2023 cybersecurity checklist for small businesses


Cybersecurity should be a major theme for small businesses in 2023. We hear about data breaches and exploit attacks targeting smaller organizations every week. And the threat environment constantly changes, presenting new risks for businesses to worry about.

Don't worry, there are plenty of solutions and strategies to help SMBs. This article will help you handle 2023’s most urgent security risks. Our security checklist will cover critical areas of concern, with practical steps to respond effectively.

Importance of cybersecurity for small businesses

Cyber threats to big corporations and government bodies tend to dominate the news media. But SMBs are just as likely to fall victim to digital attacks, and the effects can be devastating.

In 2022, around 43 percent of ransomware attacks and data breaches targeted small and medium-sized businesses. Cyber-attacks hit 42 percent of SMBs in 2021.

The consequences can be dire. According to IBM, the average cost of a data breach has reached $4.35 million. Forbes reports that as many as 60 percent of small businesses targeted by cyber-attacks shut down within 6 months.

Larger corporations may be able to absorb the costs of data security failures, but smaller organizations struggle. When the risks are so high, SMBs simply cannot afford to neglect cybersecurity.

Understand the threat landscape

Small businesses face many potential cyber threats in today’s digital economy. Understanding the main risks is the first step toward improving your security posture.

  • Data breach risks - Malicious software (malware), account hijacking, and disgruntled insiders can all result in data breaches. The results can be financial losses, reputational damage, and even criminal prosecution.

  • Ransomware - Small businesses can also fall victim to ransomware. 2022 saw some high-profile cases, such as co-ordinated attacks on educational institutions, but any type of business is vulnerable.

  • Phishing - Social engineering attacks continue to rise, with a sharp spike in Business Email Compromise (BEC) in 2022. The growth of remote work and SaaS services also presents small businesses with new challenges, from IP spoofing to performance-destroying DDoS attacks.

When you add in DDoS attacks, worms, and viruses, securing business networks has never been more complex. That’s why we’ve come up with a small business cyber security checklist to guide SMBs.

If you check all of these boxes, your systems should be covered against today’s most damaging threats. So let’s get started.

Small business cybersecurity checklist


1. Data protection

Customer data is the number one target for cyber-attackers. So small businesses must prioritize data security when strengthening network security.

To start with, encryption is the most important data protection tool. Small businesses should:

  • Classify and protect all sensitive data with secure encryption.

  • Apply encryption to data at rest and in transit throughout network resources.

  • Couple encryption with Data Loss Prevention (DLP) tools. These tools track critical data and block exfiltration attempts by unauthorized users.

It is also important to limit employee access to confidential data. This shrinks the attack surface: if a malicious actor compromises an account, they reach only the limited set of data that account needs. Measures to put in place include:

  • Applying the principle of least privilege via access controls. Authorized users should have access to the resources they need. But the rest of the network should be off-limits without authorization.

  • Minimizing the number of accounts with administrative privileges. Users should not be able to make global changes without approval from a user at the same or higher seniority level. Administrators should routinely remove unused or over-privileged accounts.

  • Using network segmentation tools. Segmenting your network creates safe zones for sensitive data. These zones are separated from general network traffic, making a data breach far less likely.
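The access-control bullets above translate into two routine checks: a default-deny permission lookup and an audit that finds privileged accounts nobody is using. The following is an added example, not NordLayer's code; the roles, resources, account records and the 90-day idle threshold are constructed for illustration.

```python
"""Default-deny role-based access check plus an audit of privileged accounts.

Added example, not NordLayer's code. The roles, resources and account
records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Role -> resource -> permitted actions. Anything not listed here is denied,
# which is what "least privilege" means in practice.
ROLE_PERMISSIONS = {
    "sales":   {"crm": {"read", "write"}, "invoices": {"read"}},
    "finance": {"invoices": {"read", "write"}, "payroll": {"read", "write"}},
    # The wildcard role is deliberately the only one that can reach everything.
    "admin":   {"*": {"read", "write", "admin"}},
}


@dataclass
class Account:
    username: str
    roles: set
    last_login: date
    enabled: bool = True


def make_account(username, roles, last_login_iso, enabled=True):
    """Build an Account from an ISO date string (keeps sample data short)."""
    return Account(username, set(roles), date.fromisoformat(last_login_iso), enabled)


def is_allowed(account, resource, action):
    """Default deny: grant only if one of the account's roles lists the action."""
    if not account.enabled:
        return False
    for role in account.roles:
        perms = ROLE_PERMISSIONS.get(role, {})
        permitted = perms.get(resource, set()) | perms.get("*", set())
        if action in permitted:
            return True
    return False


def audit_privileged_accounts(accounts, today_iso, max_idle_days=90):
    """Names of enabled admin accounts unused for longer than max_idle_days.

    These are the accounts to disable or downgrade: each one is a standing
    target for credential theft even when nobody is using it.
    """
    today = date.fromisoformat(today_iso)
    stale = [
        a.username for a in accounts
        if a.enabled and "admin" in a.roles
        and (today - a.last_login).days > max_idle_days
    ]
    return sorted(stale)


def admin_ratio(accounts):
    """Share of enabled accounts holding the admin role; a number worth tracking."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 0.0
    return sum("admin" in a.roles for a in enabled) / len(enabled)


if __name__ == "__main__":
    staff = [
        make_account("alice", ["sales"], "2023-03-01"),
        make_account("bob", ["finance"], "2023-03-10"),
        make_account("root-old", ["admin"], "2022-10-01"),   # unused admin account
        make_account("carol", ["admin"], "2023-03-12", enabled=False),
    ]
    print(is_allowed(staff[0], "crm", "write"))            # True
    print(is_allowed(staff[0], "payroll", "read"))         # False: not in the sales role
    print(audit_privileged_accounts(staff, "2023-03-15"))  # ['root-old']
    print(f"{admin_ratio(staff):.0%} of enabled accounts are admins")
```

The important design choice is that `is_allowed` never falls through to "allow": a resource or action missing from the role table is denied, so adding a new system to the network grants nobody access until someone writes a rule for it.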

2. Threat reduction

Proactively meeting potential threats is a good way to reduce the chances of a successful attack. There are many ways to counter cyber threats, and small businesses should leverage tools that are both affordable and effective.

  • Email encryption and threat scanning tools make employee emails virtually unreadable to outsiders. And they scan incoming attachments to detect malware. The system quarantines suspicious emails, dramatically reducing phishing risks.

  • Malware scanners track incoming and outgoing network traffic. Intrusion prevention systems actively seek out known threats. Choose regularly updated tools that counter the most relevant attack vectors.

  • Firewalls screen access requests from outside the network. A properly-configured firewall implements tight access controls at the network edge. This creates a primary barrier that excludes users without the right credentials.
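The email-scanning bullet above describes quarantining suspicious messages. The following is an added example, not NordLayer's code, of the kind of screening logic a mail gateway applies before a message reaches an inbox: it flags attachments with executable extensions and a display name that claims the company's own domain while the address belongs to another. The trusted domain, the extension list, the heuristics and both sample messages are constructed for this example.

```python
"""Screen inbound mail for risky attachments and sender impersonation.

Added example, not NordLayer's code. The trusted domain, extension list,
heuristics and sample messages are constructed for illustration.
"""
import email
import os
from email import policy
from email.utils import parseaddr

OUR_DOMAINS = {"example.com"}   # constructed: the domains we send mail from
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso"}

# Constructed sample of a lure: display name borrows our domain, address does
# not, and the "document" has a double extension ending in .exe.
SAMPLE_PHISH = """\
From: "example.com IT Support" <helpdesk@examp1e-mail.net>
Reply-To: helpdesk@examp1e-mail.net
To: alice@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires today. Open the attached tool to renew it.
--b1
Content-Type: application/octet-stream; name="renew.pdf.exe"
Content-Disposition: attachment; filename="renew.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample of a normal internal message with a PDF attachment.
SAMPLE_CLEAN = """\
From: Accounts <accounts@example.com>
To: alice@example.com
Subject: March statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Statement attached.
--b2
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw):
    """Return a list of findings; an empty list means the message passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    # Display name claims to be us while the actual address is elsewhere.
    if from_domain not in OUR_DOMAINS and any(d in name.lower() for d in OUR_DOMAINS):
        findings.append("display name impersonates our domain")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # Walk every MIME part; only parts carrying a filename are attachments.
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()   # ".exe" for renew.pdf.exe
        if ext in RISKY_EXTENSIONS:
            findings.append("risky attachment: " + filename)
    return findings


def should_quarantine(raw):
    """Quarantine on any finding; a human reviews the held message."""
    return bool(assess_message(raw))


if __name__ == "__main__":
    print(assess_message(SAMPLE_PHISH))   # impersonation + risky attachment
    print(assess_message(SAMPLE_CLEAN))   # []
```

Splitting on the last dot is what catches the double-extension trick: `renew.pdf.exe` is judged by `.exe`, not by the `.pdf` a user sees first.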

3. Incident response

All small businesses are at risk from cyber-attacks. And a natural disaster could occur at any time. Having a robust incident response plan is essential, providing a roadmap to system restoration and threat containment.

Incident response plans activate when attacks take place and generally feature the following steps:

  • Threat identification and containment

  • Protection of critical data

  • Threat elimination and mitigation

  • Restoration of system functionality

  • Mapping network damage or loss of data integrity

  • Auditing the incident response process and learning lessons to improve the security posture.

Carry out testing drills that simulate real-life attacks, and make sure all employees know their role in the incident response. Try to balance thoroughness and speed when responding. Be clear about when to move to the next stage, but move as quickly as possible.

4. Backups

Small businesses cannot afford to spend time and money rebuilding IT systems after an attack. There is no way back for companies that lose all of their customer data. That’s why an SMB cybersecurity plan should require backups of data and critical workloads before attacks occur.

  • There is no need to back up everything. Categorize databases and workloads according to their importance.

  • Backup data is required to restore network and website functionality in the event of ransomware attacks.

  • Choose a cloud backup partner that encrypts your files securely and provides rapid access to company data when needed.

Robust data retention policies complement regular backups. These policies record:

  • How long the organization stores user or customer data

  • Where critical company data resides

  • Deletion procedures to safely erase stored data.

Storing too much data wastes valuable space, but it is also a security risk. Attackers may steal valuable data on company servers, even if that data has no business value for the organization itself. Compliance also matters. For instance, healthcare companies need data retention policies that conform to HIPAA standards.

5. 2FA or multi-factor authentication

Authentication protects the frontline of small business network security: user access. Without proper authentication systems, malicious users can easily gain access to sensitive information. And with the technology available today, there is no excuse to leave networks undefended.

Implement multi-factor authentication (MFA) for all critical assets. MFA goes beyond passwords and demands additional identification factors. This could include biometric data, one-time passcodes, or mobile scans. The idea is to add additional protective layers and make it harder to access valuable data.

MFA or 2FA is not advisable for all network actions, such as using SaaS collaboration tools or sending emails. Limit their use to systems that matter. This ensures a seamless user experience while guarding high-value assets.
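The one-time passcodes mentioned above are usually time-based (TOTP, RFC 6238): server and authenticator app share a secret, and each 30-second step yields a six-digit code derived from an HMAC. The following is an added example, not NordLayer's code, showing the server side with the standard library only: code generation, a skew window for verification, a constant-time comparison, and replay rejection so a code that was already accepted cannot be reused. The demo secret is the RFC 6238 test key and is not a value from this article; the one-step skew window and per-user replay tracking are design assumptions.

```python
"""Server-side TOTP (RFC 6238) verification for a second factor.

Added example, not NordLayer's code. Standard library only; the demo
secret is the RFC 6238 test key (a constructed value, not a real secret).
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
DEMO_SECRET = b"12345678901234567890"   # RFC 6238 test vector key, constructed


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS):
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def provisioning_secret(secret):
    """Base32 form of the secret, the string a user types into an authenticator app."""
    return base64.b32encode(secret).decode().rstrip("=")


class TotpVerifier:
    """Verifies codes with a skew window and rejects replays per user."""

    def __init__(self, window=1, step=STEP_SECONDS):
        self.window = window
        self.step = step
        self._last_counter = {}   # user -> last accepted time step

    def verify(self, user, secret, submitted, unix_time=None):
        if unix_time is None:
            unix_time = int(time.time())
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            # A step at or before the last accepted one is a replay: refuse it.
            if candidate <= self._last_counter.get(user, -1):
                continue
            # Constant-time comparison so response timing does not leak digits.
            if hmac.compare_digest(hotp(secret, candidate), submitted):
                self._last_counter[user] = candidate
                return True
        return False


if __name__ == "__main__":
    print(provisioning_secret(DEMO_SECRET))
    print(totp(DEMO_SECRET, 59))              # 287082 (RFC 6238 Appendix B, 6 digits)
    v = TotpVerifier()
    print(v.verify("alice", DEMO_SECRET, "287082", unix_time=59))   # True
    print(v.verify("alice", DEMO_SECRET, "287082", unix_time=70))   # False: replay
```

The window of one step either side tolerates a phone clock that is up to 30 seconds off; widening it makes guessing easier, so keep it small and fix clock drift instead. Storing the last accepted step per user is what turns a code from "valid for 30 seconds" into "valid once".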

6. Education

Small business employees may mean well. But good intentions mean nothing without training and access to clear security policies. Staff need to know how to access network resources safely and how to prevent avoidable cyber-attacks.

Ensure staff are aware of phishing risks, and focus on the dangers associated with unsolicited email attachments. Business phishing is becoming increasingly sophisticated. All network users must be aware of how to detect malicious messages.

It also helps to train staff to use access controls safely. Explain why multi-factor authentication exists and how authentication systems work. Write clear policies explaining the security obligations of employees. And include details about how to change security settings via secure channels. Store your security policies centrally, and make them freely available to all network users.

7. Remote access

Remote access allows workers to move around their sales region while staying in touch with their central office. It makes life easier for employees who need to be at home to care for children. And remote work is an appealing feature for new hires.

The problem is that remote access can be insecure. Small businesses need clear security policies for remote access. Security measures should include:

  • User access via Virtual Private Networks or secure remote access software.

  • Denial of access from insecure public WiFi networks.

  • Automated delivery of up-to-date antivirus and DLP tools to remote workstations.

  • Central approval of all remote work devices.

  • IP allowlists and adaptive access controls to block unapproved devices.

  • Training to enforce password hygiene and anti-phishing knowledge.

  • Mandatory reporting of lost devices. Automated removal of access rights for users affected by device theft.
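Several of the bullets above (central device approval, IP allowlists, adaptive access controls, and removing access after a device is reported lost) combine naturally into one policy decision per connection attempt. The following is an added example, not NordLayer's product code: the allowlisted networks, the device inventory and the connection attempts are constructed (the addresses come from RFC 5737 documentation ranges), and the rule that an approved device on an unfamiliar network is asked for MFA rather than blocked is an assumed adaptive policy.

```python
"""Remote-access policy gate: lost-device list, device approval, IP allowlist,
and an adaptive step-up when an approved device connects from an unknown network.

Added example, not NordLayer's product code. Networks, device inventory and
attempts are constructed; the step-up rule is an assumption.
"""
import ipaddress

# Office egress range and a partner's fixed address (constructed, RFC 5737 space).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]
# Centrally approved devices and their assigned owners (constructed).
APPROVED_DEVICES = {"laptop-0042": "alice", "laptop-0077": "bob"}
# Devices reported lost or stolen: their access is removed immediately.
REPORTED_LOST = {"laptop-0077"}


def ip_allowed(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ALLOWED_NETWORKS)


def evaluate(user, device_id, source_ip):
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'."""
    if device_id in REPORTED_LOST:
        return "deny", "device reported lost"
    owner = APPROVED_DEVICES.get(device_id)
    if owner is None:
        return "deny", "device not approved"
    if owner != user:
        return "deny", "device assigned to another user"
    if not ip_allowed(source_ip):
        # Approved device on an unfamiliar network (home, hotel): require MFA
        # instead of blocking outright (assumed adaptive rule).
        return "step_up", "source IP outside allowlist"
    return "allow", "approved device on allowlisted network"


def triage(attempts):
    """Apply the policy to a batch and collect the alerts an admin should see."""
    results, alerts = [], []
    for user, device_id, source_ip in attempts:
        decision, reason = evaluate(user, device_id, source_ip)
        results.append((user, device_id, decision))
        if decision == "deny":
            alerts.append(f"{user} from {source_ip}: {reason} ({device_id})")
    return results, alerts


if __name__ == "__main__":
    # Constructed connection attempts: (user, device id, source address).
    attempts = [
        ("alice", "laptop-0042", "203.0.113.25"),    # allow
        ("alice", "laptop-0042", "192.0.2.7"),       # step_up: home network
        ("bob", "laptop-0077", "203.0.113.25"),      # deny: reported lost
        ("unknown-user", "laptop-9999", "198.51.100.10"),   # deny: not approved
    ]
    results, alerts = triage(attempts)
    for row in results:
        print(row)
    print("alerts:", alerts)
```

The order of the checks matters: the lost-device list is consulted first so that a stolen laptop is refused even if it is still in the approved inventory and sitting on an allowlisted network.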

8. Strong passwords

Companies often invest huge sums in threat detection systems and encryption. But if employees use weak passwords, these efforts will have little effect. Enforcing a strong password policy is essential when defending critical resources.

  • Make password hygiene a core part of your security training procedures.

  • Require strong passwords with a mix of lower and upper case letters, as well as non-alphabetic characters.

  • Enforce mandatory password changes. Users should change passwords at least quarterly to protect against credential thefts.

  • Source a secure password manager to automate password management. Make this available to all network users.
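The composition rules above (lower case, upper case, non-alphabetic characters) can be enforced at the point where a password is set, and the same check can screen out passwords known to have leaked. The following is an added example, not NordLayer's code: the 12-character minimum is an assumption (the article states no length), the breached-password sample is a constructed stand-in for a real corpus, and the generator stands in for what a password manager does when it creates a credential.

```python
"""Password policy check for the rules above, plus a generator a password
manager would use. Added example, not NordLayer's code; the minimum length
is assumed and the breached-password sample is constructed.
"""
import hashlib
import re
import secrets
import string

MIN_LENGTH = 12   # assumed; the article does not state a length

# Constructed stand-in for a breached-password corpus, kept as SHA-1 digests so
# the plaintexts never sit in the policy file. Assumption: a real deployment
# would check against a full corpus rather than four entries.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1!", "Welcome2023!", "Summer2022!", "Company123!")
}

# (rule name reported on failure, predicate that must hold)
RULES = [
    ("too_short",    lambda pw: len(pw) >= MIN_LENGTH),
    ("no_lowercase", lambda pw: re.search(r"[a-z]", pw) is not None),
    ("no_uppercase", lambda pw: re.search(r"[A-Z]", pw) is not None),
    ("no_nonalpha",  lambda pw: re.search(r"[^A-Za-z]", pw) is not None),
    ("breached",     lambda pw: hashlib.sha1(pw.encode()).hexdigest() not in BREACHED_SHA1),
]


def check_password(pw):
    """Return the names of every rule the password fails (empty list = acceptable)."""
    return [name for name, ok in RULES if not ok(pw)]


def generate_password(length=20):
    """Random password from the OS CSPRNG; retried until it satisfies the policy."""
    length = max(length, MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Password1!", "correcthorsebatterystaple", "Tr0ub4dor&3-Wildcat"):
        print(repr(sample), "->", check_password(sample) or "ok")
    print("generated:", generate_password())
```

Note that `Password1!` satisfies all three composition rules and still fails: it is short and it is on the breached list. Composition rules alone are not a strength measure, which is why the breached-list check is worth more than the character-class checks.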

9. Engaging with cybersecurity professionals

SMBs usually don’t have sufficient resources to hire an IT security team. But they still need access to cutting-edge threat intelligence and advice when securing their networks. Enlisting the help of cyber security professionals is a good alternative strategy.

Businesses can commission security companies to carry out penetration testing and audit existing security systems.

Government agencies can also help. For example, the Federal Communications Commission (FCC) assists small businesses with resources such as the Small Biz Cyber Planner, which lets you organize milestones and covers the most important cybersecurity themes.

10. Regularly updating software and systems

Cyber-attackers routinely use exploits in unpatched software to force access to small business networks. It’s vital to deliver patches as soon as they become available. Delays expose your network to attack, resulting in data leaks before you have a chance to respond.

  • Automate updates on all network applications and devices. This includes servers, routers, and hardware firewalls (if you use one).

  • Audit software updates at least once a year. Apply any patches missed by automated delivery systems.

  • Regularly consult threat databases to stay aware of current exploits. Remember to check for exploits affecting SaaS services as well as on-premises applications.

11. Managing vendor and third-party risks

Small businesses rarely work alone. They depend on partnerships with suppliers, maintenance professionals, freelancers, and security experts. But not all companies manage third-party risks effectively.

When choosing third parties to work with, assess potential partners carefully. They should have clear security policies, including information about data collection and sharing. And potential partners should be happy to adapt to your access management practices.

Treat third-party accounts just like employee accounts. Add them to centralized access management systems, and limit their privileges to prevent access to confidential data. Make sure employees gain approval for all third-party access, including non-human API credentials associated with cloud services.

How can NordLayer help?

NordLayer is the ideal cybersecurity partner for small businesses. We offer a range of services that will help you tick off the boxes in your cybersecurity checklist. And our solutions can adapt to suit almost any SMB.

  • IP allowlisting makes it easier to limit employee access and block unapproved addresses.

  • Our Cloud VPN lets users connect securely from homes or public locations.

  • IAM systems authenticate access requests and provide users with privileges matching their roles.

  • Device Posture Checks assess remote work devices and highlight vulnerabilities. And admins receive instant alerts about connections from unknown devices.

With the right technology and expert assistance, SMBs can protect data, block malware, and avoid damaging data breaches. Get in touch with NordLayer today. Together we'll find a way to solve your cybersecurity concerns.


Can small businesses be targeted by ransomware attacks?

Yes, they can. Small businesses often fall victim to ransomware attacks. Stats from the UK suggest that a quarter of SMBs suffer ransomware attacks annually, while around 50% of targets pay their attackers.

Ransomware attacks can be more damaging for small businesses than established corporations. Small enterprises work on tight margins. The cost of paying ransoms may be ruinous. And they are also sensitive to reputational damage. Putting customer data at risk with poor security practices will hurt any company’s prospects.

How often should I update my passwords?

Small business employees should update their passwords every three months (or once per quarter). Users should change their password if the organization suffers a cyber-attack. And administrative users should change their passwords more often than low-level users.
