Employee benefits and retirement plan solutions Trends and Insights Cybersecurity: 6 steps for small business

Cybersecurity: 6 steps for small business

Businesses of every size can improve their cybersecurity incrementally, without spending a fortune. Just one stronger password can make a difference. 

Person logging into a laptop using a two-factor authentication app.
3 min read |

Small business owners often face the same burn of a cybersecurity breach without as many resources. It can be tough to know how to prepare and where to fortify your defenses.

The Principal Financial Well-Being IndexSM finds that smaller businesses (under 500 employees) are half as likely as larger businesses to employ somebody whose sole focus is cybersecurity. Yet the 32.5 million small businesses in the United States make up 99.9% of all businesses and employ 46.8% of workers.1

More than half of small businesses say they either don’t have or are uncertain if they have a plan for recovering from cybertheft.

That lack of clarity could be costly: 43% of all cyberattacks are aimed at small businesses at an average cost of $200,000. Even worse: 60% of those targeted go out of business within six months of a successful attack.

In many ways these companies represent the front lines of improved national cybersecurity. We’re seeing progress, with just over half of all businesses spending more money and resources on cybersecurity in 2021 compared to the previous year—23% of them significantly more.2

Even businesses without budget to spend on a cybersecurity boost can pursue many of the following practical strategies.

Watch our webinar on cybersecurity for small businesses.

1. Strengthen passwords and add multi-factor authentication.

Eighty-five percent of data breaches involve human behavior, and 61% exploit employee credentials such as weak or stolen passwords.3  That’s why the added layer of two-factor authentication or multi-factor authentication can make such a difference.

Principal® sponsored a study on multi-factor authentication conducted by the Cyber Readiness Institute (CRI) that found only 46% of small business owners using it and even fewer, 13%, requiring it for most account or application access.

Business leaders can make progress by implementing multi-factor authentication and encouraging employees to choose more complex passwords—phrases rather than words, with a mix of letters, numbers, and punctuation.

Share this article with your employees: “5 ways to protect your online information.”

2. Hire a third-party cybersecurity expert.

More than one-fourth of businesses with fewer than 500 employees outsource their cybersecurity needs to a third party.4  But it’s not always easy to choose the firm that may best serve your business. Start with research to understand the different types of cybersecurity firms (from basic IT to more complex work led by virtual chief information officers) and determine the right level of outside support.

3. Name an internal cyber leader.

With or without the benefit of external cybersecurity expertise, identify a “cyber leader” within the organization. CRI says that every business needs somebody who “builds a culture of security and ensures associated safeguards are implemented with the support of senior management.”

Get started with CRI’s Cyber Leader Certification Program.

4. Create a cybersecurity incident response plan.

Do employees know how to respond to a cyberattack before it strikes? According to CRI, a good cybersecurity incident response plan outlines: 

1. a timeline for preparation (with milestones for regular reevaluation), 
2. the immediate response to a strike, and 
3. steps to rapid recovery that preserve business continuity and restore valuable data. 

Learn better incident response for your business through CRI’s Cyber Readiness Program.

5. Hold regular cybersecurity drills.

Like a fire safety drill, test your business on how it would respond to a cyberattack in real time to flesh out and assess your incident response plan. This helps employees identify their most useful roles and responsibilities in cyber defense—prior to the panic of a true emergency. 

The federal government’s Cybersecurity & Infrastructure Security Agency conducts cyber range training that may offer a template for business drills.

6. Make software updates a habit.

Sudden recognition of the widespread Log4j vulnerability in 2021 reminded cyber experts and businesses alike to keep software up to date to help protect data and operations from trending threats. Regular updates are a core CRI principle of good cyber hygiene and security. Seek out and install timely software patches from trusted vendors.


What’s next?