How to Create a Cybersecurity Plan for Your Small Business

Most businesses don’t plan to get hacked; they fail to plan for one. That could be a costly mistake. Small businesses spend an average of $690,000 to clean up the mess created by a cyberattack. Not only do they risk the loss of their own data but they put their customers’ confidential information in jeopardy too. Feeling a little insecure about your cybersafety? Face it head-on and create a cybersecurity plan for your small business. Here’s how.

Assess Your Risk

The first step in your cybersecurity plan is to assess your risk. Where are you most vulnerable? Identifying those weak points helps focus your resources on where they can make the biggest difference.

Gather information by asking these questions:

  • What digital assets do you have? The list might include: customer data, contracts, financial records, supply orders, emails, project work files, HR records, contacts, calendars, website, videos, documents. Identify which are highly confidential, sensitive, or for internal use only.
  • How do you access them? Is it through an in-house or remote server, in the cloud, on mobile devices or laptops? These points of entry and exit are particularly vulnerable.
  • Who can access them? Besides you, it might include employees, suppliers, customers, the general public. Also think about apps you use, like accounting systems that have access to your accounts receivable and payable.

You can get outside help with assessing your risk. For example, the Department of Homeland Security (DHS) has a Cyber Resilience Review. Complete it yourself or request an on-site evaluation by DHS staff.

Drafting Your Plan

Don’t be intimidated by this step. Your plan doesn’t have to be 100 pages long. It just has to lay out a roadmap: how will you address each of the risks you identified in the first step?

The Federal Communications Commission (FCC) has a free, online Small Biz Cyber Planner 2.0. They partnered with leading experts from government and private companies to identify best practices. With it, you can organize the information you’ve gathered and create a custom plan for your business.

Use this tool to pick the areas where you’re most vulnerable: network/website security, scams and fraud, email, mobile devices, employees, payment cards and others. When you’re finished, you’ll generate a PDF you can implement. Here’s a sample plan.

Implementing Your Plan

The Small Business Administration (SBA) suggests businesses address these key areas when implementing a cybersecurity plan:

  • Maintain good cyber hygiene – This can include: maintaining updated antivirus software, securing your network with a firewall and encryption, addressing Wi-Fi security, and using strong passwords and multifactor authentication.
  • Train staff – This is perhaps the most important aspect of preventing attacks. The SBA offers training materials on phishing emails, good browsing practices and passwords. They also offer a free, 30-minute online course. The National Cyber Security Alliance (NCSA) offers CyberSecure My Business™, a program offering tips on what to do if a breach occurs.
  • Protect sensitive data and back up the rest – The focus here is on backing up data, securing payment processing and controlling physical access to your digital assets.

Remember, implementation is not a one-time event. It should include ongoing training and monitoring.

Cyberattack incidents pose a significant threat to your small business. Just as you protect your physical assets, it’s important to lock up your digital ones too. Start with these guidelines and create a roadmap to secure your business’s future.