According to the National Cyber Security Centre (part of GCHQ) if you’re a small or medium-sized enterprise (SME) then there’s around a 1 in 2 chance that you’ll experience a cyber-security breach.

Here are four steps to begin building a cybersecurity strategy that keeps hackers out of your business.

A. Define your company's current cybersecurity status.

Get together your senior leadership team, board of directors and investors/trustees to conduct an informal audit of the business. Get a sense for the level of security you have today.

Questions to ask: Is anyone in charge of our cybersecurity? What defences do we already have in place? Is our strategy all-inclusive and coordinated? If not can we identify our weak spots and ‘gaps’?

B. Identify the key person accountable for your cybersecurity.

Engage leaders from across the organisation—remember cybersecurity is much more than just IT. Include people from different functional areas, such as human relations, marketing, operations and finance. Other players essential to this conversation are your lawyers, insurance broker and your accountant/auditor.

Questions to ask: Who should be answerable or responsible for our cybersecurity? What process can we implement to ensure accountability? How can we communicate and increase awareness about cybersecurity in our different departments and teams?

C. Take an list of your assets, determine their value and prioritise your most critical assets.

Identify the "crown jewels" in your company, whether those are employee records, intellectual property or customer data. Recognise that you will never be 100% safe from an attack, so prioritising areas of defence is important.

Questions to ask: What are the most important assets we need to protect? Customer data? Intellectual property? Employee records? Can we measure the degree of confidentiality, integrity, availability and safety of our most critical assets?

D. Decide what business capabilities and cybersecurity measures you want to manage yourself and those you can outsource.

Consider whether it makes sense to subcontract certain aspects of your business to a cloud-based system to increase your security. At the same time, consider whether it makes sense to engage a cybersecurity expert or provider. Decide whether you want to work with a consultant to figure out your cybersecurity plan or if you want to outsource your cybersecurity entirely.

Questions to ask: What aspects of our business , such as order fulfilment, should we handle internally versus outsourcing to a third party (e.g., Amazon, Cisco, Google)? Should we outsource our cybersecurity to a third-party service? Should we use a fractional CIO model and seek out cybersecurity consulting? Or should we handle the entire process ourselves?

If you don’t know what the status of your security is today you can’t plan how to provide for it. The best defence is a good offence. Make it a priority to protect your data for the benefit of your employees, your customers and the long-term health of your business.