manager. He is well-organized, disciplined, and has a good working relationship with everybody at the company.
Technical Lead
The last role is the technical lead. This person also doesn’t have to know anything about cybersecurity – to start. They do need to have a strong technical background and be willing to learn. They will be responsible for the implementation of technical security controls.
Common titles that would succeed as the technical lead include CTO, IT Director, and VP of Software Engineering, but there are many more!
Sarah picks Ben for the role of technical lead. He is the company’s CTO and has the most knowledge about both the company’s products and IT systems.
2. Start meeting weekly.
Another meeting? Yes, absolutely!
The cybersecurity team must meet weekly to keep the urgency high and help get the program off the ground. If meetings are less frequent, it can be difficult to keep the drive towards success high as other tasks will take priority in the cybersecurity team’s minds.
Early meetings should focus on implementing the three universal cybersecurity controls.
Once the program is operational and meeting agendas become light, the frequency can be reduced to once every other week. Go back to once weekly as needed for big pushes (such as a complex new control, new tool implementation, or starting a compliance program).
Sarah puts a 45-minute recurring weekly meeting for Tuesday mornings on the cybersecurity team’s calendar.
3. Implement the three universal cybersecurity controls.
While we here at Fractional CISO love to say “there is no one-size-fits-all solution in cybersecurity” it’s not the whole truth. There are three must-have cybersecurity controls that every organization of every size, even sole proprietorships, should have.
1. Multi-factor Authentication
Multi-factor authentication (MFA, sometimes known as two-factor authentication or 2FA) prompts users to enter a one-time code when logging in. It can help protect accounts from being compromised even if a password is stolen. MFA should be enabled for all Internet-facing tools and administrator accounts.
2. Cybersecurity Training
As previously stated, phishing is still an incredibly prevalent cyber attack. Cybersecurity training is essential for training all employees to recognize and report common cyber attacks such as phishing.
3. Patch Management
Every system and software has vulnerabilities that are constantly being discovered, exploited, and patched. It is important to get into the regular habit of patch management. Allowing already-known and fixed vulnerabilities to exist in an organization’s network is self-own. It is important to get into the practice of regular updates to ensure nothing can be easily attacked through known exploits.
Cybersecurity Checklist Download
Conclusion
It takes about three months, but by taking one step at a time Sarah, John, and Ben are able to roll out all of these new practices into the company.