Cybersecurity best practices for small to mid-sized businesses

With SMBs increasingly at risk from cyberattacks, we offer tips and strategies that business leaders can use to protect their company

It’s tempting to think that cybersecurity is something for larger organizations, but small and mid-sized businesses (SMBs) should be careful not to fall into the trap of thinking that they are too small to be noticed by attackers. Hiscox's Cyber Readiness Report 2019 revealed that the number of small and mid-sized businesses reporting at least one attack has continued to rise year-over-year, reaching 47% for those with fewer than 50 employees and 63% for those with 50 to 250 staff members.

October is Cybersecurity Awareness Month, and there's never been a better time to become more educated about business protection and how to stay safe from complex breaches. 

Why do small businesses need cybersecurity?

It is common knowledge that small businesses are often run on very limited resources. This can mean that they feel there isn’t the time or budget available to prioritize security measures to the same degree as day-to-day operations. As a result, security becomes part of somebody’s job rather than a dedicated role, training and software fall out of date, and ultimately data security becomes an afterthought.

To solve this problem, small businesses need to ensure that cybersecurity is treated as a high priority in the same way that physical security of the office space is regarded. To do this, it is key that best practices are defined and regularly updated in a small business cybersecurity plan.

Improving security doesn’t necessarily mean huge expenses, but it does require a company’s focus to avoid becoming the next victim of a cyberattack. With cybersecurity best practices, small and mid-sized businesses can improve both their protection and the company culture around the importance and implementation of effective security measures.

What are the best practices for small business security?

Create policy documents

To ensure that cybersecurity policies become part of your business’ culture, they should be thoroughly documented, and supported with schedules and checklists to make sure that the new processes are implemented, and staff are aware of their responsibilities. We’ve previously created a cybersecurity policy template to get you started.

Review access permissions

A simple but effective measure is to restrict access to shared files and business applications to the people who need it for their work, and to revoke it as soon as it is no longer required (the principle of least privilege). This minimizes the number of possible routes to sensitive data. Nobody should have blanket admin privileges solely on the basis of seniority: admin rights should be tied to a specific administrative task, and day-to-day work should be done from a standard account.

You should also set up a process for revoking access as soon as an employee leaves or a contract with a freelancer or other third party ends, and review who has access to what on a regular schedule, since accounts that nobody remembers are a common route in.
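The access review described above can be made routine by reconciling every account that holds access against the HR roster. The script below is an added example, not code from the original article or from Avast; the people, systems and role-to-admin mapping are constructed sample data, and a real run would export the roster from the HR system and the account list from each application or directory.

```python
"""Access review: reconcile accounts that hold access against the HR roster.

Added example, not from the original article. ROSTER, ACCOUNTS and
ADMIN_ALLOWED are constructed sample data (hypothetical people and systems).
"""
from datetime import date

# Who the business says is here. 'end' is the contract end date for
# contractors, or the leaving date for people who have left.
ROSTER = {
    "alice": {"status": "active", "role": "finance", "end": None},
    "bob": {"status": "left", "role": "sales", "end": date(2020, 8, 31)},
    "carol": {"status": "contractor", "role": "design", "end": date(2020, 9, 15)},
    "dave": {"status": "active", "role": "it", "end": None},
}

# Accounts as exported from each system, with the privilege level granted.
ACCOUNTS = [
    {"user": "alice", "system": "accounting", "admin": False},
    {"user": "bob", "system": "crm", "admin": False},
    {"user": "carol", "system": "fileshare", "admin": False},
    {"user": "dave", "system": "fileshare", "admin": True},
    {"user": "erin", "system": "crm", "admin": True},        # nobody on the roster
    {"user": "alice", "system": "fileshare", "admin": True},  # admin outside her role
]

# Which roles legitimately hold admin on which systems (least privilege).
ADMIN_ALLOWED = {
    "fileshare": {"it"},
    "crm": {"it"},
    "accounting": {"it", "finance"},
}

REVIEW_DATE = date(2020, 10, 1)  # the day the review is run (sample value)


def review_access(roster, accounts, today):
    """Return (user, system, reason) findings for accounts that should be
    revoked or reduced. Reasons: 'orphaned' (no roster entry), 'leaver',
    'contract_expired', 'excess_admin' (admin rights the role does not need)."""
    findings = []
    for acct in accounts:
        user, system = acct["user"], acct["system"]
        person = roster.get(user)
        if person is None:
            findings.append((user, system, "orphaned"))
            continue
        if person["status"] == "left":
            findings.append((user, system, "leaver"))
            continue
        end = person["end"]
        if end is not None and end < today:
            findings.append((user, system, "contract_expired"))
            continue
        if acct["admin"] and person["role"] not in ADMIN_ALLOWED.get(system, set()):
            findings.append((user, system, "excess_admin"))
    return findings


if __name__ == "__main__":
    for user, system, reason in review_access(ROSTER, ACCOUNTS, REVIEW_DATE):
        print(f"{reason:17} {user:8} on {system}")
```

Run on the sample data, the review flags Bob’s CRM account (he has left), Carol’s fileshare account (contract ended), Erin’s CRM admin account (no roster entry at all) and Alice’s admin rights on the fileshare (her finance role does not need them), while Dave’s IT admin account and Alice’s accounting access pass. The output is a revocation list, which is the artefact the policy should require someone to act on.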

Back up your data

‘Back up your data’ is now as common a mantra as ‘use a strong password.’ It is especially important for small businesses that want to survive a ransomware attack, in which the attacker encrypts the victim’s data (and, increasingly, steals a copy first and threatens to publish it) and demands payment for the decryption key. There is no guarantee that paying will return the data in a usable state, so a business without backups can end up paying both a ransom and for downtime it cannot afford.

Comprehensive backups avoid this dilemma: data can be recovered without dealing with the attacker, minimizing financial and reputational damage and the stress on employees. Two conditions matter. At least one copy must be kept where ransomware running on the network cannot reach it (offline, or on storage the attacker cannot overwrite), because ransomware targets connected backups too. And restores must be tested regularly, since a backup that has never been restored is an assumption rather than a safeguard.

Cloud services are a popular option for backups. The cloud makes documents accessible from anywhere, and the provider’s security is likely to be more sophisticated than what a small business can run itself, making it an affordable way to improve data protection. Note that a synced cloud drive on its own is not a backup: if files on a laptop are encrypted by ransomware, the encrypted versions sync up just as faithfully. Use a service that keeps file version history or separate point-in-time snapshots, and check that you can roll back.
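One way to make “test your backups” concrete is to record a manifest of file hashes when a backup is taken and verify the copy against it before relying on it. The script below is an added example, not code from the original article or from Avast; it builds a small backup set in a temporary directory with constructed sample files, then simulates ransomware touching the copy, so it runs offline. In practice the manifest would be stored with the offline copy and checked after every restore test.

```python
"""Backup integrity check: hash manifest at backup time, verify before restore.

Added example, not from the original article. The backup set and the
'attack' on it are constructed inside a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy against its manifest.

    Returns lists of relative paths under four keys:
      ok         - unchanged
      modified   - hash differs (corruption, or encryption by ransomware)
      missing    - listed in the manifest but gone from the copy
      unexpected - present in the copy but not in the manifest (e.g. a ransom note)
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Create a sample backup set, take its manifest, tamper with the copy the
    way ransomware would, and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices").mkdir()
        (root / "invoices" / "2020-09.csv").write_text("id,amount\n1,100\n")
        (root / "payroll.xlsx").write_bytes(b"\x50\x4b\x03\x04 sample payroll data")
        (root / "readme.txt").write_text("quarterly backup\n")
        manifest = build_manifest(root)

        # Simulated attack on the backup copy: one file encrypted in place
        # (replaced with random bytes), one deleted, and a ransom note dropped.
        (root / "payroll.xlsx").write_bytes(os.urandom(32))
        (root / "readme.txt").unlink()
        (root / "README_DECRYPT.txt").write_text("pay us\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:10} {paths}")
```

A clean copy reports everything under `ok`; the simulated attack instead reports `payroll.xlsx` as modified, `readme.txt` as missing and the dropped note as unexpected, which is exactly the signal you want before restoring from that copy rather than after.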

Consider BYOD and remote working risks

Adding points of entry to a network increases the potential risk of a breach, simply because there are more angles for cybercriminals to exploit. With that in mind, trends toward non-traditional office working could be seen as a concern - though it is important to note that remote work has been increasing for many years. 

Avast Business’ Mobile Workforce Report 2018 demonstrated that staff felt working from home increased productivity and reduced stress to the point that 52% of small business staff said they would prefer to take a pay cut than be restricted to an office.

This problem has become more immediate with the sudden increase in remote working due to COVID-19. With the majority of office workers working from home, personal devices and WiFi are now integral to the modern work environment, allowing staff to complete tasks beyond the bounds of a traditional working day. 

So how can this balance between increased risk and the prevalence of personal devices and remote working be found? The simple answer is setting out clear guidance on the use of personal devices. A ‘Bring Your Own Device’ (BYOD) policy should be included in your data security best practices, ensuring that all employees are required to maintain a high level of security on any device that accesses the company’s documents and network - from installing security software and applying patches as soon as they are available, to keeping the device encrypted and locked when unattended so that a lost laptop or phone does not become a data breach.

Training and education

Including guidance in documentation is one thing, but for it to become ingrained as a part of the day-to-day, training and education are vital. In a small business, responsibilities are often shared, and the same has to be true of security if it is to remain effective. Anyone with an account or device connected to the network needs to be trained to a level where everybody is familiar with security policies and how to implement best practices.

Staff training

Employees will have varying backgrounds and levels of ability when it comes to technology. To avoid creating security vulnerabilities, all staff members should know how to update their devices, recognize phishing attempts, and know the procedures for flagging concerns.

Employees should also agree to abide by the policies and, in return, employers should ensure that training is updated regularly to reflect the evolution of cybersecurity. These policies should be explained clearly and transparently, especially if they regard the use of personal devices.

Password protection

Nobody enjoys changing passwords, but strong, unique passwords are crucial to improving security. Of all the advice on choosing them, the fundamental rule is never to reuse a password across accounts. It may be easier to remember, but the moment one service is breached, attackers will try that same password against every other account that shares it. A password manager balances convenience and security: it generates and stores a long, random password for every account and can replace a password when the service it belongs to has been breached, so the user only has to remember one master password and the business’s exposure to any single breach is contained.

Increasingly common with banks, online shops, and social media is two-factor authentication (2FA). This extra layer of security requires the user both to know the password and to provide a one-time code that verifies the login attempt is legitimate. The code is generated by an authenticator app or hardware security key, or, less securely, sent by text or email; codes sent by SMS can be intercepted through SIM-swap fraud, so prefer an app or key where the service supports it. Staff should be encouraged to enable 2FA on any service that provides it, starting with email, since an email account can reset the passwords of everything else.

It costs nothing and is a very simple way to boost security. Training and implementation will also be swift, as many staff are likely to be familiar with this feature on their personal accounts.

Software and tools

With a wide variety of security tools available, it can be hard to identify which are essential and worthy of investment, and those which are not. So, aside from password managers and cloud backups mentioned above, which other tools can make a big difference to your small or medium business?


Virtual Private Networks (VPNs) are an increasingly common security measure, for home users as well as businesses. A VPN creates an encrypted ‘tunnel’ between the device and the VPN endpoint, so traffic cannot be read or tampered with by anyone on the network in between (a home router or public Wi-Fi, for example), and the remote end sees the VPN’s address rather than the user’s. For remote workers this means company systems can be reached without exposing them directly to the internet. Once installed, a VPN is often as simple to activate as flicking a switch. It protects data in transit only: it does nothing against malware already on the device or a phishing email that the user opens.

A firewall is a vital first line of defense. It filters traffic entering and leaving a network or device according to rules, blocking connections that have no business reason to exist; the default for inbound traffic should be to deny everything and allow only the specific services that need to be reachable. Firewalls can be deployed at the network perimeter and on each individual device, and an enabled host firewall should be a requirement of BYOD or remote working policies for any device connecting to the business network.

Anti-Malware Software

Due to their notoriety, many people assume that phishing emails are easy to identify. In reality, phishing attacks are still common and are getting more sophisticated. So, alongside staff training, anti-malware software at network and device levels remains essential to minimize the impact of human error.

Install updates

Software can only ever be at its most effective if it is regularly updated to account for new vulnerabilities or types of attack. Ensuring every device - from printers and laptops to smart phones - has the latest patches and updates applied could be a daunting task for a large enterprise, but is very achievable in a small or mid-sized business.

Shared infrastructure, like servers, should be updated by the staff who manage IT security as part of their role, while other employees should be responsible for their own devices, and automatic updates should be turned on wherever the software offers them so that a patch does not wait on someone remembering to apply it. Enforcing this responsibility through training and the company security policy can ensure that known software vulnerabilities do not result in a preventable breach.

Build a holistic security structure

Once you implement these security best practices into your business, the work has only just begun. Ensuring buy-in for every employee will bring security awareness into daily consideration and become part of your company culture, which is crucial for improving security and giving you ultimate peace of mind.

Cyberattacks are evolving continuously, which means that security solutions must keep pace to remain effective. Knowledge around the latest attacks and resulting security measures is vital for your team’s understanding and security, but with little time to spare, business owners are rarely in a position to become cybersecurity experts in their own right. This makes choosing the correct software all the more important. While free security tools can perform rudimentary scans, they will not have the resources to continuously monitor for new threats and vulnerabilities. Instead, look into paid services as an affordable way to ensure your network’s security is always up to date.

Combining new processes, regular training, and software updates for the latest threats will require work, but the resulting holistic strategy can make significant improvements to your business security.

Get Small Office Protection for your workplace

Avast Small Office Protection delivers complete next-gen online security for small businesses that want to keep their devices and data protected against the latest cyberthreats. It provides robust, real-time protection that’s easy to install, cost-effective, and reliable - so you can focus on running your business with confidence and peace of mind. Get 20% off Small Office Protection during Cybersecurity Awareness Month! Click here for complete details and to download. 
