
Small Business Cybersecurity Ultimate Guide [2022]

Max Pierce - December 21, 2021


Welcome to Techfive’s ultimate guide to small business cybersecurity. We created the Ultimate Guide to Small Business Cybersecurity to be a one-stop solution for those of you who own or manage a small business and are looking to improve your business’s cyber hygiene.

Inside, you will find this guide is stuffed full of actionable advice, great resources, and tools for you to start the process of securing your small business.

Make sure to block out some time to read; it will take about 30 minutes from start to finish.

After finishing reading this guide you will:

1. Have a better understanding of the current cybersecurity landscape going into 2022
2. Have access to a practical guide on how to protect your business
3. Have access to the top resources for further learning
4. Understand the value of working with a cyber security service provider
5. Have answers to the most frequently asked questions we get about small business cybersecurity

Let’s get into it.


Cybersecurity trends in 2021 & 2022

If you are a regular reader of ours, I’m sure you have gathered by now that cyber-attacks are rapidly increasing in volume. In 2020, more cyber-attacks were reported than in the 15 prior years combined. 2021 saw that number rise even higher.

The combined cost of cyber-crimes in 2020 alone was $2.7 billion. Small businesses are attractive targets (and are quickly becoming the most common targets) because they have valuable information that cyber-criminals want and more often than not, don’t have proper cybersecurity controls implemented.

People are finally starting to realize the necessity of improved cyber security. Unfortunately, it has taken record-breaking amounts of cybercrime and a world-altering pandemic for cybersecurity to become mainstream. Regardless, we are getting to the point where cybersecurity is a major talking point for most mid-size to enterprise-sized organizations. Small businesses are (typically) the only ones being left in the dust and rubble.

The numbers don’t lie either. Here are some of the most jarring small business cybercrime statistics to give you a better picture of the current world we are living in.

  1. The average ransomware payment climbed 82% to a record high of $570,000 in the first half of 2021.
  2. Cybersecurity analysts estimate a ransomware event will occur every 11 seconds in 2022. Ransomware attackers are rapidly refining their malware payloads and extortion activities. Not only is their tech improving but they are becoming more systematized as well.
    1. Many people still view cybercriminals as a single guy in a basement somewhere in the US stealing money from people. That just isn’t the case. Cybercriminals are now almost always part of larger cyber crime “organizations”. These organizations have a systemic approach to distributing ransomware payloads to businesses. They have customer support, managers, and executives. They are operationally mature, multi-million dollar businesses and they are using their ample resources to target the backbone of the American economy.
  3. Supply chain attacks are becoming increasingly common. These attacks rose by 42% in the first quarter of 2021. The government is well aware of this and is attempting to prevent these attacks from continuing to occur.
    1. Remember when gas prices nearly doubled in the early summer of last year? You can blame that on a cyber attack.
  4. Healthcare providers, financial services, education providers, government agencies, and energy providers are the top target industries for cyber attackers.
  5. 86% of data breaches in 2020 were financially motivated.
  6. 43% of cyber attacks are aimed at small businesses, yet only 14% of small businesses are prepared to defend themselves.
  7. 66% of small businesses say they have experienced a cyber attack in some capacity in the past 12 months.

Cybersecurity basics graph showing average cost of ransomware payments increasing since 2019

Insider Insight: We don’t want to paint too negative a picture, but it is impossible to ignore the implications that these attacks have on small businesses. We don’t want to see our friends’ local businesses shut down because of these organizations. In 2022, cyber attacks are a risk you can’t ignore.

If you are an owner, manager, or executive at an organization making more than $500,000 ARR your organization is a prime target. It’s time to get ahead of the curve. Of course, we are going to recommend you work with Techfive but really what we want to reiterate is that you should work with any reputable cyber security provider.

There is some good news, though: if you are a state, local, territorial, or tribal government entity you may have access to ARPA funds to help your agency improve its cyber defenses.

ARPA (American Rescue Plan Act)

If you are a part of a state, local, territorial, or tribal government entity I’m sure you are familiar with ARPA. ARPA funds can be used for the modernization of cybersecurity programs, including upgrading hardware, software, and protecting critical infrastructure.

COVID-19 has caused a rapid shift in operating environments meaning cybercriminals have new ways to take hold of public sector agencies. This has presented unique cybersecurity challenges for providers. The federal government is looking to improve the general cybersecurity posture of these public sector entities by injecting sizeable amounts of funding.

As a managed security service provider, Techfive can help your agency enhance its cyber defenses and upgrade and manage its IT. We have nuanced knowledge of the issues government agencies face and how to solve them.

Specifically, Techfive can help your agency with:

  • Policy development
  • Implementation of cyber security frameworks
  • Employee cybersecurity awareness training
  • Risk assessments

Please reach out if you are interested in doing a quick discovery call with our advisors, they will set you on the right path.

Check this map to see estimated ARPA allocations your county, state, or tribal government received.

The most common cybersecurity threats

Although threats are constantly evolving, some stay fairly consistent. The largest threats to small businesses in 2021/2022 are:

  • Ransomware
  • Phishing
  • Business Email Imposters
  • Tech support scams
  • Malware
  • Internal threats

The talk of the town right now is ransomware.

Ransomware is a favorite method of cybercriminals to extort businesses. Ransomware payouts tend to be substantial and are increasing rapidly. The average ransomware payout increased by 82% to a record high of $570,000 in the first half of 2021. The majority of small businesses do not have half a million dollars on hand to pay out a ransom payment of that size (and you wouldn’t want to either). This is one of the many reasons why cybersecurity is so important.

So how does a ransomware event occur?

Typically the process looks something like this:

  1. Someone in your company gets an email or text. It looks legitimate, so they click on the link or download the attachment.
  2. The link delivers a malicious software package (malware) that locks down your entire network.
  3. Your business network is entirely inaccessible. Operations are halted.
  4. You attempt to recover from backups.
    1. Unfortunate bonus step: those backups are encrypted as well because they were poorly managed or configured.
  5. The attackers ask for a ransom in the form of money or, more likely, cryptocurrency.
  6. You pay the ransom.
  7. The attackers should then give you your data back. That isn’t always the case, though; often the attackers will keep your data or simply destroy it.

The majority of the time, an attack occurs because of one of these reasons:

  1. A user on your network opens a scam email or text and clicks on a link or attachment.
    1. This is the most common cause of ransom-related cyber attacks. Even with the best intentions, people can make silly mistakes. These emails are very professionally put together and will often look completely legitimate (and make the message seem very urgent). For a non-technical person, it can be nearly impossible to tell the difference between a real email and a fake phishing email.
    2. Training your employees on the common tell-tale signs of these scams is a must.
  2. You have a vulnerability on your server that can be exploited by hackers.
  3. A user on your network visits an infected website that downloads malicious software onto their device.
  4. A user clicks an online ad that contains malicious code. These ads can appear on any site, even well-trusted ones.

Insider Insight: It is important to cultivate a culture of openness and honesty towards cybersecurity within your organization. It is all too common for an employee to mistakenly click on a malicious link and keep it a secret for fear of repercussions. This is a terrible situation to put your employee (and organization) in. These attackers are preying on the inherent goodwill of your employees, and they will do anything to exploit them and subsequently you.

Remember that your employees aren’t the bad guys, the attackers are.

With that being said, unfortunately employees will sometimes maliciously attempt to extort your organization as well. Let’s talk a little about internal threats.

Internal Threat Actors

Malicious internal threat actors are fairly common. These situations often occur after an anonymous cyber criminal reaches out to employees within your organization promising them a cut of the ransom payment if they give them access to your business data/network.

If you happen to have a disgruntled employee on staff who is looking to get back at you (or make a quick buck), they could accept that offer. Remember that these cybercriminals may be offering these internal threat actors amounts exceeding $100,000. That number can be very convincing, especially to an already upset current (or former) employee.

This is where your cybersecurity controls come into play. If you have a properly configured access management system with zero-trust policies in place, it should be very difficult for a malicious insider to give a cybercriminal access to your business network. The reality for most small businesses, however, is that it would likely be fairly trivial to give a cybercriminal access to your business network.

Detecting and controlling internal threats is very complex; your best bet is to focus on controlling your network environment and let that do the heavy lifting for you.

Malware (or Viruses)

Malware is short for “malicious software”. It is invasive software designed to be disruptive or harmful to your computer or wider network. The most common transfer of malware occurs via email attachments, text messages/instant messages, peer-to-peer downloads, or misleading websites/ads.

These viruses have varying purposes. Some destroy data on infected devices or intentionally increase network traffic to congest and disrupt your network. Often these packages are self-propagating: they infect other devices on a network, for example by abusing email to spread the virus across the entire organization.

Essentially malware is software designed to harm your device or network.

Ransomware is a type of malware designed to block you from accessing your device.

The ABC's of small business cybersecurity

Cybercriminals target companies of all sizes.

Knowing the basic principles of cyber hygiene can help to protect your small business and reduce the risk of a cyber attack.

Insider Insight: An important thing to understand is that completely preventing cyber-attacks is not possible. These attacks are carried out by sophisticated organizations with access to huge amounts of capital and a deep roster of expertise. However, avoiding being the “low hanging fruit” can be a very effective preventative measure. Follow the basic protocols below to avoid being the easy target.

Protect your files and devices:

  • Update your software automatically and consistently
    • Consistently updating your software can help to close open holes. Often analysts will discover a hole/entry point in a third-party piece of software that may expose your business network. The owner of that software will then patch it, closing the hole. For you to be protected you have to install the new version. Outdated software (and hardware) is a common problem in many businesses because of vendor complexity. These outdated pieces of software could be leaving glaring gaps in your cybersecurity.
    • Older devices may be unable to update. As of 2020, Windows 7, Microsoft Office 2010, and Windows Server 2008 have reached the end of support and are no longer considered secure. If your business is still using these, it’s time to upgrade.
    • Be sure to update your antivirus software as well.
  • Encrypt your devices
    • Any device that carries sensitive information, whether that be client information or personal information (bank accounts, personal records, etc.) should be encrypted. This includes any device that may have access to that data such as:
      • Laptops
      • Tablets
      • Smartphones
      • Removable drives
      • Backup tapes
      • Cloud storage solutions
      • Work desktops
      • Industry-specific hardware
  • Secure your files
    • Back up your important files offline and separate them from your primary network. Backing up your files on a hard drive or in the cloud is the way to go. If you have large amounts of information that is constantly changing, a dedicated backup solution would be a much better option. Not sure how to configure a custom backup solution? Our technicians can help. Reach out to us and we will get someone on your case asap.
    • Backing up your data means you have a recovery method if you experience a ransomware event. It is a precautionary measure that is necessary in the modern world. If your business is attacked and you don’t have any backups (or they get encrypted as well) you are at the mercy of the attacker. This is a worst-case scenario.
    • Store your paper files securely too.
  • Use multi-factor authentication
    • You should require multi-factor authentication (MFA) to access areas of your network that may contain sensitive information, especially on accounts with administrative access.
      • Often threat actors will get access to a business network and sit on the network for weeks, sometimes even months to years in an attempt to elevate their privileges. This means administrative accounts are especially lucrative to attackers. Focus on getting MFA on those accounts first and work your way down.
      • You should prioritize financial and email accounts when setting up MFA.
    • MFA is a good standard for personal apps as well. It is considerably more difficult for would-be attackers to access your personal information with MFA in place. We generally recommend it for everything.

Tip: MFA is almost always a requirement to get or renew a cyber insurance policy in 2021/2022.

Protect your wireless network:

  • Secure your router
    • Change your router’s default name and password.
      • Your routers come with default login credentials so you can configure them. Many people leave these defaults without much thought. The problem is that attackers know these default credentials and can easily get access to your network.
    • Turn off remote management.
    • Log out as the administrator once the router is configured.
    • Use WPA2 encryption or better.
      • Most modern routers offer solid encryption. If you are using an older piece of hardware, ensure it is configured for proper encryption.
      • Encryption protects the information sent over your network.

Operate with a security-first mentality:

  • Require strong passwords at an organizational level. This means that every device connected to your network should have passwords that are:
    • A minimum of 12 characters in length
    • A mix of numbers, letters, and symbols (phrases can work well too and can be easier to remember)
    • Unique and are not reused anywhere else.
      • This is more of a problem now that working from home is so common. Your employees may bring their own devices to work with shared passwords between their personal accounts and work accounts. Not only does this open up a vulnerability in your business network, but this also leaves your employee’s personal information vulnerable in case of an attack.
      • Cybercriminals know that re-used passwords are common. They can often gain access to multiple accounts just by getting a single set of login credentials. They will likely target your financial accounts first. They will also target private information that they can use to blackmail you.
  • Passwords should never be shared via email, text, phone, Slack, on a video call, etc.
    • Investing in a password manager is a must for any security-focused organization. These password managers allow you to securely distribute login credentials.
      • No software is 100% secure, there have been instances of password managers being hacked. You are still better off using one rather than not but it is important to recognize that nothing is ever 100% secure.

Tip: If you are ever working with a vendor/cybersecurity provider and they claim they can make you “completely secure”, they are either lying or ignorant.

  • Consistently train your staff on best security practices.
    • Training your staff will likely be the thing that makes or breaks your cybersecurity policies. You can have the biggest, baddest lock on your front door but it doesn’t do much if someone unlocks it from the inside.
    • Cultivate a culture of security and awareness. Don’t ridicule employees who make mistakes or click on things they shouldn’t have. An honest environment is a necessity. If your employee keeps a mistake they made private in fear of repercussions, that potential vulnerability will likely go undetected.
    • Share real-world examples of scam messages and how they look for training purposes.

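As an added example (not Techfive’s code), the following Python check encodes the password rules above: the 12-character minimum, the mix of letters, numbers and symbols (or a multi-word phrase instead), and no reuse. Prior passwords are compared by SHA-256 hash so the check never has to keep them in plaintext; the passphrase word count and the sample passwords are assumptions.

```python
import hashlib
import re

MIN_LENGTH = 12           # the guide's minimum length
MIN_PASSPHRASE_WORDS = 4  # assumption: how many words make a "phrase"


def fingerprint(password: str) -> str:
    """SHA-256 of a password, used only to compare against earlier passwords.

    Note: this is a reuse check inside a policy tool, not credential storage;
    stored login passwords need a slow, salted hash (bcrypt, scrypt, argon2).
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, previously_used: set[str]) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []

    # Rule 1: minimum length.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: character mix, or a passphrase of several words.
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in candidate)
    words = [w for w in re.split(r"[\s\-_]+", candidate) if w]
    is_passphrase = len(words) >= MIN_PASSPHRASE_WORDS
    if not (has_letter and has_digit and has_symbol) and not is_passphrase:
        problems.append("needs letters, numbers and symbols, or a multi-word phrase")

    # Rule 3: never reused; compare by hash so old passwords are not kept in clear.
    if fingerprint(candidate) in previously_used:
        problems.append("reused: matches a previously used password")

    return problems


def audit(candidates: list[str], previously_used: set[str]) -> dict[str, list[str]]:
    """Run the check over several candidates; maps each one to its violations."""
    return {pw: check_password(pw, previously_used) for pw in candidates}


# Constructed sample: hashes of passwords an employee has used before.
PREVIOUSLY_USED = {fingerprint(p) for p in ["Winter2021!!", "Summer2021!!"]}

if __name__ == "__main__":
    samples = [
        "short1!",                       # too short
        "abcdefghijklmnop",              # long enough but only letters
        "correct horse battery staple",  # passphrase path passes
        "Winter2021!!",                  # strong-looking but reused
        "Tr0ub4dor&3xtra",               # passes all three rules
    ]
    for pw, issues in audit(samples, PREVIOUSLY_USED).items():
        print(f"{pw!r}: {'OK' if not issues else '; '.join(issues)}")
```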

Develop a response plan:

  • Consider how you are going to recover your data
  • How are you going to begin operations again following a cyber incident?
  • What information are you going to disclose to your employees and clients?

Important: Don’t say anything until you have spoken with an attorney. Speak with your cyber insurance agent as soon as possible. Your insurance agency will likely get you in contact with a breach coach. A breach coach will help guide you through the process of returning to operations and, if need be, paying a ransom.

You may have a legal obligation to disclose information related to a breach. If this is the case, follow the law. We (Techfive and its constituents) are not legal experts and this is not legal advice.

Control who can access different items within your network:

This is commonly known as “access control”. Access control allows you to granularly control who has access to which parts of your network and which hardware they can reach. Access control is designed to help protect your business from both internal and external threat actors by making it more difficult to move laterally within your business systems.

Staff & external providers typically do not need full access to all of your business data and accounts. You should restrict access whenever possible.

  • Internal threats are real and are a fairly common cause of breaches. A common way this occurs is that an external threat actor offers one of your employees a cut of a ransom if they help them gain access to your business’s network. This form of malicious access can be very difficult to prevent; the best way to do so is to limit access where possible. Think of it as isolating a fire to a small area rather than letting it run rampant.

You should give users the bare minimum permissions and work up from there rather than the opposite. Your employees rarely need administrative access, and distributing it freely will leave your business more vulnerable.

Remember to delete accounts when employees leave (especially if the exit is particularly nasty) or if you change providers. Most companies we work with find that they still have active accounts of employees that have been gone for quite some time.

Protect your data offline

Always follow standard security practices. Remember that a threat actor can get access to your business network in person as well.

Don’t write your passwords on sticky notes, don’t let random people access your network, keep your server room locked, etc. You get the picture: use common sense and avoid costly, easy-to-avoid mistakes.

So now that we have covered the “basics”, let’s dive a little deeper into what you can do to properly secure your business. Many of our clients find this overwhelming. If that’s the case for you, I’d like to propose two options:

  1. Continue reading (and implement the principles covered here) to give your small business the best chance of preventing a cyber attack
  2. Hop on a 30-minute discovery call with our team at Techfive. We can walk you through this whole process. This is what we do at Techfive, if you feel overwhelmed, we are the people to talk to.

Cybersecurity frameworks: NIST, CMMC, & CIS

What is a framework? A framework is a voluntary guide designed to help business owners/operators manage and reduce cybersecurity risk by providing a set of standards to follow.

Why would you use a cybersecurity framework?

One of the best ways to improve your business cyber hygiene is by following the principles laid out in a cybersecurity framework. Each framework serves a slightly different purpose.

Insider Insight: The majority of the most popular cybersecurity frameworks are based upon the NIST cybersecurity framework. The NIST framework is government-developed guidance to help owners/operators manage cyber risk.

NIST stands for: “National Institute of Standards and Technology”

NIST (National Institute of Standards and Technology)

NIST is a voluntary framework consisting of “standards, guidelines, and practices to promote the protection of critical infrastructure.” The framework is designed to be flexible, repeatable, and cost-effective, which allows owners/operators to manage cybersecurity-related risk. source

NIST is composed of three major components: the Core, Implementation Tiers, and Profiles.

The Core:

  • “Provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand” source
  • It serves as a guide for organizations to manage and reduce their cybersecurity risk in a way that complements an organization’s existing cybersecurity and risk management processes.
  • Despite the language being “common” and “easy to understand”, it can still be difficult to do so. If you are reading more into NIST and have any questions feel free to reach out to me on LinkedIn and I’ll help you out.

Implementation Tiers:

  • The Implementation Tiers exist to help provide context to your organization’s views on cybersecurity risk management. They are built to help organizations consider the appropriate level of “rigor for their cybersecurity program…”. source
  • Organizations will often use the Implementation Tiers as a tool to discuss critical business initiatives such as risk appetite, mission priority, and budget restraints.

Framework Profiles:

  • The Framework Profiles serve as a way to identify the unique needs of your organization and then apply those needs based on your organization’s priorities in a systematic way. “Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.” source

How do I implement the principles laid out in NIST?

The best way to do so is to work with a cybersecurity service provider. There are professionals dedicated to the implementation of these frameworks. The likelihood that you will be able to follow the standards and implement them without significant technical knowledge is pretty low. It is also important to remember that large portions of these cyber security frameworks require constant effort. Like we have said before, cyber threats are not static. If you implement a cyber security framework expect that it will require month-to-month management.

If you would like to move forward without professional help, check out the quick start guide from the Computer Security Resource Center.

For those of you that want the short version:

The Framework is organized by 5 key functions.

  • Identify
    • Help your organization to develop an understanding of your current systems, assets, data, and capabilities.
  • Protect
    • Develop and implement the proper security measures to ensure operational continuity and delivery of services.
  • Detect
    • Helps you to develop and implement systems to detect a cybersecurity event.
  • Respond
    • Helps you to build a system of action following a cyber event.
  • Recover
    • Helps your organization develop and implement a plan to recover services following a cyber event. This also helps you to maintain your cyber resilience following an event.

CMMC (Cybersecurity Maturity Model Certification)

CMMC serves as a way for the DoD to “guarantee” its contractors and subcontractors have implemented the proper cyber-defense principles to properly protect the sensitive information being shared with them.

Insider Insight: Guarantee is in quotes because despite the function of CMMC being to protect sensitive declassified information, many DoD contractors do not follow the requirements within.

That should be changing with the updated CMMC 2.0 guidelines.

The CMMC framework has three key features:

  • Tiered model: CMMC requires that organizations that have been entrusted with national security information implement a set of cybersecurity standards at progressively advanced levels. The level of implementation depends on the type and the sensitivity of the information.
  • Assessment Requirements: CMMC assessments allow the DoD to verify the legitimacy and the implementation of the cybersecurity standards within.
  • Implementation through contracts: Once CMMC is fully implemented, certain DoD contractors will be required to achieve varying CMMC levels as they are awarded new contracts.

Essentially, CMMC is the cybersecurity framework that organizations that work with DoD must follow to maintain compliance and continue working with the DoD. It is heavily based on the NIST framework but is tailored to DoD contractors & subcontractors.

For further reading: https://www.acq.osd.mil/cmmc/index.html

CIS Critical Security Controls

The CIS Critical Security Controls are a set of actions to help your organization achieve improved cyber defense. The CIS controls are built to provide actionable ways to prevent the most pervasive attacks from occurring within your organization. CIS controls are a shortlist of highly effective “must-do, do-first” starting point actions for every enterprise seeking to improve its cyber defense.

CIS controls serve as a way to help organizations prioritize and implement the NIST security guidelines mentioned above in a systematic way that is specifically tailored to your organizational requirements. CIS controls map to most major compliance frameworks in some capacity and help your organization to achieve compliance, especially if you are required to follow HIPAA, NERC CIP, FERPA, or CMMC guidelines.

  • HIPAA: Guidelines for medical providers/healthcare organizations
  • NERC CIP: Series of standards to protect any assets used to operate North America’s Bulk Electric System.
  • FERPA: Federal law that protects the privacy of student educational records.
  • CMMC: Framework for defense industrial base contractors that work with the Department of Defense.

Following a cybersecurity framework is the go-to recommendation for most organizations to improve their cyber defenses. Generally speaking, we recommend most of our clients start by working with the CIS Critical Security Controls and working towards achieving the standards laid out in Implementation Group 1 (IG1). Once an organization achieves IG1, they are considerably more difficult to exploit and can then focus on enhancing their cybersecurity posture dependent on needs and/or compliance requirements.

At Techfive, we have helped numerous organizations, ranging from healthcare providers to defense contractors, improve their cyber defenses and achieve compliance. Reach out for more information.

Taking your small business cybersecurity to the next level

Cybersecurity risk assessments:

Read the full guide on cybersecurity risk assessments here →

What is a cybersecurity risk assessment?

A cybersecurity risk assessment is the analysis of your company assets and procedures to identify gaps that could make you vulnerable to a cyber-attack. Once you have identified those gaps, you can then rank them from the highest and most immediate threat to the least.

This will allow your organization to perform its risk mitigation process in order of importance, saving critical resources and maximizing efficiency.

How to perform a cyber security risk assessment of your business

Follow these 6 vital guidelines when conducting your assessment:

1. Figure out the scope of your assessment
This will be a lesson in thoroughness. You will need to identify every asset that will be evaluated to accurately determine the full scope of the project.

We would recommend starting small with a single asset type (for example, laptops, then servers, then cloud applications) and moving systematically through the rest in the same way.

Once you have chosen your asset type, you will need to figure out any other devices or information it touches in any way.

Take your time on this step of the process as this will ensure you are getting a comprehensive look at your entire network. Cutting corners here could mean critical vulnerabilities being unintentionally ignored.

2. Determine the value of each asset
Once you have completed step 1, it’s time to talk value.

It’s important to remember that the value of an asset likely extends beyond just the cost of the hardware/software. Consider the intangible cost of an asset and the cost of the loss of an asset to your business.

Typically we find most assets’ actual value extends well beyond the expectation. We live in an interconnected world and your business is no different.

For each asset, gather specific information where applicable such as software, hardware, end-users, purpose, criticality, and any security policies in place.

3. Identify gaps in your security
This is where a lot of the complexity comes in. It is very difficult to do this well without a background in cyber security or information security, so this is the step where most small businesses bring in outside help.

What you are going to want to do is calculate the likelihood of various business loss scenarios. Essentially you are looking to identify security holes, calculate the impact that an exploit would have on your organization, and mitigate those risks.

The most common threats that affect every organization typically include:

  • Unauthorized access: from attackers, malware, or employee error.
  • Misuse of info by authorized users: data may be altered, deleted, or used without approval.
  • Leaked data: identifiable information being leaked intentionally by attackers or unintentionally by poorly configured systems.
  • Business disruption: loss of revenue/reputation damage due to business downtime.

4. Perform an info value vs cost of prevention analysis

This is the way you figure out what to prioritize first and what is most immediately beneficial.

What we are looking for is to assess the importance of securing a category of your data compared to the relative cost for your company to do so.

To do this, you take the likelihood of a threat and its potential impact against the cost of preventing it and compare them against each other. We can then produce a plan for which holes need to be patched first.

Something to remember is that the impact of a cybersecurity incident extends beyond just money. It is common for a brand’s reputation to be negatively affected after suffering from a cyber incident. Take this into consideration when performing your information value vs cost of prevention analysis.

5. Establish security controls (and continuously monitor them)
Once again, this is a complex task requiring multiple skill sets to complete and do well. The key here is continuous monitoring of security controls.

Threat actors aren’t static threats, they are constantly finding the newest vulnerability/angle to attack from. To stay ahead of the curve you have to constantly monitor and adjust your threat mitigation strategies.

A good practice is to update your cybersecurity assessment at least once per year, and again after any major change such as a new line-of-business application, a move to the cloud, or a merger.

6. Document your findings!
This report doesn’t mean a lot if you can’t reference it later. It will serve as an invaluable tool you can use to develop new (and more effective) security practices.

You can also use your report as a training tool for new hires coming into your organization.

Take your time here. Meticulously organize your findings, you won’t regret it.
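
To make steps 2 through 4 concrete, here is a small risk register worked through in code. This is an added example for this guide, not a tool or method from the original article: it uses the standard quantitative formulas ALE = SLE × ARO (annualized loss expectancy) and ROSI = (ALE before − ALE after − control cost) / control cost, and every asset, dollar figure, likelihood and control name in it is constructed sample data. The point it demonstrates is that the asset with the biggest annual exposure is not automatically the first control you should fund once cost of prevention is taken into account.

```python
"""Prioritize risks and controls from a constructed risk register.

Standard quantitative risk formulas (not taken from this guide):
  ALE  = SLE x ARO      annualized loss expectancy, in dollars per year
  ROSI = (ALE_before - ALE_after - control_cost) / control_cost
All asset values, likelihoods, control names and costs below are
constructed sample data, not figures from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sle: float           # single loss expectancy: direct + reputational cost of one incident ($)
    aro: float           # annualized rate of occurrence: expected incidents per year, today
    control: str         # candidate mitigating control (assumed example)
    control_cost: float  # annual cost of that control ($)
    residual_aro: float  # expected incidents per year once the control is in place

    @property
    def ale(self) -> float:
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        return self.sle * self.residual_aro

    @property
    def rosi(self) -> float:
        # Return on security investment; negative means the control costs more than it saves.
        return (self.ale - self.residual_ale - self.control_cost) / self.control_cost


# Constructed register: a typical small office, four assets, one threat scenario each.
SAMPLE_REGISTER = [
    Risk("Email accounts", "Phished credentials leading to invoice/wire fraud",
         sle=40_000, aro=0.5, control="MFA on every mailbox", control_cost=1_200, residual_aro=0.05),
    Risk("File server", "Ransomware encryption and a week of downtime",
         sle=120_000, aro=0.2, control="Offline backups + endpoint detection", control_cost=6_000, residual_aro=0.04),
    Risk("Public website", "Defacement of the company site",
         sle=5_000, aro=0.1, control="Web application firewall subscription", control_cost=2_400, residual_aro=0.02),
    Risk("Staff laptops", "Lost or stolen laptop with unencrypted client data",
         sle=15_000, aro=0.3, control="Full-disk encryption on all laptops", control_cost=300, residual_aro=0.02),
]


def rank_by_ale(register):
    """Steps 2-3 view: which asset/threat pair costs the most per year if nothing changes."""
    return sorted(((r.asset, r.threat, r.ale) for r in register), key=lambda t: t[2], reverse=True)


def prioritize(register):
    """Step 4 view: order controls by return on investment and mark the ones worth funding first."""
    rows = []
    for r in sorted(register, key=lambda r: r.rosi, reverse=True):
        rows.append({
            "asset": r.asset,
            "control": r.control,
            "ale": r.ale,
            "rosi": r.rosi,
            "decision": "fund" if r.rosi > 0 else "defer",
        })
    return rows


if __name__ == "__main__":
    print("Exposure if nothing changes (ALE, $/year):")
    for asset, threat, ale in rank_by_ale(SAMPLE_REGISTER):
        print(f"  {asset:<16} {ale:>10,.0f}  {threat}")
    print("\nControls by return on investment:")
    for row in prioritize(SAMPLE_REGISTER):
        print(f"  {row['decision']:<6} ROSI {row['rosi']:>6.2f}  {row['asset']:<16} {row['control']}")
```

With these sample numbers the file server carries the largest annual exposure, but mailbox MFA and laptop encryption come out ahead on return on investment because they are cheap relative to the loss they prevent, while the website firewall is deferred because it costs more per year than the defacement risk it removes. Replace the constructed figures with your own estimates from steps 2 and 3, and remember that SLE should include the reputational and downtime cost discussed above, not just hardware replacement.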

Cybersecurity Insurance for small business

Ransomware attacks are on the rise and cyber insurance is becoming more and more of a necessity every day. Organizations that find themselves with poor cyber hygiene AND no cyber insurance are asking to be attacked. It’s a perfect storm for threat actors.
To have a comprehensive cyber defense policy in place, your small business should invest in cyber insurance. Cyber insurance protects you from the “worst-case scenario” and acts as a final line of defense. The hope is that your organization will never have to use it.

Essentially, cyber insurance functions much like any other type of insurance. If you find yourself in a situation where you need to pay a $500,000 ransom, your insurance may cover that cost, with some notable exceptions: many policies cap or exclude extortion payments, and in the United States a payment to a sanctioned threat actor can itself violate OFAC regulations, so check the extortion and exclusions sections of any policy closely.

What does a cyber insurance policy cost?
Typically organizations with around $1mm ARR at a $10,000 deductible will spend about $1500/year on a cyber insurance policy. This number will likely increase in 2022 as cyber insurance agencies are finding themselves upside down on these policies because of the massive influx of cyber attacks in the last 18 months. These rates are highly variable depending on the nature of your business and the size of your business.

What to look for in a cyber insurance policy?

Important: Cyber insurance isn’t standardized, your organization should review all policy language with a broker before making a decision. Policies often vary significantly in the language used and their policy options.

You should look for policies that use broad terminology and those that protect against a wide range of threats. Especially lookout for the following:

  • The threat to damage or destroy software/programs
  • The threat to use your network to transmit malware
  • To interfere with your company website (modify content to deface your company)
  • Phishing attempts
  • Impair/disrupt business operations
  • The threat to introduce malicious software to your network (viruses and self-propagating code)
  • Access private data stored on your network and subsequently sell, disclose, or misuse that data

Cyber insurance policies and premiums will vary highly depending on your business industry, if you store sensitive records, the risk management policies you have in place, and much more.

This means that the only way to find the best policy for your organization is to work with a broker.

Insider Insight: It’s important to remember that insurance companies are a business and they expect to make a profit, in 2022 most insurance providers will no longer provide coverage unless you follow basic risk management procedures. This means doing things like implementing multi-factor authentication and training your employees on cyber risks.

A quick summary of our recommendations on cyber insurance:

  1. Yes, you should invest in cyber insurance
  2. The cost of cyber insurance is highly variable. You can expect to pay a minimum of $1500/year for businesses exceeding $1mm a year in revenue.
  3. Work with a broker to establish a specific policy for your organization. Look for broad language around threats.
  4. Most cyber insurance policies require you to protect your organization first. This means committing to risk management for your organization.
  5. Work with the pros

Vendor Cybersecurity:

We often find businesses that work with 3rd party vendors that have less-than-stellar cybersecurity practices in place. This often leaves huge gaps in a small business’s cyber defenses and can serve as an open door into your business’s network or systems.

It’s important to work with reputable vendors that have nuanced knowledge of their cyber defenses and how they are protecting their clients.

This may be particularly relevant if you find yourself in an industry that has strict compliance requirements. If you work with a 3rd party vendor that unintentionally reveals sensitive data you may be liable for that data breach. That may mean massive fines and a million headaches.

Important: If your vendor can’t direct you to resources that explain their cybersecurity policies (a published security page, a SOC 2 report or ISO 27001 certificate, or completed answers to a security questionnaire), they probably aren’t prepared for an attack. You can’t afford to ignore this if you are in a particularly cyber-sensitive industry.

A Practical 11-step Process to Train Your Employees on Good Cyber Hygiene

Your employees are both your biggest asset and your biggest cyber liability. Training them to follow best practices can provide immense value and prevent cyber events from ever occurring. Here is our practical 11-step process for helping your employees significantly improve their cyber hygiene (and subsequently, your business’s as well).

  1. Avoid unknown email, links, and pop-ups
    1. Avoid clicking on links or attachments you weren’t expecting, even from people you know. Adopt a zero-trust mentality towards any unknown links. If you are unsure, always ask!
    2. Never enter crucial personal or business information in unknown emails, websites, etc.
  2. Don’t plug in that USB you found
    1. Seriously, this is one of the oldest (and easiest to avoid) ways of injecting malware onto your device. Have your IT team double-check any USB before you plug it in.
  3. Protect your cell phone
    1. Your mobile device has access to tons of sensitive data, especially in the work-from-home era. If your cell phone is compromised or lost, that could mean free access to all of that important data. Keep track of your devices, turn on a screen lock and device encryption, and make sure IT can remotely wipe them. This matters most for those of you with administrative access.
  4. Use strong passwords every time
    1. Luckily most signups force this now, but that wasn’t always the case. Length matters more than symbols: a long passphrase of several unrelated words is stronger and easier to remember than a short password stuffed with special characters.
    2. Create unique passwords for each login.
    3. Tip: you can use a password manager to manage your unique password so you don’t have to remember them all.
  5. Verify software is legitimate before you download it
    1. Not everything you download is safe. Your antivirus software should protect you from threats but nothing is foolproof.
    2. It never hurts to ask your IT provider if something is legitimate.
  6. Understand that cybercriminals will try to manipulate you
    1. Social engineering is the name of the game in 2021. Threat actors intentionally try to manipulate you by preying on your goodwill, your respect for authority, and your sense of urgency. If something seems fishy, it probably is. Always verify first, through a channel you already trust (a known phone number, not the one in the email).
  7. Use a reputable antivirus software
    1. If you use Windows devices, the built-in Microsoft Defender (formerly Windows Defender) is a solid pick. Your IT provider may install a different antivirus or endpoint detection product on your device as well.
  8. Backup your data
    1. This is valuable for both cybersecurity and just general peace of mind. Having backups means that if something goes wrong, you have a copy to restore from. Keep at least one copy offline or otherwise unreachable from your network (ransomware encrypts any backup it can reach), and test a restore periodically; a backup you have never restored from is an assumption, not a plan.
  9. Be wary of emails & texts from executives, CEO’s, or higher-ups
    1. Business email compromise and executive impersonation are becoming increasingly common. You may receive an email that appears to be from your CEO saying you need to urgently buy gift cards, enter sensitive information, or open a link or attachment. These messages usually contain no malware, so spam filters struggle to detect them and they often land in your inbox. Always verify requests like this by phone or in person before taking any action.
  10. Use multi-factor authentication
    1. MFA is the way to go to protect your personal and business assets. Use an authenticator app or a hardware security key whenever possible. SMS codes can be intercepted or redirected (SIM-swap attacks against the carrier are a known technique), so text-message MFA is the weakest option; it is still far better than a password alone.
  11. Adopt a “zero-trust” mentality
    1. As a mindset, zero trust means that you always verify the legitimacy of an email, text, website, etc. before you commit to any action related to it, and you treat everything as a potential threat until proven otherwise. As a technical architecture, it means every access request is authenticated and authorized on its own merits rather than trusted because it comes from inside the office network. Your IT provider can help you implement systems that support a zero-trust approach if you choose to go this direction.
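
Steps 6, 9 and 11 above all come down to verifying the sender before acting. The following is an added example, not a tool from the original article or from Techfive, of the header checks a mail filter (or a suspicious employee) can apply to catch executive impersonation: a display name matching an executive but sent from an outside address, a lookalike sender domain, or a Reply-To that quietly redirects the conversation elsewhere. The company domain, executive names and the sample headers are constructed assumptions for the example.

```python
"""Flag executive-impersonation and lookalike-sender emails from their headers.

Checks applied to the From: and Reply-To: headers of a message:
  1. Display name matches a known executive but the address is off-domain.
  2. Sender domain is a lookalike of the company domain (edit distance <= 2,
     e.g. examp1e.com) or contains non-ASCII characters (possible homoglyphs).
  3. Reply-To points at a different domain than From (replies get hijacked).
Urgency/payment wording in the subject is reported as an aggravating factor
but does not flag a message on its own.
COMPANY_DOMAIN, EXECUTIVES and the sample headers are all constructed
assumptions for this example, not data from any real organization.
"""
from email.utils import parseaddr
from typing import Optional

COMPANY_DOMAIN = "example.com"                  # assumed company domain
EXECUTIVES = {"jane doe", "max pierce"}          # assumed list of impersonation targets
URGENCY_WORDS = ("urgent", "gift card", "wire", "asap", "confidential", "invoice")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(header: str) -> str:
    """Lower-cased domain part of the address in a From:/Reply-To: header, or ''."""
    _, addr = parseaddr(header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(from_header: str, subject: str, reply_to: Optional[str] = None) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one message's headers."""
    name, _ = parseaddr(from_header)
    from_domain = _domain_of(from_header)
    reasons = []

    # 1. Executive display name, external address
    if " ".join(name.lower().split()) in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append("executive display name from external domain")

    # 2. Lookalike or homoglyph domain
    if from_domain and from_domain != COMPANY_DOMAIN:
        if not from_domain.isascii():
            reasons.append(f"non-ASCII characters in sender domain {from_domain!r}")
        elif levenshtein(from_domain, COMPANY_DOMAIN) <= 2:
            reasons.append(f"lookalike domain {from_domain!r}")

    # 3. Reply-To redirects the conversation to another domain
    reply_domain = _domain_of(reply_to) if reply_to else ""
    if reply_domain and reply_domain != from_domain:
        reasons.append("reply-to goes to a different domain")

    suspicious = bool(reasons)  # only sender-based findings decide the verdict
    if any(w in subject.lower() for w in URGENCY_WORDS):
        reasons.append("urgency/payment language in subject")
    return {"suspicious": suspicious, "reasons": reasons}


# Constructed sample headers: (From, Subject, Reply-To)
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@example.com>", "Q4 budget draft", None),
    ("Jane Doe <jane.doe.ceo@gmail.com>", "URGENT: need gift cards for clients today", None),
    ("Accounts Payable <ap@examp1e.com>", "Updated wire instructions", None),
    ("Jane Doe <jane.doe@example.com>", "Invoice approval", "Jane Doe <jd-private@outlook.com>"),
]

if __name__ == "__main__":
    for frm, subj, rt in SAMPLE_MESSAGES:
        verdict = analyze(frm, subj, rt)
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok        "
        print(f"{flag}  {frm:<40} {subj}")
        for reason in verdict["reasons"]:
            print(f"            - {reason}")
```

Note that the fourth sample message passes every check on its From: line, which is why the mailbox-level Reply-To comparison matters: an attacker who has actually compromised the executive's account will send from the real address, and only a verification step outside email (a phone call to a known number) catches that case.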

Frequently Asked Questions

Is my small business at risk? We barely have any revenue.

Every business is at risk.

Small businesses are becoming the prime target for attackers moving into 2022. Even very small businesses (<$1mm ARR) have data/systems that could be compromised. Remember threat actors are almost always only interested in turning a profit. If your small business has little-to-no cyber security controls in place, you are an exceptionally easy target and a quick payday.

Cyber attackers have become very systematized. The days of a guy in a hoodie in a basement are gone. The majority of cyber-attacks are carried out by organized criminal groups operating from countries where they are effectively beyond the reach of law enforcement.

This means there are plenty of attackers to go around, which is making cyber attacks much more widespread. A wider net of attackers means that more small businesses are being targeted than ever before. 2020 alone experienced more cyberattacks than the 15 previous years combined.

What happens if my business experiences a cyber event?

There is a multitude of ways a business could experience a cyber event.
The most common threats in 2021/2022 are:

  • Phishing
  • Business email imposters
  • Tech support scams
  • Ransomware
  • Malware
  • Viruses

When a business gets attacked, it is almost always for money. That means a threat actor will do anything they can to get you to hand over cash (usually cryptocurrency). The most common way this is carried out is through ransomware.

Ransomware encrypts your network & business systems, effectively shutting down your operations. The threat actor will (sometimes) provide a key to regain access to your systems once a ransom is paid. Most current ransomware groups also copy your data out before encrypting it and threaten to publish it if you don’t pay, so having good backups does not by itself make the extortion go away.

As you might expect, these threat actors don’t have your best interest in mind. There are often reports of businesses paying a ransom and then the attackers forcing them to pay a second ransom immediately after.

  • Your business is more likely to experience another ransom event if you have already experienced one; these second events are often carried out by the same group, using the same access they never lost.

Attackers most often get access to your business network by exploiting the people within your organization. Investing in cyber security training will pay huge dividends in the long run.


Can my business recover from a cyber attack?

A large portion of businesses that experience a cyber attack shut down within 12 months following the event. The strain a cyber event puts on small organizations both operationally and financially can often be a death sentence.

Nothing guarantees recovery, but the best way to improve your odds (and to help prevent an attack from ever happening) is to have a dedicated plan in place. A functional cyber security plan of action must:

  • Have cybersecurity controls in place
  • Have a system for performing risk assessments
  • Have a system to constantly monitor your networks & business systems
  • Have dedicated employee training built-in
  • Have an Incident Response Plan
  • Have a cyber insurance policy in place
  • Have a team to consistently update your controls according to the best modern practices. Cyber threats are not static.

Top Small Business Cybersecurity Resources

CSRC for Small & Medium Business

Resource center for cybersecurity and technical resources targeted specifically to small & medium business.

Cybersecurity for Small Business

Learn the basics for protecting your business from cyber attacks.

Department of Homeland Security Cybersecurity

Resource center for cybersecurity and technical resources targeted specifically to small & medium business.

National Cyber Security Alliance

The nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education.

SBA Technology Coalition

Learning programs to empower and educate small business owners.

NCSA & SBA Small Business Resources

Free online safety resources for all internet users, with businesses recognized as a core component of the audience.

Closing thoughts

Well you made it to the very end. I hope this was valuable to you and can get you started on improving your small business cybersecurity.

If you read this far, I’d love to hear from you. We can discuss your small business cybersecurity and how Techfive can help you implement all of those important security controls you read about above. (or I’m also open to just chatting about your favorite steak spot, I’m always looking for good recommendations!)

Here is my LinkedIn, let’s chat:
https://www.linkedin.com/in/max-pierce

Prefer to talk to our advisors over at Techfive? give us a call or contact us online:

(918) 919-7920
www.t5it.com/contact-us

That’s it for this SUPER guide. If you like my content sign up for more below, I will send you even more actionable tech content. Thanks for reading.


WRITTEN BY

Marketing Manager @ Techfive | Working to make B2B brands more personable & human.
