Business Loans

Small Business Cybersecurity: What You Need to Know

Editorial Note: The content of this article is based on the author’s opinions and recommendations alone. It may not have been previewed, commissioned or otherwise endorsed by any of our network partners.

You likely have locks on your business’s doors and windows, but you may not have similar security for your digital assets. Small business cybersecurity should be taken as seriously as protecting physical property.

For years, small business owners underestimated the risk, believing their size protected them from attackers seeking bigger prey. In the last year, major companies like Marriott and Under Armor joined Yahoo and Equifax in the ranks of businesses that were subjected to widespread security breaches. But cybersecurity giant Symantec found that in 2018, employees of small organizations were more likely to be hit by email threats than those in large organizations. Small and mid-sized retailers were more likely to be victims of “formjacking,” the use of malicious JavaScript code to steal credit card details and other information from payment forms on web pages. The Better Business Bureau polled 2,000 consumers and 1,100 businesses in 2017, finding that more than one out of five businesses were the target of a cyberattack, with about 36% of them losing money.

Small business owners will soon have a place to turn — the National Institute of Standards and Technology must publish cybersecurity guidelines for business owners on its website by August 2019, thanks to the NIST Small Business Cybersecurity Act.

In this article:

How does cybersecurity impact your small business?

Small business owners should no longer view cybersecurity as optional, said Vincent LaRocca, CEO of consulting firm Cyber Security Operations. Consumers and other businesses increasingly prefer to work with companies with cybersecurity and data protection in place.

“Businesses are losing business by not making that investment,” he said.

Failing to protect your business also makes you susceptible to cyber threats, LaRocca said. If you get hacked, you could lose intellectual capital, such as stolen research and product development. Stolen client information could severely damage your business as well, he said.

“The lawsuits that can come out of that can be tremendous,” LaRocca said.

To determine how much you should invest in cybersecurity measures, estimate the potential loss you could incur in a data breach as well as the risk of such a data breach. Then, identify the potential cybersecurity investments you could make and estimate how much those investments could reduce the risk of a data breach. Finally, compare the cost to the potential savings.

To make sure you don’t end up with a data breach on your hands, follow these cybersecurity tips to keep your business out of harm’s way.

Top 10 tips to secure your business

1. Perform a risk assessment.

Companies that provide cybersecurity services for small businesses can run tests to see where your business is most vulnerable, LaRocca said. Hiring an outside firm to perform a risk assessment can help you focus your security efforts and pinpoint areas that need added protection.

2. Install protective software.

At a minimum, you should protect your business data from ransomware and malware, LaRocca said. Keeping your security software up to date, as well as regularly updating your web browser and operating system, would be the best defense against malware and viruses that could destroy your information.

Additional precautions, like email authentication and intrusion protection software, could strengthen your defense against ransomware. If you suffer a ransomware attack, your data would be held hostage until you pay the ransom. But even if you hand over the ransom, there’s no guarantee you’ll receive your files from hackers, LaRocca said. And if your data is returned to you still encrypted, it may take days or weeks to decrypt the files, he said.


Looking for funding for your small business? Learn more about business loans here.

3. Set up firewall protection.

A firewall stops outsiders from gaining access to your private network. If your operating system doesn’t come with firewall protection, you can download firewall software online. To go a step further, you could make sure all employees have firewalls in place at home to keep data protected when they work remotely.

4. Buy cyber insurance.

Cyber insurance can help you recoup losses from a cyberattack. Such an insurance policy should provide coverage for data breaches involving theft of personal information and cyberattacks on your data. You should also consider whether your cyber insurance provider will defend you in a cyber-related lawsuit or investigation.

A cyber insurance policy would typically include first-party or third-party coverage. First-party coverage protects your internal data, including employee and customer information, while third-party coverage protects you from liability if a third party brings a claim against you.

5. Provide awareness training for employees.

Many cybersecurity incidents are the result of employee error, LaRocca said. Business owners should implement annual cybersecurity training as well as a response plan that employees can follow if they see something out of the ordinary like a suspicious email, he said.

You may also want to limit employee access to data systems and information. They should only have access to the systems they need to perform their duties. Also, employees should not be able to install software without permission.

Though the vast majority of cyberattacks are perpetrated by outsiders, about a quarter of breaches last year could be traced to insiders, according to Verizon’s 2018 Data Breach Investigations Report.

6. Keep passwords strong and fresh.

Encourage employees to come up with creative passwords and require them to change passwords every three months. Multifactor authentication would add more security, as employees would be required to provide information beyond a password to gain entry into systems or files.

7. Back up your information.

All crucial business documents and information, including electronic spreadsheets, databases, financial files, human resources files and accounts receivable files should be backed up. Ideally, you should aim to back up your files automatically or on a weekly basis. Copies of your information should be stored offsite. We’ll talk more about cloud storage in a minute.

8. Regulate physical access to computers.

You can prevent unauthorized people from having access to business computers or other technology. Because laptops can be easy to steal, you may want to lock them up when no one is around.

Keep track of which devices store sensitive information and who has access to those devices. Paper documents and files should be similarly secure. Be sure to lock any file cabinets or rooms containing valuable data.

9. Secure your Wi-Fi network.

The Wi-Fi network in your workplace requires its own security precautions. Make sure the network is secure and hidden from outsiders. You can set up your wireless router so it does not broadcast the network name, which is also known as the Service Set Identifier (SSID). You should also password-protect access to the router.

10. Make sure information is safe with vendors.

Your business vendors may have access to sensitive information, so be sure they are securing their own networks and computers. If not, your business could be at risk. In vendor contracts, include security provisions and establish a process for confirming that they are following your rules.

Don’t put your cyber safety at risk

In addition to putting best practices in place, be sure to avoid cybersecurity mistakes that could increase risk for your business.

Regularly check your backup processes.

After a cyberattack, LaRocca often sees business owners trying to restore their files only to find their backup system hasn’t been working. They’re unable to recover the files that were damaged or stolen during the breach. You should regularly make sure that your data is actually being backed up and stored in the right place, LaRocca said.

Be wary of unsecured wireless networks.

You shouldn’t log in to private accounts to view sensitive data while using an unsecured wireless network, LaRocca said. Wi-Fi networks in public areas should not be used to access private information, such as a bank account, he said. If a website is unsecure and doesn’t have “https” preceding the web address, you should avoid it as well.

Don’t trust cloud security on its own.

Many business owners store data on the cloud with the assumption that it is impervious to harm. However, the cloud is susceptible to data breaches and attacks, LaRocca said. Even if you use cloud storage from a major company like Microsoft or Amazon, you shouldn’t trust that your information is completely secure. Store your data in a safe secondary location in addition to the cloud for added security.

“The cloud is just another storage platform,” he said. “The security responsibility is still upon the owner of that data.”


Compare Business Loan Offers