The Small Business Guide to Cybersecurity

March 02, 2021
CCB_CommunityHero_026221_SMB Cybersecurity Playbook-With Text

Small businesses don’t have big-business cybersecurity resources, but they still face the same threats. Fortunately, through education, technology, and best practices, small businesses have the tools at their disposal to help protect their businesses, employees, and customers from an ever-changing array of cybersecurity threats. In this practical guide, we’ll explore user education, threat monitoring and mitigation, device management and incident responses, with clear takeaways to help you improve security across your business.

User education

When hackers succeed, it’s often because they targeted unsuspecting end users. Well over half of the breaches that happen in the US, in fact, involve company insiders – either intentionally or accidentally. Keeping employees trained on current threats is one of your strongest lines of defense against cybersecurity risks.


of small business owners who suffered a breach attributed it to human error.

Source: Shred-it, 2019
  • Conduct training on a regular basis. Threats evolve over time, so make it a regular practice to formally train employees on online hygiene. If you don’t have anyone on staff, consider bringing in an outside trainer.

  • Show employees what’s in it for them. Good online hygiene doesn’t just protect company information – it protects their personal information, too

  • Start training during onboarding. Make new hires aware of your security policies and best practices from the outset.

  • Share updates in real time. Keep your team in the loop about new threats and encourage employees to report threats or attacks.

Key tips for employees:

  • Beware of suspicious emails
  • Verify purchases
  • Don’t click suspicious links
  • Be careful about the information you share on social media
  • Threat monitoring and mitigation: Threat monitoring tools actively intervene to block malicious threats like malware, ransomware, phishing, and botnet infections. They also block employees and guests from accessing compromised websites and infected links. It’s important to select tools that frequently update to help protect against the newest threats, and cover every connected device on your network.

  • Anti-virus: Anti-virus tools detect and block malicious files, but many only block malware they recognize, based on signatures that have been written into the AV software.

  • Firewalls: Firewalls allow only authorized traffic or content using configured controls, like access denial to IP addresses known to deliver malware. Even if a malicious payload is delivered, firewalls can prevent it from communicating with control and command servers.

Password and device management

Think about all of the connected devices on your business network. From company devices to employee’s personal phones, to guest devices, each of them represents a potentially vulnerable endpoint, and each contains myriad pathways into your network through apps and systems. One weak password, bad password management, or a few errant keystrokes on a suspicious website can invite a breach. Here are key tips.

  • Force employees to change passwords often and use strong passwords. Some experts recommend changing passwords every three months. That way, even if a hacker does access an account or system, their access window is shortened.

  • Use multi-factor authentication. Adding another layer to a log-in process, through an SMS-delivered or emailed code, helps ensure that the person attempting to log in is in fact who they say they are.

  • Leverage a password management solution. Strong passwords are essential, but documenting and remembering them can be a challenge. Password management tools not only generate strong passwords, but store them for easy access.

  • Be careful with external devices like flash drives. Flash drives and other external devices can carry malware that’s loaded onto your device when connected – some even coming from disreputable sources preloaded with malicious programs. If they’re used with multiple devices on your network, infections can spread quickly.

  • Finally, don’t neglect physical security. Lock your device when you aren’t using it, but also ensure storage areas, server rooms, and other locations with sensitive information or devices are secured.

Enact strong policies and practices

Embed a proactive security stance into your company’s DNA. By codifying certain elements of your cybersecurity approach through policy and process, you can ensure that cybersecurity remains an ongoing priority.


of hacks exploit unpatched vulnerabilities

Source: Ponemon Institute, 2019
  • Patch management: Software and system updates often close previous security loopholes. Not updating in a timely fashion can open you up to threats, as hackers become aware of loopholes and try to exploit them. Enact strong patch management policies, or even better, automate software updates

  • Encrypt data where appropriate. All businesses should encrypt any personally identifiable information they collect, as well as any other potentially sensitive information, like company financials or intellectual property.

  • Backup your data. It’s a best practice, but can also help with recovery in the event of a breach or ransomware attack.

  • Use VPNs when accessing sensitive applications remotely. Especially in a remote work setting, virtual private networks allow employees to access company networks and systems through a secure connection.

  • Operate in a zero-trust environment. Zero-trust is a decade-old security model built around the idea that no device or user, either inside or outside an organization, should be trusted inherently. All access is cut off until identities are verified, dismantling the traditional inside-outside view of security: that anything inside the company’s perimeter was safe, and anything outside wasn’t.

Incident response planning

Strong defense capabilities are essential, but no defense is ironclad. It’s essential to not only mount defenses, but to prepare a detailed plan outlining what to do if you do find yourself the victim of a cyber attack.

  • Designate cross-functional team members who should respond in the event of a breach, or have a cybersecurity consultant or contractor easily accessible to assist.

  • Clarify roles: For an in-house response team, ensure each member knows their roles and responsibilities in the event of a breach. Jobs would include identifying and isolating affected systems and devices, diagnosing how far an infection has spread, and more. Ensure that team members have the access and authority they need to carry out their responsibilities.

  • Define what you consider a security incident. Does an attempted, but unsuccessful, hack count as an attack? Determine the parameters that warrant a coordinated response for your organization

  • Specify procedures. Your plan should be detailed and clear in its prescribed steps for recovery. Include contingencies such as having to resume operations from an alternative location and how to respond if the breach occurs after hours or when response team members are away.

For peace of mind and to help protect against costly malware, ransomware, and bots, small businesses need to implement cybersecurity measures that include anti-virus programs, firewalls, and network security solutions that proactively help protect all devices connected to your network. See how Comcast Business SecurityEdge can help protect the Internet-connected devices that employees and guests use from malware, ransomware, phishing, botnets, and more.

Comcast Business can help.

Download the PDF

Get clear takeaways to help you improve security across your business

This article is available exclusively to
Comcast Business Community Members.

Join the Comcast Business Community to read this article
and get access to all the resources and features on the site.

It's free to sign up

Sign Up

to get our newsletter


Help your business Bounce Forward™

Take on whatever’s next with technology solutions and services to help you Bounce Forward.


to get our newsletter