10 Cyber Security Tips to Keep Your Small Business Safe

Summary: 10 Cyber Security Tips to Keep Your Small Business Safe

Cybercriminals use a handful of common techniques, including phishing, malware, ransomware, and viruses, against businesses of all sizes. Although usually only big-name data breaches make the news, more than 60 percent of small- and medium-sized businesses report at least one data breach each year.

Here are some cyber security tips you can implement to safeguard your company’s data.

  • Create a cyber security plan. Assess your vulnerabilities and write down a mitigation for each one.
  • Implement a clean desk policy. Require employees to properly safeguard confidential data.
  • Install a firewall. Filter the traffic entering and leaving your network according to rules you control, denying anything not explicitly allowed.
  • Use an antivirus program to identify and contain threats on computers, laptops, and tablets.
  • Cover mobile devices. Set security requirements for smartphones, smartwatches, and other Internet of Things (IoT) devices that connect to your company’s network.
  • Require strong password practices and use a password manager to generate and store complex, unique passwords for all employees.
  • Protect your Wi-Fi. Use WPA2 or WPA3 with a strong passphrase and change the router’s default administrator password; hiding the network name adds little on its own.
  • Back up your data. Automate daily backups, keep a copy off-site or offline, and test that you can restore from them.
  • Use multi-factor authentication. Require a second factor (an authenticator app or hardware key rather than SMS where possible) in addition to a user name and password.
  • Secure your payment channels by keeping software updated and using a dedicated computer for online payments.

Read our complete article for details on keeping your business cyber secure.

If you own a small- or medium-sized business (SMB), protecting your company from cyber attacks might seem like a low-priority item. Between managing employees, marketing your business, and keeping the sales pipeline full, adding cyber security to your plate may seem impossible, especially if you don’t have an IT team.

But keeping your business safe from cybercriminals must be a priority.

According to CyberSecurity Magazine, 43% of all data breaches involve small- and medium-sized businesses, and more than 60% of SMBs reported at least one data breach within the previous 12 months.

Read on to learn about the most common types of cyberattacks, how to assess your company’s vulnerabilities, and ten cyber security tips that will keep your business safe from a security breach.

What are the Most Common Types of Cyber Attacks?

Anytime there is something to steal or there’s easy money to be made, hackers are close by, ready to reap a payday from unsuspecting victims. While their methods continuously evolve, there are a few tried-and-true strategies hackers rely on time and again.

Phishing attacks

Cyber criminals commonly try to get malware onto a device through phishing scams: emails crafted to look as if they came from a legitimate person or organization. The email carries either a link or an attachment; opening the attachment, or clicking the link, downloads malicious code to the user’s device.

Other times, links from phishing attacks will take users to fake websites that mimic a real business, with the hope that the user will provide confidential information, like login credentials or bank or credit card data. Identity theft often begins with phishing attacks, so make sure employees (and especially officers!) are protected from this scam.
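Both patterns described above can be caught mechanically at a mail gateway or by a help desk. The following Python script is an added example for this article, not code from the original page: it parses an HTML email body, flags links whose visible text names a different site than the real target, flags hosts that bury a trusted brand name under someone else’s domain or use punycode, and flags attachments with executable extensions. The trusted-domain list, the sample message and the attachment names are constructed for illustration.

```python
"""Flag common phishing indicators in an email (added example, not from the
original article). The trusted-domain list, the sample message body and the
attachment names below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains this company legitimately links to.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# File types that execute code when opened; quarantine these at the gateway.
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                        ".hta", ".iso", ".lnk", ".docm", ".xlsm"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Host part of a URL, or of bare text such as 'www.example.com'."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Fine for .com-style names; a real
    tool would consult the Public Suffix List to handle e.g. .co.uk."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_email(html_body: str, attachments: list) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        full_host = host_of(href)
        target = registrable_domain(full_host)
        if not target:
            continue
        # 1. Link text looks like a site name but the link goes elsewhere.
        looks_like_host = "." in text and " " not in text
        shown = registrable_domain(host_of(text)) if looks_like_host else ""
        if shown and shown != target:
            findings.append(f"link text says {shown} but goes to {target}")
        # 2. A trusted brand used as a subdomain of an untrusted site.
        for trusted in TRUSTED_DOMAINS:
            if trusted in full_host and target != trusted:
                findings.append(f"lookalike host {full_host} contains {trusted}")
        # 3. Punycode hosts can render as look-alike Unicode characters.
        if full_host.startswith("xn--") or ".xn--" in full_host:
            findings.append(f"punycode host {full_host}")
    for name in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in DANGEROUS_EXTENSIONS:
            findings.append(f"executable attachment {name}")
    return findings


# Constructed sample message: a lookalike bank link plus a double-extension file.
SAMPLE_BODY = """<p>Your account has been locked. Verify now:</p>
<a href="https://example-bank.com.login-verify.net/reset">www.example-bank.com</a>
<p>Questions? <a href="https://example.com/help">Contact support</a></p>"""
SAMPLE_ATTACHMENTS = ["Invoice_4471.pdf.exe", "statement.pdf"]


def sample_findings() -> list:
    return analyze_email(SAMPLE_BODY, SAMPLE_ATTACHMENTS)


if __name__ == "__main__":
    for finding in sample_findings():
        print("SUSPICIOUS:", finding)
```

The checks are deliberately simple string tests; the point is that the visible text of a link and its real destination are two different things, and that a file named `Invoice.pdf.exe` is an executable no matter what icon Windows shows for it.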


Malware

As the name suggests, malware is software that does malicious things on any device where it is installed. It is an umbrella term covering viruses and ransomware, but also bots, spyware, keyloggers, and similar tools.

Malware can give hackers remote control of an infected computer; spy on user activity; collect data and keystrokes; or even use an infected device to launch attacks on other connected devices and spread the malware.

Ransomware attacks

Ransomware attacks are on the rise and tend to make the news when high-profile targets are attacked. This type of cyber attack works by introducing malware into a device or computer system that then locks a user out of their data — until a large sum of money is paid to the cybercriminals.

The best-known ransomware outbreak to date is WannaCry in 2017, which hit more than 250,000 computers in 150 countries. Many globally recognized organizations and their sensitive data were affected, including FedEx, Britain’s NHS, Hitachi, and Nissan. WannaCry spread by exploiting a flaw in Windows file sharing (SMBv1) that Microsoft had patched two months earlier, so machines with current updates were not infected; keep that in mind when you read tip 4 below.

Infographic: the Ransomware as a Service (RaaS) business model


Viruses

A computer virus is designed to infect a device and then spread to others, either over a connected network or through actions taken on the infected device (such as emailing itself to everyone in the user’s contact list).

New computer viruses hit the news with alarming frequency. One of the most infamous is Mydoom, an email worm from 2004 whose damage has been estimated at $38 billion.

Ten Cyber Security Tips You Can Implement Today

The good news is there are some simple cyber security tips businesses of every size can — and should — follow to minimize the risk of a cyber attack.

1. Create a cyber security plan

Even if your business doesn’t have a lot of documented policies and procedures, you should take the time to create a written cyber security plan. A written plan allows anyone in your organization to quickly understand the hows and whats of tech safety in your office.

Your plan starts by identifying your organization’s vulnerabilities, and then details the steps to mitigate each of those risks. If you have IT staff, they are the best resource for this. If you don’t, the free tools listed below will get you started.

2. Implement a clean desk policy

Although it sounds like something your mom might demand, a clean desk policy is driven by corporate security, not maternal dreams of tidiness. Implementing one ticks some compliance boxes, too.

Regulations such as the General Data Protection Regulation (GDPR) require efforts to ensure data integrity and confidentiality. Standards like ISO/IEC 27001 are more specific: its 2013 edition has a dedicated “clear desk and clear screen policy” control (Annex A 11.2.9), carried over as control 7.7 in the 2022 revision.

When a company implements a clean desk policy, they are asking employees to securely store confidential or vulnerable information at the end of each workday. From client notes and USB sticks to Post It™ notes with a password jotted down (YIKES!), there are myriad ways private information can fall into the wrong hands when not handled with care.

At the very least, your clean desk policy should require all employees to clean off their workspace of anything confidential in nature — and store any information in a secure location. Employees should also:

  • Lock laptops and other devices when not in use.
  • Lock devices and workstations at the end of the day.
  • Securely store removable media when not in use.
  • Erase whiteboards and other displays, so no sensitive data or important credentials are left on them.
  • Never leave private and personal information on company devices.

You should include a written version of your clean desk policy in your cyber security policy, and share it with employees during the onboarding process. Quarterly refreshers are also a good standard practice.

3. Fight fire with a firewall

A firewall filters traffic between the internet and your network or devices, and lets through only what your rules permit. Network (hardware) firewalls sit at the edge of the office network; host (software) firewalls run on each computer. Use both: the host firewall still protects a laptop after it has left the office. Require remote employees to have a firewall enabled on their devices before they are allowed onto your company network.

Firewalls work by applying a list of rules, in order, to each connection: the first rule that matches decides whether the traffic is allowed or blocked, and anything that matches no rule should be denied by default. You set these rules when the firewall is configured and should review them whenever a service is added or retired. Learn more about firewalls and why you should have one here.
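To make the first-match, default-deny behaviour concrete, here is an added Python example for this article (not code from the original page, and not a real firewall). It evaluates a small rule set against sample connection attempts and also audits the rule list for rules that can never fire because an earlier, broader rule shadows them, which is the most common way a firewall ends up more open than intended. The office address range, the rules and the sample connections are constructed for illustration.

```python
"""First-match firewall rule evaluation with a default-deny policy (added
example for this article, not code from the original page). The rule set and
the sample connection attempts are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # destination port, None = any port
    proto: str = "tcp"


# Hypothetical office policy: staff on the LAN may use SSH and HTTPS,
# the public may use HTTPS only, and anything unmatched is dropped.
RULES = [
    Rule("allow", "192.168.10.0/24", 22),
    Rule("allow", "192.168.10.0/24", 443),
    Rule("allow", "0.0.0.0/0", 443),
]

# A common mistake: a broad "allow everything" rule placed first makes
# every later rule unreachable, so the deny for SSH never fires.
BAD_RULES = [
    Rule("allow", "0.0.0.0/0", None),
    Rule("deny", "0.0.0.0/0", 22),
]


def decide(rules: List[Rule], src_ip: str, dst_port: int,
           proto: str = "tcp", default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.proto != proto:
            continue
        if src not in ip_network(rule.src, strict=False):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule
    already covers every packet they would match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_proto = earlier.proto == later.proto
            covers_net = ip_network(later.src, strict=False).subnet_of(
                ip_network(earlier.src, strict=False))
            covers_port = earlier.dst_port is None or earlier.dst_port == later.dst_port
            if same_proto and covers_net and covers_port:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    samples = [("192.168.10.7", 22), ("203.0.113.9", 22),
               ("203.0.113.9", 443), ("203.0.113.9", 3389)]
    for src, port in samples:
        print(f"{src}:{port} -> {decide(RULES, src, port)}")
    print("shadowed rules in BAD_RULES:", shadowed_rules(BAD_RULES))
```

Run against `RULES`, an outside address reaching port 22 or 3389 is denied without any explicit deny rule, because nothing matched. Run against `BAD_RULES`, the same SSH attempt is allowed, and `shadowed_rules` reports that the deny at index 1 is dead.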

4. Install antivirus software

You should install solid antivirus software on every device used at your business to monitor for suspicious activity.

An antivirus program runs unnoticed in the background, scanning your device to identify various threats — like malware, viruses, and bots — and takes immediate steps to contain them. Find out which antivirus programs we recommend for SMBs.

Operating systems also often come with their own antivirus measures. It’s important to keep your operating system updated at all times, as security updates are often rolled out to better protect your device.

Don’t forget to require this cyber security tip on any personal devices your employees use during their workday, including work-from-home staff.

One major weakness facing organizations comes from the user-owned devices infecting corporate networks. It’s critical that when you let employees BYOD (bring your own device), those devices are subject to the same security measures as employer-provided devices.

5. Don’t forget about mobile devices

Speaking of devices, it isn’t just an employee’s mobile phone you should be worried about. Smartwatches and IoT devices also pose a risk to company networks, and many of them (appliances, gadgets, even electric cars) end up attached to corporate networks whether or not anyone intended it. Where your router supports it, put such devices on a separate guest or IoT network so they cannot reach company computers and file shares.

At the very least, your cyber security plan should require two things — that device users adhere to solid password protocols and to keep their devices’ operating systems up-to-date.

6. Require solid password protocols

Creating and keeping track of complicated passwords is a source of frustration among office workers. It’s what leads so many employees to write down their passwords on sticky notes stuck to monitors or cubicle walls, and why they reuse the same password across different accounts.

This phenomenon — called password fatigue — is such a widespread issue, even Pew Research conducted a study on it. They found that 49% of users write passwords down, which creates a huge cyber security threat.

Implement a common-sense password policy for your employees: long, unique passwords, no reuse across accounts, and no sharing. If you really want to ease the burden, incorporate a password manager into your cyber security policy. Dedicated apps exist for this purpose: they generate strong passwords and store them in a vault encrypted under a single master password, so employees need to remember only one.

You can also choose to use the password manager that comes with your company-approved browser. Either method is far more secure than a hand-written password stuck to a computer monitor.

7. Secure your Wi-Fi

Wi-Fi is a particularly vulnerable point at any business, because anyone within radio range can try to connect. Even with password protection in place, the threat of a hack is very real. Securing it is also one of the easier cyber security tips to implement.

Use WPA2 or, where your equipment supports it, WPA3 encryption with a long passphrase, and change the router’s default administrator password, which is separate from the Wi-Fi passphrase and often printed in the manual. You can also hide your network name (the Service Set Identifier, or SSID) at the router or wireless access point so it does not show up on nearby devices; treat this as a convenience rather than a security measure, since a hidden SSID is still visible to anyone with basic wireless tools. Keep visitors on a separate guest network.

8. Back up data regularly

You should get in the habit of backing up all important data on a regular basis. Include all documents, spreadsheets, financial information, communications, human resources files, sensitive information, and anything else that is valuable. This includes data held in cloud services, too.

Set up automated backups so you don’t have to remember to do it manually each day. Keep at least one copy in a different, secure location, and keep one copy offline or otherwise unreachable from your network: ransomware routinely encrypts or deletes any backup it can reach. Periodically check that backups are actually running, and restore a few files from them to prove they can be read; a backup that has never been restored is an assumption, not a safeguard.
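The restore test is the step most small businesses skip, so here is an added Python example for this article (not code from the original page) that builds it into the backup job: it archives a directory, records a SHA-256 manifest of every file, and then verifies the backup by restoring it into a scratch directory and comparing hashes. A manifest mismatch, a missing file or a corrupt archive all report failure. The sample files, directory names and the `demo` routine are constructed for illustration.

```python
"""Make a backup and prove it can be restored (added example for this article,
not code from the original page). The sample files are constructed here."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src_dir: Path, archive: Path) -> dict:
    """Write src_dir to a .tar.gz and return a {relative path: sha256} manifest.
    The manifest is saved beside the archive so a later restore can be checked."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(path, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=2))
    return manifest


def _safe_members(tar: tarfile.TarFile):
    """Refuse archive entries that would write outside the restore directory."""
    for member in tar.getmembers():
        if member.name.startswith("/") or ".." in Path(member.name).parts:
            raise ValueError(f"unsafe path in archive: {member.name}")
        yield member


def verify_backup(archive: Path, manifest: dict) -> bool:
    """Restore into a scratch directory and check every file against the
    manifest. Any failure (corrupt archive, missing or altered file) is False:
    a backup that cannot be restored is not a backup."""
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, members=_safe_members(tar))
            for rel, expected in manifest.items():
                restored = Path(scratch) / rel
                if not restored.is_file() or sha256_of(restored) != expected:
                    return False
        return True
    except Exception:  # any restore error means the backup is unusable
        return False


def make_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a company's documents."""
    (root / "finance").mkdir(parents=True)
    (root / "hr").mkdir()
    (root / "finance" / "q1-ledger.csv").write_text("date,amount\n2024-01-05,1200.00\n")
    (root / "hr" / "roster.txt").write_text("A. Example, payroll\n")


def demo() -> dict:
    """Run the full cycle: back up, verify, then show that damage is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, archive = root / "data", root / "data.tar.gz"
        make_sample_tree(src)
        manifest = create_backup(src, archive)
        good = verify_backup(archive, manifest)
        wrong = dict(manifest, **{"hr/roster.txt": "0" * 64})  # altered expectation
        tampered = verify_backup(archive, wrong)
        archive.write_bytes(archive.read_bytes()[:32])           # truncated archive
        truncated = verify_backup(archive, manifest)
    return {"files": len(manifest), "verified": good,
            "tampered_detected": not tampered, "truncation_detected": not truncated}


if __name__ == "__main__":
    print(demo())
```

Schedule `create_backup` followed by `verify_backup` as one job and alert on a False result; copying the archive and its manifest to the off-site or offline location is the remaining step, and the manifest lets you re-run the verification there too.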

9. Use multi-factor authentication

Multi-factor authentication (MFA), often called two-factor authentication (2FA), is another good cyber security tip to keep your office secure. With it enabled, logging in requires more than just knowing a user name and password.

The second factor is typically a code from a dedicated mobile app (e.g. Google Authenticator) or sent by text message, a fingerprint or face scan, or a hardware security key. Not all second factors are equal: codes sent by SMS can be intercepted or redirected through SIM-swap fraud, so prefer an authenticator app or, better still, a hardware security key, which resists phishing as well. Asking for “three letters from a passphrase” is not a second factor at all, since it is still something the user knows. If your applications and other resources support a second factor for login, turn it on.

10. Secure your payment channels

Make sure your banks and payment card processors are using validated tools and trusted anti-fraud services, and that your business complies with any special security requirements issued by your payment processors. You’ll find these requirements in the contract you have with each processor; for card payments they are based on the Payment Card Industry Data Security Standard (PCI DSS).

Also, be sure to stay current with all software updates as they are issued. Whenever possible, use a dedicated computer for processing card payments, and don’t use that computer for general internet access.

Tools to Assess Your Cyber Vulnerabilities

There are several free tools available, designed to help business owners identify areas of vulnerability and create a solid cyber security plan. While these are U.S.-centric tools, cyber security tips and strategies are the same across the globe.

FCC Planning Tool
The Federal Communications Commission (FCC) is a U.S. government agency that regulates domestic and international communications made by television, radio, satellite, cable, and wire in the United States and its territories. It implements and enforces all laws and regulations related to such communications, and also offers a free Cyberplanner tool for small businesses. With the tool, you can map out a customized cyber security policy for your business.

CISA Tools
The Cybersecurity & Infrastructure Security Agency (CISA) is a U.S. government agency that tracks and deals with cyber security threats. Its Cyber Resilience Review (CRR) is a self-assessment tool that studies ten common business domains and prepares a gap analysis to identify your business’s vulnerabilities.

For U.S.-based businesses, the agency also offers Cyber Hygiene: Vulnerability Scanning. This program scans the systems your business exposes to the internet for known vulnerabilities and recommends modern security best practices. You must sign up for the service, but once the initial paperwork is complete, the service runs automatically and generates regular automated reports.

For any business with supply chain security concerns, there is CISA’s ICT Supply Chain Risk Management Toolkit. With it, businesses can become more aware of, and take steps to reduce, the security risks associated with their supply chains.

STOP. THINK. CONNECT.™ Campaign
This U.S. Department of Homeland Security initiative is designed to increase awareness of cyber threats and help people stay safer and more secure online. While many of the resources are consumer-centric, there are tools that will help businesses improve their cybersecurity, too.

Closing Thoughts on Cyber Security for Businesses

Combating cyber attacks isn’t easy, but it can be done. All business owners must remain vigilant to the ever-present threat of cybercriminals and the security flaws in their network. This starts by identifying vulnerabilities and continues with taking steps to mitigate risk, like using a firewall and a good antivirus program.

You should also turn on two-factor authentication and require employees to use complex, unique passwords. Securing your Wi-Fi network and backing up data daily are also solid steps to take.

By implementing the cyber security tips in this article, you can safeguard your company and stand the best chance of fending off cybercriminals.

10 Cyber Security Tips to Keep Your Small Business Safe: Frequently Asked Questions

Didn’t find what you were looking for in our article? Still have questions? Check out our FAQs below.

You can incorporate several technical solutions like installing a firewall, using antivirus software, and encrypting your corporate Wi-Fi with WPA2 or WPA3.

You can also educate your employees on your company’s cyber security plan and clean desk policy; require them to use two-factor authentication; and implement a password manager that will generate and securely store complex, unique passwords for users.

While nothing can guarantee you’ll never fall victim to a cyber attack, doing these things will greatly reduce the likelihood.

Cyber security takes a five pillar approach to data protection. This includes:

  • Confidentiality – only authorized users have access to data
  • Integrity – data is not inappropriately modified
  • Availability – data is available on demand for authorized users
  • Accountability – everyone who has access to data is responsible for the data
  • Authentication – validation of all users, devices, and data

Read our full article to find out how to keep your business safe from a cyber attack.

Phishing emails pose the biggest threat to small businesses since they often look very legitimate.

If an employee opens a malicious attachment or clicks a bad link, malware can be downloaded onto a device and from there spread across the corporate network. The result could be a ransomware demand, a virus that multiplies and infects more devices, spying on user keystrokes, or full remote control of a device.

Your company’s cyber security strategy should include an assessment of potential vulnerabilities, strategies to address them, and all policies employees should know about and follow to mitigate the threat of a cyber-attack.

Read our full article for tips on building a cyber security strategy for your small- or medium-sized business.

Tech journalist
Liz is a professional writer with a special interest in online privacy and cybersecurity. As a US expat who travels and works in diverse locations around the world, keeping up with the latest internet safety best practices remains her priority.
Corporate IT security expert
Susan has been involved in the IT security sector since the early nineties, working across diverse sectors such as file encryption, digital rights management, digital signing, and online identity. Her mantra is that security is about human beings as much as it is about technology.