Accelerating Our Economy Through Better Security: Helping America’s Small Businesses Address Cyber Threats


By Eric Goldstein, Executive Assistant Director for Cybersecurity

Our nation’s economic strength and future are grounded in the vitality and prosperity of America’s 33 million small businesses. Entrepreneurs and families across our country invest time, energy, and priceless resources in building and sustaining their businesses. With so much at stake and so much to do, it’s understandable that cybersecurity may not be a top priority for every small business and may be too expensive for those organizations that seek solutions. But criminal groups and other malicious cyber actors are constantly scanning for insecure organizations, and they treat every one they find as an opportunity.

As one example, thousands of small and medium businesses (SMBs) have been harmed by ransomware attacks. Small businesses are three times more likely to be targeted by cybercriminals than larger companies, and the total cost of cybercrime to small businesses reached $2.4 billion in 2021.

There are steps that we can take to address these risks, but we must take them together:

  • First, every owner or leader of an SMB should talk about cybersecurity to direct reports and to the entire organization. If you have regular email communications to staff, include updates on security program initiatives. When you set quarterly goals with your leadership team, include meaningful security objectives that are aligned with business goals. Security must be an “every day” activity, not an occasional one.

  • Second, SMBs must bear less of the cybersecurity burden. One major improvement is to eliminate services that are hosted in your own offices. We call these “on premises” or “on-prem” services; mail and file storage running on a server in your office space are typical examples. These systems require a great deal of skill to secure, and they require ongoing time to patch, to monitor, and to respond to potential security events. Few small businesses have the time and expertise to keep them secure, and CISA has seen repeatedly that organizations of all sizes struggle to keep up with the security and time commitments of running on-prem mail and file storage. The solution is to migrate those services to secure cloud versions, such as Google Workspace or Microsoft 365 for enterprise email. These services are built and maintained by world-class engineering and security talent at an attractive price point. Migration moves patching, backups, and infrastructure security to the provider; what stays with you is control over which accounts can sign in and how, which is why the next step matters. We urge all SMBs with on-prem systems to migrate to secure cloud-based alternatives as soon as possible.
  • Third, enable multifactor authentication (MFA) for all accounts and services. When you enable MFA for an online service (like email), you present two or more authenticators to verify your identity before the service grants access. Common forms of MFA are SMS text messages sent to your phone, 6-digit codes generated by a smartphone application, push notifications sent to your phone, and physical security keys. Users who enable MFA are far less likely to be hacked. Why? Because even if one factor (like your password) is compromised, an unauthorized user still cannot satisfy the second authentication requirement, which stops them from gaining access to your accounts. Any of these forms is far better than a password alone, but they are not equal: SMS codes can be intercepted through SIM-swap fraud, a flood of push notifications can trick a tired user into tapping “approve”, and a phishing site can relay a 6-digit code in real time. Physical security keys (FIDO2/WebAuthn) are phishing-resistant because the key only answers the genuine site it was registered with. Where a service offers it, prefer a security key or an authenticator app over SMS.
  • And finally, get to know your local CISA cybersecurity advisor and ask for help with a free Cybersecurity Performance Goals (CPG) assessment. These assessments are designed to help organizations of any size identify areas for near-term improvement, prioritized by cost, impact, and complexity.

For more helpful tips that every SMB can use to improve their cybersecurity posture, check out our SMB webpage: Cyber Guidance for Small Businesses.

While CISA is here to help SMBs make the most cost-effective and impactful investments to improve their cybersecurity, we also know that under-resourced organizations can’t secure themselves alone. That’s why the National Cybersecurity Strategy calls for a re-balancing of accountability in which those most able to bear the burden of cybersecurity are expected to take the necessary steps to drive needed change. Today, many technology products used by SMBs and organizations across sectors come out of the box with weaknesses that can be exploited by cyber criminals and lack the default security features that would help prevent intrusions. This model is unsustainable. As a country, one of the most important steps we can take to advance cybersecurity for SMBs is to rapidly evolve toward a model in which technology products are safe and secure by design and by default, as described in CISA’s recent guidance developed with our partners in the NSA, FBI, and six other countries. SMBs should be expected to take the fewest cybersecurity steps possible and rely upon those with the resources and expertise to bear the weight of the cybersecurity burden. That’s a recipe for a sustainable future, and one in which we all have a stake.

This Small Business Week, take steps to improve your organization’s cyber posture. You work hard to build a successful business, so don’t let any cyber attacker take that away. For more information and resources for small business, visit CISA’s Small and Medium Businesses page.