Status: IN PROGRESS

This guide is intended for small businesses with a straightforward setup: you do not have a server in the back room, you use cloud services by default, and you do not do any custom software development.

(If you do have a server, or you do custom software development, read on; there will be more for you to do than is mentioned here.)

There are three sections, each building on the section before:

  • Easy Mode - you don’t have a cybersecurity plan in place, and you and your team don’t know much about cybersecurity, but you want to sleep better at night.

  • Get it Done - you just need to get better and more rigorous at doing cybersecurity in your business.

  • The Journey - your business has some cybersecurity in place and is on the way to becoming certified by an external audit program like ISO27001.

Step 0 - The 6 Knows

Telstra has a great methodology called The Five Knows. I will add one more.

...

Easy Mode

As you go through your day, think about your passwords:

  • What is this password protecting? (your banking, payroll, client documents).

  • Is it a good password? (long, and not a word, a name or a date that someone who knows you could guess).

  • When did you last change it?

  • How do you know this password? (eg memory, stored in your browser, written on a post-it note).

  • Is it unique? (yes, really unique - not used for any other login!).

  • Who else, apart from you, uses this same login and password? (eg do staff members who have left the business still know this password?).

  • Does this login also have Multi Factor Authentication (MFA)?

  • What type of MFA? (eg a text message, an authenticator app, a hardware key).

Get it Done (all of Easy Mode plus…)

  • Change any passwords that are not unique.

  • Change any passwords that have not been changed in 12 months, and change a password immediately if you suspect it has been exposed (a breach notice, a phishing email you clicked, a lost device).

  • Turn on MFA everywhere you can. If there is an MFA option that is not text or email based (an authenticator app or a hardware key), choose that first: text and email codes are the easiest for an attacker to intercept or phish.

  • Ensure all Social Media accounts, and your main Email / Office account, have MFA.

  • For logins where you can't turn on MFA (eg some banking), make a note in your password manager of what other protection they do have (eg a text message confirmation before a new payee or supplier can be paid).
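The Get it Done checks above can be run mechanically over an export from your password manager instead of by eye. The script below is an added example; it is not code from the original page or from any password manager vendor. It assumes a hypothetical CSV export with the columns name, username, password, last_changed and mfa. Real exports differ by product and rarely include the MFA type, so you may need to add that column by hand. The rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export. The column set (name, username, password,
# last_changed, mfa) is a hypothetical one chosen for this example; real
# password-manager exports differ by product and usually omit the MFA type.
SAMPLE_EXPORT = """name,username,password,last_changed,mfa
Bank,alice,Tr0ub4dor&3,2024-11-02,none
Payroll,alice,Tr0ub4dor&3,2023-01-15,sms
Email,alice,correct-horse-battery-staple-42,2024-06-30,app
Instagram,shop,summer2021,2021-05-10,none
Supplier portal,alice,kR9#vLq2!xP8wT,2024-09-01,key
"""

# Date the audit is run against, fixed so the sample output is reproducible.
SAMPLE_TODAY = date(2025, 1, 1)

# Text and email codes are the MFA types the guide says to move away from.
WEAK_MFA = {"sms", "email"}


def load_export(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, today, max_age_days=365, min_length=14):
    """Return the login names that fail each Get it Done check.

    reused   - the same password appears on more than one login
    stale    - not changed within max_age_days
    short    - fewer than min_length characters (a crude weak-password proxy)
    no_mfa   - no second factor at all
    weak_mfa - second factor is a text or email code
    """
    logins_by_password = defaultdict(list)
    for row in rows:
        logins_by_password[row["password"]].append(row["name"])

    findings = {"reused": [], "stale": [], "short": [], "no_mfa": [], "weak_mfa": []}
    for row in rows:
        name = row["name"]
        if len(logins_by_password[row["password"]]) > 1:
            findings["reused"].append(name)
        changed = date.fromisoformat(row["last_changed"])
        if today - changed > timedelta(days=max_age_days):
            findings["stale"].append(name)
        if len(row["password"]) < min_length:
            findings["short"].append(name)
        mfa = row["mfa"].strip().lower()
        if mfa == "none":
            findings["no_mfa"].append(name)
        elif mfa in WEAK_MFA:
            findings["weak_mfa"].append(name)
    return findings


def run_sample():
    """Audit the constructed sample as of SAMPLE_TODAY."""
    return audit(load_export(SAMPLE_EXPORT), SAMPLE_TODAY)


def format_report(findings):
    """Render findings as the to-do list the guide asks for."""
    headings = {
        "reused": "Change these passwords - they are reused:",
        "stale": "Change these passwords - older than 12 months:",
        "short": "Change these passwords - too short:",
        "no_mfa": "Turn on MFA for these logins:",
        "weak_mfa": "Move these logins off text/email MFA:",
    }
    lines = []
    for key, heading in headings.items():
        if findings[key]:
            lines.append(heading)
            lines.extend("  - " + name for name in findings[key])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_sample()))
```

On the sample, Bank and Payroll share a password, Payroll and Instagram are more than a year old, and only the supplier portal (hardware key) and Email (authenticator app) pass every check. An export file contains every password in clear text, so run this on a machine you trust and delete the export as soon as the report is done.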

The Journey (all of Get it Done plus…)

It may be time to start setting up Single Sign On (SSO) for your main systems, so that one well-protected login (with MFA) is what staff use for everything, and one place is where you switch a leaver off. Both Microsoft 365 and Google Workspace can act as the SSO identity provider for your other cloud services.

  • Also think about hardware keys (eg a YubiKey) for your main accounts rather than push or authenticator-based MFA on your phone. A FIDO2 key only answers for the real site it was registered with, so a look-alike login page cannot capture it the way it can capture a typed-in code.

Easy Mode

Start using a Password Manager, even the free version of LastPass.

  • Think about getting a team plan of LastPass or 1Password and get your whole team, and even family, on board.

  • Set up a long passphrase for logging into your Password Manager - but don't forget it! Password managers are designed so that the vendor cannot read or reset your master password for you. If the manager gives you a recovery or emergency kit at setup (1Password calls it the Emergency Kit), print it and keep it somewhere safe and offline; on a team or family plan an administrator can usually recover a member's account, which is one more reason to be on one.

  • Ensure passwords are not saved in your browser anymore (the setup for the password manager should help with this).

  • Set up your Password Manager to be on your Phone and in your Browser.

  • When you need to share a password with someone, how do you do it? (

Get it Done (all of Easy Mode plus…)

Get onto the team plan of LastPass or 1Password.

  • Ensure no passwords are saved in your browser.

  • Use the password generator in your password manager whenever you change a password, so that every new password is long, random and unique.

  • Shared logins are marked as such, and shared with only the team members that need them.

  • Each team member should have their own logins to all services.

  • Get the family onto a Password Manager also.

  • Keep business and personal passwords separate (eg LastPass for personal and family sharing, 1Password for the team).

  • Decide who can get at your business passwords if you die or are incapacitated, especially the ones needed to keep the business running in your absence. Most password managers have an emergency access or account recovery feature for exactly this; set it up rather than relying on a written list.

The Journey (all of Get it Done plus…)

  • Store MFA backup codes separately from the login they protect (not in the same password manager entry as the password), so that one compromised vault item does not hand over both factors.

  • Keep your Time-based One-Time Password (TOTP) authenticator separate from your Password Manager, rather than using the manager's built-in TOTP feature: whoever holds the TOTP seed can generate every code, so storing it next to the password collapses two factors into one.

  • Eliminate shared logins where possible.

  • Ensure logins and passwords are disabled as soon as a team member leaves, and change any shared passwords they knew.
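To see why the TOTP seed must not sit beside the password, here is the TOTP algorithm (RFC 6238, built on the HMAC-based HOTP of RFC 4226) worked through in Python, with the server-side check that tolerates a little clock drift. This is an added example, not code from the original page or from any authenticator or password manager vendor. The base32 seed is a constructed input of the kind an authenticator app scans from a QR code; the ASCII secret is the one used for the RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def decode_seed(seed_b32):
    """Turn the base32 seed shown on a setup page / QR code into raw key bytes."""
    seed_b32 = seed_b32.strip().replace(" ", "").upper()
    return base64.b32decode(seed_b32 + "=" * (-len(seed_b32) % 8))


def verify(secret, code, at_time=None, step=30, digits=6, window=1):
    """Server-side check that accepts codes from +/- window steps of clock drift."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


# Constructed example seed. Anyone holding these 16 characters holds the second
# factor outright: a vault that stores them next to the password has collapsed
# two factors into one.
EXAMPLE_SEED_B32 = "JBSWY3DPEHPK3PXP"

# Secret behind the RFC 6238 test vectors (the ASCII digits 1234567890 twice).
RFC6238_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    key = decode_seed(EXAMPLE_SEED_B32)
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "accepted:", verify(key, code, now))
    print("RFC 6238 vector at T=59:", totp(RFC6238_SECRET, 59, digits=8))
```

Nothing in the code path involves the phone, the app or a server secret: the seed plus the time of day is the whole second factor, which is why an attacker who reads it out of a compromised vault needs nothing else.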

...