Celebrating Small Business Week: Cybersecurity Help for Small Businesses

There are more than 32 million small businesses in the United States, each one of them a representation of the great ingenuity, hard work, and passion that exemplifies our nation.

During my 25 years working at the Small Business Administration, and now leading our field force at CISA, it’s been my passion to help small businesses thrive. I’ve come to truly appreciate that small businesses are the backbone of the economy.

Sadly, small businesses are increasingly under threat by cyber bad actors. They face the challenge of integrating cybersecurity best-practices into their very specialized operations. So, in recognition of Small Business Week, I want to share tips that small businesses can use to strengthen their cyber posture.

Tip #1: Practice Good Cyber Hygiene

• Establish and enforce strong password requirements for all users and require multi-factor authentication (MFA) for all remote users and those with administrative access. 
• Enable auto-update for software where possible. Where auto-update is unavailable or infeasible, prioritize updating applications that are accessible via the Internet. 
• Consider using a Managed Security Provider (MSP) for many security services. Consider using a Cloud Service Provider (CSP) to host your organization’s data, applications, and services. Particularly consider using a Software-as-a-Service provider for email and workplace productivity solutions, such a Google Workspace or Microsoft Office365.

Tip #2: Train Your Staff 

• Avoid phishing schemes by educating your employees about thinking before they click. More than 90% of successful cyber-attacks start with a phishing email. 
• Ensure that resources are in place to identify and quickly assess any unexpected or unusual network behavior, whether via MSP or the organization’s own personnel device.  

Tip #3: Prepare to Respond If an Incident Does Occur

• Assure availability of key personnel; identify means to provide surge support for responding to an incident. 
• Develop a cyber incident response plan and conduct exercises to ensure employees understand their roles during an incident. 
• Ensure that critical data is backed up. Test backup procedures to ensure that critical data can be rapidly restored and ensure that your backups are isolated from network connections. 

Tip #4: Read and Use CISA’s Free Cybersecurity Resources

CISA makes available several resources, at no cost, for organizations and businesses looking to improve their cybersecurity practices. Here are a few:

• CISA offers guidance on important risk management considerations. 

• When adopting a cloud service, review CISA’s guidance on cloud security. 
• CISA’s Cyber Essentials guide helps small businesses owners and leaders just starting their journey to implement cybersecurity practices into their organizations.

• Review and use our list of free cybersecurity tools and services - a living repository that houses cybersecurity services provided by CISA, widely used open-source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.
• We also recommend following our 4 Things You Can Do To Keep Yourself Cyber Safe tips, reading the Bad Practices to avoid, and checking out our Cyber Hygiene Services.
• Lastly, small business owners should sign up for the National Cyber Awareness System to ensure that your business has access to timely information about security topics and threats. 

While ransomware and cyber attacks are on the rise among small and medium sized businesses, the good news is that these businesses can take steps NOW to avoid becoming a victim in the first place and lessen the impact if an incident does occur.

For more information, visit CISA’s small business webpage – cisa.gov/small-business - which includes specialized information and resources. If your business does fall victim to a cyber incident, you can contact CISA 24/7 at report@cisa.gov or (888) 282-0870.