Many community pharmacies are small organisations with limited time, limited budgets, and staff who wear many hats. That is exactly why cyber hygiene matters. The good news is that you do not need complex systems or expensive tools. A small number of well-chosen actions will dramatically reduce your risk.

What follows is a realistic, high-impact, low-effort cyber hygiene checklist, designed specifically for small organisations like pharmacies.

1. Assign clear ownership

Someone must be responsible — even part-time. You do not need a full-time IT or security manager. You do need one named person who is accountable.

Assign a security owner (for example, the pharmacy manager, an internal IT contact, or your MSP [Managed Service Provider or outsourced IT support]):

• Be clear about who makes decisions and who to contact if something goes wrong;
• Keep policies short and practical (two to five pages, not a novel); and
• Make a simple list of what matters most (staff data, patient data, financial systems).

This avoids the classic problem: “I thought someone else was handling that.”

2. Lock down accounts and access

This is where most small organisations are caught. If you do only one thing, start here:

• Enable two-factor authentication (2FA) on:
  • Email;
  • Cloud systems; and
  • Remote access and admin accounts.
• Use a password manager with strong passwords or passphrases (10 characters minimum);
• Remove shared accounts — every login should belong to a named person;
• Review user access quarterly; and
• Disable accounts immediately when staff leave

This delivers huge risk reduction for very little effort.

3. Get the basics right on devices

Laptops, desktops and phones must be predictable and secure:

• Automatic updates for Windows, macOS and apps must be turned on;
• Use antivirus — built-in tools like Microsoft Defender are fine if kept updated;
• Enable disk encryption:
  • BitLocker (Windows); and
  • FileVault (Mac).
• Set automatic screen lock after five to eight minutes;
• Lock the screen whenever you step away; and
• Enable remote wipe for lost or stolen devices (you only wipe company data, not personal data).

This is essential if staff use devices at home or access pharmacy systems remotely.

4. Keep everything updated

Out-of-date systems are easy targets. You do not need complex patching tools:

• Ensure auto-updates work for:
  • Operating systems;
  • Browsers;
  • Office software; and
  • Zoom and other common tools.
• Set a monthly reminder to check anything that does not auto-update; and
• Replace unsupported systems — this matters more than fancy security tools.

Unsupported software is one of the easiest ways in for attackers.

5. Backups are non-negotiable

This is what keeps ransomware from becoming a disaster. Follow the 3-2-1 rule:

• Three copies of critical data;
• Two different storage types; and
• One offline or immutable copy.

Back up:

• File servers;
• Pharmacy systems; and
• Cloud data (do not rely only on Microsoft or Google).

Test restoring backups at least twice a year. If you cannot restore data, the backup does not count.

Many small businesses have closed because they could not recover data. Good backups change everything.

6. Email and phishing awareness

Email is still the number one attack route:

• Enable spam and phishing filters;
• Disable macros in documents by default;
• Train staff to:
  • Be suspicious of urgency;
  • Verify unexpected requests by phone or text;
  • Confirm payment requests verbally;
  • Never share passwords — ever; and
  • Report suspicious emails as junk or spam.

Simple awareness often beats expensive tools.

7. Keep the network simple and clean

• Use a supported, business-grade firewall/router;
• Change all default passwords;
• Separate Wi-Fi:
  • One network for pharmacy systems; and
  • One for guest or personal devices.
• Use VPN access for remote administration where needed.

This prevents personal devices from becoming a gateway into pharmacy systems.

8. Have a simple incident plan

Two pages is enough. You do not need a war room — you need clarity. Your plan should say:

• Who to contact (internal and external);
• How to isolate infected devices;
• When to shut systems down;
• How to communicate with staff and suppliers; and
• When to involve insurers or legal advisers

Stressful moments are not the time to improvise.

9. Be realistic about vendors and cloud systems

You rely heavily on third parties. Be intentional:

• Use reputable providers;
• Turn on the security features they already include;
• Give vendors only the access they actually need;
• Keep a list of vendors and what data they can access; and
• Review this annually.

You inherit some of their security posture — make sure you are comfortable with it.

10. Keep It alive (lightweight and practical)

No audits. No heavy frameworks. Once a quarter, spend 30 – 60 minutes reviewing a short checklist and learning from any incidents or near-misses.

Consistency beats perfection.

Your spring clean cyber hygiene checklist

• 2FA enabled on all email and cloud accounts;
• Password manager in use (no sticky notes);
• Automatic updates and regular reboots;
• Encrypted laptops and desktops;
• Tested backups;
• Staff aware of phishing risks; and
• A named owner for cybersecurity.

If you have these in place, you are already ahead of many organisations your size — and some much larger ones.

For more information visit bhconsulting.ie and there are IPU supports on ipu.ie > Supports > Cybersecurity.