Every year, new tips come out about small business cybersecurity. But the advice for 2022 isn’t all that different from previous years.

For instance, the U.S. Small Business Administration (SBA) talks about phishing, viruses, ransomware, strong passwords and protecting confidential information this year. Their tips on staying safe are an excellent resource that businesses should read over more than once.

But can small businesses benefit from advice beyond what is now considered basic online hygiene?

To stay safe in 2022, the key is to pay closer attention to some of the basic tips and balance that with some new ways of thinking.

Which Small Business Cybersecurity Strategies Should You Focus On?


The SBA tips cover some cybersecurity best practices that might seem like they only apply to larger businesses. However, some are equally critical for small ones. For example, leaders at smaller companies often don’t think they need security awareness training. If your company only has five employees, do you really need to invest in security training? Yes.

Does this mean that you have to conduct formal training? Not at all.

The small business cybersecurity training topics the SBA tips suggest are precisely what all employees should know:

  • Spotting a phishing email
  • Using good browsing practices
  • Avoiding suspicious downloads
  • Creating strong passwords
  • Protecting sensitive customer and vendor information
  • Maintaining good cyber hygiene.

If your small company seems too small for ‘training’, how about holding a lunch-and-learn type session over pizza? Make the training as interactive, fun and engaging as possible. Even with a business as small as five, if the session prevents one ransomware email, it may save your business.

Assessing Risk 

Knowing where your business stands from a risk perspective may be the most important piece of knowledge you have regarding small business cybersecurity. As noted in the SBA guide, “the first step in improving your small business cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.”

Risk assessments, especially when conducted by a third party, let you know where your business is at risk and put you in a better position to create a defensive plan or strategy. The process needn’t be in-depth or comprehensive, but there must be some strategy.

Vulnerability scans determine how vulnerable your critical systems and sensitive data are to compromise or attack, given your state of software patching and/or misconfigurations. But, you might ask, how can my business afford to pay a third party to perform a vulnerability scan?

For small businesses, the DHS offers free cyber hygiene vulnerability scanning that produces a weekly report from which you can take action. Sign up for the free service by contacting the Cybersecurity and Infrastructure Security Agency at [email protected]. They’ll send you documents to sign, confirm a scanning schedule and send you a pre-scan notification. 

Using MFA

When accessing any service, website or application, we highly recommend multifactor authentication (MFA). Remember, MFA provides another critical layer of small business cybersecurity by sending a unique one-time code via email or text. Anyone doing online banking is probably familiar with using MFA, so it shouldn’t be challenging to deploy within your company systems.

Attackers love low-hanging fruit and prefer to attack businesses that don’t have security measures in place. So, MFA represents a major stumbling block.

Beyond the SBA Small Business Cybersecurity Recommendations 

Much like training and assessing risk, third-party risk management doesn’t sound like it belongs in a small business cybersecurity tip list. But think about how many companies you do business with and which may have access to your sensitive data. When you share your company’s confidential data and customer data with third parties, it is only as secure as the business handling it.

Take your tax information, for example. For cyber criminals, your tax data is like the holy grail. The tax preparer, accountant or firm you deal with must handle your data with as much due care as you do. Just like you would invest time to ensure that person or company understands small business cybersecurity, you need to be diligent about other third parties like cloud providers and vendors.

Your business cannot afford to be shy about asking third parties who can access your data how data is stored and exchanged and what security measures they have in place.

Social Media Use 

Social media is a treasure trove of useful information for fraudsters and criminals.

No matter where they’re using it, employees may be revealing sensitive business information on social media without even knowing they could be harming the business. It’s an under-appreciated aspect of small business cybersecurity.

Every social media post and photo could be exploited. For example, how about that team photo you posted after the strategy meeting in the boardroom? What if it contained confidential information or revealed intellectual property by mistake? Even a LinkedIn post congratulating a co-worker on a successful project or new role could be used against you.

The more data that threat actors have about your employees’ interests, jobs and activities, the better opportunity they have for exploiting it to their advantage and using it in a phishing or ransomware attack.

The Cybersecurity Mindset Shift Required for 2022

No company is too small for cybersecurity to be a top priority. The risks are far too great. For instance, in the last month of 2021, a Log4j software bug was disclosed, which could cause “incalculable” damage in 2022. The technical details can be found here, along with ways to defend against it.

At the time of this writing, the risk to small businesses from the bug was minimal. But what about in 2022?

The point is, developments in the threat landscape occur frequently. While keeping up may seem difficult, knowing about the potential threats is crucial — regardless of your company’s industry or size.

Small businesses should consider cybersecurity developments as equally crucial as industry developments. As cybersecurity becomes an essential part of your business strategy — much like marketing, accounting or human resources — your risk of being breached or attacked decreases drastically.

Finally, prioritizing security isn’t possible without prioritizing mental health. Tech burnout transcends the cybersecurity industry and applies to almost everyone, especially in today’s chaotic business environment. When employees are happy, they typically make fewer mistakes. In the cybersecurity industry, the notion of employees making fewer mistakes means everything.

More from Risk Management

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

GenAI: The next frontier in AI security threats

3 min read - Threat actors aren’t attacking generative AI (GenAI) at scale yet, but these AI security threats are coming. That prediction comes from the 2024 X-Force Threat Intelligence Index. Here’s a review of the threat intelligence types underpinning that report.Cyber criminals are shifting focusIncreased chatter in illicit markets and dark web forums is a sign of interest. X-Force hasn’t seen any AI-engineered campaigns yet. However, cyber criminals are actively exploring the topic. In 2023, X-Force found the terms “AI” and “GPT” mentioned…

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today