The Small Business Cybersecurity Audit Checklist

As a small business owner, you might assume you're not a target for cyber criminals. You may think that hacking scandals are the stuff of major news headlines — a threat for only large corporations. However, the issue of cybersecurity affects companies of all sizes, including smaller organizations.

In fact, according to the 2019 Data Breach Investigations Report by Verizon, 43 percent of breaches involved small businesses. Many cyber attackers know that smaller organizations may lack the budget or technical skill to properly protect themselves. This makes them an easier, and more appealing, target than those with robust security measures in place.

The reality is that even a one- or two-person business has the same ethical responsibility to protect client data as a Fortune 100 firm does. But it's not always easy to know if your data handling processes are secure. Let's go through our cybersecurity checklist to see how your business stacks up.

The Cybersecurity Audit Checklist

  1. Run operating system and software updates regularly.
  2. Practice routine website maintenance.
  3. Make sure your network is secure.
  4. Make backing up your data a top priority.
  5. Make sure all customer data is encrypted.
  6. Practice good password management.
  7. Use multi-factor authentication for critical data.
  8. Be aware of phishing scams.
  9. Collect and share only what you need.
  10. Run tests for vulnerabilities.

1. Run operating system and software updates regularly.

We're all guilty of hitting the "remind me later" button for our system updates. However, it's important to run those updates regularly. Operating system and software updates include critical patches to security holes, reducing the risk of data theft.

The one thing that many cyberattacks have in common is that they target known vulnerabilities in systems. They don't always have specific targets, but rather are just searching for weak entry-points.

For that reason, it's a good practice to enable automatic updates on all work computers. For any software that doesn’t update automatically, set a calendar reminder to check it and apply available updates. This will help you address vulnerabilities in your software before they are identified by a cyber criminal.

2. Practice routine website maintenance.

If you have a website that stores customer information, web security updates are critical. For example, many small business owners have sites running on content management systems like WordPress. These tools frequently release updates that are key to protecting against malicious cyberattacks.

It's often the case that small businesses hire someone to build their websites, but don't have a regular maintenance plan. This can be risky, as regular updates to content management systems and plugins are needed to keep your site running smoothly.

If you are using a third party to manage your site, don't forget to ask questions. "Ask about their cybersecurity plan, their vulnerability testing and how they would proceed amid a data breach," says personal finance writer Darla Mercado.

3. Make sure your network is secure.

A firewall is a common first line of defense against hacks. It limits the probability of a successful data breach or of someone bringing down your network. These days, you might already have a firewall and just not know it. Many wireless routers come with this security feature built in.

Firewalls can be a great method for preventing internet-based attacks. They can also prevent malicious traffic from leaving your network, which stops viruses from spreading if they do happen to get inside.

Another way to secure your network is through the use of a VPN, or Virtual Private Network. A VPN is an encrypted connection over the internet: traffic between a remote employee's device and your network can't be read or tampered with in transit, and only authenticated users can reach the network through it. This technology is especially useful for businesses that do a lot of remote work.

Again, if you are using a third party to set up your firewalls, VPNs, or routers, make sure you perform some level of oversight. Making assumptions about their security controls can be dangerous, as you are ultimately responsible for the data.

“You need to do your due diligence because an increasingly large number of breaches and security incidents are occurring within third parties,” advises Rebecca Herold, CEO and founder of The Privacy Professor.

4. Make backing up your data a top priority.

Client information is likely fundamental to your business, and backing up data should be made a priority. If your network is compromised by a cyberattack, a backup is essential to restoring business as usual.

Unfortunately, many people procrastinate when it comes to backing up their systems, opening them up to losing their information permanently. "Ten percent of small businesses never back up essential data," says Lauren Hellicar at online business insurance brokerage Simply Business.
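A backup only counts if it can actually be restored, so a practical check is to archive the data, record a hash of every file, restore into a fresh location and compare. The script below is an added illustration of that routine (it is not code from the article or from any of the companies quoted); the sample files and the directory names are constructed for the demo, and it uses only the Python standard library.

```python
"""Backup-and-restore check, added as an illustration (not from the article).

Creates a compressed tar archive of a directory, records a SHA-256 manifest,
restores into a fresh directory and verifies every file against the manifest.
Sample files are constructed inline so the script runs offline.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files never load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> list:
    """Restore the archive into `dest`; return a list of problems (empty means good)."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # rejects unsafe paths (Python 3.12+)
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest)
    restored = build_manifest(dest)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo(stale_manifest: bool = False) -> list:
    """Constructed scenario: back up two files, change the live copy, then restore.

    With `stale_manifest=True` the manifest is rebuilt from the changed live data,
    which no longer matches the archive, so the check reports the difference.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "invoices").mkdir(parents=True)
        # Constructed sample data, not real client records.
        (src / "clients.csv").write_text("id,name\n1,Example Client\n")
        (src / "invoices" / "2024-01.txt").write_text("Invoice total: 100.00\n")
        archive = Path(tmp) / "backup.tar.gz"
        manifest = make_backup(src, archive)
        # The live copy changes after the backup was taken.
        (src / "clients.csv").write_text("id,name\n1,Renamed Client\n")
        if stale_manifest:
            manifest = build_manifest(src)
        restore_dir = Path(tmp) / "restore"
        restore_dir.mkdir()
        return restore_and_verify(archive, manifest, restore_dir)


if __name__ == "__main__":
    print("restore check:", demo() or "all files verified")
```

Keep the manifest with the backup (ideally off the machine being backed up) and run the restore check on a schedule; an archive that has silently stopped including a folder shows up as a "missing after restore" line long before an incident forces the question.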

5. Make sure all customer data is encrypted.

If you're storing customer data somewhere, it's best if you encrypt it. If a hacker succeeds in copying encrypted data, they'll just end up with meaningless characters. Without a decryption key, they won't have anything of value.

"Data must be encrypted at rest in storage and in transit between locations. Unbelievable volumes of data still remain unencrypted because people think a firewall is enough. It’s not," warns Rick Braddy, cofounder and Chief Technology Officer of cloud data platform company SoftNAS.

6. Practice good password management.

Many of us know the basics of good password management: Don't use your birthday, first pet, or other information that's easy to obtain. Taking those standard safeguards a step further can help keep hackers out.

Cybercrime investigative journalist Brian Krebs advises, "Do not use words that can be found in the dictionary. Password-cracking tools freely available online often come with dictionary lists that will try thousands of common names and passwords."

The harder we make our passwords, the easier they are to forget. And, it's also important not to use the same password across multiple sites or databases. Because of this, many businesses rely on third-party services to safely keep track of their passwords, such as LastPass. “If entrusting all your passwords to the cloud gives you the creeps, consider using a local password storage program on your computer,” Krebs adds.

7. Use multi-factor authentication for critical data.

Multi-factor authentication is an increasingly popular security measure. Essentially, multi-factor authentication combines "something you know" with "something you have." For example, you might enter your password and then get a one-time code sent to your phone as a secondary safety measure.

If you have a highly confidential database, setting up multi-factor authentication goes a long way to protect it. It's a relatively painless method to implement and improves your security from some of the most common attacks.

"When computer users and businesses ask me for a single step they could take to dramatically enhance their security it's easy to answer: enable multi-factor authentication," says cybersecurity writer and podcast host Graham Cluley.
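To make the "something you have" factor concrete, here is an added example (not code from the article or from any of the people quoted) of how the one-time code on a phone is generated and checked: the phone and the server share a secret, and each derives the current six-digit code from that secret and the current 30-second time step (RFC 6238 TOTP, built on RFC 4226 HOTP). The secret used here is the RFC 6238 reference test key, and the user record, password and salt are constructed for the demo. Only the Python standard library is used.

```python
"""Added illustration of the one-time-code factor: RFC 6238 TOTP plus a password
check, using only the Python standard library. Not code from the article."""
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 6238 reference test key. In practice each
# user gets a fresh random secret, shown once (usually as a QR code) to enrol
# their authenticator app, and stored server-side like any other credential.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step.
    This is what the authenticator app on the phone computes and displays."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int, window: int = 1):
    """Return the matched time-step counter, or None if the code is not valid.

    Accepts one step of clock skew either way, and refuses any counter at or
    before `last_counter` so a code that was already used (or intercepted and
    submitted again) is rejected.
    """
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def make_user(password: str) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus TOTP state."""
    salt = b"constructed-demo-salt"  # real code: os.urandom(16), stored per user
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": SHARED_SECRET,
        "last_counter": -1,
    }


def authenticate(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: the password ("something you know") and the
    current one-time code ("something you have")."""
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(expected, user["pw_hash"]):
        return False
    counter = verify_totp(user["totp_secret"], code, unix_time, user["last_counter"])
    if counter is None:
        return False
    user["last_counter"] = counter  # remember the step so the code can't be reused
    return True


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; a real server uses int(time.time())
    user = make_user("correct horse battery staple")
    phone_code = totp(SHARED_SECRET, now)  # what the authenticator app shows
    print("code on phone:", phone_code)
    print("login with password + code:", authenticate(user, "correct horse battery staple", phone_code, now))
    print("same code again (replay):", authenticate(user, "correct horse battery staple", phone_code, now))
```

The replay check is the detail most home-grown implementations forget: a one-time code is only "one-time" if the server records which step it has already accepted. The values in the test below are the published RFC 4226/6238 vectors for this key, so a correct implementation in any language should reproduce them.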

8. Be aware of phishing scams.

Cybersecurity experts will tell you that educating yourself and your employees should be a top priority, since installing a firewall or using anti-virus software can't protect against certain tactics. Take phishing, for example, which is a popular cybercrime due to its easy execution and effectiveness. Hackers don't need to exploit vulnerabilities or get around firewalls. Instead, they just need to send emails baiting people to download files or click on certain links.

"Whether through mass emailed salacious-subject emails, or targeted messages bearing alarming subjects and impersonating known senders, criminals know how to pique human curiosity so as to incentivize people to open a file," says cybersecurity advisor and consultant Joseph Steinberg.

That's why awareness is so important. The more you and your employees are alert to the most common types of cyber crime, the better protected you will be from hackers. "All it takes is one gullible employee and they’re good to go," writes crypto-journalist Sead Fadilpašić.

9. Collect and share only what you need.

A simple way to reduce the risk of data breaches is to be careful about what you collect in the first place. When possible, try not to gather or store confidential client details that you don't absolutely need. Data breaches can target information that isn’t critically important to a business, and that lack of importance is often why the data wasn’t secured.

By limiting the information you collect, you'll also limit the customer's exposure in the event of a breach. Informing your customers about how you collect and protect their data is a good way to build trust as well. You may further want to limit the information that your employees have access to.

Many businesses give employees only the information they need to do their job. This keeps them from posing a risk, whether accidentally or maliciously.

10. Run tests for vulnerabilities.

Another way to be proactive about potential security threats is to run regular vulnerability tests. These scans are designed to alert businesses about weaknesses that could be exploited by hackers.

"My suggestion would be to have an audit from a suitably competent expert, as like many such dangers, it’s understanding the previously 'unknown unknowns' that is most important," advises Financial Planner Alistair Cunningham.

Vulnerability scans are especially crucial whenever you make significant changes to your internal systems. Those vulnerabilities could include unknown devices connected to your network, web configuration errors, and missing updates to your software. Taking the time to test these systems before they go live could prevent costly issues in the future.

Following the steps above will certainly go a long way to enhancing the security of your company data. However, there is no silver bullet for reducing security risks, says Georgia Weidman, founder of cybersecurity companies Shevirah and Bulb. "In fact, I strongly believe that preventative security vendors’ marketing strategy of, 'If you install our software (or put our box on your network), you won’t have to worry about security anymore,' is the root cause of many of the high profile breaches we see today," she says.
