
How to improve cyber security for your small business


Running a small business doesn’t put you beyond a hacker’s notice. Small businesses often hold the same types of sensitive customer information as larger enterprises. That, combined with their perceived lack of cyber security knowledge and resources, makes them an attractive target to hackers.

According to a recent SBA survey, 88% of small business owners felt their business was vulnerable to a cyber attack. Yet many businesses can’t afford professional IT solutions, have limited time to devote to cyber security, or don’t know where to begin.

The best way for small business owners to be adequately prepared is to educate themselves on common threats and the best strategies to defend themselves from a cyber attack.


Common cyber threats to small businesses


Social engineering fraud

Social engineering fraud involves manipulating people into divulging confidential information such as passwords, social security numbers, or credit card information. The most common form of social engineering fraud is phishing emails, which are designed to appear as though they have been sent from a legitimate organization or known individual and trick victims into paying out money or revealing sensitive data. A small business looking into new products and vendors — for example, to help systematize their day-to-day operations — may be susceptible to social engineering fraud. Be sure to check on the credibility of the organization before responding to emails or clicking on any email links.


Remote working options

Many small businesses offer work-from-home options and, while remote work can have some advantages, it can also expose businesses to a range of cyber security risks. With a distributed workforce, it’s important for staff to be even more careful about maintaining cyber hygiene.



Malware is any software intentionally designed to disrupt or damage a computer or network, or to gain unauthorized access to private information; viruses and ransomware are examples. While ransomware attacks are generally associated with larger companies, 50 to 70 percent of ransomware attacks are in fact aimed at small and medium-sized companies, and most small businesses fail within six months of an attack. 1


Best practices for improving small business cyber security


1. Educate your employees

As cyber criminals evolve and become savvier, it’s essential to regularly update your employees on new protocols. The more your employees know about cyber attacks and how to protect your data, the safer your business will be. Send out regular reminders not to open attachments or click on links in emails from people they don’t know or expect; outline procedures for encrypting personal or sensitive information; and train employees to double check if they get rush requests to issue unexpected payments—a common scam.

2. Implement safe password practices

Many data breaches occur due to weak, stolen, or lost passwords. In today’s world of working from your own devices, it’s crucial that all employee devices accessing the company network are password protected. Automatically prompt employees to change their passwords every 60 to 90 days.

3. Make sure you’ve got the right partners and platforms

Your cyber security is only as good as the security of the platforms and partners your business depends on. Check the following:


  • Do you have a WAF (web application firewall) in place to protect your site?
  • Is your ecommerce platform PCI-DSS (Payment Card Industry Data Security Standard) Level 1 compliant? That will protect you against digital data security breaches across your entire payment network, not just a single card.
  • Does your website hosting company have staff who regularly patch security vulnerabilities to reduce the likelihood of attacks?
  • Check to make sure each company computer has antivirus software installed. Even after training employees on how to identify a phishing email, they may be susceptible.


4. Secure your hardware

Data breaches can be caused by physical property being stolen too. If your servers, laptops, cell phones or other electronics are not secured and are easy to steal, you are taking a big risk. Security cameras and alarms will help, but physically locking down computers and servers will help even more. Whether your employees are working from home, a coworking space, or a traditional office, be sure they understand how to keep their company equipment protected.


5. Regularly back up all data

No matter how vigilant you are with your cyber security strategies, data breaches can still happen. The most important information to back up is:


  • Databases
  • Financial files
  • Human resources files
  • Accounts receivable/payable files


Be sure to also back up all data stored on an online drive and check your backup regularly to ensure that it is functioning correctly.

Your insurance company may also provide cyber consulting and risk management services, so check with your agent or broker when choosing your cyber insurance coverage. You can also hire an outside expert to evaluate risks!


Additional Resources:

Stay safe from cybersecurity threats

CIA’s Cybersecurity Awareness Program Small Business

Cybersecurity for Small Business

All content in this material is for general information purposes only. It does not constitute personal advice or a recommendation to any individual or business of any product or service. Please refer to the policy documentation issued for full terms and conditions of coverage.
Chubb European Group SE (CEG) is an undertaking governed by the provisions of the French insurance code with registration number 450 327 374 RCS Nanterre. Registered office: La Tour Carpe Diem, 31 Place des Corolles, Esplanade Nord, 92400 Courbevoie, France. CEG has fully paid share capital of €896,176,662. UK business address: 100 Leadenhall Street, London EC3A 3BP. Authorised and supervised by the French Prudential Supervision and Resolution Authority (4, Place de Budapest, CS 92459, 75436 PARIS CEDEX 09) and authorised and subject to limited regulation by the Financial Conduct Authority. Details about the extent of our regulation by the Financial Conduct Authority are available from us on request.
