business.com receives compensation from some of the companies listed on this page. Advertising Disclosure
Home

A Cybersecurity Plan for Small Business Owners

Mark Fairlie
Mark Fairlie
business.com Contributing Writer
Updated Nov 28, 2022

Learn which types of cybersecurity attacks SMBs should be worried about and how to develop a five-step plan to stop cybercriminals in their tracks.

If you thought cybersecurity was something only big businesses had to worry about, think again. Small companies are at risk of cyberattacks too, and it would be a mistake not to prepare your organization to defend against them. Fortunately, a five-step cybersecurity plan could be enough to keep your business protected.

What is a cybersecurity plan?

A cybersecurity plan is designed to repel threats from online criminals. The most effective cybersecurity defenses are investing in technology and staff training. Training staff is particularly important because 85% of data breaches are caused by employee mistakes, according to a study by Tessian.

Cybersecurity plans not only serve as methods of prevention, but they can also include what to do in the event a breach does occur. The goal, of course, is to mitigate any damage and recover as quickly as possible so your company can get back to business as usual.

Did you know?Did you know? According to a Cyber Readiness Institute survey, only 40% of small businesses implemented a cybersecurity policy as remote work increased with the onset of the COVID-19 pandemic.

How do you create a cybersecurity plan?

To create an effective cybersecurity plan, you first need to identify which assets need protecting and where your vulnerabilities lie so you can apply the right technological and human patches. Once put in place, companies should regularly review their cybersecurity policies to identify and defend against new threats.

From assessment to implementation, follow these steps when creating a cybersecurity plan for your business.

Step 1: Decide what’s important.

In your initial cybersecurity risk assessment, do the following:

  • Determine what data is essential. Over time, businesses accumulate massive amounts of information on customers, suppliers and employees. Figure out what data you need to operate your business and eliminate the rest.
  • Decide who should have access to data and why. Some data may be needed by your accounts team only. Make sure each employee can access only the data they need to perform their role successfully. 

Step 2: Identify and fix technical vulnerabilities.

Before you start to build your technical firewall, understand where your problems are now and why they arose.

  • Check for malware. You may have malware and ransomware already on your network. Purge your system of them as soon as possible.
  • Delete any software you no longer use. If you no longer use a piece of software to operate your business, chances are you’re not updating it with the latest security patches. Delete it to eliminate potential threats.
  • Consider banning BYOD (“bring your own device”). Personal devices generally have lower levels of security than business devices. If staff currently use their own laptops to connect to your network, consider purchasing equipment for them to use instead so you can set the ideal security levels.
  • Know what connects to your network. Create a list of devices with permission to connect to your network, and update the registry frequently. It’s much easier for a hacker to gain overall control of your system if any device can connect to it.
  • Decide account privileges. Create a virtual barrier, known as ringfencing, around parts of your computer system depending on employee seniority and data needs. An admin is not likely to need the same access to programs and data as your CFO. So if a hacker does break in via the admin’s credentials, the areas the hacker can access would be greatly restricted by default, reducing the amount of damage they can do.

TipTip: Want to know how secure your business really is? Hire a white-hat hacking firm to test how hard it is to gain unauthorized access to your company’s systems and data.

Step 3: Establish your technical defenses.

Your technical defenses should include the following solutions and strategies.

  • Antivirus software: The best antivirus and internet security software stops ransomware and malware from being downloaded to your computer network via a rogue link on a website or an email attachment. 
  • Strong firewalls: Firewalls monitor traffic across your computer network and block traffic that fails predetermined security tests. More advanced firewalls learn patterns of traffic over time and create additional security rules. 
  • Encryption: Make sure all information transmitted on your network is encrypted. If a hacker does manage to get in, it would take billions of years to crack the Advanced Encryption Standard, the modern encryption algorithm.
  • Backups: Choose an encrypted cloud backup service to protect your data, and do multiple backups each day. Having a backup means that when you regain control of your system after a breach, you can download the most recent database to your system.
  • Software update cycles: Sign up for newsletters from the vendors of the software titles you use. This will help you stay up to date with updates and security patches. While many software programs update automatically, not all do, so check once a month that each program is updated.
  • Software swaps: If a software package you’re using has been retired and the vendor no longer provides security patches for it, swap it for a similar package that is supported.
  • Wi-Fi network security: If possible, hide your Wi-Fi network, so it can’t be discovered by others, by switching off the beacon frame. Learn more about setting up Wi-Fi for your business.
  • Password management: Ideally, passwords should be managed by a central team using 256-bit encryption to allow and deny employees and contractors access to your network.
  • Two-factor authentication: For additional security, two-factor authentication (2FA) requires users to receive a message on a second, recognized device to verify their identity – similar to how Google asks you to authenticate signing in to your account on a tablet by sending a message to your mobile phone.
  • Protection for Internet of Things (IoT) devices: Cameras, printers and other internet-connected devices are favorite attack vectors for cybercriminals. Don’t limit your protection efforts only to computers.

Step 4: Establish your human defenses.

Let your employees know why stopping hackers is vital. Impress on them how all it takes is one big attack to threaten the existence of the entire company and their jobs. Then train them on what they need to be aware of and what they should do if something suspicious happens. Use this guidance as a starting point:

  • Be suspicious of every email and phone call. Train staff to be alert to phishing attempts. For example, if someone claiming to be the CEO calls up the accounts team demanding an invoice be paid immediately, require team members to perform safety checks to make sure it was actually the CEO making the demand and that the invoice is genuine.
  • Don’t connect to public Wi-Fi without a VPN. Public Wi-Fi equipment using the WPA2 protocol is insecure. Make sure your staff connect to public Wi-Fi only if they are using an encrypted virtual private network (VPN) platform. For even greater security, require employees to connect via 4G or 5G if available.   
  • Don’t overshare on social media. The more information a person shares on social media, the more likely it is that a hacker can guess their password. Phishing attacks also become harder for staff to detect if a cybercriminal references information they gathered from social media.
  • Ask for permission before allowing remote desktop access. Some cyberattackers pretend to be from a company’s IT services team and then gain access to an employee’s computer through remote desktop access. Ask staff to check with your IT manager before allowing this type of access. [See our recommendations for the best remote PC access software.]  

Step 5: Monitor employee performance.

For a cybersecurity plan to be effective, you’ll need to regularly check that your employees are responding positively to their training and putting what they’ve learned into practice. You may want to run periodic tests to see whether team members have retained the knowledge they need to keep the business safe. Retrain those who may not have understood everything, and consider rewarding employees for spotting security threats and reporting them to their managers.

Cybersecurity attacks are constantly evolving, so you may want to offer additional training as new threats emerge.

What are the common types of cybersecurity attacks?

According to Acronis, 43% of all cybersecurity attacks are against small and midsize businesses (SMBs). Worryingly, a BullGuard study found that one-third of SMBs with 50 or fewer employees in America use inadequate, free consumer security products to protect their companies. What’s even worse is that 1 in 3 use no security at all.

Given that the threat of cybercrime is changing all the time as technology develops and businesses become more connected to and reliant on the web, it’s critical companies invest in cybersecurity protection and understand the potential for cyberattacks. The current greatest cybersecurity threats to SMBs include phishing and extortion. 

  • The purpose of phishing is to get people to reveal sensitive details like account logins, credit card numbers and passwords. Most phishing attempts are carried out by email, followed by phone calls and text messages. Common phishing attempts include spoof emails purportedly from well-known retailers asking you to log back in because “your account has been frozen” and text messages from courier companies asking you to make up an alleged underpayment on a delivery.
  • Identity theft is the theft of personal or company financial details to set up loans, credit cards and trade accounts in your name. They get the money or the goods, but you’re stuck with the bill.
  • Distributed denial-of-service (DDoS) attacks overwhelm websites, email servers and internal computer networks by sending millions of near-simultaneous requests for access. To get back control, you normally have to pay a ransom.
  • Software vulnerability exploitation occurs when hackers look for computer networks where software patches haven’t been applied, as it’s easier to gain entry when there are security holes. Networks using software no longer supported by vendors are also a major target for cybercriminals.
  • The goal of malware is to damage a computer network, server or individual terminal. This happens in many different ways, including cryptocurrency mining, keystroke logging, and by creating system backdoors that allow hackers to load more software onto your system at a later date.
  • With extortion, hackers copy sensitive or commercially valuable data stored on your system and then threaten to sell it to a competitor or widely distribute it if a ransom is not paid.
  • Data diddling involves altering data as it’s input into a computer system to create a financial benefit. Payroll, credit records and inventory records are vulnerable to this type of attack. To make detection harder, some hackers change the altered numbers back after they’ve got your money.
  • With IoT hacks, cybercriminals gain access to a corporate computer network via poorly protected security cameras, printers and other connected devices.
  • Victims of man-in-the-middle attacks are fooled into thinking they’re communicating with someone they know. For example, a hacker may pretend to be your property lawyer and send an email asking you to transfer your property deposit into a specific account. It can take weeks before consumers or lawyers realize there’s been a crime. This technique is also used in business email compromise fraud.
  • Hackers use password attacks to gain entry into individuals’ or companies’ computer networks and online accounts. Sometimes, it’s a brute-force attack, where millions of passwords are tried simultaneously in the hopes one is correct. Other times, information targets share about themselves on company websites and social media is used to guess passwords.

FYIFYI: Phishing was the most popular attack approach used by cybercriminals in 2020, according to the FBI’s Internet Crime Complaint Center, also known as IC3.

What does your business have that cybercriminals want?

Cybercriminals are looking for specific information when they hack businesses.

  • Sensitive commercial data: Cybercriminals know the market value of the data stored on a business’s computer system, and many gangs offer industrial espionage-as-a-service. Instead of sending thieves to break into competitors’ physical premises, companies can pay hackers to break in electronically to get copies of rivals’ customer databases, obtain details on research and development projects, and more.
  • Customer databases: Information about your highest-spending customers can be sold on the black market or to competitors.
  • Customer payment details: Unencrypted debit or credit card information is not as valuable as it used to be because banks are getting better at spotting and stopping fraudulent payments. A compromised credit card may work for only an hour or two before it’s blocked, but that’s enough time to inflict serious damage.
  • Your company’s identity: Many cybercriminals attempt to change company details held at government agencies to open accounts with suppliers to order goods and financial institutions to take out loans.
  • Money in the bank: Although successful checking account breaches are quite rare, cybergangs can still cause significant financial damage to businesses with ransomware and phishing attacks.

What is cybersecurity insurance?

As the threat from cybercrime has grown, so has the number of cybersecurity insurance providers. These insurers provide compensation for incident investigations, data recovery, computer system restoration, income loss, reputational damage, ransoms paid and notification costs.

Extended cybersecurity insurance also includes coverage for legal bills incurred defending yourself against claims related to a breach, as well as for settlements and damages. Insurers will generally not cover lost profits, loss of company value caused by intellectual property theft, or replacing or upgrading technology to become more cybersecure.

Did you know?Did you know? As of 2021, the average cost of cyber insurance was $1,485 per year, or $124 per month, with per-incident coverage ranging from $500,000 to $5 million. Check out our overview of the best business insurance providers for our recommendations.

Why is it important to safeguard your business against cyberattacks?

Business owners, small and large, need to be vigilant against online threats to protect their company reputation, financial assets and client base. Customers expect the companies they deal with to hold their private information securely. It costs time and money to be digitally secure, but why not turn that into a selling point? Let clients know in your advertising just how seriously you take protecting their personal, professional and financial information. Those safeguards could pay off in more ways than one.

Image Credit: EvgeniyShkolenko / Getty Images
Mark Fairlie
Mark Fairlie
business.com Contributing Writer
Mark Fairlie has written extensively on business finance, business development, M&A, accounting, tax, cybersecurity, sales and marketing, SEO, investments, and more for clients across the world for the past five years. Prior to that, Mark owned one of the largest independent managed B2B email and telephone outsourcing companies in the UK prior to selling up in 2015.