The Essential Guide to Cybersecurity for Small Businesses

There’s a serious disconnect happening right now in the world of cybersecurity. Despite the fact that small businesses are more frequently targeted for cyberattacks, they’re also among the least prepared.

That may explain why one study found that as many as 60% of small businesses closed their doors within six months of a successful cyberattack.

But why is this happening? It’s no secret that the frequency and the expense of cyberattacks have grown year after year. If small businesses aren’t prepared, it’s not because they’re not aware of the threat.

Rather, we believe this phenomenon is the result of multiple factors putting small businesses in a difficult situation:

1. First, the owners and decision-makers of small businesses tend to wear too many hats. Rather than having a dedicated technology officer, cybersecurity may fall to someone filling multiple roles and inadvertently be given short shrift.

2. Budget is another concern. Even for small businesses that make a point of investing in cybersecurity, it can be difficult to know what has real value. Which processes, technologies, and services offer real protection, and which are a waste of money?

3. Finally, there’s the question of prioritization. If you’ve never implemented a cybersecurity plan before, where do you begin? What are your “must-haves,” and what measures can wait? The uncertainty can lead to a kind of paralysis by analysis as small business leaders try to sift through the options.

That’s why we’ve created this guide. We’re going to walk you through the threats to your business and where you might be exposed to the most risk.

We’ll also help you understand not just how much you should budget for cybersecurity, but also what measures are worth the investment. 

Finally, we’ll suggest a solution that can help your small business stay protected without blowing your budget.

Ready? Let’s get started!

Chapter 1: The Cybersecurity Threats to a Small Business

When news of a cyberattack hits the headlines, it’s usually a high-profile incident. Companies like Target, Equifax, and Microsoft have all been the victims of security breaches. And that’s probably not surprising — it only makes sense that attackers would choose high-profile, high-revenue businesses that can afford to pay ransoms and which often hold tremendous amounts of sensitive (and potentially lucrative) data.

But to think attackers only (or even primarily) target giant corporations would be a dangerous mistake.

Small businesses are also frequently victims of this kind of crime, with often more devastating effects. While the Microsofts of the world may be able to absorb the financial hit of a cyberattack, small- and mid-size businesses can’t.

It’s not hyperbole to say these attacks represent an existential threat to your business. And unfortunately, a lot of business owners are realizing their well-meaning choices can actually increase their risk.

How are you putting your small business at risk for cyberattacks?

First, understand it’s not a question of if you’ll be the victim of a cyberattack; rather, it’s a question of when. One widely cited industry estimate put ransomware alone at a new attack every 11 seconds and more than $20 billion in damages in 2021.

What accounts for businesses being so vulnerable?


Inadequate Training

When your people aren’t properly trained in cybersecurity, it leaves you in serious danger. By most estimates, more than 90% of successful cyberattacks begin with phishing, a practice that requires the participation of you and your employees to be successful.

Why do so many people fall for phishing schemes? It’s not because they’re stupid or don’t know any better; it’s simply a lack of proper training. Today’s cybersecurity threats are persistent and subtle; your employees need cybersecurity training that’s ongoing and up to date, making it much easier for them to act as your first line of defense.
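The things a trained employee is taught to look for in a suspicious message are concrete enough to automate. The script below is an added example, not part of this guide or of any Ntiva tooling: it runs a few of the same indicators a person would check (a brand name in the display name that does not match the sending domain, a Reply-To pointing somewhere else, a link whose visible text names one site while the real target is a raw IP address or a different host) over a constructed sample message, using only the Python standard library. The brand list, both sample messages and the indicator names are assumptions made for the example.

```python
"""Heuristic phishing indicators over a raw RFC 5322 message (Python stdlib only).

Added example for the training section; not code from the guide or from Ntiva.
"""
import email
import ipaddress
from email import policy
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for the example; not real captures.
SAMPLE_PHISH = """\
From: "PayPal Support" <alerts@paypa1-secure.com>
Reply-To: recover@mail-verify.ru
To: owner@example-smb.com
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is limited. Sign in now to restore access:</p>
<a href="http://203.0.113.5/login">https://www.paypal.com/signin</a>
</body></html>
"""

SAMPLE_CLEAN = """\
From: "Accounts Payable" <ap@example-smb.com>
To: owner@example-smb.com
Subject: March invoices attached
Content-Type: text/html; charset="utf-8"

<html><body><p>Invoices are in the shared drive:
<a href="https://drive.example-smb.com/ap/march">https://drive.example-smb.com/ap/march</a></p></body></html>
"""

# Brands that attackers impersonate, mapped to the domain their real mail comes from (assumed list).
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _registrable(host):
    # "Last two labels" approximation; good enough here, not for multi-label public suffixes.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw_message):
    """Return the list of indicator names triggered by the message (empty list = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. A known brand in the display name, but mail not sent from that brand's domain.
    for brand, brand_dom in KNOWN_BRANDS.items():
        if brand in display_name.lower() and _registrable(from_dom) != brand_dom:
            findings.append("brand_display_name_domain_mismatch")
            break

    # 2. Replies are steered to a domain other than the sender's.
    for _, reply_addr in getaddresses([msg.get("Reply-To", "")]):
        if reply_addr and _registrable(_domain(reply_addr)) != _registrable(from_dom):
            findings.append("reply_to_domain_mismatch")
            break

    # 3. Links: raw IP targets, punycode hosts, and visible URL text that differs from the href.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        if _is_ip(href_host):
            findings.append("link_to_raw_ip")
        if href_host.startswith("xn--") or ".xn--" in href_host:
            findings.append("punycode_host")
        text_host = ""
        if text.startswith(("http://", "https://")):
            text_host = (urlparse(text).hostname or "").lower()
        if text_host and _registrable(text_host) != _registrable(href_host):
            findings.append("link_text_href_mismatch")
    return findings


if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_PHISH))  # four indicators on the constructed phish
    print(phishing_indicators(SAMPLE_CLEAN))  # [] for the ordinary internal message
```

These heuristics are what training teaches people to notice; a mail gateway applies the same ideas plus SPF, DKIM and DMARC checks, which the script does not attempt. Treat any hit as a reason to verify through a second channel (a phone call to a known number), never as proof either way.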

Misunderstanding the Impact of an Attack

Good cybersecurity is an investment. For cost-conscious businesses, that sometimes means it becomes treated as an optional expense. After all, even if an attack happens, how bad could it be? Won’t it be less expensive to simply pay for a fix than to pay for ongoing cybersecurity services?

In practice, however, things don’t work out that tidily. Successful cyberattacks impact every area of your business, from legal and financial to customer satisfaction and brand reputation.

Then there are the potential fines you could face from regulatory bodies if you’re found to be out of compliance. The reason so many businesses fail after a cyberattack is that they simply can’t afford to keep going.

Insufficient Investment in Cybersecurity

If you underestimate the potential impact of an attack, then it only stands to reason you’re not likely to properly invest in cybersecurity. In the face of paying for tools, services, people, or training, many small businesses opt for the least expensive option – if they pay for anything at all.

Of course, no small business has an unlimited IT budget. If you’re trying to manage and implement cybersecurity all on your own, the costs can add up quickly.

How, then, should you go about determining your budget for cybersecurity as well as how to effectively spend it?

Chapter 2: How Much Should You Spend on Cybersecurity?


There’s a clear reason to invest in good cybersecurity: Attacks are only becoming more common and more expensive. IBM Security’s 2021 Cost of a Data Breach report, for example, found the average cost of a breach at its highest point in the report’s 17-year history.

Then there’s the damage cyberattacks do to your reputation, your brand, and the trust you’ve built with your customers. In the face of that kind of threat, of course you want to do what it takes to protect your business.

But the question remains: How much should you spend?

The answer depends in part on your business.

For example, the financial industry spends more on IT as a percentage of its revenue than any other sector, up to as much as 11.4%. And that makes sense – given the nature of the industry, it has proven to be a popular target, accounting for about 13% of cyberattacks. When you’re under that kind of siege, it makes sense to invest in some serious fortifications.

Most industries, however, don’t face that kind of threat. As a general rule of thumb, most organizations spend an average of 3%-4% of their revenue on IT services. Of that IT budget, you should plan to dedicate at least 10% to cybersecurity.

In real terms, that means if you’re generating $10 million in revenue, a 4% IT budget is $400,000, with at least $40,000 of it dedicated annually to cybersecurity (about $3,300 per month).

The idea here is not to spend beyond your company’s means, but to dedicate a reasonable and consistent portion of your annual budget to shoring up your cybersecurity.

But how do you spend it? If you’ve done some research, you already know there’s a whole sea of options out there.

Chapter 3: How Should You Spend Your Cybersecurity Budget?


Imagine you’ve just bought a new home, and now you’d like to make it secure. Would you just update the deadbolts and leave it at that? Of course not.

Instead, you’d consider the problem from every angle. You might update your doors, ensure your windows aren’t easy to access, install a home security system, add exterior cameras, and replace the batteries in your smoke detectors. You’d also make a plan with your family for what to do in case of an emergency.

In other words, you’d strategize around multiple possibilities, invest in equipment, and be proactive about your plan.

The same should be true for your business’s cybersecurity.

Here are four key areas to keep in mind as you’re budgeting for cybersecurity protection.

1. Build Up Your Cybersecurity Processes and Solutions

Protecting yourself from cyberattacks begins by building up your processes and solutions. Use this checklist, grouped into three areas, to help you get started.

Update Your Assets

- Keep Technology Assets Updated: Whenever possible, automatically update your PCs, applications, network routers, and other assets.
- Eliminate Outdated Hardware & Software: Retire systems that no longer receive security updates. Server consolidation and virtualization reduce the number of machines you have to patch and monitor, and with it your exposure to attack.
- Install Antivirus Software: It won’t stop every threat, but antivirus software is still a must-have for your business.

Back Up and Harden Your Systems

- Require Multifactor Authentication (MFA): A vulnerable password puts your whole business at risk. Protect yourself with MFA.
- Minimize Administrator Privileges: Not everyone needs full admin rights. Don’t grant more access than necessary, and don’t use an admin account for day-to-day work such as email and browsing.
- Set Automatic Backups & Encryption of Data: Backups let you recover after ransomware or hardware failure; encryption limits what an attacker can read if data is stolen. Keep at least one backup copy offline or otherwise isolated so ransomware cannot encrypt it along with your live systems, and test that you can actually restore from it.
- Enable Email Encryption: Protect your confidential data with email encryption.

Implement Real-World Protections

- Guard Physical Devices & Records: Security threats can start offline. Keep your physical devices and records safe.
- Screen Potential Employees & Contractors: Complete thorough background checks and audits on anyone who’s working for you.
- Get Cybersecurity Insurance: Even if you do everything right, you may still be attacked. Cyber insurance can help you get back on your feet.


2. Strategize and Plan for Cyberattacks

No matter how careful you are, your business may still fall victim to a successful cyberattack.

When that happens, your ability to recover will hinge on the steps you’ve taken to prepare for the worst.

By planning ahead and adhering to a strategy now, you can be ready for whatever comes your way. Here are four steps you can take right now to prepare.

Step 1: Create and Document a Backup and Data Recovery (BDR) Plan

A backup and data recovery plan is vital to your business continuity. Create and document your plan now, including how often backups run, where copies are kept, and how long a restore takes; then test a restore and revisit the plan annually as technology evolves.

Step 2: Create and Document a Business Continuity Program

Your business continuity program provides a roadmap for how your organization will provide normal levels of service even in the face of severe disruptions. Some organizations are required to have these plans to meet industry regulations, but any small business can benefit by putting such a plan into place.

Step 3: Create and Document a Breach Response Plan

In the event your data is compromised, it’s important to have a formal response plan in place. This should also include an internal and external communications plan to keep your stakeholders and customers informed.

Step 4: Outsource or Hire an Information Security Expert

It can be difficult for small businesses to afford full-time cybersecurity personnel, despite being prime targets for attackers. Outsourcing offers a solution that provides you full access to senior security experts while staying within your budget.

3. Be Proactive About Cybersecurity Scans and Audits

They say the best defense is a good offense. That’s certainly true when it comes to your cybersecurity. Rather than waiting to see if your business can endure an attack, here are some ways to be proactive about security scans and audits to identify your potential vulnerabilities.

Identify Access Points and Be Prepared to Defend Them

If you can find the access points attackers might use, you can stay one step ahead of them. One way to do that is to create a device and software inventory to get a full view of what your business needs to protect and who has access.

Of course, most businesses have dozens or even hundreds of endpoints, such as laptops, desktops, servers, and mobile devices, many of them remote. These are difficult to monitor with traditional antivirus software alone, but endpoint detection and response (EDR) tools record process, network, and file activity on each device and use behavioral analysis to flag suspicious activity quickly.

Automate and Deploy Early Defenses

Automating your security systems can help reduce the chances of human error. For example, an automated vulnerability scan can reveal missing security patches, insecure settings, and more.

Another powerful automated tool is an intrusion detection and response (IDR) solution. IDR correlates logs and alerts from across your systems to spot attack activity in near real time and trigger a response, such as isolating a host or disabling an account, before the intrusion turns into a loss.

Perform Routine Security Audits

Cybersecurity is constantly changing, which is why it’s important for your organization to perform an annual audit of your practices.

Likewise, you should keep updated accounts of all your data locations – that means everything from thumb drives to workstations to the cloud – and limit who has access.

Your industry may also have specific privacy and compliance standards for customer data security and more. In that case, you may want to hire or outsource an expert to ensure you remain compliant as standards, technology, and threats continue to evolve.

4. Invest in Your Team Policies and Training

Your people can be your best line of defense … or your greatest vulnerability.

It all depends on how well they’re trained in cybersecurity and how you support and reinforce the right behaviors.

To that end, investing in an employee education strategy can be one of the smartest decisions you make to protect your business from cyberattacks. We’d even recommend using simulation tools to test employees regularly and keep their skills sharp.

Create, Document, and Enforce Technology Policies

You can’t blame employees for mistakes if they don’t know where to find information or aren’t being regularly trained on best practices.
Like any other internal policy, your cybersecurity practices need to be documented and routinely enforced. Be sure to have and promote IT policies around computer and Internet usage, remote access, privacy, BYOD, and encryption. Wherever a policy can be enforced technically rather than on the honor system, do so: require strong, unique passwords, screen new passwords against known-breached password lists, and require MFA. Forced periodic password changes are no longer recommended (NIST SP 800-63B advises changing a password when there is evidence of compromise, not on a schedule), because they push people toward predictable variations of the old one.

Help Your Team Connect to Data Securely

With more digital nomads and hybrid workers than ever, it’s important to train your staff on how to connect securely to company data when they’re not in the office. Many workers – and business owners – are still unaware just how risky public WiFi can be: anyone on the same network can watch unencrypted traffic, and a lookalike hotspot is trivial to set up. Give remote staff company-managed devices and a VPN or similar remote-access gateway, and tell them what to do when a connection warning appears. At a time when many choose to work in the local coffee shop instead of the office, there’s no excuse for not training your team.

Chapter 4: Is a Managed IT Security Model the Answer?

As you’ve probably realized by now, cybersecurity poses real challenges for small businesses. Even those with a healthy IT budget may feel overwhelmed by the steps necessary to protect themselves from cyberattacks.

Unfortunately, this is exactly what attackers are counting on.

Fortunately, small business owners have better options than either ignoring cybersecurity or being completely overwhelmed by it.

The managed IT security model allows small businesses to have full access to a robust suite of cybersecurity services and experts without needing to hire a massive internal staff. For a predictable monthly cost, managed cybersecurity services provide 24/7 security monitoring, layered protection, skilled consultants … everything the big enterprise companies have, but without the big enterprise cost.

Here are a few of the most beneficial managed IT security services Ntiva offers to our small business clients.

Cybersecurity Risk Assessment

We’ll provide you with an in-depth look at your current security posture, identify where you’re most vulnerable, and create a plan to get you protected.

Virtual Chief Information Security Officer (vCISO)

Our Virtual Chief Information Security Officer (vCISO) makes top-tier security experts available to you on an as-needed basis for strategic and operational leadership.
Multifactor Authentication

Passwords alone are no longer enough to protect your company against cyberattacks and data breaches. MFA ensures only verified users can access your applications and services.

Intrusion Detection and Response

Ntiva’s IDR solution, built on a security information and event management (SIEM) platform, monitors your network 24x7 for signs of an attack in progress, alerting our experts with no interruption to your business.

Endpoint Detection Response (EDR)

Antivirus software can only go so far. For sophisticated attacks, endpoint detection and response (EDR) uses behavioral analysis and machine learning to detect and contain threats that signature-based antivirus misses.
Phishing Prevention Training

Most security incidents start with a phishing attack aimed at employees. Our cybersecurity services include managed antiphishing training for your people.
Vulnerability Scanning and Remediation

Our vulnerability scanning and remediation solution scans your network for vulnerabilities such as missing patches and insecure configurations so that you can prioritize and fix them.
IT Governance, Risk & Compliance

Our cybersecurity team can help you create a strategy for managing your organization’s governance, enterprise risk management, and compliance with regulations. 

Start protecting your small business from cyberattacks.

Contact Us Today!