13 essential cybersecurity tips for small and medium enterprises

Think hackers only have eyes for the big companies? Think again. While the giants grab the headlines with their deep pockets, there’s a twist: cybercriminals are actually far more likely to prey on small businesses. 

While these smaller players might not be swimming in assets and customers, they often lack strong security measures, making them easy targets. And those assets are worth a lot on the black market: according to a recent study, all it takes is 10 stolen credits per hacked site to bring in a yield of up to $2.2m per month.

Myth: “We’re too small to target.”

Truth: Small to Medium-Sized Businesses (SMEs) are hackers’ top targets, according to a recent report. Even more worryingly, 60% of small businesses hit by a cyberattack go out of business within six months.

In this article, we’re going to take a closer look at cybersecurity for small and medium enterprises, helping you keep your customer’s data off the dark web. 

What is cybersecurity?

Cybersecurity refers to the practice of protecting your digital assets from hackers. These cybercriminals usually have three approaches and three goals: accessing, changing, or destroying sensitive data, with the wider end game of extorting money from users, disrupting business, or influencing politics. 

Cybersecurity is an enormous and growing field, covering everything from the security of your internet connection to the integrity of the data. It includes technologies like firewalls and antivirus software, as well as practices like regular software updates and user education (which we’ve covered in more detail in our beginner’s guide to cybersecurity).

Understanding cybersecurity means recognizing the threats and knowing how to protect your business. And it’s something that should be top of your list, whatever size your business. 

Why is cybersecurity important for small and medium businesses?

With their wealth of data and often weaker, less sophisticated security systems, SMEs represent low-effort, high-impact prey for hackers. Concerned? You should be! 

Protecting valuable data

What would it mean for your business if a hacker gained access to your customer information? Financial records? Intellectual property? One breach is all it takes. Identity theft, financial loss, and the legal ramifications are devastating for anyone.

Maintaining customer trust

Customers expect their data to be kept secure. If you don’t do due diligence, you’ll be sued for negligence. Direct financial losses aside, a loss of trust can be more damaging than any fine. A reputation for poor security means customers and partners may take their business elsewhere. 

Staying compliant 

Many regions and industries have strict regulations governing the handling and protection of data. Small businesses are not exempt from these rules and are often disproportionately hit by the penalties.

Cost of cyber attacks

Bigger corporations might have the resources to recover from a cyber attack. For small businesses, the cost can be crippling. According to IBM’s 2023 Cost of a Data Breach Report, the average impact of an attack on a company with fewer than 500 employees is $3.31 million, with the average cost per breached record coming in at $164.

Operational continuity

SMEs tend to have fewer resources for continuity. From locking out essential data to forcing a complete shutdown of network systems, the operational impact can be severe and lasting. 

Evolution of threats

Attackers constantly mastermind new methods for stealing data. Small businesses need to stay on top of these developments.

Essential cybersecurity ips for small and medium enterprises 

Cybersecurity might seem daunting, but setting up a strong strategy is the only way to keep your data safe. Here are 13 practical tips you can do today. 

1. Educate your team

People tend to be the weakest link when it comes to security, especially those who aren’t educated about threats. Regularly train your team about the latest phishing schemes, how to handle suspicious emails, the importance of not sharing sensitive information, and the protocols to follow when they suspect a threat. Simulated cyber attacks are also a practical, hands-on way to prep your team for real-world scenarios.

2. Use strong passwords

Every year, security companies publish a list of the most commonly used passwords. But just because yours hasn’t popped up yet, doesn’t mean you’re safe.

Strong, unique passwords are the first line of defense against unauthorized access to your systems. Train employees to create complex passwords that include a mix of letters, numbers, and symbols and are at least 12 characters long (a password generator can help). Avoid using easily guessable information like birthdays or common words, and implement a policy requiring regular password changes, every 60 to 90 days or so, to add an extra layer of protection. 

Top tip: A password manager can help staff store and generate complex passwords, lowering the temptation to reuse across multiple sites. Just make sure you use a reputable provider.

3. Keep software and systems up to date

Hackers exploit vulnerabilities in outdated software. Make sure all your business software and apps are kept up to date with the latest security patches. Regularly check the software vendors’ websites for any updates you might have missed, and set up automatic notifications. 

4. Implement multi-factor authentication (MFA)

MFA adds an extra layer of security by asking users to provide two or more verification factors to gain access to a resource. This could be something the user knows (password), something the user has (a security token or a mobile phone), or something the user is physically (biometric verification like a fingerprint or facial recognition). Even if a password gets compromised, unauthorized users won’t be able to access the system without additional verification.

5. Regularly back up data

Having your data held hostage stings a lot less when you have a safe copy elsewhere. Backups are a lifesaver (or business-saver) in the event of a ransomware attack, where attackers encrypt your data and demand a ransom for its release. 

In saving your data to a secure, separate location — whether it be the cloud, or a physical external hard drive — you can dodge downtime while you deal with the attack. Make sure the backups are encrypted and test them regularly. 

6. Secure your wifi networks

An unsecured wifi network is an open door for hackers. Make sure your business’s wifi is secure, hidden, and encrypted. 

Use strong passwords and consider setting up a separate network for guests. Regularly update the router’s firmware to protect against vulnerabilities, and consider using a VPN for additional encryption security. Don’t forget to educate employees about the risks of using public wifi for business (ideally, they shouldn’t ever use public WiFi). 

7. Use antivirus and anti-malware solutions

Antivirus software works by detecting and blocking known threats before they infiltrate your network. There are lots of great tools out there, but they only work if you keep them up-to-date, so don’t snooze those updates. 

Choose a reputable solution that offers real-time protection and covers all devices, including computers, laptops, and mobiles. Remember, no solution is 100% effective, so combining this with other security measures is a must.

8. Limit user access and privileges

Not every employee needs access to all areas of your network. Implement the principle of least privilege, giving employees only the access they need to perform their jobs. Regularly review access rights, especially after an employee changes roles or leaves the company. Additionally, use administrative privileges sparingly and monitor the use of these accounts closely. This includes stakeholders. 

9. Develop a response plan

Breaches happen, even with the best defenses in place. Your response plan should include how to locate and contain a breach, who to contact internally and externally, and how to break the news to stakeholders. Regularly review and practice the plan to ensure everyone knows their role during an incident. A swift response and good organizational communication can be the difference between sinking and swimming during an attack. 

10. Stay informed about the latest cyber threats

Cybercriminals are smart — so smart they keep on their toes. You don’t have to compete with hacker masterminds, but you do need to take advantage of the solutions offered by those who do. 

Subscribing to cybersecurity news, attending relevant webinars, and participating in industry forums will help you stay abreast of developments. Understanding what you’re up against will help you stay prepared. 

11. Get cyber insurance

No one is completely protected. So, mitigate the financial impact of a cyber attack by covering costs related to data breaches, network damage, and legal fees. 

When choosing a policy, understand what’s covered and what’s not. Work with an insurance provider who understands the complexities of cyber risks and can offer a policy that matches your business’s specific needs. Remember, insurance isn’t a substitute for good security, but it’s an important safety net, especially for SMEs.

12. Safeguard assets

You wouldn’t leave your front door unlocked, so why take the risk with your data? Make sure your servers, routers, and devices are in a secure, access-controlled environment. Keep a detailed inventory of all your hardware, so you know what needs to be protected, and can spot when something’s missing. 

Additionally, consider using encryption for laptops and mobile devices, especially those that hold sensitive data and can be easily lost or stolen. Simple measures, like using cable locks for laptops or keeping servers in a locked room, can also add an extra layer of security. 

13. Leverage the latest tech

When it comes to software, look for companies that take your data seriously. Enterprise-grade encryption keeps your data protected to the highest level of security, while regular updates lower vulnerabilities that are the savvy hacker’s best friend. 

Cybersecurity resources for small businesses

Still feeling daunted? You don’t have to navigate this minefield alone. There are plenty of resources out there to help you bolster your defenses. Here are some for starters. 

• Global Cyber Alliance’s (GCA): Cybersecurity toolkit for small businesses with free resources.

• National Institute of Standards and Technology (NIST): NIST offers a cybersecurity framework that gives guidelines and best practices for improving your organization’s cybersecurity. 

• Microsoft Cybersecurity Resource Center: Tips and tech for small businesses.

• Federal Trade Commission (FTC) Cybersecurity for Small Business: Tips, videos, and articles covering a wide range of cybersecurity topics, specifically for SMEs.

• Cybersecurity & Infrastructure Security Agency (CISA): A library of publications and resources aimed at helping businesses, including small ones, improve their cybersecurity practices. You can find guides, checklists, and training materials.

• Small Business Administration (SBA) Cybersecurity: Guidance on creating a cybersecurity plan, securing your business, and understanding cyber insurance.

• StaySafeOnline: Tools and resources to help small businesses protect themselves online. You can access tip sheets, webinars, and training materials.

• FICO and U.S. Chamber of Commerce Assessment of Cyber Security Risk Report: A run-through of the most pressing cybersecurity issues of the moment. 

• Local cybersecurity organizations: Consider reaching out to local cybersecurity organizations or associations. They often provide resources, workshops, and networking opportunities to help small businesses stay secure.

• Managed Security Service Providers (MSSPs): If managing cybersecurity in-house feels overwhelming, consider partnering with an MSSP. They offer expertise, tools, and around-the-clock monitoring to protect your business.

• Industry-Specific Associations: Depending on your industry, there may be associations or organizations that offer industry-specific cybersecurity resources and guidance. Look for these groups to access tailored support.

Strengthen your defense with Nulab Pass 

Nulab Pass is the ultimate ‘set it and forget it’ security tool, which is ideal for SMEs with limited resources. It seamlessly runs in the background but gives admins full control thanks to SAML single sign-on, user provisioning, and audit logs. It also comes with enterprise-grade credentials, so you can rest assured it’s up to the job. Ready to give it a try? Get started with a free trial today.