Cybersecurity Tips for Small Businesses


1. Understand the threats.

Hackers take advantage of small businesses in a variety of ways. Some of the most common threats are:

  • Phishing: Phishing is one way cybercriminals gain access to devices. It happens when a fraudulent email tricks the recipient into taking a compromising action, like opening a malicious email attachment or responding with sensitive information.
  • Malware: This term refers to any software that was created to cause harm. That harm could include damage or theft. Malware can affect computers, servers, networks, mobile devices, and more.
  • Viruses: A virus is a type of malware that spreads from one device to another. It can destroy or damage files or give cybercriminals access. Devices can become infected by coming in contact with infected removable media (like a flash drive), opening infected email attachments, or visiting an infected website.
  • Ransomware: This type of malware enters a device and locks the owner out of their own files. The cybercriminal then demands a ransom be paid in exchange for releasing the files. Ransomware is often delivered through phishing emails or vulnerabilities in out-of-date software.

2. Evaluate your business's vulnerabilities and needs.

Every business has a slightly different risk profile for cybercrime. Do an assessment of your business to understand your vulnerabilities and create a plan to strengthen them.

You don't have to go it alone. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) offers free Cyber Resilience Review resources[3] online. And the Federal Communications Commission (FCC) has a Small Biz Cyber Planner[4] to help you create a cybersecurity plan.

3. Craft technology policies and train employees.

Phishing is popular among hackers because human error is a common vulnerability among businesses. Employees should learn to be suspicious of all emails with links, attachments, or requests for information. As the National Cyber Security Alliance's StaySafeOnline initiative suggests, "When in doubt, throw it out."[5]

That's just one of many technology policies your employees should follow. StaySafeOnline's webinar "Creating a Cyber Aware Employee Culture in Your Business"[6] includes many suggestions for training your staff to help keep your small business safe. Create clear technology use policies for employees and train them on how — and why — they should follow them.

4. Secure your network.

Cybercriminals can also harm small businesses through weaknesses in their networks. The U.S. Department of Commerce recommends small businesses enable firewalls on device operating systems or install additional firewall software. You can also protect your wireless network[7] by password protecting your router and hiding the Wi-Fi network in your router's settings so the network name is not shared with nearby devices.

5. Invest in antivirus software.

Install strong, reputable antivirus software on all devices in your small business and keep it updated. Antivirus software requires frequent updates to stay ahead of the constantly evolving array of cyber threats.

6. Include mobile devices in cybersecurity plans.

Employee mobile devices can be points of entry into your business for cybercriminals. The Commerce Department suggests that all mobile devices be secured with strong passwords and security apps to protect data while employees are on the go.

7. Secure payment processing.

Payment processors are highly regulated to keep consumer payment data safe. Work only with reputable payment processors and follow their prescribed best practices for cybersecurity. The Commerce Department also recommends isolating your payment systems from other devices, such as those your employees may use to browse online.

8. Practice ongoing cybersecurity maintenance.

Once you've established your cybersecurity baseline, the ongoing work begins. This checklist includes regular maintenance practices to help your small business stay ahead of cybercriminals.

  • Keep software up-to-date. Operating systems, browsers, and antivirus software regularly offer updates. Install these promptly to minimize vulnerabilities.
  • Back up data. Regularly back up your business data to devices that can't be accessed through your network, like an external hard drive. Ransomware attacks are ineffective if you have backups to protect your data.
  • Update passwords. All business and employee passwords should be updated every three months. When and where available, add multi-factor authentication for logging into sensitive programs and devices.
  • Test your vulnerabilities. Sign up for CISA's free cyber hygiene vulnerability scanning[8] for small businesses. Your system will receive regular scans and you'll get weekly reports.
  • Maintain training and information. Provide employees with regular training to keep their cyber knowledge fresh and up-to-date. Keep yourself updated by subscribing to cybersecurity update emails, like StaySafeOnline's mailing list,[9] or by attending ongoing cybersecurity events.[10]

The basics of cybersecurity for small business aren't that difficult — especially for the DIYers that business owners tend to be. And if your network isn't an easy target, you're much less likely to be targeted at all.

Important disclosure information

This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.

  1. Verizon, "2019 Data Breach Investigations Report," accessed April 21, 2020.
  2. Hiscox, "Hiscox CyberReadiness Report 2019," accessed April 21, 2020.
  3. CISA, "Assessments: Cyber Resilience Review (CRR)," accessed April 21, 2020.
  4. FCC, "Cyberplanner," accessed April 21, 2020.
  5. StaySafeOnline, "CyberSecure My Business™ Protect," accessed April 21, 2020.
  6. StaySafeOnline, "Creating a Cyber Aware Employee Culture in Your Business – CyberSecure My Business™ Webinar," accessed April 21, 2020.
  7. SBA, "Small Business Cybersecurity," accessed April 21, 2020.
  8. CISA, "National Cybersecurity Assessments and Technical Services (NCATS)," accessed April 21, 2020.
  9. StaySafeOnline, "NCSA Newsletter," accessed April 21, 2020.
  10. StaySafeOnline, "Events," accessed April 21, 2020.