Cybersecurity for small businesses: How to stay protected in a digital-first world

Published April 27, 2021

Do you leave the doors of your business unlocked when you close for the evening? Of course not. But what about your digital doors?

Rapid digitization during the pandemic has been a good thing for small businesses looking to diversify and add more sustainable revenue channels—but it also comes with potential risks. Thankfully, there are simple, powerful strategies that businesses can use to achieve peace of mind in the digital era.

Since the digital side of your business runs 24/7, applying simple cybersecurity strategies to your small business’s online activity is the digital equivalent to locking up shop. Cybercriminals are opportunistic, so as long as you don’t “leave the door open” for them, you’ve vastly reduced any risks from the get-go.

Whether you’re a growing retailer delving into e-commerce for the first time, a small restaurant ramping up online delivery, or something else entirely, the internet can potentially open doors for wrongdoers looking to capitalize on vulnerable small businesses. Don’t be alarmed. Digital transformation makes cybersecurity for small businesses a priority, and there are fool-proof ways to make sure your business stays safe.

Learn cybersecurity basics to secure your small business

Cybersecurity can be an intimidating topic for the uninitiated, but getting the basics down is imperative, whether you’re “just using email and maintaining a website” or something more complex like cloud computing. The first steps are understanding the common threats and the negative impacts they can have, then working to prevent them.

Common types of cyberattacks

The most common types of cyberattacks exploit openings to find a way into unwitting businesses. The “in” in this case means access to an internal network—think of it as trespassing on a physical business property, but online. Unfortunately, small businesses can lack the expertise or awareness to know what’s at stake and how they can be compromised, and that is exactly the opening attackers look for.


The first, known as “phishing,” has been around as long as email has and is more prevalent now than ever before. This scam doesn’t involve sophisticated hacking; instead, it relies on old-fashioned trickery to get a user to perform a specific action—usually something as innocuous as clicking a link. Phishing scams typically present themselves in the form of emails, with the actions taken granting the perpetrator confidential information that will then give them access to private systems.

An example of an (obvious) phishing email attempt.

Be on the lookout for these typical phishing email characteristics:

  • Ambiguous greetings (“Dear Customer,” “Dear Valued Member,” etc.). Legitimate businesses that are worth your time will address you by your name or that of your business specifically.
  • Suspicious email domains. If the tail end of the sender's email isn’t the same as the actual business website, beware.
  • Upfront requests for personal information. Data protection is huge nowadays, and responsible businesses know this. Don’t provide personal info without due diligence.
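As an added illustration of the three red flags above (example code written for this article, not something the original page or any vendor ships), the following Python heuristic parses an email and reports which of the three it finds. The trusted-sender table, the keyword lists and both sample messages are hypothetical, constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: organisations we deal with and the domain each one really sends from.
TRUSTED_SENDERS = {"acme bank": "acmebank.example"}
GENERIC_GREETINGS = ("dear customer", "dear valued member", "dear user", "dear account holder")
PERSONAL_INFO_TERMS = ("password", "social security", "card number", "pin code", "date of birth")

def sender_domain(from_header):
    """Domain part of the From: address, lowercased ('' if there is no address)."""
    _display, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def phishing_indicators(raw_email):
    """Return the red flags found in a plain-text email, in the order the article lists them."""
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = []

    # 1. Ambiguous greeting: inspect the first non-blank line of the body.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if first_line.lower().rstrip(",:!") in GENERIC_GREETINGS:
        flags.append("generic greeting: " + first_line)

    # 2. Suspicious sender domain: the display name or subject invokes a trusted
    #    organisation, but the address is not on that organisation's own domain.
    from_header = msg.get("From", "")
    claimed = (parseaddr(from_header)[0] + " " + msg.get("Subject", "")).lower()
    domain = sender_domain(from_header)
    for org, real_domain in TRUSTED_SENDERS.items():
        if org in claimed and domain != real_domain and not domain.endswith("." + real_domain):
            flags.append(f"sender domain {domain} is not {real_domain}")

    # 3. Upfront request for personal information anywhere in the body.
    asked = [t for t in PERSONAL_INFO_TERMS if t in body.lower()]
    if asked:
        flags.append("asks for personal information: " + ", ".join(asked))
    return flags

# Constructed sample messages (not real mail): one phish, one legitimate notice.
PHISH = """\
From: Acme Bank Support <security-alert@acmebank-verify.example>
Subject: Urgent: confirm your account

Dear Customer,
Your account has been locked. Reply with your password and card number to restore access.
"""
LEGIT = """\
From: Acme Bank <statements@acmebank.example>
Subject: Your March statement is ready

Dear Jane Doe,
Your statement is available in online banking as usual.
"""
```

Running `phishing_indicators(PHISH)` returns all three flags, while `phishing_indicators(LEGIT)` returns an empty list; a heuristic like this is a triage aid for a mailbox rule or a training exercise, not a substitute for the judgement the bullets above ask for.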


The next common type of cyberattack comes in the form of malware—“malicious software” intended to cause data breaches and expose system weaknesses. Malware infections are commonly referred to as “viruses,” but this isn’t exactly correct: “virus” only applies to the most severe autonomous malware infections. This makes viruses particularly difficult to clean up—but thankfully, more common malware is easier to detect and remove using off-the-shelf cybersecurity software.

A business is at risk when files containing malware are downloaded without the user realizing it and then disrupt internal systems. Extensive malware infections have been widely publicized in the past few decades, with the most recent and notorious being “CovidLock,” which installs itself through files that promise to provide useful information related to the pandemic.

An attempt to play on COVID fears to initiate the download of malware.

Commonly known types of malware are:

  • Trojans: Just as the Trojan horse was assumed to be a peace offering and welcomed within the city walls during the Trojan War, Trojan malware disguises itself as something helpful (a virus scan, threat warning, etc.) to get users to run the malicious program. Trojans usually come via email or pop-up and, once executed, can give the hacker control of the computer remotely. 

  • Ransomware: The rise of cryptocurrency and digital payments has seen ransomware become a more common cyber threat. Ransomware essentially holds a system, network or data hostage until certain demands—almost certainly a sizable monetary transfer—are met. Sometimes, cybercriminals will disappear into thin air without ever handing over the decryption key, as was the case with an unlucky small Midwest retailer back in 2016.

  • Spyware: Spyware is used to observe and record actions on a computer, like internet usage data or keystrokes of passwords that can then be used to access private accounts and intellectual property. Spyware is the easiest to detect and remove but is still concerning, as it gets inside through the same vulnerabilities that more serious cyber threats use.


Insider attacks

The final common type of cyberattack is one that’s a sad reality for upstanding businesses—an insider attack. As the name suggests, it involves someone on the inside causing exposure to sensitive information and data. 

Insider attacks affect cybersecurity for small businesses and large corporations alike—Tesla, for example, fell victim to an attack in 2018 where an insider caused, as CEO Elon Musk put it, “quite extensive and damaging sabotage ... direct code changes to the Tesla Manufacturing Operating System ... and exporting large amounts of highly sensitive Tesla data to unknown third parties.” 

Insider attacks are best prevented through employee training initiatives and airtight security protocols. More on this later.

We’ve listed some of the most well-known cyber threats, but it’s still worth doing your own research on advanced persistent threats, password attacks, man-in-the-middle attacks, and more to give you more confidence in securing your small business.

Risks for your small business

There is a lot at stake when it comes to cybersecurity for small businesses. So, understanding the consequences of cyberattacks is just as important as being knowledgeable about the threats themselves.

No small business deserves to have their hard work sabotaged—you want to make sure security is in check, so you can focus on growth. Rest assured, taking action against cyber threats will allow you to avoid these potential negative effects:

  • Digital destruction: If the digital aspects of your business are compromised, it can leave your internal software and databases unusable, affecting virtually everything you do.

  • Business disruption: Modern businesses rely on internal networks and computers for every business function, so if they become inaccessible due to a cyberattack, work can come to a halt from “point-of-sale checkout to inventory management to payroll.”

  • Reputation damage: Notifying customers and users of data breaches can be intimidating, but handling it irresponsibly is even worse. Take the Facebook data breach affecting over half a billion users that recently came to light—the global social media platform decided against reporting the breach in 2019 and is now facing scrutiny. 

  • Financial liability: Businesses that remain compliant with cybersecurity regulations are safer, but being unaware of such regulations can leave your business financially liable for breaches.

Cybersecurity for small businesses: must-dos

There are a few absolute necessities to get you started on securing your small business from cyber threats.

Secure your networks.

Wi-Fi is everywhere nowadays, and it’s the first place to look when ensuring your business is cyber secure: “Network security strategies are all about preventing unauthorized use and misuse of your computer network—in other words, the devices and data controlled by your network administrator.”

Make sure to use strong passwords to keep your networks private, and use separate networks for important business activities and other uses (IoT, public access, etc.). In 2017, hackers managed to funnel 10 gigabytes of sensitive data out of an American casino by accessing a network-connected smart fish tank control device. This is a cautionary tale for keeping a lock on private networks and being aware of any devices that could be compromised.

Back up your data constantly.

Data backups are fundamental to cybersecurity for small businesses. Not only do they protect your business from ransomware demands, but they also cover you in the case of force majeure or events like data corruption or physical damage.

Keeping multiple backups is ideal. Cloud storage is seamless and convenient but still liable to be breached by cybercriminals. Make sure you’re regularly backing up important data physically—on a separate, offline hard drive—to be 100 percent certain you have that information on hand if something goes wrong.

Keep everything up to date.

Software patches prioritize security improvements, as developers recognize that cyber threats are continuously evolving. Just as biological viruses can mutate and cause problematic infections among human beings, outdated software won’t have the “immunities” needed to protect from new malicious software or hackers.

Keeping all software up to date is important not only to protect from cyber threats but also to avoid service interruptions and bugs and to keep your business running smoothly. 

Use that knowledge to train a cyber-savvy team

Properly training your employees on cyber threats and how to prevent them is one of the most important steps you can take to protect your small business. Cybercriminals look to exploit openings, and more often than not, those vulnerabilities come from human mistakes—accounting for an astonishing 95 percent of cyber breaches, according to a study by IBM. 

Human errors as they relate to cybersecurity typically stem from a lack of awareness, proper training or a distracting work environment. According to Micke Ahola with usecure, there are two types of human error that contribute to cyber breaches:

  • Skill-based errors are “small mistakes that occur when performing familiar tasks and activities.” These can be hard to avoid, as typically the employee is already familiar with the correct course of action. These errors can be minimized by not overworking your staff and providing a work environment that is conducive to deep focus.

  • Decision-based errors happen when an individual lacks knowledge or awareness—making them unable to make decisions in line with cybersecurity. These errors are what you are counteracting with the proper training and company culture.

Now that you’ve built up a good foundation of cybersecurity knowledge, it’s time to share that knowledge with your team and minimize threats to your small business.

Promote a security-first culture

Developing and maintaining a security-first company culture is the greatest defense against cyberattacks. The best way to begin fostering a security-first culture is by teaching employees the same cybersecurity basics you learned: how to recognize the most common types of cyberattacks, what’s at risk for the business, and what the absolute essentials are.

Once everyone is on the same page with the basics, try elevating cybersecurity efforts through:

  • Documenting all security policies. This should be a clear, written plan that holds everyone accountable and keeps everyone on the same page as to what the cybersecurity agendas of the business are.

  • Keeping sensitive data on a “need to know” basis. Transparency is great but having all data available to all staff just doesn’t make sense and provides more opportunities for mistakes. Keeping sensitive data close and confidential minimizes the chances of it falling into the wrong hands.

  • Hosting regular cybersecurity training sessions. Whether it's a company-wide gathering or self-study online, encourage employees to take part in training to inform them of developments and changes in cybersecurity, so they can continue making the right decisions.

  • Offering incentives for cybersecurity wins. Make learning about cybersecurity entertaining and rewarding by holding competitions and rewarding employees for completing training.

Don’t put too much pressure on employees

Putting too much pressure on your employees to maintain cybersecurity can lead to anxiousness. As Martin Jones writes for Cox BLUE, “many people look at the news of a massive data breach and conclude that it’s all the fault of some hapless employee who clicked on the wrong thing.” Nobody wants to be in a position to receive the blame for a cyber breach, and the added pressure can actually increase the likelihood of human error.

Instead, your business should focus on laying the groundwork and continuously supporting staff on cybersecurity best practices. Once habits are formed, the extrinsic pressure won’t be so significant.

Teach password best practices

Strong passwords are the cornerstone of cybersecurity. There are running jokes of businesses and decision makers using “password” or “123456” to secure important accounts. Jokes aside, the sad thing is that these examples still actually happen today. Businesses need to go the extra mile and make sure their entire teams are exercising password best practices.

Simple passwords are completely outdated, and it takes more than a slightly crafty misspelling to throw off hackers looking to bypass the logins of vulnerable businesses. Remember that ill-fated time a CNN “technology analyst” suggested using “pa$$word”?

Ensuring that employees understand how vital it is to use strong passwords goes a long way toward keeping your business protected. It doesn’t have to be difficult, either. Make sure that employees:

  • Never reveal their passwords to others
  • Use different passwords for different accounts
  • Try to use passwords longer than 16 characters
  • Make passwords complex (multiple character sets, numbers, symbols)

Here’s a visualization of (roughly) how long it would take a skilled hacker to “brute-force” passwords of different complexities:

The time it takes hackers to bypass passwords increases exponentially the more complex the password is.

One of the best tools in your small business’s cybersecurity arsenal is the use of a password manager. These programs store complex, computer-generated passwords for all separate business accounts in a virtual “vault” and can be used company-wide. Check out 1Password or Bitwarden for paid and free password management options, respectively.

Implement technology that makes cybersecurity easier to manage

The final step in defending your small business against cyber threats is to use the right technology stack and strategy. When cybercriminals are faced with resistance, they’ll typically move on to an easier target, so a little can go a long way when it comes to cybersecurity software.

Let antivirus software find and remove malware threats

This is fundamental. Modern antivirus software is designed to do the heavy lifting in detecting and removing cyber threats. Antivirus software isn’t just single-use protection; it’s “a package of evolving defense mechanisms designed to protect your computer against the constant barrage of known, unknown, and ever-shifting malicious threats devised by hackers, trolls, and cybercriminals,” according to Stewart Wolpin with U.S. News.

Antivirus software is capable of scanning thousands of files in seconds, then removing any threats it finds. Because antivirus developers and hackers are constantly trying to one-up each other, though, you shouldn’t expect it to protect against every new threat; it’s best used in coordination with proper training and a security-first culture.

To best protect your small business, use antivirus software from a well-known brand that’s optimized for businesses. Also, look for advanced security features—VPN, password management and file backup, to name a few—and regular updates to address evolving cyber threats.

Use firewalls to control network traffic

Firewalls monitor traffic in and out of a private network and decide to either allow it or block it based on pre-defined security rules. Obtaining access to a private network is exactly how most cyberattacks take place, so the value of a firewall is self-evident.

Firewalls aren’t only for blocking unwanted access from outside a network; they can also control internal traffic. An article by Forcepoint used a house as an excellent analogy for how firewalls protect private networks:

“Think of IP addresses as houses, and port numbers as rooms within the house. Only trusted people (source addresses) are allowed to enter the house ([IP] address)—then it’s further filtered so that people within the house are only allowed to access certain rooms (destination ports) ... The owner is allowed into any room (any port), while children and guests are allowed into a certain set of rooms (specific ports).”
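To make the house analogy concrete, and to tie it back to the advice above about keeping IoT gadgets on a separate network from business systems, here is an added Python simulation of a first-match, default-deny packet filter (example code written for this article, not Forcepoint’s or any firewall product’s own logic). The network segments, hosts, ports and rule set are all hypothetical, constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Hypothetical segmented network for a small shop (constructed for this example).
OFFICE = ip_network("10.0.10.0/24")      # staff workstations
ADMIN = ip_network("10.0.10.5/32")       # the owner's machine (the "owner" in the analogy)
SERVERS = ip_network("10.0.20.0/24")     # file server, back-office systems
WEBSHOP = ip_network("10.0.20.80/32")    # public online-ordering site
IOT = ip_network("10.0.30.0/24")         # thermostat, cameras, a smart fish-tank controller
ANY = ip_network("0.0.0.0/0")

# (source "people", destination "house", destination "room" or None for any room, action).
# Rules are evaluated top to bottom and the first match decides, so order matters.
RULES = [
    (ADMIN, SERVERS, None, "allow"),     # the owner may enter any room of any server
    (OFFICE, SERVERS, 445, "allow"),     # staff: the file-share room...
    (OFFICE, SERVERS, 443, "allow"),     # ...and the internal web apps, nothing else
    (OFFICE, ANY, 443, "allow"),         # staff may browse the internet over HTTPS
    (IOT, OFFICE, None, "deny"),         # IoT gear never talks to staff machines or servers,
    (IOT, SERVERS, None, "deny"),        #   so a compromised gadget stays on its own segment
    (IOT, ANY, 443, "allow"),            # ...but may still reach its vendor's cloud service
    (ANY, WEBSHOP, 443, "allow"),        # customers (guests) get exactly one room of one host
]

def decide(src, dst, dport):
    """First-match evaluation of RULES; anything unmatched is dropped (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, port, action in RULES:
        if s in src_net and d in dst_net and port in (None, dport):
            return action
    return "deny"

def open_rooms(src, dst, ports=(22, 80, 443, 445, 3389)):
    """The ports ("rooms") of dst that src is allowed to reach under RULES."""
    return tuple(p for p in ports if decide(src, dst, p) == "allow")

if __name__ == "__main__":
    # The fish-tank scenario from this article: an IoT device trying to reach the back office.
    print("fish tank -> file server:", open_rooms("10.0.30.7", "10.0.20.10"))  # ()
    print("staff PC  -> file server:", open_rooms("10.0.10.22", "10.0.20.10"))  # (443, 445)
    print("owner PC  -> file server:", open_rooms("10.0.10.5", "10.0.20.10"))   # all five ports
    print("customer  -> web shop:", open_rooms("198.51.100.4", "10.0.20.80"))   # (443,)
```

Swapping the order of the IoT deny rules and the `(IOT, ANY, 443, "allow")` rule would silently let the fish tank reach the servers on port 443, which is why a written, reviewed rule set matters as much as having a firewall at all.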

Use a combination of people and technology to best protect against evolving cyber threats

There’s a lot for small business owners to learn, sure, but rest assured that educating yourself and your team and using the right tools goes a long way toward eliminating threats before they become dangerous. If you’re implementing a cybersecurity strategy for the first time, also keep in mind that it’s an ongoing process. Cybercriminals are always looking for new ways to cause trouble, so business owners have to remain vigilant.

While monitoring and protecting your business’s network and computers using antivirus and firewall technology are great foundations for a full-scale cybersecurity strategy, remember that continuous learning and training in tandem with software are key to creating the best defense. Stay safe!