There’s no shortage of opportunities for small- and medium-sized businesses (SMBs) to tighten their IT security infrastructure — and no lack of reasons they should.
Only 35 percent of Chief Information Security Officers surveyed this year said they were comfortable with their organization’s ability to identify, contain and correct a security compromise. Nearly 30 percent also said they suffered from “cyber-fatigue,” the hamster-wheel exhaustion of responding to the seemingly mounting list of cybersecurity threats while still feeling exposed.
With IT departments so often siloed, security best practices must balance users, networks, data, apps and endpoints. It’s no small undertaking, but it’s essential in guarding an organization’s reputation.
We’ve compiled what should be on an IT security checklist for small businesses — the core practices moving IT teams off the hamster wheel and into proactive, not reactive, IT enterprise security.
Business IT Security Checklist: What Are the Top Network Security Concerns Facing Organizations?
Business IT security checklists aim to address these top malicious cybersecurity incidents and attacks before they become mission-critical, non-recoverable breaches.
1. Malware
Downloading malicious software is one of the most common user behaviors at fault for enterprise data loss and system attacks. Malware wreaks havoc when users mistake malicious apps, programs, links, files or entire websites for their benign versions. In reality, these applications are corruptions, designed to look and even act like the real thing. Employees, unaware of all this, then conduct regular activity on or through these programs, providing an opening for the malware to infect desktops, laptops, mobile devices and even the entire network.
2. Phishing Schemes
Phishing schemes target organizations via email. They attempt to mimic important organizational stakeholders — upper management, other team members, business vendors, etc. — to elicit sensitive or personal information. Employees untrained or not fluent in identifying phishing red flags pose a severe threat to enterprise data and access control security.
3. Spyware
Spyware is a type of malware specifically designed to enter devices and track internet usage, account usernames and passwords. Cybercriminals use the information gleaned from tracking to hack business accounts or pose as prominent organization members, often to extract further sensitive enterprise data.
4. Ransomware
Ransomware takes extortion tactics digital. Entering a network through traditional malware — clicked links, downloadable attachments, newly installed software, etc. — ransomware can shut down or block access to essential files or systems until an organization pays a ransom or hands over demanded data.
5. Mobile Malware
Mobile malware is a type of malware coded to infect mobile devices such as smartphones, tablets and tech wearables. This IT threat continues to mount as more and more organizations grow lenient with their bring-your-own-device (BYOD) policies yet increase their dependency on mobile- or remote-device infrastructure. Plus, with the inevitability of the Internet of Things, mobile devices pose a higher security risk in their very interconnected nature — even for businesses with thorough network and device defenses.
6. Improper File Sharing
While not a cybersecurity threat in the traditional sense, business network leaders have identified careless file sharing as a core concern underpinning several of the direct attack categories above. Many organizations struggle to standardize acceptable use policies or internet access policies, which are meant to curb file-sharing and file-access risks — if they have these policies at all.
What Are IT Security Best Practices?
While there are numerous approaches to small business network security best practices, their guiding philosophy remains the same: Institutionalize a series of practical, everyday activities and technologies that position a business to identify and handle cybersecurity threats in their infancy, before they become existential business failures.
For the majority of SMBs, this philosophy breaks down into five main practice categories.
- 24/7/365 monitoring
- Threat Detection
- Backup recovery and data reinstation
Note: IT security best practices do not mean avoiding all breaches or attacks. That is an impossible goal, one likely to result in cyber-fatigue. Likewise, a small business’ security checklist can’t implement everything at once, even if strategic goal alignment and enterprise resources are there. That, too, leads to IT employee burnout and the increased chance of skipped or forgotten best practices.
Business Risk of Not Instituting a Cyber Security Checklist
There is a myriad of risks organizations expose themselves to without diligent IT infrastructure security.
1. Financial Loss
Nearly 47 percent of cybersecurity breaches will end up costing a business around $500,000 to remedy. What’s more, cybersecurity incidents force one out of every two SMBs to permanently close its doors, the financial toll too steep to overcome.
2. Operational Halts
Security breaches can shut down “business as usual” while teams and IT departments scramble to mitigate the damage. From receiving a security alert to manually reviewing, escalating and addressing its source, turnaround times for business IT security can be a few hours to a few weeks, depending on the severity and type of cyberattack. Can your business afford to halt operations that long?
3. Lost Customers and Clients
Seven out of 10 consumers say they would stop doing business with a company that misused or under-protected their data. With the recent — and significant — user data mismanagement examples of major organizations like Facebook and Equifax, businesses today must prove their customers’ data is a priority, not an afterthought. Neglecting to do so risks losing your very customer base.
4. Culpability With Investors and Shareholders
Companies must balance consumer trust as well as stakeholder trust. A cybersecurity incident can shake stakeholders’ confidence, with investors, shareholders, partners and any other parties that hold a vested interest in the company’s future needing assurance that IT infrastructure does indeed uphold contemporary best practices.
5. Damaged Reputation
Operational disruptions, investor dissatisfaction and loss of customer trust will ultimately take a toll on a brand’s perception. Cybersecurity negligence defines, if not taints, company reputations. It can take years — and massive PR work — to overcome the negative perceptions and turn a new branding chapter.
6. Regulatory Retaliation
Depending on the scope of a cybersecurity breach and the industry your organization is in, network security negligence can open the doors to regulatory fines. If they are severe enough, government agencies may even press for legal repercussions for culpable parties.
Guide to Small Business IT Security
What should be on an IT infrastructure security checklist for SMBs — or any-sized organization seeking bolstered network security management? We’ve outlined practical, actionable suggestions for sharpened business network security.
1. Perform a Critical IT Assets Audit
Before any official security checklist can be drafted, SMBs must first take inventory of their most critical IT assets. This includes analyzing their:
- People: The knowledgeable and dedicated staff that makes up all the teams and domains of your IT department, as well as who those teams report to within the larger organizational structure.
- Processes: The daily roles, procedures, responsibilities and initiatives helmed by your IT personnel and utilized by all across the SMB.
- Technology: The physical infrastructure of your network ecosystem, accounting for all pieces of hardware, software, storage methodologies, files, applications and more.
Performing an IT asset audit presents visibility over your business’ entire IT environment. It leaves no stone unturned, providing a guiding compass that’ll steer your ultimate security best practices checklist.
2. Research Leading Security Solutions Providers
Researching industry security leaders is the second step for SMBs and other organizations to begin their network and IT security checklist. Organizations will use their critical IT asset audit to begin vetting security partners with products and services fitting their exact needs.
Today, companies like Cisco make and manufacture leading networking hardware, software, tech security systems and other products related to enterprise IT infrastructure. By partnering with a comprehensive computer networking partner, like Cisco, SMBs can consolidate their security support through a single, convenient vendor — so long as that vendor delivers the range of security mechanisms required of their critical assets.
In other words, partnering with a leading security solution provider like Cisco provides a “one-stop security shop” for business network security, offering products like:
- Advanced malware protection
- Advanced firewall defenses
- Phishing, spoofing and ransomware business email security
- A central breach alert system
- Network visibility and segmentation features
- Secure remote network access solutions
- Multi-factor authentication technology
- Cloud security solutions
- And more
3. Prioritize Patching Outdated, Out-of-Sync Software
Infrequently updated operating systems and software create vulnerabilities across an SMB’s IT mechanisms. This incongruent patchwork stack is ripe for attackers, who can write code to exploit vulnerabilities when devices are not routinely kept up to date.
For software and desktop security, ensure your business network security checklist contains:
- Audits that inventory all operating systems and versions used in your business — including those that enter your network through BYOD — as well as their physical hardware, locations and IP addresses. The goal in these audits should be to consolidate the number of operating systems and shadow IT in use.
- Operating system reviews, ensuring you’re using the latest version to remove bugs and vulnerabilities
- Regularly updated, dynamic anti-virus software
- Contemporary security controls in your firewalls and routers
- Frequently refreshed, effective email filters defending employees against spam, phishing and malware
4. Deploy Data Recovery (DR) and Business Continuity Solutions
Regularly backing up enterprise data is an SMB IT best practice, yet over half of SMBs admit they are unprepared for even a minor data-loss incident, from hard-drive malfunctions to an outsider breach.
Whether cloud-based, on-premise or both, data recovery should include standardized efforts like:
- Regularly performed recovery tests.
- Weekly tested backup systems.
- Data categorized into business-critical or strategic, then backed up accordingly. Business-critical data pertains to any information required to keep daily operations running, whereas strategic data is essential to the enterprise as a whole but not accessed or updated daily. It is an industry best practice to have three backup systems for business-critical data, one centralized on site and one backed up remotely every night. Plan semi-regular backups for strategic data.
- Off-premise data backup, either into the cloud or onto external hard drives not permanently connected to the devices they back.
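A recovery test is only meaningful if the restored data is compared with what was backed up. The following is an added example, not part of the original article: it records SHA-256 digests at backup time and checks a restored copy against them. The file names and the simulated faults are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify_restore(source_manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time."""
    restored = manifest(restored_root)
    return {
        "missing": sorted(set(source_manifest) - set(restored)),
        "corrupted": sorted(f for f in source_manifest.keys() & restored.keys()
                            if source_manifest[f] != restored[f]),
        "unexpected": sorted(set(restored) - set(source_manifest)),
    }

def demo():
    """Constructed data: back up three files, then restore with two faults."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "live"), Path(tmp, "restored")
        for d in (src / "finance", dst / "finance"):
            d.mkdir(parents=True)
        files = {"finance/ledger.csv": b"id,amount\n1,100\n",
                 "finance/payroll.csv": b"id,salary\n7,5000\n",
                 "crm.db": b"customer records"}
        for name, data in files.items():
            (src / name).write_bytes(data)
        taken = manifest(src)  # in practice, stored alongside the backup
        (dst / "finance/ledger.csv").write_bytes(files["finance/ledger.csv"])
        (dst / "finance/payroll.csv").write_bytes(b"id,salary\n7,50")  # truncated
        # crm.db is never restored, simulating a silent backup gap
        return verify_restore(taken, dst)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names or 'none'}")
```

Any non-empty "missing" or "corrupted" list means the recovery test failed, even if the backup job itself reported success.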
5. Review External Vendor Relationships
From sourcing raw materials to hiring contractors to maintaining utility contracts, third-party services are a fundamental part of a fully functioning modern business. They’re inevitable, not extraneous.
However, a growing body of research indicates SMBs with fewer external vendors experience fewer security alerts, meaning reduced instances of perceived network threats or inappropriate access. Over half — 63 percent — of organizations with one to five vendors saw fewer than 5,000 alerts a year and remediated 42 percent of those alerts on their own. Only 42 percent of organizations with five to 10 external vendors cited the same alert-remediation flows, indicating that streamlining vendors is an IT network best practice for organizations to consider seriously.
6. Set up Access Controls
Network access controls tier what programs and applications employees can log into, as well as when and how. Employees with “normal” user privileges can only access fundamental programs and must go through a multi-verification approval process for others. Those with “advanced” user privileges can use a broader range of applications while undergoing continuous security training.
Access control best practices include:
- Setting up unique, single-employee user accounts for all systems, programs and apps — never shared accounts
- Installing a central login management program, which tracks and logs all program user history
- Using only one remote-access portal or program, tightening endpoint security for remote or out-of-office workers
- Automated monitoring of user server use, flagging strange or irregular usage for manual review — e.g., logins outside of business hours
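The checks in this list can be run over the records a central login program collects. The following is an added example, not part of the original article: it flags logins outside business hours, remote logins that bypass the single approved portal, and accounts used from two sources close together (a sign of sharing). The log format, business hours, portal name and time window are all assumptions, and the log lines are constructed.

```python
from datetime import datetime, time, timedelta

# Assumed policy values (not from the article); adjust to your organization.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
APPROVED_PORTAL = "vpn-gw1"            # the one sanctioned remote-access portal
SHARE_WINDOW = timedelta(minutes=30)   # same account, different source, this close

# Constructed sample lines: "timestamp user source_ip entry_point"
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice 10.0.0.21 lan
2024-03-04T09:20:00 bob 203.0.113.7 vpn-gw1
2024-03-04T23:47:00 bob 203.0.113.7 vpn-gw1
2024-03-05T10:05:00 frontdesk 10.0.0.30 lan
2024-03-05T10:15:00 frontdesk 10.0.0.44 lan
2024-03-05T14:00:00 carol 198.51.100.9 rdp-direct
2024-03-09T11:00:00 alice 10.0.0.21 lan
not a valid line
"""

def parse(log_text):
    """Yield (datetime, user, source, entry) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield (ts, *parts[1:])

def review(log_text):
    """Return (reason, user, timestamp) findings for manual review."""
    findings, last_seen = [], {}
    for ts, user, source, entry in sorted(parse(log_text)):
        weekend = ts.weekday() >= 5
        if weekend or not (BUSINESS_START <= ts.time() < BUSINESS_END):
            findings.append(("off-hours", user, ts))
        if entry not in ("lan", APPROVED_PORTAL):
            findings.append(("unapproved-portal", user, ts))
        prev = last_seen.get(user)
        if prev and prev[1] != source and ts - prev[0] <= SHARE_WINDOW:
            findings.append(("possible-shared-account", user, ts))
        last_seen[user] = (ts, source)
    return findings

if __name__ == "__main__":
    for reason, user, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {user:<10} {reason}")
```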
7. Integrate Security Into Human Resources Operations
Human resources departments can be powerful defenders of your small business network security checklist. Their daily touchpoints with current employees, as well as onboarding and interactions with new and prospective ones, position them as a critical resource to instill safer technology use throughout the office.
Too often, IT security remains the siloed responsibility of the IT department. While this is understandable, there are many ways HR operations can bolster technical infrastructure with safer human protocols.
- Draft and maintain an acceptable use policy for office hardware, including desktops, laptops, smartphones and telecom devices.
- Draft and maintain explicit confidentiality agreements between third-party vendors, freelancers and contractors.
- Draft and maintain best-practice password rules and procedures. At the bare minimum, employees should be updating passwords every 90 days.
- Implement mandatory two-factor authentication for certain program logins beyond simple usernames and passwords.
- Create overall network privacy policies for employees to sign.
8. Review Network Connections, Activity and Configurations
Threat detection begins with basic network monitoring capabilities. SMBs — and businesses of any size — must deploy technology that gives visibility into connection activities across all servers, maintaining a clear view into who’s on your network, where they’re accessing it from, when and even why.
- Review all current network configurations, meaning the connections between business hardware, software and operating systems. Ensure each has a static IP address, a dedicated domain name server (DNS) and even a WINS name if using Windows.
- Instate an official BYOD policy. Have employees register those devices with your DNS list using out-of-band management best practices.
- Conduct training on proper email and communications activities, especially to help employees identify spam, malware and more business network threats.
- Outline acceptable device use and internet access policies.
9. Revamp Remote Network Policies
Better control of remote endpoints is growing more and more critical for today’s SMBs. Whether those endpoints are freelancers working from home, customers ordering online or third-party vendors interfacing with some aspect of your internal network, businesses now court more entry points for malicious cyber-activity.
Luckily, as the need for tighter remote network controls and access has increased, so have the defenses:
- Use a set virtual private network for remote employee access.
- Employ LAN or wireless LAN authentication technology — such as Cisco’s Wireless Security Suite — to allow only approved devices to connect to your wireless internet.
- Install firewall intrusion detection software for all web connections and portals.
- Compile secured wireless access connections and modems into your DNS list, ensuring no unauthorized connections pop up.
10. Adopt Data Encryption
Data encryption works by translating stored plaintext information into a new pattern, called ciphertext, according to an encryption key. Only people who have the key can unscramble the data, adding an extra layer of defense against data thieves.
Data encryption is particularly important to protect customer information. Not only is there a growing movement for tighter regulations of consumer PII, but companies have their very reputation to protect when guarding sensitive data, such as:
- Customer financial information, like credit cards, debit cards and bank accounts
- Social Security numbers
- Medical history
- Intellectual property or confidential business data
- Financial reports
11. Institutionalize a Formal Incident Recovery Plan
As a final security measure, businesses must establish an intra- and inter-department plan in the event of a major cybersecurity incident. These are known as incident response and recovery plans, and they are a keen indication of the stability of a business’ overall IT infrastructure management — plus its continuity abilities when incidents do strike.
Response and recovery plans should be fully integrated across systems. The best include continual plan audits, complemented by frequent vulnerability tests aiming to identify systems backdoors and weaknesses well before outsiders can.
Learn More About IT Security Managed Services for Your Small Business
Morefield Communications has been arming best-of-class IT solutions across client networks, IT support, IP telephone systems and premise security for decades. We partner with some of the world’s leading network security providers to bring businesses — like yours — peace of mind.
Reach out online or give us a call at (717) 761-6170 to create your business’ IT security checklist today.