Welcome to Techfive’s ultimate guide to small business cybersecurity. We created the Ultimate Guide to Small Business Cybersecurity as a one-stop resource for those of you who manage or own a small business and are looking to improve your business’s cyber hygiene.
Inside, you will find this guide is stuffed full of actionable advice, great resources, and tools for you to start the process of securing your small business.
Make sure to block out some time to read; it will take about 30 minutes from start to finish.
After finishing reading this guide you will:
1. Have a better understanding of the current cybersecurity landscape going into 2022
2. Have access to a practical guide on how to protect your business
3. Have access to the top resources for further learning
4. Understand the value of working with a cyber security service provider
5. Have answers to the most frequently asked questions we get about small business cybersecurity
Let’s get into it.
This is a great resource to hand out to your team to introduce them to the core concepts of cybersecurity.
If you are a regular reader of ours, I’m sure you have gathered by now that cyber-attacks are rapidly increasing in volume. In 2020, more cyber-attacks were reported than in the 15 prior years combined. 2021 saw that number rise even higher.
The combined cost of cyber-crimes in 2020 alone was $2.7 billion. Small businesses are attractive targets (and are quickly becoming the most common targets) because they have valuable information that cyber-criminals want and more often than not, don’t have proper cybersecurity controls implemented.
People are finally starting to realize the necessity of improved cyber security. Unfortunately, it has taken record-breaking amounts of cybercrime and a world-altering pandemic for cybersecurity to become mainstream. Regardless, we are getting to the point where cybersecurity is a major talking point for most mid-size to enterprise-sized organizations. Small businesses are (typically) the only ones being left in the dust and rubble.
The numbers don’t lie either. Here are some of the most jarring small business cybercrime statistics to give you a better picture of the current world we are living in.
Insider Insight: We don’t want to paint too negative of a picture, but it is impossible to ignore the implications these attacks have for small businesses. We don’t want to see our friends’ local businesses shut down because of these organizations. In 2022, cyber attacks are a risk you can’t ignore.
If you are an owner, manager, or executive at an organization making more than $500,000 ARR your organization is a prime target. It’s time to get ahead of the curve. Of course, we are going to recommend you work with Techfive but really what we want to reiterate is that you should work with any reputable cyber security provider.
There is some good news though: if you are a state, local, territorial, or tribal government entity, you may have access to ARPA funds to help your agency improve its cyber defenses.
If you are a part of a state, local, territorial, or tribal government entity I’m sure you are familiar with ARPA. ARPA funds can be used for the modernization of cybersecurity programs, including upgrading hardware, software, and protecting critical infrastructure.
COVID-19 has caused a rapid shift in operating environments meaning cybercriminals have new ways to take hold of public sector agencies. This has presented unique cybersecurity challenges for providers. The federal government is looking to improve the general cybersecurity posture of these public sector entities by injecting sizeable amounts of funding.
As a managed security service provider, Techfive can help your agency enhance its cyber defenses and upgrade and manage its IT. We have nuanced knowledge of the issues government agencies face and how to solve them.
Specifically, Techfive can help your agency with:
Please reach out if you are interested in a quick discovery call with our advisors; they will set you on the right path.
Although threats are constantly evolving, some stay fairly consistent. The largest threats to small businesses in 2021/2022 are:
The talk of the town right now is ransomware.
Ransomware is a favorite method of cybercriminals to extort businesses. Ransomware payouts tend to be substantial and are increasing rapidly. The average ransomware payout increased by 82% to a record high of $570,000 in the first half of 2021. The majority of small businesses do not have half a million dollars on hand to pay out a ransom payment of that size (and you wouldn’t want to either). This is one of the many reasons why cybersecurity is so important.
So how does a ransomware event occur?
Typically the process looks something like this:
The majority of the time, an attack occurs because of one of these reasons:
Insider Insight: It is important to cultivate a culture of openness and honesty towards cybersecurity within your organization. It is all too common for an employee to mistakenly click on a malicious link and keep it a secret for fear of repercussions. This is a terrible situation to put your employee (and organization) in. These attackers are preying on the inherent goodwill of your employees, and they will do anything to exploit them and, subsequently, you.
Remember that your employees aren’t the bad guys, the attackers are.
That being said, employees will unfortunately sometimes attempt to maliciously extort your organization as well. Let’s talk a little about internal threats.
Malicious internal threat actors are fairly common. These situations often occur after an anonymous cyber criminal reaches out to employees within your organization promising them a cut of the ransom payment if they give them access to your business data/network.
If you happen to have a disgruntled employee on staff who is looking to get back at you (or make a quick buck), they could accept that offer. Remember that these cybercriminals may be offering these internal threat actors amounts exceeding $100,000. That number can be very convincing, especially to an already upset current (or former) employee.
This is where your cybersecurity controls come into play. If you have a properly configured access management system with zero-trust policies in place, it should be very difficult for a malicious insider to give a cybercriminal access to your business network. The reality for most small businesses, however, is that doing so would likely be fairly trivial.
Detecting and controlling internal threats is very complex; your best bet is to focus on controlling your network environment and let that do the heavy lifting for you.
Malware is short for “malicious software”: invasive programs designed to disrupt or harm your computer or the wider network. Malware is most commonly delivered via email attachments, text or instant messages, peer-to-peer downloads, or misleading websites and ads.
These programs have varying purposes. Some destroy data on infected devices or intentionally increase network traffic to congest and disrupt your network. Often these packages are self-propagating: they infect other devices on the network, for example by abusing email servers to spread copies of themselves across the entire organization.
Essentially malware is software designed to harm your device or network.
Ransomware is a type of malware designed to block you from accessing your device.
Cybercriminals target companies of all sizes.
Knowing the basic principles of cyber hygiene can help to protect your small business and reduce the risk of a cyber attack.
Insider Insight: An important thing to understand is that completely preventing cyber-attacks is not possible. These attacks are carried out by sophisticated organizations with access to huge amounts of capital and a deep roster of expertise. However, avoiding being the “low hanging fruit” can be a very effective preventative measure. Follow the basic protocols below to avoid being the easy target.
Protect your files and devices:
Tip: MFA is almost always a requirement to get or renew a cyber insurance policy in 2021/2022.
Protect your wireless network:
Operate with a security-first mentality:
Tip: If you are ever working with a vendor or cybersecurity provider and they claim they can make you “completely secure”, they are either lying or ignorant.
Develop a response plan:
Important: Don’t say anything until you have spoken with an attorney. Speak with your cyber insurance agent as soon as possible. Your insurance agency will likely put you in contact with a breach coach. A breach coach will guide you through the process of returning to operations and, if need be, paying a ransom.
You may have a legal obligation to disclose information related to a breach. If this is the case, follow the law. We (Techfive and its constituents) are not legal experts and this is not legal advice.
Control who can access different items within your network:
This is commonly known as “access control”. Access control allows you to granularly control who has access to which parts of your network and which hardware they can reach. It is designed to help protect your business from both internal and external threat actors by making it more difficult to move laterally within your business systems.
Staff & external providers typically do not need full access to all of your business data and accounts. You should restrict access whenever possible.
You should give users the bare minimum permissions and work from there rather than the opposite. Your employees rarely need administrative access and distributing it freely will leave your business more vulnerable.
Remember to delete accounts when employees leave (especially if the exit is particularly nasty) or if you change providers. Most companies we work with find that they still have active accounts of employees that have been gone for quite some time.
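The two checks above (remove accounts of people who have left, and hand out admin rights only where they are actually needed) are easy to automate once you have an HR roster and an export of the accounts on your systems. The following is an added example, not Techfive’s tooling; the CSV columns, sample rows, approved-admin list and review date are all constructed for illustration.

```python
"""Reconcile an account export against the HR roster.

Added example (not Techfive's tooling): the CSV layout and every row
below are constructed sample data, not a real export.
"""
import csv
import io
from datetime import date

# Constructed HR roster: an empty end_date means the person is still employed.
HR_ROSTER_CSV = """employee,end_date
alice,
bob,2021-06-30
carol,
dave,2020-11-15
"""

# Constructed account export: one row per login on the business systems.
ACCOUNTS_CSV = """username,enabled,is_admin,last_login
alice,true,false,2022-01-10
bob,true,false,2021-12-02
carol,true,true,2022-01-11
dave,true,true,2021-01-03
svc-backup,true,true,2022-01-11
"""

# Accounts the business has explicitly decided need administrative rights.
APPROVED_ADMINS = {"carol"}


def load_rows(text):
    """Parse a CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def departed_employees(roster_rows, today):
    """Employees whose HR end_date is on or before the review date."""
    return {row["employee"] for row in roster_rows
            if row["end_date"] and date.fromisoformat(row["end_date"]) <= today}


def stale_accounts(account_rows, roster_rows, today):
    """Enabled accounts that still belong to someone who has left."""
    gone = departed_employees(roster_rows, today)
    return sorted(r["username"] for r in account_rows
                  if r["enabled"] == "true" and r["username"] in gone)


def unapproved_admins(account_rows, approved):
    """Enabled admin accounts that nobody signed off on (least privilege)."""
    return sorted(r["username"] for r in account_rows
                  if r["enabled"] == "true" and r["is_admin"] == "true"
                  and r["username"] not in approved)


def review(today_iso="2022-01-15"):
    """Run both checks against the sample data as of the given review date."""
    today = date.fromisoformat(today_iso)
    accounts = load_rows(ACCOUNTS_CSV)
    roster = load_rows(HR_ROSTER_CSV)
    return {
        "stale": stale_accounts(accounts, roster, today),
        "unapproved_admins": unapproved_admins(accounts, APPROVED_ADMINS),
    }


if __name__ == "__main__":
    for finding, names in review().items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Note that bob has logged in months after his HR end date, which is exactly the situation the paragraph above describes; a finding in either list should lead to the account being disabled or the admin right being documented and approved.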
Protect your data offline:
Always follow standard security practices. Remember that a threat actor can get access to your business network in person as well.
Don’t write your passwords on sticky notes, don’t let random people access your network, keep your server room locked, etc. You get the picture: use common sense and avoid costly, easily avoidable mistakes.
So now that we have covered the “basics”, let’s dive a little deeper into what you can do to properly secure your business. Many of our clients find this overwhelming. If that’s the case for you, I’d like to propose 2 options:
What is a framework? A framework is a voluntary guide designed to help business owners/operators manage and reduce cybersecurity risk by providing a set of standards to follow.
Why would you use a cybersecurity framework?
One of the best ways to improve your business cyber hygiene is by following the principles laid out in a cybersecurity framework. Each framework serves a slightly different purpose.
Insider Insight: The majority of the most popular cybersecurity frameworks are based upon the NIST Cybersecurity Framework, a government-developed framework to help owners and operators manage cyber risk.
NIST stands for: “National Institute of Standards and Technology”
The NIST framework is voluntary and consists of “standards, guidelines, and practices to promote the protection of critical infrastructure.” It is designed to be flexible, repeatable, and cost-effective, which allows owners and operators to manage cybersecurity-related risk.
The NIST framework is composed of three major components: the Core, Implementation Tiers, and Profiles.
How do I implement the principles laid out in NIST?
The best way to do so is to work with a cybersecurity service provider. There are professionals dedicated to the implementation of these frameworks. The likelihood that you will be able to follow the standards and implement them without significant technical knowledge is pretty low. It is also important to remember that large portions of these cyber security frameworks require constant effort. As we have said before, cyber threats are not static. If you implement a cyber security framework, expect that it will require month-to-month management.
If you would like to move forward without professional help, check out the quick start guide from the Computer Security Resource Center.
For those of you that want the short version:
The Framework is organized by 5 key functions.
CMMC serves as a way for the DoD to “guarantee” its contractors and subcontractors have implemented the proper cyber-defense principles to properly protect the sensitive information being shared with them.
Insider Insight: “Guarantee” is in quotes because, despite the function of CMMC being to protect sensitive unclassified information, many DoD contractors do not follow the requirements within it.
That should be changing with the updated CMMC 2.0 guidelines.
The CMMC framework has three key features:
Essentially, CMMC is the cybersecurity framework that organizations that work with DoD must follow to maintain compliance and continue working with the DoD. It is heavily based on the NIST framework but is tailored to DoD contractors & subcontractors.
For further reading: https://www.acq.osd.mil/cmmc/index.html
The CIS Critical Security Controls are a set of actions to help your organization achieve improved cyber defense. The CIS controls are built to provide actionable ways to prevent the most pervasive attacks from occurring within your organization. CIS controls are a shortlist of highly effective “must-do, do-first” starting point actions for every enterprise seeking to improve their cyber defense.
CIS controls serve as a way to help organizations prioritize and implement the NIST security guidelines mentioned above in a systematic way that is tailored to your organizational requirements. CIS controls map to most major compliance frameworks in some capacity and help your organization achieve compliance, especially if you are required to follow HIPAA, NERC CIP, FERPA, or CMMC guidelines.
Following a cybersecurity framework is the go-to recommendation for most organizations to improve their cyber defenses. Generally speaking, we recommend most of our clients start by working with the CIS Critical Security Controls and working towards achieving the standards laid out in Implementation Group 1 (IG1). Once an organization achieves IG1, they are considerably more difficult to exploit and can then focus on enhancing their cybersecurity posture dependent on needs and/or compliance requirements.
At Techfive, we have helped numerous organizations, ranging from healthcare providers to defense contractors, improve their cyber defenses and achieve compliance. Reach out for more information.
Read the full guide on cybersecurity risk assessments here →
What is a cybersecurity risk assessment?
A cybersecurity risk assessment is the analysis of your company assets and procedures to identify gaps that could make you vulnerable to a cyber-attack.
Once you have identified those gaps, you can then rank them from highest and most immediate threat to least.
This will allow your organization to perform its risk mitigation process in order of importance, saving critical resources and maximizing efficiency.
How to perform a cyber security risk assessment of your business
Follow these 5 vital guidelines when conducting your assessment:
1. Figure out the scope of your assessment
This will be a lesson in thoroughness. You will need to identify every asset that will be evaluated to accurately determine the full scope of the project.
We would recommend starting small with a single asset type and then moving systematically through the remaining asset types in the same fashion.
Once you have chosen your asset type, you will need to figure out any other devices or information it touches in any way.
Take your time on this step of the process as this will ensure you are getting a comprehensive look at your entire network. Cutting corners here could mean critical vulnerabilities being unintentionally ignored.
2. Determine the value of each asset
Once you have completed step 1, it’s time to talk value.
It’s important to remember that the value of an asset likely extends beyond just the cost of the hardware/software. Consider the intangible cost of an asset and the cost of the loss of an asset to your business.
Typically we find most assets’ actual value extends well beyond the expectation. We live in an interconnected world and your business is no different.
For each asset, gather specific information where applicable such as software, hardware, end-users, purpose, criticality, and any security policies in place.
3. Identify gaps in your security
This is where a lot of the complexity comes in. It is nearly impossible to do this without having a background in cyber security or information security.
What you are going to want to do is calculate the likelihood of various business loss scenarios. Essentially you are looking to identify security holes, calculate the impact that an exploit would have on your organization, and mitigate those risks.
The most common threats that affect every organization typically include:
4. Perform an info value vs cost of prevention analysis
This is the way you figure out what to prioritize first and what is most immediately beneficial.
What we are looking for is to assess the importance of securing a category of your data compared to the relative cost for your company to do so.
To do this, you weigh the likelihood of a threat and its potential impact against the cost of preventing it. From that comparison you can produce a plan for which holes need to be patched first.
Something to remember is that the impact of a cybersecurity incident extends beyond just money. It is common for a brand’s reputation to be negatively affected after suffering from a cyber incident. Take this into consideration when performing your information value vs cost of prevention analysis.
5. Establish security controls (and continuously monitor them)
Once again, this is a complex task requiring multiple skill sets to complete and do well. The key here is continuous monitoring of security controls.
Threat actors aren’t static threats, they are constantly finding the newest vulnerability/angle to attack from. To stay ahead of the curve you have to constantly monitor and adjust your threat mitigation strategies.
A good practice is to update your cybersecurity assessment roughly once per year.
6. Document your findings!
This report doesn’t mean a lot if you can’t reference it later. It will serve as an invaluable tool you can use to develop new (and more effective) security practices.
You can also use your report as a training tool for new hires coming into your organization.
Take your time here. Meticulously organize your findings; you won’t regret it.
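Steps 2 through 6 above can be carried through as a small risk register: value each asset, estimate how likely each gap is to be exploited and what it would cost (including the reputational hit mentioned in step 4), weigh that against the cost of closing the gap, and write the ranking down. The code below is an added example, not Techfive’s method; the expected-loss scoring is one simple way to do the comparison, and the assets, likelihoods and costs are constructed sample values.

```python
"""Rank security gaps by expected annual loss versus cost to fix.

Added example, not Techfive's method. The scoring is a simple
expected-loss model; every asset, likelihood and cost is a constructed
sample value, not data from a real assessment.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    replacement_cost: float        # step 2: what the hardware/software costs to replace
    downtime_cost_per_day: float   # step 2: the intangible/operational cost of losing it


@dataclass
class Gap:
    asset: Asset
    threat: str
    annual_likelihood: float   # step 3: chance (0..1) the gap is exploited in a year
    outage_days: float         # step 3: how long the asset would be unavailable
    reputation_cost: float     # step 4: impact beyond money, as the guide warns
    mitigation_cost: float     # step 4: cost of closing the gap (must be > 0)

    def expected_loss(self):
        """Expected annual loss from this gap: likelihood x full impact."""
        impact = (self.asset.replacement_cost
                  + self.asset.downtime_cost_per_day * self.outage_days
                  + self.reputation_cost)
        return self.annual_likelihood * impact

    def benefit_ratio(self):
        """Expected annual loss avoided per dollar spent on mitigation."""
        return self.expected_loss() / self.mitigation_cost


def prioritize(gaps):
    """Step 4: highest loss-avoided-per-dollar first."""
    return sorted(gaps, key=lambda g: g.benefit_ratio(), reverse=True)


def report(gaps):
    """Step 6: the written findings, one line per gap in priority order."""
    lines = []
    for rank, g in enumerate(prioritize(gaps), 1):
        verdict = "fix first" if g.benefit_ratio() >= 1 else "accept / insure"
        lines.append(f"{rank}. {g.asset.name} / {g.threat}: expected loss "
                     f"${g.expected_loss():,.0f}/yr vs mitigation "
                     f"${g.mitigation_cost:,.0f} -> {verdict}")
    return lines


# Constructed sample assets and gaps.
FILE_SERVER = Asset("File server", replacement_cost=8_000, downtime_cost_per_day=5_000)
EMAIL = Asset("Email accounts", replacement_cost=0, downtime_cost_per_day=2_000)
POS = Asset("POS terminal", replacement_cost=3_000, downtime_cost_per_day=1_500)

SAMPLE_GAPS = [
    Gap(FILE_SERVER, "ransomware: no offline backups", 0.30, 10, 20_000, 6_000),
    Gap(EMAIL, "phishing: no MFA on email", 0.50, 3, 15_000, 1_200),
    Gap(POS, "legacy OS on POS terminal", 0.05, 2, 5_000, 12_000),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GAPS)))
```

The ranking comes out MFA first, backups second, and the POS replacement last, where the expected loss is far below the cost of fixing it; that third case is where the cyber insurance discussed below earns its keep.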
Ransomware attacks are on the rise and cyber insurance is becoming more and more of a necessity every day. Organizations that find themselves with poor cyber hygiene AND no cyber insurance are asking to be attacked. It’s a perfect storm for threat actors.
To have a comprehensive cyber defense policy in place, your small business should invest in cyber insurance. Cyber insurance protects you from the “worst-case scenario” and acts as a final line of defense. The hope is that your organization will never have to use it.
Essentially, cyber insurance functions much like any other type of insurance. If you find yourself in a situation where you need to pay a $500,000 ransom, your insurance will cover that cost (with some notable exceptions).
What does a cyber insurance policy cost?
Typically organizations with around $1mm ARR at a $10,000 deductible will spend about $1500/year on a cyber insurance policy. This number will likely increase in 2022 as cyber insurance agencies are finding themselves upside down on these policies because of the massive influx of cyber attacks in the last 18 months. These rates are highly variable depending on the nature of your business and the size of your business.
What to look for in a cyber insurance policy?
Important: Cyber insurance isn’t standardized; your organization should review all policy language with a broker before making a decision. Policies often vary significantly in their language and options.
You should look for policies that use broad terminology and protect against a wide range of threats. Especially look out for the following:
Cyber insurance policies and premiums will vary widely depending on your industry, whether you store sensitive records, the risk management policies you have in place, and much more.
This means that the only way to find the best policy for your organization is to work with a broker.
Insider Insight: It’s important to remember that insurance companies are a business and expect to make a profit. In 2022 most insurance providers will no longer provide coverage unless you follow basic risk management procedures. This means doing things like implementing multi-factor authentication and training your employees on cyber risks.
A quick summary of our recommendations on cyber insurance:
We often find businesses that work with 3rd party vendors that have less-than-stellar cybersecurity practices in place. This often leaves huge gaps in a small business’s cyber defenses and can serve as an open door into your business’s network or systems.
It’s important to work with reputable vendors that have nuanced knowledge of their cyber defenses and how they are protecting their clients.
This may be particularly relevant if you find yourself in an industry that has strict compliance requirements. If you work with a 3rd party vendor that unintentionally reveals sensitive data you may be liable for that data breach. That may mean massive fines and a million headaches.
Important: If your vendor can’t direct you to resources that explain their cybersecurity policies, they probably aren’t prepared for an attack. You can’t afford to ignore this if you are in a particularly cyber-sensitive industry.
Your employees are both your biggest asset and your biggest cyber liability. Training them to follow best practices can provide immense value and prevent cyber events from ever occurring. Here is our practical 11-step process for helping your employees significantly improve their cyber hygiene (and, subsequently, your business’s as well).
Is my small business at risk? We barely have any revenue.
Every business is at risk.
Small businesses are becoming the prime target for attackers moving into 2022. Even very small businesses (<$1mm ARR) have data/systems that could be compromised. Remember threat actors are almost always only interested in turning a profit. If your small business has little-to-no cyber security controls in place, you are an exceptionally easy target and a quick payday.
Cyber attackers have become very systematized. The days of a guy in a hoodie in a basement are gone. The majority of cyber-attacks are being carried out by large-scale hacking organizations living in nations abroad. These organizations are relatively untouchable because of the countries they originate from.
This means that there are plenty of attackers to go around, which is causing cyber attacks to be much more widespread. A wider net of attackers means that more small businesses are being targeted than ever before. 2020 alone experienced more cyberattacks than the 15 previous years combined.
What happens if my business experiences a cyber event?
There are many ways a business could experience a cyber event.
The most common threats in 2021/2022 are:
When a business gets attacked, it is almost always for money. That means a threat actor will do anything they can to get you to fork over cash (cryptocurrency). The most common way this is carried out is through ransomware.
Ransomware encrypts your network & business systems, effectively shutting down your operations. The threat actor will (sometimes) provide a key to regain access to your systems once a ransom is paid.
As you might expect, these threat actors don’t have your best interest in mind. There are often reports of businesses paying a ransom and then the attackers forcing them to pay a second ransom immediately after.
Attackers most often get access to your business network by exploiting the people within your organization. Investing in cyber security training will pay huge dividends in the long run.
Can my business recover from a cyber attack?
A large portion of businesses that experience a cyber attack shut down within 12 months following the event. The strain a cyber event puts on small organizations both operationally and financially can often be a death sentence.
The only way to guarantee recovery (or to help prevent an attack from ever happening) is to have a dedicated plan in place. A functional cyber security plan of action must:
Well, you made it to the very end. I hope this was valuable to you and can get you started on improving your small business cybersecurity.
If you read this far, I’d love to hear from you. We can discuss your small business cybersecurity and how Techfive can help you implement all of those important security controls you read about above. (or I’m also open to just chatting about your favorite steak spot, I’m always looking for good recommendations!)
Here is my LinkedIn, let’s chat:
Prefer to talk to our advisors over at Techfive? give us a call or contact us online:
That’s it for this SUPER guide. If you like my content sign up for more below, I will send you even more actionable tech content. Thanks for reading.
Marketing Manager @ Techfive | Working to make B2B brands more personable & human.
2022 Techfive, LLC.