Cybersecurity Best Practices for Small Businesses


Create a multi-step plan to protect you and your customers.

The impact of recent breaches that compromised the personal data of over 145 million individuals has left many confused, frustrated and downright angry. And while massive attacks on large corporations make headlines, small businesses have just as much, if not more, at stake.

According to data analyzed in a report by Hiscox, an insurance provider, cyberattacks are likely to have a bigger financial impact on small businesses. The 2017 report found that small businesses with under 99 employees faced an average cost of $36,000 after a cyberattack. Less advanced security protection, a smaller budget dedicated to cybersecurity and fewer resources for a fleshed-out IT department make small businesses an ideal target for hackers.

What, exactly, is a cyberattack?

A cyberattack is an unauthorized attempt to expose, destroy or access your data. According to a survey of 700 business owners by BizBuySell, an online marketplace for small businesses up for sale, 1 in 10 small businesses have been attacked. The three most common attacks cited were general malware, web-based attacks, and phishing scams or social engineering.

General malware. Short for malicious software, malware acts against the intent of the user, and can come in the form of a virus, Trojan horse or worm. Ransomware — a form of malware that demands money to avoid a negative consequence, like permanently deleting your data or publishing it publicly — costs small businesses approximately $75 billion a year, according to a 2016 report by cybersecurity company Datto.

Web-based attacks. A web-based attack is one in which malware reaches your computer via the internet. There are multiple ways for this to happen, including malicious websites that present themselves as legitimate, and hackers who insert malicious code into the code of a legitimate website.

Social engineering scams. A social engineering attack is when a hacker tricks you into giving up personal information like credit card numbers, Social Security numbers or bank information. It is also known as phishing.

How can I protect myself and my customers?


For October, which is National Cyber Security Awareness Month, Microsoft is offering a series of free cybersecurity workshops for small-business owners, co-sponsored by the National Institute of Standards and Technology, or NIST, and the U.S. Small Business Administration. The SBA also offers a self-guided online course in cybersecurity basics.


Your cybersecurity plan should include an employee training program and incident response plan. The first step to securing your network is to make sure your employees understand security policies and procedures. Training shouldn’t be a one-and-done deal; schedule yearly or semi-yearly refresher courses to keep security top of mind. Help your employees understand the importance of updating their software, adopting security best practices and knowing what to do if they identify a possible security breach.

The faster you act in the face of a cyberattack, the better you’ll be able to mitigate the damage.

An incident response plan will have crucial information such as:

  • whom to contact
  • where data and data backups are stored
  • when to contact law enforcement or the public about a breach

The Federal Communications Commission offers a cybersecurity planning guide to help small-business owners create a plan to protect their business. (You can download your customized plan at the bottom of the page after you create it.)


NIST advises government agencies on password best practices. Its Digital Identity Guidelines, released in June 2017, recommend that passwords be at least eight characters long and note that length is more beneficial than complexity. Allow your employees to create long, unique passwords that are easy for them to remember.

If you deal with highly sensitive data, you may want to require multifactor authentication, which requires users to present at least two identifying factors, like a password and a code, before gaining access to systems or programs. Think of it like an ATM, which requires a combination of a bank card and a PIN to access funds.
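The two preceding paragraphs describe the two controls in words: a length-based password policy and a second factor in the form of a code. The following is an added example (not code from the article or from NIST) that implements both in plain Python: a policy check that enforces minimum length without composition rules, and a time-based one-time code (TOTP, RFC 6238) verifier for the "password and a code" pattern. The common-password deny-list is a tiny constructed stand-in for the large breached-password list NIST's guidelines recommend screening against; the iteration count, secret length and clock-drift window are assumptions, not values from the page.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Floor from NIST SP 800-63B (the article's "at least eight characters").
MIN_PASSWORD_LENGTH = 8
# NIST also requires that long passphrases be accepted; 64 is the minimum maximum it names.
MAX_PASSWORD_LENGTH = 64
# Constructed stand-in for a breached/common-password list (assumption: real deployments use a large one).
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}
PBKDF2_ITERATIONS = 200_000  # assumption, not from the page


def check_password_policy(password: str) -> list:
    """Return policy violations; an empty list means the password is accepted.

    Deliberately enforces length and a deny-list only: NIST advises against
    mandatory digit/symbol mixes in favour of long, memorable passwords.
    """
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, submitted: str, at_time=None, step: int = 30, drift: int = 1) -> bool:
    """Accept the current step plus `drift` steps either side to tolerate clock skew."""
    now = time.time() if at_time is None else at_time
    counter = int(now // step)
    for c in range(counter - drift, counter + drift + 1):
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def enroll(password: str) -> dict:
    """Register a user: enforce the policy, then store a salted PBKDF2 hash and a fresh TOTP secret."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS),
        "totp_secret": secrets.token_bytes(20),  # 160-bit secret, shared with the user's authenticator app
    }


def login(record: dict, password: str, code: str, at_time=None) -> bool:
    """Both factors must pass: the password matches the stored hash AND the code is valid."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    password_ok = hmac.compare_digest(digest, record["hash"])
    return password_ok and verify_totp(record["totp_secret"], code, at_time)


if __name__ == "__main__":
    user = enroll("correct horse battery staple")  # constructed passphrase
    now = time.time()
    print("login ok:", login(user, "correct horse battery staple", totp(user["totp_secret"], now), now))
```

The `hotp`/`totp` functions reproduce the RFC 6238 reference behaviour, so the secret `12345678901234567890` at Unix time 59 yields `287082`, which is how the implementation can be checked against the standard's published test vectors before trusting it.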


According to cybersecurity company Symantec, in 2016, 1 in 131 email messages were malicious — this is the highest rate in five years.

Basic email safety precautions, like not opening suspicious attachments or links, are a first step that can be covered in your employee training plan. If you deal with clients’ personal data, you can also encrypt documents so that both the sender and the recipient need a passcode to open them.


A firewall acts as a digital shield, preventing malicious software or traffic from reaching your network. There are many kinds of firewalls, but they fall into two broad categories: hardware and software.

Some firewalls also have virus-scanning capabilities. If yours doesn’t, be sure to also install antivirus software that scans your computer to identify and remove any malware that has made it through your firewall. It can help you control a data breach more efficiently by alerting you to an issue, instead of your having to search for the problem after something goes wrong.


Any type of Wi-Fi equipment you receive will not be secure when you first buy it. And no, you shouldn’t keep the default password that comes with your device — there are resources online that list default passwords by model number for popular routers, so make sure your network is encrypted with your own, unique password. Your router will likely allow you to choose from multiple kinds of security; one of the most secure is Wi-Fi Protected Access II (WPA2).

You’ll also want to hide your network, meaning the router does not broadcast the network name. If customers or clients will need access to Wi-Fi, you can set up a “guest” account that has a different password and security measures, which prevents them from having access to your main network.
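The three settings above (WPA2 with your own passphrase, a hidden network name, and a separate guest network) are usually made in a router's web interface. As an added illustration that is not part of the article, here is what the same choices look like in a configuration file for a Linux access point running hostapd; the interface names, network names and passphrases are constructed placeholders, and the bridge name for the guest network is an assumption that depends on how the rest of the router is set up.

```ini
# hostapd.conf: constructed example, not from the article. Replace every CHANGE-ME value.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# Staff network: WPA2 only (wpa=2) with AES/CCMP; the weaker TKIP cipher is not offered.
ssid=ExampleShop-Staff
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-long-unique-staff-passphrase
# Do not broadcast the network name, as the article suggests.
ignore_broadcast_ssid=1

# Guest network: a second BSS with its own passphrase, kept off the staff network.
bss=wlan0_guest
ssid=ExampleShop-Guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-different-guest-passphrase
# Place guest clients on their own bridge/VLAN (assumed name) so they cannot reach staff systems.
bridge=br-guest
# Stop guest clients from talking to each other.
ap_isolate=1
```

Two points worth keeping in mind when reading this: hiding the network name only stops the name from being advertised, so the passphrase and WPA2 encryption remain the controls that actually gate access; and a guest network with a different passphrase only isolates guests if it is also placed on a separate bridge or VLAN, which is what the `bridge=` line stands for here.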


It’s crucial to work with your bank or payment processor to ensure that you’ve installed any and all software updates. The more complex your payment system, the harder it will be to secure, but the Payment Card Industry Security Standards Council offers a guide to help you identify the system you use and how to protect it.

© Copyright 2017 NerdWallet, Inc. All Rights Reserved
