The complete guide to SMB cybersecurity

You don’t have to look far for news about data breaches these days.

Unfortunately, there is a pervasive myth that cybercriminals overlook small businesses. Popular opinion seems to be that they are too small to be worth the time and effort of hacking. In reality, small businesses are easy targets.

According to the 2018 Data Breach Investigations Report by Verizon, small businesses account for 58% of malware attack victims. The cost can be enormous, both in dollars and lost data, not to mention reputation, so when it comes to protecting your data and your business, you really can’t be too careful.

Cybersecurity is more than just a program you install on your computer, though. If done correctly, it should touch every part of your business.

With this in mind, we have put together a complete guide that addresses the following essential components of cybersecurity for your small business:

  • Antivirus software
  • Ransomware and phishing prevention
  • VoIP security
  • Employee education
  • Physical security
  • BYOD policies
  • Backups and disaster recovery

Antivirus software

At the most basic level, your business should have antivirus software installed on every computer. Many businesses take the DIY approach to IT management; if you do, remember that antivirus software only protects your computers from infection when it is kept up to date and running at all times.

While antivirus software is not difficult to maintain, it can be time-consuming, and the consequences of missing an update can be severe.

Depending on the size and IT budget of your business, you may have the means and inclination to hire dedicated IT staff, who can manage antivirus software alongside all other IT responsibilities. If that is beyond your means, consider an IT managed service provider (MSP) instead.

Many MSPs offer cloud-based antivirus services, which let the MSP keep your computers protected with automatic updates and patches. Most MSPs offer out-of-the-box antivirus solutions, but you may also want to consider a custom solution designed to meet your specific cybersecurity needs.

Related reading: DIY networking troubleshooting you can do before calling in the pros

Ransomware and phishing prevention

In addition to managing your antivirus software, an MSP or IT department has the responsibility of monitoring the network for malware attacks.

Increasingly, small businesses are being targeted by phishing and ransomware attacks. These attacks usually arrive by email, so employee education and awareness are vital elements of prevention.

If you handle your IT work yourself, monitoring becomes harder and the education piece matters even more.

Related reading: The 18 biggest data breaches of the 21st Century

VoIP security

VoIP phone systems come packed with useful features, making them attractive to businesses. Unlike traditional phone lines, though, VoIP systems run over the internet, so it is important to secure this part of your network as carefully as the rest. We recommend the following best practices for VoIP security:

  • Choose encrypted VoIP services
  • Change the default password on your VoIP handsets
  • Keep track of usage so you can spot an account takeover (ATO) attack
  • Keep software/patches up to date
  • Enable multi-factor authentication, if available

Related reading: The SMB owner’s phone system buying guide

Employee education

Regardless of the size of your business or the industry you operate in, employee education is an important piece of the cybersecurity puzzle.

Employees can be your biggest asset or your biggest liability when it comes to cybersecurity. Educate employees and engage with them regularly on the following cybersecurity procedures:

  • Creating strong passwords
  • Ransomware and phishing prevention
  • BYOD policies and best practices
  • Physical security best practices
  • Understanding compliance
  • Safe internet usage
  • Disaster recovery – employee roles and expectations

Related reading: How better communication boosts productivity

Physical security

When it comes to cybersecurity, there are some protections that are hard to overlook, such as antivirus software. However, there are other less obvious (but equally important) protections in the realm of physical security.

The following are some recommended best practices when it comes to physically securing your data:

  • Always lock computers when not in use
  • Never write down passwords
  • Do not share passwords with others
  • Do not connect unapproved devices, such as USB drives, to work computers
  • Do not remove physical files, USB devices, or company property from the premises without permission
  • Do not leave company-issued laptops unattended in public places or in vehicles, even locked ones
  • Keep Wi-Fi and other networks secured

Related reading: The DIY guide to IT projects

BYOD policies

Almost all employees use personal devices to access work at some point. Project management mobile apps, for example, can help employees be more productive by streamlining their workflow.

At the same time, it is very important to communicate device use expectations and boundaries to employees with Bring Your Own Device (BYOD) policies. If there are any compliance concerns, make sure to also outline these clearly and concisely.

Related reading: The top 11 mobile collaboration tools

Backups and disaster recovery

When technology is central to everyday operations, it is paramount that your business is prepared for every eventuality, from occasional downtime to outright disasters.

To minimize downtime, make sure your network setup is as stable as possible. Regular backups will help to protect you from data loss. While local backups are more accessible and give you complete control over your data, there are many significant benefits to backing up to the cloud (for more thoughts on this, head over to Cloud vs. local backup: Which do you need?).

It is also worth reading about the 3-2-1 backup rule and why it is important for small businesses.

According to FEMA, almost 40% of businesses do not reopen after a disaster. When a disaster hits, you need to have a plan in place in order to establish emergency communications, reopen operations, and keep things going. You can’t afford to leave these things up to chance.

Read more about how your small business can create the best disaster recovery plan possible.