The noise around cybersecurity is deafening. Everywhere you turn, someone, somewhere, is talking or writing about it. And for good reason – a lot of businesses still do not have the appropriate cyber security measures in place.

However, all this noise can have the opposite effect – instead of taking action, we become complacent. The more you hear about it, the more desensitised you become. Not to mention, it’s hard to get the right information.

That’s a problem.

Did you know only three in every 10 business leaders believe their company faces a very high risk of having a cybersecurity issue? That’s despite a cyber security incident being reported every 6 minutes in FY22-23, up 14% from the previous year.

These incidents are now costing small businesses an average of $46,000 per report and medium businesses over $97,000 per report.

The harsh reality is we live in a ‘not if but when’ environment when it comes to cyber-attacks and breaches. Every business needs to know their risks and what level of security is required to enable them to keep operating BAU.

The first step is having a realistic idea of where you sit right now. But it can be difficult to know where to start. That’s why we’ve put together a check-list of what we would consider basic, bare minimum cybersecurity measures all businesses should have in place. If you would like to discuss this checklist or get advice on improving your company’s cyber security, reach out to us here.

The best-practice cyber security checklist

These are 16 of the key foundational cyber security measures we recommend all businesses implement, divided into four core categories. How many can you tick off?

Protecting against external threats

• Every employee uses Multi-factor authentication (MFA) to access all applications.
• You keep your email security up to date with anti-spam, anti-phishing protection and Domain Name System (DNS) authentication methods..
• You limited access to your systems (geo-blocking) to only authorised locations and individuals.
• All devices have a monitored and managed antivirus software (and, ideally, advanced threat detection and response solutions).
• If your business operates in-office, your network is behind a managed, advanced firewall to protection and monitor all network activity.
• Internet access controls and web filtering have been implemented to reduce online threats.

Limiting attacks 

• Software and system updates are regularly checked, managed, and installed in a timely manner.
• Role based access controls (RBAC) are implemented, meaning that all users only have the necessary level of access privilege necessary to perform their job.
• Security controls are in place to protect data at rest (data that is not being accessed/used) or in the cloud.

Organisation standards

• You have employee education and training in place and have made cyber security awareness a focus of your operating culture.
• Password management tools (such as LastPass) are being used to securely store and access passwords.
• You have IT policies and procedures in place that cover all items on this list, and are regularly referenced and updated.

Proactive governance risk and compliance

• Systems that audit, log and alert on security compromises are in place. At a minimum, you are receiving alerts and managing them, ideally through a security information and event management (SIEM) platform.
• You have a business continuity and recovery plan in place in the event of a breach, including regular, managed disaster recovery compliant backups for all data, which are being regularly tested.
• You conduct regular security audits, vulnerability scans and penetration tests to validate your IT security
• You keep up-to-date with the latest threats and security controls.

Why is cybersecurity still a challenge for some businesses?

While it might sound logical to make cybersecurity a priority, the reality doesn’t always match.

We recently worked with a business that was keen to strengthen its cyber security measures. As part of the consultation, we tested their employee cybersecurity awareness and behaviour, which included sending a fake phishing email to the entire company.

50% of employees who received the email clicked on the link, and 25% entered their username and password when prompted. These huge numbers are alarming, especially considering how often real phishing emails land in employee inboxes.

It was a no-brainer to suggest ongoing employee training as a low-effort, high-impact solution. But the business leaders didn’t think employees would get on board with it, so they decided against it.

In our experience, many businesses are serious about cybersecurity until they’re required to change how they do things. Cyber security is not just about the changes you make to systems and technology but a culture and attitude shift.

Customised ongoing support is your best cyber defence

Cyber security is a journey, not a destination. The IT and technology world is always changing, and while there will always be some bare minimum measures everyone should have (MFA is a good example), ‘good’ cybersecurity requires constant reviewing and testing. It’s not a once-off, and you’re never done with it.

Secondly, it’s important to remember there’s no one-size-fits-all with cyber security. What’s right for your neighbouring business might not be right for you. Your business, employees, customers, and goals will all influence your risks and where you should focus your attention.

That’s why the right support – that’s customised to you and is continuously reviewed and updated – is the only way to ensure cybersecurity that works with and for your business.

At Bigfish, our Managed IT services include cyber security measures customised to each business and continually monitored by our team. If you’re not meeting the foundational security measures in the checklist, or you’re looking to further improve your cyber security practices, get in touch for some expert advice.