Small Business Internet Security Planner 2015

Ensure that your business is safe from cyber threats with this helpful guide. Ticking the boxes on each page will reveal your overall ‘Security Score’.

How will this guide help my business?

  • Helps assess your business’ current internet security measures

  • Scores your business so that you can learn what actions still need to be completed

  • Serves as a useful and thorough reference for business owners and managers

Who has this guide been created for?

  • Small business owners

  • Managers

  • IT staff

Privacy & Data


  • Conduct an inventory

    What should I include?

    It’s important to simply categorise your data initially. This will allow you to assess the overall situation. Later sections of the guide will explain how to act on this information.

    Customer Data

    • Account records

    • Transaction accountability

    • Financial info

    • Contact info

    • Purchasing history

    • Buying habits

    • etc.

    Employee Data

    • Payroll files

    • Social security numbers

    • Address info

    • Email addresses

    • etc.

    What else should I include?

    • Data storage - find out whether the data is held on a network, and whether it ever leaves that network.

    • Data protection - establish whether any security software is used to protect the data, e.g. a firewall.

    • Employee access – determine which staff members require access.

  • Categorise sensitive data

    How should I categorise my data?

    There are three commonly used classifications:

    • Highly confidential - if made public, this data could seriously impede the organisation's operations e.g. accounting, banking, investment, etc.

    • Sensitive - only authorised staff should have access to this data e.g. procedures, project plans, designs, etc.

    • Internal Use Only - this data poses no risk of loss of credibility or finances, but should remain internal e.g. meeting minutes

    This will allow you to judge what level and type of protection should be in place.

  • Create layers of security

    How do I create layers of security?

    • Control access to data - the three main categorisations above will help you to assign access rights and privileges.

    • Create a set of guidelines regarding data access - this will help your business to maintain strict access controls moving forward.

    • Secure your data - the two primary methods are as follows:

      • Passwords - consider two-factor authentication

      • Encryption - use FIPS-certified encryption

    • Back up your data - it's always best to have a backup to rely on, just in case. Back up to an external drive or an online service.
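    The two steps above (categorise the data, then assign access rights from the categories) can be checked mechanically. The following is an added example, not code from the guide or its publisher: it maps a constructed sample inventory to the guide's three classifications and enforces two gates on every request, a clearance level and an explicit need-to-know grant, writing each decision to an audit log. The dataset and role names are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The guide's three classifications, ordered from least to most sensitive."""
    INTERNAL = 1             # Internal Use Only
    SENSITIVE = 2            # Sensitive
    HIGHLY_CONFIDENTIAL = 3  # Highly confidential


# Constructed sample inventory: each data category from the inventory step
# mapped to a classification.
INVENTORY = {
    "meeting_minutes": Level.INTERNAL,
    "project_plans": Level.SENSITIVE,
    "payroll": Level.HIGHLY_CONFIDENTIAL,
    "customer_financial": Level.HIGHLY_CONFIDENTIAL,
}


@dataclass(frozen=True)
class Role:
    name: str
    clearance: Level          # highest classification the role may ever see
    need_to_know: frozenset   # datasets explicitly granted to this role


# Constructed sample roles (hypothetical names).
ROLES = {
    "staff": Role("staff", Level.INTERNAL, frozenset()),
    "project_lead": Role("project_lead", Level.SENSITIVE, frozenset({"project_plans"})),
    "finance": Role("finance", Level.HIGHLY_CONFIDENTIAL,
                    frozenset({"payroll", "customer_financial"})),
}

AUDIT_LOG = []  # one entry per decision, allowed or denied


def can_access(role_name, dataset):
    """Both gates must pass: the role's clearance covers the classification, and,
    for anything above Internal Use Only, the dataset is on the role's
    need-to-know list. Unknown datasets are denied: data that is not in the
    inventory has no classification yet."""
    role = ROLES[role_name]
    level = INVENTORY.get(dataset)
    if level is None:
        decision, reason = False, "dataset not in inventory"
    elif role.clearance < level:
        decision, reason = False, "clearance below classification"
    elif level > Level.INTERNAL and dataset not in role.need_to_know:
        decision, reason = False, "no need-to-know grant"
    else:
        decision, reason = True, "allowed"
    AUDIT_LOG.append((role_name, dataset, decision, reason))
    return decision


def access_matrix():
    """Who can see what: the table a manager reviews when assigning rights."""
    return {r: sorted(d for d in INVENTORY if can_access(r, d)) for r in ROLES}


if __name__ == "__main__":
    for role, datasets in access_matrix().items():
        print(f"{role:13s} -> {datasets}")
    for entry in AUDIT_LOG:
        print(entry)
```

    Note that a high clearance alone does not open every dataset: the finance role cannot read project plans because it has no grant for them, which is the need-to-know principle the guide's access guidelines are meant to capture.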

  • Protect data collected on your website

    What data should I be protecting?

    It's vital to make sure that any data collected by your site is properly protected. This includes the following...

    • Purchasing history

    • Newsletter signups

    • Online enquiries

    • etc.

    Make sure that your hosting provider is reputable and takes the necessary steps to protect your data.

  • Create a privacy policy

    How do I create a privacy policy?

    This is a promise to your customers. It's a clearly written statement that will be published on your website. It conveys what data you store, how it's protected and your intended use for that data. Your business is accountable for the claims made in your policy.

    The Better Business Bureau offers some great advice on this topic: Better Business Bureau - Privacy Policy: Sample, Best Practice & Tips

    There are also tools that help you to create a privacy policy, such as: Free Privacy Policy Generator

  • Prepare a plan for data breaches

    How do I prepare for a breach?

    Even with all the correct preventative measures, it's important to plan for the worst case scenario. The Online Trust Alliance have a great resource on data breaches.

Network Security


  • Secure your internal network

    How do I secure my internal network?

    Your internal network should be separated from the public internet. Each boundary point on your network should be considered and adequate security should be deployed.

    • Border routers should only route traffic to and from your company's public IP address.

    • Firewalls should restrict traffic to only the necessary services.

    • Intrusion prevention systems should monitor for suspicious activity across your network.

  • Secure your cloud service provider

    How do I secure my cloud services?

    It’s important that your cloud service provider upholds the same security standards that you have in place on your own network.

    Make a conscious effort to fully understand the SLAs (service level agreements). You should evaluate if the provider can deliver a service that is suitable for your company’s security requirements.

  • Secure your wifi access

    How do I secure my wifi access?

    • Wireless Encryption – ensure that you’re using Wi-Fi Protected Access 2 (WPA2) encryption only.

    • Internal WLAN – limit the number of devices/users to strictly those who need access. Users should have unique access logins, which should also expire on a set date.

    • Customer & Visitor WLAN – if you do have a WLAN for customers, it’s vital that you keep it completely separate from your main network.

  • How do I encrypt my business' sensitive data?

    • OpenPGP – ensure that any encryption complies with the OpenPGP standard. Both PGP and GnuPG comply with the standard, for example.

    • Portable data – this can also be encrypted, so offer this option to your staff.

    • SSL certificate – an SSL certificate is needed for secure transactions and is now even commonplace for non-retail sites. If you need an SSL Certificate, then check out our range.

  • Employ a strong password policy

    How do I employ a password policy?

    • Two-factor authentication – investigate two-factor authentication. If this is a practical possibility for your company then it’s definitely worthwhile.

    • FIDO alliance – this organisation provides a standard for two-factor authentication, so seek out products and software that display the FIDO Ready logo.

    • Password checker – Microsoft’s handy tool determines the strength of your password.

  • Regularly update all systems and software

    How do I ensure my software and systems are up to date?

    • Automatic updating – take advantage of automatic updating, especially for anti-virus and anti-malware software.

    • Networking equipment – don’t forget to update/patch with any security updates.

  • How can I ensure my staff use a safe browsing strategy?

    • Proxy server – configure your network so that your staff can only access the sites that they require access to.

    • Safe browsing – utilise the safe browsing features that are included with modern browsers.
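    A proxy allowlist is only as good as its host matching. The following is an added example, not code from the guide or its publisher: it checks a requested URL against a constructed allowlist of domains the staff need, matching on the real hostname rather than on a substring of the URL, and flags the requests in a few constructed proxy log lines that fall outside the policy. The domain names and log lines are made up for the example.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist: the only sites this group of staff needs.
ALLOWED_DOMAINS = frozenset({"example.com", "supplier.example.org"})


def host_of(url):
    """Extract the host a request would actually go to, lower-cased and without
    a trailing dot. Returns None when no host can be parsed."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname   # drops userinfo, port, path and query
    return host.rstrip(".").lower() if host else None


def is_allowed(url, allowlist=ALLOWED_DOMAINS):
    """A host matches only if it equals an allowed domain or is a subdomain
    of one. A substring test such as 'example.com' in url would wrongly pass
    example.com.attacker.test or attacker.test/?q=example.com."""
    host = host_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in allowlist)


def filter_log(lines):
    """Apply the policy to constructed proxy log lines ('<user> <url>') and
    return the (user, host) pairs that were blocked, for review."""
    blocked = []
    for line in lines:
        user, url = line.split(maxsplit=1)
        if not is_allowed(url):
            blocked.append((user, host_of(url)))
    return blocked


if __name__ == "__main__":
    sample_log = [                          # constructed sample lines
        "alice https://mail.example.com/inbox",
        "bob http://example.com.attacker.test/login",
        "carol http://user@example.com@attacker.test/",
    ]
    for entry in filter_log(sample_log):
        print("blocked:", entry)
```

    The same check can be fed from a real proxy's denied-request log to confirm that staff are not being routed to look-alike domains.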

  • Ensure your remote access is secure

    How can I ensure remote access is secure?

    If you want to provide remote access then you should use the two following options in conjunction with each other:

    • VPN

    • Two-factor authentication

Website Security


  • Ensure your web hosting is secure and safe

    How do I choose a secure web host?

    Most small businesses will rely on a web hosting provider to manage their server. If you require more freedom and customization then you can manage your own server, but it does mean more responsibility and you will have to hire a ‘web server administrator’.

    • Managed hosting - the provider performs system administration and management activities.

    • Dedicated hosting - a professional system administrator or a staff member with relevant technical know-how is required to perform administration and management activities.

    • Self-hosting - Similar to 'dedicated hosting' except that you house and run the server yourself.

  • Ensure your web server meets your security standards

    How do I ensure my web server meets my security standards?

    • Research your web hosting provider - spend some good time researching your provider before starting a contract. Ask them to assess your site from a security perspective.

    • Managing your own server - make sure your ‘web server administrator’ does the following to the operating system and web server application:

      • Patch and upgrade

      • Configure user authentication

      • Perform security testing

      • Change the default passwords

      • Remove/disable unnecessary applications

      • Configure resource controls

      • Install additional security controls

      • Properly implement your SSL certificate – test your certificate with Qualys' handy tool

  • Protect your web content from unauthorised access

    How do I prevent unauthorised access?

    • Web hosting provider – this will be the host’s responsibility, so if you think someone has accessed your site then you should investigate and consider changing your hosting provider.

    • Managing your own server - the Apache server software is the world’s most popular, so check out their security tips for either version 2.2 or 2.4. If you’re using different software then do some appropriate research.

  • Manage the security behind your active content

    What's the difference between active and static content?

    Active content on a website is content that is either dynamic or interactive. A few examples are weather maps, stock tickers, gifs, polls, streaming audio/video, JavaScript apps, etc.

    This type of content is great for users, but it does open up vulnerabilities that don’t exist with static content. So you should research the risks associated with active content, and speak to your web host or IT staff. Only use active content on your site once you’ve weighed up the risk against the benefit.

  • Avoid posting sensitive information on your site

    What counts as sensitive information?

    Never publish the following information on any area of your site:

    • Medical records

    • Classified business information

    • Business security information (cyber and physical)

    • Any sensitive information relating to individuals which might be subject to privacy laws

    • Network and information system infrastructure

    • Detailed maps, plans, architectural drawings etc. of business buildings

    You may have a restricted area of your website, but be careful as some criminals may still be able to hack it.


Email

  • Filter out malicious emails

    How can I avoid dangerous emails?

    Email is a common channel for attackers trying to spread viruses, but thankfully blocking malicious emails is fairly straightforward.

    • Email filtering - your email service or hosting provider will offer an email filtering service, and you should definitely use their service.

    • Local email filter application - many anti-virus applications will include local email filtering or offer it as an extra service, it should be used in conjunction with the email filtering offered by your email/hosting provider.

    • Staff training - employees are the last line of defence against many malicious attacks. Individuals who are less tech savvy could benefit from email security training, which should cover how to judge risks and how to act in different situations.

  • Ensure sensitive information is not sent via email

    How do I ensure sensitive information is not sent via email?

    Email was not designed to be secure, so it’s easy for confidential information to end up in the wrong hands.

    It’s easy to send an email to the wrong individual or to type the wrong address. In these cases encryption will prevent the unintended recipient from reading the email.

  • Employ an email retention policy

    What is an email retention policy?

    Many businesses adopt a 60-90 day retention standard for emails, but you should check that a law doesn’t require your business to adopt a longer standard. The nature of your business may dictate that you have to retain emails for longer anyhow.

    • Mandatory archiving – automatic archiving will allow you to fulfil your retention standard, and you can set up a deletion date.

    • Personal email folders – within an email client you can configure personal folders, but this can cause complications so staff should be discouraged from using this functionality.

  • Employ an email use policy

    What is an email use policy?

    In your policy, you should determine your company's stance on the following:

    • What type of data can be sent/received

    • Privacy

    • Acceptable and proper usage

    • Email monitoring

    • Business and user rights

    The SANS Institute has a great sample policy that is available to the online community. It can be used by any organisation.

Scams & Fraud


  • Provide 'social engineering' training

    What is 'social engineering'?

    Social engineering is a modern term, but many people would simply use the word ‘con’ in its place.

    It usually occurs over the phone, but it does also happen online. Tricksters convince unsuspecting victims to install malicious software, such as a fake anti-virus. The victim believes that they are doing something positive, but the fake software has been designed to steal sensitive information.

    Some simple staff training could keep con-men away from your business.

    TechTarget provide a more in-depth definition of social engineering.

  • Protect against online fraud

    How can I protect my customers from online fraud?

    A consistent approach to communicating with your customers will help to prevent online fraud. There are two simple rules that should be followed -

    • Information requests - never request personal information from customers through email, social media, or any other online messaging.

    • Inform customers - let your customers know that you will never request personal information through email etc. This will help to prevent others from successfully impersonating your company.

  • Protect against phishing

    How do I protect against 'phishing'?

    Phishing is an attempt by a con artist to gather sensitive information by masquerading as a legitimate organisation.

    Con artists often cruelly take advantage of current events, posing as a fundraiser for a natural disaster campaign for example.

    • Inform customers - it will be embarrassing if your business is used in a phishing con of some kind, so inform your customers that you will never request personal information via email.

    • Staff training - informed employees are far less likely to be victims of phishing.

    • Organization or EV SSL - increase your credibility and help combat phishing by using an SSL with organization verification. Check out our range of Organization Validation SSL Certificates.

  • Avoid fake anti-virus software

    How can I avoid fake anti-virus software?

    Some malicious software masquerades as genuine anti-virus software; once installed it can gather sensitive data.

    • Admin access - most members of staff shouldn't have admin access. This means that they will be unable to install malicious software.

    • Staff training - employees should know how to respond to a virus threat, and they should also be able to determine whether it's a legitimate threat.

  • Protect against malware

    How can I spot malware?

    Malware can infect your computer through a variety of channels, such as email attachments, downloads, etc.

    There are three main things that will keep malware at bay -

    • Anti-virus software

    • Double-check using different software - no single antivirus will catch everything.

    • Keep software updated

  • Protect against spyware and adware

    How can I protect against spyware and adware?

    Spyware and adware are types of software that gather information about individuals and organisations without their knowledge. Such software can also take control of a computer without the user's knowledge.

    There are several ways to protect your business against spyware and adware.

    • Standalone software - programs such as Malwarebytes should be used alongside anti-virus software.

    • Cookies - limit cookies in your browser preference and encourage your staff to clean their browser history regularly.

    • Staff training - train staff never to click on ads or links in pop-up windows.

Mobile Devices


  • Activate security software for smartphones

    What security software should I install?

    If smartphones access your network then it’s vital that you insist on security software. As a minimum the following should be maintained:

    • Anti-virus software

    • Anti-malware software - one program will often cover both anti-virus and anti-malware, although using a second program to double check is advisable.

    • Update software - automatic updating should be enabled.

    • Encryption - if a device has been lost or stolen then its data can be easily accessed; encryption will prevent this.

  • Prevent installation of malicious apps

    What malicious apps should I be cautious of?

    Many apps gather personal information and are even aware of your location via GPS.

    OnGuardOnline provide a great overview of apps and privacy.

  • Ensure your staff use strong passwords on smartphones

    How can I ensure strong passwords?

    • Strong passwords – prevent thieves from accessing your data; use Microsoft’s Password Checker to help create strong passwords.

    • Keep your password secret – remain vigilant and be aware of others sneakily looking as you enter your password.

  • Ensure a strong messaging strategy for SMS, email and social network usage

    What should I include in a messaging strategy?

    • Unknown senders – be cautious of unsolicited messages to avoid viruses and other security threats.

    • Email filtering – avoid spam by setting up email filtering.

  • Create a policy for lost and/or stolen equipment

    What should I include in a lost and/or stolen equipment policy?

    It’s important to create a clear policy for lost and stolen equipment; managers should be aware of the protocol and act accordingly.

    These services allow you to track and remotely wipe stolen devices:

  • Employ a policy for device disposal

    What should I include in a device disposal policy?

    Always follow these two rules before disposing of mobile devices:

    • Factory reset - most mobiles have a reset function, utilise this to wipe the device.

    • SIM cards - remove from the phone and destroy before disposal.

Payment Cards


  • Conduct an inventory of payment data

    What data should I include in a payment data inventory?

    Make an inventory of the data you actually store, which could include -

    • Addresses

    • Names

    • Payment card numbers

    • Magnetic stripe data

    • Bank account details

    • Social Security numbers

    • Identification information

    • Anti-virus software

  • Organise and evaluate payment data

    How do I organise payment data?

    • Delete unused data - it's best practice to securely delete card and customer data, unless it's really vital that you keep the data.

    • Payment tokenisation - there might be occasions where you use stored card data for other purposes, such as a loyalty scheme. Payment tokenisation is an alternative method which means that you don’t need to store the card details yourself.
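    To make the tokenisation idea concrete, the following is an added example, not code from the guide or its publisher. A constructed stand-in vault hands out random tokens in place of card numbers, a loyalty record stores only the token and a masked number for display, and a Luhn check rejects mistyped numbers before they reach the vault. The card number used is the well-known 4111 1111 1111 1111 test number, and the vault, class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan):
    """Reject mistyped card numbers before they reach the vault (Luhn check)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form: everything but the last four digits is hidden."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Constructed stand-in for a tokenisation service. Only the vault maps
    tokens back to card numbers; in practice it is a separate, PCI-scoped
    service (often run by the payment processor) that encrypts PANs at rest."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_index = {}
        # A keyed hash lets a repeat customer get the same token back without
        # the vault searching plaintext PANs. The key would live in an HSM/KMS.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan):
        pan = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            token = secrets.token_hex(16)   # random: reveals nothing about the PAN
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        return self._token_by_index[idx]

    def detokenise(self, token):
        """Only the payment step, inside the vault's boundary, ever does this."""
        return self._pan_by_token[token]


def loyalty_record(vault, customer, pan):
    """What the loyalty database stores: a token plus the masked number for
    display. The full card number never leaves the vault."""
    return {
        "customer": customer,
        "card_token": vault.tokenise(pan),
        "card_display": mask_pan(pan),
    }


if __name__ == "__main__":
    vault = TokenVault()
    print(loyalty_record(vault, "customer-42", "4111 1111 1111 1111"))
```

    Because the loyalty database holds only tokens, a copy of it is useless to a thief without the vault, which is why tokenisation shrinks the part of the business that has to meet the card-data standards.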

  • Ensure your business adheres to PCI security standards

    What are PCI security standards?

    It’s important that your relevant hardware, software and service providers have all been approved by the global PCI council.

  • Ensure the security of your payment systems

    How do I ensure the security of my payment system?

    • Isolate your payment system - don’t use the computer that processes payments for other, less secure activities such as web browsing.

    • Remote access - ideally, you should not use remote access for processing payments; if it is absolutely necessary then be sure that it’s securely set up.

    • Employees - strictly limit access to those who really need it.

  • Keep up to date with the latest security tools and methods

    How can I keep up to date?

    Keep in regular communication with your bank or card processor, as they will provide information about the latest anti-fraud measures and relevant tips. This currently includes:

    • CVV2 code - three-digit code that authenticates physical possession of the card.

    • Address verification service - ensures that the billing address is associated with the card.

    • Card/bank verification - many banks and card providers offer password verification.

    • Signature - be vigilant when checking signatures.

    • Terminal – ensure that the terminal hasn’t been tampered with.


Employees

  • Create a secure hiring process

    How do I create a secure hiring process?

    Security should be considered when hiring. The ESR have produced a 30-hour course which is a great training tool for employers and HR staff.

  • Perform concise background checks

    What information should I check?

    It’s advisable to hire a professional screening company. In the US, the check should include –

    • Employment verification

    • Education verification

    • Criminal records

    • Sex offender registries

    • Social security traces and validation

    • Drug testing

    • The U.S. Treasury Office of Foreign Assets Control (OFAC) list

  • Create an employee access control policy

    How should I set up an employee access control policy?

    Best practice is to have a system in place and create a policy for access control. Read 'Privacy & Data' if you haven’t already.

    If you don’t have a system in place then you should at least follow these rules –

    • Client data – access should be on a need-to-know basis.

    • Confidential data – employees should only provide data to fellow staff and outside parties when they can be sure of the need and authority of that individual.

    • Training, testing and development – never use client data. Instead, invent fictional information.

    • Email and file transfer – always be sure that the transfer is secure.

    • Physical media – use encryption for CDs, DVDs, USB pens, etc.

    • Desks – ensure that staff keep their desks tidy so that it’s harder for files or devices to be misplaced or stolen.

    • Data storage – securely dispose of confidential data as soon as possible.

    • Data disposal – ideally, use approved disposal services, or ensure that hard copies are shredded and that data is wiped securely.

  • Set up security training for staff

    What should I include in training?

    You should create a comprehensive training program, using reliable resources and gathering professional security advice. The training should address these core points -

    • Security policy – employees should understand and comply with the policy.

    • Systems and applications – staff should receive security training for the systems they have access to.

    • Updates – staff should keep all software and applications updated, if required.

    • Security actions – any actions which staff must undertake must be addressed (backups, password policy, incident reporting, etc.)

  • Introduce an employee departure policy

    How do I introduce an employee departure policy?

    Immediately upon their leaving, all devices and drives assigned to the employee should be securely wiped.


Your Final Score


You receive the Golden Award!

Congratulations! You’ve completed all the tasks in our guide! But don’t get lazy. Good security needs to be maintained and constantly improved.

You receive the Silver Award!

You’re providing decent security, but there’s room for improvement. Head back to the tasks you haven’t completed yet.

You receive the Bronze Award!

Your business could have some serious security vulnerabilities, so go back over the tasks you haven’t completed yet.