Why do SMBs need a cybersecurity plan?
In a world where cybercrime never sleeps, organizations need an “always on” cybersecurity plan. And for small-to-medium businesses (SMBs), the need is even greater because cybercriminals have significantly increased their focus on smaller organizations in recent years. Between 2021 and 2022, there was nearly a 200% increase in incidents targeting organizations with fewer than 1,000 employees.
The good news for SMBs is that establishing a strong security posture is within reach. Our cybersecurity checklist will help you uncover any risk areas and identify opportunities for improving the security of your operations.
Most Common Cyber Threats to SMBs
Before diving into the checklist, it’s important to understand what you’re trying to keep at bay in the first place. The cyber threat landscape is vast, so it’s probably not a surprise to hear that SMBs need to safeguard against the same attacks and many attack “flavors” that also threaten larger organizations. For SMBs in particular, some of the most common cybersecurity threats of 2022 include:
- Security misconfigurations and unpatched systems
- Credential stuffing
- Social engineering
Yet, unlike their larger counterparts, when an SMB gets hit by ransomware, malware or a data breach, for example, it can have a much greater (and far more damaging) impact on the business. Notably, the average cost of a data breach for small businesses is $2.98 million.
Now, on to your cybersecurity checklist.
Small Business Cybersecurity Checklist
- Understand Your Environment
- Train Employees
- Implement Security Defenses
- Maintain Good IT Security Hygiene
- Prepare a Response Plan
Understand Your Environment
The end game for cybercriminals is to gain access to your high-value data. It goes for a pretty penny in dark web marketplaces, so it’s important to take stock of your environment to understand the various devices and systems you have in place and where your valuable data resides.
Expect a breach
When you know your environment well and prepare for a breach, it will give you a much better “leg up” to react quickly if a successful attack occurs. In this case, the old adage holds true: hope for the best, plan for the worst.
An important factor for your planning: your speed to respond. This is essential because attack velocity (i.e., the speed of the attack) is increasing while the time it takes the attacker to steal the desired data is decreasing. For example, it takes an independent cybercriminal only 9.5 hours to obtain illicit access to a target’s network.
Evaluate your device, facility and network landscape
Data breaches can arise from cybercriminals taking advantage of unaware employees or using charm to manipulate a person’s courteous nature to gain access to facilities. Train your employees to lock and physically secure their sensitive documents and computer files. Likewise, encourage good safety practices for your corporate devices and laptops; these can be easily stolen if they’re left unattended. Desktops and servers located in open, public areas or in offices that are unattended and unlocked can also be easily taken.
Identify your IT security resources
Keeping an organization’s infrastructure up and running securely requires a good deal of time and expertise. It’s important to assess your current resources to determine whether you have any gaps in knowledge or manpower. If you’re feeling stretched thin, you’re not alone. Two-thirds (67%) of companies report that a skills shortage is creating additional cyber risk for the organization.
If cybersecurity is on your never-ending “to do” list that you can’t get to, it’s probably a good sign that it’s time to get more help, whether that’s to hire additional in-house staff or outsource your IT security resources to a managed service provider.
Train Employees
Employees are a company’s best asset but, often, the weakest link in protecting against cyber threats. The human element (e.g., falling for phishing, clicking on a link or simple human error) continues to drive security incidents, contributing to 82% of breaches in 2022. Here are some best practices to put in place to support your employees.
Provide security awareness training
Your employee base can be your greatest ally and resource in protecting your company from cyber threats. That’s why 36% of organizations are planning to provide more security training as part of their talent and technology investments.
Closing your employees’ knowledge gap by providing training on security best practices will mitigate this risk and empower your users to become an active part of your organization’s security defense.
Create and enforce strong passwords
It’s vitally important to use strong passwords for your organization’s router or firewall devices. The last thing you want is for a hacker to gain access to your entire network and all of the files and data within it. Using and enforcing strong password practices with your users is also essential to prevent unauthorized access to your software-as-a-service (SaaS) applications, laptops and devices.
Your policy should require lengthy and complex passwords that use a variety of characters. Left to their own devices, 66% of people reuse the same password across multiple accounts, so require that your employees use unique passwords that aren’t recycled. One way to boost the effectiveness of your password program is to update them every 90 days.
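The password requirements above (length, a variety of characters, no recycled passwords) can be enforced at the point where a user sets a password. The following is an added example, not code from the original page or from any product it mentions. The minimum length of 12 characters, the "three of four character classes" rule and the small denylist are assumed policy values chosen for illustration; previous passwords are kept only as salted PBKDF2 hashes so that reuse can be detected without storing the old passwords themselves.

```python
import hashlib
import hmac
import os
import string

# Assumed policy values: the page asks for "lengthy and complex"; pick concrete numbers.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3   # of: lowercase, uppercase, digit, symbol
PBKDF2_ITERATIONS = 200_000

# Constructed, illustrative denylist. A real deployment would check against a
# breached-password corpus instead of a handful of literals.
COMMON_PASSWORDS = {"password", "123456", "welcome1", "letmein", "qwerty123"}


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_previous(password, history):
    """True if the candidate equals any earlier password, comparing salted hashes in constant time."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def count_character_classes(password):
    """How many of the four character classes the password draws from."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(password, history=()):
    """Return a list of policy violations; an empty list means the password is acceptable.

    `history` is an iterable of (salt, digest) pairs produced by hash_password()
    for the user's previous passwords.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if count_character_classes(password) < MIN_CHARACTER_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CHARACTER_CLASSES)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if matches_previous(password, history):
        problems.append("reused a previous password")
    return problems


if __name__ == "__main__":
    # Constructed demonstration: one prior password in the user's history.
    old_salt, old_digest = hash_password("Winter2023!Secure")
    user_history = [(old_salt, old_digest)]
    for candidate in ("password", "Winter2023!Secure", "Tr0ub4dor&3xample!"):
        print(candidate, "->", check_password(candidate, user_history) or "OK")
```

The history check re-derives the hash with each stored salt rather than storing old passwords in clear, and `hmac.compare_digest` keeps the comparison constant-time; both details matter if this check sits on an authentication path.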
Create, enforce and continuously update a personnel security policy
If there’s one thing that’s consistent in any organization, it’s change — with employees coming, going and moving into new roles within the company. Putting a security policy in place will help align your ever-changing personnel on the expected rules and behavior to follow for meeting minimum IT security and data protection requirements.
Implement Security Defenses
Security technologies will give you a great defense to safeguard against the many attack vectors bad actors use. While the right tools can become highly customized depending on your specific environment, there are some universal items to include on your checklist:
Install multifactor authentication
Multi-factor authentication (MFA) is a powerful way to enhance your organization’s security by requiring your users to identify themselves with more than a username and password. Usernames and passwords (and good password practices) are important, but on their own they are not a failsafe against suspicious login activity. That’s why 46% of SMBs (and growing) have adopted MFA.
When you adopt MFA, your users will be asked to provide another “factor” in addition to their passwords, like a PIN or a mobile push notification on their smartphone, which significantly increases the assurance that the person attempting to log in is really who they say they are. According to Microsoft, MFA can prevent 99.9% of attacks on your accounts.
Determine how many layers of security to implement
Layered security is the concept of using multiple security components (or layers) to protect your organization’s infrastructure. The purpose of this best practice approach is to ensure that each individual security component has a backup if it doesn’t detect a threat. For example, if a phishing email gets past an email security technology and a user clicks on a malicious URL within the email, your endpoint security product would provide another security layer to stop the threat and protect your organization.
Every layer of additional protection matters. Depending on your environment setup, most organizations’ layered defenses should include a firewall, patch management, endpoint protection, web and email content filtering, and multi-factor authentication. Determine which of these is missing from your layered security strategy and plan to adopt the appropriate ones that support your IT environment.
Implement employee access limitations to data and software installations
As a best practice, you should limit who has access to your organization’s high-value data. Putting an access control policy in place will help you establish guidelines that outline who can access data and resources for your business. You’ll also want to limit access to software installations; for example, only certain users should have access to applications like your customer relationship management (CRM) software that includes your customer contact details.
Implementing role-based access control (RBAC) will help you enforce data and software access to only your authorized users. In short, RBAC lets you give employees access to only the data, tasks and applications that are necessary for their job function and role.
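The access-control policy and RBAC described above can be expressed in a few dozen lines. This is an added example and not code from the original page or any CRM product; the roles, users and resource names are constructed for illustration. Two properties worth noticing are that access is denied by default (a user with no matching role gets nothing) and that removing a role immediately removes everything it granted, which is what makes the policy easy to keep current as people join, move and leave.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    resource: str   # e.g. "crm.contacts" or "software.install"
    action: str     # e.g. "read", "write", "install"


class Rbac:
    """Minimal role-based access control: users -> roles -> permissions, deny by default."""

    def __init__(self):
        self.role_permissions = {}   # role name -> set of Permission
        self.user_roles = {}         # user name -> set of role names

    def grant(self, role, resource, action):
        """Attach a permission to a role."""
        self.role_permissions.setdefault(role, set()).add(Permission(resource, action))

    def assign(self, user, role):
        """Give a user a role (the role must already exist, to catch typos in policy)."""
        if role not in self.role_permissions:
            raise KeyError("unknown role: %s" % role)
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        """Remove a role from a user, e.g. when they change jobs or leave."""
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user):
        """Union of the permissions of all roles the user holds."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def is_allowed(self, user, resource, action):
        """Deny by default: only an explicit role grant allows the action."""
        return Permission(resource, action) in self.permissions_of(user)

    def who_can(self, resource, action):
        """Audit helper: which users can perform the action on the resource."""
        return {u for u in self.user_roles if self.is_allowed(u, resource, action)}


def build_demo_policy():
    """Constructed sample policy for a small company (illustrative, not a recommendation)."""
    rbac = Rbac()
    rbac.grant("staff", "email", "read")
    rbac.grant("sales", "crm.contacts", "read")
    rbac.grant("sales", "crm.contacts", "write")
    rbac.grant("it-admin", "software.install", "install")
    rbac.assign("alice", "staff")
    rbac.assign("alice", "sales")
    rbac.assign("bob", "staff")
    rbac.assign("carol", "staff")
    rbac.assign("carol", "it-admin")
    return rbac


if __name__ == "__main__":
    policy = build_demo_policy()
    print("bob may read CRM contacts:", policy.is_allowed("bob", "crm.contacts", "read"))
    print("who can install software:", sorted(policy.who_can("software.install", "install")))
```

The `who_can` helper is the piece most often missing from home-grown access control: being able to list, for a given resource, exactly who has access is what lets you review the policy periodically instead of trusting that it is still right.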
Install antivirus software across all devices
Protecting your desktops, laptops and users’ mobile devices (collectively known as your endpoints) from malware, ransomware and other threats has always been an important security practice. With today’s large remote and hybrid workforce, adopting antivirus software, often referred to as endpoint protection, is now more critical than ever. That’s because your endpoints can serve as doorways for cybercriminals to gain access to a company’s network.
Maintain Good IT Security Hygiene
Continuously back up data
In the event of a successful cyberattack, backups often serve as an organization’s “get out of jail free” card — meaning, the damage can be undone by restoring the impacted machine or systems to the latest backup.
Having regular and reliable data backups is an important IT practice for SMBs to adopt. It can prevent long-term damage from lost data due to a security incident, an accidental deletion or a natural disaster. Data backups ensure you have a complete copy of your systems ready to restore, no matter why the data loss occurred.
Update software and patch systems
SMBs must be ready to act quickly during the small window between the discovery of a new flaw in software, hardware or firmware and the release of an exploit that leverages it. Why? Because 60% of breach victims said they were breached through a known vulnerability for which a patch was available but had not been applied.
Patch management is the cornerstone for your vulnerability management plan. Ensure you have a strong patch management process that’s always on and connected to provide the visibility you need into which patches are high priority and require immediate deployment to your impacted systems.
Prepare a Response Plan
In the event of a successful attack, having a plan in place will help you act quickly and efficiently to involve the right people, take the necessary actions and mitigate the damage.
Establish an incident response plan leveraging the NIST framework
When it comes to incident response and having a foundation on which to build your plan, the National Institute of Standards and Technology (NIST) provides a solid framework for SMBs to follow. It contains four phases of the incident response lifecycle:
- Step #1: Preparation
- Step #2: Detection and Analysis
- Step #3: Containment, Eradication and Recovery
- Step #4: Post-Incident Activity
In terms of executing on your plan, speed is of great importance for detecting and containing a successful attack. That’s because once an attack is isolated (perhaps by disconnecting an impacted machine from the network) you’ll create some helpful breathing room to coordinate and deliver on the rest of your response.
Does your business check all of the boxes? Speak with a cybersecurity expert today to learn more.