Cybersecurity Tips for Your Small or Medium Business

Your 10-Step Cybersecurity Checklist

Attacks on small and medium-sized businesses are on the rise. It's crucial that SMBs build a strong cybersecurity foundation to protect themselves, their employees, and their data. Use our checklist, tips, and resources to take stock, streamline your processes, and keep your business ahead of modern malware.

1. Invest in effective cybersecurity.

In our recent survey of small and medium-sized businesses (SMBs), an astonishing 20% of respondents admitted they don't have (or don't know if they have) endpoint security. Reliable, effective endpoint protection is the first step to building your business's cybersecurity foundation.[1]


16% of IT decision makers base their cybersecurity purchase choices on strong reviews and peer recommendations.[1]

22% of SMBs think a product with machine learning or AI capabilities is superior to traditional alternatives.[1]

2. Decide how many protection layers to deploy.

While an effective endpoint solution can protect an organization from many different types of malware, a layered security approach is crucial to cover all the attack vectors criminals use to breach businesses. By combining endpoint protection, DNS-layer web filtering, and security awareness training for end users, you can protect your whole organization, inside and out.


Only 26% of small to medium-sized businesses deploy enough layers of security to cover their users, networks, and devices.[1]

3. Establish an internal incident response plan.

According to our survey, the most common cybersecurity concerns are phishing scams, ransomware, and employee naiveté. Treat these threats as an inevitability, and proactively develop incident response and disaster recovery plans. As the expression goes, "hope for the best, plan for the worst."


24% of businesses with 1-19 employees aren't prepared for the top threats to their network.[1]

4. Evaluate your IT security resources.

According to Endurance International Group, 83% of small businesses with under 10 employees handle cybersecurity on their own.[2] To combat increasingly targeted threats, you need to designate dedicated IT security resources, either in-house or outsourced to a managed service provider.


41% of small to medium-sized businesses do not have any dedicated IT security resources.[1]

5. Create and enforce strong password policies.

According to ITProToday, only 36% of businesses are using multi-factor authentication for internal access.[3] Bolster your password policy through the use of tools like single sign-on (SSO) and multi-factor authentication (MFA), which add further layers of security and prevent a single stolen password from compromising sensitive information.


81% of small to medium-sized businesses have a "strong password" policy in place.[1]

6. Train employees to avoid risks.

A simple truth is that 90% of network breaches are caused by user error.[4] Security awareness tools offer phishing simulations and basic cybersecurity training that both educate employees and allow an organization to identify the weakest links for additional training. Ponemon has found that even the least effective program still resulted in a 7-fold ROI including lost productivity time.[4]


65% of small to medium-sized businesses currently give no employee training on cybersecurity best practices.[1]

7. Create a crisis response for your client base.

One of the worst consequences of a data breach is the loss of your customers' trust. While you may have already implemented a behind-the-scenes internal recovery plan, don't neglect your public image. In the wake of an attack, your customers will need transparent communication and steady reassurance that you're taking care of the issue and their data is safe.


55% of SMBs believe that their public image would be difficult to restore following a cyberattack.[1]

8. Implement secure data retention policies.

According to the Business Performance Innovation Network, less than one-third of businesses said their company was effectively securing documents.[5] Your organization should have clear guidelines on data and file classification, storage, access, and disposal. In addition, patch management and frequent secure backups are essential.


The approximate cost to an organization for each individual record lost in a data breach caused by human error in 2018 is $128.[6]

9. Control facility, network, and device access.

Breaches are most frequently caused by inattentive or unaware behavior. Enforce a clean desk and whiteboard policy and implement physical barriers such as managed entry systems for your facilities. Use clear guidelines, educate employees, and stay alert to avoid social engineering attacks.


93% of modern data breaches now involve a phishing attack.[7]

10. Continuously update and revise policies.

The cybersecurity landscape is an ever-changing arms race. For every protection enhancement cybersecurity vendors make, criminals find new ways to hack networks and endpoints. It's crucial to continually re-examine your policies and procedures and pay attention to emerging threats to keep both your organization and customers secure.


94% of malicious executables detected were unique, making them near impossible for traditional, signature-based antivirus to detect.[8]


Additional Resources:
[1] Webroot. "SMB Pulse Survey." (April 2018)
[2] Endurance International Group. "2015 Small Business & Cybersecurity." (May 2015)
[3] ITProToday. "Most Organizations Have Password Policies, But Half Don't Enforce Them." (October 2017)
[4] Webroot. "Why Your Clients Need Security Awareness Training." (April 2018)
[5] Business Performance Innovation Network. "Exploring Exposure and Risk In Document-Related Data Breaches." (March 2017)
[6] Ponemon. "Cost of a Data Breach Study." (July 2018)
[7] Verizon. "2018 Data Breach Investigations Report." (April 2018)
[8] Webroot. "2018 Threat Report." (March 2018)