Cybersecurity for Small Businesses: How to Protect Yourself


Executive Summary

Cyberattacks are a threat, but you’re not powerless. As a small business owner, you can do a comprehensive risk assessment of your brand and take the steps necessary to close any vulnerabilities. Let these safety measures serve as a starting point for a cybersecurity plan.

Disclaimer: Our first priority is giving you the best financial advice for your business. Tillful may receive compensation from our partners, but that doesn’t affect our editors’ opinions or recommendations in the content on our website.

Don’t equate “small” with “safe.” In fact, preventative cybersecurity plays a key role in the success of a small business, which, unlike larger businesses, can’t afford hacker negotiation services and other pricey damage control.

That’s not to scare you, but you should understand how important cybersecurity measures are. That’s why we’re chiming in with the types of cyberattacks that could target your business, a cybersecurity must-have checklist, and why employee education is everything.

But first, small business owners are at greater risk of cyberattacks—why?

On average, an employee at a small business of fewer than 100 employees receives 350% more social engineering attacks than an employee at a larger enterprise, according to a study from cybersecurity firm Barracuda.

“Social engineering” is a type of phishing that targets human error to bypass security measures and access sensitive data. The most common types of attacks happen over either phone or email.

Large companies still fall victim to social engineering attacks (just look at Uber, where a teen hacker targeted an employee through the company’s Slack channel) and other types of cyber attacks. However, cybercriminals of all kinds often target small businesses because they expect them to be more vulnerable—and less likely to catch them—than the big guns.

Did you know? Barracuda reports that 60% of small businesses close their doors six months after a security breach. By preventing attacks, you’re protecting your business for the long haul.

Types of cyberattacks that could target your business

  • Phishing is when scammers send fraudulent emails posing as a company, group, or individual to get sensitive personal and financial information. Cisco’s latest Cybersecurity Threat Trends report says phishing scams account for 90% of attacks.
  • Ransomware attacks infect a computer or software system, blocking access to it until the victim pays a ransom. In 2023, ransomware damages are expected to surpass $30 billion worldwide.
  • Malware, aka malicious software, disrupts, damages, or otherwise gains unapproved access to a computer system and its data. New forms of malware are always evolving, so it’s important to keep your security software active.
  • Spyware is a type of cyberattack that allows a hacker to monitor victims’ computer activity. Data transmits via the computer system’s hard drive.
  • Data breaches may overlap with other types of cyberattacks. In general, a data breach refers to stolen information. Data breaches can be digital or physical, but the modern era makes digital data breaches more common.

Did you know? Around 2014, hackers stole the data of 500 million Yahoo! users, marking it as the largest data breach in history.

Checklist: Small business cybersecurity must-haves (& why they’re important)


Antivirus software

Antivirus software on all company devices is a good starting point when used in conjunction with other cybersecurity resources.

Remember: Update your antivirus software. Take a lesson from the IRS, which ran outdated antivirus software for a year, leaving a lapse in protection. A report from pushed the IRS to strengthen its protections for the Taxpayer Digital Communications (TDC) platform, which is teeming with Americans’ most sensitive data.

Examples: Norton, Avast, McAfee

Multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication protects any sensitive data you may have. Jeff Neal, founder of The Critter Depot, says it’s an added layer of security for online accounts and protects you from malicious actors who discover your username and password.

Neal adds, “Some institutions use SMS or email for their 2FA, but these are not good options, because phones can be SIM swapped or email accounts can easily be breached. The most secure 2FA is through Google's Authenticator app.”

Examples: Duo, Authy, Google Authenticator

Data encryption

Data encryption makes your information unreadable even if stolen. It comes in many forms, but some common types include full-disk encryption and Transport Layer Security (TLS).

As the name suggests, full-disk encryption works by encrypting an entire disk or drive.

TLS encrypts data being sent from one place to another (you see it in applications like HTTPS web pages, for example).

Examples: AxCrypt, NordLocker, FolderLock

Firewalls

A firewall is software that can protect you from malicious cyberattacks. It blocks incoming unauthorized connections by monitoring outgoing traffic for signs of malicious activity.

Sebastian Schaeffer, chief tech officer of dofollow, says, “If you have a broadband internet connection, you likely already have a hardware firewall in the form of a router. However, it's important to make sure this router is properly configured and that you have up-to-date firmware. You should also consider using a software firewall, especially if you have a complex network or use remote access.”

Examples: Bitdefender, Avast, Norton

Strong passwords

Password reuse can create vulnerabilities in your business. Whether it’s a Slack login or a credit card password, consider them all equal and use a different one for each account. Protect them in a secure password manager.

Paid platforms LastPass and 1Password are top competitors in the password management market, but there are free options as well. Google Password Manager is generally safe, but businesses may outgrow it.

Examples: LastPass, 1Password, NordPass

Virtual private network (VPN)

VPNs help you guard against hackers on public networks, or even on private networks that hackers manage to get into.

It’s worth noting that VPNs do not make you or your computer invincible. In fact, 57% of cyberattacks occurred while using a VPN. However, it’s an important tool in your toolkit and can serve as an added safeguard for sensitive information.

Examples: ExpressVPN, NordVPN, Surfshark

Private wifi network

Public wifi networks are not secure. Use a private wifi network whenever you can. This goes for all laptops, tablets, smartphones, and other wifi-connected devices. Consider changing your wireless network encryption settings to WPA3.

If you have to use a public network at some point, make sure you verify its legitimacy, use a VPN, and avoid completing tasks involving sensitive data while on the network.

Have you educated your employees on cybersecurity best practices?

Sam Shepler, CEO of Testimonial Hero, says educating your employees about cybersecurity is key. This is especially true given the prevalence of social engineering tactics in the cybersecurity space.

Shepler says, “Make sure your employees know never to open attachments or click links from unknown senders, and remind them to be extra vigilant about phishing emails that may masquerade as being from a trusted source. You should also have strict policies in place regarding the handling of sensitive data, and make sure your employees are aware of these policies.”

When you train employees on cybersecurity strategy, you empower them to protect themselves and the company at large.

Learn more about protecting yourself from cybersecurity risks

Head to the Global Cybersecurity Alliance (GCA) and National Cybersecurity Alliance (NCA) websites for a small business cybersecurity toolkit. SCORE also hosts a cybersecurity training webinar that you and your employees can take part in. All of these resources are recommended by the Federal Communications Commission (FCC).

Last word on small business cybersecurity

Cyberattacks are a threat, but you’re not powerless. As a small business owner, you can do a comprehensive risk assessment of your brand and take the steps necessary to close any vulnerabilities.

Let these safety measures serve as a starting point for a cybersecurity plan. You can even consider enlisting the help of a verified consultant with direct industry expertise if you want. However, with so many legitimate resources at your disposal, you can start to tackle cybercrime now and build the many pieces of your small business security system.

About the author

Written by Rachel Curry

Rachel Curry is a freelance finance and investing writer living in Pennsylvania. She wants to act as a bridge connecting the world to the information they need to feel better, be better, and make this planet a better place to live.
