How to Write a Simple Cyber Security Plan for your Small Business

When setting up their small business, cyber security is often one of the last things on most business owners’ minds. Between planning, funding, marketing and finances, it is both easy and dangerous to overlook the safety and security of your organisation.

Did you know that according to official statistics from the Cyber Security Breaches Survey 2020, over 46% of cyber-attacks target small businesses? To prevent yourself from becoming another statistic, the best step you can take is to create and follow a simple cyber security plan that’s tailor-made for small businesses. They typically take only a few hours to draft, but will protect you against disasters such as data leaks, malware attacks and any of your intellectual property being stolen.

Your digital assets are money in the bank – so don’t make it easy for cyber criminals by leaving the vault ajar!

It’s worth noting that larger companies or those with more complex needs may require a more sophisticated plan. In this case, you can get in touch with one of our cyber security experts, who can advise you on the best protection for your business.

How do I get started with my cyber security plan?

Checking your computers normally takes no longer than 20-30 minutes per machine (if it can’t be automated). Here’s how to build your own cyber security plan for your small business.

If you’re really keen to demonstrate your commitment to cyber security, you may also consider securing a Cyber Essentials Certification for your business. We offer a complete service to help you secure either a Cyber Essentials, or the more comprehensive Cyber Essentials Plus certification. If you think this could be right for you, feel free to contact us to discuss your security needs further.

​What level of IT experience do I need?

As long as you can browse the web, edit a document and run an application, you already know enough about technology to protect your organisation at a basic level. So, don’t be discouraged. Compared to the potential risks your business faces from unsecured IT, even a relatively small investment of time or money in cyber security will deliver a considerable return on investment by protecting you from potentially huge losses due to cyber crime.

Create your sample cyber security plan

The first draft of your small business’s cyber security plan doesn’t need to be hundreds of pages long, overly detailed, or win any awards. It just needs to outline the threats you face, establish common-sense policies and assign responsibilities for taking action.

​The best plans are simple, but they’re also dynamic — just like the systems they protect. Everybody in your organisation should take note of which policies are successful and which need to be refined, changed or just thrown out and started afresh. It’s all about gathering together and formalising the processes which will give you the power to control your IT security.

Your cyber security plan objectives:

1. Protecting your intellectual property and financial data
2. Meeting your regulatory and legislative obligations
3. Showing your suppliers and clients that you take the security of their data seriously

​Your team members

List your employees and allocate a cyber security task to each relevant person. For example:

• Peter Smith – Head of Sales – Responsible for overall IT security
• Theresa Jones – Tech support – In charge of all security-led technical changes
• David Davis – Managing Director – Tasked with scheduling and managing monthly checks

Assessing your threat

What are your digital assets? List them all, including emails, client work files (past and present), financial records, marketing collateral, staff information, project plans, schedules, customer data, contracts, and any other information you want to protect. Then list the risks that these assets may face. You might identify things like:

1. ​Accidental damage (e.g. dropping a tablet and breaking the screen)
2. Natural disasters such as flood and fire
3. Employee negligence (e.g. accidental file deletion)
4. Employee misconduct (e.g. stealing customer data)
5. Crime (e.g. a break-in at your premises)
6. External risks like malware attacks and industrial espionage
7. Technical failure (e.g. the death of a vital server)
8. Improper security policies

Creating the cyber security plan

Now that you’ve listed your digital assets, the risks they face and the people responsible for managing those risks; you have everything you need to make basic plans to mitigate the risks. We would suggest including items like the following:

1. Switching email to Microsoft Office 365 to ensure that your mail gets swept for viruses, archived and kept secure
2. Moving data to a central file server
3. Having policies for your organisation and staff to ensure secure working from home
4. Backup vital data every day – with local copies and in the cloud
5. Storing critical customer and business information on SharePoint online
6. Only staff working on a given project will have access to that project’s files
7. Restricting access to business information like your accounts and payroll to a limited number of people on a need-to-know basis
8. Setting up BitLocker on all company laptops to encrypt files in case they are lost or stolen
9. Security-marking every laptop
10. Hiring a security company to audit your physical security, locks, and alarms once a year
11. Updating your internet use policy with your legal team and training new staff about it
12. Ensuring everyone in the company is familiar with your IT security procedures
13. Hold yearly training for the whole company to keep security knowledge fresh
14. Spot-check regularly to make sure IT security is being taken seriously, and your protocols are being followed

Putting together a basic cyber security plan for your small business is a seemingly simple exercise, but it can help you to consider your current risks and, ultimately, protect you from serious security breaches in the future.

Forensic Control Can Help You

If you’d like to take your business’s cyber security to the next level, you may also consider using an external company to audit your security as a whole. With our Cyber Essentials and Cyber Essentials Plus service at Forensic Control, we can examine your current security processes, use our expertise to identify any weak points and support you on your way towards a globally-recognised security certification.

If you are interested in a Cyber Essentials certification, you can learn more about the scheme on our Cyber Essentials FAQ page. If you would like to discuss the best security options for your business, you can contact us and speak to one of our cyber security experts today.