A Cybersecurity Plan for Small Business Owners

Learn which types of cybersecurity attacks small businesses should be worried about and how to develop a plan to stop cybercriminals in their tracks.

Written by: Mark Fairlie, Senior Analyst. Updated Sep 26, 2024.
Gretchen Grunburg, Senior Editor
If you thought cybersecurity was something only big businesses had to worry about, think again. Small companies are at risk of cyberattacks, too, and it would be a mistake for your organization not to defend against them. This seven-step cybersecurity plan can help protect your business from cyberthreats.

What is a cybersecurity plan?

A cybersecurity plan is a detailed blueprint of an organization’s steps to secure its systems and data and repel the threats posed by online criminals. Effective cybersecurity plans require thoughtful technology investments and detailed staff training. Investing in employee training is particularly crucial because, according to Verizon’s Data Breach Investigations Report, human error is at least partly responsible for 74 percent of data breaches.

While preventing attacks is the goal, a thorough cybersecurity plan will also inform your strategy for recovering from a data breach if one occurs. The goal is to mitigate damage and recover as quickly as possible so your company can get back to business as usual.

Did you know?
According to a CompTIA survey of U.S. technical and business professionals, the biggest challenges in crafting effective cybersecurity plans include a skills gap among employees (39 percent) and the belief that current arrangements are "good enough" (39 percent).

How do you create a cybersecurity plan?

To create an effective cybersecurity risk management plan, you must identify and address security threats that make your business vulnerable so you can apply the right technological and human patches.

Consider the following seven-step cybersecurity plan template. Customize it to your company’s needs to protect your organization from internal and external digital threats.

Step 1: Decide what’s important.

In your initial cybersecurity risk assessment, take these steps:

  • Determine which data is essential. Start by identifying and categorizing your organization’s digital assets, including sensitive customer data, financial records and intellectual property. Assess the importance of each data type by determining how your business would be affected if that data were compromised or lost. [Read related article: What Is Intellectual Property Insurance?]
  • Identify critical systems and assets. Some hardware and software are more important than others. Identify and prioritize these assets, particularly the systems necessary for daily operations, as any breach or unauthorized access could severely disrupt your business continuity. [Read related article: Disaster Preparedness for Small Business]
  • Run an impact analysis. Successful cyberattacks can disrupt your business operations for prolonged periods. Evaluate the financial and reputational damage you’d experience from different cybersecurity incidents so you can focus on the areas that would affect your operations the most. 

FYI:
Small and midsize businesses (SMBs) should embrace big data even with the ever-present threat of cyberattacks. The right data analytics can boost efficiency, improve the customer experience, streamline marketing and better forecast demand.

Step 2: Identify and fix technical vulnerabilities.

It’s essential to understand your current technical vulnerabilities. You can’t craft solutions until you know where your problems are and why they arose. Take the following steps:

  • Check for malware on your network. You may already have malware and ransomware on your network. Identify these intrusions and purge your system as soon as possible.
  • Delete unused software. If you no longer use a specific software program, you’re likely not updating it with the latest security patches. Identify unused software and delete it to eliminate potential threats.
  • List every device that connects to your network. Create and continually update a risk register of all devices with network connection permissions. Consider restricting network access to these listed devices; it’s much easier for a hacker to gain entry if any device can log in.
  • Create a layered network. Generally, desktop and mobile device security is tighter than security levels on printers, security cameras and internet-connected devices. Consider segmenting your network to ensure critical systems are inaccessible from less-secure elements.
  • Map your data flow. Understand and map how information travels throughout your business. Pinpoint where data is stored after it’s collected, who can access it and what they can do with it, especially if third parties can log in. Mapping your data flow will help you identify weaknesses in your data security processes.
  • Conduct regular vulnerability scans. Invest in software that scans for less-secure spots in your corporate network. Pay attention to high-risk issues the software flags, and fix them immediately. Conduct these vulnerability scans at least once a month. You can purchase stand-alone software for this purpose, although many antivirus apps provide this functionality.
  • Review and update system configurations. Data breaches and other cyber incidents are often successful because companies don’t securely configure hardware such as firewalls, routers and servers. If you no longer use an access point, consider removing it. Your IT team should also ensure users’ passwords are strong and unique to minimize the chances of a successful dictionary attack.
  • Evaluate third-party security protocols. If you work with vendors or partners who have access to your systems or data, carefully evaluate their security measures to ensure that poor security on their end doesn’t make you more vulnerable to potential cyberattacks.
  • Ensure you comply with all appropriate regulations. Your cybersecurity strategies must comply with data protection regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). If not, you risk fines and financial and reputational damage.

Tip:
Want to know how secure your business really is? Hire a white-hat hacking firm to test how hard it is to gain unauthorized access to your company's systems and data.
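Steps 1 and 2 together produce a risk register: the impact of losing each asset (Step 1) multiplied by the technical exposures found on it (Step 2). The following Python script is an added example, not code from the article or from business.com; the asset inventory, data-class weights and point values are constructed for illustration and should be replaced with your own assessment.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical Step 1 impact weights: how much harm a compromise of each data class
# would cause (constructed values, tune them to your own impact analysis).
DATA_IMPACT = {"customer_pii": 3, "financial": 3, "intellectual_property": 2, "public": 0}


@dataclass(frozen=True)
class Asset:
    name: str
    data_classes: frozenset          # data types the asset stores or processes
    critical_for_operations: bool    # Step 1: needed for daily operations
    vendor_supported: bool           # Step 2: vendor still ships security patches
    last_patched: date               # Step 2: patch currency
    default_admin_password: bool     # Step 2: insecure configuration
    on_device_allowlist: bool        # Step 2: present in the device register
    on_flat_network: bool            # Step 2: not segmented from printers/cameras


def impact(asset):
    """Step 1 impact: worst data class held, plus a bonus for operational criticality.
    Any networked asset scores at least 1, because it can be a gateway to the rest."""
    worst = max((DATA_IMPACT.get(c, 1) for c in asset.data_classes), default=0)
    return max(worst, 1) + (2 if asset.critical_for_operations else 0)


def findings(asset, today, max_patch_age_days=30):
    """Step 2 exposures on one asset, each with the likelihood points it contributes."""
    found = []
    if not asset.vendor_supported:
        found.append(("unsupported software; no security patches available", 3))
    elif (today - asset.last_patched).days > max_patch_age_days:
        found.append((f"patches older than {max_patch_age_days} days", 2))
    if asset.default_admin_password:
        found.append(("default admin password still set", 3))
    if not asset.on_device_allowlist:
        found.append(("device missing from the network access register", 1))
    if asset.on_flat_network:
        found.append(("not segmented from less-secure devices", 2))
    return found


def build_register(assets, today):
    """Risk register rows ordered by impact x likelihood, highest risk first."""
    rows = []
    for a in assets:
        f = findings(a, today)
        likelihood = sum(points for _, points in f)
        rows.append({"asset": a.name, "impact": impact(a), "likelihood": likelihood,
                     "risk": impact(a) * likelihood, "findings": [text for text, _ in f]})
    return sorted(rows, key=lambda r: (-r["risk"], r["asset"]))


# Constructed sample inventory for a small business (not a real network).
TODAY = date(2024, 9, 26)
SAMPLE_ASSETS = [
    Asset("finance-db", frozenset({"customer_pii", "financial"}), True, True,
          date(2024, 9, 21), False, True, False),
    Asset("file-server", frozenset({"intellectual_property", "customer_pii"}), True, True,
          date(2024, 6, 1), False, True, True),
    Asset("legacy-pos", frozenset({"financial"}), True, False,
          date(2022, 1, 10), False, True, True),
    Asset("lobby-camera", frozenset({"public"}), False, False,
          date(2021, 3, 1), True, False, True),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS, TODAY):
        print(f"{row['asset']:<13} impact={row['impact']} likelihood={row['likelihood']}"
              f" risk={row['risk']:>3}  {'; '.join(row['findings']) or 'no findings'}")
```

Fix the top rows first: the unsupported point-of-sale system outranks the camera despite the camera having more findings, because the impact of losing financial data is far higher.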

Step 3: Establish your technical defenses.

To address emerging threats from cybercriminals, your technical defenses should include the following solutions and strategies:

  • Decide and set account privileges. Staff members should be able to access only the programs, apps and data they need to perform their jobs. This approach, known as the “principle of least privilege,” is crucial in well-executed cybersecurity plans. For example, an administrative assistant doesn’t need the same access to programs and data as your chief financial officer does. So, if hackers break in via the assistant’s credentials, they’ll gain only restricted access, reducing the damage they can do.
  • Utilize and update antivirus software. Employees may unwittingly help cybercriminals by downloading an attachment or clicking a rogue link in an email. Fortunately, top antivirus and internet security software can stop ransomware and malware from infiltrating your network in these instances. Ensure you use quality antivirus software with automatic updates, and set it to run regular scans.
  • Install robust firewalls. Firewalls monitor traffic across your computer network and block traffic that fails predetermined security tests. More advanced firewalls learn traffic patterns over time and create additional security rules. For the greatest protection, consider installing hardware and software firewalls.
  • Ensure data is encrypted. Encrypt all information transmitted on your network. If a hacker gets in, encrypted data is useless to them: cracking the Advanced Encryption Standard (AES), the modern encryption algorithm, would take billions of years. Encrypt all of your data, whether at rest (the data you’re storing on your network and cloud systems) or in transit.
  • Protect your data with backups. Choose a backup service with cloud encryption to protect your data, and schedule multiple daily backups. Having a backup means that when you regain control of your system after a breach, you can download the most recent database to your system. Test your backup systems frequently to ensure you can access the data you need when recovering from a cyber incident.
  • Monitor software update cycles. Sign up for newsletters from your software vendors to stay current with updates and security patches. While many software programs update automatically, not all do, so check once a month to make sure each program is updated.
  • Consider software swaps. If a software package you use has been retired and the vendor no longer provides security patches, swap it for a similar package that is currently supported. Many software programs, including operating systems, update automatically, but not all do. Patch management apps can automate this process for you. [Read related article: How to Install Windows Patches With PowerShell for Free]
  • Prioritize Wi-Fi network security. If possible, hide your business Wi-Fi network by disabling SSID broadcast (the network name announced in the access point’s beacon frames) so casual users can’t discover it. Ensure your Wi-Fi network also uses the strongest possible encryption (preferably WPA3), and change the default admin password of the access point; rotate it regularly.
  • Implement robust password management. Ideally, a central team should manage credentials in a password manager that stores them with 256-bit encryption and uses it to grant and revoke employees’ and contractors’ access to your network.
  • Implement two-factor authentication (2FA). For additional security, 2FA requires users to receive a message on a second, recognized device to verify their identity — similar to how Google asks you to authenticate your account sign-in on a tablet or computer by sending a message to your mobile phone.
  • Protect internet-connected devices. Don’t limit your protection efforts to computers. Cameras, printers and other internet-connected devices are favorite attack vectors for cybercriminals. They’re not actually trying to control those devices; they want to use them as gateways to access your wider network. 

Step 4: Establish your human defenses.

Let your employees know why stopping hackers is vital: All it takes is one big cyberattack to threaten the entire company’s existence — and their jobs. Train them to stay vigilant about suspicious activity, and explain what to do if something happens. Use the following guidance as a starting point:

  • Be suspicious of every email and phone call. Train staff to be alert to phishing attempts and common business scams. For example, if someone claiming to be the CEO calls the accounts team demanding an invoice be paid immediately, require team members to perform safety checks to ensure that the CEO was actually making the demand and the invoice is genuine.
  • Consider eliminating BYOD (“bring your own device”) policies. Many organizations don’t allow employees to connect their personal smartphones and tablets to the company’s network. These devices typically have much lower security levels than business devices. If staff members currently use their own laptops to connect to your network, consider purchasing secure business laptops so you can control their security levels. Also, consider adjusting your acceptable use policy to cover mobile device usage issues. 
  • Don’t connect to public Wi-Fi without a VPN. Public Wi-Fi is insecure, even on equipment that uses the WPA3 protocol, because anyone can join the same network. To ensure secure remote access, allow employees to connect to public Wi-Fi only if they use an encrypted virtual private network (VPN) platform. For even greater security, require remote employees to connect via 4G or 5G if available.
  • Don’t overshare on social media. The more information a person shares on social media, the more likely a hacker is to guess their password. Phishing attacks become harder for staff to detect if cybercriminals reference information they gathered from social media.
  • Ask for permission before you allow remote desktop access. Some cyberattackers pretend to be from a company’s IT services team and gain access to an employee’s computer through remote desktop access. Ask staff to check with your IT manager before allowing this type of access. 

FYI:
The best remote PC access software includes robust security measures, like access permissions, end-to-end 256-bit AES encryption, multifactor authentication and customizable security roles.

Step 5: Monitor employee performance.

Effective cybersecurity plans require continuous monitoring to ensure employees respond positively to training and put their knowledge into practice. Consider implementing the following best practices:

  • Run periodic training tests. Consider testing team members periodically to see whether they have retained the necessary knowledge to keep the business safe. Retrain those who need a refresher so they don’t fall further behind.
  • Create a culture of cybersecurity communication. A key goal of your cybersecurity plan should be to establish a strong company culture where employees feel comfortable reporting potential threats to management. Cybersecurity leadership starts from the top, so consider rewarding employees who spot security threats.
  • Offer continuous cybersecurity training. Cybersecurity attacks are constantly evolving, so consider offering additional training as new cyberthreats emerge. Update your training manuals and methods regularly to reflect emerging and ongoing threats.

Step 6: Create an incident response plan, and build a team.

No matter how much you plan, a well-executed cyberthreat may overwhelm your defenses and lead to a breach. Prepare your business for this possibility in the following ways:

  • Develop a response plan. Establish how your company will respond to different cyberthreats, including data breaches, ransomware attacks and DDoS incidents. Include ways to identify and classify attacks, as well as the necessary recovery steps. Consider setting up a secure communication channel for team members to coordinate their activities.
  • Build a response team. Recovering from an attack will require different team members from across your business to work together. Include members of your IT team, legal team (for compliance issues), public relations department (for external communications), internal HR department (for employee-related issues) and C-suite executives (to manage the process). Ensure that everyone’s responsibilities are clearly defined and that they can access the personnel and tools they need.
  • Involve internal and external stakeholders. To help you manage a crisis situation such as a data breach, your response team also may need the services and support of external stakeholders, like investors, cybersecurity consultants, law enforcement contacts, forensic analysts, crisis management experts and insurance brokers. Depending on your cybersecurity budget, consider offering retainers to the most essential external stakeholders to ensure their immediate availability in case the worst happens.
  • Prepare a communication plan. In the event of a breach, you’ll need to contact multiple parties. You’ll also have to manage and share information with customers and regulators and prepare press releases and scripts for your customer service team.

Step 7: Review security policies regularly.

Protecting your business from all threat actors and vectors requires continuous and comprehensive oversight. Consider the following security review best practices:

  • Conduct emergency drills. To protect your business from a data breach, practice your incident response plan with internal teams and external stakeholders. Assess how well teams and individuals cooperate, look for opportunities for improvement, and identify where your plan needs additional thought. Conduct a drill twice yearly to keep your team sharp and assess your security posture.
  • Schedule regular policy reviews. It’s prudent to run regular checkups on your security policies to ensure you’re still achieving the required protection levels. Consider running additional reviews if new cyberthreats emerge or you make significant changes, such as adopting new technologies or expanding your business operations.
  • Update your threat intelligence. Task a team member with monitoring cybersecurity news and emerging threats. Staying informed about attack trends and changing data protection regulations will provide valuable insights for your periodic policy reviews.
  • Continuously monitor and adapt your plan. Monitor the effectiveness of your technical and human firewalls. Assess the number of security incidents or near misses to look for indications that your business may be becoming more vulnerable. Use this information to update and adapt your security programs to ensure the highest level of protection.

What are the common types of cybersecurity attacks?

According to the Identity Theft Resource Center’s 2023 Business Impact Report, 73 percent of SMBs were targeted in a cybersecurity incident in the previous 12 months. However, according to Amazon Web Services, 35 percent of SMBs say security isn’t an area of strategic priority. This disconnect is concerning because all businesses should prioritize cybersecurity protection and understand emerging threats. 

Here’s a look at the most significant cybersecurity risks that threaten businesses today: 

  • Phishing attacks: Phishing attacks fool people into revealing sensitive data such as account logins, credit card numbers and passwords. Most phishing attempts utilize email, phone calls and text messages. Common phishing attempts include spoof emails, purportedly from well-known retailers, asking you to log back in because “your account has been frozen” and text messages from courier companies asking you to make up an alleged underpayment on a delivery.
  • Identity theft: Identity theft is the theft of personal or company financial details to set up loans, credit cards and trade accounts in someone’s name. The criminal gets the money or goods, while the victim is stuck with the bill.
  • Distributed denial-of-service (DDoS) attacks: DDoS attacks overwhelm websites, email servers and internal computer networks by sending millions of near-simultaneous access requests. To regain control, victims may have to pay a ransom.
  • Software vulnerability exploitation: Software vulnerability exploitation occurs when hackers access computer networks that haven’t applied software patches. It’s easier to gain entry when there are security holes. Unsupported software is another vulnerability point for this threat.
  • Malware: Malware damages computer networks, servers and individual terminals in numerous ways. This threat may involve cryptocurrency mining, keystroke logging, and the creation of system “backdoors” that allow hackers to load more malware later.
  • Cyber extortion: Cyber extortion involves hackers copying sensitive or commercially valuable data stored on your system and threatening to sell it to a competitor or widely distribute it if a ransom is not paid.
  • Data diddling: Data diddling involves altering data as it’s input into a computer system to create a financial benefit. Payroll, credit records and inventory records are vulnerable to this type of attack. To make detection harder, some hackers change the altered numbers after stealing your money.
  • Internet of Things (IoT) hacks: Cybercriminals use IoT hacks to access a corporate computer network via poorly protected security cameras, printers and other connected devices.
  • Man-in-the-middle attacks: Man-in-the-middle attack victims are fooled into thinking they’re communicating with someone they know. For example, a hacker may pretend to be your property lawyer and send an email asking you to transfer your property deposit into a specific account. It can take weeks before consumers or lawyers realize there’s been a crime. This technique is also used in business email compromise fraud.
  • Password attacks: Hackers use password attacks to access individuals’ or companies’ computer networks and online accounts. They may use brute-force attacks, where millions of passwords are tried in rapid succession in the hope that one is correct. Or, they may trawl social media and websites to gather information about unsuspecting victims and guess their passwords.

FYI:
The U.K.'s Cyber Security Breaches Survey predicts that 45 percent of midsize firms will be subject to a cyberattack in 2024, most likely via phishing.

What does your business have that cybercriminals want?

Cybercriminals are looking for specific information when they hack businesses, including the following:

  • Sensitive commercial data: Cybercriminals know the market value of the data stored on a business’s computer system, and many gangs offer industrial espionage as a service. Instead of sending thieves to break into competitors’ physical premises, companies can pay hackers to break in electronically to get copies of rivals’ customer databases, research details, development projects and more.
  • Customer databases: Information about your highest-spending customers can be sold on the black market or to competitors.
  • Customer payment details: Unencrypted debit or credit card information is less valuable than it used to be because banks are getting better at spotting and stopping fraudulent payments. A compromised credit card may work for only an hour or two before it’s blocked, but that’s enough time to inflict serious damage.
  • Your company’s identity: Many cybercriminals attempt to change company details held at government agencies to open accounts with suppliers and then order goods or take out loans from financial institutions.
  • Money in the bank: Although successful checking-account breaches are rare, cyber gangs can still cause significant financial damage to businesses with ransomware and phishing attacks.

What is cybersecurity insurance?

Cybersecurity insurance is a type of business insurance that provides compensation for incident investigations, data recovery, computer system restoration, income loss, reputational damage, ransoms paid and notification costs. Cyber insurance providers are growing along with the threat of cybercrime. 

Extended cybersecurity insurance also includes coverage for legal bills incurred to defend yourself against claims related to a breach, as well as for settlements and damages. Insurers’ security policies generally do not cover lost profits, the loss of company value caused by intellectual property theft, or the replacement or upgrading of technology to boost cybersecurity.

The average cost of cyber insurance is about $1,740 per year, or $145 per month, with coverage ranging from $1 million to $5 million. 

Tip:
Cyber insurance doesn't cover confidential information you keep in nondigital formats, like paper. For that, you'll need data breach insurance.

Why is it important to safeguard your business against cyberattacks?

Business owners must defend against online threats to protect their company reputation, financial assets and client base. As a bonus, when your business is secure, companies and customers know they can trust you with their confidential data — an excellent selling point. 

With a robust cybersecurity policy in place, your business will reap these benefits:

  • A cybersecurity plan protects your finances. Successful data breaches incur significant financial losses, including stolen funds, the costs of recovering from an attack, and regulatory fines. A cybersecurity plan protects your revenue and cash flow while minimizing potential losses.
  • A cybersecurity plan helps you maintain customers’ trust. Consumers and business decision-makers are more likely to choose a firm that can keep their sensitive personal, financial and health data safe.
  • A cybersecurity plan ensures business continuity. Cyberattacks can significantly disrupt your business operations. An excellent cybersecurity plan protects you from most attacks and provides a quick route to recovery if you experience a successful breach.
  • A cybersecurity plan protects your valuable data. Your business houses sensitive data, such as customer payment information and employee personal details. It also has valuable intellectual property, including product designs and marketing strategies. By ensuring the highest cybersecurity levels, you can protect your valuable data and assets from internal and external bad actors.

A thorough cybersecurity plan is an investment in your business’s future. By following the guide above, you can protect your assets, maintain your customers’ trust and give your business a competitive advantage.

Written by: Mark Fairlie, Senior Analyst
Mark Fairlie brings decades of expertise in telecommunications and telemarketing to the forefront as the former business owner of a direct marketing company. Also well-versed in a variety of other B2B topics, such as taxation, investments and cybersecurity, he now advises fellow entrepreneurs on the best business practices. At business.com, Fairlie covers a range of technology solutions, including CRM software, email and text message marketing services, fleet management services, call center software and more. With a background in advertising and sales, Fairlie made his mark as the former co-owner of Meridian Delta, which saw a successful transition of ownership in 2015. Through this journey, Fairlie gained invaluable hands-on experience in everything from founding a business to expanding and selling it. Since then, Fairlie has embarked on new ventures, launching a second marketing company and establishing a thriving sole proprietorship.