Free Essential Cyber Security Checklist

Every day there are stories in the news about companies that have been ransomed, lost data or been hacked by cyber criminals. The growing threat of cyber-enabled crime means that all organisations must integrate good cyber habits into their businesses.

Good cyber habits do not need to be costly to implement and our free checklist below will guide you as to whether you are safe.

The list below identifies the basic elements of good cyber security. Tick off the elements you have so you can identify and deal with any weaknesses.

The Firewall is your first line of defence against cybercriminals because it acts as a buffer zone between your internal network and the external internet.
HOW IT WORKS: The Firewall inspects incoming and outbound traffic to your network using a set of rules to block threats.
HOW TO GET IT: Many devices come with a firewall already built-in including Mac, Windows, and Linux computers. All you need do is configure the firewall, which is a straightforward task for your IT support / IT manager.

Anti-virus software is another essential part of your security from external threats. Some anti-virus software includes anti-malware and anti-spyware technology whilst others do not. You will need to check what is included with your supplier. It will always be cheaper and easier to install anti-virus software than it is to deal with a virus that gets onto your system.
HOW IT WORKS: The software scans incoming files that are passed through your network traffic and comparing the code against a library of code known to be used in viruses and malware. The software learns how to identify new threats.
HOW TO GET IT: Anti-virus software protection needs to be purchased from a reputable supplier such as Norton, McAfee, Kaspersky etc.

Back up your data regularly to 2 different places away from the original file storage. Many businesses only have one copy, and that single copy can often be compromised in a ransomware attack.
HOW IT WORKS: The backup software takes a snapshot of what has changed on your system since the last snapshot was taken. It permits the files to be reinstated back to the previous uncompromised copy if data is lost, locked, stolen or corrupted.
HOW TO GET IT: Your IT support / IT manager can advise on implementing both the backup software and arranging an additional copy (e.g. to a separate hard disk not connected to the system).

• Make and keep an up-to-date list of all the hardware devices that should be connecting to your system: lots of businesses don’t know how many laptops/mobiles/routers etc are authorised.
• Make a list of all software being used and ensure all software is using the latest version. Ensure all machines are set to auto-update. (However, do not enable Auto-Run or Auto-Play which can enable the installation of unauthorised and malicious software).
HOW IT WORKS: Identifying and keeping an up-to-date list of hardware and software on your system will help you identify unauthorised activity and access.
HOW TO GET IT: For hardware a physical audit is needed to identify every bit of kit that is able to access the system. For software, use the device manager and select ‘show hidden programs’ in the menu.

Maintain a system for creating accounts and permissions for new employees and for disabling accounts and permissions for people leaving the business.
HOW IT WORKS: By managing accounts you ensure that only current employees have access only to what they need to do the job. It is quite common for ex-employees to find that their logins to various parts of the network still work, many months after they have left the business. Those with ill-feeling towards the business can use this to cause harm.
HOW TO GET IT: This can be managed on a simple spreadsheet in Excel or equivalent.

Check which (if any) parts of your internal system are accessible from external connections e.g., a mail server – these types of connections can be used by cyber criminals and need to be properly managed.
HOW IT WORKS: System access permits incoming and outbound traffic to your network, and you have no control over whether the person at the other end has adequate security or is a malicious actor.
HOW TO GET IT: You need to ask the person who configures your system to show you how you are currently securing the access points to your system and make sure you have a list of all external connections.

Check all users’ permission levels: people should only have access and permissions that are necessary for their role.
HOW IT WORKS: This stops employees accessing information, or parts of the system in a way that could accidentally or deliberately disrupt your business
HOW TO GET IT: You need to ask the person who configures your system to show you how to apply the appropriate permissions.

Secure your system from outside unauthorised access implement 2 factor authentication wherever possible. This adds a much more secure layer of security when entering a system than passwords used on their own.
HOW IT WORKS: Users are required to authenticate their identity typically by entering a code sent to a previously registered mobile phone before being permitted to access the system.
HOW TO GET IT: 2FA solutions are available from companies like Google and Microsoft.

Implement a password policy: Tip: Use three random words and include some capital letters and numbers / special characters. (Making them too long and complex risks people forgetting them or writing them down on a sticky note close to their machine).
HOW IT WORKS: Criminals have many techniques for cracking passwords, so it is important that they are strong and periodically changed.
HOW TO GET IT: Passwords are the key to your businesses front door so training your organisation’s users is paramout, as is reinforcing the importance of maintaining security.

DMARC is a protocol that determines the authenticity of an email message. If you adopt the protocol, you will be less likely to receive spoofed emails and bogus invoices.
Quad9 blocks known malicious domains, preventing your computers and IoT devices connecting to malware or phishing sites.
HOW IT WORKS: DMARC checks existing protocols in the email coding to verify their authenticity. Quad9 washes your incoming traffic against a huge library of known malicious IP addresses.
HOW TO GET IT: Effective DMARC & QUAD9 are both available for free from the Global Cyber Alliance.

© Prevention of Fraud in Trade & James Marchant 2021

Useful Links:

About Cyber Essentials – NCSC.GOV.UK

Small Business Guide: Cyber Security – NCSC.GOV.UK

Setting up two-factor authentication (2FA) – NCSC.GOV.UK

Password Guidance – NCSC.GOV.UK

GCA Cybersecurity Toolkit For Small Business – Global Cyber Alliance

GCA Free DMARC Protocol – Global Cyber Alliance

GCA Free Quad9 – Global Cyber Alliance

Cybersecurity for SMEs – Challenges and Recommendations — ENISA (