What your SMB can do to get big-business cybersecurity

CNET@Work: About 60 percent of small businesses close their doors within six months following a cyberattack. Put in place a comprehensive defense before cybercriminals target you.

Charles Cooper Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.

With technology increasingly intertwined with all aspects of business, CNET@Work can help you -- prosumers to small businesses with fewer than five employees -- get started.

If a computer repair and data recovery company can get hacked, so can you.

New York-based LaptopMD.com got victimized by a cyberattack when an attacker exploited a vulnerability in an outdated version of WordPress that no one had maintained.

"Our entire server got filled with malware pretty quickly and removal tools couldn't stop the problem," recalled Matt Ham, now the owner of a sister company, Computer Repair Doctor. "Our hosting provider gave us a brief chance to fix it, but it was unsuccessful and they quarantined and ended up deleting our entire account.

"It was a classic example of how not running updates can cause major problems," Ham said. "It reminded me of the importance of making sure all products, sites, apps, etc. are updated even if you're not using them."

The attack was also a reminder that while cybersecurity breaches at big organizations such as Target, Sony and Heartland Payment Systems may get the lion's share of media attention, malicious hackers also have small businesses in their crosshairs.

Consider this: In 2011, small business hacks represented fewer than 20 percent of all attacks; nowadays the number is close to 50 percent.   

While large companies make the headlines, the reality is one-in-three documented data breaches occur in smaller businesses. And the aftermath is often grim. About 60 percent of small businesses close their doors within six months following a cyberattack, according to Brian Kearney, chief underwriting officer for Travelers Small Commercial Accounts.

All it takes is one employee opening a malicious email message for a cybercriminal to gain access to a company's network, and from there to confidential customer or financial information.

Yet just 53 percent (PDF) of companies with fewer than 50 employees attach a high priority to cybersecurity. In an increasingly digital world, that's an invitation to trouble.  

Smaller businesses obviously can't match what their large enterprise counterparts are able to spend on cybersecurity. Still, there are ways to compensate for any budgetary limitations and put in place a comprehensive defense before cybercriminals target you.

Here are 11 tips you can apply to the task.

Seek security help

If you can't set up your security and processes properly, contract a professional. No shame if you can't do this in-house. It's a lot easier to protect yourself properly from the beginning than to deal with a hack or data loss after the fact. There are any number of reputable managed security service providers and value-added resellers who can assist. The CompTIA trade association, which represents most of the technology reselling universe, is a good resource for starting your search.

Head for the cloud

For the sake of convenience and security, move more of your data to the cloud. Many small shops don't have the wherewithal to take on that sort of project by themselves, but there are any number of Managed Service Providers (MSPs) who can handle the transition and provide ongoing service. The MSP Alliance is a good resource to consult. Check out our list of hosting providers for additional choices in cloud services.

Back up your data

Image caption: Ransomware allows cybercriminals to hold a company's data hostage until the victim pays up. (Cisco Talos)

Ransomware is the new favorite weapon of cybercriminals. It allows bad actors to hold a company's data hostage until the victim pays up. All the more reason you ought to back up your systems so there's a pristine copy of your data somewhere safe. And back up the data in multiple locations -- whether that involves using a cloud service or external hard drives. If you only do a single backup and there's a failure, you're out of luck.  

Update everything

Make it part of the routine. This includes updating your operating system -- and don't ignore Microsoft's monthly security patches if you're a Windows shop -- your apps, Java and any browser-related plug-ins. If your company operates a website, update your content management system and don't forget to install security updates on your server as well. Most people with a hosted website will update WordPress, but then forget to refresh their server.

Make multifactor authentication a must

There's no excuse not to do this -- yesterday. Two-factor authentication should be applied not only to your VPN, but to your organization's LinkedIn and Google accounts, as well as any other online accounts.

Scan for malware

Scan regularly for malware: weekly if possible, monthly at a minimum. You need to ensure that your systems remain clean and free from virus infection.

Password management

Use complex passwords and never reuse them across different sites. Remembering them all can be unwieldy so you may find it useful to try a password management utility, such as LastPass. At the same time, make sure there's a process in place to automatically change all sensitive passwords when employees leave your company.

Keep close watch on the digital supply chain

Small businesses are increasingly connected to enterprise supply chains for software and services. But with data on the move and flowing constantly in so many directions, the traditional idea of a security perimeter doesn't mean much anymore. That puts the onus on you to make sure any suppliers you're connected with digitally have taken adequate security measures to protect the integrity of information flowing to and from your pipes.

Preach the security gospel

Take time to educate your staff about the acceptable use of corporate resources. Demand adherence to security protocols and make employees aware of the risks entailed when they open emails from strangers and click on the attachments. Training should focus on furthering employee understanding of how to minimize risks such as data breaches. Reinforce the message regularly -- even to the point of including cybersecurity awareness as part of their annual review, if that's what it takes.

Incident response

A survey commissioned by insurer Nationwide revealed that 79 percent of small business owners do not have a cyberattack response plan. That's particularly unwise considering that 63 percent of them have reported being victims of at least one type of cyberattack. It's worth the time investment to map out an incident response plan in advance of a cyberattack, spelling out specific roles and responsibilities in order to mitigate the effects of a breach.

Look into cybersecurity insurance

Talk with a broker to discuss insurance options to protect your company in case of a breach and loss of customer data. In case there's a lawsuit, you need to be protected.

You can also browse other cybersecurity tips and tools on the SBA's page of cybersecurity resources for SMBs. Also, the FCC (PDF) and the Department of Homeland Security (PDF) curate dedicated pages geared to small businesses.