What is a Good Small Business Cybersecurity Plan?
Small Business Cybersecurity Topics
Here are the next steps to a good small business cybersecurity plan:
2. Develop a Bring Your Own Device (BYOD) policy.
- Define the minimum security controls and software required for safe operation (for example: disk encryption, screen lock, current OS patches and endpoint protection).
- Establish controls for application access and installations.
- Require endpoint management agents to be installed on personal devices.
- Develop, refine or verify your offboarding policy for employees who leave the company, including how company data is removed from their personal devices. Think through file storage, email, collaboration tools, etc.
3. Educate your employees and reduce credential exposure.
Enforce strong password policies. If your systems have weak or dated password rules, strengthen them: require long passphrases, block known-breached passwords, and rate-limit or lock out repeated failed logins. Current guidance (NIST SP 800-63B) favors changing a password when there is evidence of compromise rather than on a fixed schedule; if a regulation or client contract requires periodic changes for highly sensitive information, put those rules and systems in place.
Use a password manager. Implement a password manager for all members of staff so they can use long, unique passwords on every account without needing to remember them.
Enable two-factor authentication on as many applications and accounts as possible. Microsoft 365 and other business accounts can require a second factor, typically a code or prompt delivered to a device in the user's possession, before a login completes. Prefer an authenticator app or a hardware security key (FIDO2) over SMS codes, which can be intercepted through SIM swapping, and train staff to treat an approval prompt they did not initiate as a sign their password has been stolen.
Educate employees with simulated phishing emails and security awareness training. We can't emphasize this step enough. Studies commonly attribute the large majority of data breaches (one widely cited figure is 88 percent) at least partly to human error. If properly trained to recognize risks, employees are your company's first line of defense against cyberattacks.
Put your policies in writing. Give your employees reference materials appropriate to their job responsibilities. In other words, explain the topics in greater detail when communicating with your IT staff than when addressing marketing or accounting personnel. This documentation should clearly explain the various threats and cover risk avoidance strategies when an intrusion is suspected. State who they should contact and display that information prominently.
Deliver short training modules regularly to increase retention. Some studies suggest that humans forget approximately 50 percent of new information within an hour of learning it! Consciously reviewing new information helps fight the “forgetting curve,” so opt for ongoing training modules instead of annual brushups. For instance, ransomware attacks in the news might spur a brief video explaining how that particular threat works and what they can do to dodge the risk.
4. Look for and defend against insider threats.
- Restrict privileged access to only the personnel who absolutely need it, and have administrators use separate admin accounts for administrative tasks.
- Remove or adjust access promptly when employees change roles or leave the company, and review access lists on a schedule.
- Monitor logins and directory access for atypical behavior: sign-ins at unusual hours or from new locations, logins by accounts that should have been disabled, or bulk document access.
- Monitor for rogue network devices.
- Enact network and file segmentation so that access is limited by job, location and/or need.
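The monitoring items above are easier to act on with a concrete detector. The script below is an added example, not code from the original article or from any product: it parses a constructed sign-in and file-access log, builds a per-user baseline of known source IPs from the earlier days, and then flags logins from a new IP, logins outside business hours, logins by an account on a constructed offboarded list, and bulk file access within a short window. The log format, user names, IP addresses, thresholds and business hours are all assumptions for illustration; adapt the parser to whatever your identity provider actually exports.

```python
"""Flag atypical sign-in and file-access events in a small activity log.

Added example (not from the original article). Log format, users, IPs,
the offboarded-user list and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, source IP, action, target.
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice 203.0.113.10 login ok
2024-03-04T09:15:40 alice 203.0.113.10 open finance/Q1-forecast.xlsx
2024-03-04T10:05:03 bob 203.0.113.22 login ok
2024-03-04T10:06:12 bob 203.0.113.22 open hr/handbook.pdf
2024-03-05T08:58:30 alice 203.0.113.10 login ok
2024-03-05T13:20:00 bob 203.0.113.22 login ok
2024-03-06T02:41:09 alice 198.51.100.77 login ok
2024-03-06T02:42:00 alice 198.51.100.77 open finance/Q1-forecast.xlsx
2024-03-06T02:42:30 alice 198.51.100.77 open finance/payroll.csv
2024-03-06T02:43:00 alice 198.51.100.77 open finance/vendors.xlsx
2024-03-06T02:43:30 alice 198.51.100.77 open finance/bank-details.xlsx
2024-03-06T02:44:00 alice 198.51.100.77 open hr/salaries.xlsx
2024-03-06T02:44:30 alice 198.51.100.77 open hr/contracts.zip
2024-03-06T11:00:00 carol 203.0.113.40 login ok
"""

# Accounts HR reports as departed (constructed); any successful login is a
# finding because it means offboarding did not disable the account.
OFFBOARDED = {"carol"}

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumption)
BULK_ACCESS_THRESHOLD = 5       # distinct files opened within one window
BULK_ACCESS_WINDOW_MIN = 10


def parse(log_text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, target = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action, "target": target})
    return events


def build_baseline(events, before):
    """Per-user set of source IPs seen in successful logins before the cut-off."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < before and e["action"] == "login" and e["target"] == "ok":
            seen[e["user"]].add(e["ip"])
    return seen


def detect(events, baseline_until):
    """Return sorted (timestamp, user, reason) findings for events after the cut-off."""
    cutoff = datetime.fromisoformat(baseline_until)
    baseline = build_baseline(events, cutoff)
    findings = []
    opens = defaultdict(list)  # user -> [(ts, file)]
    for e in events:
        stamp = e["ts"].isoformat()
        if e["action"] == "login" and e["target"] == "ok":
            if e["user"] in OFFBOARDED:
                findings.append((stamp, e["user"], "login by offboarded account"))
            if e["ts"] >= cutoff:
                if e["ip"] not in baseline[e["user"]]:
                    findings.append((stamp, e["user"], f"login from new IP {e['ip']}"))
                if e["ts"].hour not in BUSINESS_HOURS:
                    findings.append((stamp, e["user"], "login outside business hours"))
        elif e["action"] == "open":
            opens[e["user"]].append((e["ts"], e["target"]))
    # Bulk access: a sliding window over each user's file opens; report the
    # first window that reaches the threshold.
    for user, items in opens.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            window = {f for t, f in items[i:]
                      if (t - t0).total_seconds() <= BULK_ACCESS_WINDOW_MIN * 60}
            if len(window) >= BULK_ACCESS_THRESHOLD:
                findings.append((t0.isoformat(), user,
                                 f"{len(window)} distinct files opened within {BULK_ACCESS_WINDOW_MIN} min"))
                break
    return sorted(findings)


def run_sample():
    """Baseline on the first two days, evaluate everything from 2024-03-06 on."""
    return detect(parse(SAMPLE_LOG), "2024-03-06T00:00:00")


if __name__ == "__main__":
    for ts, user, reason in run_sample():
        print(f"{ts}  {user:<6} {reason}")
```

On the constructed log this yields five findings: alice's 02:41 login from a new IP and outside business hours, her six files opened within ten minutes right after it, and carol's login both as an offboarded account and from an IP with no baseline. Bob, whose activity matches his baseline, produces nothing. In practice the baseline window should be weeks rather than days, and the offboarded list should come straight from HR's leaver records so the detector catches accounts that were never disabled.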
5. Create an incident-response plan.
Define responsibilities. Identify critical network and data resources and how to recover them. Define who’s responsible for neutralizing threats, implementing business continuity measures and restoring normal operations. Be sure to include audits, breach assessments, etc., in those plans, which may involve coordination with outside specialists. (Sometimes, these specialists are covered in your cyber insurance policies.) And be sure to plan for communications while you’re at it (see below).
Develop a business continuity plan. How will operations continue in the event of an attack? Ideally, you can tackle business continuity needs for outages caused by weather, construction and other events (like a pandemic) at the same time.
Establish internal and external communication plans. Determine who will inform and update executives and internal stakeholders during a cyberattack. Plan for external communications during and after an attack in case customers or suppliers cannot reach your systems. Find out in advance which disclosure rules apply if sensitive or personally identifiable information is breached (for example, state breach-notification laws, or the GDPR's 72-hour deadline for notifying the supervisory authority if you process EU residents' data), because notification clocks start at discovery.