Cyber security checklist and essential controls for SMEs

Irish businesses are facing the growing problem of cybercrime. Cyber attacks can seriously harm an organisation, especially for smaller companies that may lack the expertise and resources to prevent attacks. Implementing essential cyber controls as part of a cyber security checklist can help protect your organisation, reduce downtime, and protect valuable data.

Regardless of the size of the business, cybersecurity has become a critical element of the Irish business landscape. While cyber attacks on large organisations make national headlines, a security breach can threaten the existence of a smaller business that may lack the necessary damage control resources. Recent research found that 95% of Irish small and medium-sized businesses had experienced a cyberattack in 2021, meaning that SMEs should take extra steps to secure their data, networks and IT equipment from unauthorised access.

Adopting the essential cyber controls and implementing security solutions as a small business can help minimise the risks of cyber attacks.

cyber security risk assessment checklist - 2FA


Why put essential cyber controls in place?

The Irish government’s National Cyber Security Strategy is designed to tackle the challenge of cybercrime. It aims to secure information networks, systems and infrastructure to minimise the risk of cyberattacks and seeks to raise the cybercrime awareness among businesses.

By bolstering their cybersecurity, businesses can reduce the threat of compromised data and systems. Recent threats, such as ransomware attacks, can result in companies paying cybercriminals to release scrambled data and inaccessible systems.

Cyber security meshes behaviour and IT solutions. Behaviour includes ensuring staff are actively trained in data security and that there are clear security policies. In contrast, IT solutions include deploying technologies such as firewalls, two-factor authentication (2FA), and network monitoring software to detect and stop attacks.

Our Cyber Essentials certification process audits your organisation to demonstrate to stakeholders and business partners that you take cyber security seriously and have adequate measures to protect data and systems.

Looking to ensure your business meets GDPR requirements? Read our guide to who is responsible for demonstrating GDPR compliance.

Essential cyber controls – security checklist

Here is our cyber security risk assessment checklist of issues SMEs should consider addressing to help improve cyber security.

Keep equipment up to date

Conduct a comprehensive inventory of equipment connected to your network, including any BYOD equipment staff use. This should include desktops, laptops, mobile devices, and routers. Older legacy equipment may no longer be supported with security updates, while other cloud-based devices such as network printers can be attack vectors for hackers.

Ensure that the latest software updates are installed, as this can help minimise the risk of a cyber attack. Ensure that firmware updates are applied to networked IT equipment such as printers, routers, NAS drives and servers. Updates often patch security vulnerabilities, closing security holes that hackers can exploit.

Consider reusing older equipment that is no longer updated into non-network tasks or recycling components.

Employees and training

Implement regular security and data processing awareness training for employees, contractors and others who access business networks. Many cyber attacks are socially engineered, such as spear phishing, where an individual in a business is targeted with convincing emails designed to deploy malware or provide access to a network by cybercriminals. Regularly remind employees of the protocols they must follow and encourage the immediate reporting of any suspicious activity.

cyber security risk assessment checklist - passwords

Access control

Not every employee in an organisation needs access to all of its data.

Review account permissions, restricting access to the lowest level required for employees to perform their duties. Ensure every employee has a separate account with unique log-in credentials and allow remote access only through a virtual private network (VPN).

Enforce password policies for all employees, ensure each password is different for various accounts/sites, and incorporate multi-factor authentication (MFA) for sensitive accounts or those using remote access. A good example is a password and biometric (fingerprint) or a code sent to an email or phone number. Remember to delete employee accounts when an employee leaves the organisation.

Cyber security defence

Assess your need for cyber security solutions for small businesses, such as:

  • Firewalls.
  • Anti-virus software.
  • Anti-malware software.
  • Network monitoring and alert systems.

These systems recognise unauthorised attempts to gain or hack information and can block access or quarantine malware. Systems to monitor networks can alert you of suspicious activity and potential threats. Monitoring can help catch security breaches quickly before too much damage is done.

Ensure malware and security software is updated, ideally daily or hourly.

Bolster email security

Email attacks are one of the most significant security vulnerabilities for smaller businesses. Cybercriminals use phishing scams to deliver malware payloads such as ransomware or fool employees into sharing passwords and access credentials. Email security can be a particular issue for SMEs that use many different and sometimes older email protocols such as SMTP, POP, and MIME servers. Web-based mail can offer more robust security features such as message encryption, malicious email filtering, and detecting hijacked email accounts.

Segment the network

Assess your network topology, and build or restructure networks into manageable subnets with access control between different network layers or subnets. As part of a cyber security checklist, examine and limit access to different subnets, and limit mission-critical data or processes to specific and highly restricted subnets.

cyber security solutions for small business

Data recovery plan

Ensure your business has a data recovery plan and that it is well-rehearsed to minimise downtime and test protocols.

Protecting data from unauthorised access is paramount, but you should also have a disaster recovery plan in place should your organisation face a data breach or find its data held to ransom by cybercriminals. Ensure that data is backed up regularly. Backups should be encrypted, and more than one backup method used, such as an onsite server and cloud backup, to ensure additional protection.

Supplier security

Many businesses rely on a supply chain for their products or services. If a cyberattack happens to any of your suppliers, your business could also be at risk. Sensitive information, data, customer information or access to essential areas could become available if there are security breaches down the chain.

To minimise the risk of this happening, ensure transparent relationships with your suppliers and encourage robust cyber security with suppliers.

Ask for their cyber security policies and if they’re certified in Cyber Essentials, ISO 27001 Information Security Management Systems, or ISO 27701 Privacy Information Management Systems, for example.

Need to demonstrate your IT security systems are robust and fit for purpose? Our Cyber Essentials with expert support is a great starting point to reduce harm to reputation and enhance data security processes.


Get a quote

cyber essential controls - main image
Holly Fitzpatrick
Holly Fitzpatrick

Keep up to date with our latest news!


Related ISO Certifications

ISO 9001 - Quality Management

ISO 9001

Quality Management System ISO 9001 is the internationally recognised global standard for Quality Management Systems. It confirms an organisation’s commitment

ISO 14001 - Environmental Management System

ISO 14001

Environmental Management System ISO 14001 standard is the global standard for organisations wanting to demonstrate their environmental credentials. It

ISO 45001 - Occupational Health and Safety

ISO 45001

Occupational Health and Safety ISO 45001 is an international standard that specifies requirements for an occupational health and safety

ISO 50001 - Energy Management Systems

ISO 50001

Energy Management Systems ISO 50001 is a global standard for organisations looking to improve their energy management

ISO 27001 - Information Security Management Systems

ISO 27001

Information Security Management Systems ISO 27001 is the international standard for managing risks related to the security

ISO 22301 - Business Continuity Management Systems

ISO 22301

Business Continuity Management Systems ISO 22301 is the business continuity management system (BCMS) standard. It provides a framework that

ISO 20000-1 - IT Service Management Systems

ISO 20000-1

IT Service Management Systems ISO 20000-1 Service Management is the international standard for quality management specifically focused on IT

ISO 13485 - Medical Device

ISO 13485

Medical Devices ISO 13485 is a globally recognised quality standard that identifies the requirements of a quality management system

ISO 27701 - Personal Information Management System

ISO 27701

Privacy Information Management Systems ISO 27701 is the global standard for Privacy Information Management Systems (PIMS), also known as

Personal Information Management System - BS 10012

BS 10012

Personal Information Management System BS 10012 provides a framework for a Personal Information Management System standard, helping you maintain

ISO 27017 - Clour data protection

ISO 27017

Cloud Data Protection ISO 27017 is the global standard used by organisations to strengthen their current cloud data protection

Cyber Essentials - Certification Europe

Cyber Essentials

Cyber Essentials Cyber Essentials is a globally recognised IT security standard developed by the UK’s National Cyber Security Centre, which is

ISO 20121 - Event sustainability management systems

ISO 20121

Event Sustainability Management Systems ISO 20121 is an internationally recognised standard for event sustainability management systems. It provides organisations


Recent Insights