Cyber Security for Small-Mid Size Businesses

February 1, 2022

Cyber-attacks are a growing threat for small businesses and the US economy. According to the FBI’s Internet Crime Report, the cost of cyber crimes exceeded $4.2 billion in 2020.

The most successful cyber-attacks typically utilize the same tactics used against individuals - social engineering, phishing, and exploiting weaknesses in your network protection. That’s why protecting your business requires strict control of information security and educating your employees.

This article will focus on common cyber security threats, understanding where your business might be vulnerable, and low cost resources available to small business owners.

While cyber-attacks are becoming much more sophisticated, surprisingly, the most common threats haven't changed much over the years and include:

  • Malware, or "malicious software," is an umbrella term that describes any malicious program or code that is harmful to computers, networks, servers, tablets, and mobile devices, often by taking partial control over a device's operations. Malware can include:
    • Viruses, which are harmful programs intended to spread from computer to computer (and other connected devices) and
    • Ransomware, a specific type of malware that restricts access to a computer, or an entire network, until a ransom is paid.
  • Phishing is a common cyber-attack that uses email, malicious websites, text messages, phone calls, phony apps, and social media quizzes to infect computers (and networks) with malware. Phishing schemes tend to be the starting point of a large percentage of successful cyber-attacks.
  • Data breaches, which occur when confidential user information is exposed. Small businesses are an attractive target for data breaches because hackers can access the business' own information in addition to any client information stored on its network.
  • Password attacks, in which a hacker attempts to steal a user's password, are on the rise because they are an effective means of gaining access to a network or account.

Best Practices

There are many steps you can take to protect your company from cyber-attacks.

  1. Secure your networks. Safeguard your internet connection by using a firewall (a set of related programs that prevent outsiders from accessing your data) and encrypting information. If employees work from home, ensure their home system(s) are protected by a firewall.
  2. Use antivirus software and keep it updated. Having the latest security software, web browser, and operating system is key to protecting your network. Make sure each of your business’s computers is equipped with antivirus and anti-spyware software. Configure all software to install updates, and run a scan after each one, automatically.
  3. Secure your files. Back up important files offline, on an external hard drive, or in the cloud. Make sure you store your paper files securely, too. Prevent access to business computers by unauthorized individuals - especially laptops, as they are easy targets. Set up a separate user account for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
  4. Require strong passwords and authentication. Employees should use unique passwords and change them frequently. (Many companies require password changes quarterly.) Consider using multi-factor authentication, especially with sensitive data. (According to the Verizon 2021 Data Breach Investigations Report, more than 61% of data breaches originate with user credentials, such as weak passwords.)

And arguably the most important step you can take to protect your business from cyber-attacks?

Employees and emails are a leading cause of data breaches. Training your employees can go a long way in preventing cyber-attacks. Topics to include in your training program:

  • The importance of password security and creating strong passwords
  • Identifying various threats like phishing, social engineering, and spam
  • Your company's email, internet, and social media policies
  • The protection of company data
  • How to identify and report cybersecurity threats
  • How to maintain good cyber hygiene

Provide online security training for all new employees, then update and repeat training regularly.

Password Dos and Don'ts

Password manager NordPass released their most common password list for 2021, and if you think a lot of the passwords look familiar, you're right.

2021 Top 10

1. 123456
2. password
3. 12345
4. 123456789
5. password1
6. abc123
7. 12345678
8. qwerty
9. 111111
10. 1234567

2011 Top 10

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
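The deny-list check behind requirement 4 above, as an added example that is not part of the original article: a Python policy check that rejects any password from the two top-10 lists quoted here, including obvious variants such as "P@ssw0rd" or "password1!", plus keyboard sequences and repeated characters. The 12-character minimum is an assumed policy value, not a figure from the article.

```python
import re

# Deny-list built from the two NordPass top-10 lists quoted above (2021 and 2011).
COMMON_PASSWORDS = {
    "123456", "password", "12345", "123456789", "password1", "abc123",
    "12345678", "qwerty", "111111", "1234567",
    "monkey", "letmein", "trustno1", "dragon",
}
MIN_LENGTH = 12  # assumed policy minimum, not a value from the article

# Undo the usual letter-for-symbol swaps so "P@ssw0rd" is compared as "password".
LEET = str.maketrans("@$0134!", "asoelai")

# Counting and keyboard-row sequences that people type as "random" passwords.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def variants(pw):
    """Spellings of pw to compare against the deny-list: lower-cased,
    de-leeted, and with any trailing digit/symbol suffix removed."""
    low = pw.lower()
    forms = {low, low.translate(LEET)}
    stripped = re.sub(r"[^a-z]+$", "", low)  # "password1!" -> "password"
    if stripped:
        forms.update({stripped, stripped.translate(LEET)})
    return forms


def is_sequence(pw):
    """True if pw is a run (forwards or backwards) of a known sequence."""
    s = pw.lower()
    return len(s) >= 4 and any(s in seq or s in seq[::-1] for seq in SEQUENCES)


def check_password(pw):
    """Return the list of policy violations; an empty list means pw passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hit = next((v for v in sorted(variants(pw)) if v in COMMON_PASSWORDS), None)
    if hit:
        problems.append(f"matches common password '{hit}'")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    if is_sequence(pw):
        problems.append("keyboard or counting sequence")
    return problems
```

In production the embedded set would be replaced by a full breached-password corpus; the variant and sequence checks stay the same.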
While protecting your network - and your company - from cyber-attacks might feel daunting, there are quite a few resources available to you, and you don't have to be an IT professional to take advantage of most of them. Best of all, many of these resources are available to small businesses at no cost!

  • Cybersecurity & Infrastructure Security Agency – works with partners to defend against today’s threats and collaborates to build a more secure and resilient infrastructure for the future
    • Cyber Resilience Review (CRR) – a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices
    • Resources for Small and Midsize Businesses (SMB) – includes Cyber Essentials (a guide for leaders of small businesses as well as leaders of small and local government agencies) and the Cybersecurity Resources Road Map, a guide for critical infrastructure
  • National Cybersecurity Alliance – a non-profit organization on a mission to create a more secure, interconnected world, which offers
    • CyberSecure My Business™ – a national program helping small and medium-sized businesses (SMBs) learn to be safer and more secure online
    • Resources Library – tip sheets, videos, free online courses, infographics and more to help you put together an employee training program
  • National Institute of Standards and Technology Small Business Cybersecurity Corner – where you can get cybersecurity basics, guidance, solutions, and training to protect your information and manage your cybersecurity risks
  • Stop. Think. Connect. – a global online safety awareness campaign to help all digital citizens stay safer and more secure online
    • Their Resources Library includes posters, tip sheets, videos, research, and blog articles

The views, information, or opinions expressed in this article are solely those of the author and do not necessarily represent the views of Citizens State Bank and its affiliates, and Citizens State Bank is not responsible for and does not verify the accuracy of any information contained in this article or items hyperlinked within. This is for informational purposes and is in no way intended to provide legal advice.