AWS Smart Business Blog

A Checklist for Assessing the Cybersecurity Needs of Your Small or Medium Business

If you’re like most small and medium businesses (SMBs), you need to split your attention each day and cybersecurity isn’t often one of the most pressing topics. For SMBs, the topic that is often taken for granted is the one that could have the biggest impact on business continuity. Without a dedicated Chief Information Security Officer (CISO) or security team, it can be easy for SMBs to overlook this critical part of the business. As businesses digitize their operations, cybersecurity becomes more than ensuring passwords aren’t left out in the open—it becomes about protecting all of the internet-connected devices in your organization and the data, files, and apps stored in the cloud.

Want to boost the security efforts of your SMB? We’ve developed a checklist you and your fellow leaders can use to address common concerns. Read on to see what you should include.

But first, why are security assessments necessary for your SMB?

The data is concerning: 43 percent of data breaches involve SMBs, but 83 percent of SMBs are not financially equipped to recover from a cybersecurity issue. Here at Amazon Web Services, we repeatedly witness our SMB customers kickstart discussions on how to build up defenses after a security issue has been reported. Rather than waiting for a security issue to occur, we recommend a proactive approach of continuously monitoring security infrastructure and workloads. Because you aren’t a venture-backed company or large enterprise, it can be difficult to absorb financial losses associated with fraud or system downtime.

The challenge for SMBs is that every dollar counts, especially in an uncertain economy. Investing in security can seem daunting and sometimes unnecessary, in spite of being a critical aspect of operations. We need a mind shift to realize security is a continuous journey, not a one-time purchase. In a landscape where threats are constantly evolving, awareness and action are necessary for continued protection. There are many security tools available, making it critical to understand how to evaluate your cloud security posture, streamline your operational efficiency, and allocate your budget effectively.


Cybersecurity checklist for SMBs working in the cloud

[] Understand the value of protecting your business data on AWS Cloud:

The AWS Security Maturity Model is a simple guide that helps non-technical SMB leaders understand the value of investing in security procedures over time.

[] Automate security with management tools:

Because security is an ever-evolving field, it’s important to use a security tool that can continuously evaluate your environment for issues, misconfigurations, and more. If your SMB outsources its IT management or is fortunate enough to have someone in-house, the following services can be turned on with just a few clicks: AWS Security Hub, Amazon GuardDuty, and Amazon Inspector. Together, these automate the tedious tasks associated with monitoring the cloud. We also offer a recommended template to automate the ongoing security assessment of your AWS accounts.

Cost shouldn’t be a barrier to protecting your business—many of these services have a free trial period, which makes it easy to understand what your projected usage and cost would look like over time. The AWS Trusted Advisor dashboard is provided to AWS customers at no cost. It’s designed to reduce costs, improve performance and improve security. The value of AWS Cloud is that you pay-as-you-go rather than maintain the expenses of on-premises IT security.

If you aren’t a technical expert, but work closely with one, show them how AWS solutions, AWS Partner Network solutions, and purpose-built AWS Services are designed to reduce downtime during a security event.

[] Secure your foundation:

Because security and compliance on AWS operate on a shared responsibility model, it is important to understand and implement foundational security best practices. As you begin, familiarize yourself with, and implement, the Top 10 Security Improvement Tips from Stephen Schmidt, CISO for AWS. These topics can help you be intentional about data security policies.

[] Secure remote workers and workstations:

While the height of the pandemic has passed, the effects of it have permanently changed the way businesses operate, communicate, and work. According to a study by the US Labor Department, nearly one-third of today’s workforce operates from remote locations. Consequently, internal teams are spread out across the globe—traditional networks and perimeter security can no longer keep up.

To ensure users have secure and timely access to data, drive towards a Zero Trust Model. In this approach, both users and mobile devices undergo continuous authentication, with no assumptions of trust. Whether your team uses laptops, tablets, mobile phones, or other internet-connected devices, device health should be assessed regularly for security issues. Learn how to get started with your Zero Trust journey on AWS.

[] Back up your data and infrastructure as code:

With ransomware and natural disasters, it is imperative to have a business continuity plan. Take inventory of all your data in the cloud and create backup plans to minimize downtime. Completely isolate your backups so that you can start from the ground up (if need be) and remain certain that there is no damage. Watch why Group Landmark, an SMB, moved more to the cloud after its physical data center caught fire.

[] Plan for security issues:

Because security issues do happen, it is important to plan for them. Auditing and logging user actions—and resource behavior—will help you gain a greater understanding of your cloud environment. Amazon Security Lake can help you set up a security data lake, pulling in logs from your AWS environment (or even from on-premises locations for hybrid cloud). If an event occurs, you can use the tool to take immediate action.

Preparation is key when it comes to managing security events. Similar to how many schools and buildings conduct fire drills, your team should know what to do when an event happens. Get your team trained on the steps to take in case triage is needed. Depending on your SMB’s approach to cloud IT, the security tools should be accessible to you, your managed service provider, and/or in-house IT staff. Logs and environment traffic should be monitored and alert notifications should be sent out if any anomalies are discovered.

[] SMBs with tech developers should integrate security into the development process:

If you’re fortunate enough to have in-house technical staff, another way to protect your organization is by integrating security into your development practices. Learn more about Developer Security Operations and encourage your developers to enhance their security standards.

[] Invest in security training and enablement:

Create a culture of security in your organization by embedding it into every business process and making it the job of every employee. Practice thinking about security at the beginning of projects, enable regular training programs, and encourage employees to complete certifications as security knowledge evolves. If you’re looking for educational information, AWS offers a broad range of security training and certification programs covering everything for novice or advanced users.

Next steps

In modern, smart businesses, cybersecurity must be adopted by every employee and should be incorporated into all stages of your product or service. It can prevent unnecessary downtime, financial loss, or other significant issues.

As cloud experts who devote time to SMBs, we know the beginning of the process can be daunting. The checklist above is a good start, but if you’re still unsure how to assess your security or have questions about securing your business, AWS can also support you in a few more ways:

Krati Singh


Krati Singh is a Senior Solutions Architect at AWS specializing in SMBs. In the past, she has led teams of 25+ software engineers and technology analysts, providing leadership in areas of design, business analysis, and solution needs, including developing new revenue-generating solutions. Krati is based in San Jose (US).

Vaishnavi Ganesan


Vaishnavi Ganesan is a Solutions Architect at AWS who works directly with SMB customers to enable strategic use of cloud services. Vaishnavi is a well-rounded and collaborative team player with the ability to build trust and deliver high-performance results. Vaishnavi holds a master's degree in technology management from UC Santa Barbara and is based in the San Francisco Bay Area (US).