A Step-by-Step Process for Creating an SMB Cybersecurity Plan

In today’s digital world, security is vital for small businesses to thrive, or at least survive. 

Cyber attacks continue to dominate the headlines, with a particular focus on well-known firms. However, research shows that small businesses with fewer than 100 employees are the target of 71% of cyber attacks. This demonstrates that small businesses are just as vulnerable as larger corporations.

Identity Protection - McAfee Total Protection

Buy Now

We earn a commission if you make a purchase, at no additional cost to you.

It’s scary in cyberspace!

We don’t want to frighten you, but small businesses are more likely targets of internal and external threats because their network security is weaker than those of larger businesses. 

Cybersecurity firm Cobalt has put together some small business cybersecurity statistics gathered from reliable security surveys and studies. If they don’t alarm you, we hope you at least give them a second thought. Here we go:

• As a result of the COVID-19 pandemic, cybercrime has surged by 600%
• Cyberattacks on small enterprises account for 43% of all attacks (Small Business Trends)
• A cyber attack on a small business costs more than $25,000 on average (Readwrite)
• Only 14% of small firms are prepared to ward off cyber-attacks (Embroker)
• Phishing/social engineering, compromised/stolen devices, and credential theft are the most typical types of assaults on small enterprises (Forbes)
• In 2021, ransomware infected 37% of all businesses (Cloudwards)
• Every 14 seconds, a new organization is infected with ransomware. (Cloudwards)
• Phishing attacks are responsible for 90% of all data breaches (Cisco)
• Social engineering is used in 98 percent of attacks(Tribunal for hosting)
• Email accounts for 96% of all phishing attacks (Tessian)
• 80% of small and midsize businesses don’t use data protection (Intel Security)

Even as a small business you wouldn’t want your company to land in the headlines about a devastating cyber attack.

A Brief Review of Cybersecurity

Cybersecurity is the practice of ensuring that a small business’s digital network and data are protected from cyber threats. It involves the application of technology, procedures, and policies to protect systems, networks, programs, devices, and data from cyber attack attempts.

Why is cybersecurity important for small businesses?

Theft of digital information is now the most widely reported type of fraud, even more so than theft of physical stuff, according to the Federal Communications Commission (FCC).

Small businesses don’t operate on the same scale as larger corporations. For this reason, small business owners may find cybersecurity too advanced or unnecessary for their operations.

However, it doesn’t mean that small businesses are automatically safe from cyber threats. Hackers like to target smaller businesses because there is less sophistication in their cybersecurity  systems. This makes it easier for cyber criminals to gain access to their computer systems and steal information or financial resources.

Aside from stealing information, threat actors use ransomware attacks to obtain easy money. They hold your network hostage to prevent you from accessing important information until you pay the ransom. 

The last thing you want is to lose brand reputation because of a cyber attack or pay ransom to get your network running again. How? Implement a cyber security plan to protect your business from the risk of cyber attacks.

What is an SMB Cybersecurity Plan?

A cyber security plan is a written document that details the security controls, rules, procedures, and countermeasures to protect small businesses from cyber threats. The goal of this plan is to maintain the integrity of your company’s critical data and the security of your assets.

An SMB cybersecurity plan doesn’t have to be as sophisticated as that of large enterprises. It will depend on the type of business you have and the sensitiveness of the information you’re protecting.

For example, a healthcare company would have a different security program approach from an online store, bank, or educational institution.

Why is a cybersecurity plan important for small businesses?

Just like any venture, a plan or blueprint is necessary to guide you in protecting your business, particularly its security. The main goal of an SMB cybersecurity plan is to protect your customers’ personal and financial information and the company’s own business data from cyber attacks.

More specifically, a cybersecurity plan protects your business from potential damaging consequences, such as:

Financial cost

A successful cyber attack – whether it’s data breach, ransomware, identity theft, or outright theft of funds – always ends up with financial costs. Ransomware payments are expensive. You’ll have to settle funds stolen from your clients.

Businesses that suffer from data breach incidents will also incur associated costs on disruption of business, repair of affected systems, and other recovery efforts.

Damage to business reputation

Consumer relationships are built on trust. Cyber attacks can harm your company’s brand and diminish your clients’ trust in you. As a result, there’s a chance that:

• Customers will leave
• Sales will decline
• Profits decrease
• Reputational harm can have a negative impact on your suppliers, partners, investors, and other stakeholders in your company.

Legal consequences

Data protection and privacy rules require you to keep track of the security of any sensitive information you have on your employees and clients. Small business owners could face fines and regulatory punishments if any data is unintentionally or intentionally compromised because you fail to implement proper security measures.

Step-by-Step Process for Developing a Cybersecurity Plan

The cybersecurity plan lays out the responsibilities and expectations of all employees and other stakeholders of your small business. It also describes the consequences of failure to comply with the policies.

We have outlined a step-by-step process to help you craft your cyber security plan. We have also included the basic elements that should go into your plan.

Step 1 – Understand your business

It’s critical for a small business to recognize which of its assets are the most valuable.

Understanding the business framework and the resources that support it is important to protect important functions from cyber attacks.

This can be accomplished by analyzing technology and tools that may be obsolete and pose a risk to your small business.

People

Everyone in your team is accountable for managing cyber risks, including temporary workers and third party partners. Integrate cybersecurity into your employee orientation. Emphasize key security practices and the consequences of misbehavior in the workplace, such as:

• Sharing passwords
• Falling for email phishing scams
• Exposing laptops and USB storage devices to theft 
• Neglecting to observe data security policies

Implement reasonable procedures to ensure that third parties have the capacity to protect sensitive data before entrusting it to them. This entails choosing only service providers who are capable of protecting personal information. This should be expressed explicitly in their agreements.

You should also require your vendors to produce proof of insurance in order to safeguard you in the event of a loss caused by them.

Data

Data is the foundation of a cybersecurity policy. What data do you have on hand that a bad actor would find useful or valuable?

Sensitive data can be kept on a laptop or on external storage devices. It can also be saved to a cloud storage service such as Google Drive. Take note of the security measures in place to gain access to this information, such as passwords, multi-factor authentication, IP whitelisting, and so on.

Some examples of critical data that are vulnerable to data breaches are:

• Personal identifiable information
• Bank/credit/debit card information 
• Personal health Information 
• HR records 
• Business plan documents 
• Proprietary resources like patents, designs, and product research and development 

Devices

Determine what devices need protection. What devices do you currently use that could be exploited to breach your security? Do they contain any sensitive information? 

Make a list of every single device that stores sensitive information. Devices with specific purposes are often harder to protect and update.

Technology

Make sure you have a technology usage policy in place in your entire organization. This policy outlines what employees are allowed and not allowed to do with company-owned technology. Technology policy includes operating systems and software. 

Operating systems

Check that all of your operating systems have been patched, updated, and are still supported. For example, Microsoft Windows and macOS versions from the past no longer offer updates. 

Your company should not be running on versions of operating systems that are no longer supported. Make certain that all your devices have been upgraded to the most recent version. 

This also applies to mobile devices. It’s time to upgrade if your device doesn’t support the most recent version. A data breach is inevitable if you use an unsupported or unpatched device.

Software

Software, like operating systems, has supported versions and updates on security. Out-of-date backup and storage software could provide threat actors access to your data. Credentials may be exposed if you use an older version of a password manager. 

It is critical to keep all business software up to date, just as you would with operating systems. Even if an operating system is properly patched, obsolete software may still provide remote access.

Step 2 – Assess current and potential risks and vulnerabilities

Risks and vulnerabilities

The next step in building your security plan is to identify and assess all potential attack vectors. Map out your entire attack surface to understand where your small business is most vulnerable.

Take note of the most common attack vectors where cyber criminals can launch data breach exploits, such as:

• Poor encryption
• Weak passwords
• Compromised credentials
• Outdated software
• Misconfigurations
• Malicious insiders
• Employee negligence
• Technical failure

There may be more attack vectors that your business might face. Let your security team assess every possible risk that your business might encounter. If your team isn’t capable, bring in trusted third parties to find other vulnerabilities.

Be aware of threat intelligence

Threat intelligence is the gathering of information that a business uses to better understand past, present, and future threats. This information is used to anticipate, prevent, and identify cyber threats attempting to exploit valuable digital assets and intellectual property.

Threat intelligence can help businesses gain useful information about these threats and develop effective defense systems. It helps mitigate risks that could harm their bottom line and reputation. Cyber threat intelligence provides businesses the ability to defend themselves more proactively because it helps them build defenses for specific threats. 

How does threat intelligence work?

Threat intelligence tools do their job every second of every day, scouring the vast and diverse expanse of the cyber threat landscape. They collect raw data from a variety of sources on emerging threats and threat actors. This information is then processed and filtered to create threat intelligence feeds and management reports that automated security control systems can use. 

The main goal of threat intelligence is to keep businesses informed about the dangers of advanced persistent attacks, zero-day threats, and exploits, as well as how to protect themselves.

Threat intelligence comes in three levels: operational, tactical, and strategic.

Operational threat intelligence uses machine-readable data usually gathered from active campaigns and the threat intelligence community. Some serious intelligence gatherers may get their information from honeypots or even the dark web.

Operational intelligence data include URLs, domain names, file names, IP addresses, among others. They are also called indicators of compromise (IOC).

Tactical threat intelligence covers the tactics, techniques, and procedures threat actors use. It also identifies the places for threat hunting.

Strategic threat intelligence tracks the trends in the threat landscape. It also aims to identify who are behind the threats and why they do them.

Step 3 – Understand regulatory policies

Businesses have a legal obligation to operate according to regulatory and compliance standards, such as data protection and privacy. 

When prioritizing your risks, threats, and remediation’s, it’s critical to understand the compliance standards of your business niche. You’ll need to understand how those standards impact the security solutions you’ll implement so you don’t violate regulatory policies.

Regulations specific to your business niche should be considered when responding to a breach. For example, if your business is found to have been irresponsible in its handling of data security, legal and regulatory consequences may follow.

Having a detailed audit log of what transpired before, during, and after the breach can assist your company avoid being accused of failing to meet its security obligations.

Step 4 – Do an inventory of your cybersecurity infrastructure

Software and hardware is the bedrock upon which security systems are built. You can’t secure something if you don’t know it exists. This is why you need to know what security assets you have, including their whereabouts and working condition.

Firewalls

To filter traffic in and out of the network, include a firewall in your small business cyber security strategy. 

Firewalls restrict data based on the protocols they employ. Traffic should be terminated if the protocol does not match the port being used. To prevent intruders from joining the business network, your firewall should strictly limit open ports.

Virtual private network (VPN)

Virtual private networks (VPNs) allow users to establish secure, private connections over a public network like the Internet. On each platform, you can use a variety of technologies to convert regular Internet connections into VPNs. VPNs encrypt and verify data sent between remote nodes of a business network, allowing remote users, branch offices, and corporate partners to communicate securely.

Endpoint protection

Include endpoint protection in your cybersecurity plan. Endpoint protection (EPP) is the process of protecting the data and operations associated with particular devices connected to your network. Endpoint protection software inspects files as they enter the corporate network. EPP can detect malware and other threats fast.

Endpoint devices include:

• Desk tops
• Laptops
• Tables
• Mobile devices
• Printers
• Servers
• Medical devices
• ATM machines

Email gateway security

Email gateways are firewalls for emails. They scan emails at different aspects to determine whether they contain threats. If they detect malicious content and flag down the emails to prevent their intended recipients from receiving them.

Step 5 – Patch vulnerabilities

A vulnerability is a defect in a computer system that cybercriminals can exploit to obtain unauthorized access to the corporate network to do unlawful actions.

Patching closes the holes in the system. It fixes bugs and prevents malware, ransomware, and endpoint breaches, all of which can happen even if your antivirus software, firewalls, and operating system are all up to date and working.

Patches safeguard your business from known security incidents and avoid zero-day cyber attacks. Patching also promotes a cybersecurity-aware culture, which is critical for safeguarding stakeholders.

Step 6 – Write your cybersecurity plan

Now that you’ve prepared your security infrastructure, it’s time to document your cyber security plan. Here, you’ll want to incorporate all the following security safeguards:

User access control

Today’s businesses must be able to connect employees to the data they require no matter where they are. It’s critical to limit data access to only those who require it for work, and to control levels of access to the right employees on the right devices.

Encryption

Every business should adopt encryption to protect company data against unwanted access. Encryption makes data unreadable to unauthorized users. It improves data security by preventing data theft especially in a workplace atmosphere in which such devices can be used outside of the office.

Passwords

Strong passwords are the first line of defense against break-ins to your online accounts and devices. Strong passwords are long phrases or sentences that combine uppercase and lowercase letters, numbers, and symbols.

Weak passwords can make your information vulnerable to criminals.  Criminals often use automated programs to break into accounts with simple passwords. 

NordPass password manager | Zero password stress. Forever. | NordPass

Buy Now

We earn a commission if you make a purchase, at no additional cost to you.

Two factor authentication

Two factor authentication improves account security significantly. It should be used whenever possible. 

Text message and token verification are now supported by the majority of Internet services.

In text message verification, you will receive a text message from the online service with a number to authenticate your identity.

Token verification can be obtained from a variety of third-party applications, such as Google Authenticator. Your online account is linked through the app. It will ask for the code created by the associated app when you login using your password. This method is safer than texted codes because the token codes change every 30 seconds or less. 

Data storage and backups

It’s critical to properly store and back up customer information and other digital data. Businesses waste a lot of time and money trying to recover lost or compromised data, with little success.

Security must be considered when storing data to comply with the requirements for privacy. Depending on your industry, you may need varying levels of administration and management, including data backups and recovery. 

Managing them on your own requires expertise and a dedicated team.  However, cloud-based storage and backup services have built-in security and privacy controls, making them more affordable for small businesses.

Vendor security and compliance

Implement reasonable procedures to ensure that third parties have the capacity to protect sensitive information before entrusting it to them. This entails choosing only security vendors who are capable of protecting personal information. This should be expressed explicitly in their agreements.

You should also require your vendors to produce proof of insurance in order to safeguard you in the event of a loss caused by them.

Penetration testing

Penetration or pen testing is a form of ethical hacking. It is a simulated cyber attack used to discover exploitable issues before attackers do. It can also be used to test the robustness of an organization’s security policy. 

Pen testing can be automated or done manually. Automated testing tools produce better results than manual results. They can do their job faster than humans and can be depended upon to look for vulnerabilities continuously.

Website whitelisting

A system administrator uses website whitelisting to prevent users from accessing all websites except those that are required. He or she compiles a list of safe and approved websites for the user. The end-user can only visit the pre-approved websites once the website whitelisting policy is in place.

Security awareness training

You should train and educate employees on cybersecurity best practices on a regular basis. They should receive training when they are hired, annually, and as needed.

If your company experiences an incident that shows bad cybersecurity decisions, you should devote extra time to teaching your workers on how to effectively respond to cyber attacks. There are numerous free and accessible cybersecurity training resources.

Step 7 – Monitoring and auditing

You should monitor and audit your plan from time to time for a brief internal audit or a more in-depth one.

Here are questions you should consider:

Is the plan still relevant?

Perform a document-based evaluation of the plan. Examine whether the policies and processes are still relevant, complete, and applicable. Ascertain that each plan’s component parts serve a specific function and that all roles and duties are properly defined.

Are there new risks?

Look for any new threats to your company’s cyber assets that may have surfaced after your cybersecurity plan was prepared. Additional vulnerabilities can arise when changes in the company happen. It could be a change of management, reorganization of personnel, or the introduction of technology. Be sure to account for new risks to your security assets and create new protective measures if needed.    

Is the plan actionable?

Try to find out if employees are comfortable in using the plan in an emergency or during normal times. Is it available to them anytime? Do they know what to do if they discover a major breach? Is there a ready support team that can assist them?

It may be a good idea to digitize the plan so that employees can easily and quickly access the appropriate plan details through their mobile devices whenever and wherever they need them.

Step 8 – Incident response plan

A good cyber security plan includes an incident response strategy. Incident response involves taking the appropriate steps to manage a cyber attack. Investigation is the first step to learn how the attack happened. It also gives you information on who did it and when, where, and why the attack happened.

After investigating, the incident response team should move to contain and eradicate the threat. After making sure that all affected systems are cleared, the team can allow the resumption of normal operations but will continue to monitor abnormal activity. 

Finally, the response team should submit an incident report so that management can develop new defense policies to prevent similar incidents in the future. The team should also comply with the reporting requirements of pertinent government agencies.

Step 9 – Disaster recovery plan

If you don’t have a strong response team, now is the time to convene one. This team should be a robust group composed of IT experts to help put together a comprehensive plan to address all issues after a cyber disaster.

The response team should immediately go to work with the following tasks:

• Identify what is lost
• Assess the extent and impact of the damage
• Notify affected individuals, such as customers
• Replace or update the anti-virus software
• Report the incident to the appropriate government agencies
• Replace old systems with more resilient ones
• Resume operations using alternative network circuits
• Retrain employees

Our final thoughts. The rapid pace of technology is clearly evident in all aspects of doing business. Advances in mobility, social media, and cloud computing are changing the way people make purchases. For businesses, this trend brings increased growth and productivity—but it also brings added exposure to risk.

Cybercrime has reached epidemic proportions, resulting in a massive increase in the number of small and mid-size businesses being impacted. This is one big reason why businesses need a comprehensive cybersecurity plan.