Tips
Small Business Cybersecurity: 6 Basic Safety Steps
PNW Cybersecurity
Ready to get started?
Secure your home today
Small Business Cybersecurity: 6 Basic Safety Steps
Did you know? Nearly 70% of small businesses face cyberattacks, and 60% of those that experience a breach shut down within six months. Protecting your business doesn’t have to be overwhelming - start with these 6 essential cybersecurity steps:
Train Employees on Security Basics: Teach your team to spot phishing scams and use strong passwords with two-factor authentication.
Secure Your Network: Lock down your Wi-Fi with strong encryption, set up firewalls, and monitor network activity.
Control Data Access: Limit who can access sensitive information and secure physical devices.
Install and Update Security Tools: Use antivirus software and keep all systems updated.
Back Up Data Regularly: Follow the 3-2-1 rule: 3 copies of data, 2 different formats, 1 offsite backup.
Create a Security Plan: Document how to handle incidents, assign roles, and test your response strategies.
Quick Tip: Start with small steps like enabling multi-factor authentication and training employees on phishing awareness. These simple actions can drastically reduce your risk of cyber threats.
Protect your business by acting now - cybersecurity is not optional for small businesses in today’s digital landscape.
Cybersecurity Basics for Small Businesses | Quick Tips to ...
Step 1: Train Staff on Security Basics
Employee training is key to defending against cyber threats. In 2021, 83% of organizations reported experiencing phishing attacks [5], and nearly 25% of data breaches were linked to phishing [4]. Teaching your team the fundamentals of security can make a big difference.
Start by focusing on how to spot phishing attempts and enforcing strong password habits.
Spot and Stop Phishing Attacks
Phishing tactics are becoming more advanced, with Google identifying 75 times more phishing websites than malware sites [4]. Teach your employees to recognize these common warning signs:
Urgent or threatening language: Messages that demand immediate action.
Suspicious sender addresses: Look out for slight misspellings like 'companyrn.com' instead of 'company.com.'
Unexpected requests for sensitive information: Be cautious if someone asks for confidential data out of the blue.
Grammar and spelling errors: These often point to fraudulent messages.
For instance, in 2021, scammers posed as HR representatives, using fake surveys to steal login credentials [4].
Once phishing awareness is in place, focus on securing accounts with strong passwords and two-factor authentication (2FA).
Set Up Strong Passwords and 2-Factor Authentication
Combining strong passwords with 2FA significantly reduces risks. Since 61% of breaches involve stolen credentials [6], implementing strict password policies is a must.
Password Requirements | Best Practices |
|---|---|
Minimum Length | 14+ characters |
Character Mix | Use uppercase, lowercase, numbers, and symbols |
Uniqueness | Avoid reusing passwords across accounts |
Updates | Change passwords regularly with meaningful differences |
"Every site we use, every application should have a unique password... A long, strong password is a good thing too... You're going to want these to be 12 to 15 or more. I like them longer. A password manager makes that doable." - Heather Noggle [6]
Encourage the use of password managers, enable app-based 2FA, set up regular password updates, and keep an eye on access logs.
"Adding MFA is adding a layer of defense to your systems and to your network... having multifactor authentication will make it more difficult for attackers to gain access to the system." - Bruno Aburto [6]
Reinforce these practices with regular training sessions and phishing simulations. This not only strengthens security habits but also ensures employees report suspicious activity quickly.
Building employee awareness and enforcing strong password policies lay the groundwork for securing your network and devices in the next steps.
Step 2: Lock Down Your Network
Securing your network is one of the most effective ways to protect your business from cyber threats. With 72% of business data breaches linked to unsecured wireless devices [7], taking the right precautions can make all the difference. Once your team is well-trained, a secure network adds another layer of protection against potential attacks.
Set Up Secure Wi-Fi
Follow these steps to secure your Wi-Fi network:
Security Feature | How to Implement |
|---|---|
Network Name (SSID) | Choose a unique name that doesn’t reveal your business identity. |
Encryption | Enable WPA3 encryption (or WPA2 if WPA3 isn’t available). |
Password | Use a strong password with at least 20 characters, mixing numbers, letters, and symbols. |
Guest Network | Create a separate network for visitors to limit access to your main system. |
Physical Security | Place your router in a locked, secure location to prevent tampering. |
It’s also a good idea to turn off your Wi-Fi during non-business hours, such as nights and weekends [7]. This simple step reduces your network’s exposure to potential attacks. After securing your Wi-Fi, focus on strengthening your network perimeter with a properly configured firewall.
Install Firewalls and Update Network Security
A firewall acts as a critical barrier between your business and cyber threats. The stakes are high - data breaches can result in 60% of small businesses shutting down within six months [1]. Here’s how to ensure your firewall is set up for maximum protection:
Establish Basic Protection
Update your firewall’s firmware and use unique administrator credentials. Disable public access to administrative settings, and add a "deny all" rule at the end of your access control list to block unauthorized traffic.Monitor Network Activity
Set up logging to track and review suspicious network behavior. As Ian Thompson points out, "A good firewall is important not only to protect your information but also your reputation" [8].Keep Everything Updated
Regular maintenance is key. Make it a habit to:Change passwords frequently
Keep firmware up to date
Review and adjust configuration rules
Scan for vulnerabilities
"Keeping your systems patched is one of the most cost-effective practices to improve your security posture." – CISA [9]
Enable automatic updates whenever possible to stay ahead of emerging threats [9].
Step 3: Control Data Access
Keeping your business data secure starts with managing who can access it. Poor access control can lead to breaches, financial losses, legal trouble, and harm to your reputation [12].
Set Employee Access Levels
Follow the principle of least privilege: give employees access only to the data and systems they need for their specific roles.
Access Level | Permissions | Example Role |
|---|---|---|
Full Access | All systems and data | IT Administrator |
Department Level | Specific department data | Department Manager |
Limited Access | Task-specific resources | General Staff |
Read-Only | View-only permissions | Temporary Workers |
To tighten security, define clear roles, require multi-factor authentication for sensitive data, regularly audit access permissions, and log all changes.
"The principle of least privilege suggests that users should have only the minimal access necessary for their jobs. This approach reduces the risk of unauthorized data access or data leaks significantly." - Keri Bowman, CISA-certified GRC expert [11]
Secure Physical Devices
Data security isn’t just about software - it also applies to hardware. The Cybersecurity and Infrastructure Security Agency (CISA) highlights the importance of securing physical devices as part of a broader cybersecurity strategy [13].
Secure Storage
Store devices containing sensitive data in locked areas. For servers and network equipment, use a dedicated secure room and maintain a complete hardware inventory.Device Protection
Protect company devices by enabling features like:Full disk encryption
Auto-lock after 15 minutes of inactivity
Limited login attempts
Remote wipe capabilities
Remote Work Security
For remote employees, implement these precautions:Use data blockers when charging devices in public
Avoid leaving devices unattended
Use a VPN when connected to public Wi-Fi
Ensure devices are password-protected and encrypted
"Physical security best practices are crucial for your cybersecurity, too." - CISA [13]
The Equifax breach [10] serves as a reminder of how critical access controls are. When disposing of old devices, use specialized software to wipe data or physically destroy the hardware - simple file deletion isn’t enough.
Finally, keep your security tools updated to stay ahead of potential threats.
Step 4: Install and Update Security Tools
Once you've secured your networks and data access, the next step is to equip your systems with the latest security tools.
Security software is your frontline defense against cyber threats. With 43% of breaches targeting small and medium-sized businesses (SMBs) [14], having reliable tools in place is non-negotiable. Regular updates are essential to keep these tools effective.
Set Up Auto-Updated Antivirus
Antivirus software is designed to combat a wide range of threats. According to AV-Test, over 450,000 new malicious programs and potentially unwanted applications are detected daily [14].
When choosing antivirus software, look for these key features:
Feature | Benefit to Your Business |
|---|---|
Real-time Monitoring | Stops threats before they can cause harm |
Multi-device Support | Secures all business devices (computers, phones, tablets) |
Ransomware Protection | Blocks attempts to encrypt and hold data hostage |
Easy Management | Simplifies security settings across all devices |
Minimal Performance Impact | Ensures scans don't slow down operations |
"Investing in a reliable antivirus solution is not just a smart business move, but a necessity in today's digital landscape." - John Smith, Cybersecurity Expert [14]
Don't forget mobile devices! Enable features like real-time scanning, web protection, and app scanning to ensure they're covered. Once installed, keep your antivirus software updated to maintain strong defenses.
Keep Software Current
"The best defense against online attackers is to keep your software up to date and replace any hardware or software that is 'end of life,' or no longer supported." [15]
Set up weekly system checks and schedule device restarts during off-hours to install updates. Always download updates from official sources, and conduct quarterly audits to confirm that automatic updates are working as expected.
"Think of software updates as your digital immune system - they protect your devices from security threats and improve performance." - National Cybersecurity Alliance [16]
The risks are real: 60% of small businesses that suffer a cyberattack shut down within six months [3]. Keeping your security tools up to date isn't just about staying safe - it's about ensuring your business can thrive.
Step 5: Create Data Backups
Losing data can be a major blow to small businesses. Around 70% of businesses face data loss, with ransomware incidents costing an average of $100,000 each [20]. Having dependable backups is critical to avoid such setbacks.
Use the 3-2-1 Backup Method
The 3-2-1 backup rule is a well-established approach recommended by the Cybersecurity and Infrastructure Security Agency (CISA) [17].
Component | Requirement | How to Implement |
|---|---|---|
3 Copies | Original + 2 backups | Store on separate systems |
2 Types | Different storage media | Combine local and network storage |
1 Offsite | Remote or cloud storage | Use encrypted cloud backups |
"While my focus has been primarily on digital media, the 3-2-1 principles are pretty universal... Over nearly 20 years, 3-2-1 has been a great tool to evaluate data risk exposure."
Peter Krogh, U.S. photographer [18]
The 3-2-1 method is only effective if the backups are regularly tested to confirm they work as intended.
Set up automated backups based on how critical the data is to your business:
Data Category | Backup Frequency | Retention Period |
|---|---|---|
Email/Exchange Servers | Hourly | 5 days |
Critical Business Data (e.g., financial and customer records) | Daily | 2 weeks |
System Files and Configurations | Weekly | 1 month |
Check Backup Recovery
Nearly 39% of organizations don't have an incident response plan [19]. To ensure your backups are reliable, take these steps:
Schedule Regular Tests: Run recovery drills every month to confirm backups can be fully and quickly restored.
Monitor Backup Success: Review backup logs daily to catch errors. Set up notifications for failed backups or storage issues.
Validate Data Integrity: Scan backups for malware before storage. Use software with built-in verification tools to prevent data corruption.
"As frequently as necessary to ensure that, if data is lost, it is not unacceptable to the business."
Ready.gov [19]
"As technology advances and businesses evolve, it is increasingly important to have dependable backup solutions in place. The 3-2-1 backup rule can help you know how to protect your essential data and ensure you have a solid backup plan."
Since small businesses are targeted 15 times more frequently [21], consider keeping an air-gapped backup - one that’s isolated from your network. This can help protect your data from cyberattacks. Incorporate these backup practices into your overall security measures to keep your business running smoothly.
Step 6: Write Your Security Plan
A written security plan protects your business and ensures a structured approach to handling security incidents. The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes that an Incident Response Plan (IRP) is essential for managing security events effectively at every stage - before, during, and after they occur [9]. This plan establishes clear roles and detailed procedures for your team.
Access Planning Tools
Leverage free resources to build a comprehensive security plan:
Resource | Provider | Key Features |
|---|---|---|
Small Biz Cyber Planner 2.0 | FCC | Templates and risk assessments |
Cybersecurity Framework 2.0 | Implementation guides | |
Cyber Resilience Review | DHS & CERT | Operational assessments |
Small Business Toolkit | Security resources |
Your plan should cover:
Defined roles for the response team
Emergency contact details (stored offline)
Step-by-step response procedures
Communication protocols
Backup and recovery processes
This document ties together earlier preparations into a cohesive response strategy.
"The IRP is your action plan before, during and after a security incident. Give it the attention it deserves in 'peace time,' and involve leaders from across the organization, not just the security and IT functions. There will be no time to digest and refine it during an incident." - CISA [9]
Update and Test Your Plan
Keep your security plan relevant with regular reviews and updates. Schedule quarterly reviews and revise the plan after any incidents or near misses [9].
Quarterly Tabletop Exercises: Simulate attack scenarios to practice and refine response procedures.
Review and Update:
Train staff on new protocols and assess incident responses.
Address technical vulnerabilities and adjust controls.
Reevaluate access permissions.
Verify network configurations.
Test backup systems by performing restore exercises.
When combined with earlier steps, a well-maintained security plan strengthens your business's defenses. Regular updates ensure your cybersecurity strategy stays effective and aligned with evolving threats.
Next Steps: Put These Security Steps to Work
Cyber attacks hit 43% of small businesses, leading to damages of over $2.2 million annually [22]. To protect your business, it’s time to act on the security measures outlined earlier.
Start by conducting a NIST Cybersecurity Framework risk assessment to identify your most urgent vulnerabilities [6].
Here’s a practical timeline to help you implement these steps based on risk levels:
Timeframe | Priority Actions | Key Focus |
|---|---|---|
Week 1 | Password Management & MFA | Set up a password manager and enable MFA for critical accounts |
Week 2 | Network Security | Configure firewalls and create a secure guest Wi-Fi network |
Week 3 | Data Backups | Use the 3-2-1 backup strategy (3 copies, 2 formats, 1 offsite) |
Week 4 | Staff Training | Hold initial security awareness sessions for employees |
Month 2 | Security Tools | Install antivirus software and create a patch management schedule |
Month 3 | Security Plan | Document security procedures and assign responsibilities |
This timeline serves as a guide to help you integrate these measures into your daily operations.
"Most SMBs are probably not focused on security. They're more focused on profit and just developing their business. And now we, as cybersecurity professionals, need to translate the risk of cybersecurity and get small business owners to understand that there's a financial impact that could happen if they do have to, or if they realize a risk and suffer a data breach or a cyber attack." [6]
Set up quarterly reviews to test and refine your incident response plans. If your IT team is stretched thin, consider working with a cybersecurity expert to handle routine tasks.
"Humans need to be the first and last line of defense, especially in small businesses."
John Arledge, Vice President, Akamai Technologies [2]
Stay on top of security with weekly patches, daily backups, and monthly reviews. Begin with basics like strong passwords and multi-factor authentication, then expand your efforts over time. Consistently following these steps will help your business stay ahead of cyber threats.
FAQs
×How can I train my employees to identify and respond to phishing attacks effectively?
Training your employees to handle phishing attacks is essential for protecting your business. Start by teaching them to identify common phishing signs, such as suspicious email addresses, unexpected requests, or grammatical errors. Encourage them to double-check any emails asking for sensitive information.Reinforce awareness with regular training sessions that include real-world phishing examples. Foster a culture of cybersecurity by reminding employees to report suspicious messages immediately and follow established protocols. Consistent education and vigilance are key to minimizing risks.
×What steps can small businesses take to keep their data backups secure and recoverable after a cyberattack?
To keep data backups secure and recoverable, small businesses should use strong encryption both during transfer and while the data is stored. Regularly test your backups to ensure they can be restored successfully when needed. It's also critical to store backups in a secure offsite location or use a trusted cloud service to protect against physical damage or theft.Integrate backups into a comprehensive disaster recovery plan that outlines clear steps to follow in the event of a cyberattack or other emergencies. By combining encryption, regular testing, and a well-thought-out recovery strategy, you can minimize downtime and protect your business operations.
×Why do small businesses need a written cybersecurity plan, and what should it include?
A written cybersecurity plan is essential for small businesses to protect their operations, secure sensitive data, and comply with legal requirements. It helps identify potential threats, establish clear security policies, and assign responsibilities for responding to incidents.A strong plan should include key elements like guidelines for using strong passwords, steps for securing customer and business data, protocols for managing employee access, and procedures for updating software and systems regularly. It’s also important to review and update the plan regularly to address new risks or changes in your business. Having a clear plan not only safeguards your business but also builds trust with clients and partners by showing your commitment to data security.
