Cybersecurity Tips for Small Business

By Scott Dawson
January 31, 2020

The risk of cyber-attack in small businesses increases with each passing year. As we make our way into the new decade, it’s no longer optional to employ security practices for your networks and data – it’s now a requirement of the times. A recent report by CNBC exposed that 43% of all cyberattacks were aimed at small businesses in 2019. And of those targeted, just 14% were prepared for the breach.

There is no business that is immune to cyberattacks. While your small business may not make headlines for a billion-dollar loss, you could find yourself in a position where your brand and company are irreparable. In fact, CNBC reports the average cost of a cyber-attack on a small business to be $200,000 – enough to prevent many small companies from recovering.

Setting up defenses for your company’s technology and digital connections doesn’t have to be overly complex, but it does need to be intentional. Without adequate protection, the information critical to your business – from personnel information to proprietary data to customer contact – is all at risk of being targeted by cyber criminals.

Take action to protect your company. While a full and effective cybersecurity strategy should takes be strategically planed and implemented, you can get a jump start with these quick tips:

Know where you stand

The first step to knowing how to set up your cybersecurity strategy is to outline two things: What do you need to protect and what are you currently doing to protect it.

Examine the information that lives in your business and its networks, then determine what information would put your company as risk should it fall into the wrong hands. Next, take an inventory of how you protect that vital information.

Highlight the areas where you see the most immediate need for action and take it. Once you’ve done an overarching sweep, you can dig deeper and start laying out a true strategy.

Build awareness of risk on your team

Your own personal knowledge of the risk of cyber threats isn’t enough. You must work with your team to build a genuine understanding and sense of responsibility in regard to the information you work with.

Start talking about it now. Find ways to encourage your team to be more proactive and highlight that it’s not just their work information that is at risk. It’s their personal contact information, their financial data, and even, potentially, their medical information. Without the direction to refrain from accessing that information or storing it on workplace devices, they put themselves at risk.

With 90% of cyberattacks the result of human error, each individual in you organization is responsible for taking cybersecurity seriously. It takes a lot of time to shift company culture surrounding this issue, so don’t wait to get started.

Be diligent about BYOD (Bring Your Own Device) policies

In our connected society, the physical and technological security of company devices are no longer the only concern. You must now also take into consideration the devices your team brings from home.

Whether connecting an external device to your network or using a personal machine to complete company tasks, the sensitive information that isn’t directly controlled by your hardware poses another level of risk to your company.

Set parameters about minimum security measures on personal devices and encourage your team to be mindful of how accessible their devices are – both in the cyber world and from a physical standpoint.

Educate your team about Phishing scams

Designed to infiltrate your network and systems via team email (though they can also come through text, phone, and social media), phishing scams arrive in your employees’ inboxes from addresses they will likely recognize. They include links to external sites that then ask for personal information or download malware on their machine, and those who divulge information unknowingly grant hackers access to your networks.

Be sure your team knows how to spot a phishing scam and encourage them to never give personal or login information unless explicitly told by HR or leadership. Train them on how to spot phishing schemes, and set policies and protocols surrounding information sharing.

Enforce strict network password protocols

In our world where there is a log-in for everything, managing passwords is a challenge. Setting up a stringent password protocol for your network is key to keeping sensitive information protected.

Encourage your team to keep passwords private, utilizing a trusted third-party password manager to help them maintain unique login credentials for each account they access. Further, set up a system that requires passwords to be updated periodically, and set strong requirements surrounding character use. Lastly, and most importantly, never allow team members to keep passwords physically written down.

Companies can take the extra step by requiring two-factor authentication on accounts, adding an extra layer of security that enforces the practice of receiving a code via phone or text message to be entered before gaining access to the account in question.

Delete Any Unused Accounts

With team member transition or growth into new platforms, you may have accounts hanging in cyberspace that are no longer serving a purpose. Often, these old credentials give attackers the perfect in to your company information as they work to breach an unmonitored account. Create an offboarding process to ensure all unused accounts are removed or locked down.

Keep software up to date and back up information regularly

Program and system maintenance is critical to strong cybersecurity. Often, software companies will roll out their own security updates designed to help keep your information safer.

Be sure to be diligent about installing software updates as soon as you receive notifications. Turn on automatic updates for your operating system, search from browsers like Chrome or Firefox that receive frequent security updates and keep plug-ins like java and flash up to date. Have an update that keeps popping up that you continuously ignore? Take a break and run it now.

Further, it’s important to get into the practice of backing up the sensitive data for your company at regular intervals. If you were to fall victim to an information security issue, you will likely only be left with the information that was secured on your server. By backing up data, you create a useable and secure copy that you will be able to reference and re-install in the event of information loss.

Running a small company is all about risk management – how you approach and capitalize on opportunities, and how you protect yourself from potential negative risk implications. Be intentional about developing programs and systems to manage important information and make cybersecurity a priority in 2020.

Cybersecurity Tips for Small Business Handout

If you are interested in exploring certification for CMMC/DFARS Compliance (Formerly NIST 800-171) or ISO 27001, please contact us at

Related Articles:

Cybersecurity Checklist

Cybersecurity Checklist

Small Business Cybersecurity Today’s cyber threats can impact any company, regardless of size or industry. But did you know that 43% of cyber-attacks are aimed at small businesses, according to...

Cyber Hygiene Practices for Every User

Cyber Hygiene Practices for Every User

What is Cyber Hygiene? Cyber hygiene refers to the practices and measures individuals and organizations take to maintain good digital health and security. Just like personal hygiene routines keep us...

ISO 27001:2022 Is Here

ISO 27001:2022 Is Here

ISO 27001:2022 The latest version of ISO 27001 has arrived. Published on October 25, 2022, the new version (ISO 27001:2022) brings important updates to the standard. Initial ISO 27001 audits...