Small business owners don’t always pay attention to cybersecurity, thinking they’re too tiny to get hacked. Yet, this is what makes small employers—and not just big companies—a target. 

Fortunately, there are many things you can do to lower your company’s chances of getting hacked.

The two biggest reasons for small business data breaches are a lack of policies and untrained employees. In fact, nearly half of business owners who have experienced a data breach admit that their security issue was caused by an employee.

And then there’s this.

Before you throw up your hands, thinking this is a game you can’t win, know that I am here to help. As an employment lawyer, I know first-hand that the most effective way to lower your risk of being hacked involves clear policies and giving your team tools to keep your business secure. 

Here are 10 cybersecurity best practices to get you started, even if you’ve never thought about cybercrime before.

1. Set up a data privacy policy

Your privacy policy is a pledge to your customers, vendors (and anyone else you do business with) that you and your employees will protect their information.

Hackers can steal your customers’ information, which may include personal details and credit card numbers. They may also steal your employees’ personal information, including Social Security numbers, dates of birth, and medical history.

Writing a privacy policy—and then following it—will ensure that your company is using data in ways that will keep all identities secure. That also means holding your employees accountable for breaches—and if things go wrong, disciplinary action.

Take a look at this sample privacy policy from the BBB, and then work with a lawyer to create one that’s specific to your business.

2. Set up a password policy

A policy that requires complex passwords, changed regularly, is a must for any employees who use computers for work.

These pointers will give you a place to start when creating your own password policy: 

  • All passwords should be reasonably complex and difficult for unauthorized people to guess. That is, employees should not use any common name, noun, verb, adverb, or adjective, like “password” or “basketball.” Good passwords are usually a minimum of 12 characters and contain at least one uppercase letter, one number, and one special (non-alphanumeric) character. 
  • Employees should avoid basic combinations. For instance, passwords like “password,” “password1” and “Pa$$w0rd” are equally bad from a security perspective and should be avoided. 
  • Make sure your employees change their default passwords. Default passwords are usually created for new hires during employee onboarding or protecting new systems when they’re initially set up. Make sure they’re changed when your employee first logs on.
  • Use unique passwords for different accounts. Your employees should choose unique passwords for each company account and avoid recycling a password they already use for a personal account. 
  • Ban sticky notes containing important information. Passwords should not be posted on or near computers or otherwise be readily accessible in the office.
  • Passwords should be changed on a set schedule. Send your employees reminders about changing their passwords every couple of months.
  • Freeze user accounts after a certain number of failed logon attempts. Sure, your employees might forget their passwords at times. But this can be an effective way to curb hacks right when they happen.

To help your team follow the rules, consider getting a password manager. Services like LastPass or 1Password can store all of your team’s unique passwords, and minimize the work you need to do to enforce the policy.

3. Require two-factor authentication

Consider requiring multi-factor authentication (MFA) on all business software programs your team actively uses.

MFA requires additional information beyond a password to gain entry into a service, like a passcode delivered to another device. If employees don’t self-authenticate through MFA, they won’t be able to sign in.

Business owners can set this up through the specific software programs they use. As an example, here are instructions on how to set up two-factor authentication for GSuite.

4. Launch an approval process for employee-owned devices

If employees are going to bring personal devices to work and use them to connect to your network, you need to set up reasonable policies that govern their use.

Ideally, this is incorporated directly in your employee handbook.  

This is the only way to protect your network and security (including the ability to wipe clean a lost or stolen device), instead of ignoring the issue or instituting rules that employees will ignore. 

If your team needs portable data to do their work, limit your employees to company-approved solutions that you can monitor and control. 

Don’t permit employees to plug in external devices (USB and other external drives), and limit cloud storage to approved vendors that you can access and monitor. Otherwise, you will have zero knowledge of what information employees are offloading.

5. Create a social media policy

Social media can present a real risk to small businesses with confidential information.

It’s easy to tell your employees, “Think before you click.” Yet, according to a report by Grant Thornton, 76% of the Inc. 500 lack a social media policy for their employees, and 73% of all employers conduct no social media training. 

If you aren’t educating your employees about the risks and benefits of social media, both in and out of work, you’re leaving yourself exposed to breaches of confidentiality and other snafus.

Incorporate your social media policies directly in your employee handbook, and share other resources on what employees can and can’t share on their social accounts.

6. Terminate device access when an employee leaves

Employees should always be reminded that at the end of their employment, devices need to be returned right away. 

Think laptops, tablets, phones, and other devices they use to do work at your business. Or if it’s an employee’s personal device, it needs to be wiped clean of all company information. This should be done before an employee leaves the office for the last time. 

This also means that you need to cut off access to company folders and tools, like Google Drive, Asana, Jira, and other software programs.

7. Think about getting cybersecurity insurance

You don’t want to pay millions to remedy a data breach, which means you should probably look into carrying cyber-insurance. 

Not all cyber policies are created equally, so it’s important to understand what you’re purchasing, and what it covers (or doesn’t). Your business’s insurance agent should be able to direct you to the right insurance product for your business.

These are just a few of the questions you should be asking your insurance broker before buying that policy. 

  • What types of data breaches does it cover? Viruses? Malware? Ransomware? 
  • Does it cover business interruption costs? 
  • Does it cover reputational damage? 

The only thing worse than not having cybersecurity coverage is to think you have it, only to find out after the fact that you don’t.

8. Ask employees to avoid public WiFi

An open WiFi system is no different than an unlocked house.

Just as you would never leave your house with the front door wide open, don’t leave your network exposed by using open WiFi networks. 

Make sure your employees know that public WiFi is inherently insecure. Any device that connects to public WiFi (laptop, smartphone, or tablet) is at risk, and your team should treat all public WiFi links with suspicion. Employees should avoid public WiFi when possible, and use a cellular connection instead.

Here are a few points to consider when creating your own policy on WiFi access.

  • If employees must use public WiFi, they should not do so without first confirming the legitimacy of the link. Cybercriminals often try to scam users by using bogus links with a connection name deliberately similar to a legitimate coffee shop, hotel, or other venue. Employees shouldn’t connect until they can confirm the legitimacy of the WiFi through the connection’s name and IP address with an employee at the location that is offering the public WiFi. 
  • Consider offering employees a virtual private network (VPN) to use. A VPN establishes a private pipeline that encrypts all data that passes through the network. This can help prevent cybercriminals from intercepting data, even on public WiFi. 
  • If a VPN isn’t available, your team should at least use SSL connections (connecting via “https” instead of “http”), which will add an extra layer of encryption to transmitted data. It’s far from perfect, but it’s better than nothing. 
  • Employees should turn off WiFi when they’re not using it. Even if you aren’t actively connected to a network, the WiFi hardware in your device is still transmitting data. And if you’re transmitting, cybercriminals can snoop. If you don’t need the WiFi connection, simply turn it off.

9. Educate your employees on common email scams

Nearly 40% of all employees report opening a suspicious email, even when they knew it looked fishy. “When in doubt, throw it out” is a line you should repeat to your team.

Many data breaches result from employee misuse of email, which results in the loss or theft of data or the accidental downloading of viruses, malware, or ransomware. That’s why you need standards on how your team uses work email.

And don’t forget to train your employees on how to detect and deflect phishing attempts. Phishing is when a cybercriminal impersonates a trustworthy source in order to steal credentials, or places malware on a system. And at times, it can be pretty convincing.

10. Make it easy for your team to report security incidents

Finally, all of the above goes out the window if your employees don’t understand when and how to report a security breach. This can include lost or stolen devices, malicious viruses, malware, or ransomware that’s accidentally clicked on.

Include this information prominently in your employee handbook. 

In a small business, these reports should be made to a Chief Technology (or Information Security) Officer, Director of Technology (or Information Security), or, if you lack an internal head of technology, to another C-level employee who can respond to these crises. (Hey, it may be you!)


Data breaches at small businesses are not an if issue, but a when issue. Once you understand that you will probably suffer a breach at some point, you should roll out employee policies and trainings that make data security a priority. 

As an employment lawyer, I generally don’t work in the business of guarantees. But I will guarantee that any expense you absorb to prevent the potential cost of a data breach is money well spent.

Jon Hyman is a partner in the Labor & Employment Group at Cleveland, Ohio’s Meyers, Roman, Friedberg & Lewis. He is the author of the award-winning Ohio Employer Law Blog. When he’s not helping employers proactively and cost-effectively solve workplace problems, he’s working as an unpaid roadie for his kids’ burgeoning rock ‘n’ roll careers.