Insurance and Security

Creating an effective cybersecurity plan

Review these essential areas and understand how to factor them into your cybersecurity plan.

Published: October 04, 2018

Creating a cybersecurity plan for your business is the first step you can take to help mitigate your cyber risk. While there isn’t one plan that will work for every business, there are some basic security principles that any business can follow, no matter its size.

Small business leaders are often held back by the amount of time it can take to develop a cybersecurity plan. But waiting to respond to a hack can be even more devastating. To take the first step toward protection, develop a cybersecurity plan that accounts for the following:

Business information

  • Document all physical assets, such as computers and servers, and catalog who has access to each.

  • Log digital assets, such as customer records and intellectual property, and track where information is stored.

  • Once everything is documented, identify potential risks to the most important assets.

Vendor standards

  • Verify vendors are compliant with regulatory requirements and other emerging standards, such as the American National Standard for Information Systems and National Institute of Standards and Technology (commonly cited as ANSI/NIST) and the Payment Card Industry Data Security Standard (PCI DSS).

  • Review vendor practices regularly to ensure continued compliance.

  • Draft service-level agreements in vendor contracts that address security concerns.

Employees and access

  • Establish standards for password complexity and frequency of change.

  • Implement strong authentication measures. If it’s feasible for your business, consider two-factor authentication and single sign-on (which unifies login information with the various third-party software portals your company may use) to lessen the odds and impact of a compromised account. To explore these features, you can either download a free authentication generator or purchase a package.

  • Devise a tiered/limited system for assigning administrative rights to users.

  • Train employees and contractors to recognize, avoid, and report suspicious activity.

System tools

  • Define and implement core protections such as anti-virus, firewall, and anti-malware tools.

  • Implement software to monitor network traffic and identify suspicious behaviors — both free tools and more multifaceted purchasable packages are available, depending on your business needs.

  • Explore whether your business may be able to protect and isolate sensitive data within your network using multi-layered encryption. Approaches to encryption vary in complexity from business to business, so consider which elements may make most sense for your business to encrypt.

  • Decide when and how the system will receive software updates and patches.

  • Pursue third-party security certifications and standards for your services and products.

  • Back up local data to the cloud and to other local storage to preserve access in case of an attack.

  • Use proper settings for encryption on Wi-Fi routers.

  • Provide separate networks for guest access.


  • Leadership: Determine who is responsible for reviewing and updating the cybersecurity plan, and how often.

  • Implementation: Determine who is responsible for training users, enforcing standards, and managing/monitoring installed software.

  • Response: Determine who would be responsible for responding to an attack, and how. This procedure should include provisions for straightforward incidents as well as those that require an escalated response. It should also include a provision for declaring that an incident needs to be resolved.

Physical and digital protection

  • Digital: Make it a habit to encrypt data, and install and maintain anti-malware programs.

  • Physical: Keep computers and servers with sensitive information in a secure office location.

Use all this information to create a digital and hard-copy cybersecurity plan you can reference as needed. You may consider using a tool like the Federal Communications Commission’s Small Biz Cyber Planner 2.0 to make sense of these elements and develop a cybersecurity plan.

Once you have a plan in place, it’s important that you update it regularly. It’s even more important to put it to use by training your employees according to it.