26 Nov How To Write A Simple Cyber Security Plan For A Small Business
Creating a cyber security plan for a small business is a vital part of your cyber security defences. Almost half (43%) of cyber-attacks target small businesses. Creating and following a simple cyber security plan is the best first step you can take to protecting your business. It’s one of those business essentials you don’t want to do without and something far too SMEs don’t bother with, but only takes a few hours to draft. Larger companies with more complex needs will require a more sophisticated plan than this; get in touch if you’d like our help.
Checking your computers should only take 20-30 minutes max per machine (if it can’t be automated). Here’s how to build your own working business IT security plan for a smaller business. You can have your cyber security validated via Cyber Essentials verification which we can certify you too.
What level of IT security expertise do I need?
As long as you can browse the web, edit a document and run an application, you already know enough about technology to protect your organisation at a basic level. Don’t let anyone put you off. Compared to the potential risks your business faces from unsecured IT, investing in cyber security always delivers a considerable return on investment.
Create a super-simple sample cyber security plan
The first draft of your company’s business plan doesn’t have to win any awards, run to hundreds of pages or be full of fine detail. It just needs to outline the threats you face, establish sensible common-sense policies and assign responsibilities for taking action.
The best plans may be simple, but they’re also dynamic, just like the systems they protect. Everyone involved should take note of which policies are working and which need to be refined, changed or just thrown out and started afresh. It’s all about gathering together and formalising the knowledge you need to give yourself the power to control your IT security.
- Protecting our intellectual property and financial data
- Meeting our regulatory and legislative obligations
- Showing our suppliers and clients that we treat the security of their data seriously
Your team members
List your employees and allocate a cyber security task to each relevant person. For example:
- Peter Smith – Head of sales – Responsible for overall IT security
- Theresa Jones – Tech support – In charge of all security-led technical changes
- David Davis – MD – Tasked with scheduling and managing monthly checks
Assessing your threat
What are your digital assets? List them all, including emails, client work files past and present, financial records, marketing collateral, staff information, project plans, schedules, customer data, contracts, and any other information you want to protect. Then list the risks that thes assets may face. You might identify things like:
- Accidental damage, for example, dropping a tablet and breaking the screen
- Natural disasters such as flood and fire
- Employee negligence, for example, accidental file deletion
- Employee misconduct, for example, stealing customer data
- Crime, for example, a break-in at your premises
- External risks like malware attacks and industrial espionage
- Technical failure, for example, the death of a vital server
- Security policies
Creating the plan
Now you’ve formalised your digital assets, the risks they face and the people responsible for managing those risks; you have everything you need to make basic plans about how to mitigate the risks. You might include items like the following:
- Switching email to Microsoft Office 365 to ensure that our mail gets swept for viruses, archived and kept secure
- Moving data to a central file server
- Having policies for your organisation and staff to ensure secure working from home
- Backup vital data every day – with local copies and in the cloud
- Storing critical customer and business information on SharePoint online
- Only staff working on a given project will have access to that project’s files
- Restricting access to business information like our accounts and payroll to a limited number of people on a need-to-know basis
- Setting up BitLocker on all company laptops to encrypt files in case they are lost or stolen
- Security-marking every laptop
- Getting a security company to audit our physical security, locks, and alarms once a year
- Updating our internet use policy with our lawyers and train new staff about it
- Ensuring everyone in the company is familiar with our IT security procedures
- Hold yearly training for the whole company to keep security knowledge fresh
- We will spot-check regularly to make sure IT security is being taken seriously, and our protocols are being followed
It’s a reasonably simple exercise, but even a basic cyber security plan can save you a world of pain. Integrity to this process is added by using an external company to audit it and your cyber security as a whole, such as with the Cyber Essentials Plus certification.
Next steps: certifying to Cyber Essentials