Small Business Cyber Security: 5 Best Practices

Submitted by Erica Kastner on Tue, 04/13/21 - 12:00 PM

Small businesses run on tight margins, but that doesn't mean cyber security should take a back seat. Poor cyber security can lead to ransomware and other incidents whose cleanup costs far exceed the cost of preventing them. Keep reading to learn 5 cyber security best practices that your business should consider following.

Not enough time? Jump to:

Regularly Conduct Network Assessments

Use Zero Trust Network Access (ZTNA)

Educate Employees About Phishing

Create a BCDR Plan

Consider Managed IT Services

Regularly Conduct Network Assessments

Before a business can move forward with implementing a cyber security roadmap, it must first conduct a network assessment. 

Network assessments help organizations determine the following:

  • Network-connected devices that need to be secured or removed (including unknown or unmanaged devices nobody remembers adding)
  • Network functionality issues that need to be addressed (e.g., bottlenecks)
  • Network infrastructure recommendations (e.g., necessary hardware/software upgrades, end-of-life equipment)
  • Network security issues (e.g., unnecessary open ports, missing patches, and signs of active compromise)

While an initial network assessment sets the roadmap for better securing your network, the key is to repeat the assessment regularly so you keep finding which parts of your infrastructure need attention, whether that's your firewall or an employee's computer.

Routine network assessments help you catch and fix security gaps before attackers exploit them. We recommend conducting network assessments quarterly, and comparing each assessment against the previous one so that new devices and newly opened ports stand out instead of getting lost in a long report.

If your business wishes to conduct a thorough network assessment and doesn't know where to start, a Managed Service Provider can help. 
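
As an added example (not code from the original post or from any particular assessment tool), here is a small Python script that turns two nmap XML reports, a quarterly baseline and a fresh scan, into the list a reviewer actually wants: hosts that appeared or vanished, ports that opened or closed, and anything running a cleartext or remote-admin service. The scan data below is constructed, the addresses are documentation ranges, and the risky-port table is this example's own assumption; run nmap with -oX against your own segments to produce real input.

```python
"""Compare a fresh nmap XML scan against the previous assessment's baseline."""
import xml.etree.ElementTree as ET

# Constructed sample output in nmap -oX format (documentation addresses, not a real network).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.30" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
    </ports></host>
</nmaprun>"""

# Services that should not be reachable across the office network without a documented
# reason: cleartext logins and remote-admin protocols (assumed list; extend for your site).
RISKY_PORTS = {
    ("tcp", 21): "ftp (cleartext)",
    ("tcp", 23): "telnet (cleartext)",
    ("tcp", 3389): "rdp (remote admin)",
    ("tcp", 5900): "vnc (remote admin)",
}


def parse_scan(xml_text):
    """Return {ip: {(proto, port): service}} for every OPEN port in an nmap -oX report."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hosts[ip] = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            hosts[ip][key] = svc.get("name", "?") if svc is not None else "?"
    return hosts


def diff_scans(baseline, current):
    """What changed since the last assessment: hosts that appeared/vanished, ports that opened/closed."""
    result = {
        "new_hosts": sorted(set(current) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(current)),
        "new_ports": [],
        "closed_ports": [],
    }
    for ip in set(baseline) & set(current):
        for proto, port in sorted(set(current[ip]) - set(baseline[ip])):
            result["new_ports"].append((ip, proto, port, current[ip][(proto, port)]))
        for proto, port in sorted(set(baseline[ip]) - set(current[ip])):
            result["closed_ports"].append((ip, proto, port, baseline[ip][(proto, port)]))
    return result


def risky_findings(scan):
    """Every open port on the risky-service list, whether or not it is new this quarter."""
    return sorted(
        (ip, port, RISKY_PORTS[(proto, port)])
        for ip, ports in scan.items()
        for (proto, port) in ports
        if (proto, port) in RISKY_PORTS
    )


if __name__ == "__main__":
    base, cur = parse_scan(BASELINE_XML), parse_scan(CURRENT_XML)
    for key, value in diff_scans(base, cur).items():
        print(f"{key}: {value}")
    for ip, port, why in risky_findings(cur):
        print(f"REVIEW {ip}:{port} {why}")
```

The diff is what makes quarterly assessments useful: a new host with telnet open, or RDP appearing on the file server, is a one-line finding to chase instead of a page of ports to re-read.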

Use Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) has emerged over the past few years as an alternative to VPNs. While VPNs are a proven way to secure remote access, they come with latency, productivity, and scaling problems, and a VPN client that lands a user on the internal network gives that user (and any malware on their device) far more reach than the job requires.

The central premise of the Zero Trust model is that organizations shouldn't automatically trust anything inside or outside their network; every request is verified before access is granted. Furthermore, access is granted on a need-to-know, least-privilege basis.

ZTNA removes the risk that comes with assuming everything already inside the network perimeter is safe. When organizations automatically trust devices and software simply because they are on the LAN, a single compromised laptop can reach everything else.

Though Zero Trust Network Access can be complex and takes work to implement, it is currently one of the leading security models in the industry. ZTNA lets users connect securely to private applications without placing their devices on the internal network or exposing those applications to the Internet.

There are four core tenets of Zero Trust Network Access that can be applied to an organization's network:

  1. Separate application access from network access: a user connects to a specific application, not to the network it lives on.
  2. Make only outbound connections from the application side to the ZTNA broker, so no inbound ports are exposed and unauthorized users cannot even see the network and application infrastructure.
  3. Once users are authenticated and authorized, grant application access one application at a time. Authorized users shouldn't have full network access.
  4. De-emphasize the corporate network: with users and applications both connecting through the broker, the Internet effectively becomes the corporate network.

5 Steps to Build a Zero Trust Network Access Policy


1. Segment the Network

This step is arguably the most crucial in implementing an effective ZTNA policy.

Organizations should separate systems and devices into segments based on which types of access they allow and what information they process (for example, guest Wi-Fi, employee workstations, servers, and printers). These segments define the trust boundaries everything else is built on.

2. Strengthen Identity and Access Management

Identity and access management infrastructure needs to be strengthened when a ZTNA policy is built. 

This can be accomplished with multi-factor authentication on every account that supports it and role-based access control, which ensures that users only have access to the platforms and applications they need to do their jobs. Removing access promptly when someone changes roles or leaves is part of the same discipline.

3. Extend Least Privilege Policies to Your Firewall

A core tenet of Zero Trust Network Access is to not automatically trust anything within or outside of your network. Apply it to your firewall by restricting traffic between segments as much as possible: the default rule between segments should be deny, and every allowed flow should be explicit and tied to a business reason.

This is a "closed-door" firewall policy: nothing passes unless a rule specifically opens the door for it.
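
Added example, not code from the original post: a Python script that expresses the segmentation of step 1 and the default-deny firewall of step 3 as a single allow-list, evaluates flows against it, and renders the equivalent nftables forward chain. The segment ranges, the flows and their business reasons are constructed assumptions for illustration.

```python
"""Default-deny segmentation policy, evaluated in Python and rendered as nftables rules."""
from dataclasses import dataclass

# Constructed example segments (private ranges; not a real network).
SEGMENTS = {
    "workstations": "10.10.10.0/24",
    "servers": "10.10.20.0/24",
    "guest_wifi": "10.10.30.0/24",
    "printers": "10.10.40.0/24",
}


@dataclass(frozen=True)
class Allow:
    src: str
    dst: str
    proto: str
    port: int
    reason: str  # the business justification that belongs in the rule comment


# The complete list of flows that may cross a segment boundary. Anything not listed
# is dropped. Note there is no guest_wifi entry at all, and no servers -> workstations
# entry: a compromised server cannot reach out to staff PCs. (Assumed example flows.)
ALLOW_LIST = [
    Allow("workstations", "servers", "tcp", 445, "file shares"),
    Allow("workstations", "servers", "tcp", 443, "intranet web apps"),
    Allow("workstations", "servers", "udp", 53, "internal DNS"),
    Allow("workstations", "printers", "tcp", 9100, "print jobs"),
]


def validate(segments, allow_list):
    """Reject entries that reference unknown segments or impossible ports."""
    for a in allow_list:
        if a.src not in segments or a.dst not in segments:
            raise ValueError(f"unknown segment in rule: {a}")
        if not 1 <= a.port <= 65535:
            raise ValueError(f"invalid port in rule: {a}")


def is_allowed(src_seg, dst_seg, proto, port, allow_list=ALLOW_LIST):
    """Default deny: a flow passes only if an explicit Allow matches it exactly."""
    return any(
        a.src == src_seg and a.dst == dst_seg and a.proto == proto and a.port == port
        for a in allow_list
    )


def render_nftables(segments, allow_list):
    """Emit an nftables forward chain: policy drop, replies allowed, then one accept per Allow."""
    validate(segments, allow_list)
    lines = [
        "table inet segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for a in allow_list:
        lines.append(
            f"        ip saddr {segments[a.src]} ip daddr {segments[a.dst]} "
            f'{a.proto} dport {a.port} accept comment "{a.src}->{a.dst}: {a.reason}"'
        )
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables(SEGMENTS, ALLOW_LIST))
    for flow in [("workstations", "servers", "tcp", 445),
                 ("guest_wifi", "servers", "tcp", 445),
                 ("servers", "workstations", "tcp", 445)]:
        print(flow, "ALLOW" if is_allowed(*flow) else "DROP")
```

Two things to keep in mind when using this pattern: the forward hook only sees traffic that crosses the router, so workstation-to-workstation SMB inside one segment is invisible to it and needs host firewalls or private VLANs; and every entry in the allow-list should be re-justified at each network assessment, because rules tend to accumulate and never get removed.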

4. Add Application Context to Your Firewall

Adding application inspection (a standard next-generation firewall feature) lets your firewall identify the application carrying the traffic rather than just the port number, so a rule can mean "allow DNS" instead of "allow anything on port 53".

This can mean, for instance, that your firewall checks that outbound traffic on a port really is the protocol expected there and blocks or flags traffic that doesn't match, such as malware tunneling its command-and-control traffic over a port that was opened for something else.

5. Implement a Security Information and Event Management (SIEM) Solution

SIEM solutions collect logs from firewalls, servers, endpoints, and cloud services in one place, so IT managers can search and correlate security events in a centralized view.

This lets companies quickly identify and remedy threats that span multiple systems, devices, and applications within the network, such as one attacker trying passwords against several servers in turn, which no single device's log would reveal on its own.
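
Added example, not the page's own code or any SIEM vendor's: a Python correlation over constructed sshd log lines from three hosts (documentation address ranges, invented hostnames, made-up times), of the kind a SIEM rule would run over the centralized log. Seen per host, each server only logs one or two failed logins; seen together, one source is walking across the servers and finally gets in. The thresholds (five failures across at least two hosts within five minutes) are assumptions you would tune to your environment.

```python
"""Correlate sshd auth events across hosts to spot a password spray that one host's log would miss."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd's syslog format, as forwarded to a central collector.
SAMPLE_LOGS = """\
2021-04-13T09:00:01Z fileserver sshd[1201]: Failed password for admin from 198.51.100.7 port 51122 ssh2
2021-04-13T09:00:03Z fileserver sshd[1201]: Failed password for admin from 198.51.100.7 port 51123 ssh2
2021-04-13T09:00:05Z mailserver sshd[880]: Failed password for invalid user oracle from 198.51.100.7 port 51130 ssh2
2021-04-13T09:00:06Z mailserver sshd[880]: Failed password for root from 198.51.100.7 port 51131 ssh2
2021-04-13T09:00:09Z vpn sshd[77]: Failed password for backup from 198.51.100.7 port 51140 ssh2
2021-04-13T09:00:12Z vpn sshd[77]: Accepted password for backup from 198.51.100.7 port 51141 ssh2
2021-04-13T09:05:00Z fileserver sshd[1300]: Failed password for alice from 10.10.10.15 port 40000 ssh2
2021-04-13T09:05:20Z fileserver sshd[1300]: Accepted password for alice from 10.10.10.15 port 40001 ssh2
2021-04-13T09:06:00Z fileserver cron[1400]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(lines):
    """Normalise raw lines into events; lines that are not sshd auth results are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "result": m["result"], "user": m["user"], "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_spray(events, window=timedelta(minutes=5), min_failures=5, min_hosts=2):
    """Alert on a source that fails logins on several hosts inside one window.

    Severity is 'high' when the same source then gets an Accepted login in the window:
    that is the account to lock and the host to investigate first.
    """
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            if start["result"] != "Failed":
                continue  # a window opens at a failure
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            fails = [x for x in in_window if x["result"] == "Failed"]
            hosts = {x["host"] for x in fails}
            if len(fails) < min_failures or len(hosts) < min_hosts:
                continue
            success = next((x for x in in_window if x["result"] == "Accepted"), None)
            alerts.append({
                "src": src,
                "failures": len(fails),
                "hosts": sorted(hosts),
                "severity": "high" if success else "medium",
                "compromised": f"{success['user']}@{success['host']}" if success else None,
            })
            break  # one alert per source per run, not one per overlapping window
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_LOGS)):
        print(alert)
```

Alice's single typo on the file server produces nothing, which is the point of the host-count threshold: the rule fires on the pattern across hosts, not on ordinary mistakes.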

RELATED: What is a VPN?

Educate Employees About Cyber Security Best Practices

Employees are a common entry point for attackers, through phishing, weak passwords, and reused credentials. Now what?

Thankfully, there are steps you can take to educate your employees about cyber security best practices.

Start Cyber Security Education During the On-Boarding Process

Educating employees about cyber security from the day they're hired helps build a company mindset around its importance. The process can be as simple as an educational pamphlet that the new hire reads and is tested on during the first week of employment.

If an employee is educated about cyber security right from the start, the odds of them falling for an attack decrease.

Train and Test Your Employees Regularly

A monthly company cyber security newsletter is an informative and engaging way to keep employees up to date on the latest threats and to share tips on staying safe online.

Another engaging way to measure how well-educated your employees are is a phishing simulation: a fake phishing campaign orchestrated by your IT company that records which employees click the fake links or open the fake attachments. (This is sometimes loosely called a "phishing test"; it is not the same as penetration testing, which is an authorized attempt to find and exploit weaknesses in your systems rather than your people.)

If employees fall for these phishing attempts, send them through cyber security training again, and track the click rate over time so you can see whether the training is working. We recommend running a simulation quarterly.

However, phishing simulations only address the human layer. If your network has inherent vulnerabilities, an attacker doesn't need anyone to click. We consistently find that companies have network security issues that were overlooked or unknown, which is why the network security assessments described above (at least annually, and quarterly if you can) are worth the effort.

Create and Enforce a Password Policy

Write a policy dictating how company account passwords are created and maintained. Provide guidelines on minimum length, on using long randomly generated passwords or passphrases, and on when to change them. Current guidance (NIST SP 800-63B) is to change a password when there is any sign it was compromised rather than on a fixed schedule, and to screen new passwords against lists of known-breached passwords, since forced rotation mostly produces predictable variations of the old password.

An easy way for employees to get a feel for password strength is a password-strength checker sponsored by a password protection platform, which estimates how long it would take a hacker to crack a given password. Use it to test passwords with a similar structure to yours, never your real passwords: anything typed into a third-party website should be treated as no longer secret.

When creating a password policy, bear in mind that many people reuse the same password across multiple accounts. Password reuse is what makes credential-stuffing attacks work: one breached website hands the attacker a working login for your business, so your policy should prohibit reuse outright.

The practical way to make unique, random passwords workable is a password manager. A reputable password manager is far safer than reuse or sticky notes; the caveats are that the master password must be long and unique, that the manager account should be protected with multi-factor authentication, and that the vendor should encrypt vaults on the user's device so a breach of the vendor's servers does not expose plaintext passwords. Your policy should require unique passwords, encourage (or provide) a password manager, and require multi-factor authentication wherever it is available.
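
Added example, not code from the original post or from any password-checking service: a Python password screen for the policy above. It applies length and banned-word checks and screens against breached-password hashes the way the Have I Been Pwned range API does, sending only the first five characters of the SHA-1 hash so the password itself never leaves the machine. The breach corpus here is a constructed stand-in built from a few passwords known to appear in breach lists, and the 12-character minimum and banned words are this example's assumptions.

```python
"""Screen a password: length, context words, and a breach check that never sends the password."""
import hashlib
import secrets
import string

# Organisation-specific words that must not appear in passwords (assumed example values).
BANNED_WORDS = ["acme", "atlanta", "password", "welcome"]
MIN_LENGTH, MAX_LENGTH = 12, 64  # 12 is this policy's choice; NIST 800-63B's floor is 8

# Constructed stand-in for the breach corpus: the real service holds hundreds of millions of
# SHA-1 hashes; here we hash a few passwords that are known to appear in breach lists.
BREACHED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "Welcome1")
}


def hash_prefix_suffix(password):
    """Split the SHA-1 hex digest into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_range_lookup(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (assumed shape: 'SUFFIX:COUNT').

    Returns one line per corpus hash sharing the prefix; the server never learns which one
    the client cares about, because it only ever sees the 5-character prefix.
    """
    return "\n".join(f"{h[5:]}:1" for h in sorted(BREACHED_HASHES) if h.startswith(prefix))


def is_breached(password, range_lookup=fake_range_lookup):
    """Client side of the k-anonymity check: fetch the prefix bucket, compare suffixes locally."""
    prefix, suffix = hash_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix and int(count) > 0:
            return True
    return False


def evaluate_password(password, username, range_lookup=fake_range_lookup):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    for word in BANNED_WORDS + [username]:
        if word and word.lower() in lowered:
            problems.append(f"contains '{word}'")
    if is_breached(password, range_lookup):
        problems.append("appears in a known breach corpus")
    return problems


def generate_password(length=20):
    """What a password manager does for you: a uniformly random string from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#$%"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Welcome1", "ericaK-strong-2021!", "blue-tractor-umbrella-49", generate_password()):
        print(candidate, "->", evaluate_password(candidate, "erica") or "OK")
```

To use the real service, replace fake_range_lookup with an HTTPS GET of the prefix and keep everything else the same; the comparison still happens on your side.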

RELATED: How to Build a Cyber Security Policy [5 Tips]

Create a BCDR Plan

BCDR (Business Continuity and Disaster Recovery) plans are used by businesses in the event of network outages stemming from natural disasters or cyber attacks to:

  • Ensure that operations run smoothly
  • Minimize network downtime
  • Minimize data loss 

Business Continuity plans redirect resources, establish chains of command, and coordinate shifts in employees so that business operations have minimal interruptions during natural disasters and network outages.

For instance, if a tornado swept through and destroyed part of a business' office, how would the company continue to ensure that all employees have web access and know how to continue working?

In this scenario, maybe all employees would be instructed to work remotely, or maybe some business functions would temporarily be put on pause to direct resources to more critical business tasks. 

Disaster Recovery plans focus mainly on the IT side: how to restore the network quickly with minimal downtime and data loss. The main tenets of a Disaster Recovery plan include server and network restoration and recovery from backups.

RELATED: BCDR Plans [Why All Businesses Should Have Them]

How Do I Build a BCDR Plan?

If your company doesn't have a BCDR (Business Continuity and Disaster Recovery) plan, you are at a disadvantage when a natural disaster or cyber attack happens. Building out and regularly testing a thorough BCDR plan puts you a step ahead when disaster strikes.

When building a Business Continuity plan, evaluate the workflow for all departments. Since many jobs can now be done online, in the event that your network goes down, many employees should still be able to work remotely from home and use websites and other online platforms to continue working. 

When evaluating each department, answer some of the following questions: How do they communicate with one another? What software and programs do they use? How much of their jobs rely on files within your network? Knowing the answers to questions like these can ensure that there are no gaps in your plan.

When your network goes down, key files may not be easily accessible company-wide. This can hinder productivity, which is why an effective Disaster Recovery plan can make all the difference in the world.

A crucial part of any Disaster Recovery plan is automating backups. Network outages and ransomware attacks can happen at any time.

In these scenarios, you may have to restore every device from the most recent backup. If you don't back up data frequently, you risk losing access to important documents. Automated backups minimize data loss and downtime, with two caveats. First, modern ransomware deliberately looks for backups it can reach and encrypts or deletes them, so keep at least one copy offline or on storage the attacker cannot modify. Second, a backup you have never restored is not yet a backup: schedule test restores and check that the restored files match what was backed up.
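
Added example, not code from the original post: a Python backup drill that archives a constructed sample share, records SHA-256 hashes, overwrites the live files the way an encrypting ransomware would, restores from the archive, and proves the restore matches the original byte for byte. It also shows that an archive the attacker managed to touch fails verification. The paths and file contents are made up, and the manifest-beside-the-archive layout is a simplification: in practice the archive hash should be kept somewhere the backup job itself cannot write.

```python
"""Backup drill: archive, hash, lose the live data, restore, and prove the restore is exact."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src, vault):
    """Archive src into vault and write a manifest of per-file and whole-archive SHA-256 hashes.

    An attacker who can rewrite both the archive and the manifest defeats the check, so
    store the archive hash (or the whole manifest) on media the backup job cannot modify.
    """
    archive = vault / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname="data")
    manifest = {
        "archive_sha256": sha256_file(archive),
        "files": {
            p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()
        },
    }
    (vault / "backup.manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive, manifest


def verify_archive(archive, manifest):
    """Cheap check to run after every backup job: has the archive changed since it was written?"""
    return sha256_file(archive) == manifest["archive_sha256"]


def restore_and_verify(archive, manifest, target):
    """Restore into target and return the files whose contents do not match the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+: refuse path-traversal entries
            tar.extractall(str(target), filter="data")
        else:
            tar.extractall(str(target))
    restored = target / "data"
    return [
        rel for rel, digest in manifest["files"].items()
        if not (restored / rel).is_file() or sha256_file(restored / rel) != digest
    ]


def simulate_ransomware(share):
    """Overwrite and rename every live file, as an encrypting ransomware would."""
    for p in list(share.rglob("*")):
        if p.is_file():
            p.write_bytes(b"ENCRYPTED")
            p.rename(p.with_name(p.name + ".locked"))


def run_drill():
    """Whole scenario in a temp directory; returns the checks a restore test should report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share, vault, restore_dir = root / "share", root / "vault", root / "restore"
        for d in (share, share / "hr", vault, restore_dir):
            d.mkdir(parents=True)
        # Constructed sample data standing in for the office file share.
        (share / "invoices.csv").write_text("id,amount\n1,100\n2,250\n")
        (share / "hr" / "payroll.txt").write_text("constructed sample data\n")

        archive, manifest = make_backup(share, vault)
        simulate_ransomware(share)
        mismatches = restore_and_verify(archive, manifest, restore_dir)

        # A copy the attacker managed to touch, even by one byte, must fail verification.
        data = archive.read_bytes()
        tampered = vault / "tampered.tar.gz"
        tampered.write_bytes(data[:-1] + bytes([data[-1] ^ 0xFF]))

        return {
            "archive_ok": verify_archive(archive, manifest),
            "restore_mismatches": mismatches,
            "tampered_detected": not verify_archive(tampered, manifest),
            "live_files_lost": all(p.name.endswith(".locked") for p in share.rglob("*") if p.is_file()),
        }


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The same three functions (make, verify, restore-and-verify) are what a scheduled restore test should run against a real backup set; the drill simply packages them so the whole cycle can be demonstrated offline.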

Additionally, when creating a Disaster Recovery plan, make sure that all executives and any in-house IT staff know the proper steps to take in the event of a cyber attack or network outage.

Will all employees be shifted to remote work temporarily? Do any software vendors need to be contacted? Which employees will be the primary people to handle a network outage, and which tasks will they need to delegate to others?

Answering these questions ensures that staff resources are quickly and efficiently allocated to get your network running again.

Consider Managed IT Services

While implementing all of the above tips is a great way to better protect your network, cyber security is a complex and evolving process that needs proper care and attention to be implemented and monitored correctly.

Businesses without in-house IT may turn to other employees like secretaries or office managers to perform basic security tasks such as data backups. However, effective cyber security policies are best maintained by IT professionals that know how to monitor and update them to ensure uptime and minimize data breaches.

Companies with in-house IT departments may find that these employees can quickly get overwhelmed with managing their company's network security while fielding employee help requests. 

A Managed Service Provider (MSP) can work with both of these types of companies to implement and monitor a layered approach to cyber security.

Usually, an MSP's first task will be to perform a network audit to identify security gaps and build a roadmap to success. This roadmap usually involves securing your current infrastructure and installing new hardware and software when necessary.

Once your network is secured, MSPs use a variety of remote monitoring platforms to quickly identify and remedy issues that arise, such as network downtime and cyber threats.

The right Managed Service Provider will minimize network downtime, rebuff cyber threats, streamline business processes, keep your business compliant with data privacy regulations, and more.

As a metro-Atlanta based Managed Service Provider, our diverse offering includes:

  • Network monitoring: Consistent observation of all parts of your network ensures that any issues are swiftly identified and mitigated
  • Cyber threat prevention and education: Layers of the latest technology neutralize threats while courses and phishing simulations teach employees how to secure company data
  • Data security: BCDR plan implementation and data privacy regulatory compliance ensure that data is backed up and data loss is minimized
  • Network Operations Center: 24/7 assistance from a help desk with higher satisfaction ratings than Amazon and Ritz-Carlton customers
  • Project management: Get assistance planning office expansions, moves, remote transitions, and more from qualified experts


Since small businesses don't have the financial resources that bigger companies do, the thought of a robust cyber security program may sound outlandish.

Hopefully this article has shown that there are steps small businesses can take today to better secure their network without the budget that a Fortune 500 company has.

For more cyber security content, follow our blog!

