Top 7 Cybersecurity Tips for Small Businesses

Small businesses are the backbone of the U.S. economy. There are an estimated 28 million operating in the U.S., and together they employ more than half of the working population.1


And yet, many small businesses aren't cybersecure. A 2016 report published by Keeper Security and the Ponemon Institute found that a full 50% had been breached in the past 12 months, and only 14% of respondents rated their ability to defend against cyberthreats as “highly effective.”


Cyberbreaches can be costly and damaging to a firm's reputation, and the worst among them can force businesses to shudder their doors. Which begs the question: Why is tight cybersecurity the exception and not the norm?


“The most fundamental problem for smaller businesses when it comes to cybersecurity is simply lack of threat awareness — not realizing that their business could become a victim, whether it is a malicious code infection, a ransomware attack, a fraudulent wire fraud request, or bank account compromise through a phishing email,” says Stephen Cobb, senior security researcher at ESET North America, which provides computer security solutions for businesses of all sizes.


Here are seven tips to close the awareness gap and help you keep your small business secure online.

1. Protect against viruses, spyware, and other malicious code

Ensuring that all of your business' computers have anti-virus and anti-spyware software, and that all software installed to your network is updated (and set to update automatically), may be the single-most effective way to mitigate cyber risk.

2. Establish cybersecurity protocol for your employees

Establish security policies governing how employees should handle and protect personally identifiable information and other sensitive data. Also, educate your employees about best practices for security, including safe web browsing and social-media use.

Continue to educate as best practices evolve. An often overlooked defensive tactic is raising the cybersecurity awareness of your workforce; employees are often the cracks through which phishing and other attacks take root, and a security-savvy employee base is less likely to fall victim to such threats.

3. Back up your systems

Ransomware, or viruses used by hackers to encrypt an organization's computer files and detain them until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI. Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves.

4. Create a framework for mobile security

While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Plus, set reporting procedures for lost or stolen mobile devices.

5. Stay secure in the cloud

While cloud computing services have been a major boon for small businesses, they have also opened up new security loopholes by exporting potentially sensitive data to external servers. To mitigate risk, Cobb points to the “3 Cs” of cloud computing:

  • Contract: Does your contract with your cloud provider outline the security provided? Check the service level agreements and access-tier data policies. How long do managed service providers retain the data? What do they do with it?
  • Control: Do you have adequate safeguards protecting access to the cloud? “You should not rely on passwords alone to protect cloud access,” says Cobb. “You need two-factor authentication and you need to keep track of access granted to employees, partners, suppliers, and customers.”
  • Connectivity: Do you have a reliable and secure internet connection?

6. Maintain strong standards for passwords and authentication

Require employees to create unique passwords and change them every three months. Adding an additional step after a password for access to key business assets is important, not only for business but personal use, said Matt Littleton, Microsoft East Regional Director of Cybersecurity and Azure Infrastructure Services, in PC Mag.


“Look at your security settings and require every employee to enter their cell phone number as a second factor,” Littleton noted, referring to two-factor authentication. (An example is a bank that requests not only your password, but sends you a text message to your personal phone number with a PIN number.) “Then, even if I'm an attacker and I steal your password, I can't use it unless I steal your cell phone and know the PIN.”

7. Secure your networks

Use a firewall and encryption to safeguard your internet connection. If you have a Wi-Fi network, be sure access to the router is secured by a password and hidden so that it does not broadcast the network name. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Also, remember to password-protect access to the router.


It's important for small businesses to follow these and other security practices when looking to become cybersecure and cyberaware. Small businesses should evaluate their operational resilience and cybersecurity practices. A good start is US-CERT's Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more.

More information

Protecting your business against cyberthreats doesn’t have to be overwhelming. Start with the simplest and most affordable tools available. And for more tips on managing cybersecurity risk, see this resource list from the U.S. Small Business Administration, and review our business-protection tips.







Disclaimer: Views expressed in this article and the third party links contained herein may not necessarily reflect those of Citizens Bank. Citizens Bank does not guarantee the accuracy of the information contained on the third party websites linked to in this article, nor do we endorse the products or services mentioned or provided on said third party websites. The information contained herein is for informational purposes only as a service to the public, and is not legal advice or a substitute for legal counsel, nor does it constitute advertising or a solicitation. You should do your own research and/or contact your own legal or tax advisor for assistance with questions you may have on the information contained herein.