How to Create a Small Business Cyber Security Plan

In 2021, SonicWall registered more than 623 million ransomware attacks globally and more than 442,000 pieces of new malware. What’s your plan to ensure your small business is ready to fight this digital tsunami of cybercrime? Don’t become another statistic — discover how to create a cyber security plan in six easy steps

Do you think your business is too small to fall victim to a cyber attack? If your answer is yes, think again. In 2021 alone, 52% of the small businesses surveyed by Devolutions said they experienced at least one cyber attack. 10% of those respondents have been attacked more than 10 times over the same year!

This is easy money for a hacker attacking several small companies, knowing they usually have limited resources to invest in cyber security. In some cases, it increases the chances of success tenfold compared to trying to breach into a big corporation that has probably invested hundreds of thousands of dollars in security.

Don’t get caught off guard. Learn how to create a small business cyber security plan in six easy steps that will protect your reputation, organization, and customers’ data. Explore our suggestions to build your very own small business cyber security plan template. Because as Jason Wurst, vice president of Tele-Solutions-Inc (TSI) recently highlighted in an interview, you’re never too small for a cyber attack. Small businesses, when targeted en masse, can be very profitable for attackers.

What Is a Small Business Cyber Security Plan?

If you’d ask your small grocer down the street if he has a cyber security plan, he’d probably look at you with a puzzled expression. However, accepting credit and debit card payments and handling customer data make him also at risk of attacks. That’s why all businesses offering card payments must comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

In fact, point-of-sale systems (POS) are increasingly being attacked as malicious actors can easily get immediate access to valuable information like card numbers and personal identification numbers (PINs). A six-year study by Verizon shows that small and medium businesses account for 55% of payment card data breaches. And it doesn’t stop here. According to Sophos, 44% of retailers experienced a ransomware attack in 2020. The average ransom paid by small retailers was more than $107,000.

In some ways, this is understandable. For small and family businesses, cyber security is often considered something too much of a complex topic. It’s always too something — too resource-demanding, expensive, and time-consuming. Thus, it usually ends up being ignored or pushed to the bottom of the priority list for many entrepreneurs. Understanding your risks and knowing how to stop them (or at least minimize them) could save you a lot of money if, and when disaster strikes.

This is where the small business cyber security plan comes in. It’s a document containing best practices, policies, and procedures to protect your business from internal and external threats like malware, data leaks, and other attacks. Having a well-thought out small business cyber security plan will help you:

• Prepare for the worst. By providing you a small road map to help you navigate a breach and limit the damage.
• Be compliant with standards and regulations. Data privacy, and card payments standards, are just a couple of examples of industry regulations that even the smallest business has to observe. We’ll talk more about all this in a minute.
• Show your customers that you care. Customers will trust you more if you demonstrate that you take data protection seriously.

Let’s get started then and check out the six steps to follow to build your tailored, small business cyber security plan template that you can start using today!

How to Develop Your Small Business Cyber Security Plan in 6 Steps

Before we start: cheer up, this won’t take weeks to complete. You’re a small business. You don’t need a three-volume set cyber security plan as detailed as Dante’s Divine Comedy. Follow the steps listed below and you’ll get it sorted in a few hours. And once it’s done, you’ll just have to update and refine it now and then.

Is it still too much? To make things even more practical and easy, we’ve also summarized the steps in the table below.

Steps to Create a Small Business Cyber Security Plan Template	Examples
1. List Your Digital Assets	Computers and mobile devices.Network infrastructure. Databases and customers’ information. Software.
2. Identify Your Vulnerabilities	Malware.Poor or non-existent encryption.Unsigned or unencrypted emails.Weak credentials.Misconfiguration. Outdated or unpatched software.Unsigned software.Employees negligence/misconduct.Poor security training.
3. Determine Compliance With Laws and Regulations	The California Consumer Privacy Act (CCPA). The EU General Data Protection Regulation (GDPR). The EU payment service directive (PSD2).The Payment Card Industry Data Security Standard (PCI DSS).
4. Create a Risk Assessment Chart	Identify the most important aspects of your business and their related threats. Evaluate their risk level. Identify the threats your business could face.
5. Outline Security Policies to Mitigate Risks	Keep your software and operating systems up to date and patched.Encrypt all your web communications.Sign and encrypt your emails with a digital certificate. Encrypt stored credentials and don’t allow default or common passwords.Install and sell only signed software.Manage your employees’ access privileges.Train your employees.
6. Build Your Plans	Incident Response Plan. Business Continuity Plan. Disaster Recovery Plan.

1. List Your Digital Assets

Do you know what digital assets you have? In simple words, these assets represent everything your business owns with some economic value. Generally, digital assets can range from PDF documents to photos and data. As we’re focusing on cyber security in this article, we’ll restrict our list to IT-related assets.

Ensure you create a comprehensive list of your small business IT assets, decide which ones are the most important and identify the most vulnerable ones. As an example, let’s take a small software company developing restaurant management software and check out a few of the IT and digital assets it may have on its list.

• Computers, mobile and IoT devices. Desktops, laptops, smartphones, wireless cameras and smart thermostats. They’re all company assets. Even the smallest business has at least one of them and guess what? They’re all at risk of attacks.
• Network infrastructure. In other words, this term refers to the hardware and software powering your network. Think routers, servers, network cards, DNS, and firewalls — they’re all examples of (potentially) vulnerable network infrastructure.
• Databases and customers’ information. Including the databases storing your passwords and sensitive customer data like credit card numbers, bank account numbers, and email addresses.
• Software. This includes all the software used by your business, like operating systems, applications, anti-virus, and browsers. 

Got it? Once you’re listed your assets, you can move on to the following step.

2. Identify Your Vulnerabilities and Potential Threats

To create an effective line of defense, you must have a clear idea about where you need to focus on. Now that you know your assets, you should be able to map out your vulnerabilities and exactly identify where your business is most exposed to threats and threat actors.

To help you to get started, we’ve prepared a list of some of the most common vulnerabilities and small businesses threats:

• Malware. Are you and/or your employees using your own personal devices for work? Many small businesses take this approach as it saves them some money. However, it also increases the risks of malware attacks caused by malicious downloads for example.
• Poor or non-existent encryption. If you’re selling your products online (like the small software company developing restaurant management software mentioned in the previous point), allowing your website to transmit information unencrypted (i.e., via the insecure hypertext transfer protocol, HTTP) or by using a weak encryption algorithm can be a devastating error. It won’t only put off your customers by showing a warning sign saying, “insecure connection,” it’ll also put your business at risk of man-in-the-middle attacks (we’ll talk more about it in the next section). And both of these issues can cost you dearly in terms of reputational harm and financial damages (direct and indirect). Malicious actors can intercept unencrypted content and you could even be in violation of data protection and privacy laws.
• Unsigned or unencrypted emails. In today’s world, email is used everywhere to do nearly everything from online shopping to sharing sensitive documents and information via private exchanges. Would you send your credit card details on a postcard through the United States Postal Service (USPS)? Of course not. Sending unsigned or unencrypted emails represents more or less the same risk, even if you’re sending them to a trusted colleague or institution.
• Weak credentials. Did you know that Proofpoint says the cost of credential theft to organizations increased 65% in 2021? And that stolen credentials are one of the top factors motivating an attacker? Securing your sensitive information with weak or recycled passwords is setting a feast for hackers who can use them to gain access to your intellectual property, settings, and sensitive information. Examples of some poor password practices include:
  • Using the same passwords again and again.
  • Choosing a common password (12345678 anyone?).
  • Storing passwords as plain text.
  • Relying on deprecated or weak algorithms to secure password data in transit.
  • Infrequently changing your passwords. 
• Misconfiguration. Number five on the OWASP 2021 security vulnerabilities list, a simple security configuration mistake could put at risk your whole system or data. Small businesses sometimes don’t pay a lot of attention to whether default accounts are still enabled or if everybody has the same levels of permissions or access. Another aspect that cannot be underestimated. Default accounts could include well know usernames and passwords making them easy prays for hackers. While failing to implement a form of access control (e.g. principle of least privilege where each user can’t act outside the permission needed to perform a task or a specific job) could lead to unauthorized access to sensitive information.
• Outdated or unpatched software. I get it. Spending time and money to keep all your software patched and up to date can be a challenge, especially when you’re a one-man (or woman) show. However, I’ll never forget that day when, on holiday, I needed to check my email on the hotel’s shared computer. It was only four years ago, but the computer had still Windows XP (yes, you’re reading it right) on it. I ended up checking my email elsewhere. Now, hopefully, you’re not using XP for your business, but if you don’t have a regular patch and updates installation routine, this point should be on your vulnerabilities list.
• Unsigned software. Are you or your employees downloading or installing unsigned software? If this is the case, you’ve probably already seen the “unknown publisher” warning message. Why is this a risk? Because if the software doesn’t have a valid code signing certificate, you can’t verify its integrity and the identity of the vendor. What if the file is infected with malicious code or a hacked version replaced it?

• Employees negligence/misconduct. With 82% of breaches involving human errors, social attacks, and misuse, you’ll probably want to add this point to your list. No matter how strong your defense is and how many employees you have, threats can be introduced into your company in a breeze and without being noticed. Posting sensitive information on social media without thinking, giving away credentials, and clicking on dodgy links. All these actions can end up in a data breach faster than you think.  I remember that one of my former colleagues posted the password of a database, including customers’ sensitive information, on Slack. OK, it was well-meant, but what if a malicious third party had access to that internal chat?
• Poor security knowledge. This is somewhat linked to the previous point. Are your employees aware of cyber security risks? Do they know how to protect your data (both IP and customer’s sensitive information)? Are they aware of internet security policies? Do they change regularly their passwords? These are just a few of the questions you should ask yourself to assess the severity of this last threat.

These are just a few examples of the range of threats small businesses could face. As a business owner, you’re the only one who can select and prepare your personalized threats list. Think about it, discuss it with your employees, and get ready to move on to the next point.

3. Determine Compliance With Laws and Regulations

If you run a business, even as a freelancer or part-time worker, you have to comply with some specific laws and regulations. Therefore, before you start to prioritize assets, assess your vulnerabilities, and think about remediation, you’ll first have to figure out which standards and regulations your business has to abide by. Do you already know? Good. Make sure you also understand how those standards will affect the remediation that’ll be part of your small business cyber security plan. Do you think you forgot something? Check out our list below with the most common laws and regulations that could impact small businesses.

• California Consumer Privacy Act (CCPA). What business isn’t dealing with customers’ personal information in one form or another? If you’re dealing with customers in the state of California (United States), you’ll be required to properly encrypt all customers’ data to avoid data leaks and breaches.
• EU General Data Protection Regulation (GDPR). Are some of your customers located in Europe? Then you’ll also have to protect their sensitive information in transit. How? Using website security certificates and strong encryption can help.
• EU Payment Service Directive (PSD2). Also, related to Europe requires PSD2-compliant digital certificates and two-factor authentication to ensure safe online payments.
• Payment Card Industry Data Security Standard (PCI DSS). Regulating all businesses collecting or processing credit card information in the United States.

Check the Federal Trade Commission’s (FTC) page to learn more about privacy and security compliance for businesses in the U.S.

4. Create a Risk Assessment Chart

Now that you have a list of the following for your business:

• Assets,
• Vulnerabilities, and
• Laws and regulations to comply with

It’s time to put together the pieces of the puzzle. Start building a risk assessment chart by:

• Identifying the most important aspects of your business and their related threats. Take your asset and vulnerabilities list and try to answer the question: “What are the most important risks to my business?” The answer will help you select and prioritize your assets and vulnerabilities to include in the chart.
• Evaluating their risk level. Review the vulnerabilities and assets you’ve entered in your chart and evaluate their potential risk one by one. Keep it simple. Use a risk scale-like low, medium, and high. The question to ask yourself is, “Which level of risk represents it?”
• Identifying the threats your business could face. The question to ask yourself here is, “What could happen if I don’t address this risk?” As an example, think about relying on weak encryption algorithms. Storing or transmitting sensitive data using encryption methods that are easily broken could result in costly data breaches and non-compliance fines and penalties.

To help you pinpoint the potential threats, we’ve put together a list of the most common ones. Later in this article, we’ll talk about possible solutions for the following threats:

• Ransomware. One of the most prominent and feared types of malware. Once a device is infected, all user’s files will be encrypted by the attacker. If the user wants to get his access back, he’ll have to pay a ransom (usually a lot of money).

• Man-in-the-middle attacks. In this type of attack, an attacker hijacks a session or data transfer between two parties and poses as one of the two users without the other knowing it. It’s usually possible because the parties are relying on weak or nonexistent encryption. Transmitting data via an insecure connection enables the malicious actor to access and manipulate sensitive information like credentials, account details, or credit card numbers in real-time.
• Distributed denial of service (DDOS) attacks. Often caused by out-of-date code. A hacker overwhelms a targeted website or server with traffic using a botnet (a network of infected devices). The website crashes and legitimate users are unable to access it (e.g., denied message).
• Phishing attack. The attacker sends an email posing as a reputable source (e.g., by forging their email address) that includes a malicious link or an infected attachment. The email is designed to look like it’s coming from a legitimate company, but since the email message isn’t digitally signed, the user can’t easily verify its authenticity. However, when the user clicks on the link or downloads the attachment, the damage is done. Sensitive information gets stolen or their device becomes infected with malware.

• Structured query language (SQL) injection. Malicious code is injected into a vulnerable web application so that the hacker can access sensitive data such as:
  • Customers’ email addresses.
  • Sensitive company’s data.
  • Whole databases.
  • Customers and users’ credentials.
  • Credit card details, just to name some.

In the case of credentials, the consequences of this kind of attack could be much worse if the stolen accounts are configurated so that they have access to everything rather than limited access.

• Brute force attack. The attacker creates a list of guessed user IDs and password combinations and tests them on various websites and web apps until they find sets that match.  Are your passwords weak or easy to guess? Then your chances of becoming the victim of a successful brute force attack are even higher.
• Credential stuffing. Another form of brute force attack where the attacker uses known credentials (e.g., stolen, leaked or phished) and tests them on different websites and web apps’ login forms. Are you sure that your password hasn’t been stolen? Good. However, make sure you don’t post your passwords, user IDs or hints to your credentials on social media — not even in private chats (yes, it does happen).
• Drive-by-downloads. The malicious hacker exploits outdated or unpatched apps, operating systems, or browsers to embed malicious code and infect devices. And the user doesn’t even have to click on download to enable the attack — they could simply visit an infected site, for example.

The last information to include in your risk assessment chart is the solution. And this is the next step in creating a small business cyber security plan template.

5. Outline Security Policies to Mitigate Risks

This last column of your small business cyber security plan should answer the question, “How can I secure my business to avoid, or at least minimize, the risk that each listed threat will happen?” In other words, you’ll have to figure out potential countermeasures and solutions for each risk you have identified.

As an example, let’s try to list the possible measures that could protect your business from the vulnerabilities and threats listed in the previous point:

• Keep your software, devices and operating systems up to date and patched. Always ensure that you have installed the latest updates and patches, including your third-party plugins and libraries. Don’t download any updates from unknown or unverified sources. This measure will help you address the risk of:
  • Ransomware,
  • Malware,
  • Data breaches
  • DDOS attacks, and
  • Drive-by-download attacks.
• Encrypt all your web communications. If you haven’t done it yet, invest in a website security certificate (SSL/TLS certificate) issued by a certificate authority (CA). I know that as small business money is tight. Don’t worry though, even the cheaper organization validation certificate (OV) will do the job and it won’t cost you an arm and leg. It’ll ensure you’re compliant with the previously mentioned laws and regulations and it’ll protect you and your customers from:
  • Ransomware,
  • Malware,
  • Data breaches, and
  • Man-in-the-middle attacks.

• Sign and encrypt your emails with a digital certificate. An email signing certificate will enable you to sign and encrypt your emails and attachments. How? By using your recipient’s public key. To decrypt the message the recipient will use his private key. This way when you send an email to your employees or customers, they’ll know that the message is authentic and hasn’t been altered. Signing and encrypting your emails (above all when containing sensitive customers’ data) will help you comply with some data privacy and security rules and regulations. It’ll also protect your business and customers from:
  • Ransomware and malware (in case of malicious attachments),
  • Data breaches (e.g., due to employee negligence, poor security training, and more), and
  • Phishing attacks.
• Don’t store credentials and don’t allow default or common passwords. If we would have to list all the measures you could take to protect your passwords we would probably end up writing a few volumes. As we’re talking about small business, let’s keep it simple but smart.
  • Store only the salted password hash value (a string of random alphanumeric characters added to the password), never the password itself.
  • Avoid common passwords.
  • Align password characteristics with the National Institute of Standards and Technology (NIST)’s guidelines (section 5.1.1).

These actions will effectively protect you from:

• Brute force attacks,
  • Rainbow tables attacks (password hashes cracking method), and
  • Stolen credentials (i.e., data breaches),
• Install and sell only signed software. Are you a software development company? Then make sure you always digitally sign the software and executables you’re selling with a code signing certificate. The certificate will confirm your end user that the file or code it’s genuine and hasn’t been tampered with. Do you or your employees regularly download apps and codes from the internet? Always check if the software is signed and teach them how to do so. It’ll minimize the risk of:
  • Installing malware, and
  • Falling prey to a ransomware attack.
• Manage your employees’ privileges. One of my first jobs was a shop cashier. I remember that when I needed to cancel a transaction or do a refund, I always had to call my supervisor. She was the only one who had the right permission level to do those kinds of operations. Why? Because it was safer than giving me unilateral access and control of all transactions. (It’s like requiring the use of two separate keys controlled by two military operators for nuclear launch sequences.) The same goes for employees’ access to systems, databases, and apps. Apply the least privilege principle (users have the minimum rights necessary to do their job) and your organizations will be safer from:
  • SQL injections, and
  • Other authentication-related attacks.
• Train your employees. Knowledge is power. Train your employees on security, and teach them best practices, guidelines, and rules. Make them aware of the consequences of negligence and human error because mistakes will happen. It’s not a matter of if but when. So, if everyone knows the dangers, how to avoid them, and how to respond to security issues (or suspected ones), your business will be more secure.

Do you want more tips and ideas to help you outline your security policies? The resources below offer plenty of information specifically tailored to small businesses:

• Federal communication commission (FCC) cyber security for small businesses page
• Cybersecurity and infrastructure security agency (CISA) awareness program small business resources page
• NIST small business cybersecurity corner
• CISA stop ransomware page
• Federal Trade Commission (FTC) start with security guide for business
• SANS security policy templates

6. Build an Incident Response Plan

Yes! Your risk assessment chart is now complete (including the security policies to minimize risks). You’ve now reached the last step to help you create a small business cyber security plan. Now, it’s time to think about what you’re going to do in case the worse happen. How? By preparing three key plans that’ll enable you to keep your business afloat.

Incident Response Plan

An incident response plan is what you’ll use immediately after being hit by a cyberattack. It’ll basically tell your team what to do when things go wrong. To create this plan, you’ll use your risk assessment chart. Make sure your plan includes at least the following:

• Incident definition. Usually, a checklist that’ll help you determine if you’re facing an incident and what type (e.g., malware infection, data breach).
• Actions. A list of actions to take and procedures to follow (e.g., in case of an infected device, isolate the device from the network) depending on the level of criticality.
• Roles and responsibilities. In other words, who does what in case of a security incident? Once the roles are established, make sure you also rehearse responses so that if and when something happens, everyone is familiar with what they have to do. You don’t want to test procedures for the first time while the house is on fire for real.
• Reporting procedures. How is the incident going to be reported? Through which channels?
• A communication plan. How are you going to inform your customers and internal teams about the incident? You can even create some example incident response templates ahead of time you can use as general guidelines, so you don’t have to start creating your messaging from scratch in the midst of an incident.
• Disclosure procedures. Prepare a checklist that includes any legally required disclosures to the public or regulatory authorities.
• Lesson learned. Describe the steps to follow once the incident is resolved to avoid this happening again (e.g., lesson learned meetings).

Business Continuity Plan

Even if you’re in the middle of an incident, “the show must go on.” To reduce the impact of a cyberattack, you need to know how you’re going to keep the business running. Always start from your beloved risk assessment chart:

• Identify critical operations. Identify the critical operations of your business (e.g., what must keep on running no matter what?).
• Identify resources. Determine the minimum resources needed to work on the incident while maintaining the identified critical operations up and running.
• Create an action plan. Prepare an action plan for each critical operation you have identified to enable you to keep it running with the minimum resources designated. Don’t forget to outline who is responsible for what resources.

Disaster Recovery Plan

Well done! You survived the attack and things are calming down. But your work isn’t done yet. You still have to return to business as usual and recover from the damage caused by the attack. Let’s see some key points that should be included in a disaster recovery plan to help you bounce back stronger than ever:

• Analyze the incident. Assess consequences, determine the root cause of an incident through analysis and lessons learned, and understand its impact.
• Remove the threats. Highlight the steps to follow to remove the identified vulnerabilities and the threats that caused the incident.
• Recovery action plan. List procedures to follow to get your business back to its feet as soon as possible and reduce the likelihood of a new occurrence.

This should have given you enough ideas to help you build your plans. If you want to know more, you can also check the following resources:

• Data Breach Response Guide for Business
• Responding to a Cardholder Data Breach (a how-to-guide for incident management)
• Guide for Cyber Security Event Recovery
• Global Security Alliance (GSA) and MasterCard Small Business Cyber Security Toolkit

Before we get to a close, let’s see why a cyber security plan is so important for small businesses.

Why Is a Small Business Cyber Security Plan Important?

Cyber security incidents can be really overwhelming for small businesses. Being prepared will help you sleep better and prevent your business from sinking or going completely out of control during an attack.

A cyber security plan won’t protect you from all types of attacks, but it can help significantly mitigate the impact and costs associated with attacks. In addition to the benefits already listed in this article, having a small business cyber security plan in place also:

• Enables you to spot potential attacks quickly.
• Improves your responsiveness saving you time, and money, and minimizing impact and losses.
• Helps you discover vulnerabilities in your business that you didn’t know existed.
• Increases customers’ trust by showing your commitment to keeping their sensitive data safe.

Final Thoughts on How to Create a Small Business Cyber Security Plan

As data breaches are becoming more frequent, having an effective, well-prepared small business cyber security plan is something your business can’t do without anymore. Now that you have everything you need to create one, all you have to do is start working on it.

Yes, being a small business means you’ll probably have limited resources and personnel. However, even a short cyber security plan covering the key areas highlighted in this article will go a long way in keeping your business protected.

Because when it comes to cyber security, it isn’t about if, but rather when an incident will happen. Be cyber smart. Prepare your business against cyber threats and have a plan in action for how to get your business back into operational form when things go wrong.