
How to create a cyber security audit for your business

When was the last time you checked how secure your business is online? If you’re like most small business owners, the honest answer is probably: “Er… never?” Or maybe you did something once, ages ago, and haven’t thought about it since. 

 

Unfortunately, cyber criminals are constantly looking for easy targets and they often use the same public information you and I can see to figure out where to poke. A cyber audit is your way of seeing what they might see and fixing it before they get in. 

 

The good news is you don’t need to be an IT genius or know a bunch of technical jargon to do one. And you can get started for free! 

 

Use the free NCSC cyber security check 

The UK’s National Cyber Security Centre (NCSC) has a brilliant free service called Check your cyber security.

 

Here’s how it works: 

 

  • It runs a bunch of simple online checks on your business. 

  • You don’t have to install anything or give them access to your systems. 

  • It uses the same kind of public information criminals use to look for weaknesses. 

 

It looks at three main areas: 

 

  1. IP address and website – Can your systems be attacked via the internet? 

  2. Email – Are your emails secure, or could they be intercepted or forged? 

  3. Web browser – Is your browser up to date, or is it vulnerable? 

 

At the end, you get a simple traffic-light rating for each so you know what needs immediate attention. 

 

Map out how you handle customers’ data

Sounds boring, but stick with us! Think about the journey your customer takes, such as:

 

  • They visit your website. 

  • They fill in a form or make a payment. 

  • You send them something or email them. 

 

At each step, ask yourself “Where’s the risk?” Is their info safe? Who can see it? Could someone get hold of it if they really tried? If you’re not sure about these areas, it’s worth talking to professionals (like us!) who can help you ensure that your customers’ data is secure.

 

Check the boring-but-important stuff 

 

Passwords 

Are they strong? Are they different for each system? Do you use two-factor authentication (that code you get by text or app)? Use our handy password guide to make sure your passwords are strong enough and follow best practice.

 

Backups 

If your main system died today, could you get everything back? Do you know how long it would take? 

 

Continuity plan 

If something went wrong, who does what? Is that written down anywhere? (If not, that’s a problem.) For more help on creating a disaster recovery plan, you can check out our guide. 

 

Make cybersecurity a team thing 

Cyber security shouldn’t just be one person’s job; your whole company should be clued up on the dos and don’ts!

 

Here’s a really practical exercise you can run through with your team and build into your audit: 

 

Scenario run-through

Pick a few common risks and run a quick “what would you do?” session with your team. For example: 

 

  • “You get an email from a supplier asking you to change their bank details — what’s your first step?” 

  • “You lose your work phone — what do you do?” 

  • “The website is suddenly offline — who do you tell?” 

 

Document the answers

Write down what people say, and compare it to your actual processes. 

 

Close the gaps 

If what people think they should do isn’t what’s in your policy, or worse, you don’t have a policy, that’s a gap you need to close. 

 

Make it muscle memory 

Just like a fire drill, you want the right responses to become habit. The more often you walk through them, the more likely your team will get it right under pressure. The aim here isn’t to catch anyone out, it’s to make sure everyone knows their role and has the confidence to act fast when something’s not right. 

 

Tie it all together with a framework 

Rather than ending up with a messy to-do list, link your findings to something like the NCSC’s Cyber Essentials framework. It covers: 

 

  • Firewalls 

  • Secure settings 

  • Access control 

  • Malware protection 

  • Software updates 

 

That way you’re not just fixing random problems, you’re covering all the important bases. 

 

Keep it up 

Cyber criminals aren’t going away and the tools they use change all the time. It’s a good idea to do a quick check every few months, and a proper audit once a year. The first one’s the hardest. After that, it’s just keeping things in good shape. 

 

 

According to the Cyber Security Breaches Survey 2023, 32% of UK businesses reported a cyber attack in the past year. That’s nearly one in three. A simple, free audit could be the thing that keeps you out of that statistic. Contact us today to find out how we can support your organisation’s cybersecurity. 

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

 

The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.


The Cyber Resilience Centre for the West Midlands is a trusted resource for support to protect businesses and third sector organisations in the West Midlands region.

© 2024 The Cyber Resilience Centre for the West Midlands