How we approach Cyber Security Planning for Small Businesses
- Mark Radford
- Sep 9, 2025
- 7 min read

Cyber threat volume and sophistication are increasing. We now regularly see, hear or read articles about how a successful breach has significantly impacted another business we use. What's absolutely clear is that no firm is exempt from cyber strike attempts; attackers target large and small businesses alike, seeking exploitable vulnerabilities irrespective of size or industry. Safeguarding a business's digital assets has therefore never been more crucial, and a practical and affordable approach never more necessary.
Start with an Incident Response and Recovery Plan
If you're a small business owner, you might not have the IT resources of larger enterprises, but that doesn't mean you can't protect your business effectively. Perhaps a useful way to start thinking about cyber security, albeit slightly gloomy, is to start at the end; assume you are being attacked and your data is being encrypted. What do you do? Go back to that USB stick you used to back up your data five Christmases ago when you changed your laptop?
Developing a plan for how you would respond to and recover from such a scenario is not just about preparing for the worst; it also serves as a reflection of your needs, helping you to discover and understand your business's potentially unique cyber risks. Those risks can then be used to determine the preventative steps to protect your business and establish a baseline of resilience, as well as help to build a business continuity plan, should it be needed.
A robust plan should provide the confidence to grow your business despite the countless cyber threats that you face, as well as serve as a window onto where your resilience to cyber threats currently stands.
Without a plan, in the event you are successfully attacked you're unlikely to know who you need to inform, what data you'd be recovering, where data was stored, what sensitive customer information you hold or what assets you need to recover, let alone actually have the backup data to be able to recover. Going into a cyber incident without a plan means you're effectively blind, leaving much to chance and, when attacked, you risk severe disruptions that could lead to financial loss, reputational damage and a possibility your business may not recover. We saw this with KNP Logistics Group not long ago.
Thankfully this planning need not be a complex process and the following may be helpful to get started.
1. Assess Risks: The Foundation of Your Plan
This is the most crucial step. You can't protect against what you don't understand.
Identify Your Critical Assets: What data, systems, and hardware are absolutely essential for your business to function? This might include customer databases, accounting software, point-of-sale systems, intellectual property or even specific hardware like a 3D printer or manufacturing machine.
Recognise Potential Threats: What are the most likely ways your business could be attacked? For example:
- Ransomware: A malicious programme that encrypts your data and demands a ransom for its release.
- Phishing: Deceptive emails or messages designed to trick employees into revealing sensitive information like passwords or financial details.
- Malware: General malicious software that can corrupt data, spy on your network, or disrupt operations.
- Physical Theft or Damage: A stolen laptop, a server room flooded by a burst pipe, or a fire.
- Insider Threats: A disgruntled employee intentionally damaging systems or stealing data.
Analyse Vulnerabilities: Where are the weak points in your current setup?
- Are your software and operating systems up to date?
- Are your employees trained to spot phishing emails?
- Do you have strong passwords and multi-factor authentication (MFA) enabled?
- Are your backups regularly tested?
2. Response Strategy: Your Script for an Incident
This step turns your risk assessment into a set of actions. For each identified threat, you should have a clear, step-by-step guide on how to react.
Define Roles and Responsibilities: Who is the first person to be notified? Who is in charge of communications? Who is responsible for technical recovery? For a small business, one person might wear several hats, but it’s still useful to define these roles in advance.
Isolate the Threat: The immediate priority is to stop the problem from spreading. This might involve disconnecting affected devices from the network, shutting down servers, or disabling user accounts.
Investigate and Learn: Once the immediate crisis is over, you need to understand how the incident happened. This helps you prevent a recurrence.
Recover Data and Systems: How will you restore your business to a functional state? This is where your backup strategy becomes critical.
3. Establish Communication Protocols: Keeping Everyone in the Loop
During a cyber incident, clear and calm communication is vital to maintaining trust and managing the situation effectively.
Internal Communication:
- Who needs to be notified and in what order?
- What information should be shared?
- How will you communicate if your primary systems (like email) are down? Do you have an alternative channel like a messaging app or a phone tree?
External Communication:
- Customers: Do you need to inform them about a potential data breach? What is the legal or ethical obligation? Craft a prepared statement and keep it as a template.
- Partners and Suppliers: Do your business partners or vendors need to know about the incident?
- Authorities: Depending on the nature of the incident, you may be required to report it to law enforcement or government agencies like the ICO.
4. Recovery Strategy: The Core of Your Business
Assuming you need to recover business data, once you have contained and mitigated the threat itself, recovery is the next priority. Your plan should address this with a clear, step-by-step process.
Backup Verification: Before you start a full restore, confirm the integrity of your backups. Are the files clean of any malware? Are they recent enough to be useful? You don't want to restore corrupted data or reintroduce the threat you've just dealt with.
Backup Hierarchy and Restoration Order: If you have multiple backups (e.g., daily, weekly, and monthly), which one do you use? Your plan should specify the order of priority. It should also outline the order of restoration for your systems. For example, you might need to restore your customer-related data first, then your working documents and then any archived data you held.
Off-site and Cloud Backups: A good recovery plan relies heavily on backups that are physically and logically separate from your primary network. This prevents a threat like ransomware from encrypting both your live data and your backups simultaneously. Your plan should include the specific steps for accessing and restoring from your cloud provider or an off-site physical location. If you're able to then it's also a sensible idea to make sure those backups are immutable, i.e. they cannot be changed once created, to prevent an attacker from impacting your ability to recover.
Business Continuity and Minimising Data Loss: Recovery isn't just about getting everything back, it’s about getting the most critical parts of your business back online first. Define your Recovery Point Objective (RPO) or in other words the maximum amount of data you can afford to lose (e.g., 24 hours of data changes). This helps you determine which backup to use and guides your strategy for minimising data loss.
5. Test and Revise the Plan: Don't Let It Gather Dust
A plan is only useful if it actually works.
Scheduled Drills: Walk through a simulated incident with your team. This helps identify gaps in the plan and clarify any confusion.
Simulated Attacks: For a more realistic test, consider a mock phishing campaign to see how your employees react.
Review and Update: Technology, threats, and your business change. Your plan needs to stay relevant, so reflect changes to your business circumstances in the document. Review it at least annually, or after any significant change in your IT infrastructure or business operations.
Confirm your Backups Work: Check your data backups are working correctly and restore one as a test to make sure it contains the data you expect.
Small businesses may not have the time to check everything but, as a minimum, read your response plan annually and make sure it still holds up against your current business circumstances. Have conversations with your team about how they would react if you were to face a cyber attack. If you have delegated roles to specific people, then sit down with them regularly to clarify their roles in a cyber incident. When it comes to data recovery, as a minimum, set a calendar reminder to go into your backups and make sure they exist, are up to date, and that you can download and access the backed-up data.
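A backup check along the lines of the Backup Verification, RPO and "Confirm your Backups Work" points above, as an added example that is not part of the original article: it picks the newest backup taken before the incident whose files still match their recorded hashes, and reports whether the resulting data loss is within the RPO. The manifest.json layout, function names and sample data are assumptions constructed for illustration; a hash match shows the files are unchanged since the backup was taken, not that they are free of malware.

```python
import hashlib, json, tempfile
from datetime import datetime, timedelta
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def write_backup(root, name, taken_at, files):
    """Create a constructed sample backup: data files plus manifest.json (assumed layout)."""
    d = root / name
    d.mkdir()
    for rel, data in files.items():
        (d / rel).write_bytes(data)
    manifest = {"taken_at": taken_at.isoformat(),
                "files": {rel: sha256(d / rel) for rel in files}}
    (d / "manifest.json").write_text(json.dumps(manifest))
    return d

def verify(backup):
    """Return the files that are missing or no longer match the manifest hash."""
    m = json.loads((backup / "manifest.json").read_text())
    return sorted(rel for rel, digest in m["files"].items()
                  if not (backup / rel).is_file() or sha256(backup / rel) != digest)

def choose_restore_point(backups, incident_start, rpo):
    """Newest backup taken before the incident that passes verification.
    Returns (path, data_loss, within_rpo), or None if no backup is usable."""
    candidates = []
    for b in backups:
        m = json.loads((b / "manifest.json").read_text())
        taken = datetime.fromisoformat(m["taken_at"])
        if taken < incident_start:  # later backups may already hold encrypted data
            candidates.append((taken, b))
    for taken, b in sorted(candidates, reverse=True):
        if not verify(b):
            loss = incident_start - taken
            return b, loss, loss <= rpo
    return None

def demo():
    """Constructed scenario: the daily backup is damaged, so only the weekly one is usable."""
    root = Path(tempfile.mkdtemp())
    incident = datetime(2025, 9, 8, 14, 0)
    daily = write_backup(root, "daily", datetime(2025, 9, 8, 2, 0), {"customers.csv": b"id\n1\n2\n"})
    weekly = write_backup(root, "weekly", datetime(2025, 9, 1, 2, 0), {"customers.csv": b"id\n1\n"})
    hourly = write_backup(root, "hourly", datetime(2025, 9, 8, 15, 0), {"customers.csv": b"ENCRYPTED"})
    (daily / "customers.csv").write_bytes(b"corrupted")  # damage after the backup was taken
    return choose_restore_point([daily, weekly, hourly], incident, timedelta(hours=24))
```

In the constructed scenario the only usable backup is a week old, well outside a 24-hour RPO, which is the kind of gap a test restore is meant to surface before an incident. In practice the manifest should be kept with the immutable copy so it cannot be altered alongside the data.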
Back to the beginning: Prevention is the Best Protection
As mentioned, a disaster recovery plan isn't just about reacting; it's also about building a more resilient business from the start. Once you understand your cyber risks, how you would respond to an incident and how you'd recover in a disaster situation, you can work backwards to understand the preventative steps you can take to avoid all of that headache. To summarise, those steps are likely to include these areas:
Data Backups: This is the most important measure. Keep a copy of your backup data in an immutable storage solution.
Employee Training: Your employees are your first line of defence. Regular training on common cyber threats, the use of strong passwords and Multi-Factor Authentication (MFA), and following security protocols is essential.
Cyber Security Software/Hardware: Invest in good antivirus, anti-malware, and firewall solutions. Consider email filtering services to block malicious messages.
Regular Updates: Keep all software, operating systems, and firmware patched and up to date.
Access Control: Check that your business data and any cloud applications are configured with the least amount of access needed for people to carry out their role.
As a business owner, completing every task yourself is perhaps not an easy ask but necessary to remain secure. Cyber experts like Cyber Ease will help make this easier of course. If you would like to talk more about how we can help then please reach out.