In 2020, the FBI's Internet Crime Complaint Center received 791,790 complaints — a 69% increase over 2019 — with reported losses exceeding $4.2 billion. Small businesses absorbed a disproportionate share of that damage. The Verizon 2020 Data Breach Investigations Report found that 28% of data breaches involved small businesses. If you're running a company with fewer than 500 employees, these cybersecurity tips for small business aren't theoretical. They're survival tactics.
I've worked with organizations that assumed their size made them invisible to threat actors. That assumption is consistently, expensively wrong. Attackers don't discriminate by revenue. They discriminate by vulnerability. And small businesses tend to have more of it — thinner IT teams, older systems, and employees who've never seen a phishing simulation in their lives.
This post lays out the specific, practical steps I recommend to every small business owner I work with. No vague advice. No "just be careful." Real actions you can take this week.
Why Threat Actors Target Small Businesses First
There's a persistent myth that cybercriminals only go after large enterprises. The reality is exactly the opposite for many attack types. Small businesses are softer targets. They're less likely to have dedicated security staff, endpoint detection, or even basic security awareness training.
Attackers know this. Ransomware gangs in particular have shifted focus toward small and mid-size organizations because they're more likely to pay — they can't afford weeks of downtime, and they rarely have the backups to recover on their own. The Coveware Q4 2020 Ransomware Report noted the median ransom payment was $110,532, a figure that would cripple most small operations.
Credential theft is another favorite. An employee reuses their work email and password on a compromised third-party site. An attacker harvests those credentials. Suddenly they're inside your Microsoft 365 tenant, reading your invoices, and redirecting wire transfers. I've seen this exact scenario play out at companies with as few as 12 employees.
The $4.2 Billion Problem: Social Engineering Still Wins
The FBI IC3's 2020 Internet Crime Report makes one thing painfully clear: social engineering remains the most effective attack vector. Business email compromise (BEC) alone accounted for $1.8 billion in losses — more than any other category.
BEC doesn't require sophisticated malware. It requires a convincing email. The threat actor impersonates a vendor, an executive, or a client. Your employee, under time pressure, sends a payment to a new bank account. By the time anyone notices, the money is gone.
Phishing — the broader category — feeds almost every other attack. Ransomware deployments start with a phishing email. Credential theft starts with a phishing email. Data breaches start with a phishing email. If you only address one vulnerability in your organization this year, make it this one.
What a Phishing Simulation Actually Looks Like
A phishing simulation sends realistic but harmless phishing emails to your employees. You measure who clicks, who reports, and who enters credentials. Then you train based on actual results. It's not a gotcha exercise — it's a diagnostic tool.
If you've never run one, start with phishing awareness training built for organizations. It walks your team through real-world scenarios and teaches them to spot the red flags before they cost you six figures.
10 Cybersecurity Tips for Small Business Owners in 2021
Here's the practical playbook. Every recommendation below is something I've either implemented for clients or seen prevent a breach firsthand.
1. Enforce Multi-Factor Authentication Everywhere
If there's a single control that prevents the most damage per dollar spent, it's multi-factor authentication (MFA). Microsoft has stated that MFA blocks 99.9% of automated attacks on accounts. Enable it on email, cloud storage, VPNs, banking portals — everything that accepts a login.
Don't rely on SMS-based MFA if you can avoid it. SIM-swapping attacks are real and growing. Use an authenticator app like Microsoft Authenticator or Google Authenticator instead.
2. Train Your Employees — Repeatedly
One-time training during onboarding doesn't work. Security awareness training needs to happen regularly — quarterly at minimum. The Verizon DBIR consistently shows that human error is a factor in the majority of breaches.
Your training should cover phishing recognition, password hygiene, physical security basics, and how to report suspicious activity. A comprehensive cybersecurity awareness training program gives your team the foundation they need without requiring an enterprise budget.
3. Patch Everything Within 48 Hours
When CISA issues an advisory, attackers are already scanning for unpatched systems. The SolarWinds incident in late 2020 demonstrated how quickly exploitation follows disclosure. Your small business may not be running SolarWinds, but you are running Windows, Chrome, Adobe, and dozens of other products that issue critical patches regularly.
Set up automatic updates where possible. Where it's not, designate someone to check for patches weekly. Prioritize anything marked critical or actively exploited.
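A simple way to make the 48-hour target measurable is to compare what is installed against the advisories you track and sort the gaps so actively exploited ones surface first. The script below is an added example, not code from the original post; every product name, version, host and date in it is constructed, and the version comparison assumes dotted numeric versions.

```python
"""Compare an asset inventory against vendor advisories and list systems that
are past a 48-hour patch SLA, actively exploited ones first. Added example, not
from the original post; products, versions, dates and hosts are constructed."""
from datetime import datetime

def parse_version(version: str) -> tuple:
    """'89.0.4389' -> (89, 0, 4389) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

# Constructed advisories: product, first fixed version, publication time, and
# whether the vendor or CISA reports exploitation in the wild.
ADVISORIES = [
    {"product": "browser", "fixed_in": "89.0.4389", "published": datetime(2021, 3, 12, 9, 0), "exploited": True},
    {"product": "pdf-reader", "fixed_in": "21.1.20140", "published": datetime(2021, 3, 9, 14, 0), "exploited": False},
    {"product": "office-suite", "fixed_in": "16.0.13801", "published": datetime(2021, 3, 14, 16, 0), "exploited": False},
]

# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "laptop-01": {"browser": "88.0.4324", "pdf-reader": "21.1.20140", "office-suite": "16.0.13801"},
    "laptop-02": {"browser": "89.0.4389", "pdf-reader": "20.13.20064"},
    "front-desk": {"browser": "88.0.4324", "office-suite": "16.0.13704"},
}

NOW = datetime(2021, 3, 15, 9, 0)  # fixed "current time" so the run is reproducible

def missing_patches(inventory: dict, advisories: list, now: datetime, sla_hours: int = 48) -> list:
    """Return one record per (host, product) still below the fixed version,
    ordered so actively exploited issues come first, then the oldest."""
    rows = []
    for host, installed in inventory.items():
        for adv in advisories:
            current = installed.get(adv["product"])
            if current is None:
                continue  # product not present on this host
            if parse_version(current) >= parse_version(adv["fixed_in"]):
                continue  # already patched
            age_hours = (now - adv["published"]).total_seconds() / 3600
            rows.append({
                "host": host, "product": adv["product"], "installed": current,
                "fixed_in": adv["fixed_in"], "age_hours": round(age_hours),
                "exploited": adv["exploited"], "overdue": age_hours > sla_hours,
            })
    rows.sort(key=lambda r: (not r["exploited"], -r["age_hours"]))
    return rows

def run_check() -> list:
    """Run the check over the constructed data with the fixed clock."""
    return missing_patches(INVENTORY, ADVISORIES, NOW)

if __name__ == "__main__":
    for row in run_check():
        flag = "OVERDUE" if row["overdue"] else "within SLA"
        print(f"{row['host']:10} {row['product']:13} {row['installed']} -> {row['fixed_in']} "
              f"({row['age_hours']}h old, exploited={row['exploited']}) {flag}")
```

In practice the inventory comes from whatever your endpoint management tool exports and the advisory list from the vendors you actually run; the point is that "within 48 hours" becomes a number you can check every morning rather than a good intention.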
4. Use a Password Manager
Your employees are reusing passwords. I guarantee it. A password manager eliminates that risk by generating and storing unique, complex passwords for every account. LastPass, 1Password, and Bitwarden all offer business plans. Pick one and mandate it.
5. Implement the Principle of Least Privilege
Not everyone needs admin access. Not everyone needs access to the finance share drive. Grant the minimum permissions each role requires and review those permissions quarterly. When an employee leaves, revoke access the same day — not the same week.
This is a core concept behind the zero trust security model. Trust nothing by default. Verify everything.
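The quarterly review described above is easy to automate once you write down what each role legitimately needs. The script below is an added example, not code from the original post; every user, role, group, admin list and date in it is constructed, and the role baseline is an assumption standing in for whatever your own org chart says.

```python
"""Quarterly access review over a constructed account list: flags leavers who are
still enabled, admins outside the approved set, group memberships beyond a role's
baseline, and dormant accounts. Added example, not from the original post; every
user, role, group and date here is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    user: str
    role: str
    is_admin: bool
    enabled: bool
    groups: set
    last_login: date
    terminated_on: Optional[date] = None

# Constructed: the groups each role legitimately needs (the least-privilege baseline)
ROLE_BASELINE = {
    "sales": {"crm", "shared-docs"},
    "accounting": {"finance-share", "shared-docs"},
    "it": {"shared-docs", "helpdesk"},
}
APPROVED_ADMINS = {"it.admin"}          # constructed: the only account that should hold admin rights
REVIEW_DATE = date(2021, 3, 15)         # fixed review date so the run is reproducible

ACCOUNTS = [  # constructed directory export
    Account("j.smith", "sales", False, True, {"crm", "shared-docs", "finance-share"}, date(2021, 3, 1)),
    Account("a.lee", "accounting", False, True, {"finance-share", "shared-docs"}, date(2020, 9, 14)),
    Account("it.admin", "it", True, True, {"shared-docs", "helpdesk"}, date(2021, 3, 14)),
    Account("m.jones", "sales", True, True, {"crm", "shared-docs"}, date(2021, 3, 10)),
    Account("r.gone", "accounting", False, True, {"finance-share", "shared-docs"}, date(2021, 2, 20),
            terminated_on=date(2021, 2, 26)),
]

def review_access(accounts=ACCOUNTS, today=REVIEW_DATE, dormant_days=90) -> list:
    """Return (user, severity, reason) tuples, most severe first."""
    findings = []
    for acct in accounts:
        # Leaver still enabled: the "same day, not the same week" rule was missed
        if acct.terminated_on and acct.enabled:
            days = (today - acct.terminated_on).days
            findings.append((acct.user, "critical", f"still enabled {days} days after termination"))
        # Admin rights that nobody approved
        if acct.is_admin and acct.user not in APPROVED_ADMINS:
            findings.append((acct.user, "high", "admin rights outside the approved admin list"))
        # Group memberships beyond what the role needs
        extra = acct.groups - ROLE_BASELINE.get(acct.role, set())
        if extra:
            findings.append((acct.user, "high", f"groups beyond the {acct.role} baseline: {sorted(extra)}"))
        # Dormant but enabled accounts are a standing credential-theft risk
        idle = (today - acct.last_login).days
        if acct.enabled and not acct.terminated_on and idle > dormant_days:
            findings.append((acct.user, "medium", f"no login in {idle} days"))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f[1]])
    return findings

if __name__ == "__main__":
    for user, severity, reason in review_access():
        print(f"[{severity:8}] {user}: {reason}")
```

Feed it a real export from your identity provider and the same four rules catch the most common least-privilege failures: the departed employee whose account is still live, the salesperson who was added to the finance share "just this once", and the admin account nobody remembers creating.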
6. Back Up Data Using the 3-2-1 Rule
Three copies of your data, on two different media types, with one stored offsite. If ransomware encrypts your file server, your backup is your lifeline. But only if the backup isn't also connected to the network that got hit.
Test your backups. I can't stress this enough. A backup you've never restored is a backup you can't trust.
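A restore test is only meaningful if you compare what came back against what went in. The script below is an added example, not code from the original post: it backs up a constructed directory to a tar.gz, records a SHA-256 manifest at backup time, restores into a scratch directory and re-hashes every file, and also shows what the check reports when one restored file is corrupted (simulated here by truncating it).

```python
"""Back up a directory to a tar.gz with a SHA-256 manifest, then prove the backup
restores by extracting it to a scratch directory and re-hashing every file.
Added example, not from the original post; the sample files are constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return {relative path: sha256} taken at backup time."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(str(file), arcname=rel)
    return manifest

def restore(archive: Path, restore_dir: Path) -> None:
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # The "data" filter rejects members that would escape restore_dir (Python 3.12+, 3.11.4+)
            tar.extractall(str(restore_dir), filter="data")
        except TypeError:
            tar.extractall(str(restore_dir))  # older Python: no filter argument

def check_restore(manifest: dict, restore_dir: Path) -> list:
    """Compare restored files to the manifest; an empty list means a trustworthy restore."""
    problems = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"{rel}: missing after restore")
        elif sha256_of(restored) != expected:
            problems.append(f"{rel}: hash mismatch after restore")
    return problems

def demo() -> tuple:
    """Run a clean restore test and one with a simulated truncated file; return both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "fileserver"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "invoices.csv").write_text("id,amount\n1,250.00\n")  # constructed data
        (source / "notes.txt").write_text("constructed sample data\n")
        archive = tmp / "backup.tar.gz"
        manifest = make_backup(source, archive)

        restore(archive, tmp / "restore-clean")
        clean = check_restore(manifest, tmp / "restore-clean")

        restore(archive, tmp / "restore-bad")
        (tmp / "restore-bad" / "finance" / "invoices.csv").write_bytes(b"")  # simulate a corrupted restore
        bad = check_restore(manifest, tmp / "restore-bad")
        return clean, bad

if __name__ == "__main__":
    clean, bad = demo()
    print("clean restore problems:", clean)
    print("corrupted restore problems:", bad)
```

Keep the manifest with the offsite copy: if ransomware or a failing disk silently damages the archive, the hash comparison is what tells you before the day you actually need the restore.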
7. Secure Your Email Gateway
Publish SPF, DKIM, and DMARC records for your domain. These email authentication protocols help prevent attackers from spoofing your domain in phishing attacks against your employees, clients, and vendors.
If your business runs on Microsoft 365 or Google Workspace, both platforms offer built-in tools to configure these settings. CISA provides clear guidance on implementation at cisa.gov.
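Publishing the records is half the job; the other half is making sure they don't contain the permissive settings that leave spoofing wide open. The script below is an added example, not code from the original post: it lints the text of an SPF record and a DMARC record for the weak settings a receiver would honour (`+all`, a missing `all` term, more than 10 DNS lookups, `p=none`, no reporting address). DKIM is omitted because it cannot be judged from the record text alone. The two domains and their records are constructed samples, not real DNS.

```python
"""Lint SPF and DMARC TXT records for the weak settings that let a domain be
spoofed. Added example, not from the original post; the records below are
constructed samples, not real domains' DNS."""
import re

# SPF terms that each consume one of the 10 permitted DNS lookups (RFC 7208 section 4.6.4)
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def lint_spf(record: str) -> list:
    """Return a list of findings for one SPF record; empty means nothing weak was found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier, body = "+", term            # a bare mechanism means pass ("+")
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of failing")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets anyone send as this domain; use -all or ~all")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10; receivers return permerror")
    return findings

def lint_dmarc(record: str) -> list:
    """Return a list of findings for one DMARC record; empty means the policy is enforcing."""
    findings = []
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    return findings

# Constructed sample domains and records (not real DNS)
SAMPLE_RECORDS = {
    "example-weak.test": {
        "spf": "v=spf1 include:_spf.mailhost.example +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "example-strong.test": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test; pct=100",
    },
}

def audit(records: dict = SAMPLE_RECORDS) -> dict:
    """Lint every domain's records; returns {domain: [findings]}."""
    report = {}
    for domain, recs in records.items():
        report[domain] = ([f"SPF: {f}" for f in lint_spf(recs["spf"])]
                          + [f"DMARC: {f}" for f in lint_dmarc(recs["dmarc"])])
    return report

if __name__ == "__main__":
    for domain, findings in audit().items():
        print(domain, "->", findings or "no weak settings found")
```

To run it against your own domain, paste in the TXT records your DNS host shows for the domain and for `_dmarc.<domain>`; a `p=none` result is the normal starting point while you collect reports, but the job isn't done until the policy reaches `quarantine` or `reject`.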
8. Segment Your Network
Your point-of-sale system shouldn't be on the same network as your guest Wi-Fi. Your security cameras shouldn't share a subnet with your accounting software. Network segmentation limits lateral movement — if an attacker gets into one system, they can't easily pivot to everything else.
Even basic VLANs on a managed switch make a significant difference. This isn't expensive. It's just often overlooked.
9. Create and Test an Incident Response Plan
When — not if — something goes wrong, your team needs to know what to do. Who do they call? What systems get isolated? Who contacts your cyber insurance provider? Who notifies affected customers?
Write it down. Print it out. Run a tabletop exercise once a year where you walk through a simulated ransomware attack or data breach. The NIST Cybersecurity Framework provides excellent guidance for building this plan at nist.gov/cyberframework.
10. Get Cyber Liability Insurance
This won't prevent a breach, but it will keep your business alive after one. Cyber liability insurance covers incident response costs, legal fees, notification requirements, and sometimes even ransom payments. In 2021, premiums are rising fast because claims are surging. Lock in a policy now before your industry's rates climb further.
What Are the Most Important Cybersecurity Tips for Small Business?
The most impactful cybersecurity tips for small business come down to three actions: enable multi-factor authentication on every account, train employees to recognize phishing and social engineering attacks, and maintain tested offline backups. These three controls address the root causes behind the vast majority of small business breaches reported in the Verizon DBIR and FBI IC3 data. Everything else — network segmentation, patching, least privilege — layers on top of this foundation.
The Zero Trust Mindset: It's Not Just for Enterprises
You've probably heard the term zero trust and assumed it's a million-dollar enterprise initiative. It's not. Zero trust is a mindset: never trust, always verify. You can apply it at any scale.
Verify every user before granting access. Verify every device before allowing it on the network. Verify every email before clicking a link. When your receptionist gets an email from the "CEO" asking for W-2s, zero trust means they pick up the phone and confirm before sending anything.
That phone call costs nothing. Skipping it has cost companies millions.
Building a Culture That Catches Threats
Technology solves part of the problem. Culture solves the rest. Your employees need to feel empowered — not embarrassed — when they report a suspicious email. They need to know that flagging something weird won't get them in trouble, even if it turns out to be legitimate.
I've seen organizations where a single alert employee stopped a six-figure BEC attack mid-execution simply because they thought an invoice "felt off" and said something. That instinct doesn't develop by accident. It develops through consistent training and a culture that rewards caution.
Start building that culture today. Enroll your team in structured cybersecurity awareness training and pair it with regular phishing simulations to measure and improve their readiness over time.
Your 30-Day Action Plan
Don't try to do everything at once. Here's a realistic 30-day timeline:
- Week 1: Enable MFA on all email, cloud, and financial accounts. Audit who has admin access and remove unnecessary privileges.
- Week 2: Deploy a password manager to all employees. Run your first phishing simulation to get a baseline click rate.
- Week 3: Verify your backup strategy meets the 3-2-1 rule. Test a restore. Configure SPF, DKIM, and DMARC for your email domain.
- Week 4: Deliver your first security awareness training session. Draft a one-page incident response plan with contact numbers and escalation steps.
Every one of these steps is achievable with a small team and a modest budget. The cost of inaction is the one you can't afford.
The Breach You Prevent Is the One Nobody Talks About
Nobody writes a headline about the ransomware attack that didn't happen because an employee spotted the phishing email. Nobody tweets about the credential theft that failed because MFA was enabled. The best cybersecurity outcomes are invisible.
That's the goal. Invisible success. The kind where your small business keeps running, your customers' data stays protected, and your bank account remains intact because you made the unsexy, practical decisions laid out above.
These cybersecurity tips for small business aren't groundbreaking. They're proven. The organizations that implement them survive. The ones that don't become the next case study in next year's FBI IC3 report.
Start today. Your future self will thank you.