Cybersecurity Checklist

By Scott Dawson
December 12, 2023

Small Business Cybersecurity

Today’s cyber threats can impact any company, regardless of size or industry. But did you know that 43% of cyber-attacks are aimed at small businesses, according to Accenture’s Cost of Cybercrime Study? On top of that, only 14% of those businesses are prepared to defend themselves.

Other Cybersecurity Statistics:

  • 37% of companies hit by ransomware had fewer than 100 employees (accenture.com)
  • Globally, the manufacturing sector was the most targeted, representing 20% of all cyber extortion campaigns (Orange Cyberdefense)
  • 55% of people in the U.S. would be less likely to continue doing business with companies that are breached (https://blogs.und.edu)
  • 51% of small businesses have no cybersecurity measures in place at all (https://mytechdecisions.com)
  • 95% of cybersecurity breaches are attributed to human error (https://securitytoday.com)
  • In the U.S., 88 million people have been affected by data breaches of their personal health information, an increase of 60% in 2023 (Chief Healthcare Executive)
  • As of 2023, over 72% of businesses worldwide were affected by ransomware attacks (Statista.com)

Small Businesses are Easy Targets

Small businesses often lack the cybersecurity resources and expertise of larger companies. This makes them easy targets for hackers. As cyber criminals discover new ways to extort and defraud small businesses, the threats continue to evolve and expand. We’re no longer dealing with lone hackers in basements. According to the FBI’s Internet Crime Report, cybercrime has become a multi-billion-dollar industry—and that industry keeps growing.

Not only do companies face risks from cyberattacks, but they also risk compliance failure, losing customer trust, and missing out on contract opportunities.

How Much Importance Should You Place on Cybersecurity?

Companies are beginning to add cybersecurity experts to their boards, a sign that cybersecurity protection is becoming critical to business success. Every business is different, but cybersecurity needs to be taken seriously regardless of industry or company size: businesses of every size are being attacked.

These Questions will help you to Assess the Importance of Cybersecurity for your Business:

  • Do you handle critical or sensitive information, such as trade secrets, customer data, research, company financial information, or personally identifiable information?
  • Do your customers ever ask about your company’s cybersecurity practices or include it in vendor surveys? Are you required to meet any laws, regulations, or standards related to cybersecurity (e.g. PCI DSS, DFARS/CMMC, HIPAA, GDPR, or others)?
  • Have you been turned down by an insurance company for a cyber policy?
  • Do employees work at home using their home networks and personal devices?
  • Have you faced a cyberattack in the past year, such as ransomware, a computer virus, a denial-of-service (DoS) attack, identity theft, or a data breach?

If the answer to any of the above is “yes,” you have a compelling need for cybersecurity. Failure to comply with cybersecurity regulations can result in lost contracts and costly fines. The rise of remote working also increases the need for cybersecurity: the more devices and networks your company uses, the higher the risk.

Many business owners are not sure how much importance to place on cyber protections.

Cybersecurity Questions to Ask Yourself:

You can use this checklist to better understand where the cybersecurity gaps are in different areas of your business:

Access Control and User Permissions:

  • Have user access levels been defined and limited based on job roles and responsibilities?
  • Are strong authentication measures like two-factor authentication (2FA) in place for sensitive systems?

Data Protection:

  • Is sensitive data encrypted both in transit and at rest?
  • Are there regular backups, and have they been tested for recovery effectiveness?
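The second Data Protection question is the one most often answered "yes" without evidence: a backup that has never been restored is an assumption, not a backup. The following is an added example, not code from the original article or from Core Business Solutions. It records a SHA-256 manifest of a directory at backup time, restores the archive into a scratch directory, and compares every file. The directory names and file contents are constructed for the demonstration, and the failure case simulates a file created after the last backup job ran.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return build_manifest(src_dir)


def verify_restore(archive_path, expected_manifest):
    """Restore into a scratch directory and diff it against the expected manifest.

    Returns ok=True only when every expected file is present with a matching
    content hash; otherwise lists which files are missing or altered.
    """
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' extraction filter (Python 3.12, backported to 3.8.17+)
            # rejects absolute paths, '..' traversal and device files in the archive.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
        restored = build_manifest(restore_dir)

    missing = sorted(set(expected_manifest) - set(restored))
    altered = sorted(
        p for p, h in expected_manifest.items() if p in restored and restored[p] != h
    )
    return {"ok": not missing and not altered, "missing": missing, "altered": altered}


def run_demo():
    """Constructed scenario: a good backup, then a manifest newer than the backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "shared"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2023-11.csv").write_text("id,amount\n1001,250.00\n")
        (src / "customers.txt").write_text("Acme Ltd\nGlobex Inc\n")
        archive = Path(work) / "shared.tar.gz"

        manifest = create_backup(src, archive)
        fresh = verify_restore(archive, manifest)

        # A file created after the backup job ran: the old archive cannot restore it,
        # and a restore test against the current state of the share catches that.
        (src / "invoices" / "2023-12.csv").write_text("id,amount\n1002,99.00\n")
        stale = verify_restore(archive, build_manifest(src))
    return fresh, stale


if __name__ == "__main__":
    fresh_result, stale_result = run_demo()
    print("fresh backup:", fresh_result)
    print("stale backup:", stale_result)
```

The manifest should be stored separately from the archive (ransomware that encrypts the backup share will take both otherwise), and the restore test belongs on a schedule, not only after the backup tooling changes.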

Patch Management:

  • Are all systems, software, and applications regularly updated with the latest security patches?
  • Is there a schedule in place to ensure timely patching?

Network Security:

  • Are firewalls and intrusion detection/prevention systems implemented and regularly updated?
  • Is there network segmentation to isolate critical systems from potential threats?

Security Training and Awareness:

  • Are employees trained in cybersecurity best practices and aware of common threats like phishing?
  • Is there ongoing education to keep staff updated on evolving cybersecurity risks?

Incident Response Planning:

  • Have incident response plans been developed and tested for different types of cyber threats?
  • Is there a designated team and clear communication protocol in case of a security breach?

Vendor Security Assessment:

  • Do third-party vendors who have access to your systems adhere to security best practices?
  • Is there a process to assess their security measures and protocols?

Regular Security Audits and Assessments:

  • Are regular cybersecurity audits conducted to identify vulnerabilities and assess the effectiveness of security measures?
  • Is there a mechanism in place to address findings from these audits promptly?

Compliance and Regulatory Adherence:

  • Are you compliant with the industry-specific cybersecurity regulations and standards relevant to your business?
  • Is there a process to ensure ongoing compliance as regulations evolve?

Monitoring and Logging:

  • Are systems monitored in real-time for suspicious activities, and are logs regularly reviewed?
  • Is there a system to alert for any anomalies or potential security breaches?

Disaster Recovery and Business Continuity:

  • Is there a plan in place for business continuity in the event of a cybersecurity incident?
  • Have you tested the effectiveness of this plan in various scenarios?

Employee Offboarding and Device Management:

  • Are access rights promptly removed for employees who leave or change roles?
  • Is there a policy for secure disposal or wiping of data from devices no longer in use?


Regularly reviewing these aspects of your cybersecurity posture can help identify gaps and ensure a proactive approach to safeguarding your systems and data. If the answer to any of the above questions is “no,” you likely have gaps in your cybersecurity practices.

Cybersecurity Training

Most cyber breaches result from basic human error. This makes employee training a top priority. Without ongoing monitoring, updates, and backups, you leave your technologies open to attack. Review your responses to the checklist questions above. If you have a compelling need for cybersecurity but also have gaps in your cybersecurity practices, your company is at high risk of cyberattack.

What are the Most Common Cyber Threats Against Small Businesses?

Small businesses often face various types of cyber threats due to their limited resources and sometimes less stringent security measures.

Some of the most common cyber attacks targeting small businesses include:

Phishing Attacks:

Emails or messages that appear legitimate but are designed to trick individuals into providing sensitive information or clicking on malicious links.

Ransomware:

Malware that encrypts files or systems, demanding a ransom for their release. Small businesses are often targeted because they may be more likely to pay the ransom.

Malware:

Including viruses, worms, trojans, and spyware that infect systems, compromise data, or disrupt operations.

Man-in-the-Middle (MITM) Attacks:

Hackers intercept and potentially alter communication between two parties, gaining access to sensitive information.

Insider Threats:

Employees or individuals with access to internal systems intentionally or accidentally compromise security.


Credential Attacks:

Brute force attacks or using stolen credentials to gain unauthorized access to systems or accounts.
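Brute-force credential attacks are also the easiest of these threats to catch from the logs the Monitoring and Logging checklist questions above ask about, because the pattern is repeated failures from one source followed, in the bad case, by a success. The following is an added example, not code from the original article or from Core Business Solutions: it parses OpenSSH-style `sshd` syslog lines, counts failures per source address inside a sliding time window, and raises a higher-severity alert when a login succeeds from an address already flagged. The log lines are constructed for the demonstration; the threshold of 5 failures in 5 minutes is an illustrative starting point, not a recommendation for every environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (not real data). Shows three sources:
# a password-spraying host that eventually gets in, a user who mistypes once,
# and a slow attacker whose failures are too spread out to hit the window.
SAMPLE_LOG = """\
Dec 12 09:00:01 fileserver sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Dec 12 09:00:03 fileserver sshd[1203]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Dec 12 09:00:05 fileserver sshd[1205]: Failed password for root from 203.0.113.45 port 51030 ssh2
Dec 12 09:00:06 fileserver sshd[1207]: Failed password for root from 203.0.113.45 port 51031 ssh2
Dec 12 09:00:08 fileserver sshd[1209]: Failed password for root from 203.0.113.45 port 51033 ssh2
Dec 12 09:00:09 fileserver sshd[1211]: Accepted password for root from 203.0.113.45 port 51035 ssh2
Dec 12 09:14:22 fileserver sshd[1300]: Failed password for alice from 192.168.1.20 port 40210 ssh2
Dec 12 09:14:40 fileserver sshd[1302]: Accepted publickey for alice from 192.168.1.20 port 40212 ssh2
Dec 12 09:20:00 fileserver sshd[1400]: Failed password for bob from 198.51.100.7 port 33001 ssh2
Dec 12 09:22:00 fileserver sshd[1402]: Failed password for bob from 198.51.100.7 port 33002 ssh2
Dec 12 09:24:00 fileserver sshd[1404]: Failed password for bob from 198.51.100.7 port 33003 ssh2
Dec 12 09:26:00 fileserver sshd[1406]: Failed password for bob from 198.51.100.7 port 33004 ssh2
Dec 12 09:28:00 fileserver sshd[1408]: Failed password for bob from 198.51.100.7 port 33005 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2023):
    """Return a dict with ts/result/user/ip, or None for lines that are not auth events.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2023 here).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on sources with >= threshold failures inside a sliding window.

    A later successful login from a flagged source is escalated to high severity,
    since that is the case that needs an incident response, not just a block.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # Keep only failures inside the window ending at this event.
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "ip": ip, "severity": "medium", "user": ev["user"],
                    "reason": f"{len(failures[ip])} failed logins within {window}",
                })
        elif ip in flagged:
            alerts.append({
                "ip": ip, "severity": "high", "user": ev["user"],
                "reason": "successful login after brute-force pattern",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['ip']} user={alert['user']}: {alert['reason']}")
```

The slow attacker from 198.51.100.7 never trips the rule, which is the point of showing it: a fixed window with a fixed threshold is a starting point, and real detection logic also watches for the same source across many hosts and for one account being tried from many sources.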

Supply Chain Attacks:

Targeting vulnerabilities in third-party vendors or suppliers to gain access to the small business’s network or data.

IoT-Based Attacks:

Exploiting vulnerabilities in Internet of Things (IoT) devices connected to the business network.

Social Engineering:

Manipulating individuals within the organization to divulge sensitive information or perform certain actions.

Any of these attacks can lead to financial loss, data breaches, operational disruptions, and reputational damage. Small businesses are often targeted because they may have less robust security measures in place compared to larger enterprises, making them appealing targets for cybercriminals.

How Core Can Help

Core Business Solutions stands ready to help. We offer audits and scans to measure your business against national and industry cybersecurity standards. We’ll help you ascertain your security posture and find gaps. With that information, we can help you build a simple and effective remediation plan. We can even offer training, expert support, and security technologies to fill the gaps in your security. Contact us today to learn how we can help your business achieve cybersecurity industry standards.

Expert Consulting

Need help applying cybersecurity practices to your business? Our solutions include hands-on consulting support from industry experts. We don’t leave you to figure out compliance on your own. We walk you through every step of the process.

Our Standards

Core Business Solutions helps small businesses achieve compliance with a number of cybersecurity standards, including:

ISO 27001

Information Security Management Systems

NIST/CMMC

Cybersecurity for DoD

ISO 20000-1

Service Management Systems

CMMI

Capability Maturity Model


Our Solutions

We offer this simple, effective solution to help small businesses meet their cybersecurity needs:


CORE Vault™

Everything you need for NIST/CMMC in one cloud-based solution 

CORE Vault comes ready-made for compliance with the DoD contracting requirements of DFARS, NIST SP 800-171, and CMMC 2.0.  With CORE Vault™, you can separate government data from your network and access it through a secure, cloud-based environment managed by our cyber experts.  CORE Vault™ also includes the support needed to reach full compliance with the non-technical cybersecurity requirements, such as your system security plan and required policies. 

The CORE Security Suite

Our online platform gives you all the tools you need for ongoing cybersecurity, including:

  • Document and record control
  • User-friendly project dashboards
  • Incident management
  • Security change logs
  • Risk register
  • Asset management

We also provide standard-specific tools depending on your security requirements. For companies who require NIST/CMMC, we provide a simple SSP tool, an automated SPRS score calculator, and customizable policy templates crafted by our own CMMC experts.
