Small business cybersecurity checklist
This page summarises key practices that reduce cyber risk for smaller organisations. It is informed by common small-business security checklists (including NCSC-style guidance). It does not replace legal, insurance, or sector-specific requirements. Northbrik Systems Ltd (Northbrik) publishes it for general awareness; questions about our own security practices should go to legal@northbrik.com.
For official, in-depth UK guidance and certification schemes, see the National Cyber Security Centre's Cyber Essentials resources.
Introduction
Small businesses face material cyber risk, but a short set of consistent, low-cost measures usually reduces exposure sharply. The sections below outline five foundational practices: backups, malware defence, mobile devices, passwords, and phishing awareness.
1. Back up your data
Protect against loss from theft, damage, hardware failure, or ransomware by keeping regular, tested backups of data essential to operations. Store copies separately from live systems (reputable cloud backup is a common approach). Automate backup jobs where possible so recovery is predictable.
2. Protect against malware
- Use reputable antivirus/endpoint protection where appropriate.
- Keep operating systems and applications patched and current.
- Restrict installation of unapproved software.
- Control use of removable media (e.g. USB) and enable firewalls on networks and endpoints.
3. Secure mobile devices
- Require PIN, password, or biometric unlock on phones and tablets.
- Enable remote lock / wipe for organisation-managed devices.
- Keep OS and apps updated; replace devices that no longer receive updates.
- Avoid untrusted public Wi-Fi for sensitive work; use a VPN or cellular data where needed.
4. Use strong passwords and multi-factor authentication
- Protect accounts, especially email, banking, and admin consoles, with unique, strong passwords (a password manager helps).
- Enable two-factor authentication (2FA/MFA) everywhere it is offered.
- Change default credentials on routers, printers, and appliances.
5. Defend against phishing
Phishing is pervasive and increasingly convincing. Limit over-broad access privileges, train people to recognise unusual requests, and encourage a culture where suspicious messages are reported without blame. Have a simple incident path: report → verify → reset credentials if needed → record what happened.
How we apply security practices to Northbrik
The checklist above is generic. Below is how we operationalise comparable controls for the Northbrik platform (marketing site, API, database, Northbrik OS, and browser runtimes). This is a high-level summary, not a penetration test report.
- Hosting and transport: Production traffic uses TLS; nginx terminates HTTPS; session and OS entrypoints may be gated for private preview. Application secrets and provider keys (database, AI, listing-provider API keys, Stripe, Resend, OAuth client secrets, OS bridge secrets) live in server-side environment configuration, not in public client bundles.
- Data storage: Account and product data are stored primarily in PostgreSQL via Prisma; backups and retention follow our Privacy Policy. Ephemeral browser state in streamed OS sessions is designed to minimise leakage to our core datastore.
- Dependency and malware risk: CI runs automated checks; production dependencies are pinned and reviewed; we do not encourage ad-hoc installs on production hosts.
- Access control: Role separation between deploy, database, and day-to-day admin; production access via individual accounts with MFA where available; least privilege for OS instance and agent bridges.
- Abuse resistance: API rate limiting and auth gates on sensitive routes; monitoring of anomalous usage patterns as we mature operational practices.
- Incident response: A suspected credential compromise or data incident is triaged under an internal playbook, with regulator and data-subject notifications where UK GDPR requires them.
For procurement or DPIA questions, contact legal@northbrik.com. This description is not contractual; see your order form or data processing terms where applicable.