Creating An IT Security Policy For Your Small Business

It was 10:30 on a random Saturday night when a small business in Kentucky learned it was under attack. Hackers had breached the network, seized control of every computer and were demanding $400,000 to relinquish that control.

Unable to operate without networked assets and unwilling to suffer a damaged reputation by going public about the ransomware attack, the manufacturing company opted to negotiate with the hacking organization. Ultimately, after the business paid $150,000 to reclaim its assets, a post mortem review indicated the hackers likely gained entry when an employee clicked a link in a phishing email.

What’s most striking about this story isn’t the financial cost this 35-person company suffered; ransomware attacks often reap payments in the millions. Neither is it the size of the company; small businesses are frequently the victims of cyberattacks, though not typically at the hands of such a well-organized group.

No, what should concern small business owners and IT managers is the assumed method by which the hackers breached the network—the lowest of low-tech methods: a phishing email, a poisonous link, and a careless or poorly trained employee. 

To an extent, this company was fortunate. It had a strong team of IT staff, insurers and third-party negotiators working to resolve the situation. The ransom amount was decreased by more than half. And the business was able to quietly get back up and running in a relatively short amount of time.

But all of that might have been avoided had a stronger security policy been in place. 



Cybersecurity and Small Business

It’s no shock when a well-known, enterprise-level business falls victim to a cyberattack. Big assets equal big targets and, for the criminals, potentially enormous payoffs. But small and medium businesses (SMBs) are just as likely to be targets. 

Part of that is just the nature of doing business in today’s world, where companies run on networked machines, valuable data is everywhere and reputations can be lost in an instant. And it’s partially because too many businesses underestimate both the tenacity of hackers and their own vulnerability levels.

According to research commissioned by cybersecurity company BullGuard, nearly 60% of SMB owners believe their business is unlikely to be targeted by cyber criminals; that same study, however, revealed that 18.5% of SMBs experienced a cyber attack or data breach within the past year.

And when looking solely at small businesses, Verizon’s 2020 Data Breach Investigations Report (DBIR) found that nearly one in three breaches—that’s 28 percent—involved small businesses. 

So why are cyberthieves targeting small businesses anyway, and how are they doing it? First and foremost, it’s a lucrative field. The 2020 DBIR reported that 83% of breaches against SMBs were financially motivated. And second, because they can.

Criminals know most smaller companies aren’t sufficiently protected. The BullGuard study found that one-third of companies with 50 or fewer employees use nothing more than free, consumer-grade cybersecurity, and one in five use no endpoint security whatsoever.

Even more troubling is the revelation that 43 percent of SMBs have no cybersecurity defense plan in place at all. When the door is left wide open, hackers will happily enter, and their most common attack methods are tried-and-true: 

  • Phishing: Verizon’s 2020 DBIR found phishing to be the primary threat action against SMBs
  • Malware: Datto reported that four out of five managed service providers identified ransomware attacks as the leading malware threat to SMBs

The potential consequences of a cyberattack are many and can be quite serious: an inability to operate (however temporary) means lost revenue, the cost of fighting back cuts further into budgets, and a damaged reputation can cost businesses customers, the most important asset of all.

And should sensitive personal information (e.g., healthcare records, financial data) be compromised, penalties can be severe. According to the BullGuard report: 

Once breached, 25% of SMB owners stated they had to spend $10,000 or more to resolve the attack, which could be devastating for a small company. As for time lost, 50% of SMB owners said it took 24 hours or longer to recover from a breach or cyber attack, while 25% reported they lost business as a result, and almost 40% stated they lost crucial data.

The bottom line is simple: small businesses in particular need to recognize their vulnerabilities, increase preparedness, and better protect themselves, their assets and their customers. Key to doing that is establishing and enforcing a strong internal IT security policy.

“Small businesses are not immune to cyber attacks and data breaches, and are often targeted specifically because they often fail to prioritize security. Caught between inadequate consumer solutions and overly complex enterprise software, many small business owners may be inclined to skip cybersecurity. It only takes one attack, however, to bring a business to its knees.” —Paul Lipman, CEO of BullGuard


The Importance of Having an IT Policy and Security Plan

First things first: it’s important to distinguish a security policy from a security plan. At a high level, your plan involves how you’re protecting all the pieces of your IT setup—your servers, computers, phones, data, peripherals, etc.

On the other hand, your policy should be an element of that overarching plan, one that describes the obligations on anyone (e.g., employees, contractors, vendors, etc.) with access to company systems and data to lessen security risks. 

In other words, you need a plan to defend your business from bad actors, but you need a policy to protect it from within as well. 

Chances are, most of your employees and other users would never dream of causing you intentional harm. But as the eye-popping number of phishing attacks year over year proves, humans can make some questionable choices. A good security policy can help minimize the risks that humans create. 

Globally respected cybersecurity firm McAfee suggests that regardless of an organization’s size, security is everyone’s concern, and that a clear policy can help employees recognize and understand the part they play in protecting your business. 

There are also regulatory and PR/perception reasons for establishing a policy. Small organizations may not be subject to federal data protection requirements, but there remains an expectation to meet at least minimum security standards; failure to do so can result in prosecution if customer data is compromised.

And from an image perspective, it just makes good business sense. Any of your stakeholders may request proof you can protect sensitive data; without a policy in place you’ll be hard pressed to meet that burden. 

Building A Policy Right-Sized for Small Business

McAfee defines a cybersecurity policy as “the rules for how employees, consultants, partners, board members, and other end-users access online applications and internet resources, send data over networks, and otherwise practice responsible security.” The practical application of that definition, however, can vary widely between enterprises and small businesses. 

A highly regulated business may require a lengthy and extremely detailed security plan, with multiple policies within it. But a smaller company may need only a few pages to cover basics like remote access best practices, how to create and safeguard passwords, proper use of company assets and data, rules governing internet use and email, and social media guidelines. 

It really boils down to guiding employees and other users on 1) which types of business information can be shared, including how and where; 2) appropriate use of devices and online materials; and 3) proper handling and storage of sensitive material.

In 2019, The Manifest, a B2B-focused news site, surveyed nearly 400 small businesses to better understand their cybersecurity challenges and expected plans to address them. The results, shown in the graph below, look strikingly like the building blocks of a good IT security policy: 

But if you’ve never created an IT security policy, you may still feel overwhelmed, wondering how to begin. Consider building it layer upon layer, starting with the most pressing issues and/or areas of greatest risk and adding layers from there. For example:

  • Layer 1: focus on phishing. Teach employees what it is, why it’s so dangerous and how they can help prevent the resulting attacks. (E.g., “If you don’t know who sent the email, don’t click the link.” It really is that basic, and yes, some people really need to be reminded.)
  • Layer 2: protect those passwords. Mandate two-factor authentication to reduce lost or stolen password issues and unauthorized network access. 
  • Layer 3: defend the data. Establish the rules for protecting company and customer data, such as using only the company email system for work-related messages, eliminating the use of thumb drives, and even physically shredding paperwork and hard drives when they are no longer needed. 

These increasing layers of prevention, designed ultimately to stop password/credential theft, can curtail the loss of intellectual property and/or your customers’ personal information (a particularly problematic issue for any business beholden to HIPAA or other privacy regulations). 

Whatever You Do, Don’t Set It And Forget It

Once you’ve established your security policy and trained your team, don’t assume you’re done. Technology moves fast, and hackers move even faster. You should review your policy regularly—annually at least—and update it where needed. In the end, the key is building a security-aware work culture that helps you mitigate risk, safeguard sensitive information, and protect your business from damage to both your reputation and your bottom line.