Cybersecurity Tips for Small Businesses

Cybercriminals target small businesses that have valuable information about their customers, employees and finances. Small businesses can protect their networks and data by taking various steps to build up their cybersecurity defenses.

1. Assess risk.

Conducting a risk assessment is the first step for small businesses to identify potential cybersecurity vulnerabilities and improvements. Small business without their own IT staff can use risk assessment resources from the U.S. Department of Homeland Security, including a cyber resilience review and cyber hygiene vulnerability scanning.

2. Educate and train all staff in security principles and practices.

Create a culture of security by educating all employees in basic security practices and policies, such as requiring strong passwords. Give regular security training, and update employees about new risks and vulnerabilities. Establish appropriate Internet use guidelines and rules of behavior on how to handle and protect customer information and other vital data.

All organization members play vital roles in cybersecurity. Small business owners need to know and practice cybersecurity basics to reduce the risk of cyberattacks. IT specialists are in the best to position to promote cybersecurity within their business. Managers are responsible for making sure that staff members follow best practices.

3. Defend your devices.

Keep devices clean of viruses and malware. Having the latest security software, browser, apps and operating system is the best defense. Set updates to happen automatically, and run an antivirus scan after each update. Encrypt devices and other media that contain sensitive personal information. This includes laptops, tablets, smartphones, removable drives, backup tapes and cloud storage solutions.

4. Provide firewall security for your Internet connection.

A firewall is a set of related programs that prevents outsiders from accessing data on a private network. Make sure that the operating system's firewall is enabled, or install free firewall software available online. If employees work from home, ensure that their home systems are protected by a firewall.

5. Create a mobile device action plan.

Mobile devices can create significant security and management challenges, especially if they hold confidential information and can access the corporate network. Require users to password-protect their devices, encrypt their data and install security apps to prevent criminals from stealing information while phones are on public networks. Set reporting procedures for lost and stolen equipment.

6. Make backup copies of important business data and information.

Regularly back up the data on all computers offline, on an external hard drive or in the cloud. Back up data automatically if possible or at least weekly, and store paper files securely. Critical data includes word processing documents, electronic spreadsheets, databases and financial, human resources and accounts receivable/payable files.

7. Control physical access to your computers.

Prevent access to company devices by people who shouldn't be using them. Laptops, tablets and smartphones can be lost and stolen easily, so lock them whenever they're not in use – especially in public places. Limit the number of unsuccessful log-in attempts to thwart password-guessing attacks.

8. Secure Wi-Fi.

Make the workplace Wi-Fi network secure, encrypted and hidden. When setting up the router, change the default name and password, and turn off remote management. Set the router to not broadcast the network name, or the service set identifier (SSID). Create a password, and turn on WPA2 or WPA3 encryption. Encryption keeps outsiders from reading information sent over the network.

9. Employ best practices on payment cards.

Work with banks and payment processors that use the most trusted and validated tools and anti-fraud services. Meet any additional security obligations agreed upon with banks and processors. Isolate payment systems from less secure programs, and don't use the same computer to process payments and surf the Internet.

10. Limit employees' access to data and permissions.

Do not give any employee access to all data systems. Create a separate account for each employee, and give administrative privileges only to trusted IT staff and key personnel. Employees should only have access to the data systems they need for their jobs, and they should not be able to install software without permission.

11. Make strong passwords and authentication measures.

Require strong passwords. They should be unique, have at least 12 characters and use a mix of number, symbols and upper- and lowercase letters. Don't reuse passwords, or share them by phone, text or email. Employees should change their passwords every three months.

Use multi-factor authentication to protect access to sensitive information. Multi-factor authentication requires log-in steps beyond entering a password. Users might provide a temporary code on a smartphone or insert a key into a computer. Check whether vendors, particularly financial institutions, use multi-factor authentication for customer accounts.

About this Page

This page is based on information from the U.S. Federal Communications Commission, Small Business Administration, National Institute of Standards and Technology and Cybersecurity Infrastructure and Security Agency.