Welcome to our Small Business Cyber Security Guide. Many small businesses are just starting out and don’t have the same resources large corporations have to protect their data. Not only do they likely not have the funds to support a diverse security program, but they also likely don’t have the people or the time.

Cyber criminals know that small businesses lack these resources and use this to their advantage. After a cyber attack, small businesses are often left far worse off than bigger companies. Your reputation is likely less established, so it can be swayed easily by a breach, and the upfront costs of an operational shutdown or a ransom payment will have a much bigger effect on a small business’s books. 

So, what should a small business prioritize with their limited budget, team, and time? Here’s everything we think small businesses should focus on in their cyber security program: 

1) Security awareness

Security awareness is your number one defense against cyber scammers. Security awareness is the training and education of your employees (and other stakeholders) on the importance of security.


Think of it this way: The more your team is knowledgeable about cyber attacks, the more likely they will be able to spot and stop them. By providing your team with cyber security awareness training, they become your first line of defense against cyber criminals. 

The most impactful way to conduct cyber security awareness training largely depends on your team. So, before designing your modules, talk with your team members. Are they tech-savvy? Would they prefer all the training at once or spread out? What worries them the most about cyber security? 

However, some topics should always be covered. We believe that these are essential in all foundational awareness programs:

  • Phishing 
  • Social engineering
  • Passwords & MFA 

As for format, interactive training is generally more engaging than passive slide decks and results in learning that sticks. Interactive awareness training uses psychological drivers, such as climbing a leaderboard, to motivate behaviour change. It also gives employees immediate feedback, allowing them to correct a wrong decision in the moment rather than weeks later. Small businesses that take advantage of interactive training can properly train their first line of defense without taking up too many resources.


If your small business needs quick and easy-to-implement awareness training, check out our Small Business Quickstart Bundle. Small businesses gain access to ten weeks of training on five different foundational topics for up to 25 employees.

2) Software

There is some essential software that every business should be running. Its appeal is that, once installed and set to update itself, it keeps working in the background with very little ongoing effort. It is worth the initial investment to avoid paying far more later to clean up after a breach. 

Antivirus software 

Antivirus (or endpoint protection) software can act as a part of your security team: it blocks, scans for, detects, and removes malware on your computers. It is not quite a one-time download, though. The engine and its detection signatures have to update automatically, or it will quietly stop recognising current threats. Once it is installed on all employee computers with automatic updates turned on, set it to scan on a schedule, so it regularly checks every machine for anything that made it past your employees’ awareness. 

Since you likely don’t have a big enough team to check every desktop regularly, let this software do it for you.

Firewall software

Turn on firewall software (there are some great free ones, and Windows and macOS ship with one built in) to protect your computers and network from outside intruders. A firewall monitors network traffic and controls what goes in and out according to rules you set. The host firewall on each computer protects that machine; the firewall in your router or office gateway protects the network as a whole. Make sure both are enabled and that only the services you actually need are allowed in from the internet. This is an essential investment for all businesses. 

Many small businesses also choose to work remotely to avoid workspace costs. If this is the route you have decided on, ensure that every remote employee has the host firewall enabled on their work computer and a firewall on their home network, since your office firewall no longer sits between them and the internet. 

3) Data protection

As a small business, it’s tempting to keep everything on Google Drive. But if a single Google password is guessed or phished and the account has no MFA, a cyber scammer has immediate access to all your data. In other scenarios, it could be internal employees with access to sensitive information leaking it, purposely or accidentally. 

Take into consideration which data needs the most protection (think financial information, customer and employee SINs, and passwords) and give it the highest priority on your security list. Consider keeping copies of these pieces of data off-network, on encrypted storage you physically control, such as an encrypted external drive kept locked away. Passwords in particular belong in a password manager, never in a shared document. Also, limit employee access to data they do not need, lessening the chance of internal or external leaks. 

While reorganizing your data, back it all up onto drives that stay disconnected from your network when not in use, so that even if your business does experience a breach or a ransomware infection, you aren’t desperate to get the data back. A backup you have never restored from is not yet a backup: test a restore periodically and check that the files come back intact. 
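The "test a restore" advice is easy to skip and painful to get wrong, because a copy nobody has checked may turn out to be incomplete or already encrypted. The Python script below is an added example, not part of the original guide or of Click Armor's product: it records a SHA-256 manifest when a backup is taken and later compares any copy of the data against it, reporting files that are missing, altered or unexpected. The directory layout, file contents and the simulated ransomware incident are all constructed for the demo.

```python
"""Record a hash manifest when a backup is taken and verify the copy later.

Added example, not from the original guide. Every path and file below is
constructed for the demo; the 'incident' is simulated in the same script.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, '/' separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(copy_root: Path, manifest: dict) -> dict:
    """Compare a copy of the data with the manifest recorded at backup time.

    Returns the files that are missing, altered (a ransomware-encrypted
    file still exists but its hash no longer matches) or unexpected.
    """
    current = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Back up constructed data, simulate ransomware on the live copy, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "payroll.csv").write_text("name,salary\nA. Smith,52000\n")
        (live / "customers.csv").write_text("id,email\n1,a@example.com\n")

        # 1. Take the backup and store the manifest with it. In real use the
        #    backup drive is then disconnected from the network.
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(live)
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # 2. Simulated incident: ransomware overwrites one file, deletes
        #    another and drops a ransom note.
        (live / "finance" / "payroll.csv").write_bytes(b"\x00ENCRYPTED\x00" * 8)
        (live / "customers.csv").unlink()
        (live / "README_DECRYPT.txt").write_text("pay us")

        # 3. The live data fails verification; the offline copy still passes.
        return {
            "live": verify_copy(live, manifest),
            "backup": verify_copy(backup, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest with the backup, not only on the live system: if the live machine is compromised, the attacker can rewrite any manifest stored there, but an offline copy of the hashes still tells you which backup is trustworthy.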

Free and easy security boosters

There are other quick, free, and easy security boosters any business can use to improve its security program: 

  • Casual security conversations: Organic security conversations are the number one signal of a healthy security culture. To increase these conversations, create a Slack #security channel where you share security news stories and answer questions. If your team isn’t on Slack, try sharing a news story in every weekly roundtable you have. By integrating security into everyday activities your employees become more aware of vulnerabilities and will have an easier time spotting attacks, making your security stronger. 
  • Passwords & MFA: A lot of cyber security incidents aren’t the result of “break-ins”; they’re just “log-ins”. Weak and reused passwords are the easiest way for cyber criminals to get into your accounts. Require all employees to use strong, unique passwords and back each one with MFA. These two things cost you no money and, with these simple password tips, very little time. 
  • Get leadership onboard: Although your leadership team is likely small (it may even just be one person), getting them on board will replace the hard work of a security marketing team. Instead of using communication strategies to reach your team and sell them the importance of security, use your leadership to communicate the message. If they speak highly of the importance of security, everyone else will follow suit. 
  • Don’t reinvent the wheel: Take into account what already exists inside your organization. What communication channels does your team use? What other training do they do? You might be able to take advantage of these things instead of starting everything from the ground up, saving you time and money. For example, if your team already meets in person every year to go over KPIs, consider taking advantage of the rented space by squeezing in a quick social engineering workshop. If your team already uses Slack to communicate, use some of the Slack ideas we’ve mentioned throughout the article. 
  • Keep systems up to date: Lastly, it’s important to keep all systems up to date, since attackers routinely exploit flaws for which a fix already exists. Turn on automatic updates wherever the software offers them, and consider a monthly “update day” where you send out reminders to all employees to take time to update anything that still needs a manual restart or approval. 
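The “Passwords & MFA” item above recommends backing every password with a second factor. The Python below is an added example, not part of the original guide or of Click Armor’s product: it implements the TOTP check (RFC 6238) that a login server performs against the six-digit code from an authenticator app, so you can see why a phished or guessed password alone is not enough. The shared secret and timestamps are the published RFC 4226/6238 test vectors, not real credentials, and the one-step clock-skew tolerance is an assumption about a typical deployment.

```python
"""Verify a time-based one-time password (RFC 6238 TOTP) the way a login
server does.

Added example, not from the original guide. The shared secret and the
timestamps are the published RFC 4226/6238 test vectors, not real
credentials; the one-step clock-skew window is an assumption about a
typical deployment.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # authenticator apps rotate the code every 30 s
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks the 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str,
                unix_time: Optional[int] = None, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or its neighbours (clock skew).

    hmac.compare_digest keeps each comparison constant-time so the check
    does not leak how many digits matched. Production code should also
    refuse to accept the same code twice within its window (replay).
    """
    now = int(time.time()) if unix_time is None else unix_time
    current = now // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, current + delta), submitted)
        for delta in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); at T=59 the
    # 8-digit reference value is 94287082, so the 6-digit code is 287082.
    secret = b"12345678901234567890"
    print(totp(secret, 59), verify_totp(secret, "287082", unix_time=59))
```

The takeaway for the policy: the secret is shared only once, at enrolment, and never typed at login, so an attacker who phishes or guesses the password still cannot produce the code. Real deployments also remember codes already accepted in the current window so a captured code cannot be replayed.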

Even with limited resources, a small business can still have a thriving security program. If you have the basics down, like security awareness, software, and data protection, then you are off to a great start! Top off your foundation with free and easy boosters like a #security Slack channel and MFA. Not only will this keep your data safer, but you’ll also sleep better at night knowing you’re protecting your business. 


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.