Small businesses face the same cybersecurity threats as large enterprises, but often lack the resources and expertise to defend against sophisticated attacks. The stakes are particularly high for small companies, which are increasingly targeted by cybercriminals who view them as easier targets due to limited security resources. According to Verizon’s 2025 “Data Breach Investigations Report,” 60 percent of breaches involve a non-malicious human element, meaning a person made an error or fell prey to a social engineering attack.
A well-designed cybersecurity plan serves as your business’s roadmap for protecting against these digital threats, ensuring business continuity and maintaining customer trust. This guide will walk you through creating an effective cybersecurity strategy for your small business, covering essential security measures, regulatory compliance requirements and when to seek professional assistance. You’ll learn about cybersecurity plans, common types of cyberattacks that threaten small businesses and cyber insurance’s role in your overall risk management strategy.
What is a cybersecurity plan?
A cybersecurity plan is a detailed blueprint of the steps an organization takes to secure its systems and data and to repel cyberattacks, the threats posed by cybercriminals. Effective cybersecurity plans require thoughtful technology investments and detailed staff training. Investing in employee training is particularly crucial given the significant role of human error in security incidents.
Modern cybersecurity plans should align with established industry frameworks to encompass best practices and ensure comprehensive coverage. The NIST Cybersecurity Framework 2.0: Small Business Quick-Start Guide “provides small-to-medium-sized businesses (SMB), specifically those who have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0.” Other recognized standards include ISO/IEC 27001 for information security management systems and the Payment Card Industry Data Security Standard (PCI DSS) for businesses handling credit card data.
While preventing attacks is the goal, a thorough cybersecurity plan will also inform your strategy for recovering from a data breach if one occurs. In those instances, the objective is to mitigate damage and recover as quickly as possible so your company can return to business as usual.
According to CompTIA's 2025 "State of Cybersecurity" report, the biggest challenges in cybersecurity planning include skills gaps and budget constraints. Only 49 percent of organizations find it easy to procure cybersecurity funds, despite 78 percent stating it's a high priority.
How do you create a cybersecurity plan?
To create an effective cybersecurity risk management plan, you must identify and address security threats that make your business vulnerable so you can apply the right technological and human patches. Follow the steps below to create a cybersecurity plan that protects your organization from internal and external digital threats.
Step 1: Decide what’s important.
In your initial cybersecurity risk assessment, take these steps:
- Determine which data is essential. Start by identifying and categorizing your organization’s digital assets, including sensitive customer data, financial records and intellectual property. Assess the importance of each data type by determining how your business would be affected if that data were compromised or lost.
- Identify critical systems and assets. Some hardware and software are more important than others. Identify and prioritize these assets, particularly the systems necessary for daily operations, as any breach or unauthorized access could severely disrupt your business continuity.
- Run an impact analysis. Successful cyberattacks can disrupt your business operations for prolonged periods. Evaluate the financial and reputational damage you’d experience from different cybersecurity incidents so you can focus on the areas that would most affect your operations.
During this assessment phase, determine which regulatory requirements apply to your business type. For example:
- Healthcare organizations must comply with HIPAA to protect patient health information.
- Financial services companies may need to meet requirements under regulations like the Gramm-Leach-Bliley Act.
- Any business processing credit card payments must adhere to PCI DSS standards.
- Companies handling personal data of individuals in the European Union (EU) must comply with GDPR, which applies regardless of where your business is located if you process personal data of people in the EU.
Step 2: Identify and fix technical vulnerabilities.
It’s essential to understand your company’s current technical vulnerabilities. You can’t craft solutions until you know where your problems are and why they arose. Take the following steps:
- Check for malware on your network. You may already have malware and ransomware on your network. Identify these intrusions and purge your system as soon as possible using reputable tools like Microsoft Defender for Business or Bitdefender GravityZone Business Security.
- Delete unused software. If your organization no longer uses a specific software program, you’re likely not updating it with the latest security patches. Identify unused software and delete it to eliminate potential threats.
- List every device that connects to your network. Create and continually update an inventory of every device permitted on your network (hostname, owner, MAC address and purpose). Consider restricting network access to inventoried devices, for example with 802.1X authentication on wired and wireless networks; MAC-address filtering alone is easy to bypass because MAC addresses can be spoofed. It's much easier for a hacker to gain entry if any device can join your network.
- Create a layered network. Generally, desktop and mobile device security is tighter than security levels on printers, security cameras and internet-connected devices. Consider segmenting your network to ensure critical systems are inaccessible from less secure elements.
- Map your data flow. Understand and map how information travels throughout your business. Pinpoint where data is stored after it’s collected, who can access it and what they can do with it, especially if third parties can log in. Mapping your data flow will help you identify weaknesses in your data security processes.
- Conduct regular vulnerability scans. Invest in software that scans for less-secure spots in your corporate network. Tools like Nessus or OpenVAS can identify vulnerabilities across your infrastructure. Pay attention to high-risk issues the software flags, and fix them immediately. Conduct these vulnerability scans at least once a month. You can purchase standalone software for this purpose, although many antivirus apps provide this functionality.
- Review and update system configurations. Data breaches and other cyber incidents are often successful because companies don’t securely configure hardware such as firewalls, routers and servers. If you no longer use an access point, consider removing it. Your IT team should also ensure users’ passwords are strong and unique to minimize the chances of a successful dictionary attack, where a cybercriminal systematically tries a list of common passwords or words — typically from a “dictionary” of known or likely possibilities — to guess a user’s password or encryption key.
- Evaluate third-party security protocols. The Verizon report mentioned earlier found that the percentage of breaches involving third parties doubled to 30 percent in its latest study. If you work with vendors or partners who have access to your systems or data, carefully evaluate their security measures to ensure that poor security on their end doesn’t make your company more vulnerable to potential cyberattacks.
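To make the device inventory item above concrete, here is an added example that is not part of the original guide. It parses constructed `arp -a` output in the Linux format and flags any MAC address that is missing from a hypothetical inventory; the addresses, hostnames and inventory entries are all made up.

```python
"""Flag network devices that are absent from the approved inventory.

Added example, not part of the original guide. Parses constructed output in
the format of Linux `arp -a` and compares MAC addresses against a
hypothetical allowlist.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output (same layout as `arp -a` on Linux). One entry is
# "<incomplete>", which is how unanswered ARP requests appear and must be skipped.
SAMPLE_ARP_OUTPUT = """\
gateway (192.168.1.1) at 3c:84:6a:11:22:33 [ether] on eth0
? (192.168.1.20) at 00:1a:2b:3c:4d:5e [ether] on eth0
printer.lan (192.168.1.50) at 00:80:77:aa:bb:cc [ether] on eth0
? (192.168.1.99) at d4:3b:04:de:ad:01 [ether] on eth0
? (192.168.1.120) at <incomplete> on eth0
"""

# Hypothetical approved-device inventory keyed by MAC address (lower-case).
INVENTORY = {
    "3c:84:6a:11:22:33": "Router (gateway)",
    "00:1a:2b:3c:4d:5e": "Front-desk PC",
    "00:80:77:aa:bb:cc": "Office printer",
}

ARP_LINE = re.compile(
    r"^(?P<name>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) ",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str


def parse_arp(output: str) -> list[Device]:
    """Return one Device per resolved ARP entry; incomplete entries are dropped."""
    devices = []
    for line in output.splitlines():
        m = ARP_LINE.match(line)
        if m is None:
            continue
        devices.append(Device(ip=m["ip"], mac=m["mac"].lower(), hostname=m["name"]))
    return devices


def find_unknown(devices: list[Device], inventory: dict[str, str]) -> list[Device]:
    """Devices whose MAC is not in the inventory, in the order they were seen."""
    return [d for d in devices if d.mac not in inventory]


def report(output: str = SAMPLE_ARP_OUTPUT, inventory: dict[str, str] = INVENTORY) -> list[str]:
    """Human-readable line per unknown device (an empty list means every device is known)."""
    return [
        f"UNKNOWN {d.ip} {d.mac} ({d.hostname})"
        for d in find_unknown(parse_arp(output), inventory)
    ]


if __name__ == "__main__":
    # In production, feed the real command output, e.g. subprocess.run(["arp", "-a"], ...).stdout
    for line in report():
        print(line)
```

Run this from a machine on the office LAN on a schedule and alert on any non-empty report. Treat it as a detective control only: MAC addresses are trivially spoofed, so the preventive control is 802.1X (or at least a separate guest network), and the script's real value is catching the camera or laptop someone plugged in without telling IT.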
If your business handles sensitive data like protected health information or operates under strict regulations, you may want to consult with cybersecurity professionals. These experts can bring advanced knowledge and implement security solutions beyond basic measures. Consider professional assistance when vulnerability assessments reveal complex security gaps, you have significant compliance requirements or if your organization lacks internal IT expertise.
Want to know how secure your business really is? Hire a penetration testing (white-hat hacking) firm to test how hard it is to gain unauthorized access to your company's systems and data, and agree on the scope and rules of engagement in writing before testing begins.
Step 3: Establish your technical defenses.
To address emerging threats from cybercriminals, your technical defenses should include the following solutions and strategies:
- Decide and set account privileges. Staff members should be able to access only the programs, apps and data they need to perform their jobs. This approach, known as the “principle of least privilege,” is crucial in well-executed cybersecurity plans. For example, an administrative staffer doesn’t need the same access to programs and data as your chief financial officer does. So, if hackers break in via the admin’s credentials, they’ll only gain restricted access, reducing the damage they can do.
- Utilize and update antivirus software. Employees may unwittingly help cybercriminals by downloading a malicious attachment or clicking a rogue link in an email. Business-grade endpoint protection such as Microsoft Defender for Business, Bitdefender GravityZone or CrowdStrike Falcon Go can block most commodity ransomware and malware before it runs, but no product catches everything, so treat it as one layer rather than the whole defense. Ensure you use quality antivirus software with automatic updates, and set it to run regular scans.
- Install robust firewalls. Next-generation firewalls (NGFWs) like the SonicWall TZ series or Fortinet FortiGate inspect the traffic crossing your network boundary and block anything that fails predefined rules; many also inspect application-layer content and block connections to known-malicious destinations. For the greatest protection, pair a network (perimeter) firewall with the host-based firewall built into each operating system, deny inbound connections by default and review the rule set periodically so that ports opened for a long-finished project don't stay open.
- Ensure data is encrypted. Encrypt data in transit by requiring TLS (version 1.2 at minimum, preferably 1.3) for your websites, email and remote access, and encrypt data at rest with full-disk encryption (BitLocker on Windows, FileVault on macOS, or a tool like VeraCrypt) plus the encryption options your cloud providers offer. Modern tools use the Advanced Encryption Standard (AES), which makes the data practically unreadable without the decryption key, so manage and back up the keys as carefully as the data itself. Keep in mind that encryption at rest protects against a stolen laptop or disk, not against an attacker who logs in with a valid user's credentials; it complements access controls rather than replacing them.
- Protect your data with backups. Choose a backup service that encrypts data in transit and at rest, and schedule backups at least daily (more often for fast-changing data). Solutions like Carbonite Safe and Acronis Cyber Backup provide automated, encrypted backups suitable for small businesses. Follow the 3-2-1 rule (three copies, on two kinds of media, one off-site) and keep at least one copy offline or immutable, because ransomware operators deliberately delete or encrypt any backup they can reach before they trigger the attack. Having a backup means that when you regain control of your systems after a breach, you can restore the most recent clean copy. Test restores regularly, not just the backup jobs, to confirm you can actually recover the data you need within an acceptable time.
- Monitor software update cycles. Sign up for newsletters from your software vendors to get notified of updates and security patches. While many software platforms update automatically, not all do, so check once a month to make sure each program is updated.
- Consider software swaps. If a software package you use has been retired and the vendor no longer provides security patches, swap it for a similar package that's currently supported. Patch management apps like ManageEngine Patch Manager Plus can automate patching across your fleet. Business.com also offers a free guide to installing Windows patches with PowerShell.
- Prioritize Wi-Fi network security. Hiding your network name (disabling SSID broadcast) offers little real protection: the SSID still appears in client probe requests and in ordinary wireless scanning tools, so don't rely on it. Instead, use the strongest encryption your access points support (WPA3, or WPA2 with AES at minimum), choose a long unique passphrase, put guests and internet-connected devices on a separate network, replace the default admin password with a strong unique one and keep the access points' firmware updated.
- Implement robust password management. Business password managers like 1Password Business, Bitwarden Business and Dashlane Business encrypt stored credentials (typically with AES-256) and let teams share logins without pasting passwords into chat or email. They help employees and contractors use strong, unique credentials for every account; pair them with the least-privilege access rules above so each person reaches only what they're authorized to.
- Implement two-factor authentication (2FA). For additional security, 2FA, a type of multifactor authentication, requires users to provide two different forms of identification, such as a password and a code sent to or generated on a second device, when logging into a network or program. This is similar to how Google may prompt you to confirm a sign-in on your computer by sending a notification to your mobile phone. Prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted through SIM swapping, and be aware that one-time codes can still be phished in real time; where your services support them, FIDO2 security keys or passkeys resist that. Check out our recommendations for the best authenticator apps.
- Protect internet-connected devices. Don't limit your protection efforts to computers. Cameras, printers and other internet-connected devices are favorite attack points because they often ship with default credentials and rarely receive updates. Attackers sometimes want the device itself (to enlist it in a botnet, for example), but more often they use it as a foothold to reach your wider network. Change default passwords, apply firmware updates and keep these devices on the segmented network described in Step 2.
Basic technical defenses should be implemented within 30-60 days of developing your cybersecurity plan, starting with the most critical systems. Firewall installation and antivirus deployment can typically be completed within the first week. Password management and 2FA implementation should follow within 2-3 weeks. More complex measures like network segmentation may require 60-90 days, particularly if you need to reconfigure existing infrastructure.
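The backup item above says to test restores, not just backup jobs. The added example below, which is not from the original guide, shows one way to do that: build a SHA-256 manifest of the live files at backup time, then verify a restored copy against it so that a missing, altered or unexpected file is reported. All files, directory names and contents are created in a temporary directory and are made up.

```python
"""Prove a backup can be restored intact, not just that the backup job ran.

Added example, not from the original guide. Builds a SHA-256 manifest of a
source tree, restores a copy, and verifies the copy against the manifest.
Everything here is created in temporary directories with constructed contents.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's relative POSIX path to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> list[str]:
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(restored)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(current.keys() - manifest.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def restore_drill() -> tuple[list[str], list[str]]:
    """Run a clean restore check, then one where the copy was damaged before verification."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "ledger").mkdir(parents=True)
        (live / "customers.csv").write_text("id,name\n1,Acme Ltd\n2,Globex\n")  # constructed data
        (live / "ledger" / "q1.txt").write_text("opening balance 10000\n")

        manifest = build_manifest(live)       # store this apart from the backup itself
        restored = Path(tmp, "restored")
        shutil.copytree(live, restored)       # stands in for a real backup and restore
        clean = verify_restore(manifest, restored)

        # Simulate what ransomware does to a backup it can reach: encrypt one
        # file, delete another, and drop a ransom note.
        (restored / "customers.csv").write_bytes(b"\x00\xffENCRYPTED")
        (restored / "ledger" / "q1.txt").unlink()
        (restored / "README_DECRYPT.txt").write_text("pay us")
        damaged = verify_restore(manifest, restored)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore:", clean or "OK")
    print("damaged restore:", damaged)
```

Keep the manifest somewhere the backup job cannot overwrite (a separate account or an immutable bucket); if an attacker can rewrite both the backup and its manifest, the check proves nothing. Running the drill against a real restore into a scratch directory each month turns "we have backups" into "we restored 40 GB in 35 minutes and every hash matched".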
Step 4: Establish your human defenses.
Let your employees know why stopping hackers is vital: All it takes is one big cyberattack to threaten the entire company’s existence — and their jobs. Train them to stay vigilant about suspicious activity, and explain what to do if something potentially harmful happens. Use the following guidance as a starting point:
- Be suspicious of every email and phone call. Train staff to be alert to phishing attempts and common business scams. For example, if someone claiming to be the CEO calls the accounting team demanding that an invoice be paid immediately, require team members to verify the request through an independent channel, such as calling the CEO back on a number from the company directory rather than one supplied by the caller, before any payment is released.
- Consider eliminating BYOD (“bring your own device”) policies. Many organizations don’t allow employees to connect their personal smartphones and tablets to the company’s network because these devices typically have much lower security levels than business devices. If staff members currently use their own laptops to connect to your network, consider purchasing secure business laptops so you can control their security levels. Also, consider adjusting your acceptable use policy to cover mobile device usage issues.
- Don’t connect to public Wi-Fi without a VPN. Public Wi-Fi is risky even when it's password-protected, because you share the network with strangers and can't verify who runs it. To ensure secure remote access, allow employees to use public Wi-Fi only through a business VPN such as NordLayer or Cisco AnyConnect (now Cisco Secure Client), which encrypts all traffic between the device and your network. Where available, a cellular (4G or 5G) hotspot is a reasonable alternative.
- Don’t overshare on social media. The more a person shares on social media (pet names, birthdays, employer, travel plans), the easier it is for an attacker to guess their password or security-question answers, and the more convincing a targeted phishing message becomes when it references details gathered from employees' profiles.
- Ask for permission before you allow remote desktop access. Some cyberattackers pretend to be from a company’s IT services team and gain access to a team member’s computer through remote desktop access. Ask staff to verify with the business’s IT manager, through a known channel rather than a number or link supplied by the caller, before allowing this type of access.
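The phishing and CEO-fraud guidance above is something a mail filter can partly automate. The following added example, which is not from the original guide, runs three header-level checks over constructed messages: a known executive's display name on an address that isn't theirs, a Reply-To pointing at a different domain than the sender, and a sender domain that is a near-miss of the company's own. The company domain, the executive directory and all four messages are hypothetical.

```python
"""Header-level checks for executive impersonation and payment-redirect phishing.

Added example, not from the original guide. The company domain, the executive
directory and the raw messages below are all constructed.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.com"                       # hypothetical
EXECUTIVES = {"jane doe": "jane.doe@example-co.com"}    # display name -> real address

# Constructed messages; only the headers matter for these checks.
MESSAGES = {
    "legit": (
        "From: Jane Doe <jane.doe@example-co.com>\n"
        "To: ap@example-co.com\nSubject: Q3 vendor payments\n\nSee attached list.\n"
    ),
    "display_name_spoof": (
        "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
        "To: ap@example-co.com\nSubject: Urgent wire today\n\nI'm in a meeting, just pay it.\n"
    ),
    "reply_to_mismatch": (
        "From: Jane Doe <jane.doe@example-co.com>\n"
        "Reply-To: payments-desk@outlook.com\n"
        "To: ap@example-co.com\nSubject: Updated bank details\n\nReply with confirmation.\n"
    ),
    "lookalike_domain": (
        "From: Jane Doe <jane.doe@examp1e-co.com>\n"
        "To: ap@example-co.com\nSubject: Invoice 4471\n\nPlease process.\n"
    ),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def check_message(raw: str) -> list[str]:
    """Return finding tags for one raw RFC 5322 message; an empty list means no flags."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. Display name of a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("executive-name-external-address")

    # 2. Reply-To steers replies to a domain other than the sender's (reply hijack).
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 3. Sender domain is a near-miss of ours (typosquat or digit-for-letter swap).
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    return findings


def scan_all(messages: dict[str, str] = MESSAGES) -> dict[str, list[str]]:
    return {label: check_message(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    for label, findings in scan_all().items():
        print(f"{label:22} {'OK' if not findings else ', '.join(findings)}")
```

These heuristics catch the cheap impersonations; they complement, rather than replace, enforcing SPF, DKIM and DMARC at your mail gateway and the out-of-band callback rule for any change to payment details.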
Initial cybersecurity awareness training for employees should be completed within the first 30 days of employment and refreshed quarterly. Monthly company-wide security awareness updates help keep cybersecurity at the forefront of your team’s mind.
The best remote PC access software includes robust security measures, like access permissions, end-to-end 256-bit AES encryption, multifactor authentication and customizable security roles.
Step 5: Monitor employee performance.
Effective cybersecurity plans require continuous monitoring to ensure employees respond positively to training and put their knowledge into practice. Consider implementing the following best practices:
- Run periodic training tests. Consider testing team members periodically to ensure they’ve retained the necessary knowledge to keep the business safe. Retrain those who need a refresher so they don’t fall further behind.
- Create a culture of cybersecurity communication. A key goal of your cybersecurity plan should be to establish a strong company culture where employees feel comfortable reporting potential threats to management. Cybersecurity leadership starts from the top, so make sure business leaders demonstrate proper behavior and follow protocols.
- Offer continuous cybersecurity training. Cybersecurity attacks are constantly evolving, so plan to provide additional training as new cyberthreats emerge. Update your training manuals and methods regularly to reflect emerging and ongoing threats.
Step 6: Create an incident response plan and response team.
No matter how much you plan, a well-executed cyberthreat may overwhelm your company’s defenses and lead to a breach. Prepare your business for this possibility in the following ways:
- Develop a response plan. Establish how your company will respond to different cyberthreats, including data breaches, ransomware attacks and DDoS (distributed denial-of-service) incidents. Include ways to identify and classify attacks, as well as the necessary recovery steps. Consider setting up a secure communication channel for team members to coordinate their activities.
- Build a response team. Recovering from a cyberattack will require different staffers from across your business to work together. An incident response team should include members of your IT team, legal team (for compliance issues), public relations department (for external communications), internal HR department (for employee-related issues) and C-suite executives (to manage the process). Ensure that everyone’s responsibilities are clearly defined and that they can access the personnel and tools needed to address the attack.
- Involve internal and external stakeholders. To help manage a crisis situation such as a data breach, your response team also may need the services and support of external stakeholders, like investors, cybersecurity consultants, law enforcement contacts, forensic analysts, crisis management experts and insurance brokers. Depending on your cybersecurity budget, consider offering retainers to the most essential external stakeholders to ensure their immediate availability in case the worst happens.
- Prepare a communication plan. In the event of a breach, you’ll need to contact multiple parties. You’ll also have to manage and share information with customers and regulators, as well as prepare press releases and scripts for your customer service team addressing the incident. A robust communication plan should detail who communicates what, to whom, when and how — including designated spokespeople, communication channels, message templates and regulatory notification timelines.
Basic incident response plans should be drafted within 60 days and tested within 90 days through simulated scenarios. Full implementation, including external stakeholder agreements, typically requires 120-180 days.
Step 7: Review security policies regularly.
Protecting your business from threats requires continuous and comprehensive oversight. Consider the following security review best practices as part of your cybersecurity plan:
- Conduct emergency drills. To protect your business from a data breach, practice your incident response plan with internal teams and external stakeholders. Assess how well teams and individuals cooperate, look for opportunities for improvement and identify where your plan needs additional thought. Conduct a drill twice yearly to keep your team sharp and assess your security posture.
- Schedule regular policy reviews. It’s wise to run regular checkups on your security policies to ensure you’re still achieving the required protection levels. Consider running additional reviews if new cyberthreats emerge or you make significant changes, such as adopting new technologies or expanding business operations.
- Update your threat intelligence. Task an IT team member with monitoring cybersecurity news and emerging threats. Staying informed about attack trends and changing data protection regulations will provide valuable insights for your periodic policy reviews.
- Continuously monitor and adapt your plan. Monitor the effectiveness of your technical and human firewalls. Assess the number of security incidents or near misses to look for indications that your business may be becoming more vulnerable. Use this information to update and adapt your security programs to ensure the highest level of protection.
Security policies should be formally reviewed quarterly, with annual comprehensive assessments. Emergency response capabilities should be tested every six months through simulated scenarios.
What are the common types of cybersecurity attacks?
Common cybersecurity attacks include phishing attacks, identity theft, DDoS attacks and malware. According to the Identity Theft Resource Center’s 2023 “Business Impact Report,” 73 percent of small businesses were targeted in a cybersecurity incident in the previous 12 months.
Here’s a detailed look at the most significant cybersecurity risks that threaten businesses today:
- Phishing attacks: Phishing attacks fool people into revealing sensitive data such as account logins, credit card numbers and passwords. Most phishing attempts utilize email, phone calls and text messages. For example, a spoofed email claiming to be from your company’s IT department may urge employees to “reset their password immediately,” while a fake invoice from a known vendor may direct your finance team to update payment details to a fraudulent bank account.
- Identity theft: Identity theft is the theft of personal or company financial details to set up loans, credit cards and trade accounts in someone’s name. The criminal gets the money or goods, while the victim is stuck with the bill.
- DDoS attacks: DDoS attacks overwhelm websites, email servers and other internet-facing services with floods of traffic from many compromised machines so that legitimate users can't get through. Some attackers demand a ransom to stop the flood; the usual defense is DDoS mitigation from your hosting or content delivery provider, not payment.
- Software vulnerability exploitation: Software vulnerability exploitation occurs when hackers access computer networks that haven’t applied software patches. It’s easier to gain entry when there are security holes. Unsupported software is another vulnerability point for this threat.
- Malware: Malware damages computer networks, servers and individual terminals in numerous ways. This threat may involve cryptocurrency mining, keystroke logging and the creation of system “backdoors” that allow hackers to load more malware later.
- Cyber extortion: Cyber extortion is when hackers copy sensitive or commercially valuable data stored on your system and threaten to sell it to a competitor or widely distribute it if a ransom isn’t paid.
- Data diddling: Data diddling involves altering data as it’s input into a computer system to create a financial benefit. Payroll, credit records and inventory records are vulnerable to this type of attack. Some hackers change the altered numbers after stealing your money to make detection harder.
- Internet of Things (IoT) hacks: Cybercriminals use IoT hacks to access a corporate computer network via poorly protected security cameras, printers and other connected devices.
- Man-in-the-middle attacks: In a man-in-the-middle attack, the attacker inserts themselves between two parties who believe they're communicating directly, for example by intercepting traffic on an untrusted network or by reading and altering messages in a compromised mailbox. In the business email compromise form, a hacker sits in an email thread between a company executive and their finance team and, posing as the executive, requests a wire transfer to a fraudulent account. These attacks often go undetected until the funds are lost or reconciliation flags the discrepancy. TLS and VPNs counter the network form; multifactor authentication on mailboxes and a callback procedure for payment changes counter the email form.
- Password attacks: Hackers use password attacks to access individuals’ or companies’ computer networks and online accounts. Brute-force and dictionary attacks try millions of candidate passwords in rapid succession; credential stuffing replays username and password pairs leaked from other sites, which works because people reuse passwords; and attackers trawl social media and websites to gather personal details and guess passwords built from them.
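As an added example that is not part of the original guide, the following code ties together the dictionary attack described in Step 2 and the password attacks item above. It runs a dictionary attack against a constructed "leaked" table of unsalted SHA-256 hashes, shows a password-policy check that would have rejected the passwords that fall, and stores passwords with salted, iterated PBKDF2-HMAC-SHA256 so that each guess costs the attacker hundreds of thousands of hash operations per user. The user names, hashes and wordlist are all made up.

```python
"""A dictionary attack against weak password hashes, and the defences that blunt it.

Added example, not from the original guide. The "leaked" hash table, the
wordlist and the user names are all constructed; nothing here touches a real system.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# A tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2024", "welcome1", "Acme2024!"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: fast to compute, which is exactly the problem for the defender."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "leaked" credential store using unsalted fast hashes.
LEAKED = {
    "alice": fast_hash("Summer2024"),
    "bob": fast_hash("letmein"),
    "carol": fast_hash("orbit-walnut-cactus-lamp-91"),   # long random passphrase, in no list
}


def dictionary_attack(hashes: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Hash every candidate once, then look every stored hash up in the result.

    Because the hashes are unsalted, one hash per word cracks every user who
    chose that word; the attacker's cost does not grow with the number of users.
    """
    lookup = {fast_hash(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in hashes.items() if digest in lookup}


def is_weak(password: str, wordlist: list[str], min_length: int = 12) -> bool:
    """Policy check to run when a password is set: reject list entries and short passwords."""
    return password in wordlist or len(password) < min_length


def hash_password(
    password: str, salt: bytes | None = None, iterations: int = 600_000
) -> tuple[bytes, int, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256: a per-user salt defeats the shared lookup
    table above, and the iteration count makes each guess expensive."""
    salt = salt or os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print("cracked:", dictionary_attack(LEAKED, WORDLIST))       # alice and bob fall, carol does not
    salt, n, stored = hash_password("orbit-walnut-cactus-lamp-91")
    print("verify ok:", verify_password("orbit-walnut-cactus-lamp-91", salt, n, stored))
```

PBKDF2 is used here because it ships with Python; bcrypt, scrypt or Argon2 are equally acceptable choices for a real system. The lesson for the plan is the combination: screen new passwords against known-bad lists, require length rather than complexity rules, and make sure every system you own stores passwords with a salted, slow hash rather than a bare SHA-256 or MD5.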
Global cybercrime costs are expected to jump from around $9.22 trillion in 2024 to $13.82 trillion by 2028, according to Statista.
What does your business have that cybercriminals want?
Cybercriminals are looking for specific information when they hack businesses, including the following:
- Sensitive commercial data: Cybercriminals know the market value of the data stored on a business’s computer system, and many gangs offer industrial espionage as a service. Instead of sending thieves to break into competitors’ physical premises, companies can pay hackers to break in electronically to get copies of rivals’ customer databases, research details, development projects and more.
- Customer databases: Information about your highest-spending customers can be sold on the black market or to competitors.
- Customer payment details: Unencrypted debit or credit card information is less valuable than it used to be because banks are getting better at spotting and stopping fraudulent payments. A compromised credit card may work for only an hour or two before it’s blocked. However, that’s enough time to inflict serious damage.
- Your company’s identity: Many cybercriminals attempt to change company details held at government agencies to open accounts with suppliers and then order goods or take out loans from financial institutions.
- Money in the bank: Although successful checking-account breaches are rare, cyber gangs can still cause significant financial damage to businesses with ransomware and phishing attacks.
What is cybersecurity insurance?
Cybersecurity insurance is a type of business insurance that compensates companies for incident investigations, data recovery, computer system restoration, income loss, reputational damage, ransoms paid and notification costs. Cyber insurance offerings are growing along with the threat of cybercrime.
Extended cybersecurity insurance includes coverage for legal bills incurred to defend yourself against claims related to a breach, as well as for settlements and damages. Cyber insurance policies generally don’t cover lost profits, the loss of company value caused by intellectual property theft, or the replacement or upgrading of technology to boost cybersecurity. Read the exclusions and conditions carefully: many insurers now require controls such as multifactor authentication and tested backups as a condition of coverage, and a claim can be denied if they weren't in place.
According to Insureon, the average cost of cyber insurance for small businesses is about $1,740 per year, or $145 per month, with coverage ranging from $1 million to $5 million.
Cyber insurance doesn't cover confidential information you keep in non-digital formats, like paper. For that, you'll need data breach insurance.
Why is it important to safeguard your business against cyberattacks?
It’s important to safeguard your business against cyberattacks to protect your company’s reputation, financial assets and client base. As a bonus, when your business is secure, vendors and customers know they can trust you with their confidential data — an excellent selling point.
Here are the reasons business owners should defend against online threats with a robust cybersecurity plan:
- A cybersecurity plan protects your finances. Successful data breaches incur significant financial losses, including stolen funds, the costs of recovering from an attack and regulatory fines. A cybersecurity plan protects your revenue and cash flow while minimizing potential losses.
- A cybersecurity plan helps you maintain customers’ trust. Consumers and business decision-makers are more likely to patronize and work with a company that can protect their sensitive personal, financial and health data.
- A cybersecurity plan ensures business continuity. Cyberattacks can significantly disrupt your business operations. An excellent cybersecurity plan protects you from most attacks and provides a quick route to recovery if you experience a successful breach.
- A cybersecurity plan protects your valuable data. Your business houses sensitive information, such as customer payment information and employee personnel details. It also has valuable intellectual property, including product designs and marketing strategies. You can protect your valuable data and assets from internal and external bad actors by ensuring the highest cybersecurity levels.
A thorough cybersecurity plan is an investment in your business’s future. By following the guide above, you can protect your assets, maintain your customers’ trust and give your business a competitive advantage.