Every year, new tips come out about small business cybersecurity. But the advice for 2022 isn’t all that different from previous years.

For instance, the U.S. Small Business Administration (SBA) talks about phishing, viruses, ransomware, strong passwords and protecting confidential information this year. Their tips on staying safe are an excellent resource that businesses should read over more than once.

But can small businesses benefit from advice beyond what is now considered basic online hygiene?

To stay safe in 2022, the key is to pay closer attention to some of the basic tips and balance that with some new ways of thinking.

Which Small Business Cybersecurity Strategies Should You Focus On?

Training 

The SBA tips cover some cybersecurity best practices that might seem like they only apply to larger businesses. However, some are equally critical for small ones. For example, leaders at smaller companies often don’t think they need security awareness training. If your company only has five employees, do you really need to invest in security training? Yes.

Does this mean that you have to conduct formal training? Not at all.

The small business cybersecurity training topics the SBA tips suggest are precisely what all employees should know:

  • Spotting a phishing email
  • Using good browsing practices
  • Avoiding suspicious downloads
  • Creating strong passwords
  • Protecting sensitive customer and vendor information
  • Maintaining good cyber hygiene.

If your small company seems too small for ‘training’, how about holding a lunch-and-learn type session over pizza? Make the training as interactive, fun and engaging as possible. Even with a business as small as five, if the session prevents one ransomware email, it may save your business.

Assessing Risk 

Knowing where your business stands from a risk perspective may be the most important piece of knowledge you have regarding small business cybersecurity. As noted in the SBA guide, “the first step in improving your small business cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.”

Risk assessments, especially when conducted by a third party, let you know where your business is at risk and put you in a better position to create a defensive plan or strategy. The process needn’t be in-depth or comprehensive, but there must be some strategy.

Vulnerability scans determine how vulnerable your critical systems and sensitive data are to compromise or attack, given your state of software patching and/or misconfigurations. But, you might ask, how can my business afford to pay a third party to perform a vulnerability scan?

For small businesses, the DHS offers free cyber hygiene vulnerability scanning that produces a weekly report from which you can take action. Sign up for the free service by contacting the Cybersecurity and Infrastructure Security Agency at [email protected]. They’ll send you documents to sign, confirm a scanning schedule and send you a pre-scan notification. 

Using MFA

When accessing any service, website or application, we highly recommend multifactor authentication (MFA). Remember, MFA provides another critical layer of small business cybersecurity by sending a unique one-time code via email or text. Anyone doing online banking is probably familiar with using MFA, so it shouldn’t be challenging to deploy within your company systems.

Attackers love low-hanging fruit and prefer to attack businesses that don’t have security measures in place. So, MFA represents a major stumbling block.

Beyond the SBA Small Business Cybersecurity Recommendations 

Much like training and assessing risk, third-party risk management doesn’t sound like it belongs in a small business cybersecurity tip list. But think about how many companies you do business with and which may have access to your sensitive data. When you share your company’s confidential data and customer data with third parties, it is only as secure as the business handling it.

Take your tax information, for example. For cyber criminals, your tax data is like the holy grail. The tax preparer, accountant or firm you deal with must handle your data with as much due care as you do. Just like you would invest time to ensure that person or company understands small business cybersecurity, you need to be diligent about other third parties like cloud providers and vendors.

Your business cannot afford to be shy about asking third parties who can access your data how data is stored and exchanged and what security measures they have in place.

Social Media Use 

Social media is a treasure trove of useful information for fraudsters and criminals.

No matter where they’re using it, employees may be revealing sensitive business information on social media without even knowing they could be harming the business. It’s an under-appreciated aspect of small business cybersecurity.

Every social media post and photo could be exploited. For example, how about that team photo you posted after the strategy meeting in the boardroom? What if it contained confidential information or revealed intellectual property by mistake? Even a LinkedIn post congratulating a co-worker on a successful project or new role could be used against you.

The more data that threat actors have about your employees’ interests, jobs and activities, the better opportunity they have for exploiting it to their advantage and using it in a phishing or ransomware attack.

The Cybersecurity Mindset Shift Required for 2022

No company is too small for cybersecurity to be a top priority. The risks are far too great. For instance, in the last month of 2021, a Log4j software bug was disclosed, which could cause “incalculable” damage in 2022. The technical details can be found here, along with ways to defend against it.

At the time of this writing, the risk to small businesses from the bug was minimal. But what about in 2022?

The point is, developments in the threat landscape occur frequently. While keeping up may seem difficult, knowing about the potential threats is crucial — regardless of your company’s industry or size.

Small businesses should consider cybersecurity developments as equally crucial as industry developments. As cybersecurity becomes an essential part of your business strategy — much like marketing, accounting or human resources — your risk of being breached or attacked decreases drastically.

Finally, prioritizing security isn’t possible without prioritizing mental health. Tech burnout transcends the cybersecurity industry and applies to almost everyone, especially in today’s chaotic business environment. When employees are happy, they typically make fewer mistakes. In the cybersecurity industry, the notion of employees making fewer mistakes means everything.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today