Cyber security breaches happen every day all around the world, and they can have disastrous consequences if they are not detected quickly. Small businesses are the segment most frequently targeted by professional hackers, and for these companies a cyberattack can cause mayhem: it could cause the business to fail, resulting in financial ruin for shareholders, creditors and employees.

Even if a business continues operating after a cyberattack, serious damage can be inflicted on customer trust. The company's reputation, into which so much time and effort has been invested, can be irreparably damaged. 

Here we list our 10 tips to help all SMBs improve their cyber resilience, ensure their data is safe and retain the trust of their stakeholders.



It is widely accepted now that a cyberattack is inevitable for most companies. It is simply a matter of when. Whether you are a small or large organisation, you should ensure you are prepared for a cyberattack. 

No cybersecurity is perfect, and the threat environment can change at any time, so you need to ensure that your entire team is prepared. This includes conducting regular cyber training and awareness exercises for all staff and having a tested Incident Response Plan that sets out the steps to be taken in the event of a cyberattack. 



When disposing of sensitive information, you must take the appropriate steps, securely removing any personally identifiable information or sensitive information whether held in a digital or physical format. 

Secure shredding and disposal of physical records is a must. Digital devices such as computer hard drives can only be partially wiped clean of data. Only physically destroying the device guarantees that no data will ever be recovered by criminals.



Physical access to computers and devices is still a very popular way for attackers to compromise your business, and it can easily happen through theft or loss of a device.

Perhaps surprisingly, the Verizon Data Breach Investigations Report found that “an asset is lost over 100 times more frequently than it is stolen.” Other research found that 39% of incidents involve devices stolen from the victim’s workplace. 

Also, when devices are removed from the office, they can be stolen from employees’ cars or homes. If your employees need access to sensitive company information when they are off-site, you should consider investing in professional business laptops which offer a wide range of security features. 

Full drive encryption on all devices, such as computers, laptops, tablets, flash drives and memory cards, is worth considering. This will prevent malicious access to information even if cybercriminals have possession of the device.
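The practical question behind this tip is "if this device walks out of the building, is the data on it readable?". The following added example (not part of the original article) answers that for a Linux machine by inspecting the block-device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints: a filesystem is considered protected only if a dm-crypt (`crypt`) layer sits somewhere between it and the physical disk. Both device trees below are constructed sample output, not captured from a real machine; the function names are the example's own. On Windows the equivalent check is the `Get-BitLockerVolume` PowerShell cmdlet.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output for a laptop
# whose root filesystem lives inside a LUKS container (type "crypt").
ENCRYPTED_LAPTOP = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
    ]}
  ]}
]}
""")

# Constructed sample for a desktop whose partitions are mounted directly,
# with no encryption layer underneath any of them.
PLAIN_DESKTOP = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": "/"}
  ]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/mnt/backup"}
  ]}
]}
""")


def _walk(devices, ancestors):
    """Yield (device, list_of_ancestors) for every node in the lsblk tree."""
    for dev in devices:
        yield dev, ancestors
        yield from _walk(dev.get("children", []), ancestors + [dev])


def _has_crypt_layer(dev, ancestors):
    """True if the device itself, or anything beneath it, is a dm-crypt mapping."""
    return any(d.get("type") == "crypt" for d in ancestors + [dev])


def encryption_status(lsblk_json, mountpoints=("/",)):
    """Map each requested mountpoint to True (encrypted), False (plain) or
    None (mountpoint not present in this tree)."""
    status = {mp: None for mp in mountpoints}
    for dev, ancestors in _walk(lsblk_json.get("blockdevices", []), []):
        mp = dev.get("mountpoint")
        if mp in status:
            status[mp] = _has_crypt_layer(dev, ancestors)
    return status


def unencrypted_mounts(lsblk_json):
    """Every mounted filesystem with no crypt layer beneath it. An EFI or /boot
    partition is expected here; a data partition or '/' is a finding."""
    return sorted(
        dev["mountpoint"]
        for dev, ancestors in _walk(lsblk_json.get("blockdevices", []), [])
        if dev.get("mountpoint") and not _has_crypt_layer(dev, ancestors)
    )


if __name__ == "__main__":
    # Run against the live machine with:
    #   lsblk -J -o NAME,TYPE,MOUNTPOINT | python3 fde_check.py
    import sys
    tree = json.load(sys.stdin)
    print("root encrypted:", encryption_status(tree)["/"])
    print("unencrypted mounts:", unencrypted_mounts(tree))
```

The check deliberately walks the whole chain rather than looking only at the device that carries the mountpoint, because LVM volumes, RAID members and similar layers often sit between the LUKS container and the filesystem; what matters is that a `crypt` node exists somewhere below the filesystem. Removable media (the USB sticks and memory cards the tip mentions) show up in the same tree when plugged in, so the same function covers them.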



You should control the level of access granted to business information on a 'need-to-know' basis. Negligence continues to play a big role in data breaches and hackers are increasingly gaining access to huge volumes of personal information through employees. 

One of the best ways to control this risk is to control access to sensitive information. Create unique accounts for every employee and ensure that appropriate access privileges are set for everybody. Restrict administrator access to those employees who really need this privilege. 

These measures will reduce the chances of unauthorised employees accessing sensitive information. You should also encourage a strong password policy and enforce it throughout the company.
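The three controls in this tip (one account per person, administrator rights only where justified, and a password policy that is actually enforced) can be checked mechanically against a directory export. The added example below is not from the original article; it audits a constructed list of accounts for shared credentials, unapproved administrators and stale logins, and checks candidate passwords against a minimum length, a small constructed stand-in for a breached-password list, and the username. Group names, the `Account` type and the function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Groups that confer administrator rights (assumed names; adjust to your directory).
ADMIN_GROUPS = frozenset({"Domain Admins", "Administrators"})


@dataclass(frozen=True)
class Account:
    username: str
    owners: Tuple[str, ...]      # people who know the credentials; should be exactly one
    groups: FrozenSet[str]
    last_login: Optional[date]


# Constructed directory export for a small company (not real data).
ACCOUNTS = [
    Account("alice", ("Alice",), frozenset({"Staff", "Domain Admins"}), date(2024, 5, 30)),
    Account("bob", ("Bob",), frozenset({"Staff"}), date(2024, 5, 29)),
    Account("reception", ("Carol", "Dan"), frozenset({"Staff"}), date(2024, 5, 31)),
    Account("eve", ("Eve",), frozenset({"Staff", "Administrators"}), date(2024, 5, 28)),
    Account("contractor7", ("Frank",), frozenset({"Staff"}), date(2023, 11, 2)),
]
# The people whose administrator rights have been reviewed and signed off.
APPROVED_ADMINS = frozenset({"alice"})


def audit_accounts(accounts, approved_admins, today, stale_days=90):
    """Return (username, finding) pairs for every least-privilege violation."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if len(a.owners) != 1:
            findings.append((a.username, "shared account: actions cannot be attributed to one person"))
        if a.groups & ADMIN_GROUPS and a.username not in approved_admins:
            findings.append((a.username, "administrator rights without documented approval"))
        if a.last_login is None or (today - a.last_login).days > stale_days:
            findings.append((a.username, f"no sign-in for over {stale_days} days: disable or remove"))
    return findings


# Constructed stand-in for a breached-password list; in production use a real
# one (for example the Pwned Passwords range API, which takes a hash prefix).
COMMON_PASSWORDS = frozenset({"password", "welcome", "letmein", "qwerty", "companyname"})


def password_problems(username, password, min_length=12):
    """Return the policy rules a proposed password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Strip trailing digits/symbols so 'Welcome2024!' is still caught as 'welcome'.
    core = re.sub(r"[\d!@#$%^&*]+$", "", password.lower())
    if core in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("common or breached password (trailing digits/symbols ignored)")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, APPROVED_ADMINS, date(2024, 6, 1)):
        print(f"{user:12} {finding}")
    print(password_problems("bob", "Welcome2024!"))
```

The shared-account check is the one most often missed in small firms: a "reception" or "shop floor" login used by several people means a log entry can never be tied to an individual, which undermines both the 'need-to-know' principle and any later incident investigation.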


“Flexibility might be more convenient for employees. It can create cyber risks for the company”. 

A lot of companies now offer “working-from-home” flexibility or remote working opportunities. While this flexibility might be more convenient for employees, it creates cyber risks for the company.  

When employees are in a public place, like an airport or restaurant, they may be offered free internet in exchange for sharing some personal information. Keeping your information safe can be a challenge when accessing the internet using public Wi-Fi.

Unfortunately, sensitive data, such as passwords, might be accessible. Staff should be warned about the risks and consider very carefully whether to connect to the internet using public Wi-Fi unless they can use a Virtual Private Network (VPN).



A huge part of cybersecurity resilience is to ensure that your staff are educated on the risks and threats they could face in their day-to-day activities. Your staff are your first line of defence against many forms of cyberattack, such as phishing and malware. Train your staff to identify and recognise the threats and encourage them to report incidents every time, by establishing a 'no-blame' culture.

Educating staff to spot common signs of phishing such as misspelt email addresses, poorly written copy and unexpected attachments, can be highly effective. It is quite common for malware to be hidden in documents created using popular software programmes, such as Microsoft Word. With the benefit of training, your staff will know never to download something suspicious or to click on suspicious links.
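The signs listed above (misspelt sender addresses, unexpected or macro-enabled attachments, pressure language) can also be checked automatically before a message reaches a person. The added example below is not part of the original article: it runs those checks over two constructed sample emails using only Python's standard `email` library, flagging sender domains that are one or two characters away from a trusted domain, a `Reply-To` that points elsewhere, a display name that embeds a different address, risky attachment types, and urgency wording in the subject. The trusted-domain list, the extension list and both messages are constructed for the example.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains the company and its known suppliers really send from.
TRUSTED_DOMAINS = {"example-smb.com", "supplier-example.com"}
# File types that can carry macros or executable code (macro-enabled Office
# formats included, which is how the Word-based malware mentioned above arrives).
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".exe", ".js", ".vbs", ".hta", ".iso", ".lnk", ".scr"}
PRESSURE_WORDS = re.compile(r"\b(urgent|immediately|account (suspended|locked)|verify now)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot 'examp1e' standing in for 'example'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted, max_distance=2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


def _domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_email):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(sender)
    flags = []

    imitated = lookalike_domain(sender_domain, TRUSTED_DOMAINS)
    if imitated:
        flags.append(f"sender domain {sender_domain!r} looks like {imitated!r}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain_of(reply_to) != sender_domain:
        flags.append(f"Reply-To goes to {_domain_of(reply_to)!r}, not the sender's domain")

    embedded = re.search(r"[\w.+-]+@([\w-]+\.[\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != sender_domain:
        flags.append("display name contains an address from a different domain")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            flags.append(f"risky attachment {filename!r}")

    if PRESSURE_WORDS.search(msg.get("Subject", "")):
        flags.append("pressure language in subject")
    return flags


# Constructed sample: lookalike domain, mismatched Reply-To, spoofed display name,
# macro-enabled attachment and an urgent subject line.
SUSPICIOUS = """\
From: "Accounts Payable <ap@example-smb.com>" <billing@examp1e-smb.com>
Reply-To: collections@mail-drop.example
To: finance@example-smb.com
Subject: URGENT: overdue invoice, payment required immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--b1--
"""

# Constructed sample: an ordinary message from a known supplier.
BENIGN = """\
From: Jo Bloggs <jo@supplier-example.com>
To: finance@example-smb.com
Subject: March invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Hi, invoice attached as usual.
--b2
Content-Type: application/pdf; name="invoice-march.pdf"
Content-Disposition: attachment; filename="invoice-march.pdf"

JVBERi0=
--b2--
"""
```

Each indicator on its own is weak (a short legitimate domain can sit within two edits of a trusted one, and a genuine supplier may use a separate reply address), so a gateway would score them rather than block on any single one; the point for staff training is that the same cues a person is taught to notice are the ones a filter keys on, and a message that trips several of them deserves a phone call to the supposed sender before anything is opened.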



It is important that you test your company’s cyber resilience regularly. Testing your cybersecurity as if you were a malicious attacker will help give confidence in the company’s ability to survive a real attack. 

Penetration testing can be arranged with specialist firms who will take on the role of the professional hacker and try to penetrate your defences. This will give you a 'point in time' picture of your resilience. For more regular visibility, a continuous intrusion detection and prevention system is required.



The cyber environment is continually changing, both on the attack and the defence side. Important new technologies, such as artificial intelligence, big data analytics and machine learning are used by cybercriminals to attack and are also being used by the biggest companies as defence mechanisms. 

Before long, these tools may be within the reach of SMBs. In the future, it is hoped that automated systems may orchestrate the protection of networks as soon as a cyber threat is detected, and advanced behavioural analytics could ensure new levels of protection are put into place automatically. 

As soon as these tools become viable for SMBs to use, they will be offered by Managed Service Providers. In the meantime, it's worth keeping an eye on developments.


Given that cyberattacks are becoming increasingly common, you should consider cyber insurance sooner rather than later. It transfers the risk you do not wish to retain to an insurance company. If your company suffers a cyberattack, you will have access to a panel of expert responders and won't incur significant financial losses. Your commercial insurance broker should be able to advise on this important risk management issue.



Staying up to date on an ever-changing threat environment is a challenge for SMBs. Lots of information is available, but SMBs often need help to focus on what's really important to them. Businesses such as Surviving Cyber can help you to find the essential information that you need.

If you are a small business owner and interested in learning how you can create your pathway to peace of mind from cyber risk, check out our pilot educational course, Surviving Cyber – the small business owner's Pathway to Peace of Mind from cyber risk.

You can register for the course here. If seats on the pilot course are not available at that time, you can join the Surviving Cyber email list to receive ongoing communication from me. I look forward to getting to know you.