Version 15
IN PROGRESS
This guide is intended for small businesses that have a pretty straightforward setup - eg you do not have a server in your back room, you use cloud services by default, and do not do any custom software development.
(If you have a server, or do custom software development, read ahead, and there will be more for you to do than is mentioned here).
There are three levels, each building on the level before:
Easy Mode - you don’t have a cybersecurity plan in place, and you and your team don’t know much about cybersecurity, but you want to sleep better at night.
Get it Done - you just need to get better and more rigorous at doing cybersecurity in your business.
The Journey - your business has some cybersecurity in place and is on the way to becoming certified by an external audit program like ISO27001.
Step 0 - The 6 Knows
Telstra has a great methodology called The Five Knows. I will add one more.
Know why you are embarking on this journey:
How does having good cybersecurity fit into your business values?
What benefit will good cybersecurity have for your business? Eg will it be that you are 20% better than your competitors, or just that you can sleep better at night?
| Easy Mode | Get it Done | The Journey |
|---|---|---|
| Think about who, what, why, when: What data do you store? What data do you collect from your customers? Where do you store that data? (Paper? Laptop? Cloud?) Who in your business has access to that data? What do you do with that data? Where do you send that data? | Make lists of data, people, software, logins, hardware and devices: answer the Five Knows in notes to yourself. Tip: if you have a Password Manager, use it as the list of software, and note what each piece of software does, who accesses it, how much it costs and when it is due for renewal. Check your router for which devices are connected to it, as the starting point for which hardware you have. Don't forget backup / redundant devices. | Start some registers: a register of software used; a register of all laptops, phones, iPads and any other device connected to the internet (include your home if you do a lot of work there); a register of all places data is stored and what data is stored there, e.g. Dropbox, Google Drive, Xero. Keep these registers in a place and format that can be easily updated. Investigate getting a tool that will scan your network and show all the devices connected to it. |
| Think about what you would like to be doing better. | Write down what being better at cybersecurity will look like for your business. | Plan how you are going to bring your staff along on this journey. |
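A register is only useful if you check it against what is actually on the network. The script below is an added example, not part of the original guide: it reads the output of `arp -a` (the quickest way to see who has recently talked to your machine; the router's client list or a scanner such as nmap gives a fuller picture) and reports devices that are on the network but not in the register, and registered devices that were not seen. Both the ARP lines and the register are constructed, the device names and MAC addresses are made up, and the register's column names are an assumption. It goes slightly beyond the text by handling both the macOS/Linux and the Windows `arp -a` formats.

```python
"""Compare the devices seen on the network with the hardware register.

Added example, not from the original guide. Both inputs are constructed:
the ARP lines imitate `arp -a` output (macOS/Linux and Windows formats) and
the register is the kind of CSV list Step 0 asks you to keep. MAC addresses
and names are made up; the register's column names are an assumption.
"""
import csv
import io
import re

# Constructed `arp -a` output. Real output lists only devices that have
# recently talked to this machine, so also check the router's client list.
ARP_OUTPUT = """\
router.lan (192.168.1.1) at aa:bb:cc:0:0:1 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:00:00:20 on en0 ifscope [ethernet]
? (192.168.1.21) at aa:bb:cc:00:00:21 on en0 ifscope [ethernet]
? (192.168.1.77) at aa:bb:cc:00:00:77 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
  192.168.1.40          aa-bb-cc-00-00-40     dynamic
"""

# Constructed register (hypothetical owners and devices).
REGISTER_CSV = """\
mac,owner,device,location
aa:bb:cc:00:00:01,Business,Router,Office
aa:bb:cc:00:00:20,Alice,Laptop,Office
aa:bb:cc:00:00:21,Bob,Laptop,Office
aa:bb:cc:00:00:30,Alice,Phone,Office
aa:bb:cc:00:00:40,Bob,Phone,Home office
"""

# macOS/Linux: "? (192.168.1.20) at aa:bb:cc:0:0:20 ..."
UNIX_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})", re.I)
# Windows: "  192.168.1.40   aa-bb-cc-00-00-40   dynamic"
WIN_LINE = re.compile(
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})", re.I)


def normalise_mac(mac):
    """Lower-case, colon-separated, zero-padded: 'AA-BB-CC-0-0-1' -> 'aa:bb:cc:00:00:01'."""
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", mac))


def parse_arp(text):
    """Return {mac: ip} for real hosts, skipping the broadcast entry."""
    seen = {}
    for line in text.splitlines():
        m = UNIX_LINE.search(line) or WIN_LINE.search(line)
        if not m:
            continue
        mac = normalise_mac(m.group("mac"))
        if mac == "ff:ff:ff:ff:ff:ff":
            continue
        seen[mac] = m.group("ip")
    return seen


def load_register(text):
    """Return {mac: row} from the register CSV."""
    return {normalise_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def audit(arp_text, register_text):
    """Devices on the network but not in the register, and vice versa."""
    seen = parse_arp(arp_text)
    known = load_register(register_text)
    unknown = sorted((mac, ip) for mac, ip in seen.items() if mac not in known)
    absent = sorted(mac for mac in known if mac not in seen)
    return {"unknown_on_network": unknown, "registered_but_not_seen": absent}


if __name__ == "__main__":
    report = audit(ARP_OUTPUT, REGISTER_CSV)
    known = load_register(REGISTER_CSV)
    for mac, ip in report["unknown_on_network"]:
        print(f"NOT IN REGISTER: {mac} ({ip}) - find out what it is")
    for mac in report["registered_but_not_seen"]:
        print(f"not seen today: {mac} - {known[mac]['owner']}'s {known[mac]['device']}")
```

Run it after `arp -a > arp.txt` (paste the output in place of the constructed lines) whenever you update the register; an unexplained "NOT IN REGISTER" line is the point of the exercise. A device that is registered but not seen is usually just switched off, so treat that list as a prompt, not an alarm.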
Step 1 - Knowledge
| Easy Mode | Get it Done | The Journey |
|---|---|---|
| Read the Australian Government Small Business Cybersecurity Guide. | Decide whether SMB1001 Gold self-attestation is a good fit for your business. | Heading for ISO27001? Wanting to do more government work? |
| Have a read of your current policies and procedures. | Gather all your current policies and procedures in one place, as you will be updating them. | Think about having a centralised place to store and maintain policies and procedures. There are many options. |
| Think about risk in your business. What keeps you up at night? What would you do if something happened to a key piece of software or hardware? What if you lost your phone? Could you even pay payroll? | Start to write down some of the risk scenarios you may face as a business. | Plan to implement a risk register in the business, along with all that entails (e.g. updating it regularly). There are good apps to help with this. |
| What regulations does your business have to follow? What parts of the Privacy Act scare you? What parts don't you understand? What do you need to ask your Technical Specialist about? How are you staying up to date with legislation that may affect your business? | What other regulations affect you? E.g. your suppliers, or the people you supply to, may be subject to regulations that affect the way you do business with them. What parts of the Cybersecurity Legislation Package (2024) do you need to factor into your business? | You are going to need to start maintaining supplier agreements and managing your supply chain, along with being responsible for understanding and complying with all the legislation and regulations that affect your sector. What help do you need to get this done? |
Step 2 - Passwords
Your passwords are the keys to your kingdom. It’s time to stop with the Admin/12345. Start with the passwords that need to be most secure.
| Easy Mode | Get it Done | The Journey |
|---|---|---|
| As you go through your day, think about your passwords. What is this password protecting? (Your banking, payroll, client documents?) Is it a good password? When did you last change it? How do you know this password? (Memory, stored in your browser, written on a post-it note?) Is it unique? (Yes, really unique!) Who else, apart from you, uses this same login and password? (E.g. do staff members who have left the business still know it?) Does this login also have Multi Factor Authentication (MFA)? What type of MFA (e.g. sends a text message, uses an authenticator app)? | Change any passwords that are not unique. Change any passwords that have not been changed in 12 months (a one-off clean-up; after that, change a password when you suspect it has been exposed, rather than on a fixed schedule). Turn on MFA everywhere you can. If there is an MFA option that is not text- or email-based, choose that first. Ensure all social media accounts, and your main email / office account, have MFA. For logins where you can't use MFA (e.g. some banking), make a note in your password manager of what protection they do have (e.g. a text message when a new supplier is added). | It may be time to start setting up Single Sign On (SSO) for your main systems. Both Microsoft 365 and Google Workspace can be set up as the SSO identity provider for your other apps. |
| Start using a password manager, even a free one such as LastPass's free tier (note that LastPass suffered a breach in 2022 in which encrypted customer vaults were stolen, so weigh that when choosing). Think about getting a team plan of LastPass or 1Password and get your whole team, and even your family, on board. Set up a long passphrase for logging into your password manager, and don't forget it: the vault is encrypted with that passphrase, so the vendor cannot reset it for you, and only the recovery options you set up in advance (e.g. a recovery key, or account recovery by a team or family admin where the plan offers it) will get you back in. Make sure passwords are no longer saved in your browser (the password manager's setup should help with this). Set up your password manager on your phone and in your browser. When you need to share a password with someone, how do you do it? ( | Get onto the team plan of LastPass or 1Password. Ensure no passwords are saved in your browser. Use your password manager's password generator when updating passwords. Shared logins are marked as such, and shared only with the team members that need them. Each team member should have their own login to every service. Get the family onto a password manager also. Keep business and personal passwords separate (e.g. LastPass for personal and family sharing, 1Password for the team). | Store backup login codes separately from your logins. Set up time-based one-time passwords (TOTP) in an authenticator app that is separate from your password manager, so that one stolen vault does not hand over both factors. Eliminate shared logins where possible. Ensure logins and passwords are disabled as soon as a team member leaves. |
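The "Get it Done" and "The Journey" checks above (unique, not stale, MFA on, TOTP kept out of the vault, shared logins marked) can be run over a password manager's CSV export rather than by eye. The script below is an added example, not part of the original guide or of any password manager. The vault is constructed and its column names (title, username, password, last_changed, mfa, totp_secret, shared_with) are assumptions: real exports from LastPass or 1Password use their own headings, so map them to these first. Passwords are hashed before comparison so the report never prints one, and the export file itself should be deleted as soon as you are done, because it holds every password in plain text.

```python
"""Audit a password-manager export against the Step 2 checks.

Added example, not from the original guide. The CSV is constructed and its
column names are assumptions: real exports (LastPass, 1Password) use their
own headings, so map them to these before running this on a real file.
Delete the export afterwards; it holds every password in plain text.
"""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date

# Constructed sample vault (hypothetical accounts; passwords deliberately bad).
VAULT_CSV = """\
title,username,password,last_changed,mfa,totp_secret,shared_with
Xero,owner@example.com,correct-horse-battery-staple-42,2024-11-02,app,,
Bank,owner@example.com,Summer2019!,2019-06-14,sms,,
Facebook page,owner@example.com,Summer2019!,2023-01-09,none,,
Office 365,owner@example.com,tr0ub4dor-lilac-engine-sky,2024-08-20,app,JBSWY3DPEHPK3PXP,
Router admin,admin,admin,2018-03-01,none,,alice;bob
"""

MAX_AGE_DAYS = 365           # "not changed in 12 months"
MIN_LENGTH = 12              # anything shorter is not a passphrase
WEAK_MFA = {"sms", "email"}  # phishable and SIM-swappable; prefer an app


def fingerprint(password):
    """Hash so the report can say 'reused' without ever printing a password."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit_vault(csv_text, today_iso):
    """Return {finding: [entry titles]} for each rule from the guide.

    today_iso is an ISO date string ("2025-06-01") so results are repeatable.
    """
    today = date.fromisoformat(today_iso)
    findings = defaultdict(list)
    by_hash = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        title = row["title"]
        by_hash[fingerprint(row["password"])].append(title)
        age = (today - date.fromisoformat(row["last_changed"])).days
        if age > MAX_AGE_DAYS:
            findings["stale"].append(title)
        if len(row["password"]) < MIN_LENGTH:
            findings["short"].append(title)
        if row["mfa"] == "none":
            findings["no_mfa"].append(title)
        elif row["mfa"] in WEAK_MFA:
            findings["weak_mfa"].append(title)
        if row["totp_secret"]:
            # Both factors in one vault: a stolen vault logs in on its own.
            findings["totp_in_vault"].append(title)
        if row["shared_with"]:
            findings["shared_login"].append(title)
    for titles in by_hash.values():
        if len(titles) > 1:
            findings["reused"].extend(titles)
    return dict(findings)


if __name__ == "__main__":
    for finding, titles in audit_vault(VAULT_CSV, date.today().isoformat()).items():
        print(f"{finding:15} {', '.join(titles)}")
```

Work through the "reused" and "no_mfa" lists first: a reused password that appears in one breach is a key to every account sharing it, and an account without MFA falls to that key alone.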
Step 3 - People
Yes, I put People behind Passwords. The first part of educating People will be to talk about Passwords.
| Easy Mode | Get it Done | The Journey |
|---|---|---|
| Just as you have had to check what you didn't understand and ask for help, start this process with your team also: https://www.cyber.gov.au/learn-basics No question is too silly, and no one will be penalised for asking about something that looks strange. Let the team know that you are all embarking together on a journey to get the business better at cybersecurity. Talk about what ideas they have, and what areas they see as needing improvement. Come to an agreement on some baseline rules: no more hidden data (e.g. spinning up a spreadsheet and then maintaining it weekly forevermore); no more signing up to a new online service without approval; no more emailing documents and spreadsheets to anyone, including another team member; no more taking data home on USB sticks. Take the quiz, share the results with the team, and talk through the answers. Talk them through the next steps: passwords, access control, application control. When they groan and complain, remind them what you discovered in Step 0: how does getting better at cybersecurity fit with your business values? | You may want a few key team members to become "cyber wardens", but take the course yourself first. Be aware that this is not everything you need to know, and it can be a bit too simplistic at times. Talk to your IT specialist about what cybersecurity training they recommend. Never choose training that casts your team as the "weakest link" or the "first line of defence", or uses any other scare tactics. It's your job to get your business to a position where a team member clicking on a link does not grind your business to a halt. Training must also include data privacy and your obligations under the Privacy Act. | Cybersecurity training is a core part of your business, and your team has cybersecurity training as one of their measurable points. You may have cybersecurity training included as part of some of the software you already have, but just watching a few videos per year, or watching a video because you happened to click on a phishing test that your IT provider sent out, is not enough. Cybersecurity and data privacy are a key part of business as usual for you and your team, and a key part of your business values, and therefore you are helping your suppliers and customers with their cybersecurity challenges also. |
Step 4 - Email and Websites
| Easy Mode | Get it Done | The Journey |
|---|---|---|
| You've already ensured that Multi Factor Authentication is turned on for your email account, so don't forget your website (along with all the other apps you use for business). Your team does not log into another team member's email. You have procedures in place for dealing with emails while a team member is away, or after they have left. Understand the key terms you need to know to be more secure with your email: ASD has a great reference page on this topic. The UK Government has a good page with examples of phishing emails that may be helpful. Don't click on links in emails you are not expecting. If you are using Chrome, Google should spot a known malicious website, but it's the seemingly legitimate websites that can be tricky. Use some URL tips and tricks to check the address if it is something you are not quite sure about but really want to open (the real site is the name just before the first single "/", read from the right: paypal.com.example.net belongs to example.net, not PayPal). | I have an email scanning tool linked to my main email account. I use Guardz, which is great, and cost effective. Bleach Cyber is another similar tool. Your email may have some built-in settings to help reduce the spam that gets to your inbox; check with your Technical Advisor. Training for your team must include topics on best email practices. At a minimum, the ASD website has some great content. Cyber Wardens is a good program to enrol your team in, and my email scanning tool, Guardz, has cybersecurity awareness training built in. If you want to buy additional email training, there are some good options out there (Huntress, My Business, and Cyber Eclipse), but remember: we don't blame team members who click on links, we educate. | You will have up-to-date, or automated, patching of your email software. You will have a vulnerability scanner for your email (and other business systems software). Your Technical Adviser can suggest some advanced settings on your M365. (The Essential Eight strategies themselves are platform-neutral, but ASD's detailed implementation guidance for them is written for Microsoft environments, so talk to your Technical Advisor if you use Google Workspace. Google has some documentation, and here is an easy-to-read guide.) |
| Who looks after your website? Does it have the latest version of your website software (e.g. WordPress)? Are all the plugins and themes updated to their latest version? Who checks this at least monthly? Who checks that the website is up and working as intended? Who checks that the privacy policy on your website is accurate and reflects what your business does? Does your website have a login function for clients, or a shopping cart, or do you store client data? (If so, the scope of this document is not enough, so talk to your Technical Advisor.) Does your website have other apps that link into it, like email marketing, a booking system, or similar? These services are just as important as your website, so make sure your Technical Advisor knows about them and how everything fits together. | Set up a website scanning tool to monitor your website and ensure it is free from malware and other issues. I use https://sucuri.net/ but your website hosting provider may have it included also. Think about the difference between data and content. Data does not belong on your website. Data you collect should be removed as soon as practical after you have done something with it; many forms tools have an auto-delete function. Where is your website hosted? Does your hosting provider give details of when their systems were last updated and patched? Do you have a dedicated server? Do you know what the hosting company does for patching and updates, or do you have to look after some aspects of this yourself? Do you have someone actively looking after your website, ensuring it is regularly updated and all the plugins are updated and working smoothly? | If you are at this level, your website is most likely a key part of your service delivery, and |
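The "URL tips and tricks" in the Easy Mode email cell above come down to one question: which site would you actually be talking to? The script below is an added example, not part of the original guide: it takes a link apart and reports the registrable domain (the name a company actually rents) together with the tricks phishing links rely on: a fake username before "@", a raw IP address, a brand name used as a subdomain, lookalike non-ASCII letters, punycode, plain http, and odd ports. All the addresses are constructed. Deciding where the registrable domain ends properly needs the Public Suffix List; the small table of Australian, UK and NZ second-level suffixes here is a simplification, as is the "subdomain contains a dot" heuristic.

```python
"""Pull a link apart before clicking it: the URL checks from Step 4.

Added example, not from the original guide. All addresses are constructed.
Finding the registrable domain properly needs the Public Suffix List; the
short suffix table below is a simplification, as is the subdomain heuristic.
"""
import ipaddress
from urllib.parse import urlsplit

# Partial list of suffixes under which the rented name has three labels.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au",
                      "co.uk", "org.uk", "co.nz"}


def registrable_domain(host):
    """'shop.example.com.au' -> 'example.com.au'; 'paypal.com.evil.example' -> 'evil.example'."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def inspect_url(url):
    """Return the host you would really reach plus a list of warning signs."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # lower-cased, userinfo and port removed
    findings = []
    if parts.scheme != "https":
        findings.append("not https: anything you type can be read in transit")
    if "@" in parts.netloc:
        findings.append("text before '@' is a fake username; the real host follows it")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("raw IP address instead of a name")
    except ValueError:
        is_ip = False
    if not host.isascii():
        findings.append("non-ASCII characters in the name (lookalike letters)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (xn--): internationalised, possibly lookalike, name")
    if parts.port not in (None, 443):
        findings.append(f"unusual port {parts.port}")
    domain = host if is_ip else registrable_domain(host) if host else ""
    # Heuristic: a prefix that itself contains a dot ("paypal.com.") is usually
    # a brand name planted as a subdomain of someone else's site.
    prefix = host[: -len(domain) - 1] if domain and host != domain else ""
    if "." in prefix:
        findings.append(f"looks like '{prefix}' but the site is '{domain}' (subdomain trick)")
    return {"host": host, "domain": domain, "findings": findings}


if __name__ == "__main__":
    for link in ("https://www.xero.com/login",
                 "https://paypal.com.account-verify.example/login",
                 "http://paypal.com@203.0.113.5/login",
                 "https://www.mybusiness.com.au/"):
        r = inspect_url(link)
        verdict = "; ".join(r["findings"]) or "nothing odd"
        print(f"{link}\n  site: {r['domain']}\n  {verdict}")
```

An empty findings list is not a guarantee the site is safe (a freshly registered look-alike on its own domain passes every check here); it only means the link is not lying about where it goes, which is the part you can verify before clicking.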