Small Business Cybersecurity Activation Plan

IN PROGRESS

This guide is intended for small businesses that have a pretty straightforward setup - eg you do not have a server in your back room, you use cloud services by default, and do not do any custom software development.

(If you have a server, or do custom software development, or are in a highly regulated industry, then read ahead, but there will be more for you to do than is mentioned here).

This is by no means exhaustive; it’s just a tool to ask you some questions so you can start thinking about cybersecurity and can start to talk to your Technical Advisor on how to implement some changes in your business.

There are three levels, each building on the level before:

  • Easy Mode - you don’t have a cybersecurity plan in place, and you and your team don’t know much about cybersecurity, but you want to sleep better at night.

  • Get it Done - you just need to get better and more rigorous at doing cybersecurity in your business.

  • The Journey - your business has some cybersecurity in place and you are on the way to becoming certified by an external audit program like ISO27001.

Step 0 - The 6 Knows

Telstra has a great methodology called The Five Knows. I will add one more.

Know why you are embarking on this journey:

  • How does having good cybersecurity fit into your business values?

  • What benefit will good cybersecurity have for your business? Eg will it be that you are 20% better than your competitors, or just that you can sleep better at night?

Easy Mode

Get it Done

The Journey

Think about who, what, why, when:

  • What data do you store?

  • What data do you collect from your customers?

  • Where do you store that data? (Paper? Laptop? Cloud?)

  • Who in your business has access to that data?

  • What do you do with that data?

  • Where do you send that data?

Make lists of data, people, software, logins, hardware, devices:

  • Answer the Five Knows in notes to yourself.

  • Tip: If you have a Password Manager, use that as the list of Software, and make notes about what the software does, who accesses it, how much it costs, and when it is due for renewal.

  • Check your Router for which devices are connected to it, as the starting point for which hardware you have. Don’t forget backup / redundant devices.

Start some Registers:

  • A Register of Software used

  • A Register of all Laptops, Phones, iPads, and any device connected to the internet. Include your home if you do a lot of work at home.

  • A register of all places data is stored, and what data is stored there (eg Dropbox, Google Drive, Xero…).

  • Keep these registers in a place and format that can be easily updated.

  • You will want a tool that will scan your network to show all the devices connected.

Think about what you would like to be doing better.

Write down something about what being better at cybersecurity will look like.

Plan how you are going to bring your staff along on this journey.

Step 1 - Knowledge

Easy Mode

Get it Done

The Journey

Read the Australian Government Small Business Cybersecurity Guide.

  • Identify the areas you really don’t understand.

  • Ask for some help.

Decide if SMB1001 Gold self attestation may be a good fit for your business.

  • Get your Technical Specialist onboard with your plan.

Heading for ISO27001? Wanting to do more government work?

  • Decide which level you would like to get to, and within what time frame.

Have a read of your current Policies and Procedures.

  • Does anything stand out as needing to change?

Gather all your current policies and procedures in one place, as you will be updating them.

Think about having a centralised place to store and maintain policies and procedures. There are many options.

Think about risk in your business.

  • What keeps you up at night?

  • What would you do if something happened to a key piece of software or hardware?

  • What if you lost your phone? Can you even pay payroll?

Start to write down some of the risk scenarios you may face as a business.

  • Things going wrong

  • Key people not being available

  • What happened during the pandemic?

Plan to implement a risk register in the business, along with all that entails (eg updating it regularly). There are great apps to help with this.

What regulations does your business have to follow?

What parts of the Privacy Act scare you? What parts don’t you understand? What do you need to ask your Technical Specialist about?

How are you staying up to date with legislation that may affect your business?

What other regulations impact you? Eg your suppliers, or the people you supply to, may be subject to regulations that affect the way you do business with them.

What parts of the new Cybersecurity Legislation Package (2024) do you need to be factoring into your business?

You are going to need to start maintaining Supplier Agreements, and managing your supply chain, along with being responsible for understanding and complying with all the legislation and regulations that impact your sector.

What help do you need to get this done?

Step 2 - Passwords

Your passwords are the keys to your kingdom. It’s time to stop with the Admin/12345. Start with the passwords that need to be most secure.

Easy Mode

Get it Done

The Journey

As you go through your day, think about your passwords.

  • What is this password protecting? (your banking, payroll, client documents).

  • Is it a good password?

  • When did you last change it?

  • How do you know this password? (eg memory, stored in your browser, written on a post it note).

  • Is it unique? (yes, really unique!).

  • Who else, apart from you, uses this same login and password? (eg do staff members who have left the business still know this password?).

  • Does this login also have Multi Factor Authentication?

  • What type of MFA (eg sends a text message, uses an authenticator app).

  • Change any passwords that are not unique.

  • Change any passwords that have not been changed in 12 months.

  • Turn on MFA everywhere you can. If there is an option for MFA that is not text or email based, then choose that first.

  • Ensure all Social Media accounts, and your main Email / Office account, have MFA.

  • For those passwords where you can’t use MFA (eg banking), make a note in your password manager of what protection they do have (eg a text message confirmation for new suppliers).
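The checks in the list above (unique passwords, changed within 12 months, MFA on, shared logins known) can be run over an export from your password manager. The script below is an added example, not part of this guide or of any password manager’s own tooling; it assumes a CSV export with the columns name, password, last_changed, mfa and shared_with (real managers use their own column names, so adjust them), and the export embedded in it is constructed with no real credentials.

```python
"""Audit a password-manager export against the Step 2 checks.

Added example, not from the guide. Assumes a CSV export with the columns
name, password, last_changed (YYYY-MM-DD), mfa (none/sms/email/app/key)
and shared_with (semicolon-separated usernames). The export below is
constructed for illustration and contains no real credentials.
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample export.
SAMPLE_EXPORT = """name,password,last_changed,mfa,shared_with
Bank,correct-horse-battery-staple-2022,2022-03-01,sms,
Xero,correct-horse-battery-staple-2022,2024-11-15,app,alice
Mailchimp,Summer2023!,2023-06-30,none,bob;carol
Microsoft 365,9x!Lq2#vR8@pW4$tZ,2025-01-10,key,
Instagram,Summer2023!,2023-06-30,none,
"""

WEAK_MFA = {"sms", "email"}    # second factors that can be phished or SIM-swapped
MAX_AGE = timedelta(days=365)  # the guide's "not changed in 12 months"


def load_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, today):
    """Return {account name: [findings]} for every account needing attention."""
    # Count how often each password appears so reuse can be flagged.
    reuse = Counter(r["password"] for r in rows)
    findings = {}
    for r in rows:
        issues = []
        if reuse[r["password"]] > 1:
            issues.append("reused password")
        if today - date.fromisoformat(r["last_changed"]) > MAX_AGE:
            issues.append("not changed in 12 months")
        if r["mfa"] == "none":
            issues.append("no MFA")
        elif r["mfa"] in WEAK_MFA:
            issues.append(f"weak MFA ({r['mfa']})")
        if r["shared_with"]:
            issues.append("shared login: " + r["shared_with"])
        if issues:
            findings[r["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(load_export(SAMPLE_EXPORT), date.today()).items():
        print(f"{name}: {', '.join(issues)}")
```

Run it on an export, fix the flagged accounts starting with the ones that protect banking, payroll and client data, then delete the export file: it holds every password in clear text.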

It may be time to start setting up Single Sign On (SSO) for your main systems. Both Microsoft and Google can be set up for SSO.

  • Also think about hardware keys (eg Yubikey) for your main accounts rather than push or authenticator based MFA on your phone.

Start using a Password Manager, even the free version of LastPass.

  • Think about getting a team plan of LastPass or 1Password and get your whole team, and even family onboard.

  • Set up a long passphrase for logging into your Password Manager - but don’t forget it! There is no way to reset your password for a Password Manager if you don’t already know your existing password.

  • Ensure passwords are not saved in your browser anymore (the setup for the password manager should help with this).

  • Set up your Password Manager to be on your Phone and in your Browser.

  • When you need to share a password with someone, how do you do it?

Get onto the team plan of LastPass or 1Password.

  • Ensure no passwords are saved in your browser.

  • Use the change password feature of your password manager to update passwords.

  • Shared logins are marked as such, and shared with only the team members that need them.

  • Each team member should have their own logins to all services.

  • Get the family onto a Password Manager also.

  • Keep business and personal passwords separate (eg LastPass for personal and family sharing, 1Password for the team).

  • Who has access to your business passwords in case of your death or incapacitation, especially the passwords that are needed to have the business run in your absence?

    • Eg if you are the only one who can release payroll, then you may need to have someone designated and approved by your bank to release payroll in your absence.

  • Store backup login codes separately to your logins.

  • Set up Time-based One-Time Passwords (TOTP) separately from your Password Manager.

  • Eliminate Shared Logins where possible.

  • Ensure Logins and Passwords are disabled as soon as a team member leaves.

Step 3 - People

Yes, I put People behind Passwords. The first part of educating People will be to talk about Passwords.

Easy Mode

Get it Done

The Journey

Just as you have had to check what you didn’t understand and ask for help, start this process with your team also.

https://www.cyber.gov.au/learn-basics

  • No question is too silly,

  • No one will be penalised for asking a question about something that looks strange,

  • Let the team know that you are all together embarking on a journey to get the business better at cybersecurity.

  • Talk about what ideas they have, and what areas they see as needing improvement.

  • Come to an agreement on some baseline rules:

    • No more hidden data - eg spinning up a spreadsheet and then maintaining it weekly forevermore.

    • No more signing up to a new online service without approval.

    • No more emailing documents and spreadsheets to anyone, including another team member.

    • No more taking data home on USB sticks.

  • Take the Quiz, share the results with the team, and talk through the answers.

  • Talk them through the next steps.

    • Passwords

    • Access Control

    • Application Control

  • When they groan, and complain, remind them what you discovered in Step 0 - how does getting better at cybersecurity fit with your business values?

You may want a few key team members to become “cyber wardens” but take the course yourself first. Be aware that this is not everything you need to know, and it can be a bit too simplistic at times.

Talk to your IT specialist about what cybersecurity training they recommend.

Never recommend training that shows your team as the “weakest link” or the “first line of defence” or any other scare tactics. It’s your job to get your business to a position that a team member clicking on a link does not grind your business to a halt.

Training must also include Data Privacy and your obligations under the Privacy Act.

Cybersecurity training is a core part of your business.

Your team has cybersecurity training as one of their measurable points.

You may have cybersecurity training included as part of some of the software you have already.

But just watching a few videos per year, or watching a video if you happened to click on a phishing test that your IT provider sent out, is not enough.

Cybersecurity and data privacy are a key part of business as usual for you and your team, and a key part of your business values, so you are also helping your suppliers and customers with their cybersecurity challenges.

Step 4 - Email and Websites

Easy Mode

Get it Done

The Journey

  • I have an email scanning tool linked to my main email account. I use Guardz, which is great, and cost effective. Bleach Cyber is another similar tool.

  • Your email may have some built in settings to help reduce spam that gets to your inbox. Check with your Technical Advisor.

  • Training for your team must include topics on best email practices. At a minimum, the ACSC website has some great content. Cyber Wardens is a good program to enrol your team in, and my email scanning tool, Guardz, has cybersecurity awareness training built in.

  • If you want to buy additional email training, there are some great options out there (Huntress, My Business, and Cyber Eclipse), but remember: we don’t blame team members who click on links, we educate.

  • You have your DMARC, DKIM, and SPF settings all set on all the domains your business uses for email.

  • Your Email Marketing tool has those settings verified and you can send your bulk emails without half of them bouncing.

  • You will have up-to-date or automated patching of your email software.

  • You will have a vulnerability scanner for your email (and other business systems software).

    • Your Technical Adviser can suggest some advanced settings on your M365. (And no, the Australian Government’s Essential 8 does not give advice for any platform other than Microsoft 365, so talk to your Technical Advisor if you use Google Workspace. But Google has some documentation, and here is an easy to read guide.)
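The SPF and DMARC settings above can be checked against what is actually published in your DNS. The script below is an added example, not part of this guide or of any vendor’s tooling; it assumes you have already looked the TXT records up (in your DNS host’s console or with dig) and pasted them in, so it runs offline. DKIM is left out because its record sits under a selector name chosen by your email provider. The records for example.com inside the script are constructed.

```python
"""Check a domain's SPF and DMARC TXT records for the Step 4 settings.

Added example, not part of the guide. Works on TXT record strings you have
already looked up, so it needs no network access. DKIM is not checked here
because its record lives under a selector name chosen by your email
provider. The records below are constructed for example.com.
"""
import re

# Constructed records: SPF on the bare domain, DMARC on _dmarc.<domain>.
SAMPLE_RECORDS = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per record).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def parse_spf(txt):
    """Return (lookup_count, qualifier of the 'all' term) or None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    lookups, all_q = 0, None
    for term in txt.split()[1:]:
        if ALL_TERM.match(term):
            all_q = term[0] if term[0] in "+-~?" else "+"   # bare 'all' means '+all'
        elif LOOKUP_TERM.match(term):
            lookups += 1
    return lookups, all_q


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record as a dict, or None."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_domain(domain, records):
    """Return a list of human-readable findings for one domain."""
    findings = []
    spf = [t for t in records.get(domain, []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("more than one SPF record (receivers treat that as a permanent error)")
    else:
        lookups, all_q = parse_spf(spf[0])
        if all_q is None:
            findings.append("SPF has no 'all' term")
        elif all_q == "+":
            findings.append("SPF ends in '+all', which lets anyone send as your domain")
        elif all_q == "~":
            findings.append("SPF ends in '~all' (softfail); move to '-all' once DMARC reports are clean")
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups (limit is 10)")
    dmarc_txts = records.get("_dmarc." + domain, [])
    dmarc = parse_dmarc(dmarc_txts[0]) if dmarc_txts else None
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none only monitors; move to quarantine or reject")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC p= tag missing or invalid")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so you receive no reports")
    return findings


if __name__ == "__main__":
    for finding in check_domain("example.com", SAMPLE_RECORDS):
        print(finding)
```

Run it for every domain your business sends email from, including the ones used only by your email marketing tool. The usual path is p=none with reports flowing first, then quarantine, then reject, and the same tightening from ~all to -all in SPF once the reports show nothing legitimate failing.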

Who looks after your Website?

  • Set up a website scanning tool to monitor your website and ensure it is free from malware and other issues. I use Sucuri (Complete Website Security, Protection & Monitoring), but your website hosting provider may have it included also.

  • Think about the difference between data and content. Data does not belong on your website. Data you collect should be removed as soon as practical after you have done something with it. Many forms tools have an auto delete function.

  • Who else has Admin access to your Website?

    • Your Website Host

    • Your Website Developer

    • Your SEO specialist

    • Your Shopping Cart specialist

    • Your Integration Specialist

  • What level of access to your website do your staff have?

    • Why do they need Admin access?

  • Where is your website hosted?

    • Does your hosting provider provide details of when their systems have last been updated and patched?

    • Do you have a dedicated server? Do you know what the hosting company does for patching and updates, or do you have to look after some aspects of this yourself?

  • Do you have someone actively looking after your website, and ensuring it is regularly updated and all the plugins updated and working smoothly?

  • Is there a way you can have your SSL certificate updated automatically so it doesn’t expire?

If you are at this level, your website is most likely a key part of your service delivery, and is not treated differently from any of your other critical business systems.

  • See my page on Websites and Salesforce for more technical details as to how a website can work as the basis for your whole business systems.

Your Domain Name is the gateway to your business.

  • Who is the Domain Reseller?

  • Are the Domain contact details up to date (and in your name)?

  • What is the expiry date of the Domain?

  • Do you have the domain set to auto renew? And is the credit card up to date?

  • Who do the important domain related emails come to? How do you ensure they don’t get missed?

  • Do you own the domain names for every aspect of your business (eg every trading name)?

  • Do you own the domain names for misspellings or similar names? The ACSC has some good advice.

  • Do you own the .au domain for your business?

  • Is your personal email sent to your business domain? (A friend recently retired and gave up her registered business name. Unfortunately that meant she could no longer keep her .com.au domain that she had been using for 20+ years as her only email address. Don’t let this be something you have to change in your later years!)

  • Who hosts your DNS?

    • That may be different from your Domain Registrar, and it even may be different from your Website Host.

    • Know where it is hosted, and know how to update it when needed.

  • Are your DNS records correct?

    • After many years there may be A records, or TXT records that are no longer in use. Ensure they are updated to be relevant for your business now.

    • My security scanning tool, Guardz, tells me about random DNS records that may need looking into.

  • Are all your domains redirected to your main website?

There are many more considerations for Domains as your business gets larger or more technically complicated. Your Technical Advisor will be able to help. Here is a good guide for DNS related issues.

Step 5 - Business Applications

I’m not going to distinguish between software installed on your PC, Mac, or Laptop from apps installed on your mobile devices, or from any cloud services that you log into from any device. Any application you use for your business (or even home use, if you have a device that does both business and personal) is included in this section.

Easy Mode

Get it Done

The Journey

  • Do you know all of the devices on your business network?

    • This includes desktops, laptops, mobile phones, game devices, TVs, thermometers, fridges, coffee machines, robovacs, door locks - anything connected to the internet.

  • Implement an Asset Register to record details of every device connected to your network, especially if they hold client data.

  • You may want to have some form of MDM (Mobile Device Management) solution to remotely update and / or wipe business owned devices.

    • Both Apple and Google have solutions, but you may need a third party solution if you have a mix of devices in your business.

  • You will want an auto discovery tool on your network to tell you every device that is connecting to your network.

  • Do you know all the applications your business uses?

    • You would have already done this when you looked at your passwords, but there are other applications that may not need a password, eg applications installed on your device.

    • Which applications do you think are “mission critical”, or really important for your business?

  • Which applications can you delete?

    • Old software that is not in use anymore.

      • Do you need to export data from it before you delete it?

    • Trial versions that you never used.

  • What is installed on other users' devices?

    • Is there anything on there that you didn’t know they were using?

    • Is it something to delete, or make a part of the standard business systems for your business?

  • Which applications store business critical data?

  • Which applications store client data?

  • Are all these applications up to date for the latest versions, or if you have chosen to not upgrade to the latest version, are there any security patches from the vendor that they require or recommend?

  • For all those applications you discovered, especially the ones that are business critical or hold client data, add them to a register of digital assets for your business.

  • For mobile devices, applications should only be installed from the official app stores, rather than sideloaded directly onto the device.

  • If you choose not to update an application to the latest version, or cannot update it for some reason, document the reasons why.

  • You will want to implement some form of automated Application Control for all your PCs, and devices.

  • What happens if you lose your phone?

  • Have automatic updates turned on for all key business applications on your mobile devices.

  • Do you need to think about a separate Work phone and Personal phone?

    • Android 15 has a new feature called Private Spaces that may be useful if you use the one phone.
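The device registers from Step 0 and the auto discovery tool above both come down to the same question: is everything answering on the network something you have written down? The script below is an added example, not part of this guide; it assumes you can paste the output of arp -a (Linux/macOS format) from a machine on the office network, and that the asset register maps MAC address to device and owner. Both the ARP output and the register in it are constructed, not from a real network.

```python
"""Reconcile devices seen on the network with the asset register.

Added example, not part of the guide. Assumes `arp -a` output pasted from
a machine on the office network and an asset register keyed by MAC
address. The ARP output and register below are constructed.
"""
import re

# Constructed `arp -a` output (Linux/macOS format).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.10) at 3c:22:fb:aa:bb:cc [ether] on wlan0
? (192.168.1.23) at 5a:8e:3f:12:34:56 [ether] on wlan0
? (192.168.1.40) at b8:27:eb:01:02:03 [ether] on wlan0
"""

# Constructed asset register: MAC -> (device name, owner).
ASSET_REGISTER = {
    "00:11:22:33:44:55": ("Office router", "business"),
    "3c:22:fb:aa:bb:cc": ("Alice's laptop", "alice"),
    "dc:a6:32:99:88:77": ("Front desk printer", "business"),
}

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_arp(text):
    """Map each MAC address in `arp -a` output to the IP it answered for."""
    return {m.group("mac").lower(): m.group("ip") for m in ARP_LINE.finditer(text)}


def is_locally_administered(mac):
    """True when the 'locally administered' bit of the first octet is set.

    Phones using private/randomised Wi-Fi addresses set this bit, so such a
    MAC changes over time and cannot be pinned in the register by MAC alone.
    """
    return int(mac.split(":")[0], 16) & 0x02 != 0


def reconcile(seen, register):
    """Split devices into unknown, randomised-MAC, and registered-but-absent."""
    unknown, randomised, not_seen = {}, {}, {}
    for mac, ip in seen.items():
        if mac in register:
            continue
        (randomised if is_locally_administered(mac) else unknown)[mac] = ip
    for mac, entry in register.items():
        if mac not in seen:
            not_seen[mac] = entry   # offline today, or gone: check it has not been lost
    return {"unknown": unknown, "randomised": randomised, "not_seen": not_seen}


if __name__ == "__main__":
    for bucket, devices in reconcile(parse_arp(SAMPLE_ARP), ASSET_REGISTER).items():
        print(bucket, devices)
```

ARP only lists devices on the same network segment that have talked recently, so run this from a couple of machines over a few days, and separately on any guest network. Anything in the unknown bucket gets identified and either added to the register or removed from the network; randomised addresses are normally staff phones, which you track by owner rather than by MAC.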

Step 6 - Data, Privacy, and Confidentiality

Easy Mode

Get it Done

The Journey

  • Is the data in your key business applications backed up?

    • What would happen if, for example, you lost access to your Xero file, or something happened to it?

  • Is your business email backed up? Yes, I know you probably keep key data “filed” in your email.

    • What about your Files?

  • Consider investing in an automated cloud backup solution for your key business applications, and files.

    • There are tools that back up Google Workspace and Microsoft 365 and also cover CRM systems, file platforms, etc.

    • There are specialist tools that will back up Xero, and they even have an option to do a one-off backup, or continuous backups.

  • Also back up to physical storage in case the Cloud backup is inaccessible.

  • Remember to test restoring from your backup, especially for key business systems.

  • Check that the privacy policy on your website is accurate and reflects what your business does and how it actually handles data.

  • Update your Privacy Policy at regular intervals to reflect the changes in your business.

  • Privacy Impact Analysis is a key part of your business as usual whenever you are making changes in your business.

  • Think about the data you store in your business and which staff have access to it.

  • Staff should have access to the minimum data they need to do their job.

  • Think about access to your business systems, as well as file access and access to emails.

  • When staff leave, do you have a process for removing their access to devices, business systems, emails, and files?

  • Documenting what access level each staff member has to each business application and file folder is a good idea.

  • Have a documented process for onboarding and offboarding staff so that staff are not given the “keys to the kingdom” in their first few days.

  • Minimise the number of people with full Admin access to your business systems.

  • Setting up Single Sign On for business systems, or automated policies that can be applied to restrict or grant access to staff, may be the best way to take the headaches out of the minutiae of dealing with access.
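The access review described above (minimum access per role, few admins, nothing left behind when someone leaves, which is also the last item of Step 2) is something you can do from three lists. The script below is an added example, not part of this guide or of any application’s own admin tooling; it assumes a staff list mapping username to role, a minimum-access matrix of which apps and highest level each role needs, and the account list exported from each application as (app, username, level). All three inputs in it are constructed.

```python
"""Review who has accounts, and at what level, across business applications.

Added example, not part of the guide. Assumes three constructed inputs: a
staff list (username -> role), a minimum-access matrix (role -> the apps
and highest level that role needs), and the account list exported from
each application as (app, username, level). All three are made up.
"""

STAFF = {"alice": "owner", "bob": "sales", "carol": "bookkeeper"}

ROLE_ACCESS = {
    "owner": {"Xero": "admin", "M365": "admin", "CRM": "admin", "Website": "admin"},
    "sales": {"M365": "user", "CRM": "user"},
    "bookkeeper": {"Xero": "user", "M365": "user"},
}

LEVEL_RANK = {"user": 0, "admin": 1}

ACCOUNTS = [
    ("Xero", "alice", "admin"), ("Xero", "carol", "admin"), ("Xero", "dave", "user"),
    ("M365", "alice", "admin"), ("M365", "bob", "user"),
    ("M365", "carol", "user"), ("M365", "dave", "user"),
    ("CRM", "alice", "admin"), ("CRM", "bob", "admin"),
    ("Website", "alice", "admin"), ("Website", "webdev-agency", "admin"),
]


def review(accounts, staff, role_access, max_admins=2):
    """Return accounts to remove, accounts to downgrade, and apps with too many admins."""
    not_on_staff, over_privileged, admins = [], [], {}
    for app, user, level in accounts:
        if level == "admin":
            admins[app] = admins.get(app, 0) + 1
        role = staff.get(user)
        if role is None:
            # Departed staff, or a contractor never added to the staff list.
            not_on_staff.append((app, user))
            continue
        allowed = role_access.get(role, {}).get(app)
        if allowed is None or LEVEL_RANK[level] > LEVEL_RANK[allowed]:
            over_privileged.append((app, user, level, allowed))
    too_many_admins = {app: n for app, n in admins.items() if n > max_admins}
    return {
        "not_on_staff": not_on_staff,
        "over_privileged": over_privileged,
        "too_many_admins": too_many_admins,
    }


def offboard(accounts, username):
    """Return the account list without a departing person's logins, plus the
    (app, level) pairs that must be disabled in each application today."""
    to_disable = [(app, level) for app, user, level in accounts if user == username]
    remaining = [a for a in accounts if a[1] != username]
    return remaining, to_disable


if __name__ == "__main__":
    for bucket, items in review(ACCOUNTS, STAFF, ROLE_ACCESS).items():
        print(bucket, items)
    print("offboarding dave:", offboard(ACCOUNTS, "dave")[1])
```

Contractors such as a website agency should be on the staff list with their own role and an end date, so they show up as expected access rather than as an unknown account; the review is worth repeating whenever someone joins, changes role or leaves, and at least quarterly otherwise.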

Data needs to have a life cycle where the capture and storage of data is only part of the story. Destruction of data when it is no longer needed is important too.

  • How do you destroy data?

  • When do you destroy data?

  • How do you destroy files?

  • How do you retire devices?

  • How many old devices do you have hanging around with business applications or business data on them?

  • Have a documented policy on data retention and secure data destruction (this extends the documented list of what data you hold, from Step 0).

  • Have a documented policy on how to retire and dispose of devices in a secure way, ensuring the device is wiped before sale or destruction.

  • Use Secure shredding facilities for paper and physical media destruction.

  • Automated systems that flag when data should be reviewed for destruction or archive may be useful.

  • Also think about destruction of that data from your backups if necessary.

Step 7 - To Infinity and Beyond!

Easy Mode

Get it Done

The Journey

  • What else about the cybersecurity in your business is keeping you up at night?

    • What advice do you need, or what steps do you need to take?

  • Ensure you have a Trusted Advisor that is helping your business with all things IT and Cyber.

    • They don’t have to be the same people or same company. Cybersecurity is not solely an IT thing, and IT is not all about cybersecurity.

  • You have a Trusted Advisor that is a key member of your business team.

    • The Trusted Advisor works with your business proactively, and is on hand for any key decisions and changes in business processes.

  • AI?

    • This is a whole other topic.

    • If you are using any of these new Generative AI tools in any way, stop and think what data you are feeding it.

    • If you would not put that data on your public website, don’t give it to an AI engine.

  • Have an audit of your business usage of Generative AI (and other AI tools). See if you can turn it off until you decide what the risks and ramifications are for your business using it. The ACSC has some good AI documentation.

  • AI is used where appropriate and only where approved.

  • AI usage is monitored and the business responds to the rapidly changing technology by continuing to evaluate if the usage fits within your business risk profile.

  • What happens if you have a cybersecurity incident?

    • Do you know who to turn to, what the first steps are, and then what the next steps are?

  • Incident Response Plans are tested.

    • Incident Response Plans are kept in up to date hard copy form, and all staff know what their roles and responsibilities are if an incident happens.

  • Who has access to your physical premises?

  • What can visitors see or hear when they are wandering around?

  • Have a visitor register so you know who comes into your premises and when.

    • Have a visitor badge to identify that this person is a visitor.

    • Let staff know what is expected of them when there are visitors in the premises.

  • Do you want a “clean desk policy” so nothing is visible when the cleaners come through at night?

  • Are visitors (eg trades, repairs) escorted within your premises at all times?

  • There may need to be a policy to do Police vetting on any staff member or contractor that has access to the premises, or who has administrator privileges to your business applications.

  • All of the tech things! Yes, the things that you don’t want to know about or think are too hard. If that is the case, find someone who can explain it until you understand it, and why it is important for your business.

  • Challenge your Technical Advisor and ask good questions. But that does need to be balanced with knowing when to take advice from them.

  • What are the technical things in your business that you don’t understand? Here are a few examples:

    • Multi Factor Authentication - MFA

    • Encryption including Encryption at Rest and End to End Encryption

    • Transport Layer Security - TLS

    • Secure Sockets Layer - SSL (the s in https)

    • Antivirus

    • Firewall

    • etc

  • Some more advanced technical concepts that may be needed for your business as it grows.

    • DKIM, SPF, DMARC for email

    • Single Sign On - SSO

    • Identity and Access Management - IAM

    • Virtual Private Network - VPN

    • Remote Desktop Protocol - RDP

    • etc

  • Even more advanced topics of technology to understand more about how they are used in your business.

    • Asset Discovery

    • Application Allowlisting

    • Penetration Testing

    • Threat Intelligence

    • Vulnerabilities

    • Hardening (eg in regards to Browser, Email, Software, Hardware).

    • Privileged Access

    • Break Glass

    • Logging and Monitoring

    • Network Security

    • Cryptography

    • Audit

    • Data Classification

    • etc

  • Talk to your Business Insurance Broker about whether you may need Cyber Insurance.

    • There is a lot to know and the terms and restrictions are difficult to understand, but if your broker recommends it, it is worthwhile understanding what Cyber Insurance can do for you.

    • Cyber Insurance is unlike other Insurances - it is not going to repair your business back to the way it was before (like rebuilding a house after damage). Cyber Insurance is not a substitute for actually doing the hard work to improve your business' cybersecurity practices.

  • Understand all the terms and conditions of your Cyber Insurance.

  • Have a good dialogue with your Insurance Advisor so they really understand your business and the cyber risks your business faces.

  • Ensure your insurance gives you access to a team that will help your business manage a significant incident.

  • A lawyer specialising in cybersecurity recommended that I talk to a lawyer on their panel, to understand what they do in case of an incident, and that is something she regularly does with the insurance companies she works for.

  • Legal and Insurance are a key part of your business as usual, and you have a trusted Legal Advisor and a trusted Insurance Advisor along with your trusted Technical Advisor.