Every year, new tips come out about small business cybersecurity. But the advice for 2022 isn’t all that different from previous years.

For instance, the U.S. Small Business Administration (SBA) talks about phishing, viruses, ransomware, strong passwords and protecting confidential information this year. Their tips on staying safe are an excellent resource that businesses should read over more than once.

But can small businesses benefit from advice beyond what is now considered basic online hygiene?

To stay safe in 2022, the key is to pay closer attention to some of the basic tips and balance that with some new ways of thinking.

Which Small Business Cybersecurity Strategies Should You Focus On?
The SBA tips cover some cybersecurity best practices that might seem like they only apply to larger businesses. However, some are equally critical for small ones. For example, leaders at smaller companies often don’t think they need security awareness training. If your company only has five employees, do you really need to invest in security training? Yes.

Does this mean that you have to conduct formal training? Not at all.

The small business cybersecurity training topics the SBA tips suggest are precisely what all employees should know:

  • Spotting a phishing email
  • Using good browsing practices
  • Avoiding suspicious downloads
  • Creating strong passwords
  • Protecting sensitive customer and vendor information
  • Maintaining good cyber hygiene

If your company seems too small for ‘training’, how about holding a lunch-and-learn type session over pizza? Make the training as interactive, fun and engaging as possible. Even with a staff of five, if the session stops one employee from opening the attachment or link in a ransomware email, it may save your business.

Assessing Risk 

Knowing where your business stands from a risk perspective may be the most important piece of knowledge you have regarding small business cybersecurity. As noted in the SBA guide, “the first step in improving your small business cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.”

Risk assessments, especially when conducted by a third party, show you where your business is exposed and put you in a better position to create a defensive plan or strategy. The process needn’t be in-depth or comprehensive, but it must be deliberate: a written list of what you rely on, what could go wrong and what you are doing about it.

Vulnerability scans identify which of your systems are exposed to compromise because of missing patches or misconfigurations, and which of those systems hold sensitive data. But, you might ask, how can my business afford to pay a third party to perform a vulnerability scan?

For small businesses, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) offers free cyber hygiene vulnerability scanning that produces a weekly report from which you can take action. Sign up for the free service by contacting CISA at [email protected]. They’ll send you documents to sign, confirm a scanning schedule and send you a pre-scan notification. Note that this service scans your internet-facing systems from the outside; it does not see unpatched laptops, servers or printers inside your network, so it complements, rather than replaces, keeping an inventory of your own devices and patching them.

Using MFA

When accessing any service, website or application, we highly recommend multifactor authentication (MFA). MFA adds a critical layer to small business cybersecurity: in addition to a password, the user must prove possession of something else, such as a one-time code from an authenticator app, a push prompt on a phone or a hardware security key. One-time codes sent by email or text are the most familiar form (anyone doing online banking has probably used them) and are far better than a password alone, but they are also the easiest for an attacker to intercept or to phish in real time, so prefer an authenticator app or a hardware key where the service offers one. Since most business software already supports MFA, it shouldn’t be challenging to deploy within your company systems.

Attackers love low-hanging fruit and prefer to attack businesses that don’t have security measures in place. A stolen or guessed password is the usual way in, and MFA turns that password alone into a dead end.

Beyond the SBA Small Business Cybersecurity Recommendations 

Much like training and assessing risk, third-party risk management doesn’t sound like it belongs in a small business cybersecurity tip list. But think about how many companies you do business with and which may have access to your sensitive data. When you share your company’s confidential data and customer data with third parties, it is only as secure as the business handling it.

Take your tax information, for example. For cyber criminals, your tax data is like the holy grail. The tax preparer, accountant or firm you deal with must handle your data with as much due care as you do. Just like you would invest time to ensure that person or company understands small business cybersecurity, you need to be diligent about other third parties like cloud providers and vendors.

Your business cannot afford to be shy about asking any third party that can access your data how that data is stored and exchanged, who at the vendor can see it, and what security measures (including MFA and backups) they have in place.

Social Media Use 

Social media is a treasure trove of useful information for fraudsters and criminals.

No matter where they’re using it, employees may be revealing sensitive business information on social media without even knowing they could be harming the business. It’s an under-appreciated aspect of small business cybersecurity.

Every social media post and photo could be exploited. For example, how about that team photo you posted after the strategy meeting in the boardroom? What if it contained confidential information or revealed intellectual property by mistake? Even a LinkedIn post congratulating a co-worker on a successful project or new role could be used against you.

The more data that threat actors have about your employees’ interests, jobs and activities, the better opportunity they have for exploiting it to their advantage and using it in a phishing or ransomware attack.

The Cybersecurity Mindset Shift Required for 2022

No company is too small for cybersecurity to be a top priority. The risks are far too great. For instance, in the last month of 2021, a critical vulnerability in the widely used Log4j logging library (known as Log4Shell) was disclosed, which could cause “incalculable” damage in 2022. Its technical details, along with ways to defend against it, have been published separately.

At the time of this writing, the risk to small businesses from the bug was minimal. But what about in 2022? Keep in mind that Log4j is bundled inside many commercial products, so a business that writes no software of its own can still be exposed through the applications and appliances it buys, and should ask its vendors for patches.

The point is, developments in the threat landscape occur frequently. While keeping up may seem difficult, knowing about the potential threats is crucial — regardless of your company’s industry or size.

Small businesses should treat cybersecurity developments as equally crucial as industry developments. As cybersecurity becomes an essential part of your business strategy — much like marketing, accounting or human resources — your risk of a successful breach or attack decreases.

Finally, prioritizing security isn’t possible without prioritizing mental health. Tech burnout transcends the cybersecurity industry and applies to almost everyone, especially in today’s chaotic business environment. When employees are happy, they typically make fewer mistakes. In the cybersecurity industry, the notion of employees making fewer mistakes means everything.
