Hacks at companies like Uber or Marriott may make headlines more than breaches at small businesses, but that shouldn’t lull any business owner into a false sense of security.

Statistically, small businesses (SMBs) are almost as likely as big companies to experience a data breach—43% of cyber attacks are aimed at small businesses, but only 14% are prepared to defend themselves.

In honor of Cybersecurity Awareness Month, we’ve gathered our top nine tips to help small businesses protect their customers’ sensitive information.

“My SMB doesn’t have a lot of data. We won’t get hacked.”

It’s normal for a small or mid-sized business owner to think they don’t have enough data to be worth a hacker’s attention, but it’s not accurate. 

Data proliferates in all businesses, and thinking otherwise can be extremely costly. Before we get too far into how cybersecurity measures can improve your data privacy program, let’s discuss why you need them.

You might be wondering—why wouldn’t hackers target megacorporations instead? They have huge treasure troves of customer information or millions of credit card numbers and highly valuable intellectual property on their servers. 

But there are three main reasons hackers go after SMBs instead of big businesses:

  • Less security

SMBs often have minimal cybersecurity protections in place, so hackers can gain system access more quickly and easily than they can at a large corporation.

  • “Breach one, hack many”

Hackers often use a breach at an SMB as a way into a larger target. Known as a supply chain attack, this method was used to expose the names, email addresses, phone numbers, Social Security numbers, and loan numbers of more than three million Audi and Volkswagen clients last year. Hackers couldn’t easily get directly into Volkswagen Group of America, Inc.’s system, but they could through a vendor who had left data unprotected in the cloud.

  • Ransom

SMBs are less likely to have cybersecurity insurance or redundant servers, which means a hack can seriously disrupt, even paralyze, their operations. The panic that comes with being locked out of their systems and wanting to get back to work makes SMB owners more likely to pay a ransom.

Researchers recently found that nearly half of all small businesses (42%) had experienced a cyber attack in the previous twelve months. Experts estimate that in 2021, companies faced 50% more cyberattacks every week than they did in 2020. 

The heightened threats haven’t yet translated into much action. Even though 69% of SMB owners are concerned about being the victim of a cyberattack in the next year, 45% of them say their processes aren’t strong enough to protect them.

And these are costly events—according to IBM, data breaches cost SMBs an average of $3M per incident.

Too many business owners get overwhelmed by what they see as the difficulty or expense of implementing a new cybersecurity program. 

Here are simple, cost-effective steps you can take to protect access to your business’ data:

  1. Keep current on software updates
  2. Implement multi-factor authentication
  3. Set strong passwords 
  4. Avoid public Wi-Fi networks (and use a VPN)
  5. Secure your mobile device
  6. Back up your data
  7. Create a policy for personal and work devices
  8. Restrict data access
  9. Train your teams

1. Keep current on software updates

One of the most important ways to protect your user accounts and sensitive data is to install software updates and patches as soon as they come out. These fixes are issued in response to known vulnerabilities that have been and will be exploited by hackers. 

We aren’t just talking about your antivirus software or firewall software patches, either. Using any outdated or unsupported programs and apps dramatically increases your breach risk. 

(So stop pushing that “remind me later” button and set aside time at least weekly to make sure all your software is up-to-date.)

2. Implement two-factor or multifactor authentication

Two-factor authentication (TFA) and multifactor authentication (MFA) are effective ways to protect sensitive data. Most TFA and MFA programs—Authy is a great option for many businesses—won’t grant system or database access without a time-sensitive, one-time code that is sent to a mobile phone number or email address after a username and password are entered.

MFA can be expensive, but it doesn’t have to be. Microsoft 365 and Google Workspace include free MFA, and there are multiple high-quality, low-cost programs out there that are well worth the price—and the peace of mind.

3. Set strong passwords

Your password protection is only as good as your password. 

It seems ridiculous that in 2022 we’d still have to be saying this, but as long as 123456 and qwerty are two of the top three most popular passwords in the world, we have to bring it up.

While the best passwords are totally random, make sure your employees are using passwords that at the very least:

  • Are at least eight characters long (ten is better)
  • Include at least one number, symbol, and capital letter
  • Do not include birthdays, anniversaries, family names, or any other easily sourced information
  • Favor phrases, which make great passwords (e.g., greenisthenewblack7$)

Passwords should also be changed once or twice a year and shouldn’t be reused across different platforms. If this feels burdensome, consider using an encrypted password manager to keep track of all of their passwords. If your employees need to share passwords, they should do so verbally and not via a method that can be hacked, such as shared documents, email, texts, etc.

4. Avoid public Wi-Fi networks (and use a VPN)

It won’t do you much good to secure your Wi-Fi networks if you also use unsecured, public Wi-Fi networks. Because they are designed to let anyone connect, these networks usually have nothing remotely resembling adequate cybersecurity measures, especially for sensitive information such as payment card details, birthdays, and contact information.

During the COVID-19 pandemic, it became apparent that employees who work from home can be vulnerable to some of the same risks that come with public Wi-Fi networks. Using a virtual private network, or VPN, like NordVPN, can mask your employees’ IP addresses and provide a higher degree of security.

5. Secure your mobile device

If you and your employees use cell phones to take payments, access company databases, market to customers, or communicate sensitive information to each other, invest in an end-to-end encryption program (Virtru, Kaspersky, and VGS Platform are popular options). And if your team uses personal mobile devices for work, make sure they are installing regular updates and are cautious about which apps they download.

6. Back up your data

Fire, flood, theft, glitches, a spilled cup of coffee—there are plenty of reasons backing up data is just good business practice. But backing up your data is also a good cybersecurity practice.

You don’t have to pay a ransom if you have an up-to-date copy of your data easily accessible. 

7. Implement strong security practices for personal devices

At SMBs, phones and laptops often pull double-duty as personal and work devices. While this might be a cost-effective solution, it’s not a cyber-secure one—at least not without the right precautions.

If your employees conduct work on a personal device, it’s critical that they implement the correct privacy and security settings. Creating an easy-to-follow policy for setting up their devices along with robust training programs can help prevent hackers from accessing your system.

8. Restrict data access

Not all your employees need access to all your data. Like multifactor authentication, setting strict permissions that grant each person access to only the data needed to complete a given task (the principle of least privilege) is an added layer of protection against unauthorized access.

9. Train your teams

You could spend $10M on a state-of-the-art cybersecurity system and still get hacked if your employees fall for a phishing scam. No matter which of these steps you choose to use, it’s absolutely critical that you train your employees on cybersecurity best practices so they don’t inadvertently click on a bad link that takes down your entire network. (Curricula is an excellent—and free—option for SMBs.)

Don’t click “remind me later.” Get started today.

The longer you wait, the greater your risk of a breach. Cybersecurity Awareness Month is a great time to make a few small changes that will yield big gains in your ability to protect your employees, your business, and your customers’ data.

With years of experience helping companies navigate the intersection of business and privacy, Red Clover Advisors has the expertise you need to maximize your cybersecurity dollars. Contact us today to get started.