How to Protect Your Small Business From a Cyberattack

Most SMBs are not fully prepared to defend themselves against a cyberattack. Start with these three areas to build a layered defense and a strong cybersecurity strategy for your business.

This article was written by Joe Galvin, Chief Research Officer at Vistage, a Salesforce partner.

Like a heart attack, a cyberattack can strike at any moment — and cause almost instantaneous damage to your company’s productivity, credibility, financial security, and more. Beyond the trouble, this threat is expensive. According to the National Center for the Middle Market (NCMM) at The Ohio State University Fisher College of Business, hackers cost the global economy a staggering $350 billion each year.

As Chief Research Officer at Vistage, I know that the majority of cyberattacks happen to small and midsize businesses (SMBs). Hackers call these companies “soft targets” because they often lack sufficient security measures and personnel to thwart an attack. Some SMBs don’t back up their files offsite, which makes them vulnerable to ransomware, and many have data that can be leveraged to break into larger companies.

The problem is, most SMBs are not fully prepared to defend themselves against a cyberattack. According to a Q4 2018 Vistage survey, 57% of SMBs don’t have an up-to-date or active cybersecurity strategy. Of the 1,257 CEOs who participated in the survey, only 43% said their company had a cybersecurity strategy in place that was both current and reviewed on a regular basis.

If you fall into that majority, it’s time to mitigate the risk. Start with these three areas for a layered defense and strong cybersecurity strategy for your business.

1. Bring awareness and training to employees

Train your employees to abide by basic security principles, such as using strong passwords, maintaining appropriate internet use, and handling customer information and data with care. Teach them how to spot an attack by using internal phishing simulations. Communicate why this training is important and what’s at stake for the company by making it personal.

Why is training so important? Because 90% of breaches, whether in the form of ransomware, BEC or another type of cyberattack, are caused by employees who fell for a phishing attempt, notes Cynthia James, CEO and principal consultant at Cyberus Security.

“Training users not to fall for phishing is really, really important,” James says. “Once people learn the things they need to do better, they will do them eagerly.”

Our Vistage survey showed that 67% of SMBs work with an external partner to manage their cybersecurity. If you’re on a budget, hire a fractional CIO (contract or third-party service provider) to get IT experts when you need them. Or maybe you can build a team of unofficial deputy IT managers who shadow IT personnel to create more redundancy in security by spreading out responsibility.

2. Implement robust policies, processes, and procedures

Develop an acceptable use policy concerning how employees are allowed to use technology assets, from hardware to software programs. Provide guidelines for social media use as well. Limit employee access to sensitive data and information by tailoring their access to fit individual roles. Create a playbook for different cyberattack scenarios and work through them like fire drills each quarter.

Put someone in charge of checking firewall and anti-malware logs. Meet with a cybersecurity expert on a biannual basis and conduct an external review of IT to ensure the data and network of your organization are secure. Set up an RSS feed to tune in to the latest cybersecurity news. 

3. Make smart technology choices

Invest in technology solutions like antivirus software, which defends against most types of malware. Or investigate endpoint security solutions, which cost about the same as antivirus software and can be more effective in practice. Put firewalls in place to prevent an unauthorized user from accessing a computer or network.

Back up data so you can recover information lost in an attack. Use encryption software to protect sensitive data, such as employee records, client and customer information, and financial statements. Incorporate two-step authentication or password-security software to reduce password cracking. When sourcing technology, be sure to choose service providers with strong security. 


Creating a layered defense that supports your people, process and technology is the best way to protect your business. For more insights on how to protect your small to medium-sized business, download the Vistage report Cyberthreats and solutions for small and midsize businesses.

And remember, Salesforce Essentials can help you find more customers, win their business, and keep them happy so you can grow faster than ever. Learn more about our small business CRM solutions by following us on Twitter, LinkedIn, and Instagram.

