Security · February 06, 2025

Small business cybersecurity plan checklist

With an increase in remote work, companies using third-party cloud solutions with unforeseen security vulnerabilities and gaps in cyber-awareness among employees, it's more important than ever to have a cybersecurity plan in place.

While today's cybersecurity threats aren't much different from those in the past, hackers are now using more sophisticated means—including AI—to automate how they attack devices and systems. Here's what you need to know as you create your own cybersecurity plan.

What is a cyberattack?

Before creating a cybersecurity plan for your small business, it's important to know the top cybersecurity threats facing most companies today. The following are considered cyberattacks, or external breaches by hackers with a goal of exposing or deleting sensitive information.

There are four common types of cyberattacks.

  • Phishing: This type of attack, which gives hackers access to sensitive data, involves malicious links sent by a seemingly legitimate email address.
  • Smishing: Similar to phishing but with texts instead of emails, smishing attacks often ask to select a link or provide personal information.
  • Ransomware: Now the leading threat for companies, ransomware attacks involve hackers gaining access to sensitive data, encrypting it and then demanding a ransom to restore access.
  • Data breach: This tends to be the most potentially destructive form of cyberattacks affecting small businesses—and it can get expensive quickly, with the average cyberattack in the US costing $9.36 million.

Increased usage of cloud solutions may also open your business to more types of cybersecurity threats, especially if you don't have strong endpoint security. Cloud solutions store and transmit data on virtual servers, which may give hackers an easier entry point compared to a physical server—especially if the provider you're using doesn't practice strong enterprise security.

Creating a cybersecurity plan for small business

While these threats exist, there are ways to protect your business. Use the strategies below to create your plan, and view the National Institute of Standards and Technology's list of free and low-cost cybersecurity training resources to help build company-wide awareness of the importance of having a cybersecurity plan.

Monitor cloud applications

Cloud-monitoring tools can watch out for activity on your network and send alerts when there's something suspicious. Some types can even isolate these threats from your network so hackers can't access sensitive information.

Encrypt up-to-date systems and devices

Keep all computer systems, software applications and devices up to date, and ensure everything is protected by a password. Also make sure you and your employees use passwords that are complex, unique and difficult to guess. Change usernames, logins and passwords every 90 days, and use a secure password manager app to store them.

Infographic with tips on protecting your accounts with stronger passwords
  • An eight-character password consisting of only upper and lowercase letters can be cracked in just 2 seconds.1
  • Dictionary words, number sequences and personal information may make passwords easier to crack.
  • More than 50% of people reuse passwords,2 and weak, reused, or stolen passwords are the cause of 81% of confirmed breaches.3
  • The longer and more complicated your passwords are, the stronger they'll be.

Here's an example:

  • Weak: RockyCat
  • Better: R0ckyCaT2
  • Best: b3stC@tR0C|<Y!

Tips:

  • Make your password easy for you to remember but hard for anyone else to guess.
  • Avoid using actual words or popular phrases.
  • Create a unique password for every account.
  • Enable multifactor authentication.
  • Change your password every 3 months.

Source:

1 Hive Systems 2023 password table
2 Google/Harris Poll Online Security Survey
3 LastPass The Password Exposé

Use firewalls

Often considered the first line of cybersecurity defense, firewalls block incoming traffic and network requests originating from malware or unsecured sites. All hardware and software—including payment terminals, smartphones and tablets—should have the most up-to-date firewall software, as well as antivirus and anti-malware software. Also consider using a virtual private network, or VPN, for additional network encryption—especially if your business has remote employees.

Plan daily backups

Set a schedule that includes daily backups of important business data and transactions onto a separate hard drive, server or the cloud for an additional layer of protection. Also determine if you need separate networks and authentication processes for your payment terminal and the rest of your business operations, as well as network monitoring to detect unusual activity.

Enable security features

Consider adding a layer of protection with two-factor authentication. Many financial institutions and online payment services have settings that allow you to authenticate your account activity by entering a single-use code that's sent to your phone or email. You can also request text alerts from your bank to notify you of any suspicious activity, including whenever your email address is changed or your login and password are reset.

Encrypt data for transfers

When employees send confidential data to each other, make sure they encrypt the information so it's more difficult to steal. They should also avoid sending data using public Wi-Fi networks and should instead only use your company's secured network.

Limit computer and data access

Don't let third-party vendors access systems with private data unless it's essential. The same applies to employees. Limit access to data wherever possible.

Hire a security consultant

For additional support, consider hiring a cybersecurity consultant for advice on how to prevent a data breach, especially if your business doesn't have its own in-house IT team.

Consider cybersecurity insurance

Cybersecurity insurance can help protect your business against significant financial damage from technology-related crimes.

The importance of educating employees

Businesses of any size can implement technology to protect themselves, but these systems and processes are only as good as the people who use them. Your employees are the front-line responders who are most likely to deal directly with cybercriminals, so they should all be included and active participants in your cybersecurity incident response plan.

Make sure employees are aware of the threats and security measures you've put in place, and give them clear directions for how to report suspicious activity—no matter how seemingly small or innocent. Hold training sessions regularly so the message sticks, and make your cybersecurity plan for small business available to all team members. All it takes is one downloaded attachment from an untrusted source to cause serious problems.

The bottom line

As more organizations digitize their operations, cybersecurity threats will continue to increase. Implement these best practices so you can reduce your risk—and protect your business.

Insights
Financial insights for your business

Insurance

Why you need cyber insurance

Cyber insurance can help your business recover after a security breach.
A cyber insurance policy may cost significantly less than recovery costs associated with a security incident.
Security

Is your business prepared for common risks?

Companies need to prepare for risks like PR crises, supply chain failures and legal challenges.
The World Economic Forum expects that business uncertainty will remain high in the near future as companies continue to grapple with many types of business risks.
Security

Cybersecurity for small business leaders

Learn how to help protect your small business from top cybersecurity threats and safeguard your data.
By understanding the key threats and addressing cybersecurity vulnerabilities, you'll be able to better safeguard your business.

This material is for informational purposes only and is not intended to be an offer, specific investment strategy, recommendation or solicitation to purchase or sell any security or insurance product, and should not be construed as legal, tax or accounting advice. Please consult with your legal or tax advisor regarding the particular facts and circumstances of your situation prior to making any financial decision. While we believe that the information presented is from reliable sources, we do not represent, warrant or guarantee that it is accurate or complete.

Third parties mentioned are not affiliated with First-Citizens Bank & Trust Company.

Links to third-party websites may have a privacy policy different from First Citizens Bank and may provide less security than this website. First Citizens Bank and its affiliates are not responsible for the products, services and content on any third-party website.

First Citizens Bank is a Member FDIC and an Equal Housing Lender icon: sys-ehl.

NMLSR ID 503941