Creating a Small Business Cyber Security Plan

Chris Adams
January 9, 2023

Updated: January 9, 2023

Limiting access to your sensitive data is a must in this information-heavy society that we live in today. Protecting that data is even more essential if you're running a small business. Everyone from your employees and vendors to your customers expects you will treat their information with the same security as yours. Anything less can lead to serious monetary penalties and severe and lasting reputational damage.

Here at EMA, we do more than show you how to create engaging posts on social media. As a repository for all things small business, we felt that compiling an essential primer on creating and implementing a small business cyber security plan would be worthwhile for this entry. Just as all business decisions should be planned and executed as part of an overall master plan, your cyber security procedures should also be tailored to your specific business model. Implementing these steps as a part of a full-fledged cybersecurity plan is doable for even a small business. It will pay dividends even if it does nothing more than save you time by eliminating duplicated effort or small oversights.

Laying The Foundation

Now that we've covered why cyber security is important and why a formal plan is integral to your success, where do you start? These next few items should take place simultaneously or as near to that as possible. No one element is more important than another, and you need to have them all solidly identified before developing the actionable items that we'll get to a bit later.

Conduct a Cyber Risk Assessment

What segments of your business are the most vulnerable to cyber threats? If you don't know where your weaknesses are, you aren't able to harden them effectively. By analyzing your vulnerabilities, you can better tailor your plan to fit your enterprise's most common attack vectors. Some of the most common attack vectors for cybercriminals are the following:

  1. Ransomware
  2. Malware/Spyware
  3. Phishing and other social engineering scams
  4. Man-in-the-middle attacks

Audit and Evaluate Your Systems and Devices

Knowing what sensitive information you have stored in which systems, and which devices have access to those systems, is another critical benchmark toward building an effective small business cyber security plan. Limited-access networks are great, but if your staff access those networks from outdated mobile devices or with an unpatched operating system, then those access controls provide only limited protection.

Include Your Subject Matter Experts

Business owners may not always be aware of the breakdown of desktops versus mobile devices or even network systems containing protected business data. Even small businesses may place most of the responsibilities regarding cyber security on a few select employees or even a third-party vendor. You have to include these parties in the development stage of your business cyber security plan to get an accurate representation of the path ahead of you.

Planning Actionable Steps

Your information-gathering stage is complete, and it's time to develop an action plan. These next steps will go beyond your basic security practices and elevate your security posture to a much higher level.

Secure Your Passwords

No matter the attack vector, weak password security will compound any issue into something much worse. You should implement password requirements, including length, special characters, numbers, capital, and lowercase text, and strongly encourage a passphrase instead of just a single word. As a best practice, you could provide a password manager application that randomly generates passwords, stores them securely with encryption, and even allows additional features like preventing the reuse of passwords across networks or applications. Multi-factor authentication should be mandatory.

Install Firewalls and Other Cyber Security Programs

Firewalls, antivirus, anti-malware programs, and anti-spyware programs are all key pieces of the puzzle. This won't absolve your staff of the need to be careful and educated on cyber security. Still, an additional layer of defense with push notification warning capabilities can allow you to detect a data breach in the early stages and limit the damage. This is also a good time to secure your Wi-Fi networks with passwords and ensure they use at least WPA2. Regardless of the programs you choose to apply, you must make sure that software updates and any provided patches are installed regularly so that known vulnerabilities can't be exploited. You can't just install security apps and walk away, no matter what some developers may promise.

Train Your Staff

An educated and engaged staff will do wonders for your cyber security posture. It isn't enough to tell them what the rules are. Having a crew that understands the reasons behind security protocols and procedures only increases the chances that they will follow policy voluntarily and be on the lookout for early warning signs of a potential data breach. Training should be interactive, realistic, and ongoing, not just something pushed out to check a box or fulfill the minimum requirements.

Establish an Incident Response Plan

It's not a matter of if but when. Over 43% of cyber attacks target small businesses, so it only improves your chances of success if you look at a data breach as a likely outcome. That doesn't mean that you shouldn't do everything in your power to secure customer information, but accepting that a cyber incident is going to happen allows you to establish concrete steps to take in response to such an event. Review this response plan with your employees, run exercises of common breaches, regularly update contact information, and adjust steps to comply with changes in staff roles, responsibilities, and changing business practices. This will help limit damage from any adverse event and help mitigate any downtime you might experience due to an attack.

One Final Point

A small business cyber security plan is not a one-and-done project. This is a fluid document that requires regular input, updating, and revision, and it should be treated as equally important to your business plan as a whole. For more tips on managing your business more efficiently, subscribe to our weekly small business newsletter. At E-Marketing Associates, we help small businesses grow.
