AVG Small Business IT Security Health Check

What are the questions that you need to consider regarding the state of your IT Security?

How well protected is your business from cyber threats?

Research shows that cybercriminals target businesses because they’re seen as easy targets for stealing customer or employee data and bank details.

Small businesses can’t afford to ignore these cyberthreats, but how at-risk is YOUR business? And what can you do to tackle specific vulnerabilities?

The 17-question AVG Health Check will help you assess how secure your business is against online threats, and what actions you can take to shore up the weak links.

1 Company policy

Answer each question Yes, No or Don’t know.

Do you routinely destroy unneeded information: shredding old paper files, physically destroying old hard drives, wiping portable devices, removing and destroying memory and SIM cards, etc?

Do you have a policy to ensure that strong passwords are used across the business?

Do you limit access to data within your company and adopt a strict need-to-know policy?

If you have a Bring Your Own Device (BYOD) policy, do you have the ability to remotely manage and wipe company data from each employee’s device?

2 Compliance

Do you know the law on data security and when to notify customers about a breach?

Have you created an internal incident response plan for dealing with data breaches?

Have you created a Data Breach Notification Policy, which is a document you provide to all of your customers, telling them how your business will notify them should a data breach occur?

Have you ensured that third-party partners and vendors are compliant with data security laws?

3 Employee knowledge

Do you educate employees on data security policies and procedures, including the need for strong passwords?

Have you determined which members of staff should be trusted to possess administrator privileges?

Have you informed employees about the dangers of accessing cloud-stored data through unsecured wireless networks in public places such as airports and cafes?

Do your employees know to accept all software updates when prompted?

4 IT infrastructure

Are all the devices in your business running on the latest available operating system?

Have you installed firewalls, antivirus, and anti-spyware programs on all devices in your business?

Is your network configured to automatically install security updates?

Does your email provider offer virus and phishing scans?

Are all your servers, hard drives, data storage devices, folders and files encrypted?

Have you reduced to the necessary minimum the number of devices that have administrative access to your company’s servers?

5 Your results

Count your Yes answers (out of 17):

0-5: Must do better

You know security is a serious issue, but you’re just starting to deal with it. Treat our questions as action points to improve security. Come back and use the AVG Health Check to assess your progress.

6-10: Room for improvement

You have started to put the training, processes and IT infrastructure in place to keep data secure. But there’s more to do. Review the questions you’ve answered and begin to address the “no” and “don’t know” answers.

11-15: Pretty good

You have a good grasp of security issues and have taken steps to keep data secure. But more can be done to train employees, improve IT infrastructure or put policies and procedures in place. Don’t be complacent.

16-17: Top of the class

Do you work for AVG? You understand online threats and how to keep your business secure. But threats constantly evolve. Keep your processes and training under review and ensure your IT infrastructure has the best security.

How to improve your score

Small businesses can’t afford to ignore the danger of cyberattacks. All the research points to bad actors targeting businesses they see as an easy target for stealing customer or employee data and bank details. Our IT Security Health Check is a starting point for small businesses to gauge how prepared they are – and here are our best practice answers to each of the 17 basic questions.

Small business managers need good information to move their company forward. The Health Check should be used as a general good practice guide only.

Best practice guidelines

Company Policy: Routinely destroy unneeded information

Take stock of the data you routinely gather and accumulate, both analogue and digital. Retain only the information you actually use or are required to hold by law. Shred old paper files, physically destroy old hard drives, wipe portable devices, and remove and destroy memory and SIM cards. Note that simply overwriting files is not reliable on solid-state drives and phones, because flash wear-levelling can leave copies of the data in place; use the device’s built-in secure-erase or an encrypted-device factory reset, or destroy the media physically.

Company Policy: Password policy

  • With more of our communication and transactions stored online, account access carries serious security risks, so a strong password policy is essential. Some best practice policy guidelines include:
    • Passwords must be at least 8 characters long
    • Should not contain any personal information (real name, username, company name)
    • Must be very different from previous passwords
    • Do not use any complete, correctly spelled words
    • Use uppercase and lowercase letters, numbers and symbols.
  • Current guidance such as NIST SP 800-63B puts more weight on length and on screening new passwords against lists of known-breached passwords than on forced composition rules or scheduled changes. Treat 8 characters as a floor rather than a target, prefer longer passphrases, and give staff a password manager so they do not reuse passwords across services.
  • It is essential to communicate this to your teams, check it regularly and support members who may need further guidance.
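The rules above are easy to state and easy to get wrong in code. The following is an added example, not code from AVG or from this page: a Python checker that enforces the five listed rules at password-change time. The word list and the personal terms are constructed stand-ins; a real deployment would load a full dictionary (for example /usr/share/dict/words) and pull the personal terms from the account record.

```python
"""Added example: enforce the password rules listed above.

Assumptions: DICTIONARY is a tiny constructed stand-in for a real word list;
personal_terms would come from the account record (real name, username,
company name). Nothing here is AVG's own code.
"""
import difflib
import re

MIN_LENGTH = 8
# SequenceMatcher ratio at or above which a new password counts as
# "not very different" from an old one (0.0 = nothing in common, 1.0 = identical).
SIMILARITY_LIMIT = 0.6

# Constructed mini word list; load a full dictionary in real use.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "company"}
REQUIRED_CLASSES = {"lower", "upper", "digit", "symbol"}


def _character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(password, personal_terms=(), previous_passwords=(), dictionary=DICTIONARY):
    """Return the list of rules the password breaks; an empty list means it passes.

    previous_passwords must be plaintext for the similarity test, which is only
    possible at change time when the user supplies the old password. Stored
    passwords stay hashed; never keep old passwords in the clear for this check.
    """
    problems = []
    lowered = password.lower()

    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: no personal information. Terms are split into words so that
    # "Jane Smith" catches both "jane" and "smith"; very short parts are skipped.
    for term in personal_terms:
        for part in term.split():
            if len(part) >= 3 and part.lower() in lowered:
                problems.append(f"contains personal information ({part.lower()})")

    # Rule 3: must be very different from previous passwords.
    for old in previous_passwords:
        ratio = difflib.SequenceMatcher(None, lowered, old.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("too similar to a previous password")
            break

    # Rule 4: no complete, correctly spelled words. Runs of four or more
    # letters are the candidate words; each is looked up in the dictionary.
    for word in re.findall(r"[A-Za-z]{4,}", password):
        if word.lower() in dictionary:
            problems.append(f"contains the dictionary word '{word}'")

    # Rule 5: mix of upper, lower, digits and symbols.
    if not REQUIRED_CLASSES <= _character_classes(password):
        problems.append("needs upper and lower case letters, digits and symbols")

    return problems


if __name__ == "__main__":
    terms = ("Jane Smith", "jsmith", "Acme Ltd")  # constructed account data
    for candidate in ("Summer2019!", "jsmith99", "Tq7#vLm9!xR"):
        result = check_password(candidate, terms, previous_passwords=("Tq7#vLm9!xQ",))
        print(f"{candidate!r}: {result or 'OK'}")
```

The similarity threshold is deliberately conservative: a password that differs from the previous one by a single character (the classic "increment the last digit") scores well above 0.6 and is rejected, which is the behaviour the "very different" rule is meant to produce.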

Company Policy: Need-to-know access policy

Only give administrator privileges to those who need them, to reduce the risk of cybercriminals gaining access to your systems. It is tempting to grant access to systems and software to anyone in your business who asks for it so they can do their job, but each extra person in the loop adds risk: if a device belonging to that person is compromised, an attacker may now be able to reach every system or application they log into. By limiting access, and making a small, defined group of administrators responsible for specific systems, you contain that risk. The same limit reduces the damage a disgruntled employee can do through internal espionage or sabotage. Changing administrative and shared passwords whenever someone who knew them leaves or changes role also helps.

Even with limited access, you should still train every employee in safe computing practices.

Company Policy: Bring Your Own Device (BYOD) policy

  • Many companies encourage the use of personal devices, especially so the business does not have to buy and support devices. But this has its own set of dangers, as individuals’ devices and behaviours are harder to monitor and control. This matters most when the same device is used both to access sensitive company data and to download unvetted apps and attachments without protection.
  • Here are some basic steps to building a BYOD policy:
    • Define:
      • which web browsers employees should use
      • which security tools you recommend
      • what level of support your IT team provides
    • All employees should sign up to your BYOD policy, which explains their rights and responsibilities and allows you to remotely wipe and monitor company data on the device if needed.
    • Find a good Mobile Device Management solution to help you manage the data and devices.
    • Offer BYOD to the employees who will get the most benefit and return out of it. It doesn’t have to be company-wide if you don’t need it to be.
    • Build a secure network. If your network is secure to begin with, it becomes much harder to hack. Limit remote access to your network and data: give permission on a need-to-know basis and only to relevant data, at the appropriate time.
    • Include and implement your password policy [see above].
    • Keep company data in encrypted cloud storage that is backed up, rather than on the device itself, so that a lost or wiped device does not mean lost data.

Compliance: Know the law on data security

It is important to know what your legal obligations are, especially when you must notify customers about a breach.

  • Consult with a specialist law firm to ensure your internal policies and procedures are compliant, as regulations change and case law evolves.
  • Budget for a yearly review of your policies.
  • Educate employees on data security policies and procedures.
  • If your country/state/region has regulations (e.g. GDPR for businesses operating in Europe), comply with required training and education.

Compliance: Create an internal incident response plan

  • Many companies don’t have official guidelines on what employees and business owners should do in case of cyberattacks or data loss.
  • In addition to a Data Breach Notification Policy, create an internal incident response plan for dealing with breaches and post-breach notification. Identify what staff should do if they suspect they are subject to an attack or breach. Define who will be responsible for liaising with customers, communicating with employees as well as ensuring that the breach has been fixed.
  • Consider including the following content in your response plan:
    • If you detect a breach, fight the urge to panic and, whatever else you do, do not even think of ignoring the incident.
    • Gather all the facts of the incident – is a breach confirmed, suspected, or potential?
    • Notify relevant financial institutions, starting with the bank or company that manages your credit card or other online payment processing.
    • Notify your data breach insurance carrier.
    • If your insurance carrier does not furnish legal counsel, secure outside qualified legal assistance to help identify what laws may be involved and whether the incident warrants or requires consumer and/or government notification.
    • Notify affected customers in accordance with the terms of your Data Breach Notification Policy.
    • Ensure that you have fully addressed the breach itself so that no more data is being lost and no more data is at risk. Preserve logs and images of affected systems before rebuilding them, so the scope of the breach can be established. If necessary, consult with a cyber security expert.

Compliance: Create a Data Breach Notification Policy

  • Many businesses hold vast amounts of sensitive, private and personal data about suppliers, employees, customers and other groups. Theft or unauthorised disclosure of this data, even data that is not formally confidential, can cause real damage to individuals and companies alike. It is therefore important to create a Data Breach Notification Policy and issue it to all your customers, telling them how your business will notify them should a data breach occur.
  • In it you should address:
    • The scope of the policy – what does the policy cover?
    • Define the data – what data does it cover?
    • Your goals – what are your goals for compliance and risk management, and what work are you doing to achieve them?
    • Statutory reporting obligations – explain what you are obligated to report and when.

Compliance: Ensure third-party partners and vendors are compliant with data security laws

  • This is a much-overlooked area of cyber security and risk reduction. Many organisations with poor security put their partners at risk. This can happen through shared systems that are breached, or through weak third-party email systems that let phishing and social engineering emails through. Just as your partners may put you at risk, if you are found to have been the source or cause of a data breach at another company, you can be held responsible and liable for damages. Third-party vendors are repeatedly implicated in serious data security incidents.
  • It is therefore essential to work closely with all third parties to ensure proper security procedures are employed after data leaves your immediate control.

Employee knowledge: Educate your employees

  • You are only as strong as your weakest link, so it is essential to educate employees on the risks to small business, data security policies and procedures and the need for strong passwords.
  • Do not just instruct your staff, inspire and empower them. Educating employees about security is an opportunity to make everyone feel like a member of a team on which the welfare of one is the welfare of all. By educating your employees, equipping them with the knowledge and tools to stay protected, and communicating that they have an important role in protecting themselves and the company, they are more likely to act responsibly and with the care, caution and attention needed to avoid cyberattacks.

Employee knowledge: Appoint system administrators

Determine which member(s) of staff should be trusted with administrator privileges (the level of access that allows the installation of new software and the changing of configuration settings). By limiting such privileges to the smallest number possible, businesses can reduce the risk of individuals who might – accidentally or purposely – upload malicious software, configure a system to reduce its security or compromise the security of the system itself.

Employee knowledge: Be public wi-fi aware

As part of your training programme, inform employees about the dangers of accessing cloud-stored data through unsecured wireless networks in public places such as airports and cafes, and tell them to use the company VPN or a personal mobile hotspot when they have to work away from the office.

Employee knowledge: Hardware

  • Create crystal-clear policies on the use of laptops, tablets and mobile devices outside of the office.
  • Restrict the use of flash drives and other portable storage devices. Lost and stolen portable devices are a leading cause of critical data breaches. For employees who travel, provide laptops or tablets loaded with the bare minimum of data, if any at all. Employees can access the data files they need in the cloud without having to download or retain anything.

Employee knowledge: Stay up-to-date

Ensure your staff accept all software updates when prompted. Many staff see software updates as an irritation, especially when the reasons for updates aren’t known. Many software updates – especially endpoint protection – will include security patches that help keep your machines protected against new and emerging threats. By denying updates, your employees may be opening up the business to the latest cyberattack methods.

IT infrastructure: Update your operating systems

It may sound obvious, but it is essential to ensure that every device in your business is running the latest available operating system version. The WannaCry ransomware of 2017 spread through a Windows SMB flaw that Microsoft had patched two months earlier (MS17-010, March 2017); the machines that were hit were those still running old or unpatched versions of Windows. As app and software developers react to emerging and existing cyberthreats, devices running old versions of software fall out of support, stop receiving essential updates and become vulnerable to attack.

IT infrastructure: Endpoint protection

Install firewalls, antivirus, and anti-spyware programs on all devices in your business and configure them to automatically update. Antivirus software is a core layer of defence against cybercrime and data breaches, because software developers such as AVG Business have large teams of threat trackers who spend their working lives detecting new threats, creating solutions and rolling them out to their customers’ devices to keep them protected. In buying antivirus, businesses are not only buying software, they are also buying a team of experts who continually work to keep them and their data secure.

IT infrastructure: Automatic updates

Though mentioned in two of the above points, it is essential to configure any software to update automatically, where possible. This is to ensure that security patches are up to date and all aspects of your business remain protected as new threats emerge. All it takes is a cybercriminal to find one weakness in one piece of out-of-date software on an employee’s computer to compromise the whole network.

IT infrastructure: Secure your email

Ensure your provider offers virus and phishing scans of your emails, and check that it enforces SPF, DKIM and DMARC for your domain so that attackers cannot easily send mail that appears to come from your business. Email remains a key point of entry for cybercriminals, especially through ever more sophisticated social engineering scams in which criminals impersonate trusted sources and attach malware disguised as PDFs or other documents.

IT infrastructure: Get encrypted

Make sure that all your servers, hard drives and data storage devices are encrypted. Enable full-disk encryption on laptops (BitLocker on Windows, FileVault on macOS) and keep the recovery keys somewhere other than on the device. As well as encrypting critical hardware, encrypt key folders and files on devices. Use strong passwords to support encryption protection: your encryption isn’t worth much if the password is easy to guess or readily available!
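To make the last point concrete, here is an added example (not code from AVG or from this page) that models what an encryption tool keeps beside the ciphertext and what an attacker who walks off with the drive can do offline. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the key-check value is a labelled simplification of what real tools store, and WORDLIST is a constructed stand-in for the multi-million-entry leaked-password lists attackers actually use.

```python
"""Added example: why the password behind your encryption matters.

Not AVG's code. Models the stored header (salt, KDF cost, key-check value)
of a password-based encryption tool and an offline dictionary attack on it.
"""
import hashlib
import os
import time

KEY_LEN = 32                  # 256-bit key
SALT_LEN = 16
DEFAULT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 cost in line with current OWASP guidance

# Constructed stand-in for a real leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "Welcome1", "Summer2019!", "letmein"]


def derive_key(password, salt, iterations):
    """Stretch a password into an encryption key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def key_check_value(key):
    """Simplified key-check value: a stored digest that lets the tool (or an
    attacker) test whether a derived key is the right one. Real tools use a
    different construction for this, but the attacker's job is the same."""
    return hashlib.sha256(b"kcv:" + key).digest()


def protect(password, iterations=DEFAULT_ITERATIONS):
    """Return the header an encryption tool keeps next to the ciphertext.
    The key itself is never stored, only what is needed to re-derive and verify it."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "kcv": key_check_value(key)}


def dictionary_attack(header, wordlist):
    """Offline guessing against a stolen header.
    Returns (recovered_password_or_None, guesses_tried). Each guess costs one
    full KDF run, so the iteration count multiplies the attacker's work, but
    it cannot rescue a password that is on the list."""
    tried = 0
    for guess in wordlist:
        tried += 1
        key = derive_key(guess, header["salt"], header["iterations"])
        if key_check_value(key) == header["kcv"]:
            return guess, tried
    return None, tried


def seconds_per_guess(iterations):
    """Measure the cost of one guess at this iteration count on this machine."""
    start = time.perf_counter()
    derive_key("timing", b"\x00" * SALT_LEN, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    weak = protect("Summer2019!")                  # on the list: recovered
    strong = protect("tw4 quiet lanterns over Rye")  # not on the list: survives
    print("weak   :", dictionary_attack(weak, WORDLIST))
    print("strong :", dictionary_attack(strong, WORDLIST))
    per = seconds_per_guess(DEFAULT_ITERATIONS)
    # Single-core Python figure; GPU cracking rigs are orders of magnitude faster.
    print(f"one guess at {DEFAULT_ITERATIONS} iterations ~ {per:.2f}s; "
          f"a 10-million-entry list ~ {per * 1e7 / 86400:.0f} days on one core")
```

Two things to take from running it: the weak password falls on the fifth guess regardless of how expensive the KDF is, and the cost figure printed for a single core is an upper bound on the attacker's effort, not a lower one, since dedicated cracking hardware runs the same KDF far faster.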
