
The Ultimate Cybersecurity Checklist for SMEs


Cybersecurity is key to digital transformation. The rapid adoption of Cloud, Internet of Things (IoT), AI/ML, Blockchain and other emerging technologies has accelerated the pace of digital transformation, and with it the risk of cyber-attacks. Without cybersecurity, a reliable, sustainable, trustworthy and robust digital transformation is not possible.

In the last few years, cyber attacks on UK SMEs have been on the rise. The figures below give a picture of where UK SMEs currently stand on cybersecurity.

  • Half of the UK’s SMEs have suffered a cyber-attack, with ransomware attacks the most frequently experienced, followed by phishing emails
  • Two thirds have been the subject of increased incidents, and 54% have suffered a financial loss
  • 52% of business owners have invested in staff training to help prevent cyber-attacks, rising to 70% in the Engineering sector and 61% in Manufacturing
  • 50% have invested in additional cyber security in the past 12 months, with Engineering and Manufacturing again leading the way

Source: Close Brothers Asset Finance (April 2022)

  • Over half (51%) of SME businesses and self-employed workers in the UK have experienced a cybersecurity breach, according to a new study by insurance firm Markel Direct
  • The most common attack methods faced by SMEs were malware/virus related (24%), data breaches (16%) and phishing attacks (15%)
  • More than two-thirds (68%) said the cost of breaches they experienced was up to £5000
  • 88% said they had at least one form of cybersecurity, such as antivirus software, firewalls or multifactor authentication
  • 70% said they were fairly confident or extremely confident in their cybersecurity arrangements
  • 53% had antivirus/malware software in place, and 48% had invested in firewalls and secure networks.
  • 31% revealed they conducted risk assessments and internal/external audits on a monthly basis
  • 11% of respondents said they would not spend any money on cybersecurity measures, viewing them as “unnecessary costs”

Source: Infosecurity Magazine (Jan 2022)

Why is Cybersecurity Important for SMEs?

Cybersecurity matters for SMEs more than ever. SMEs are soft targets because attackers can compromise them with little effort and for easy gain.

It is largely because most SMEs

  • Don’t invest in comprehensive cybersecurity programs
  • Cannot afford to hire in-house IT staff, provide ongoing cybersecurity training or buy cyber insurance
  • Under-report cyber incidents
  • Have low cybersecurity awareness among staff
  • Don’t have a well-defined WFH and BYOD policy
  • Have no defined plan to mitigate cyber risk

Despite all of the above-mentioned challenges, cybersecurity should be high on the agenda for UK SMEs in 2022. The potential cost of a cyberattack is far higher than the typical cybersecurity spend, and an attack can damage your business in multiple ways: disruption to daily operations, loss of customer trust, reputational damage, stress and anxiety for staff, and regulatory fines.

What is a Cybersecurity Checklist?

It is a list of best practices, recommendations and tips to help businesses protect their IT systems, networks, and programs from cyber attacks. 

It’s a starting point of any cybersecurity assessment that helps to design a comprehensive cybersecurity plan and reduces the overall risk or impact of a cybersecurity threat.

7 Point Cybersecurity Checklist for SMEs

It’s important for SMEs to build a strong cybersecurity posture to protect their business, client and employee data. Here is a cybersecurity checklist designed specifically for SMEs to help you take the right measures to protect your digital assets.

1. Conduct a risk assessment

A cybersecurity risk assessment is the process of identifying, analysing, evaluating, and prioritising various risks and vulnerabilities that could affect your business assets.

Here are the 5 steps to conduct a cybersecurity risk assessment:

  • Identify your valuable assets
    Make a list of the assets of your business that you want to safeguard against cyber attacks. This can be customer / employee / business data, websites, email accounts, social media accounts, payment information, intellectual property, servers, workstations, networks, VoIP systems, software etc. 

  • Know your risk for each asset
    Learn about the different types of risk associated with each asset (e.g. outdated hardware/software, viruses, a data breach caused by human error, hardware failure, targeted cyber attacks etc.) that might affect your business.

  • Conduct an impact analysis for each asset
    Work out what impact or consequences (e.g. financial or data loss, damage to brand reputation, customer churn, penalties and fines, lawsuits etc.) each risk to a given asset could have, and rate each risk by how likely it is and how severe the impact would be.  

  • Make a plan to fix those vulnerabilities
    Deal with the highest-rated risks first. Look for a robust, secure, long-term solution (rather than the quickest or cheapest fix) when planning to mitigate or eliminate the identified vulnerabilities.

  • Create a risk assessment policy
    It’s recommended to create a risk assessment policy that documents all identified risks, the measures taken to secure each asset, how often the assessment should be repeated, and what to do whenever a new asset is added.

2. Better Cybersecurity Controls

Below is a list of effective ways to improve the cybersecurity of SMEs, protect against hackers and safeguard sensitive data.

  • Adopt a strong password policy: set a minimum length, reject common words and passwords that have appeared in known breaches, require a mix of lowercase, uppercase, numbers and special characters, forbid reuse of previous passwords, and enable 2FA.
  • Install a firewall to monitor and filter all incoming and outgoing network traffic.
  • Use reputable antivirus/anti-malware software (paid products generally offer more complete, better-supported protection) against viruses, spyware, malware, phishing emails, malicious websites etc.
  • Keep operating systems, software and apps up to date on all your devices.
  • Implement email authentication (SPF, and ideally DKIM and a DMARC policy) so that receiving mail servers can verify that mail claiming to come from your domain was sent from an authorised source. SPF on its own only checks the envelope sender; DMARC is what lets receivers reject mail that spoofs your domain in the From header.
  • Turn on multi-factor authentication wherever it is available, so that access to an app or website requires two or more authentication factors.
  • Implement role-based access control so that access to network resources is granted or denied according to job function, and each person gets only the access their role needs.
  • Take a multi-layered (defence in depth) approach so that a single failed control does not give an attacker the run of your systems.
  • Invest in a reliable data backup and recovery solution so you can get the business back online after a loss of critical data due to a cyber or ransomware attack. Keep at least one backup copy offline or otherwise isolated from the network so ransomware cannot encrypt it, and test restores regularly so you know recovery actually works.
  • Put continuous monitoring in place (centralised logs and alerts on suspicious activity) so that intrusions are spotted early rather than months later.
  • Consider additional controls such as a zero trust approach, where every access request is authenticated and authorised regardless of where on the network it comes from.
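
The password rules listed above can be enforced mechanically at the point where a password is set. The following is an added example, not code from the original article: a small policy check that applies minimum length, the four character classes, a common-word blocklist (with simple substitutions such as "@" for "a" undone first) and a reuse check against a history of salted PBKDF2 hashes. The blocklist and the sample passwords are constructed for the demo; a real deployment should load a published list of common and breached passwords in place of `COMMON_WORDS`.

```python
import hashlib
import hmac
import re
import secrets

# Added example (not from the original article): a password-policy check that
# applies the rules listed above. The blocklist below is constructed for the
# demo; a real deployment should load a list of common and breached passwords.
MIN_LENGTH = 12
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "123456", "summer")

# Common substitutions, so "P@ssw0rd" is still caught as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

CHARACTER_CLASSES = {
    "lowercase letters": r"[a-z]",
    "uppercase letters": r"[A-Z]",
    "digits": r"[0-9]",
    "special characters": r"[^A-Za-z0-9]",
}

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256; the password history never stores plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password, history):
    """Re-derive the hash under each stored salt and compare in constant time."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_password(password, history):
    """Return every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pattern in CHARACTER_CLASSES.items()
               if not re.search(pattern, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    normalised = lowered.translate(LEET)  # undo the usual substitutions before matching
    for word in COMMON_WORDS:
        if word in lowered or word in normalised:
            problems.append(f"contains the common word '{word}'")
    if was_used_before(password, history):
        problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    # Constructed sample data: one previous password on file, four candidates.
    history = [hash_password("Correct-Horse-Battery-9")]
    for candidate in ("P@ssw0rd2024!", "abc", "Correct-Horse-Battery-9", "Tr0ub4dor&3xample"):
        print(f"{candidate!r}: {check_password(candidate, history) or 'OK'}")
```

Storing the history as salted, slow hashes rather than plaintext matters: a reuse check that keeps old passwords in the clear turns the policy database itself into a breach target.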

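To see what the SPF item above actually buys you, it helps to walk through what a receiving mail server does with an SPF record. The following is an added example, not code from the original article: a minimal SPF evaluator that reads a `v=spf1` TXT record from a constructed, in-memory zone (the domain names and addresses are hypothetical), walks the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers, and enforces the ten-lookup limit from RFC 7208 so a self-referencing `include` ends in a permanent error instead of an infinite loop. Mechanisms it does not implement (`a`, `mx`, `ptr`, `exists`, `redirect=`) are reported as `permerror` rather than silently skipped.

```python
import ipaddress

# Added example (not from the original article): a minimal SPF evaluator.
# The zone data is constructed and the domain names are hypothetical; only the
# ip4, ip6, include and all mechanisms are implemented.
DNS_TXT = {
    "example.co.uk": "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # only terminates because of the lookup limit
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on include/a/mx/ptr/exists/redirect


def check_spf(sender_ip, domain, zone=DNS_TXT):
    """Return pass, fail, softfail, neutral, none or permerror for a connecting IP."""
    ip = ipaddress.ip_address(sender_ip)
    lookups = 0

    def evaluate(name):
        nonlocal lookups
        terms = zone.get(name.lower(), "").split()
        if not terms or terms[0].lower() != "v=spf1":
            return "none"  # no SPF record published for this domain
        for term in terms[1:]:
            qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            mechanism, _, argument = term.partition(":")
            mechanism = mechanism.lower()
            if mechanism == "all":
                return QUALIFIERS[qualifier]
            if mechanism in ("ip4", "ip6"):
                try:
                    network = ipaddress.ip_network(argument, strict=False)
                except ValueError:
                    return "permerror"  # malformed address or prefix in the record
                if ip.version == network.version and ip in network:
                    return QUALIFIERS[qualifier]
            elif mechanism == "include":
                lookups += 1
                if lookups > MAX_DNS_LOOKUPS:
                    return "permerror"
                inner = evaluate(argument)
                if inner == "pass":
                    return QUALIFIERS[qualifier]
                if inner in ("none", "permerror"):
                    return "permerror"  # an include of a domain without SPF is an error
                # fail, softfail or neutral inside an include simply does not match
            else:
                return "permerror"  # mechanism not implemented in this example
        return "neutral"  # record ended without an "all" term

    return evaluate(domain)


if __name__ == "__main__":
    # Constructed sample connections: who is trying to send as which domain.
    for addr, sending_domain in [("203.0.113.10", "example.co.uk"),
                                 ("198.51.100.77", "example.co.uk"),
                                 ("192.0.2.5", "example.co.uk"),
                                 ("192.0.2.5", "loop.example")]:
        print(f"{addr:>16} sending as {sending_domain}: {check_spf(addr, sending_domain)}")
```

Two things the walk-through makes visible. First, the `-all` at the end of the record is what turns an unknown sender into a `fail`; a record ending in `~all` only yields `softfail`, which most receivers treat as a hint rather than a reason to reject. Second, the domain being checked is the envelope sender (the SMTP MAIL FROM), not the address in the From header the recipient sees, which is why SPF needs DKIM and a DMARC policy alongside it before spoofed mail is actually rejected.
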
3. Review and update key policies

It’s very important to review and update the policies below from time to time and keep them current. A policy also needs to be actively enforced on an ongoing basis, not just written down.

  • BYOD (Bring your own device) policy
    It’s a policy created by companies that outlines the rules and procedures for employees who use their personal devices for work-related activities.

  • WFH (Work from home) policy
    It’s a policy created by companies that outlines the rules and procedures employees need to follow while working remotely or from home.

  • Data backup & disaster recovery policy
    It’s a policy created by companies that outlines the rules and procedures for how the enterprise’s data should be backed up for safekeeping, along with the process to follow in the event of a disaster such as a cyber attack, hardware failure or human error, to ensure business continuity.

  • Risk assessment policy (as mentioned above)

4. Cybersecurity awareness training for employees

Treat cybersecurity awareness training for employees as an investment, as many data breaches are the result of human error. Training at regular intervals helps employees identify and respond to cyber attacks and threats, and keeps them abreast of the latest cybersecurity trends, news and best practices. This helps create a positive culture of cybersecurity across your staff.

Some of the key topics that should be included in cybersecurity awareness training in 2022 are social engineering, phishing, cloud security, computer and mobile device security, password security, malware, ransomware, email scams, identity theft, multi-factor authentication, public WiFi, secure remote working, removable media and compliance. Ensure that the training is engaging, practical and customised for each employee’s role.


5. Expect a cyber attack

“Hope for the best, plan for the worst” is worth adopting for SMEs. You can hope that no attack will happen, but at the same time be prepared for the worst.

Cybersecurity is changing. Don’t focus solely on hardening your IT infrastructure on the blind assumption that no one can penetrate it. 

Always expect a cyberattack. That mindset keeps an SME well prepared to handle an emergency and ready with its response.


6. Develop a robust threat response plan

In the event of a cyberattack, it’s important to have a solid threat response plan in place so you can act swiftly. It should clearly outline the steps to be taken in the event of an unforeseen incident, who the key people to involve are, and who is responsible for mitigating the threat and restoring your IT systems and services. Keep a copy of the plan and the contact list somewhere you can reach when your systems are down, such as a printed copy or offline storage. 

This plan will be unique to each business and cover three major aspects: protecting enterprise data, limiting damage and recovering quickly. Speed matters: the earlier you detect an incident, the less damage it does.

Conduct a follow-up after recovery to record the impact of the incident on the business. Update your cybersecurity strategies and processes to address the vulnerabilities discovered, and hold a session with all stakeholders to communicate the lessons learned.

7. Consult a cybersecurity expert

If your IT team is small or lacks experience, consider outsourcing key aspects of your cybersecurity to a trusted third-party cybersecurity company. 

It will help to discover gaps in your IT infrastructure, take required measures to achieve needed compliance, strengthen your security posture and avoid potential attacks.

Don’t take chances. Treat hiring an outsourced cybersecurity expert as an investment; it will almost certainly cost less than suffering a data breach.
