Cyber Guidance for Small and Midsize Businesses

Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to or (888) 282-0870.

Even a small business can be a prime target for threat actors. Any internet-connected computer or device is at risk of a cyberattack. In fact, cyber incidents have surged among small and medium sized business that often do not have the resources to defend against these devastating attacks. Amid heightened geopolitical tensions, CISA urges all business owners to implement a heightened security posture.

Whether you are small business owner or leader considering implementing a cybersecurity plan or already have one in place, CISA has tips and resources to meet all needs.


Tip #1: Practice Good Cyber Hygiene

  • Establish and enforce strong password requirements for all users and require multi-factor authentication (MFA) for all remote users and those with administrative access. 
  • Enable auto-update for software where possible. Where auto-update is unavailable or infeasible, prioritize updating applications that are accessible via the Internet. 
  • Consider using a Managed Security Provider (MSP) for many security services.
  • Consider using a Cloud Service Provider (CSP) to host your organization’s data, applications, and services. Particularly consider using a Software-as-a-Service provider for email and workplace productivity solutions, such a Google Workspace or Microsoft Office365.
  • Update applications that are accessible via the Internet.   

Tip #2: Train Your Staff 

  • Avoid phishing schemes by educating your employees about thinking before they click. More than 90% of successful cyber-attacks start with a phishing email. 
  • Ensure that resources are in place to identify and quickly assess any unexpected or unusual network behavior, whether via MSP or the organization’s own personnel device.  

Tip #3: Prepare to Respond If an Incident Does Occur

  • Assure availability of key personnel; identify means to provide surge support for responding to an incident. 
  • Develop a cyber incident response plan and conduct an exercise to ensure that employees understand their roles during an incident. 
  • Ensure that critical data is backed up. Test backup procedures to ensure that critical data can be rapidly restored and ensure that your backups are isolated from network connections. 

CISA Resources for Small and Medium Sized Businesses

CISA makes available several resources, at no cost, to organizes and businesses looking to improve their cybersecurity practices.

Cyber Essentials

CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Free Cybersecurity Tools and Resources

CISA offers a list of free cybersecurity tools and services that serves as a living repository of cybersecurity services provided by CISA, widely used open-source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.

Risk Management Considerations

For businesses and organizations, considering using a Managed Security Provider (MSP) for your security services, review CISA’s guidance on important risk management considerations.

Cloud Security

For businesses and organizations, considering using a Cloud Service Provider (CSP), review CISA’s guidance on cloud security.

CISA Cybersecurity Awareness Program Resources for Small Businesses

The CISA Cybersecurity Awareness Program links to several resources for small businesses including a social media guide, a cybersecurity for small businesses presentation, and an entrepreneurs tip card just to highlight a few.

As part of the whole-of-government approach to combatting ransomware, CISA also created, a one-stop-shop of free resources for organizations of any size to protect themselves from becoming a victim of ransomware.

Cybersecurity Resources Road Map

The Cybersecurity Resources Road Map is a guide for identifying useful cybersecurity best practices and resources based on needs.

Note to cybersecurity trainers and small business advisors:

To professionally print the Cybersecurity Resources Road Map at a print shop (trifold brochure) for distribution to businesses at training events and workshops, use this print shop version of the Road Map and these printing instructions.

Additional Resources


Was this webpage helpful?  Yes  |  Somewhat  |  No