Cybersecurity Checklist for Small to Medium Businesses

As cyberattacks proliferate across the globe, small and midsize businesses (SMBs) have become prime targets for hackers and cybercriminals. Lacking the budget for enterprise-grade defenses, SMBs saw over 200 million cyberattacks in 2022, with the average breach now costing over $200,000.

Implementing core cybersecurity controls is no longer optional for SMBs – the existence of your business depends on securing critical assets from constantly evolving threats.

This comprehensive cybersecurity master plan lays out the essential, non-negotiable protections needed to secure your SMB in the modern threat landscape.

An Existential Threat

According to leading research firms, over 70% of cyberattacks now target small businesses. These attacks have real impacts:

  • 60% of SMBs breached are forced to close shop within 6 months due to irreparable damage
  • Breached SMBs have their insurance premiums rise by 16-70% on average
  • 86% of consumers would reconsider purchases from breached SMBs due to loss of trust

The financial and reputational carnage makes it clear – SMBs cannot ignore the importance of implementing baseline cybersecurity precautions in order to survive.

Common Attack Vectors Targeting SMBs

While threat actors utilize a wide range of tactics, the most successful cyberattacks against SMBs generally fall into three categories:

Phishing – Fraudulent emails convincing victims to reveal passwords or sensitive data, or click on links or attachments that install malware. Phishing caused 36% of breaches in 2022.

Ransomware – Malicious encryption of systems and data until extortion payments are made. Ransomware attacks increased 105% against SMBs last year.

Data theft – Hackers exploiting vulnerabilities to steal and sell customer data and intellectual property on the dark web. The average cost of stolen records now exceeds $150 per record.

The cybersecurity controls outlined in this plan provide strong defenses against these most common SMB attack patterns.

The Cybersecurity Gold Standard Framework for SMBs

Cybersecurity frameworks provide prescriptive guidance on information security and data protection for aligning defenses with business risk. For SMBs, the most applicable frameworks include:

NIST CSF – Developed by the National Institute of Standards and Technology to help organizations manage cyber risks. Provides guidance across 5 functions – Identify, Protect, Detect, Respond, and Recover.

CIS Controls – Developed by the Center for Internet Security, this framework focuses on cyber defense through 20 critical security controls that stop most attacks.

ISO 27001 – An international standard for information security management that lays out security controls and formalizes an information security management system (ISMS).

This cybersecurity master plan cross-maps with elements of these widely adopted frameworks plus additional protections specific for SMB environments.

Employee Security Training

With 90% of breaches caused by human-related errors, building a culture of security awareness across all employees is essential.

  • Reduce phishing risk by 72% through continuous end user education on identifying threats in emails, texts and calls. Test effectiveness with simulated phishing and ransomware attacks.
  • Mandate strong 14+ character passwords, multi-factor authentication across all apps and systems, and password managers to eliminate 81% of credential-based attacks.
  • Institute safe web browsing habits like avoiding public Wi-Fi, enabling VPNs, and verifying HTTPS connections and website legitimacy.
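The password and multi-factor bullets above are the two controls most easily checked by script. The following is an added example, not code from the original article: it validates a proposed password against the 14+ character floor (plus a constructed breached-password list and a repeated-character rule, both assumptions beyond the text) and audits a constructed identity-provider export for accounts lacking MFA. The dormant-account check goes beyond the checklist but falls out of the same audit.

```python
"""Audit an identity-provider export against the password-and-MFA policy
from the training checklist (14+ character passwords, MFA everywhere).
Added example; the export format and sample values are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 14  # the checklist's "14+ character" floor

# A few entries standing in for a breached-password list (constructed sample).
KNOWN_BREACHED = {"password123456", "companyname2022!", "welcome1welcome1"}


def password_meets_policy(candidate: str) -> list[str]:
    """Return the policy rules a proposed password violates (empty = acceptable)."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if candidate.lower() in KNOWN_BREACHED:
        problems.append("appears in breached-password list")
    # Long runs of a single character defeat a pure length rule.
    if re.search(r"(.)\1{3,}", candidate):
        problems.append("contains a run of 4+ repeated characters")
    return problems


@dataclass
class Account:
    username: str
    mfa_enabled: bool
    last_login_days: int  # days since last successful sign-in


# Constructed sample export, as an IdP CSV dump might look after parsing.
SAMPLE_ACCOUNTS = [
    Account("alice", True, 1),
    Account("bob", False, 2),          # no MFA
    Account("svc-backup", False, 200), # no MFA and dormant
    Account("carol", True, 3),
]


def audit_accounts(accounts, dormant_after_days=90):
    """Return findings per account: missing MFA and dormant logins.
    Accounts with no findings are omitted."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct.mfa_enabled:
            issues.append("mfa_missing")
        if acct.last_login_days > dormant_after_days:
            issues.append("dormant")
        if issues:
            findings[acct.username] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(issues)}")
    print(password_meets_policy("correct horse battery staple"))
```

Run the audit against a real export on a schedule and feed the `mfa_missing` list back into the enrollment campaign; the password function belongs in the self-service reset flow so weak choices are rejected at entry rather than discovered later.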

Network & Infrastructure Controls

With remote and hybrid work expanding attack surfaces, securing network perimeters and internal components protects against intrusion and infection.

  • Harden wireless networks with WPA2+ encryption, hidden SSIDs, MAC address filtering, and isolation of guest networks.
  • Segment internal networks by workload or function to limit lateral movement if malware penetrates defenses.
  • Maintain constantly updated inventories of approved hardware and software to detect “shadow IT” that increases risk.
  • Implement firewalls and IPS/IDS systems with integrated threat intelligence to filter malicious traffic both inbound and lateral.
  • Conduct recurring penetration tests and vulnerability scans to find security gaps before criminals do.
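The inventory bullet above only pays off if the approved list is regularly compared with what is actually on the network. As an added example (not code from the article or any discovery product), the script below reconciles a constructed discovery-scan result against constructed approved hardware and software lists and reports unknown devices, unapproved or off-version software, and approved devices that were not seen.

```python
"""Reconcile a discovered-asset scan against the approved hardware and
software inventory to surface shadow IT. Added example; the record formats
and sample values are constructed assumptions, not from any real tool."""
from __future__ import annotations

# Approved inventory: MAC address -> description (constructed sample).
APPROVED_HARDWARE = {
    "aa:bb:cc:00:00:01": "fileserver-01",
    "aa:bb:cc:00:00:02": "alice-laptop",
    "aa:bb:cc:00:00:03": "printer-lobby",
}

# Approved software: package name -> set of permitted versions.
APPROVED_SOFTWARE = {
    "libreoffice": {"7.6.4", "24.2.1"},
    "firefox": {"124.0"},
    "backup-agent": {"3.1"},
}

# Constructed output of a discovery run: one dict per host seen.
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "host": "fileserver-01",
     "software": {"backup-agent": "3.1"}},
    {"mac": "aa:bb:cc:00:00:02", "host": "alice-laptop",
     "software": {"firefox": "124.0", "teamviewer": "15.5"}},
    {"mac": "de:ad:be:ef:00:09", "host": "unknown-android",
     "software": {}},
]


def reconcile(discovered, approved_hw, approved_sw):
    """Return shadow-IT findings: unapproved devices, unapproved or
    off-version software per host, and approved devices not seen."""
    findings = {"unknown_devices": [], "unapproved_software": {}, "missing_devices": []}
    seen = set()
    for host in discovered:
        mac = host["mac"].lower()
        seen.add(mac)
        if mac not in approved_hw:
            findings["unknown_devices"].append((mac, host["host"]))
        bad = []
        for name, version in host["software"].items():
            allowed = approved_sw.get(name.lower())
            if allowed is None:
                bad.append(f"{name} {version} (not approved)")
            elif version not in allowed:
                bad.append(f"{name} {version} (version not approved)")
        if bad:
            findings["unapproved_software"][host["host"]] = bad
    # A device that should be present but was not seen may be lost, stolen
    # or switched off; either way the inventory needs an answer.
    for mac, desc in approved_hw.items():
        if mac not in seen:
            findings["missing_devices"].append((mac, desc))
    return findings


if __name__ == "__main__":
    report = reconcile(DISCOVERED, APPROVED_HARDWARE, APPROVED_SOFTWARE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

MAC addresses are used as the device key because they are what a network scan reports, but they can be spoofed; treat an unexpected MAC as a lead to investigate, not as proof of an intruder.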

Harden Endpoints

With users frequently off-network, securing endpoint devices against threats is crucial.

  • Install EPP/EDR tools combining signature-based protections with behavioral analysis and machine learning to block advanced threats missed by traditional antivirus.
  • Enforce full disk and container/folder encryption on devices and removable media storing sensitive data to secure data at rest per compliance mandates.
  • Manage endpoint security from a unified cloud console for greater visibility and control especially with remote workers.
  • Automatically apply policy to endpoint configuration changes to maintain continuous compliance.

Access Controls & Data Protection

Guiding principles for data security include data minimization, encryption, and restricting access.

  • Classify data into sensitivity tiers based on impact of exposure when setting data protection mechanisms.
  • Implement role-based access controls to limit employee data to only what is required for their duties, enforcing separation of duties.
  • Establish data retention policies with defined periods for maintaining consumer data, financial reports etc. before archival/deletion.
  • Secure sensitive data both in transit over networks and at rest through enterprise-grade encryption.
  • Select cloud storage, collaboration and CRM tools with advanced security controls suited for highly confidential data.

Incident Readiness & Response

Despite best efforts, breaches occur. Detection and response capabilities minimize damage.

  • Institute formal incident response procedures designating personnel, responsibilities, external contacts, communication protocols and incident documentation.
  • Maintain contracts with external forensics investigators, crisis PR firms, notification providers, cyber insurance partners and other incident response service providers for rapid support.
  • Implement backup systems with offline, immutable copies to enable resilient data recovery after malware or ransomware attacks.
  • Adhere to breach notification laws and disclose incidents appropriately to affected individuals and partners.

Physical Security Controls

While cyberdefenses focus on digital assets, physically securing offices, devices and employees helps reduce certain attack vectors.

  • Secure all entry/exit points with authenticated access controls. Issue employee credentials like smart cards for building access.
  • Position monitors away from sightlines in public spaces. Enact clean desk policies requiring sensitive document lockup after hours.
  • Provide secure lockers for storing devices when not in use. Affix laptops and other portable hardware with cable locks when stationary.
  • Train staff in tailgating prevention techniques, alarm response procedures, visitor management etc. to strengthen human prevention barriers.

Business Continuity Planning

Alongside incident response, business continuity planning enables restoring normal operations faster after disasters.

  • Specify emergency procedures, key contacts, fallback infrastructure and arrangements for supply chain disruptions, technology failures etc.
  • Maintain automated, encrypted offsite backups of critical documentation, configs and financial records with regular validation testing.
  • Explore cyber insurance plans covering incident response costs, digital asset replacement, reputational harm minimization and income loss stemming from outages.
  • Implement redundancy for critical systems like internet, power, cloud and on-prem servers to reduce downtime from localized failures.
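The immutable-backup bullet under Incident Readiness and the "regular validation testing" bullet above describe the same discipline: a backup is only as good as the last time it was checked and restored. The following added example (not code from the article or any backup product) builds a constructed backup set in a temporary directory, records a manifest of file hashes protected by an HMAC, rehearses a restore into scratch space, and then shows that a modified file, an unexpected file, and a forged manifest are each detected. The manifest layout and key are assumptions.

```python
"""Validate a backup set against its manifest and rehearse a restore.
Added example; the manifest layout is a constructed assumption."""
from __future__ import annotations
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Constructed key. In practice it lives in a secrets manager, not on the
# backup host, so whoever alters the backup cannot also re-sign the manifest.
MANIFEST_KEY = b"example-manifest-key-not-a-real-secret"


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _listing(backup_dir: Path) -> dict[str, str]:
    return {p.relative_to(backup_dir).as_posix(): sha256_of(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def write_manifest(backup_dir: Path) -> Path:
    """Record every file's hash and HMAC the list; written beside, not
    inside, the backup so it is not part of the set it describes."""
    entries = _listing(backup_dir)
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    manifest = backup_dir.parent / "manifest.json"
    manifest.write_text(json.dumps({"files": entries, "hmac": mac}))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path) -> list[str]:
    """Return problems found: forged manifest, missing, altered or extra files."""
    data = json.loads(manifest_path.read_text())
    body = json.dumps(data["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, data["hmac"]):
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    problems = []
    present = _listing(backup_dir)
    for rel, digest in data["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif present[rel] != digest:
            problems.append(f"altered: {rel}")
    for rel in sorted(set(present) - set(data["files"])):
        problems.append(f"unexpected: {rel}")
    return problems


def restore_rehearsal(backup_dir: Path, manifest_path: Path) -> list[str]:
    """Copy the set into scratch space and verify the copy, exercising the
    same path a real recovery would take."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        shutil.copytree(backup_dir, target)
        return verify_backup(target, manifest_path)


def demo() -> dict[str, list[str]]:
    """Build a constructed backup set, verify it clean, then corrupt the set
    and the manifest in turn to show each tamper is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "configs").mkdir(parents=True)
        (backup / "configs" / "firewall.conf").write_text("deny all\n")
        (backup / "ledger-2024Q1.csv").write_text("date,amount\n2024-01-02,100\n")
        manifest = write_manifest(backup)
        clean = restore_rehearsal(backup, manifest)
        # Simulate silent corruption plus a ransomware artefact in the set.
        (backup / "ledger-2024Q1.csv").write_text("date,amount\n2024-01-02,999\n")
        (backup / "ledger-2024Q1.csv.locked").write_text("x")
        corrupted = verify_backup(backup, manifest)
        # Simulate an attacker editing the manifest without the key.
        data = json.loads(manifest.read_text())
        data["files"]["ledger-2024Q1.csv"] = sha256_of(backup / "ledger-2024Q1.csv")
        manifest.write_text(json.dumps(data))
        forged = verify_backup(backup, manifest)
        return {"clean": clean, "corrupted": corrupted, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The offline and immutable copies the checklist calls for are what make this check meaningful: if the manifest and its key sit on the same host as a writable backup, ransomware that reaches one reaches all three.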

Compliance Considerations

While aiming to protect consumer privacy, compliance mandates also impose substantial penalties for violations by breached entities.

  • For SMBs handling credit cards, PCI DSS sets datapath encryption, access limitations and other controls required to accept payments. Penalties for non-compliance start at $100,000.
  • Healthcare SMBs face fines from $100 to $50,000 per affected patient record for HIPAA violations stemming from breaches of protected health information.
  • Under GDPR applied to EU citizens’ data, SMBs face fines up to €20 million for violations like unauthorized processing or deficiencies enabling breaches.

The controls within this plan help SMBs structure cybersecurity to satisfy major compliance regulations. But additional tailoring may be required for industry-specific mandates.

The Path Forward – Reinforcing Your Cyber Defenses

With advanced attacks battering SMBs daily, implementing baseline protections is the only path forward for vulnerable organizations. While expansive frameworks and individual technologies are important foundations, translating those into an actionable cybersecurity program tailored to your specific SMB environment will determine success.

Through creating a proactive cybersecurity master plan mapped to leading standards and guidelines – then diligently executing the tactics laid out across training, technology and process disciplines – SMBs can pivot from prey to well-hardened organizations no longer appearing as easy marks to opportunistic hackers. The recommendations encapsulated here provide the blueprint to make that transformation happen.