Every year, new tips come out about small business cybersecurity. But the advice for 2022 isn’t all that different from previous years.

For instance, the U.S. Small Business Administration (SBA) talks about phishing, viruses, ransomware, strong passwords and protecting confidential information this year. Their tips on staying safe are an excellent resource that businesses should read over more than once.

But can small businesses benefit from advice beyond what is now considered basic online hygiene?

To stay safe in 2022, the key is to pay closer attention to some of the basic tips and balance that with some new ways of thinking.

Which Small Business Cybersecurity Strategies Should You Focus On?

Training 

The SBA tips cover some cybersecurity best practices that might seem like they only apply to larger businesses. However, some are equally critical for small ones. For example, leaders at smaller companies often don’t think they need security awareness training. If your company only has five employees, do you really need to invest in security training? Yes.

Does this mean that you have to conduct formal training? Not at all.

The small business cybersecurity training topics the SBA tips suggest are precisely what all employees should know:

  • Spotting a phishing email
  • Using good browsing practices
  • Avoiding suspicious downloads
  • Creating strong passwords
  • Protecting sensitive customer and vendor information
  • Maintaining good cyber hygiene

If your company seems too small for ‘training’, how about holding a lunch-and-learn type session over pizza? Make the training as interactive, fun and engaging as possible. Even in a business with as few as five people, if the session stops one ransomware email, it may save your business.

Assessing Risk 

Knowing where your business stands from a risk perspective may be the most important piece of knowledge you have regarding small business cybersecurity. As noted in the SBA guide, “the first step in improving your small business cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.”

Risk assessments, especially when conducted by a third party, let you know where your business is at risk and put you in a better position to create a defensive plan or strategy. The process needn’t be in-depth or comprehensive, but there must be some strategy.

Vulnerability scans determine how vulnerable your critical systems and sensitive data are to compromise or attack, given your state of software patching and/or misconfigurations. But, you might ask, how can my business afford to pay a third party to perform a vulnerability scan?

For small businesses, the DHS offers free cyber hygiene vulnerability scanning that produces a weekly report from which you can take action. Sign up for the free service by contacting the Cybersecurity and Infrastructure Security Agency at [email protected]. They’ll send you documents to sign, confirm a scanning schedule and send you a pre-scan notification. 

Using MFA

When accessing any service, website or application, we highly recommend multifactor authentication (MFA). Remember, MFA provides another critical layer of small business cybersecurity by sending a unique one-time code via email or text. Anyone doing online banking is probably familiar with using MFA, so it shouldn’t be challenging to deploy within your company systems.

Attackers love low-hanging fruit and prefer to attack businesses that don’t have security measures in place. So, MFA represents a major stumbling block.

Beyond the SBA Small Business Cybersecurity Recommendations 

Much like training and assessing risk, third-party risk management doesn’t sound like it belongs in a small business cybersecurity tip list. But think about how many companies you do business with and which may have access to your sensitive data. When you share your company’s confidential data and customer data with third parties, it is only as secure as the business handling it.

Take your tax information, for example. For cyber criminals, your tax data is like the holy grail. The tax preparer, accountant or firm you deal with must handle your data with as much due care as you do. Just like you would invest time to ensure that person or company understands small business cybersecurity, you need to be diligent about other third parties like cloud providers and vendors.

Your business cannot afford to be shy about asking third parties who can access your data how data is stored and exchanged and what security measures they have in place.

Social Media Use 

Social media is a treasure trove of useful information for fraudsters and criminals.

No matter where they’re using it, employees may be revealing sensitive business information on social media without even knowing they could be harming the business. It’s an under-appreciated aspect of small business cybersecurity.

Every social media post and photo could be exploited. For example, how about that team photo you posted after the strategy meeting in the boardroom? What if it contained confidential information or revealed intellectual property by mistake? Even a LinkedIn post congratulating a co-worker on a successful project or new role could be used against you.

The more data that threat actors have about your employees’ interests, jobs and activities, the better opportunity they have for exploiting it to their advantage and using it in a phishing or ransomware attack.

The Cybersecurity Mindset Shift Required for 2022

No company is too small for cybersecurity to be a top priority. The risks are far too great. For instance, in the last month of 2021, a Log4j software bug was disclosed, which could cause “incalculable” damage in 2022. The technical details can be found here, along with ways to defend against it.

At the time of this writing, the risk to small businesses from the bug was minimal. But what about in 2022?

The point is, developments in the threat landscape occur frequently. While keeping up may seem difficult, knowing about the potential threats is crucial — regardless of your company’s industry or size.

Small businesses should treat cybersecurity developments as just as crucial as industry developments. As cybersecurity becomes an essential part of your business strategy (much like marketing, accounting or human resources), your risk of being breached or attacked decreases drastically.

Finally, prioritizing security isn’t possible without prioritizing mental health. Tech burnout transcends the cybersecurity industry and applies to almost everyone, especially in today’s chaotic business environment. When employees are happy, they typically make fewer mistakes. In the cybersecurity industry, the notion of employees making fewer mistakes means everything.
