
10 Cybersecurity Tips for Small Businesses

What Is a Cyber Threat and Why Should You Bother?

A cyber threat is an attempt to maliciously steal data and cause disruption. In 2019, the number of data breaches in the United States amounted to 1,473, with over 164.68 million sensitive records exposed, according to Statista.

Awareness of cyberattacks has certainly increased. As individuals and businesses become more conscious of the need to protect their devices and data and take measures to secure what they can, cyber criminals have stepped up their game significantly. Cyber threats have escalated in number, complexity, and sophistication.

Any given cyber threat may or may not materialize, and the fear of the unknown continues to pervade most organizations. However, taking precautions only after a breach has occurred is too late. PayPal CEO Dan Schulman is quoted as saying that in the cyber community, there are two types of companies: those who have been hacked and those who do not know they have been hacked.

Types of Cyber Threats for Small Businesses

The ways in which cyber threats infiltrate small business devices and networks continue to increase. Some of the tried and true, such as phishing, still plague organizations of all sizes. Here is a look at a few cyber threats small businesses need to be aware of.

Phishing

A phishing attack usually targets users directly through email, although other forms of communication, including text messaging, have been used for phishing. Social engineering is at play in a phishing attempt, as attackers disguise themselves as trusted contacts or sources to get victims to part with personal data such as passwords or banking/credit card numbers.

For small businesses, phishing can have far-reaching consequences. If a cyber criminal gains entry to even a single device used by the business or its users, that foothold can be used to reach the rest of the network, leaving the organization exposed to loss.

For more information on the different types of phishing scams and what businesses can do to stop them, download our Phishing Education Guide.

Watering Holes

Though not the most common cyberattack, a watering-hole attack targets a specific group of individuals or businesses that share the same interests and frequent the same types of websites. The cyber criminal then infects one of those sites with malware. The idea is that if one member of the group visits the website and gets infected, the others will as well.

As with phishing, social engineering is at work in this type of attack. Since the individuals or small businesses in the group trust each other's choice of websites, there is no reason not to visit them, unknowingly downloading malware to their devices at the same time.

Drive-by Downloads

Drive-by downloads occur when a user downloads software to their computer inadvertently. Many times, the software might not be malicious, but other times, the download is intended to do one or more of the following:

  1. Spy on activity, such as recording keystrokes to capture passwords
  2. Hijack the device by exploiting security flaws
  3. Infect the device by downloading even more software or files that ultimately render the device useless

Drive-by downloads often occur when operating systems have not been updated or software patches have not been installed.

Malware

Malware is an umbrella term for any form of malicious software. Viruses are the most common, but malware also includes spyware, ransomware/hostageware, malvertising, worms, and Trojans. Many businesses are unaware that malware has been installed on one or more of their devices, or even on their entire network. 

Why Do Small Businesses Need Cybersecurity?

Cyber criminals are well aware that small businesses might not have the resources to spend on security staff and software as would a much larger enterprise. This is what makes them a prime target, as hackers see small businesses as particularly vulnerable, especially those without even basic security measures like antivirus software in place.

Cyber criminals are also aware that many small businesses work with large companies, so access to a small business's network might mean access to that of a larger corporation. Further, small businesses, including restaurants and franchises, store vast amounts of bank account and credit card information, so a hack into a small business could prove valuable for those with malicious intent.

The Risks Involved for Small Businesses

Money is behind the vast majority of cyberattacks. According to the 2020 Verizon Data Breach Investigations Report, 86% of the 3,950 breaches last year were financially motivated. For businesses, cyberattack risks include:

  1. Compensating customers for theft of banking or credit card information
  2. Losses due to business disruption (i.e., shutting down operations while an investigation is underway)
  3. Costs related to adding new security systems and software or replacing devices
  4. Reputation damage, including informing customers of the breach and losing potential new business

The Impact of a Cyberattack on Small and Midsize Businesses (SMBs)

Losses to the business can vary. In a review, the U.S. Securities and Exchange Commission estimated that half of small businesses that suffer a cyberattack go out of business within six months. A small business may not have the time or resources to address the fallout from the breach—paying for customer losses, litigation, or upgraded systems—and so will have to shut down.

Cybersecurity Tips for Small Businesses: The Ultimate Checklist

Small businesses have several opportunities to strengthen their defenses against a cyberattack. Below are a few that can be incorporated with little to no additional expense.

1. Regular Software and Patch Updates

Most people never consider that software or systems need to be manually updated because they are used to automatic updates on their PCs and laptops, especially from Windows or Windows-based programs.

However, some software, such as the Wi-Fi router's firmware, needs to be manually updated. Software updates include security patches, which are necessary in the fight against cyber threats. Without these new patches, a router—and the devices connected to it—remain vulnerable. As such, businesses should update their wireless routers' firmware, in addition to all of the devices in the workplace—printers, scanners, and the like.

2. Train Employees

According to a study cited by a CNBC report, employee negligence is the main cause of data breaches. Nearly half, 47%, of businesses pointed to human error, such as accidental loss of a device by an employee, as the reason behind a data breach at their organization. Therefore, it is imperative that businesses take the time to train employees on cybersecurity measures.

3. Passwords and Authentication

Strong passwords that are hard to figure out—20 characters in length, including numbers, letters, and symbols—are a must in the fight against cyber threats. The harder a password is to crack, the less likely a brute-force attack is to succeed. As an additional measure, small businesses should incorporate multi-factor authentication (MFA) into their employees' devices and apps.

There are password keepers, apps for storing and managing passwords, that not only keep track of passwords but also set reminders when they are due for an update.
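To make the brute-force argument concrete, the following Python script (an added example, not code from the original article or from Fortinet) checks a password against the 20-character, letters-plus-numbers-plus-symbols rule described above and estimates the size of the search space an attacker would have to cover. The guess rate constant and the sample passwords are constructed for illustration; the search-space figures assume the password is random, so a password built from dictionary words is weaker than the estimate suggests.

```python
import math
import string

# Constructed figure for an offline attack against a fast hash; real rates
# depend on hardware and on the hash algorithm the service uses.
GUESSES_PER_SECOND = 1e10

MIN_LENGTH = 20  # the article's recommended minimum length
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, based on which
    character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)      # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)      # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)               # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)          # 32
    return size


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search would have to try."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits (length * log2(alphabet size))."""
    return len(password) * math.log2(charset_size(password))


def meets_policy(password: str) -> bool:
    """At least 20 characters with a letter, a digit and a symbol."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return len(password) >= MIN_LENGTH and has_letter and has_digit and has_symbol


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an exhaustive search at the assumed guess rate."""
    return search_space(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample passwords, from weak to policy-compliant.
    for pw in ["summer", "Summer2024!", "k7$Qw9!pLm2#Vx4&Rt8Z"]:
        print(f"{pw!r:26} policy={meets_policy(pw)!s:5} "
              f"bits={entropy_bits(pw):6.1f} years={years_to_exhaust(pw):.3g}")
```

Run it and compare the rows: the six-letter lowercase password is exhausted in a fraction of a second at the assumed rate, while the 20-character mixed password would take far longer than any practical attack. Pair the policy check with MFA as the article recommends, since a leaked password alone then no longer grants access.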

4. Timely Risk Assessments

Risk assessments might sound like something only large enterprises have time and money to carry out. Yet, small businesses should consider incorporating them into their cybersecurity processes.

Businesses should brainstorm "what if" scenarios for cybersecurity, especially as they relate to data storage. For many small businesses, that data lives in the cloud. As such, businesses can lean on their cloud storage provider to help them perform a risk assessment to determine what threats, if any, exist and what measures can be taken to strengthen data security.

5. Use Virtual Private Networks (VPNs)

A VPN allows employees to securely access a company's network when working from home or traveling. This is necessary because employees often use the internet for access, which is not as secure as the company's network. 

VPNs also encrypt traffic in transit, which limits what an attacker on an untrusted network can intercept. As such, they serve as an extra measure of security when employees are using their home wireless network, a network at another worksite, a café or restaurant, or a public internet access point.

6. Regular File Backups

Backing up files might seem like a rather 1990s way to protect data, but even in the modern world of cloud storage and backup, it is relevant. According to the National Cybersecurity Alliance, small businesses continue to evaluate the decision to trust their data to AWS, Microsoft Azure, or Google, expecting these companies to provide backups. However, storing copies of data offline is not a bad idea and can even provide cost savings in the long run.
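A backup is only useful if it can be restored intact, so an offline copy should be verified, not just written. The following Python script (an added example, not code from the original article or from Fortinet) copies a directory tree, records a SHA-256 hash for every file in a manifest, and later checks the copy against that manifest so silent corruption or tampering is detected. The `demo()` function builds a constructed sample directory in a temporary folder so the script runs offline; the file names and contents are invented for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and record each file's SHA-256."""
    manifest = {}
    for file in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = file.relative_to(src)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)          # copy2 preserves timestamps
        manifest[rel.as_posix()] = sha256_of(target)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> list:
    """Return relative paths of files that are missing or whose hash changed."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        path = dest / rel
        if not path.is_file() or sha256_of(path) != expected:
            problems.append(rel)
    return problems


def demo() -> tuple:
    """Constructed scenario: back up two files, verify the copy, then simulate
    corruption of one backed-up file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        dest = Path(tmp) / "offline_copy"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2020-q1.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        create_backup(src, dest)
        clean = verify_backup(dest)                      # expected: []
        (dest / "notes.txt").write_bytes(b"tampered or bit-rotted content\n")
        after_tamper = verify_backup(dest)               # expected: ["notes.txt"]
        return clean, after_tamper


if __name__ == "__main__":
    before, after = demo()
    print("problems before tampering:", before)
    print("problems after tampering:", after)
```

In practice keep a copy of the manifest somewhere other than the backup medium itself, so that an attacker who can alter the backup cannot also rewrite the hashes, and run the verification on a schedule rather than only at restore time.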

7. Deploy Antivirus

The number of viruses has multiplied exponentially over the years, so businesses should ensure that antivirus software is installed properly. Antivirus software should be installed not only on corporate-owned devices but also on devices owned by employees that are used for work-related purposes. 

The antivirus software also needs to be updated regularly. Updates could be automatic or may need to be performed manually.

8. Secure Your Wi-Fi Networks

Businesses must secure their wireless networks in as many ways as they can. Two easy steps are changing the router's default name and its default password. The network name should be changed to one that does not reveal the name of the business.

Next, encrypt the wireless network to the strongest protocol available, which is currently Wi-Fi Protected Access 3 (WPA3), as advised by the Wi-Fi Alliance. Yet another way to ensure that the Wi-Fi network remains secure is to constantly check that all of the devices connected to the network are also secure—using strong passwords and data encryption. 

9. Employ Best Practices on Payment Cards

Small businesses rely on their banks and card processors to make sure that all anti-fraud measures are in place. In addition to physically handling customers' cards with extra care, the security protocol of the business's wireless network—again—needs to be set to the strongest, WPA3. 

The PCI Security Standards Council prohibits retailers from processing credit card data using the older Wired Equivalent Privacy (WEP) protocol, which was abandoned in 2003. 

10. Limit Physical Access to Computers

As with access to a building or physical assets, unauthorized individuals should be prevented from potentially gaining access to laptops, PCs, scanners, and other devices the business owns. This may include physically securing the device or adding a physical tracker to recover the device in case of loss or theft.

For devices that are used by multiple employees, businesses should consider creating separate user accounts and profiles for additional protection.

How Fortinet Can Help

Small business security does not need to be difficult. While the tips above are tried-and-true methods for strengthening the security of an organization's devices and data, a simplified, consolidated security solution is an additional measure worth investigating. 

Fortinet Small Business Security Solutions help businesses amplify their security efforts by unifying and managing their network, applications, and endpoints—cost-effectively in the cloud.

FortiGate entry-level next-generation firewalls (NGFWs) integrate comprehensive security protection with SD-WAN networking capabilities onto a single appliance. FortiClient endpoint protection natively integrates with FortiGate to provide antivirus, visibility, control, and remote VPN access for the Fortinet Security Fabric.