Small Business Cybersecurity Guide

A Guide to Computer Security for Small Businesses

According to one report, 43% of cyberattacks are aimed at small businesses, and only 14% of small businesses are well-prepared for such attacks. This lack of preparation may be due to sparser security resources, compared to larger companies. However, considering the potential for loss of revenue, sensitive information, and reputation, it is prudent for a company of any size to invest appropriately in cybersecurity measures. Smaller companies may in fact be at greater risk of long-term, devastating consequences to their business, due to their smaller resource pool.

The Changing Landscape of Cyberthreats

American working culture is going through many significant shifts that are, in turn, having an impact on cyberattack strategies. Prime among these shifts are the rise of remote work, the gig economy, and increasingly common ‘bring-your-own-device’ policies. Furthermore, the COVID-19 crisis has sped up many of these changes in the American workforce, due to the need to maintain social distance and/or supplement income.

Common Types of Cyberattacks

Cyberattacks can come in all shapes and sizes, but some types of cyberattacks are more common than others. These may include:

  • Ransomware

    This is a type of malware that is utilized for the sake of holding a user’s personal information or digital access hostage.

  • Phishing

    This is a cyberattack that involves using a fake and/or authoritative identity to steal sensitive information.

  • Advanced Persistent Threats

    This kind of cyberattack involves long-term, undetected, malicious intrusion on a device. This term often applies to attacks from government entities.

  • Distributed Denial-of-Service

    This type of attack uses a botnet to intentionally overload a server and prevent access to other users.

  • Man in the Middle Attacks

    This sort of attack intercepts information in transit without the knowledge of users.

  • SQL Injection Attacks

    This kind of attack utilizes malicious code inserted into an entry field of a target database.

  • Zero-Day Exploit

    This is a cyberattack that takes advantage of a cybersecurity flaw that has not been identified “in the wild,” or that has been recently identified but not yet patched.

How to Assess Risks

Before you choose and/or implement a cybersecurity solution for your small business, you should first do a risk assessment. Thereafter, cybersecurity risk assessments should be repeated on a regular basis to update measures and account for new risks. A general risk assessment usually includes the following steps:

  • Take stock of your resources: Consider your finances, personnel, hardware, and software. Determine how these resources can be allocated to cybersecurity and/or whether you need to expand your resource pool to securely manage them.

  • Consider the trajectory of your business: Think about how your cybersecurity needs may change based on business growth or other developments.

  • Anticipate common threats: Research and understand the most prevalent cybersecurity threats to businesses.

  • Identify your high-value resources: Determine what sensitive information your business manages, who has access to it, and how it is accessed and discussed.

  • Develop a thorough system of cybersecurity protocols: Research cybersecurity best practices and apply them to the findings from your assessment. Use this to create specific cybersecurity protocols.

  • Review and update: Constantly reassess threats, best practices, and your own cybersecurity protocols. Regularly review your cybersecurity measures and consider where there may be room for improvement.

Risk Assessment Tools and Resources

There are many tools and resources available to help you assess cybersecurity risks to your small business, including:

General Risk Prevention Best Practices

Cybersecurity risk prevention best practices include:

  • Staying informed about cybersecurity risks: Small business owners should regularly research new cybersecurity risks, as the cybercrime landscape is constantly evolving.

  • Determining your legal obligations: It is important to ensure that you cover all of your legal bases first and foremost. Your legal obligations may vary depending on factors such as your location and industry.

  • Adopting digital transformation as appropriate: Many analog and legacy systems can be digitally updated to fit within the new security infrastructure.

  • Updating systems regularly: Security updates must be done on a regular basis to ensure that security systems are running optimally.

  • Securely backing up information: Find a secure way to store information, such as a cloud server.

  • Managing digital infrastructure: Establishing a well-organized and secure infrastructure will facilitate data management.

  • Properly training employees: Many data breaches are caused by employee error. Ensure that employees fully understand cybersecurity protocols.

  • Restructuring as appropriate: Buy-in from all levels of the company is vital for proper cybersecurity management.

  • Maintaining transparency: Everyone within the company should understand why cybersecurity is important and why diligence is required to ensure there are no lapses in compliance.

  • Consulting an expert: Because cybersecurity is so important and complex, it often is very helpful to seek the experience of a cybersecurity expert.

  • Integrating security applications: Security applications can help you manage cybersecurity software in a simple and intuitive way.

  • Enforcing security protocols: Once established, it is important that security protocols are consistently enforced.

Data Breach Response

In the event that a data breach has occurred, the following basic steps should be taken:

  • Secure your access points: Until the breach vector is identified, access to sensitive information should be limited.

  • Identify the source of the breach: A major priority throughout the follow-up process will of course be to identify how the cyberattack breached security. The source may be quickly identified, or it may take further investigation using additional steps in the data breach response.

  • Reach out to law enforcement: Law enforcement can help your business investigate the breach. It is also a matter of due diligence to notify the authorities about a breach if it involves sensitive information.

  • Reach out to affected individuals: Whether information compromised by the breach impacts customers, employees, or government entities, it is a matter of due diligence to notify the affected individuals or entities.

  • Consult professionals: Cybersecurity professionals can help you investigate the breach and assist you in updating your security protocols to prevent future breaches.

  • Interview personnel: Employees may be able to help you identify the source of the breach or may have additional, relevant information.

  • Review and update: Conduct a thorough review of your cybersecurity protocols and update them accordingly.

Cybersecurity Resources for Remote Employees

  • Society for Human Resource Management:

    This is a general guide to cybersecurity for the remote workplace.

  • MIT Sloan Management Review:

    This guide explains why remote workers are at high risk of cyberattack, how to assess risks for a remote workplace, and how to develop a cybersecurity strategy for the remote workplace.


    This outlines cybersecurity best practices in the remote workplace, as identified by NSA and CISA experts.

Resources for Data Breach and Recovery

Training Resources

Government Cybersecurity Resources

You might also like...

Get in Touch

Let us help you
transform and grow

By submitting your information, you agree to our revised  Privacy Statement.

Let’s Talk


Status message

We're eager to assist you! Please leave a message and we'll get back to you shortly.

By submitting your information, you agree to our revised  Privacy Statement.