Complete Guide: Cyber Risk Management for Small Businesses

Cyber attacks are more rampant than ever in the age of connectivity where creating, sending, and receiving data is instantaneous. The cost of cybercrimes is catastrophic, but small to medium businesses suffer the most.

According to the US Small Business Administration survey, small businesses cannot afford cyber defense compared to their enterprise counterparts, which ultimately makes them more vulnerable. They have more assets than individuals, but less security because they do not have enough of a budget to implement professional cybersecurity measures.

This guide aims to help small businesses with efficient cybersecurity tips as well as provide helpful resources and other pertinent information.

  • More than 40% of cybersecurity attacks prey on small businesses.
  • More than 50% of small- to mid-sized businesses that were hacked permanently stop operations within six months.
  • The cost and damage of cybercrime in 2018 is estimated to be more than $2.6 billion.
  • Projected damages from cyber attacks are estimated to reach $6 trillion by 2021.
  • On average, an internet-connected computer in the US is attacked every 39 seconds.
  • More than 70% of organizations are ill-prepared for cyberattacks with little to no incident response plan.

A cyber attack is a malicious attempt by cybercriminals to expose, alter, steal, destroy, gain, or disable targeted data or information systems. Cyber attacks can happen anywhere in the United States and around the world.

  1. Advanced Persistent Threats (APT) - A targeted attack in which an intruder gains access to a system or network and remains undetected for an extended period in order to harvest highly sensitive data.
  2. Distributed Denial of Service (DDoS) - An attack that uses many compromised machines to flood a server, network, or service with traffic, exhausting its bandwidth or resources so that legitimate users cannot reach it.
  3. Inside Attack - An attack initiated by an insider, or another entity with authorized access to system resources, who misuses that access to expose information in a way that breaches the trust the organization placed in them.
  4. Malware - Short for malicious software; software designed to infiltrate computers and systems with the intent to cause damage.
  5. Man in the Middle Attack (MitM) - Also called a hijack attack; the intruder positions themselves between two communicating parties in real time so they can read or alter the session and exploit the transactions, data transfers, or conversation passing through it.
  6. Password Attack - An attack in which a third party gains access to a website or system by obtaining the user's password, whether by guessing it outright, by social engineering, or by exploiting insecure websites that expose unencrypted passwords.
  7. Phishing - The practice of sending fraudulent emails disguised to appear to come from trusted sources in order to obtain personal information such as credit card numbers, passwords, and social security numbers.
  8. Ransomware - A type of malware that denies users access to a computer system or set of files until the victim pays a ransom.
  9. SQL Injection Attack - A code injection technique that feeds malicious SQL statements to an application in order to read, extract, or modify data in its database.
  10. Virus - A type of malware that, when executed, infects other programs and applications and replicates itself, altering the way the system works or stopping it from working permanently.
  11. Zero-Day Attack - A zero-day is a recently discovered software vulnerability that has not yet been fixed, leaving a security flaw in programs and systems. Attackers exploit this hole to compromise targeted systems, data, or an entire network.

There are plenty of online resources and tools to help small businesses create efficient cybersecurity plans according to their needs.

Cyber Risk Management Best Practices

With new threats appearing every day, failing to secure data and information is harmful not only to smaller businesses but to their clients as well. Data breaches expose personal information and leave the affected individuals at risk of identity theft and other harm.

Companies are urged to prioritize cybersecurity awareness and prevention. Here are some security best practices:

  1. Train Employees About Good Cyber Hygiene

    1. Phishing email awareness and password strength
      1. Recognize phishing scams

        Train employees to recognize messages sent from public email domains. Make it routine to check email addresses for misspelled domain names, grammatical and spelling mistakes as well as suspicious attachments or links.

      2. Turn on two-step verification

        Use complex passwords to keep accounts and personal information safe from cybercriminals. Enabling two-factor authentication provides an additional layer of defense.

    2. Use the right tools

      The right tools for the job exist, and they are necessary for maintaining good cyber hygiene. Reputable antivirus and anti-malware software, a network firewall, device encryption software, and similar programs help protect sensitive data, or securely erase it from the hard drive when it is no longer needed.

      Update software such as apps, web browsers, and operating systems regularly to fix known flaws and ensure computers have the latest protections. Get in the habit of clearing out files that are no longer needed.

    3. Establish an incident response report

      Keep a checklist for the cyber security incident response plan and report so that all the bases are covered when an attack happens. These incidents can affect every part of an organization, so the plan should include all areas: HR, customer service, finance, legal, suppliers, partners, local authorities, and other related entities.

  2. Protecting Sensitive Information

    Small- and medium-sized businesses are the most vulnerable when it comes to cybersecurity because the costs for implementing proper defenses are high. Security breaches are damaging to everyone, but small businesses tend to suffer more because they are more likely to pay a ransom for hacked data.

    1. Secure networks

      Find vulnerabilities by conducting a network audit. It identifies issues and evaluates the health and security of software, apps, and servers. Physically secure the router out of anyone's reach, and replace the default network name and login credentials with your own.

    2. Develop a data backup strategy

      Create a comprehensive media management program by understanding backup lifecycles. Authorize select employees like managers to prepare data for transfer and backup.

    3. Secure payment processing

      Reputable secure payment gateways not only safely process payments online, but they also provide reassurance and peace of mind to clients. It is better to defer to established payment platforms because their payment processing is already trusted by thousands, if not millions, of merchants.

    4. Data destruction and sanitization

      Reduce the risk of identity theft and data compromise by minimizing the amount of sensitive data stored on the network. When personally identifiable information is no longer needed for business purposes, securely delete the files. Normal file deletion is insufficient, because the data remains recoverable from the disk.

  3. When Data Is Compromised

    An incident response plan (IRP) should be in place at all times, but especially for events like security breaches. As soon as the breach has been identified, the assigned incident response team (IRT) should convene. Roles and responsibilities should be clearly defined to minimize confusion. The IRP should determine who has the authority to declare an incident and invoke the needed parties.

    1. Post-data breach response

      An action item checklist helps keep the team on the same page. The key actions should include:

      1. Noting the date and time when the breach happened
      2. Securing the perimeter around the equipment, systems, or rooms involved in the breach
      3. Investigating the persons involved
      4. Taking inventory of resources and assets
      5. Preparing public statements
      6. Performing the other actions detailed in the IRP

    2. Strategies to survive future cyber attacks

      There is no better strategy than planning. It is important to have the IRP in place before any emergencies arise. Internal and external elements for planning ahead may include:

      1. Risk assessment
      2. Forensics
      3. Legal counsel
      4. Cyber insurance
      5. Backups
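As an added illustration of the phishing-recognition advice in the training section above (example code written for this guide, not from the original page or any cited source), the following Python check applies the same two rules to an email From: header: is the sender a public webmail domain, and does the sender's domain look like a misspelling or look-alike of a domain the business trusts? The trusted and public domain lists, the homoglyph table, and the similarity threshold are constructed assumptions to be adjusted for a real business.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (assumption): domains this business really corresponds with,
# and free webmail providers that a genuine vendor or bank would rarely use for business mail.
TRUSTED_DOMAINS = {"examplebank.com", "ourcompany.com", "supplier-co.com"}
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Character substitutions commonly used in look-alike domains. This is a heuristic:
# a legitimate domain containing "rn" is also folded to "m" and may produce a warning.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

SIMILARITY_THRESHOLD = 0.85  # tuning assumption; 1.0 means identical after folding

# Matches the domain part of 'user@host' or 'Name <user@host>' at the end of the header.
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")


def sender_domain(from_header):
    """Return the lower-cased domain of a From: header value, or None if it cannot be parsed."""
    m = DOMAIN_RE.search(from_header.strip())
    return m.group(1).lower() if m else None


def fold_homoglyphs(domain):
    """Map look-alike characters to the letters they imitate (e.g. 'exarnp1e' -> 'example')."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def check_sender(from_header):
    """Return a list of warnings for one From: header: public webmail domain,
    or a domain resembling one the business trusts. An empty list means no concern."""
    domain = sender_domain(from_header)
    if domain is None:
        return ["could not parse sender address"]
    if domain in TRUSTED_DOMAINS:
        return []  # exact match with a known-good domain
    warnings = []
    if domain in PUBLIC_DOMAINS:
        warnings.append(f"sent from public email domain {domain}")
    folded = fold_homoglyphs(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        ratio = SequenceMatcher(None, folded, trusted).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            warnings.append(f"{domain} resembles trusted domain {trusted} (similarity {ratio:.2f})")
    return warnings
```

Run `check_sender("Bank Billing <billing@exarnp1ebank.com>")` to see the look-alike warning; the check is meant to flag messages for a human to review, not to block mail on its own.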

Training and Events

Cybersecurity best practices are best learned from the experts. Companies with IRPs need training, learning, and development so they can apply the latest risk management and cybersecurity strategies.


Downloadable Resources

This document provides a detailed description of a Cyber Resilience Review (CRR) with explanations on how to conduct a CRR self-assessment.

This package contains the fillable CRR self-assessment form and report generator.

This document contains CRR self-assessment questions with guides on how to answer them.

This guide contains additional information regarding the self-assessment process.

References

(n.d.). Stay safe from cybersecurity threats - Small Business .... Retrieved July 6, 2020, from

(2007, February 9). Study: Hackers Attack Every 39 Seconds | A. James Clark .... Retrieved July 6, 2020, from

(2019, July 16). Cyber-Attacks By the Numbers | Iowa Communications Network. Retrieved July 6, 2020, from

(2018, February 7). Small and Medium Business Resources | NIST. Retrieved July 6, 2020, from