Cybersecurity for the Small Business

With the number of cyberattacks targeted at small businesses always on the rise, here’s how owners can protect their companies and employees without breaking the budget.

Running your own business has long been — and still remains — an endeavor that holds the potential for financial success and a sense of personal accomplishment. And while the technological advancements of the digital age have in many ways made entrepreneurship a more realistic and convenient pursuit, they have also introduced a new set of concerns and potential threats that don’t always get the time, attention and resources necessary.

“I don’t think anyone intentionally says ‘I don’t care about cybersecurity,’” says Jeff Kennedy, Chief Information Security Officer for Regions in Birmingham, Alabama. “They just don’t realize how highly vulnerable they can be to things like fraud, cyber scams and the loss of intellectual property.”

Kennedy isn’t exaggerating the level of vulnerability. Fraudulent email scams, often called “spear-phishing campaigns,” that target business employees increased 55% in 2015, according to recent research from cybersecurity software and consulting firm Symantec. Furthermore, 43% of attacks against companies in 2015 were targeted at those in the small business sector—companies with fewer than 250 employees—up from 34% in 2014 and 30% in 2013.

The threats are real

Despite the very real threats, many small business owners remain in the dark when it comes to protecting themselves, or are at least justifiably distracted by a laundry list of other high-priority concerns, says Thomas Reddington, Director of the Cybersecurity Master’s Program at New York University’s School of Engineering. “Cybersecurity is not on their minds,” Reddington says. “They don’t know about it and they haven’t considered the potential long-term impact.”

The issue of cost is top of mind for small businesses in particular, but Kennedy and Reddington agree that there are plenty of precautions a business can take that won’t break the bank, and that some of the more expensive methods—installing private servers and firewalls—aren’t typically necessary.

“There is something to be said for having a level of skepticism,” Kennedy says, after providing a real-life example of a company that lost “a couple million dollars” after hackers posing as the CEO contacted the company’s CFO, requesting that he wire money to purchase a company in China. “Often it is more about awareness than anything else,” he says.

Have a plan

While it’s a key component of an effective cybersecurity strategy, just being aware of existing cyber threats and potential scams isn’t a comprehensive plan and certainly can’t guarantee total protection.

“Security isn’t one thing,” explains Reddington. “It’s a series of technologies and policies.” In order to implement the most effective cybersecurity strategy possible, Reddington says owners should first be able to answer the following questions:

  • What do I want to protect?
  • What are my overarching security policies and goals?
  • Who has access to my network?
  • What is the value of my company’s and employees’ intellectual property?
  • What is the nature of the service agreement I have with my Internet provider?

When owners start with these questions, they can then begin to implement a cybersecurity strategy that makes the most sense for their companies.

To do so properly, however, Reddington points out that the more savvy small business owner—one who understands the seriousness of being victimized by cybercriminals—will hire a trusted expert to aid in the planning and construction of a secure, safe network. This, of course, brings back the issue of cost, which Reddington suggests approaching with a different mindset, looking at it as an investment as opposed to an expense. “I hear that security is expensive all the time, but they never consider the cost a breach may bring,” he says. “It’s frustrating.”

Be aware

Whether an owner is in a position to spend on cybersecurity or not, Kennedy says that practices like frequently changing passwords—every 90 days is a good rule of thumb—and using established and reliable brands when it comes to applications and software are practical and cost-effective steps to take when trying to mitigate a potentially devastating hack.

“Our first advice to small business owners is to bring up the level of awareness,” says Kennedy. “Use name-brand file-sharing software and leverage all security services offered.”

Finally, Kennedy encourages his clients to ask questions. “We encourage all small business owners to ask the tough questions and make sure their businesses are safe for today and in the future.”

