09 Jan Writing Simple Cyber Security Plans for Small Businesses
In the last in our series about business cyber security, we look at how to write a basic security plan for a small business. It’s one of those business essentials you don’t want to do without and something far too SMEs don’t bother with, but only takes a few hours to draft. Checking your computers should only take 20-30 minutes max per machine (if it can’t be automated). Running through the remaining items on the checklist we discussed in a recent post may take you an hour or two.
Here’s how to build your own working business IT security plan for a smaller business. Large companies with more complex needs will require a more sophisticated plan than this, something we can help with.
What level of IT security expertise do you need to make it happen?
As long as you can browse the web, edit a document and run an application, you already know enough about technology to protect your organisation at a basic level. Don’t let anyone put you off. Compared to the potential risks your business faces from unsecured IT, investing in cyber security always delivers a considerable return on investment.
Create a super-simple sample cyber security plan
The first draft of your company’s business plan doesn’t have to win any awards, run to hundreds of pages or be full of fine detail. It just needs to outline the threats you face, establish sensible common sense policies and assign responsibilities for taking action.
The best plans may be simple, but they’re also dynamic, just like the systems they protect. Everyone involved should take note of which policies are working and which need to be refined, changed or just thrown out and started afresh. It’s all about gathering together and formalising the knowledge you need to give yourself the power to control your IT security.
It always helps to distil your objective down to its most basic and potent form, so you know what your aims are. For many businesses, this may include aims such as:
Protecting our intellectual property and financial data
Meeting our regulatory and legislative obligations
Showing our suppliers and clients that we treat the security of their data seriously
Your team members
List your employees and allocate a cyber security task to each relevant person. For example:
Peter Smith – Head of sales – Responsible for overall IT security
Theresa Jones – Tech support – In charge of all security-led technical changes
David Davis – MD – Tasked with scheduling and managing monthly checks
What are your digital assets? List them all, including emails, client work files past and present, financial records, marketing collateral, staff information, project plans, schedules, customer data, contracts, and any other information you want to protect.
What are the risks you face? You might pin down things like:
- Accidental damage, for example, dropping a tablet and breaking the screen
- Natural disasters such as flood and fire
- Employee negligence, for example, accidental file deletion
- Employee misconduct, for example, stealing customer data
- Crime, for example, a break-in at your premises
- External risks like malware attacks and industrial espionage
- Technical failure, for example, the death of a vital server
- Security policies
Creating the plan
Now you’ve formalised your digital assets, the risks they face and the people responsible for managing those risks; you have everything you need to make basic plans about how to mitigate the risks. You might include things like this:
- Switching email to Microsoft Office 365 to ensure that our mail gets swept for viruses, archived and kept secure
- Moving data to a central file server
- Discourage staff from storing information on their local PCs
- Backup vital data every day – with local copies and in the cloud
- Storing critical customer and business information on SharePoint online
- Only staff working on a given project will have access to that project’s files
- Restricting access to business information like our accounts and payroll to a limited number of people on a need-to-know basis
- Setting up BitLocker on all company laptops to encrypt files in case they are lost or stolen
- Security-marking every laptop
- Getting a security company to audit our physical security, locks, and alarms once a year
- Updating our internet use policy with our lawyers and train new staff about it
- Ensuring everyone in the company is familiar with our IT security procedures
- Hold yearly training for the whole company to keep security knowledge fresh
- We will spot-check regularly to make sure IT security is being taken seriously, and our protocols are being followed
It’s a reasonably simple exercise, but even a basic cyber security plan can save you a world of pain. Integrity to this process is added by using an external company to audit it and your cyber security as a whole. This is what we do, so call us if you would like to discuss this informally.