Top 5 cybersecurity questions for small businesses answered

August 20, 2022 by Jack Koziol for Forbes Advisor

As the owner of a small or medium-sized business, you know the importance of protecting your employees, your customers and your brand against cyberthreats. But with so many daunting headlines about ransomware, questions from customers about data privacy and security and ever-evolving technology, it can be difficult to know where to begin.

Unfortunately, failing to take action is not an option. Based on Verizon’s 2021 Data Breach Investigations Report, 43% of online attacks target small businesses, and more than half of the businesses attacked end up with a confirmed breach. In an incident’s wake, businesses face average remediation costs of around $200,000, which is enough to push about 10% of them out of business in the months that follow.

So what can small and medium-sized businesses (SMBs) do to fight back and protect their business and data? To help, I’m answering some of the most common questions I hear from fellow small and medium-sized business owners.

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

1. What are the biggest cybersecurity threats for SMBs right now?

In today’s increasingly connected world, SMBs can no longer hide in the digital noise made by bigger players in the market. In fact, SMBs face the same cybersecurity threats as those making national headlines.

In particular, ransomware continues to wreak havoc, threatening the availability of a business’s data unless a ransom is paid to unlock it. Unfortunately, a ransomware infection is often the result of another major threat to SMBs, social engineering, which uses phishing techniques to manipulate a legitimate user into sharing confidential information or credentials with a criminal.

Many businesses also fail to put proactive maintenance of their systems, applications and hardware on their priority list, allowing criminals to exploit publicly known vulnerabilities for which patches already exist in order to gain unauthorized access to the network.

2. Do I have to have a designated information security expert on staff or a third-party trusted information security and risk advisor?

Whether your business relies on an internal IT employee or a third-party provider for security depends on several factors. Chief among them are the qualifications, skills and knowledge that your in-house IT professional has about cybersecurity and your business’s threat environment.

However, given the range of technology that your business uses each day, the security policies that need to be implemented and updated, and the wide range of existing solutions and services out there made for businesses such as yours, bringing in an external team may be worth the investment in the long run. This can also allow your in-house IT team to focus on more strategic business initiatives.

3. How much should we be spending on information security-related tools and controls?

The answer to this question depends on your industry, regulatory requirements, company size, customer expectations and even your business’s appetite for risk. What is more certain, however, is the fact that it is usually less expensive to prevent a cyberattack than it is to recover from the financial and reputational costs of one.

As one data point, Deloitte found that the average company spent about 11% of its IT budget on cybersecurity, or about $2,700 per full-time employee per year. The same study found that the largest elements of those budgets were, in order, threat monitoring, endpoint and network security tools, and identity and access management solutions.


4. How much training should we be giving our employees and where should we start?

Even before the dramatic shift toward remote work arrangements and the use of digital services to connect with customers, employees were on the front lines of their business’s cybersecurity.

Although security technology keeps improving its ability to filter out most threats, it will never stop every risk from reaching the employees who are so often the target of cybercriminals. This is where security awareness and other training can empower your employees and give them the tools to play their part in your cybersecurity strategy.

Begin by providing a foundation of strong security practices: password management, the use of secure networks, phishing awareness and each employee’s role in incident response. Then build out the processes to regularly reinforce that knowledge and emphasize their role in protecting your business’s customers, brand and even their colleagues.

5. How should we respond if we’re breached or experience a cyberattack?

CyberCatch found that 30% of SMBs do not have an incident response plan to call on in the event of an attack.

While there is no universal approach, here are some key elements that should help to get your own incident response plan started:

  • Work to identify the extent of the breach or attack and contain the threat so it cannot spread. This may mean isolating part or all of your connected systems and cutting over to backup systems if they are in place. Where possible, disconnect affected machines from the network rather than powering them off, since a power-down destroys the in-memory evidence a forensics team may later need.
  • Contact any related service providers and, depending on the event, local and federal law enforcement and relevant regulatory bodies.
  • After containing the threat, begin to assess the impact, the initial cause and any consequences for employees or customers. An outside incident response or forensics team may be needed.
  • Begin to recover from the attack by prioritizing repairs, updating stakeholders and implementing new controls to prevent a recurrence.

Bottom Line: A Focus on Continuous Improvement

Between balancing human resources challenges, developing marketing strategies and handling day-to-day budgeting and operations, SMB leaders have plenty on their plates.

Fortunately, there are a lot of resources out there to help SMBs learn more about the best practices and tools they can employ to strengthen their organization’s cybersecurity. Good places to start are the U.S. Department of Homeland Security tier-based road map, CISA’s SMB Toolkit and its list of related resources, and the online and in-person events sponsored by the National Cybersecurity Alliance.

Ultimately, it is important to remember that cybersecurity isn’t a one-and-done exercise; it’s a continuous journey that SMB owners and their employees will be taking together.



Jack Koziol for Forbes Advisor

Jack Koziol is the former president and founder of Infosec, a leading security awareness and anti-phishing training provider. With years of private vulnerability and exploit development experience, he has trained members of the U.S. intelligence community, military and federal law enforcement agencies. His extensive experience also includes delivering security awareness and training for Fortune 500 companies including Microsoft, HP and Citibank. Jack is the lead author of The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. He also wrote Intrusion Detection with Snort, a best-selling security resource with top reviews from Linux Journal, Slashdot and Information Security Magazine. Jack has appeared in USA Today, CNN, MSNBC, First Business and other media outlets for his expert opinions on information security.