15 Best Cybersecurity Tips For Small Businesses
Cybercrime is a growing threat to businesses of all sizes, not just large corporations and governments. Small businesses may be even more vulnerable due to limited resources for robust cybersecurity defenses.
A data breach can be devastating, causing financial losses, reputational damage, and even legal trouble. Staying ahead of cybercriminals who are constantly developing new attack methods can feel overwhelming.
However, there’s good news! By implementing some key cybersecurity best practices, you can significantly reduce your risk of falling victim to a cyberattack.
This guide provides a roadmap for navigating the world of cyber threats and protecting your business.
We’ll share a comprehensive list of the most up-to-date cybersecurity tips and best practices you can easily implement. We’ll also keep this list updated to ensure your business stays secure in the ever-evolving cyber threat landscape.
What Is a Cyber Threat and Why Should You Bother?
A cyber threat is an attempt to maliciously steal data and cause disruption. In 2019, the number of data breaches in the United States amounted to 1,473, with over 164.68 million sensitive records exposed, according to Statista.
Awareness of cyberattacks has certainly increased. As individuals and businesses become more conscious of the need to protect their devices and data and take measures to secure what they can, cybercriminals have stepped up their game significantly. Cyber threats have escalated in number, complexity, and sophistication.
Cyber threats may or may not happen, and the fear of the unknown continues to pervade most organizations. However, taking precautions after a breach has occurred may be a little too late. PayPal CEO Dan Schulman is quoted as saying that in the cyber community, there are two types of companies: those who have been hacked and those who do not know they have been hacked.
Types of Cybersecurity Threats for Small Businesses
The ways in which cyber threats infiltrate small business devices and networks continue to increase. Some of the tried and true, such as phishing, still plague organizations of all sizes. Here is a look at a few cyber threats small businesses need to be aware of.
Phishing
A phishing attack usually targets users directly through email, although other forms of communication, including text messaging, have been used for phishing. Social engineering is at play in a phishing attempt, as attackers disguise themselves as trusted contacts or sources to get victims to part with personal data such as passwords or banking/credit card numbers.
For small businesses, phishing can have far-reaching consequences. If a cybercriminal gains entry to just one device used by the business or its users, they can move on to the rest of the networked devices, leaving the organization exposed to loss.
Watering Holes
Though not the most common cyberattack, a watering-hole attack targets a specific group of individuals or businesses that share the same interests and frequent the same types of website. The attacker then infects one of those sites with malware. The idea is that if one member of the group visits the website and gets infected, the others will as well.
As with phishing, social engineering is at work in this type of attack. Since the individuals or small businesses in the group trust each other’s choice of websites, there is no reason not to visit them—unknowingly downloading malware to their devices at the same time.
Drive-by Downloads
Drive-by downloads occur when a user downloads software to their computer inadvertently. Many times, the software might not be malicious, but other times, the download is intended to do one or more of the following:
- Spy on activity, such as recording keystrokes to capture passwords
- Hijack the device by exploiting security flaws
- Infect the device by downloading even more software or files that ultimately render the device useless
Drive-by downloads often occur when operating systems have not been updated or software patches have not been installed.
Malware
Malware is an umbrella term for any form of malicious software. Viruses are the most common, but malware also includes spyware, ransomware/hostageware, malvertising, worms, and Trojans. Many businesses are unaware that malware has been installed on one or more of their devices, or even on their entire network.
Why Do Small Businesses Need Cybersecurity?
Cybercriminals are well aware that small businesses might not have the resources to spend on security staff and software that a much larger enterprise would. This makes them a prime target, as attackers see small businesses as particularly vulnerable, especially those without even basic security measures like antivirus software in place.
Cybercriminals are also aware that many small businesses work with large companies, so access to a small business’s network might mean access to that of a larger corporation. Further, small businesses, including restaurants and franchises, store large amounts of bank account and credit card information, so a breach of a small business could prove valuable to those with malicious intent.
The Cybersecurity Risks Involved for Small Businesses
Money is behind the vast majority of cyberattacks. According to the 2020 Verizon Data Breach Investigations Report, 86% of the 3,950 breaches last year were financially motivated. For businesses, cyberattack risks include:
- Compensating customers for theft of banking or credit card information
- Losses due to business disruption (i.e., shutting down operations while an investigation is underway)
- Costs related to adding new security systems and software or replacing devices
- Reputation damage, including informing customers of the breach and losing potential new business
The Impact of a Cyberattack on Small and Midsize Businesses (SMBs)
Losses to the business can vary. In a review, the U.S. Securities and Exchange Commission estimated that half of small businesses that suffer a cyberattack go out of business within six months. A small business may not have the time or resources to address the fallout from the breach—paying for customer losses, litigation, or upgraded systems—and so will have to shut down.
15 Essential Cybersecurity Practices For Small Businesses
Small businesses should implement a variety of cybersecurity practices to protect themselves from cyberattacks, including:
Practical Step 1: Train your employees
Employees can leave your business vulnerable to an attack. While precise statistics vary by country and industry sector, it is unquestionably the case that a high proportion of data breaches are caused by insiders who either maliciously or carelessly give cybercriminals access to your networks.
There are many scenarios that could result in employee-initiated attacks. For instance, an employee might lose a work tablet or disclose login credentials. Employees may also mistakenly open fraudulent emails, which can deploy viruses on your business’ network.
To protect against threats from within, invest in cybersecurity training for your employees. For example, teach staff the importance of using strong passwords and how to spot phishing emails. Establish clear policies describing how to handle and protect customer information and other vital data.
Practical Step 2: Carry out a risk assessment
Evaluate potential risks that might compromise the security of your company’s networks, systems, and information. Identifying and analyzing possible threats can help you devise a plan to plug security gaps.
As part of your risk assessment, determine where and how your data is stored and who has access to it. Identify who may want to access the data and how they may try to obtain it. If your business data is stored in the cloud, you could ask your cloud storage provider to help with your risk assessment. Establish the risk levels of possible events and how breaches could potentially impact your company.
Once this analysis is complete and you have identified threats, use the information you have collated to develop or refine your security strategy. Review and update this strategy at regular intervals and whenever you make changes to information storage and usage. This ensures your data is always protected to the best of your ability.
Practical Step 3: Deploy antivirus software
Choose antivirus software that can protect all your devices from viruses, spyware, ransomware, and phishing scams. Make sure the software not only offers protection but also includes tools that help you clean infected devices and reset them to their pre-infection state. It’s important to keep your antivirus updated so that it recognizes the latest threats.
Practical Step 4: Keep software updated
As well as antivirus, all the software you use to keep your business running should be kept up-to-date. Vendors regularly update their software to strengthen it or add patches that close security vulnerabilities. Bear in mind that some software, such as a Wi-Fi router’s firmware, may need to be manually updated. Without new security patches, a router – and the devices connected to it – remain vulnerable.
Practical Step 5: Back up your files regularly
Does your company back up its files? If a cyberattack happens, data could be compromised or deleted. If that happened, could your business still run? Don’t forget to consider the amount of data that may be stored on laptops and cell phones – without this, many businesses wouldn’t be able to function.
To help, make use of a backup program that automatically copies your files to storage. In the event of an attack, you can restore all your files from your backups. Choose a program that gives you the ability to schedule or automate the backup process so you don’t have to remember to do it. Store copies of backups offline so they don’t become encrypted or inaccessible if your system suffers a ransomware attack.
Practical Step 6: Encrypt key information
If your business regularly handles data relating to credit cards, bank accounts, and other sensitive information, it’s good practice to have an encryption program in place. Encryption keeps data safe by transforming the information stored on the device into a form that is unreadable without the key.
Encryption is designed with a worst-case scenario in mind: even if your data is stolen, it would be useless to the hacker as they wouldn’t have the keys to decrypt the data and decipher the information. That’s a sensible security precaution in a world where billions of records are exposed every year.
Practical Step 7: Limit access to sensitive data
Within your business, restrict the number of people with access to critical data to a minimum. This limits the impact of a data breach and reduces the chance of bad-faith actors within the company reaching data they should not have. Set out a plan that defines which individuals have access to which levels of information so that roles and accountability are clear to everyone involved.
Practical Step 8: Secure your Wi-Fi network
If your business is still using WEP (Wired Equivalent Privacy) on its wireless network, make sure you switch to WPA2 or a later version, as these are more secure. It’s likely that you’re already using WPA2, but some businesses neglect to upgrade their infrastructure – so it’s worth checking to be sure. You can read more about WEP versus WPA in our guide.
You can protect your Wi-Fi network from breaches by hackers by changing the name of your wireless access point or router, also known as the Service Set Identifier (SSID). You can use a complex Pre-shared Key (PSK) passphrase for additional security.
Practical Step 9: Ensure a strong password policy
Ensure that all employees use a strong password on all devices that contain sensitive information. A strong password is at least 15 characters in length – ideally more – and contains a mix of upper- and lower-case letters, numbers, and symbols. The more difficult it is to crack a password, the less likely a brute-force attack will be successful.
You should also put in place a policy to change passwords at regular intervals (at least quarterly). As an additional measure, small businesses should enable multi-factor authentication (MFA) on employees’ devices and apps.
Practical Step 10: Use password managers
Strong passwords that are unique to every device or account quickly become difficult to remember. Having to recall and type out lengthy passwords each time can also slow your employees down. That’s why many businesses use password management tools.
A password manager stores your passwords for you and automatically fills in the username, password, and even security-question answers you need to log into websites or apps. This means users only have to remember a single PIN or master password to access their vault of login information. Many password managers also steer users away from weak or reused passwords and remind them to change them regularly.
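To make the password rules from Steps 9 and 10 concrete, here is an added example (not code from the original article) that checks a password against the stated policy (at least 15 characters with upper- and lower-case letters, digits and symbols) and generates compliant passwords the way a password manager would; the function names, symbol set and small blocklist are constructed for this example.

```python
import secrets
import string

# Policy values from the article: minimum length and four character classes.
MIN_LENGTH = 15
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed stand-in for a breached/common-password list: these satisfy the
# character-class rule but must still be rejected.
BLOCKLIST = {"Password123456!!", "Welcome2024!!!!!"}


def policy_violations(password: str) -> list[str]:
    """Return the reasons a password fails the policy; an empty list means OK."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if password in BLOCKLIST:
        problems.append("appears on the blocklist")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random policy-compliant password using the OS CSPRNG.

    Candidates are drawn uniformly from ALPHABET and rejected until one
    contains every required class, so no position is biased toward a class.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("short", "Password123456!!", generate_password()):
        print(repr(sample), policy_violations(sample) or "OK")
```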
Practical Step 11: Use a firewall
A firewall protects hardware as well as software, which is a benefit to any company running its own physical servers. A firewall works by blocking or deterring malicious traffic before it enters your network. This is in contrast to antivirus software, which targets malware that has already gotten through.
Ensuring a firewall is in place protects your business’s network traffic – both inbound and outbound. It can stop hackers from attacking your network by blocking certain websites. It can also be programmed so that sending out sensitive data and confidential emails from your company’s network is restricted.
Once your firewall is installed, remember to keep it up-to-date. Check regularly that it has the latest updates for software or firmware.
Practical Step 12: Use a Virtual Private Network (VPN)
A Virtual Private Network provides another layer of security for your business. VPNs allow employees to access your company’s network securely when working remotely or traveling. They do this by routing your traffic through an encrypted connection between your device and the VPN server, so the website or online service you use sees the VPN’s address rather than yours. They are especially useful when using public internet connections – such as in coffee shops, airports, or Airbnb rentals – which can be vulnerable to eavesdropping. A VPN gives users a secure connection that keeps attackers on the same network away from the data they hope to steal.
Practical Step 13: Guard against physical theft
While you need to be mindful of hackers trying to breach your network, don’t forget that your hardware can be stolen too. Unauthorized individuals should be prevented from gaining access to business devices such as laptops, PCs, scanners, and so on. This may include physically securing the device or adding a physical tracker to recover the device in case of loss or theft. Ensure all your employees understand the importance of any data that might be stored on their cell phones or laptops when out and about.
For devices used by multiple employees, consider creating separate user accounts and profiles for additional protection. It’s also a good idea to set up remote wiping – this allows you to remotely delete the data on a lost or stolen device.
Practical Step 14: Don’t overlook mobile devices
Mobile devices create security challenges, especially if they hold sensitive information or can access the corporate network. Yet they can sometimes be overlooked when businesses are planning their cybersecurity. Ask your employees to password-protect their mobile devices, install security apps, and encrypt their data to stop criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen phones and tablets.
Practical Step 15: Ensure third parties who deal with you are also secure
Be wary of other businesses such as partners or suppliers who may be granted access to your systems. Make sure they are following similar practices to you. Don’t be afraid to check before you grant access to anybody.
Implementing Cybersecurity Solutions for Small Businesses
Cloud-based Cybersecurity Platforms
Cloud-based cybersecurity platforms offer a variety of security services, such as email filtering, web content filtering, and data loss prevention (DLP). These platforms can be a cost-effective way for small businesses to improve their cybersecurity posture.
Managed Security Services Providers (MSSPs)
MSSPs provide outsourced cybersecurity services, such as vulnerability assessments, penetration testing, and incident response. MSSPs can be a valuable resource for small businesses that lack the in-house expertise to manage their cybersecurity infrastructure.
Cybersecurity Insurance
Cybersecurity insurance can help to protect businesses from the financial consequences of a cyberattack. Cybersecurity insurance can cover costs such as data recovery, legal fees, and lost revenue.
What to look for in a cybersecurity company
For many small businesses, cybersecurity is not necessarily their core focus. It’s understandable if you need help with cybersecurity – after all, you have a business to run. But how do you know what to look for in a cybersecurity company? Here are some key attributes to look out for:
Independent tests and reviews:
A cybersecurity company could dazzle you with technical jargon and an impressive marketing campaign, so looking at independent tests and reviews is important. The best cybersecurity firms want their products tested and are happy to share the results.
Avoid cheap options:
You want to avoid a company that comes in, installs software, and then disappears. Additionally, a company claiming to specialize only in one field without offering additional products or support can’t provide the protection you need.
Extra support:
Whether a threat has been detected or you are having trouble backing up your files, you want a company that offers a decent level of support. Choose a company that helps you navigate threats, finds solutions, and takes the hassle out of cybersecurity.
Growth potential:
As your business grows, you need a cybersecurity company that can grow with you. Focus on companies that offer a full range of security systems for businesses, including those you may need in the future.
Small business owners have always had long to-do lists, but now, cybersecurity is at the top of the list. Fortunately, there are steps you can take to protect your small business, and the right cybersecurity company can help mitigate your risks.