Landall Services’ 50 Questions for SME Cyber Security Perfection

Simple steps to improve SME cyber security resilience

If your business was targeted by a cyber-attack, what would happen? Do you have the right elements in place to monitor, defend and mitigate against a security breach? Or could a cyber incident pose a significant threat to your business?

To assess if you could benefit from cyber security services, read through our checklist. Use our 50 questions to help your team decide if additional steps towards better cyber security need to be taken and if Landall Services could help to support you in that goal.

Governance & Policy for UK Businesses

1. Do you have a written cyber security policy?

It is important for SMEs to have in writing what the business does to maintain cybersecurity practices, to ensure your team are working towards those standards and to reassure anyone interacting with your business.

2. Is there a designated person responsible for cyber security?

Fragmented security can lead to weaknesses in SME cyber security: you don’t want one person taking care of MFA while another implements VPNs – this is how errors are made. Ideally, you want one person who is dedicated to safeguarding your business’s security.

3. Are staff trained regularly on cyber security awareness?

Human error remains one of the most common causes of security breaches – it only takes one link clicked or password entered to compromise your systems. Ensure all your staff, from CEOs to interns, are aware of cyber security threats and the best practices to defend against them.

4. Do you comply with UK GDPR and the Data Protection Act?

For UK SMEs, it is essential that your business is compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act. These policies are designed to protect the rights of people interacting with your business, and by law you need to meet them.

5. Are you Cyber Essentials certified per NCSC best practices?

Cyber Essentials UK is a scheme recommended as a minimum requirement by the National Cyber Security Centre (NCSC). Taking the self-assessment is a good way for UK businesses to prove their dedication to risk management – go to ncsc.gov.uk to learn more.

6. Does your industry have specific cybersecurity requirements?

Certain industries will have different requirements: if you take credit card information, for example, your cyber security will be different from a business that doesn’t. Ensure you meet the specific requirements that apply to you.

7. Do you stay up to date on the latest policy changes related to UK cyber security?

The world of cybersecurity changes fast, with new threats being identified every day, and new policies being created to mitigate them. When new UK cyber related laws are passed, your business needs to be ready to adapt to whatever the requirements are.

8. Do you use cyber threat intelligence resources?

To keep up with the latest threats, it is a good idea for your business to have alerts set up from intelligence sources. For example, if the latest Microsoft update has a zero-day vulnerability that could put your business at risk, you want to know about it fast.

9. Have you conducted external audits?

Even if you think your security is flawless, there could be vulnerable areas you haven’t considered. By getting an external audit, you get a different perspective: issues that had gone unnoticed can be addressed, and your business will be more secure.

Access Control in Small Organisations

10. Are strong, unique passwords enforced?

Passwords are the frontline of account protection: make sure that staff are making them complex, with a mix of letters, numbers and symbols. Try not to use searchable personal details and avoid weak passwords like “password.”

11. Do you use a password manager?

A password manager helps users to create strong, complex passwords. Weak and reused passwords often stem from people struggling to remember many of them: with a password manager, your passwords are stored securely and recalled for you.

12. Is Multi-Factor Authentication (MFA) enabled for critical systems?

MFA adds another layer of security to your systems. If your password is compromised, with MFA it is far more difficult for bad actors to access your account. The extra security is worth the extra step you take when you log in.

13. Does each staff member have a unique login?

While it may seem like sharing login details between employees is harmless, it increases the risk of security breach significantly. The more people connected to an account, the more potential points of entry – ensure all staff have their own accounts to reduce risk.

14. Are administrator accounts only used when required?

As a rule, users should have as little access as possible, only what is necessary for them to complete their work. Administrator accounts should be used only when required: if one is compromised, the attacker gains full system access rather than only partial access.

15. Are strong lock screens enabled (PINs, fingerprints, Face ID)?

Devices should be set to lock when they are inactive or they detect nobody is present, requesting some form of identification to get back in again. Without these security tools, devices left alone in the office or in public are subject to risk.

16. Are user accounts reviewed and deactivated when staff leave?

Just because an account isn’t being used, doesn’t mean it can’t be used as an access point for a hacker: ensure when staff leave that their accounts are deleted, with all permissions removed, to protect your business.

17. Is zero-trust enforced to protect your SME?

Zero-trust is the cyber security mindset that all businesses should have: treat every user, device and request as untrusted until it is verified. If you treat everything that might be a threat as if it were one, any threat that does get through your security is contained before it can become a major problem.

Device & Network SME Cyber Security

18. Are firewalls and antivirus software installed and updated?

It is important to have these technologies set up to defend your systems from threats. Ideally your cyber security would go further, implementing cloud security measures and EDR/XDR (the next generation of antivirus), but this is a good place to start.

19. Have default firewall passwords been changed?

This applies to any default password, but it is especially important here: if you leave the default in place and it becomes known (for example, if the company that set it is compromised), your firewall could be at risk. Change it to ensure your firewalls stay secure.

20. Is your Wi-Fi network encrypted and password-protected?

Unauthorised users on your network are a significant security risk. Encryption makes traffic unreadable to anyone without the key, while a password adds a layer of security to Wi-Fi access. Without these measures, your network could be easily accessed by malicious actors.

21. Are unused ports and services disabled?

If a port or service was opened for a function that is no longer in use, make sure it is properly closed or disabled. Otherwise, open ports and similar services can be used as access points by cybercriminals, putting your business at risk.

22. Is auto-run disabled for USBs and CDs?

USBs and CDs can hold malicious software that users can end up spreading across your business. By disabling auto-run, you ensure that these devices can’t have an immediate effect – it may only save seconds, but that could prevent a serious incident.

23. Do you use Virtual Private Networks (VPNs)?

By creating an encrypted tunnel for your internet traffic, as well as masking your IP address, VPNs make internet browsing more secure, while also making it harder for third parties and other websites to track you.

24. Have you undergone penetration testing?

Penetration testing is when a cyber security expert tries to access your system as a cyber criminal would. Penetration tests are an essential part of risk assessment, highlighting issues before they can be exploited by real attackers.

25. To protect your business, are known malicious websites blocked?

While some sites contain hidden threats, there are many where it is obvious they have been compromised, and they should be blocked to prevent staff from reaching them. If they can’t be accessed, then the threat can’t spread to your systems.

26. Are downloadable apps limited to legitimate app stores on devices?

Like malicious websites, apps downloaded from untrusted sources can be used to spread malware. Ensure only trusted stores can be used and that only apps approved by the business can be downloaded onto business devices.

Software & Patch Management for SMEs

27. Are all systems and software regularly updated?

A device that isn’t updated regularly is easy for cyber criminals to compromise, because it lacks the latest security fixes and may be running an unsupported version of the app or operating system. Ensure devices and their applications are updated regularly to maintain security.

28. Are updates applied within 14 days of release?

Updates help to patch vulnerabilities and improve device performance, but they can only work if they are installed. Enable automatic updates where possible and remind staff to restart devices at the end of the day to give patches time to install.

29. Is unsupported software removed or isolated?

If software is no longer supported or actively used but remains on devices, any vulnerability it has can still be exploited by cybercriminals. Unsupported software needs to be isolated or removed as soon as it becomes redundant.

30. Are third party applications monitored for vulnerabilities?

You might have third-party applications that help you to run your website or send emails. Any of these systems is as vulnerable to cyber attack as you are, so you need to ensure their security is as strong as yours, or these third parties could be used as attack vectors.

Data Protection & Backup (Cloud Security)

31. Is sensitive data encrypted at rest and in transit?

Data – whether it is being stored or sent – can be intercepted by cybercriminals if it isn’t encrypted. Encryption ensures that only those holding the key can read the data: even if it is stolen, if the hacker can’t break the encryption, your data remains private.

32. Are regular backups performed and tested?

It is important to have backups: if data is stolen in a ransomware attack, a backup can help you to get your business back on track. You also need to test if these backups are working, otherwise you’ll be disappointed if you end up needing them.

33. Do you have data backups in multiple locations?

If your primary data and backups are stored in the same place, a single incident – like a fire or a break-in – could result in total data loss. Instead, keep a backup somewhere else, or consider using cloud backups to avoid physical risks.

34. Is access to sensitive data restricted by role?

Personal or financial data should only be accessible to those that need it for your business to run: the more people have access, the greater the chance of a breach. Implement role-based access controls to ensure sensitive data is only accessible to those who need it.

Email & Phishing Protection Against Common Cyber Threats

35. Is email filtering enabled?

Email filters can be used to protect users from annoying spam and malicious phishing emails, common cyber threats that often contain malware. Implement these rules to prevent threats from reaching user inboxes, stopping a potential breach before it can start.

36. Are email attachments scanned before opening?

Malware can be hidden in attachments on emails that, once clicked, could spread across your system. Ensure all attachments are scanned and, if anything suspicious is found, they are isolated before being reviewed.

37. Are suspicious links automatically flagged or blocked?

Links can contain malicious content, or can take users to sites where data can be extracted. Be certain that filters recognise these links and flag them as threats. Encourage staff to report and block senders of suspicious emails to prevent future contact.

38. Are staff given cyber security training to spot phishing emails?

There are a lot of signs that emails may be trying to trick users into revealing sensitive information, from poor spelling and grammar to domain names that are slightly off from what you might expect. Show staff what to look for and it will prevent attacks being triggered.

39. Do you run regular phishing simulations to test staff awareness?

One of the most effective methods of testing if phishing awareness training has worked is to send a simulated campaign to staff. If staff avoid clicking malicious links and report suspicious emails, the training is working. If not, additional support or refresher training may be needed.

40. Are suspicious emails reported and investigated?

Just deleting a malicious email is fine, but that attacker could try again, or could target a colleague. Ensure that any phishing emails are reported so that they can be investigated and, hopefully, stopped permanently.

Business Cyber Security Incident Response & Monitoring

41. Do you have an incident response plan?

Even robust cyber security measures do not guarantee that security incidents will not occur: are you prepared if one does? A good plan can reduce downtime and isolate the incident, making the threat less significant than it could have been.

42. Is your incident response plan reviewed and updated regularly?

As threats grow and change, how you respond to them needs to evolve too: ensure that your response plan is regularly reviewed and optimised to give you the best chance of keeping your systems secure.

43. Is there a process for reporting and managing breaches?

If you are the victim of a cyber-attack, it is important to discover what happened and why. That way, you can look at your security, identify where the weakness was and address it, so it can’t happen in the same way twice.

44. Have you tested your incident recovery process?

Having the plan is one thing: testing if the plan works is far more effective. By simulating what you would do in the event of cyber-attacks, you won’t panic if one occurs – instead, you’ll know exactly how to deal with it.

45. Do you have alerts set for failed logins, large file transfers or off-hours access?

Any of these could be signs that someone is trying to infiltrate your system. With alerts set up, you could be warned about a potential attack before it escalates, allowing you to counteract it ahead of time.
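As an added illustration of the three alert types named above (this is example code written for this article, not Landall Services’ tooling), the script below runs simple detection rules over a constructed log: a burst of failed logins for one user, a file transfer over a size limit, and a successful login outside office hours. The log format, thresholds and office hours are assumptions.

```python
"""Detection rules for failed-login bursts, large transfers and off-hours access.
Added example; the log format and thresholds below are assumptions, not a real product's."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <event> <key>=<value>"
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice login_failed src=10.0.0.12
2024-03-04T09:02:15 alice login_failed src=10.0.0.12
2024-03-04T09:02:19 alice login_failed src=10.0.0.12
2024-03-04T09:02:24 alice login_failed src=10.0.0.12
2024-03-04T09:02:30 alice login_failed src=10.0.0.12
2024-03-04T09:03:01 alice login_ok src=10.0.0.12
2024-03-04T12:40:00 bob file_transfer bytes=52428800
2024-03-04T14:10:00 carol file_transfer bytes=3221225472
2024-03-04T23:45:10 dave login_ok src=203.0.113.7
"""

FAILED_LOGIN_THRESHOLD = 5       # failures per user inside the window raise an alert
FAILED_LOGIN_WINDOW_S = 300      # sliding window of 5 minutes
LARGE_TRANSFER_BYTES = 1 << 30   # transfers of 1 GiB or more raise an alert
OFFICE_HOURS = (8, 18)           # 08:00-18:00 counts as normal working hours


def parse_line(line):
    """Split one log line into (timestamp, user, event, detail key, detail value)."""
    ts, user, event, detail = line.split(" ", 3)
    key, _, value = detail.partition("=")
    return datetime.fromisoformat(ts), user, event, key, value


def detect_alerts(log_text):
    """Return a list of (alert_type, user, timestamp) tuples in log order."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failures inside the window
    for line in log_text.splitlines():
        ts, user, event, key, value = parse_line(line)
        if event == "login_failed":
            # Keep only failures still inside the sliding window, then add this one.
            recent = [t for t in failures[user] if (ts - t).total_seconds() <= FAILED_LOGIN_WINDOW_S]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire once when the threshold is hit
                alerts.append(("failed_logins", user, ts.isoformat()))
        elif event == "file_transfer" and key == "bytes" and int(value) >= LARGE_TRANSFER_BYTES:
            alerts.append(("large_transfer", user, ts.isoformat()))
        elif event == "login_ok" and not (OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1]):
            alerts.append(("off_hours_access", user, ts.isoformat()))
    return alerts
```

Run against the sample log it raises one alert of each type; tune the thresholds to your own baseline, since a transfer that is abnormal for one business is routine for another.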

46. Do you have a communication plan for notifying stakeholders in the event of a breach?

In the event of a breach, it’s essential to notify stakeholders promptly and transparently. Plan how you will communicate with stakeholders—choose appropriate channels, maintain transparency, and ensure consistency to meet legal and regulatory obligations.

47. Do you have cybersecurity insurance?

If an attack happens, having insurance can help you to recover financially, which is vital for businesses. Some attacks can result in your business being unable to function as usual, and insurance can help businesses survive during these periods.

Reviewing your cybersecurity solutions

48. Have you reviewed this checklist with your team?

Discuss cyber security with your team—colleagues may identify problems you’ve overlooked or suggest alternative solutions. Use the advice in this article to create a cyber action toolkit that you can use to keep your business more secure.

49. Do you feel confident in your SME’s ability to respond to a cyber incident?

Confidence in your cyber security should reflect thorough preparation and readiness to respond to threats. If you’re unsure, revisit the checklist and identify areas for improvement to build resilience.

50. Would your small business benefit from a professional cyber security assessment?

This checklist covers a wide range of technical and strategic measures, which might feel overwhelming. Consider seeking expert support from Landall Services—we offer comprehensive cyber security assessments and solutions tailored to any kind of business, helping you to cover everything listed here and more.
