
10 Questions every Small Business should be asking about Cyber Security...

Written by HQ | Jan 12, 2024 3:56:03 PM

Cyber security should no longer be considered just a technical concern; it needs to be seen as a pivotal business issue. Failing to address it adequately can have severe repercussions for your reputation, customer trust, legal compliance and overall financial health.  

Despite the common belief that cyber threats won't affect smaller businesses, the statistics paint a different picture. In the UK, a small business succumbs to a successful hack every 19 seconds, with a staggering 65,000 attempted breaches daily. 

The Cost of Ignoring Cyber Security 

The financial toll of a data breach can be crippling for small businesses, as evidenced by the average clean-up cost of approximately £25,700 (according to figures from insurer Hiscox). This encompasses expenses related to system restoration, potential ransom payments, hardware replacement, and the implementation of enhanced security measures. However, the aftermath of a breach is not confined to immediate financial losses. A substantial 33% of organisations admit to losing customers post-data breach, highlighting the broader impact on customer trust and loyalty. 

In this blog, we are going to look at 10 essential questions you should be asking yourself on a regular basis about your Cyber Security. These questions will help to ensure that you are doing the basics.  

1. Does every employee have an individual account and long, strong, unique password? 

Weak passwords, password re-use and password sharing remain among the leading root causes of data breaches.  

123456 remains the most used password across the world! 

It’s important that you ensure employees create robust, unique passwords for each of their accounts, and that no account is shared between people, so that every action can be traced to an individual. Make sure you have a policy in place that outlines what you expect from a password. We’d recommend choosing three random words, using a different combination for each account. This approach is easy to remember and difficult for others to guess, and because no password is reused, a password stolen from one service cannot simply be tried against the others. 

We’d recommend getting a password manager to help secure passwords. A password manager (or the one built into a web browser) stores all your passwords securely, so you don't have to worry about remembering them, which makes it much easier for your team to create a unique password for each of their accounts.  

2. Do you use multi-factor authentication? 

MFA adds a second check beyond the password, so a password that has been guessed by brute force, phished, captured by a key-logger or talked out of someone is not enough on its own to get in. One caveat: codes sent by text message or read from an authenticator app can still be phished in real time by a fake login page that relays them, so where a service offers it, prefer phishing-resistant methods such as passkeys or hardware security keys.  

Most email platforms and the other online services you use let you turn MFA on from their account security settings, so make sure it’s put in place for every account, starting with email and any administrator accounts.  

3. Are you backing up your files? 

Regularly backing up your files is a fundamental practice. In the event of a cyber-attack, having up-to-date backups allows swift data recovery and minimises downtime. Keep at least one copy somewhere an attacker on your network cannot reach, such as offline or in storage that cannot be overwritten, because ransomware routinely encrypts or deletes backups that stay connected. Test restoring from your backups regularly: a backup you have never restored from is an assumption, not a plan. 

4. Are your employees trained in recognising phishing emails? 

Your team is both your first line of defence and your greatest vulnerability. Human error accounts for 88% of data breaches. Providing your people with training on the threats, current scams and basic cyber hygiene will significantly reduce the chance of a successful cyber-attack. As part of your training, make sure your employees can recognise and avoid phishing emails and know what to do if they spot one, including who to report it to.  

5. Do your employees regularly travel or work remotely? 

If your workforce operates remotely, it’s important to assess your security measures. Working from home can leave us far more vulnerable to cyber-attacks without the security protections that office systems provide – such as firewalls and a secure working environment. To find out our advice on how to safely work from home, please read our blog here (add link)  

If your team are regularly travelling, or working out and about, you need to make sure they are equipped with the training and knowledge of how to stay secure. For example, do you supply your team with privacy screens for their laptops and do they know to connect to a Virtual Private Network (VPN) when accessing external Wi-Fi? 

6. Where is all your data stored and who has access to it? 

Is your data stored on multiple systems, in the cloud or locally on staff computers? Restricting access to sensitive data minimises the potential impact of a breach. Clearly define access levels based on job roles and responsibilities.  

For every area of the business that involves sensitive data, ask: who needs access, and what level of access do they need? Review the answer when people change roles or leave, so that access is removed as well as granted.  

7. What is your data recovery plan? 

We’d recommend developing a comprehensive data recovery plan outlining the key steps you would take in case of a cyber-attack: who to call, how to isolate affected systems, where your backups are and how to restore from them, and who must be notified, including any regulator or customers you have an obligation to inform.  

A timely and effective response will mitigate damage, expedite your recovery and likely save you a lot of money!  
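For whoever looks after your IT, the following Python script is an added example written for this post, not a Toro tool or anything from the original article. It puts questions 3 and 7 into practice: it backs up a folder, records a SHA-256 hash of every file, then proves the backup can be restored by unpacking it into a scratch folder and comparing every file against that record. It also shows what the check reports for a backup that was cut short, and for an archive that tries to write outside the restore folder (a common trick in tampered archives). The folder names and sample files are constructed for the demonstration.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir: Path, backup_path: Path) -> dict:
    """Archive every file under src_dir; return a manifest of relative path -> SHA-256.

    The manifest is what lets a later restore be checked rather than assumed."""
    manifest = {
        p.relative_to(src_dir).as_posix(): sha256_file(p)
        for p in sorted(src_dir.rglob("*")) if p.is_file()
    }
    with tarfile.open(backup_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    # Keep the manifest beside the archive; store it with the offline copy too.
    manifest_path = backup_path.with_name(backup_path.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def _safe_members(tar: tarfile.TarFile, root: Path):
    """Yield only members whose restore path stays inside root (blocks ../ traversal)."""
    for member in tar.getmembers():
        target = (root / member.name).resolve()
        if target != root and root not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
        yield member


def verify_restore(backup_path: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare each file to the manifest.

    Returns a list of problems; an empty list means the backup restored cleanly."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        try:
            with tarfile.open(backup_path, "r:gz") as tar:
                tar.extractall(root, members=_safe_members(tar, root))
        except (tarfile.TarError, OSError, EOFError, zlib.error, ValueError) as exc:
            return [f"restore failed: {exc}"]
        for rel, expected in manifest.items():
            restored = root / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content mismatch after restore: {rel}")
    return problems


def demo() -> dict:
    """Constructed scenario: a good backup, a truncated one and a hostile archive."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "company-data"
        (src / "accounts").mkdir(parents=True)
        # Constructed sample files, not real business data.
        (src / "accounts" / "invoices-2023.csv").write_text("id,customer,amount\n1,Example Ltd,1200.00\n")
        (src / "customers.db").write_bytes(os.urandom(4096))  # incompressible filler

        backup = work / "company-data.tar.gz"
        manifest = make_backup(src, backup)
        results["good"] = verify_restore(backup, manifest)

        # A backup that was cut short (failed copy, full disk): keep the first half only.
        damaged = work / "company-data-damaged.tar.gz"
        raw = backup.read_bytes()
        damaged.write_bytes(raw[: len(raw) // 2])
        results["truncated"] = verify_restore(damaged, manifest)

        # An archive that tries to write outside the restore directory.
        hostile = work / "hostile.tar.gz"
        with tarfile.open(hostile, "w:gz") as tar:
            info = tarfile.TarInfo(name="../outside.txt")
            payload = b"not your file"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        results["hostile"] = verify_restore(hostile, {})
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

Run it as a scheduled job against a copy of each backup and treat any non-empty result as an incident to investigate; the good copy reports no problems, the truncated copy fails on restore rather than silently passing, and the hostile archive is rejected before anything is written. The script cannot make a backup offline for you; the copy that ransomware cannot reach still has to be a separate, disconnected or write-protected one.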

8. What are your vulnerabilities? 

Regularly conduct vulnerability assessments to identify and address potential weaknesses in your cyber security infrastructure. We’d recommend working with an external provider to conduct a penetration (pen) test at least every 12 months. A pen test involves simulating controlled cyber-attacks on your organisation’s systems and infrastructure to uncover vulnerabilities and weaknesses. To find out everything you need to know about penetration testing read our blog here.

9. Do your employees use their own devices to access work information? 

It’s important to have a clear understanding if your employees use personal devices for work. If so, you should implement clear policies to secure these devices, ensuring they meet cyber security standards. 

10. How do you collaborate with your suppliers and partners on cyber security? 

Cyber security needs to be a collective effort involving your employees, suppliers and partners: you are only as secure as your weakest link. 

Make sure that you collaborate with suppliers and partners to establish a shared commitment to cyber security best practices. Check the cyber security measures your suppliers have in place and make sure that you are fully confident that they aren’t the weak link!  

Cyber security is an ongoing commitment that requires vigilance, adaptability, and a proactive approach. By consistently addressing these ten questions, you can help make sure you are addressing some of the key areas.  

Remember, the investment in cyber security is an investment in the long-term sustainability and success of your business. 

If you would like more support, Toro can work with you to find the areas of weaknesses and help turn these into areas of strength.