Why Do Small Businesses Need a Cybersecurity Plan?

In a world where cybercrime never sleeps, organizations need an “always-on” cybersecurity plan. And for small and medium-sized businesses (SMBs), the need is even greater. Cybercriminals have significantly increased their focus on smaller organizations in recent years — in 2023, 41% of small businesses fell victim to a cyberattack, a rise from 38% in 2022 and 22% in 2021.

The good news for SMBs is that establishing a strong security posture is within reach. Our cybersecurity checklist will help you uncover risk areas and identify opportunities for improving the security of your operations.

Most Common Cyber Threats to Small Businesses

Before diving into the checklist, it’s important to understand what you’re trying to keep at bay in the first place. The cyber threat landscape is vast, so it’s probably not a surprise to hear that small businesses need to safeguard against the same attacks that threaten larger organizations. For SMBs in particular, some of the most common cybersecurity threats of 2024 include:

But unlike their larger counterparts, when a small business gets hit by ransomware, malware or a data breach, it can have a much greater (and far more damaging) impact on the business. Notably, the average cost of a data breach for small businesses is $3.31 million.

Learn More

Small businesses are often easy prey for cybercriminals on the hunt for sensitive business data and customer information. With CrowdStrike, you get enterprise level-protection and support at a price you can afford – because every SMB deserves protection, regardless of headcount.


Small Business Cybersecurity Checklist

  1. Understand Your Environment
  2. Train Employees
  3. Implement Security Defenses
  4. Maintain Good IT Security Hygiene
  5. Prepare a Response Plan

Understand Your Environment

The end game for cybercriminals is to gain access to your high-value data. This data goes for a pretty penny in dark web marketplaces, so it’s important to take stock of your environment to understand the various devices and systems you have in place and where your valuable data resides.

Expect a breach

Knowing your environment well and preparing for a breach allows you to react quickly if a successful attack occurs. In this case, the old adage holds true: Hope for the best, plan for the worst.

One important thing to consider in your planning is your speed to respond. This is essential because attack velocity (i.e., the speed of an attack) is increasing, and the time it takes for an attacker to steal data is decreasing. In 2023, for example, the average eCrime breakout time was only 62 minutes, compared to 84 minutes in 2022.

Evaluate your device, facility and network landscape

Data breaches can arise from cybercriminals taking advantage of unaware employees or talking their way past someone to gain access to facilities. Train your employees to lock up and physically secure their sensitive documents and computer files. Likewise, encourage good physical security practices for corporate devices and laptops, which are easily stolen if left unattended. Desktops and servers located in open, public areas or in offices that are unattended and unlocked can also be easily taken.

Expert Tip

Improper document disposal accounts for 14% of data breaches caused by physical attacks.

Identify your IT security resources

Keeping an organization’s infrastructure up and running securely requires a good deal of time and expertise. It’s important to assess your current resources to determine if you have any gaps in knowledge or personnel. If you’re feeling stretched thin, you’re not alone: 59% of companies report being either somewhat or significantly understaffed, which creates additional cyber risk for their organization.

If cybersecurity is always an item on your never-ending “to do” list, it’s probably a good sign that it’s time to get more help, whether that means hiring additional in-house staff or outsourcing your IT security resources to a managed service provider.

Train Employees

Employees are a company’s best asset, but unfortunately, they’re also often the weakest link in protecting against cyber threats. The human element (e.g., falling for phishing, clicking on a link or simple human error) continues to drive security incidents, contributing to 68% of breaches from November 2022 to October 2023. Here are some best practices to put in place to support your employees.

Provide security awareness training

Your employee base can be your greatest ally and resource in protecting your company from cyber threats. That’s why 72% of organizations are providing or planning on providing more security training as part of their talent and technology investments.

Closing your employees’ knowledge gap by providing training on security best practices will mitigate this risk and empower your users to become an active part of your organization’s security defense.

Create and enforce strong passwords

It’s vitally important to use strong passwords for your organization’s router or firewall devices. The last thing you want is for a hacker to gain access to your entire network and all of the files and data within it. Using and enforcing strong password practices with your users is also essential to prevent unauthorized access to your software as a service (SaaS) applications, laptops and devices.

Your password policy should require lengthy and complex passwords that use a variety of characters. Left to their own devices, 78% of people reuse the same password across multiple accounts, so require your employees to use unique passwords that aren’t recycled. One way to boost the effectiveness of your password program is to require employees to update their passwords every 90 days.
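One way to turn the policy above into an enforceable check is a small validator that is run whenever a user sets a new password. The code below is an added illustration, not CrowdStrike's or the page's own tooling. The specific thresholds (14-character minimum, three of four character classes, a 10-entry reuse history) are assumptions chosen for the example; only the 90-day rotation interval comes from the text. Previous passwords are kept only as salted PBKDF2 hashes so the reuse check never stores plaintext.

```python
import hashlib
import os
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy values for this example (the page asks for "lengthy and complex"
# passwords but gives no numbers); the 90-day interval is the one the text names.
MIN_LENGTH = 14
REQUIRED_CLASSES = 3          # out of: lowercase, uppercase, digit, symbol
HISTORY_DEPTH = 10            # previous passwords that may not be reused
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 200_000

HistoryEntry = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 so the reuse history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def complexity_errors(password: str) -> List[str]:
    """Length and character-class checks; returns human-readable failures (empty if OK)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    classes = sum(any(c in group for c in password) for group in groups)
    if classes < REQUIRED_CLASSES:
        errors.append(f"uses {classes} character classes, needs {REQUIRED_CLASSES}")
    return errors


def is_reused(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if secrets.compare_digest(candidate, digest):
            return True
    return False


def validate_new_password(password: str, history: List[HistoryEntry]) -> List[str]:
    """Combine complexity and reuse checks; an empty list means the password is accepted."""
    errors = complexity_errors(password)
    if is_reused(password, history):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return errors


def rotation_due(last_changed: datetime, now: Optional[datetime] = None) -> bool:
    """True once the password is older than MAX_AGE (the 90-day interval from the text)."""
    now = now or datetime.now(timezone.utc)
    return now - last_changed >= MAX_AGE


def run_demo() -> dict:
    """Constructed walkthrough: one old password in history, one reuse attempt, one stale account."""
    history = [hash_password("OldPassw0rd!2023")]
    changed = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return {
        "reuse_rejected": validate_new_password("OldPassw0rd!2023", history),
        "fresh_accepted": validate_new_password("Tr0ub4dor&3xample!", history),
        "too_short": validate_new_password("Sh0rt!", history),
        "rotation_due": rotation_due(changed, now=changed + timedelta(days=91)),
        "rotation_not_due": rotation_due(changed, now=changed + timedelta(days=30)),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {result}")
```

The reuse check deliberately re-hashes the candidate with each stored salt rather than comparing plaintext, and `secrets.compare_digest` keeps the comparison constant-time; the 90-day rule is implemented as a separate age check so it can be reported independently of password quality.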

Create, enforce and continuously update a personnel security policy 

If there’s one thing that’s consistent in any organization, it’s change — with employees coming, going and moving into new roles within the company. Putting a security policy in place will help align your ever-changing personnel on the expected rules and behavior to follow for meeting minimum IT security and data protection requirements.


Learn More

Looking to better educate your team about common security risks, promote responsible online behavior and outline steps to take when an attack may be in progress?

Read: How to create an employee cybersecurity awareness training program

Implement Security Defenses

Security technologies can help safeguard your organization against the many attack vectors bad actors use. Though many tools allow you to customize them depending on your specific environment, there are some universal items to look for when looking for the right security technology.

Implement multifactor authentication (MFA)

MFA is a powerful way to enhance your organization’s security, as it requires your users to identify themselves with more than just a username and password. Though good usernames and passwords are important, they’re not a failsafe against suspicious login activity. That’s why 46% of SMBs have adopted MFA, and this number is expected to grow.

When you adopt MFA, your users will be asked to provide another “factor” in addition to their passwords, such as a PIN or mobile push from their smartphone. This significantly increases the likelihood that the person attempting to log in is really who they say they are. According to Microsoft Security, MFA can prevent 99.9% of attacks on your accounts.
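To make the “second factor” concrete, the following added example (not code from the page or from CrowdStrike) implements the server side of a time-based one-time code check, the kind of code an authenticator app shows. The page mentions PINs and mobile push; a time-based code is assumed here because it can be demonstrated offline. It follows RFC 4226/6238 (HMAC-SHA1, 30-second steps, 6 digits), tolerates one step of clock drift in either direction, and refuses to accept a code for a time step that has already been used, so a captured code cannot be replayed. The shared secret is the constructed ASCII seed from the RFC 6238 test vectors, used only so the outputs are checkable.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30     # seconds per TOTP period (RFC 6238 default)
DIGITS = 6
WINDOW = 1         # accept one step of clock drift on either side

# Constructed shared secret: the ASCII seed from the RFC 6238 test vectors.
# A real deployment generates a random per-user secret and stores it encrypted.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second step."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // TIME_STEP)


class TotpVerifier:
    """Per-user verifier that checks a submitted code and blocks replay of a used step."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step: Optional[int] = None

    def verify(self, submitted: str, at_time: Optional[float] = None) -> bool:
        at_time = time.time() if at_time is None else at_time
        current = int(at_time) // TIME_STEP
        for step in range(current - WINDOW, current + WINDOW + 1):
            # Replay defence: never accept a step at or before the last successful one.
            if self.last_accepted_step is not None and step <= self.last_accepted_step:
                continue
            # Constant-time comparison so timing does not leak which digits matched.
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code))
    print("replay accepted:", verifier.verify(code))
```

Because the verifier remembers the last accepted time step, presenting the same code twice fails even inside the drift window; the password check still happens first, and the second factor only confirms possession of the enrolled device.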

Determine how many layers of security to implement

Layered security is the concept of using multiple security components (or layers) to protect your organization’s infrastructure. The purpose of this best practice approach is to ensure that each individual security component has a backup if it doesn’t detect a threat. For example, if a phishing email gets past an email security technology and a user clicks on a malicious URL within the email, your endpoint security product would provide another security layer to stop the threat and protect your organization.

Every layer of additional protection matters. Most organizations’ layers should include a firewall, patch management, endpoint protection, web and email content filtering, and multifactor authentication. Determine which of these are missing from your layered security strategy, and plan to adopt the appropriate ones that support your IT environment.

Implement employee access limitations to data and software installations

As a best practice, you should limit who has access to your organization’s high-value data. Putting an access control policy in place will help you establish guidelines that outline who can access data and resources for your business. You’ll also want to limit access to software installations; for example, only certain users should have access to applications like your customer relationship management (CRM) software, which includes your customer contact details.

Implementing role-based access control (RBAC) will help you ensure that only authorized users can access data and software. In short, RBAC lets you give employees access to only the data, tasks and applications necessary for their job functions and roles.
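The following is an added example of the RBAC model the paragraph describes, written for this page rather than taken from it or from any product. Roles map to explicit (action, resource) grants, users hold roles, and the authorization check denies anything not explicitly granted. The role names and resource labels (a CRM contacts store, invoices, software installation) are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = Tuple[str, str]   # (action, resource), e.g. ("read", "crm:contacts")

# Constructed role definitions for a small firm; names are ours, not the page's.
# Each role carries only what that job function needs (least privilege).
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "sales": frozenset({
        ("read", "crm:contacts"), ("write", "crm:contacts"),
    }),
    "finance": frozenset({
        ("read", "crm:contacts"), ("read", "billing:invoices"), ("write", "billing:invoices"),
    }),
    "it_admin": frozenset({
        ("install", "software"), ("read", "audit:logs"),
    }),
}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


def permissions_for(user: User) -> FrozenSet[Permission]:
    """Union of every role's grants; a role missing from the table grants nothing."""
    granted: Set[Permission] = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def is_authorized(user: User, action: str, resource: str) -> bool:
    """Deny by default: only an explicit (action, resource) grant allows the request."""
    return (action, resource) in permissions_for(user)


def authorize(user: User, action: str, resource: str) -> None:
    """Raise on denial so a caller cannot silently ignore a failed check."""
    if not is_authorized(user, action, resource):
        raise PermissionError(f"{user.name} may not {action} {resource}")


def decide_requests(user: User, requests: List[Permission]) -> Dict[Permission, str]:
    """Evaluate a batch of requests and return allow/deny per request (useful for audit logs)."""
    return {req: ("allow" if is_authorized(user, *req) else "deny") for req in requests}


if __name__ == "__main__":
    alice = User("alice", {"sales"})
    bob = User("bob", {"it_admin"})
    wanted = [("read", "crm:contacts"), ("install", "software"), ("read", "audit:logs")]
    for person in (alice, bob):
        for req, decision in decide_requests(person, wanted).items():
            print(f"{person.name}: {req[0]} {req[1]} -> {decision}")
```

Keeping grants in a single table makes reviews easy: removing a departing employee's roles revokes everything at once, and adding a new application means adding a resource label to the roles that genuinely need it rather than handing out accounts ad hoc.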

Install antivirus software across all devices

Protecting your users’ desktops, laptops and mobile devices (i.e., your endpoints) from malware, ransomware and other threats has always been an important security practice. With today’s large remote and hybrid workforce, adopting antivirus software — often referred to as endpoint protection — is more critical than ever because your endpoints can serve as doorways for cybercriminals to gain access to your company’s network.


Expert Tip

Antivirus technology is the first line of defense against threats like malware and ransomware. CrowdStrike's antivirus solution activates in minutes with 24/7 coverage for your small business.


Maintain Good IT Security Hygiene

Continuously back up data

In the event of a successful cyberattack, backups often serve as an organization’s “get out of jail free” card, as the damage can be undone by restoring the impacted machine or systems to the latest backup.

Having regular and reliable data backups is an important IT practice for SMBs to adopt. It can prevent long-term damage from lost data due to a security incident, an accidental deletion or a natural disaster. Data backups ensure you have a complete copy of your systems ready to restore, no matter why the data loss occurred.

Update software and patch systems

SMBs must be ready to act quickly during the small window between the discovery of a new flaw in software, hardware or firmware and the release of an exploit that leverages it. Why? Because 57% of breach victims said they were breached through a known vulnerability for which a patch was available but had not been applied.

Patch management is the cornerstone of your vulnerability management plan. Ensure you have a strong patch management process that’s always on and connected to provide the visibility you need into which patches are high priority and require immediate deployment to your impacted systems.

Prepare a Response Plan

In the event of a successful attack, having a plan in place will help you act quickly and efficiently to involve the right people, take the necessary actions and mitigate the damage.

Establish an incident response plan leveraging the National Institute of Standards and Technology (NIST) framework

When it comes to incident response and having a foundation on which to build your plan, NIST provides a solid framework for small businesses to follow. It contains four phases of the incident response life cycle:

  •  Step #1: Preparation
  •  Step #2: Detection and Analysis
  •  Step #3: Containment, Eradication and Recovery
  •  Step #4: Post-Incident Activity

Speed is critical for detecting and containing a successful attack. Isolating an attack (perhaps by disconnecting an impacted machine from the network) gives you some breathing room to coordinate and deliver on the rest of your response.

Does your business check all of the boxes? Speak with a cybersecurity expert today to learn more.


Dana Larson is a Sr. Product Marketing Manager on a mission to help small businesses stay secure and protected. She mixes creativity with strategy, making cybersecurity not just essential but valuable for small businesses. From crafting smart marketing plans to chatting with customers, Dana ensures that every customer she touches feels empowered and protected.