Itag Media Blog | Design, Web, Marketing & Sales Insights

Small business cyber security audit: Protect your business

Written by David Ligtenberg | October 18, 2024

In today’s digital world, even the smallest businesses are targets for cyber-attacks. From data breaches to phishing scams, cyber threats can damage your reputation and impact your bottom line. Unfortunately, many small businesses overlook basic cyber security measures, thinking it won’t happen to them—until it does.

A cyber security audit is a simple but essential way to assess your current practices, identify vulnerabilities, and ensure you’re protected. This guide will walk you through the most important steps, from managing passwords to securing your network, so you can stay one step ahead of those who might do you harm.

1. Password management and access control

Strong password management is the foundation of cyber security, yet it’s often neglected. Weak, repeated or shared passwords leave your business vulnerable to attacks.

Here’s how to audit your passwords:

  • Ensure passwords are unique and updated regularly.
    • Use complex passwords with a combination of letters, numbers, and special characters.
    • A password manager can help generate and store passwords securely.
  • Remove access for former employees.
    • When employees leave, ensure their access to all systems is revoked immediately.
    • Change shared passwords to avoid unauthorised access.
  • Ensure the right people have access to critical accounts.
    • Confirm that the correct individuals have admin privileges for your Google Business Profile and essential accounts.

Best practices for password updates

  1. Critical business accounts (admin, financial, IT systems):
    • Every 3 months, or sooner if suspicious activity is detected.
    • These accounts have high access privileges, so frequent password changes are recommended.
  2. Employee accounts (emails, software logins):
    • Every 6 to 12 months.
    • This helps reduce the risk of compromised credentials over time.
  3. Passwords shared with vendors or temporary staff:
    • Change the password immediately after access ends.
  4. If a data breach or phishing attempt is suspected:
    • Change all potentially compromised passwords as soon as possible.
    • Change your critical business account passwords as well.
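The schedule and access rules above can be checked against an account inventory. This Python script is an added example, not part of the original article: the inventory fields (`category`, `password_changed`, `owner_left`, `access_ended`, `exposed`) and the sample accounts are constructed, and "3 months", "6 months" and "12 months" are assumed to mean 90, 180 and 365 days.

```python
from datetime import date

# Limits from the schedule above (day counts are an assumption of this example).
MAX_AGE_DAYS = {"critical": 90, "employee": 365}
EMPLOYEE_REVIEW_DAYS = 180  # lower end of the 6-to-12-month window

def audit_accounts(accounts, today, breach_suspected_since=None):
    """Return (account name, finding) pairs for every rule an account breaks."""
    findings = []
    for acct in accounts:
        name, category = acct["name"], acct["category"]
        changed = acct["password_changed"]
        age = (today - changed).days
        # Former employees: access must be revoked when they leave.
        if acct.get("owner_left") and acct.get("enabled", True):
            findings.append((name, "owner has left but account is still enabled"))
        # Vendor or temporary access: change the password once access ends.
        ended = acct.get("access_ended")
        if category == "shared" and ended and changed < ended:
            findings.append((name, "shared password not changed after access ended"))
        # Suspected breach: exposed accounts and all critical accounts must rotate.
        if (breach_suspected_since and changed <= breach_suspected_since
                and (acct.get("exposed") or category == "critical")):
            findings.append((name, "password predates suspected breach"))
        # Routine rotation by account category.
        limit = MAX_AGE_DAYS.get(category)
        if limit is not None and age > limit:
            findings.append((name, f"password is {age} days old (limit {limit})"))
        elif category == "employee" and age > EMPLOYEE_REVIEW_DAYS:
            findings.append((name, f"password is {age} days old (due for rotation)"))
    return findings

# Constructed sample inventory, not real accounts.
TODAY = date(2024, 10, 18)
SAMPLE = [
    {"name": "bank-admin", "category": "critical", "password_changed": date(2024, 6, 1)},
    {"name": "jo@example.com", "category": "employee", "password_changed": date(2024, 3, 1)},
    {"name": "sam@example.com", "category": "employee",
     "password_changed": date(2024, 9, 1), "owner_left": True, "enabled": True},
    {"name": "print-portal", "category": "shared",
     "password_changed": date(2024, 7, 1), "access_ended": date(2024, 8, 15)},
    {"name": "crm-admin", "category": "critical", "password_changed": date(2024, 9, 20)},
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE, TODAY):
        print(f"{name}: {finding}")
```

Passing `breach_suspected_since` applies the suspected-breach rule as well, flagging every critical account and any account marked `exposed` whose password has not been changed since that date.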

2. Software and system updates

Keeping your software updated is crucial in preventing attacks that exploit outdated systems. This can include aspects of your website that you’re unaware of, like WordPress plugins or third-party software used on your website.

How to ensure software and systems are updated:

  • Update all devices and software regularly.
    • Focus on operating systems, security software, and any third-party apps you use.
    • It’s a good idea to check that any business software you’re using will work with the latest updates.
  • Enable automatic updates.
    • This ensures no updates are missed and your systems remain secure.

3. Get a modern, up-to-date website and marketing tools

A secure, well-maintained website and marketing platform not only protects your business but also builds trust with your customers.

  • Install SSL certificates
    • This encrypts data and ensures your website shows as secure (“https://”). Modern browsers will encourage users to leave a website that doesn’t have an SSL certificate installed, resulting in potential lost sales.
  • Secure your web forms
    • Implement CAPTCHA or reCAPTCHA to prevent bots from submitting spam.
  • Regularly update website software and themes.
    • Stay on top of updates to protect your site from vulnerabilities.
  • Choose a CRM and email marketing tool with built-in security features.
    • Keep customer data safe and ensure email marketing systems are protected.
    • Turn on 2FA for all user and admin accounts.
  • Use an email address that uses your domain name, e.g. hello@businessname.com.au
    • Avoid using a @gmail.com, @outlook.com, or other generic email address for your business email. Domain names ensure trust with your customers and can help to keep them from falling victim to anyone impersonating your business.

4. Data backup and recovery plan

Backing up your business data protects you from ransomware attacks, hardware failures, and accidental data loss.

  • Ensure regular data backups.
    • Use a combination of cloud storage and external backups.
  • Test your recovery plan.
    • Confirm you can restore data quickly in case of an emergency. A backup is only as good as your ability to recover it.

5. Employee awareness and training

Employees are your first line of defence, but they can also be a security risk without proper training.

  • Provide regular cybersecurity training.
    • Help employees identify phishing emails and other online threats.
    • The Australian Government provides great resources to begin training with your staff on cybersecurity practices at cyber.gov.au/learn-basics
  • Create a cyber security policy.
    • Outline guidelines for password management, device use, and handling sensitive data.
  • Set up common practices and procedures for your employees.
    • Where possible, ensure every user account has 2FA enabled.
    • Have employees save passwords to a company password manager, to ensure you can access accounts if they’re unavailable.

6. Network security

A secure network ensures that cyber criminals can’t easily access your systems.

  • Secure your Wi-Fi network.
    • Use WPA3 encryption and change default network names and passwords.
  • Set up a guest network for visitors.
    • Isolate business devices from personal and guest devices to prevent unauthorised access.

7. Device security

All devices connecting to your business network must be secured to prevent breaches.

  • Install antivirus software and enable firewalls.
    • Protect devices such as computers, smartphones, and POS systems.
  • Use two-factor authentication (2FA).
    • Add an extra layer of security to your critical accounts.

8. Third-party vendor management

Vulnerabilities can come from the vendors and software providers you work with.

  • Review vendor security policies.
    • Ensure your providers follow good security practices to protect your data.
  • Limit vendor access.
    • Only provide access to systems or data when absolutely necessary.

9. Incident response plan

Even with the best security practices, incidents can still happen. Be prepared with a response plan.

  • Develop a plan for managing cyber incidents.
    • Include who to contact, what steps to take, and how to contain the breach.
  • Assign roles and responsibilities.
    • Make sure everyone knows their role in handling an incident efficiently.
  • Securely store a hard copy of passwords and your plan.
    • This gives you a fallback if you can’t access your computers or connect to the internet.
    • Plan for no power, access or internet as well as equipment failure.

Resource: Data Breach Preparation and Response (Australian Government)

10. Regular auditing and monitoring

Cybersecurity is an ongoing process, not a one-time task. Regular monitoring ensures continuous protection.

  • Conduct regular audits.
    • Quarterly or annual reviews can help identify new vulnerabilities.
    • Make this your responsibility or that of someone on your team.
    • If you’re the business owner and have someone on your team managing this, ensure that you’ve invested some time in becoming familiar with the processes in case they’re unavailable.
    • Schedule this into your calendar as a “must-do”.
  • Use monitoring tools.
    • Set up alerts for unusual activity to detect potential threats early.

11. Compliance with legal requirements

Many industries have legal obligations related to data privacy and security.

  • Ensure compliance with relevant regulations.
    • For example, GDPR or the Australian Privacy Act may apply to your business.
  • Consult with legal experts if needed.
    • Stay updated on the latest requirements and changes to avoid penalties.

Build a secure, modern website to protect your business

Cyber security isn’t just about protecting your business from threats—it’s about building trust with your customers through secure, up-to-date systems. A modern or custom website with proper security features ensures that your customers feel safe and can confidently engage with your brand.

If your website or marketing tools are out of date, it’s time to consider an upgrade. We specialise in designing modern, secure websites and marketing platforms that protect your data, safeguard your brand, and provide a seamless experience for your customers.

Get in touch today to learn how we can help you upgrade your website and marketing tools, ensuring your business stays safe, secure, and ready for the future.