
7 Helpful Tips to Create a Small Business Cybersecurity Plan


Quick look: October is Cybersecurity Awareness Month, and it’s a great time for organizations to evaluate how they’re safeguarding their data. With nearly half of all breaches affecting SMBs, here’s how to develop a well-rounded small business cybersecurity plan—and how external resources, including a PEO, can help.

Cybersecurity is a concern for organizations of all sizes, as the frequency and scale of cyber incidents continue to rise year after year. And when they occur, these incidents can be devastating for companies that are not adequately prepared, leading to significant disruptions and long-term damage.

Small businesses are no exception and must develop strategies to enhance their data security to protect their employees’ and customers’ data.

October is Cybersecurity Awareness Month

In 2004, President George W. Bush in partnership with the United States Congress declared each October to be Cybersecurity Awareness Month. According to the Cybersecurity & Infrastructure Security Agency (CISA), October is “a dedicated month for the public and private sectors, and tribal communities to work together to raise awareness about the importance of cybersecurity.”

As part of its “Shields Up” initiative, CISA has outlined several tactics organizations can follow to prepare for, respond to, and mitigate the impact of cyberattacks:

  • Reduce the risk of cyber intrusions by validating that all remote and privileged access requires multi-factor authentication, keeping software up to date, implementing strong security controls for cloud services, and more.
  • Quickly detect possible attacks by promptly investigating any unusual network activity and keeping antivirus/antimalware software deployed and current across the organization.
  • Prepare to respond to intrusions by designating a crisis response team, confirming its members are available, and training them thoroughly.
  • Maximize organizational resilience by testing backup and restore procedures and confirming that critical functions remain operable even if the network is disrupted.

SMB cyberattacks at a glance

Unfortunately, being a small business doesn’t mean you’re immune to cyberattacks. In fact, nearly one-third of ransomware breaches in the first quarter of 2024 occurred at organizations with fewer than 100 employees. The same report found that 43% of incidents happened at medium-sized companies with 101 to 1,000 employees.

These attacks are costly for small businesses—according to IBM, the average data breach cost for organizations with fewer than 500 employees is $3.31 million.

Business leaders are noticing and planning according to this trend, with over 80% of small- and medium-sized business (SMB) leaders increasing their year-over-year cybersecurity budgets.

7 steps to create a cybersecurity plan

It’s critical for businesses to protect data, and failing to do so could have serious consequences for organizations. A small employer’s brand could be damaged if it does not handle data securely, which can devastate the company’s future.

Small business leaders can enact a cybersecurity plan by following these seven steps:

1. Get support from leadership

Before designing a cybersecurity plan, it’s essential to educate company leaders and team managers on the seriousness of data security and why a strategy must be implemented.

Cybersecurity safeguards for IT infrastructure often require additional resources. These can be costly up front but are well worth the investment in the long run.

It’s also important to ensure that company leaders take cybersecurity seriously and receive extensive training on what to look for, how to prepare, what to do if a breach occurs, and how to teach their teams about data security.

Involving leaders and managers in the cybersecurity plan can also result in the following benefits:

  • Receiving input and ideas from different perspectives often leads to better strategic solutions.
  • Collaboration can increase cybersecurity awareness throughout the organization, decreasing the likelihood of an incident.
  • This synergy can help manage costs better while implementing and maintaining the plan and can lead to improved business efficiency.

As with any companywide initiative, failing to get leadership buy-in could put even the best cybersecurity plan at risk.

2. Build the right team

Most small employers don’t have an in-house Chief Information Officer (CIO) or team to manage cybersecurity or other compliance-related tasks.

For this reason, leaders from multiple departments and/or various subject matter experts should be involved in strategy planning—not just a single internal or external IT resource.

If additional data security help is needed, small business leaders can add members to their current team or explore external and outsourced solutions that specifically address data and cybersecurity.

Once the company cybersecurity team is in place, undergoing extensive training should be mandatory for all members. After the team is fully prepared, training should be extended to every employee in the company.

3. Set the scope of the cybersecurity assessment

This new team’s first project should involve a cybersecurity/data security risk assessment.

The assessment aims to identify data that is used and created, understand how this data is distributed and maintained, recognize the data security hazards that could affect the organization and/or its customers, and account for legal/contractual obligations regarding this information.

Most risk assessments will identify two distinct types of cybersecurity threats: internal and external. While many business leaders believe that external cyber threats are their biggest concern, almost 70% of breaches involve a non-malicious human element, such as an employee falling victim to a social engineering attack or misconfiguring a system.

Crafting a cybersecurity policy that understands internal threats and has tactics to minimize these risks is essential for employers of all sizes.

Small business leaders also need to identify external risks that can cause a data breach and how to prevent them from occurring. Some of the most common external threats are:

  • Attacks on IT systems and networks (for example, exploitation of unpatched or internet-exposed services)
  • Web application attacks
  • Social engineering, including phishing
  • Compromise of third-party partners and vendors

Another area the assessment should address is physical security. This includes putting safeguards in place that limit who can enter an organization’s facility, installing video surveillance systems, limiting authorization to any areas that contain data or servers, and maintaining access control records for a set amount of time.

4. Decide who will conduct the assessment

Once the cybersecurity team has defined the scope of the risk assessment, leadership must decide who will conduct it: cybersecurity team members or an external organization.

Data security companies often specialize in preventive assessments and can help small employers conduct them. These professionals have ample experience in identifying potential data security vulnerabilities and can offer an outside perspective that highlights areas of risk an internal team may overlook.

Partnering with an external cybersecurity company could be especially valuable for a small business whose initiatives are in their infancy, but even those with established strategies can benefit.

Continuous monitoring and improvement are critical for a modern cybersecurity plan, and third-party firms can periodically re-test the environment against newly emerging attack techniques to identify potential risk areas.

5. Involve legal counsel to obtain attorney-client privilege

Business leaders should involve legal counsel whenever possible as they develop their cybersecurity prevention strategies. Not only will legal counsel be able to ensure all related documents meet legal standards, but small employers may also receive the protection of attorney-client privilege over the advice they receive.

Privilege protects the confidentiality of communications between the business and its attorneys and helps counsel provide the most accurate advice and representation. Note that privilege is not automatic: an assessment report commissioned primarily for business or compliance purposes may be discoverable in later litigation. Where privilege matters, counsel should engage the assessor directly and the engagement should be documented as being for the purpose of obtaining legal advice.

Additionally, legal counsel can be vital in a data breach as they can assist with incident response and help employers navigate this delicate process.

It’s important to note that involving legal counsel is best done in the preventative stage of cybersecurity before an incident occurs. It’s also recommended that legal counsel be included in an Incident Response Team (IRT).

6. Maintain a consistent scope and timeframes

As leadership and cybersecurity teams begin their efforts, they must ensure that the overall strategy and plan remain consistent with the job’s scope and desired completion timeframes.

Creating a new cybersecurity plan is time-consuming and should be kept on schedule and completed within a specified period. That’s why leaders should confirm that the process continuously meets its deadlines and addresses all relevant areas of cybersecurity for the business.

It can be easy for a team to miss deadlines or lose track of the project’s scope, which puts the company and its customers at risk. By creating and sticking to a plan, business leaders can keep their cybersecurity plan moving forward and on schedule for completion.

7. Document all steps and procedures

The last step in building a small business cybersecurity plan is to document each step and procedure.

This documentation helps company leaders, cybersecurity team members, and other employees reference relevant information should a question or concern arise. This leads to less confusion in a situation where time is of the essence.

Additionally, having accurate documentation will help when looking to bring in external individuals (legal counsel, data security organizations, etc.) to assist with planning and assessments.

Another reason to document steps and procedures is so business leaders can look at current policies and identify ways to improve. The best cybersecurity plan continuously monitors for ways to make enhancements and further decrease potential risks.

Clear, easy-to-review records allow small businesses to be better organized and prepared if a document is needed, especially in an emergency.

It’s also useful to have a list of external parties that must be notified in case of an incident and their contact information. These include insurance carriers, regulators, law enforcement, legal counsel, forensic investigators, crisis communications/PR firms, and/or response vendors.

Staying protected is a team effort

Whether it has 10 employees or 10,000, every business has data that must remain secure. A data breach jeopardizes the company and the well-being of its employees and customers. A cyberattack also negatively impacts an organization’s brand image, no matter how positive it was before the incident.

For these reasons, small business leaders must build, review, and continuously improve their cybersecurity plans. Employers should leverage outside help throughout the process, including cybersecurity consultants, legal counsel, and more.

A professional employer organization (PEO) can also help SMBs stay current on compliance requirements. For example, ExtensisHR’s Information Protection Plan (a part of its Employer Protection Plan) ensures a company’s technology platform is monitored and updated with the latest enhancements to cybersecurity, data protection, incident response, operational risk management, controls assurance, client security management, workforce protection, business resilience, third-party management, security testing and analysis, critical incident response team, and awareness training.

Additionally, ExtensisHR offers cyber liability insurance, which covers expenses to defend against damages resulting from your liability to a third party or regulator from a failure in your security, data breach, or privacy violation. This coverage includes costs such as replacing permanently impacted computer systems, restoration of digital assets, breach response, cyber extortion, business interruption, and extra expenses.

A PEO partnership complements internal and external resources to cultivate a well-rounded small business cybersecurity plan. To learn more, explore ExtensisHR’s risk and compliance services or contact us today.
