There’s a lot of chat these days about how organisations should be handling their cyber security.
It’s with good reason, but you could be forgiven for shrugging your shoulders and thinking "I don't know much about this stuff, and I don’t have time to learn. I just need to keep our business costs low and focus on staying afloat. We’ll think about cyber security once we’re bigger".
We get it. Starting out as a small business ourselves, we know all about watching our costs. But as cyber security specialists, we’re also going to tell you how important it is for everyone to be safe and secure online. Especially you, our small business friends!
And guess what? You don’t have to wait until you’re bigger — whether that’s in size or in budget.
There are ways to understand cyber security without feeling overwhelmed, and there are ways to sort out your cyber security right now without spending a fortune.
That’s what we want to share with you today: cyber security explained in plain English, using the simplest of terms. You’re in a jargon-free zone.
Join us as we go through this handy guide, all about how to easily and painlessly set your business up for cyber security success.
What is cyber security and why do small businesses need to care about it?
Cyber security is a term that describes the actions we need to take to protect our organisation's people, data, and systems from having bad things happen to them online.
Those bad things could be scams or other crimes that happen to us on the internet, or they could be individuals or groups trying to get access to our systems or our data. If you’re thinking, “I don’t have any data I need to protect”, remember data can be something as simple as the names and contact details of your team or your customers.
Whatever business you’re in, chances are you deal with systems and data every day. Here are a few examples.
- You collect, store, and manage information about your customers, partners, and suppliers — like their names, email addresses, phone numbers, and more.
- You use websites to present and market your business, manage and spend money online, and communicate with people.
- One of the many hats you wear could be keeping your organisation’s IT systems running smoothly, or maybe you have a dedicated IT company who takes care of this — including making sure your customers’ emails get to your inbox, not your spam folder.
The number one reason small businesses need to care about cyber security is because your people, data, and systems are precious and valuable — to you, and to potential attackers. These are the things that matter most to keeping your business running without a hitch, and good cyber security practices go a long way to keeping them safe.
As a small business, it’s easy to think you’re too small to be targeted, that no one will find your accounts or systems online, or that cyber security is too expensive and complicated to bother with. With any luck, we can change your mind about that today.
At SafeStack Academy, we believe everyone deserves to be safe online. That’s why we’ve written this how-to guide on setting up cyber security for small businesses. No fancy tools, bags of money, or hiring extra people required.
So, let's get started!
Guide: Six steps to cyber security for small businesses
- Step one: Make a list of your digital tools, accounts, technology, and systems
- Step two: Use long, unique passwords and a password manager
- Step three: Turn on two-factor authentication
- Step four: Keep your devices and systems up to date
- Step five: Set up your backups
- Step six: Understand your risks and come up with a cyber security incident response plan
Step one: Make a list of your digital tools, accounts, technology, and systems
The first step in your organisation’s cyber security journey is knowing all the different elements that need protecting.
We all use so many different digital tools and accounts these days, and it’s super handy to have them all written down in one place. You may want to get someone else in your team to help you with this step, just in case you don’t know all the answers.
Grab a copy of our templates below and we'll start by filling out the asset list template with all the online tools and accounts you use.
Common examples of these include:
- Social media platforms (like Twitter, Facebook, and Instagram)
- Website content management systems (like Squarespace, Wix, and WordPress)
- File storage systems (like Dropbox, Google Drive, and OneDrive)
- Email platforms (like Gmail, Outlook, and ProtonMail)
- Communications platforms (like Slack, Discord, and WhatsApp)
- Money management platforms (like online banking, PayPal, and Xero)
Note down everything you can think of, using the template as a guide.
Once that's done, jump over to the next column in the asset list template and list out all the technology and systems you and others use to access these tools and accounts.
This will include things like:
- Web servers
- Devices like laptops and mobiles
- External hard drives or USBs
- Your local office network
Let’s go through an example based on a company website. There are a few questions you’ll need to answer about this to make sure you get all the info you need.
What website content management system do you use?
Say you use WordPress — jot this down in the “Tools and accounts” column.
Who manages your website and how do they access it?
The web developers who built and maintain your website have access to the backend, which they log into remotely from their devices. Your marketing manager uses their company laptop to add new blog posts. Note all this down in the “Technology and Systems” column.
What other tools are connected to your website?
You might use something like Google Analytics to track your website’s performance — so this would also go in the “Tools and accounts” column.
Once you’ve filled out everything on your list, it’s time for the next step in your cyber security journey: passwords! Read on for everything you need to know about making them secure.
Step two: Use long, unique passwords and a password manager
You might have noticed some of your devices offer auto-generated passwords made up of lots of characters and symbols. It can be a little intimidating. And the good old “1234” or birthdate seems to do the trick, right?
You know what we’re going to say. Those simple, very easily guessable passwords don’t do the trick at all — no way, no how.
The online world has changed dramatically over the years, with hackers now using state-of-the-art technology to attack systems and steal valuable data. They even have dictionaries with the most commonly used passwords, and you can bet “1234” is one of them.
If you think some of your current passwords aren’t strong enough, there’s no need to panic. Reset them to something longer and more unique and then make this a habit every time you create a new account.
One easy tip for making up passwords is by stringing together names of 4-5 objects — like, "correct-horse-battery-staple".
From this point on, focus on creating long, unique passwords and saving them in a password manager. When we say "long", we mean more than 16 characters; and when we say "unique", we mean a different password for each and every account. Yep. It might sound painful, but there’s a really good reason why.
The thing is, passwords get lost. They get lost on a post-it in your office and they get lost online. It's not all on you — sometimes the websites you give them to lose them on your behalf. Not cool, but a tiny bit cooler if you’re prepared for that possibility.
Password attacks are often automated, with hackers collecting leaked passwords and automating processes to try them on other websites. Attackers know most people reuse passwords — they’re easier to remember that way. And that’s exactly why a password manager will make your life a lot easier.
Password managers like 1Password or Bitwarden can not only store all your passwords, they can generate them too. Say goodbye to that correct-horse-battery-staple. Some password managers also have the functionality to share access across teams in an organisation.
If you’re wondering "how can all my passwords be safe in one place?", the answer is that you still need a password to access that place. But you only need one, which makes the memorising process a lot easier. And as long as that password is long and unique, you’ll be fine. Password managers also use multiple layers of encryption to keep you and your passwords safe.
Finding a password manager that suits how you work is important, because if it doesn’t work for you, you won’t use it. And we really want you to use one!
If you’d like some help to work out which password manager will fit you best, check out Login LockDown’s comparison table covering the features of various password managers.
Now that your passwords are unique and stored securely, let's get your accounts protected with two-factor authentication.
Step three: Turn on two-factor authentication
Two-factor authentication (2FA) is an extra layer of security for your accounts. When you use 2FA, you need your password plus something else (like a code from an app) to log into your account — and you can only get that something else if you have access to another one of your devices.
2FA can be as simple as entering a code into your laptop that gets texted to your phone, or you can get a bit fancier and use an app like Google Authenticator. By adding this layer of protection, you know that having your password won’t be enough for someone else to access your accounts.
Sure, it makes the logging in process a little slower, but you can use those extra seconds to think about how much safer your accounts are. Huzzah!
While we’d love it if you used 2FA for every possible account, you should definitely use it for the accounts you absolutely can’t afford to lose when it comes to keeping your business running. These accounts might include things like email, money management systems, or file storage systems.
Chances are you’ve already been prompted by some online services to set up 2FA — Mailchimp, Microsoft Teams, and Google are a few examples that come to mind. If you’ve taken that prompt and done it, bravo — you’re on the right track.
To work out which accounts to prioritise 2FA for, we’re going back to the list of tools and accounts you made.
Look through all the accounts you’ve listed and think about what would happen if you couldn’t access them. The ones you identify as day-ruiners (at the very least) are the ones you should prioritise.
They’re most likely to be the accounts that hold information about your customers, your company’s financial information, or the communications (like email or social media) that are essential for your day-to-day.
Some 2FA is better than no 2FA; but like most things, some methods are stronger than others. If you have a choice, go for push notifications through the smartphone app of the service you’re logging into, or use a hardware security key like a Yubikey.
If those options aren’t available, apps like Google Authenticator or Authy are also good options for getting your 2FA codes.
While you’re setting up 2FA (which you are, because you’re a smart cookie), you may be given backup codes or asked to provide a recovery email or phone number. Store these backup codes somewhere safe, ideally in your password manager. As for the recovery email and phone number, be sure they’re ones you have direct access to at all times.
If you’re searching high and low for the 2FA setting in an account and not having any luck, try this list of major services that offer it.
You’ll probably find at least a few of the services you use don’t offer 2FA and be left wondering “what now?”. Not to spook you, but we’re talking about protecting information that’s sensitive, critical, or both.
We really encourage you to think about how you can reduce the data you keep on that service, or maybe even switch providers — of course, to ones that support 2FA.
Now, onwards! So you can keep using 2FA and secure the technology you run your business with, you need to keep your devices up-to-date. Let’s go through how to do that.
Step four: Keep your devices and systems up to date
It’s time to turn our attention to the technology and systems column of your asset list.
This may include:
- Software or apps you use on your organisations’ mobile devices and computers (this could be accounting software, online banking apps, and other business tool software)
- Operating systems for any servers you run (like a file server in your physical office)
- Operating systems for any cloud infrastructure you run (for a lot of folks, this will include the web server you use to run your website)
- Software running on that cloud infrastructure (like the content management system you use to run your website)
- Plugins or other content management software for your website (this could be things like plugins for online shopping carts)
Before we get into the “how” of keeping all these devices and systems up to date, let’s make sure we understand the “why”.
It can be easy to think of popup messages reminding you to update your software as just plain annoying (we’ve been there), but they’re popping up for good reason. Updates usually have fixes for cyber security weaknesses in your software — so every time you close out of one instead of running it, you’re turning down a chance to be safer.
Hackers use automated software that tells them about vulnerable systems on the internet. They can then try to take advantage of those systems by running automated processes. That's one reason why there’s no business too small to be attacked: a computer running a process without any human input has no idea if you’re a tiny team or a massive multinational.
Now let's get into the “how” of keeping devices and systems up to date.
One of the best ways to stay on top of your updates is to set them to run automatically. Your devices will usually need to restart so the update can take effect. This can take a bit of time, so grab a coffee and take a well-earned break while you think about how far you’ve come in your cyber security journey.
There might also be cases where running software updates means your team or day-to-day operations are affected or your systems are temporarily unavailable. If you know this is likely to happen, have some communications ready to share with the people it will affect.
As long as everyone knows what’s happening and why, there’s nothing to worry about.
It's also well worth creating backups of what’s stored on your devices before you run updates. This way, you can restore from your backed-up files if something doesn't go quite right, and you won’t be at risk of losing important information.
You guessed it: it's time to talk backups.
Step five: Set up your backups
One of the joys of living in the modern world is that your mobile devices and computers should be able to run automatic backups. We all love automation, but when it comes to backups, let's make sure we automatically send them to a safe place.
Depending on how you like to do things, that could be a physical hard drive that you can store safely, or a trustworthy cloud storage service.
If you can’t run backups automatically, set yourself a reminder to do them regularly — at least once a month, but ideally once a week. How often you run backups depends on how much data you’re willing to risk if something goes wrong.
You might even want to run them daily to max out your protection.
Cloud storage services are a popular choice for backups, and for good reason. They let you make a copy of the information on your devices, and you can easily access your backups from wherever you are and restore your information whenever you need to.
Here are a few steps to follow if you’re going down the cloud storage path.
- Choose a reputable cloud storage provider. They’ll be looking after a lot of your important stuff, so make sure you trust them to do a good job.
- Check you have a secure password and 2FA set up on your cloud storage account.
- Check you have enough space in your cloud for the backup.
- Select the files, folders, and applications you need to back up.
- Turn on automatic backups.
Alternatively, you may prefer backing up to external hard drives. In this case, your process could be as simple as plugging in your external drive to transfer backup files, unplugging it, and then storing it somewhere safe.
If you ever find it tricky to configure your backups, a Google search can help. Search "technology name" and "backup configurations" and you’ll most likely find some helpful advice. If you still feel a bit lost, speak to your IT provider.
Once you’ve got your backups in place, set aside a few hours once every few months to check on them. Here are some things to look out for.
- Are they actually running? Check your backup storage (whether that’s in the cloud or a physical drive) to see if the files in there are as recent as you expect them to be.
- Are they running as often as they should be? If you’ve set up automatic backups, make sure they’re running on the schedule you expect.
- Are all your files there? Sometimes there might be errors that mean not all your files are being transferred to the backup storage.
- Do your files restore like you’d expect them to? You can test this by copying a few files back on to your device, opening them, and seeing if they work.
Backups are great. Not only do they let you sleep peacefully at night, they also reassure you that you can spend your work days making your business even more awesome, instead of fretting about your files.
Can you believe it? We’re only one step away from the end of our cyber security journey together.
Step six: Understand your risks and come up with a cyber security incident response plan
Even with everything we’ve put in place to make our organisations safer, we’re still mere mortals, and we make mistakes. Maybe you leave your laptop in a taxi or somehow end up with malware on your server. It happens. So, what should you do when something goes wrong?
What’s most important is to (a) not panic, and (b) have a plan in place, so everyone knows what to do and we’re not cut off for too long from the technology we need to get our jobs done.
Before making an incident response plan, you’ll need to understand your cyber security risks — specifically, what might leave your business open to an attack?
Ask yourself what your organisation’s environment is like. For example, does your team use outdated technology that’s no longer supported by the people who made it?
Think about the nature of your business. Depending on what you do and how you do it, your organisation could be attractive to particular attackers. For example, if your website processes credit card payments, it could be a prime target for an attacker with financial motivations.
Once you have a clear idea of your organisation’s cyber security risks, work through a process with your team of deciding which ones you’ll eliminate, which ones you’ll manage, and which ones you’ll accept.
This will put you in a much better position to be prepared for what could go wrong.
On to the cyber security incident response plan: this is your go-to document when something goes wrong. Good news: it doesn’t need to be complex. What matters most is that it gives you a clear process to follow and it includes the essential information that makes it actionable and easy to understand for everyone in the organisation.
Start with a contact list of people who can help you manage the situation. This may include your IT support people (whether they’re internal or external), insurance providers, lawyers, and someone to help with communications.
Next, think about how you can categorise different types of incidents and how significantly they could impact your organisation.
Write down who on your team will manage the incident, including the steps they’ll take until everything returns to normal. The rest of your team will be responsible for maintaining business-as-usual as best they can while the incident is being addressed, so make sure to include what steps they need to follow and what roles different people will play.
Finally, spend some time mapping out internal and external communications plans. Proactively getting in touch with everyone affected by an incident goes a long way to making them feel informed and supported, which can take a lot of the stress out of the situation.
Keep your incident response plan simple and check in with your team to make sure everyone knows it exists and what their part in it is. That plan will be worth its weight in gold when you find yourself in Incidentsville.
Want to dive even deeper into incident response? Grab a free Security Awareness trial and check out our Incident Response for Everyone course.
And we’re done
You’ve now taken all the steps for setting up a strong cyber security foundation for your business. Nice one!
Before we leave you, one more reminder: keep updating that asset list of yours as you add new tools, accounts, technology, and systems, or maybe even retire some. It’s a handy resource to keep nearby so you can make sure you’re thinking about cyber security as part of your daily routine.
As you can see, creating awareness and a fear-free culture around cyber security doesn’t have to be a chore. The way we see it, it’s an ideal chance to build up the skills and knowledge of everyone in your team, which in turn makes you and your organisation safer online.
If you want to level up even further and really activate your cyber security superpowers, come check out our Security Awareness programme. It's jam-packed with short, engaging courses on topics like ransomware, phishing, and passwords, and it’s designed for small businesses just like yours.
Our content is easy to follow and action-oriented, and it’s already helped lots of companies become safer and more secure online.
Grab a free trial for 14 days and see for yourself what makes our training different.
We love to hear from you
If you enjoyed reading this blog post or if something sparked an interest, please share it with us. Drop us a line at firstname.lastname@example.org and let us know what you think.