There are plenty of scary stories about zero day exploits, overseas hackers, and zombie networks out there to keep you up at night. But by far the biggest security risk that you should be concerned about is the people sitting in front of the computers on your network.
No matter how much you’ve spent on security—regardless of which firewall, malware blocker, or compliance tool you’re using—end users are still the easiest target.
And that’s why you need a cybersecurity plan.
Creating an SMB cybersecurity checklist and response plan
While it’s easy to bang the “You Need More Security Now!” drum, real life is a little more complicated. Cybersecurity is a very personal decision and every small business owner has to make tough choices based on parameters that vary wildly between different business owners, even within the same industry.
In general, the tradeoffs come down to security, convenience, and cost. This guide is meant to give you a place to start thinking about those choices and how they can affect you and your business.
Take stock of your assets and sensitive data
The first step in any cybersecurity plan is to make a list of what you need to protect. Categorize your assets based on how important they are to your business, and how much downtime you’re willing to tolerate in the event you lose that asset, either permanently (if a company laptop is lost or stolen, for example), or just temporarily (like a service outage). If your business lives and dies by email, for example, you might want to prioritize protecting your email infrastructure above anything else.
Perform vulnerability and risk assessments
Each business asset comes with its own set of potential risks, so it’s important to figure out which potential attack vectors are most likely to be used. As we pointed out in the introduction, your biggest security risks tend to be your end users.
Why bother hacking encryption, trying to decipher a strong password, or defeating multifactor authentication (which are all great and very useful tools, by the way) when cybercriminals can just call your CFO and ask him to wire money to an account? This scenario is precisely why employee training and testing are among the smartest places to spend your IT security budget.
Establish security policies and procedures
Once you know what’s most important and how it could be compromised, establishing policies and procedures will help set expectations for your staff. If you’re in an industry that must adhere to compliance standards like HIPAA or SOX, follow their guidelines. Otherwise, start with the basics.
The server closet should be locked at all times. Limit personal use of sensitive work equipment. Require antivirus software on all computers. Patch your software and hardware regularly. Enforce multifactor authentication on all services that offer it. Have a strong password policy in place. These are all basic, low- or no-cost security measures that you should have in place before doing anything else; once they are in place, you can build up from there. Think of cybersecurity as having layers, with each layer guarding against a specific type of threat. The more layers you have, the more protected you are, because a threat that slips past one layer still has to get through the rest.
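To make the asset inventory, risk assessment and baseline-controls steps above concrete, here is a small risk register in Python. It is an added example, not code from the original article: it ranks assets by a simple likelihood-times-impact score scaled by how much the business depends on each asset, breaks ties by the shortest tolerable downtime, and reports which of the basic controls listed above each asset is missing. Every asset, threat, score and control name in it is constructed sample data, and the scoring formula is an assumption chosen for illustration.

```python
"""Asset inventory and risk register for a small business.

Added example, not part of the original article. All asset names, scores,
threats and control sets below are constructed sample data.
"""
from dataclasses import dataclass, field

# Baseline, low/no-cost controls the checklist asks for before anything else.
BASELINE_CONTROLS = {
    "physical_lock",      # server closet (or laptop) physically secured
    "antivirus",          # antivirus on every computer
    "patching",           # regular software/hardware patching
    "mfa",                # multifactor authentication wherever offered
    "password_policy",    # strong password policy enforced
}


@dataclass
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (expected)
    impact: int       # 1 (nuisance) .. 5 (business-ending)

    @property
    def score(self) -> int:
        # Assumed scoring: classic likelihood x impact.
        return self.likelihood * self.impact


@dataclass
class Asset:
    name: str
    criticality: int            # 1..5, how much the business depends on it
    max_downtime_hours: float   # tolerable outage before real harm
    controls: set = field(default_factory=set)
    threats: list = field(default_factory=list)

    def risk_score(self) -> int:
        # The single worst threat drives the score; criticality scales it.
        worst = max((t.score for t in self.threats), default=0)
        return worst * self.criticality

    def missing_controls(self) -> set:
        return BASELINE_CONTROLS - self.controls


def prioritize(assets):
    """Return assets most-urgent first: higher risk score, then shorter
    tolerable downtime to break ties."""
    return sorted(assets, key=lambda a: (-a.risk_score(), a.max_downtime_hours))


def control_gaps(assets):
    """Map asset name -> sorted list of baseline controls it lacks
    (assets with no gaps are omitted)."""
    return {a.name: sorted(a.missing_controls())
            for a in assets if a.missing_controls()}


# Constructed inventory for a business that "lives and dies by email".
SAMPLE_ASSETS = [
    Asset("mail server", criticality=5, max_downtime_hours=2,
          controls={"antivirus", "patching", "password_policy", "physical_lock"},
          threats=[Threat("phishing / credential theft", 5, 4),
                   Threat("ransomware", 3, 5)]),
    Asset("file server", criticality=4, max_downtime_hours=24,
          controls={"antivirus", "patching", "mfa", "password_policy", "physical_lock"},
          threats=[Threat("ransomware", 3, 5)]),
    Asset("CFO laptop", criticality=3, max_downtime_hours=48,
          controls={"antivirus", "password_policy", "physical_lock"},
          threats=[Threat("loss or theft", 2, 3),
                   Threat("wire-fraud social engineering", 4, 5)]),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ASSETS):
        print(f"{a.name:12} risk={a.risk_score():3} "
              f"tolerable downtime={a.max_downtime_hours}h "
              f"missing={sorted(a.missing_controls()) or 'none'}")
```

Running it lists the mail server first (highest risk, least tolerable downtime), then the file server and the CFO laptop, which tie on risk but differ in how long an outage can be tolerated; the gap report shows the mail server still lacks MFA and the laptop lacks MFA and patching, which is exactly the kind of finding that tells you where the first dollars of the budget should go.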
You’ll also want to have procedures in place to deal with different types of breaches. What happens if your server is compromised and all of the data is encrypted with ransomware? What happens if your mail server goes down? Established procedures serve two purposes:
- They help management understand how much downtime is going to result from a specific type of outage.
- They give users a roadmap of what to do in the event of an outage.
The last thing you want when an unexpected outage hits is to get caught without a plan, trying to figure it out on the fly, with management demanding answers and employees and customers looking for direction that isn’t available.
Review and update IT security policies
Once your policies are in place, it’s crucial to periodically review those policies across your company. This type of audit helps ensure that your staff is up to date and compliant, that new risks are accounted for, and that you have an opportunity to update your existing policies and procedures if necessary.
No policy is completely future-proof, so you can’t just establish your policy once and then forget about it until you need it. The threat landscape is constantly shifting and evolving, and you need to stay up to date on the latest threats and trends in cybersecurity. Believing that your policies from five years ago will protect you from the newest threats today is unfortunately a woefully naive approach, and will almost certainly leave you vulnerable to data breaches, phishing scams, and ransomware attacks.
How much should a small business spend on security?
This is a tough question to answer objectively, as every business is different and has different cybersecurity needs. Start with the basics and deploy low and zero cost security measures as outlined above. Once those are in place, you should strongly consider installing antivirus/EDR software.
Next, look at business-class firewalls and end-user training.
The best way to get an accurate assessment of how much you should budget for sufficient cybersecurity for your business is to consult a top-rated cybersecurity service provider.
Strengthen your network security and prevent cyber attacks by being prepared
Cybersecurity is a difficult (and oftentimes overwhelming) topic for most business owners to tackle. But if you think it’s a lot to think about now, wait until you’ve had an actual breach. After the damage has been done it’s easy to justify the time and cost, but hopefully you don’t need to learn this the hard way.
Start small, build your cybersecurity in layers, and don’t fall into the trap of thinking that you’re safe just because you’re using a firewall and antivirus software. Cyber threats are constantly changing and so you must be constantly vigilant.
If you don’t have the resources to handle all of this in-house, don’t panic: there are plenty of experienced, professional cybersecurity providers out there who are ready to do the hard work for you so you can rest easy and focus on running your business.