Small Business Cybersecurity Quick Reference Guide

Why This Matters to You

As a small business owner, you face the same cyber threats as large corporations—but often with fewer resources. Cyber incidents can cost you customers, revenue, and reputation. The good news? Most attacks can be prevented with basic security practices that don't require a huge budget.

This guide helps you:
Assess where you currently stand on cybersecurity
Identify your biggest vulnerabilities
Understand where you need to be
Take concrete first steps today

Based on resources from the Cybersecurity and Infrastructure Security Agency (CISA), the nation's cyber defense agency.

Part 1: Where Are You Now?

Take This 5-Minute Self-Assessment

Answer these questions honestly. Each "NO" reveals a vulnerability that attackers could exploit.

A. Authentication & Access

Do ALL employees use multi-factor authentication (MFA) for email and critical systems?
Do you use unique passwords for every account (no sharing, no defaults)?
Have you removed administrator privileges from regular user laptops?
Do you review and remove unused accounts quarterly?

Score: 0/4

B. Backups & Recovery

Do you have automated daily backups of critical business data?
Are your backups stored offline or in a separate location (not just on the network)?
Have you tested restoring files from backup in the last 3 months?
Do you have a written plan for operating your business if systems go down for 48 hours?

Score: 0/4

C. System Security

Are all computers and software set to update automatically?
Do you patch critical security updates within 7-14 days of release?
Is antivirus/security software installed and active on all devices?
Do you maintain a list of all devices and software your business uses?

Score: 0/4

D. Employee Awareness

Have all employees received cybersecurity training in the last 6 months?
Do employees know how to spot phishing emails?
Do employees know who to contact if they suspect a security issue?
Do you conduct practice exercises (like simulated phishing tests)?

Score: 0/4

E. Incident Preparedness

Do you have a written incident response plan?
Does everyone know what to do if you're hit by ransomware or a breach?
Do you have emergency contact information that works without your network?
Have you practiced your incident response in the last 6 months?

Score: 0/4

F. Data Protection

Do you know what your most critical data is (customer info, financial records, IP)?
Is sensitive data encrypted when stored and transmitted?
Do you limit who can access sensitive information (least-privilege principle)?
Do you have monitoring in place to detect unusual data access?

Score: 0/4

Your Cybersecurity Maturity Level

Your Total Score

0 / 24

Complete the assessment above to see your maturity level

0-6 Points: High Risk — Immediate Action Required CRITICAL

Where you are: Your business is highly vulnerable to common attacks like ransomware, phishing, and data breaches. You're likely to be targeted because attackers know small businesses often lack basic protections.

Where you need to be: Focus on the "Critical First Steps" in Part 2. These are your top priorities this week.

CISA Resources for You:

Start with CISA's Cyber Essentials Starter Kit
Request free vulnerability scanning: Email vulnerability@cisa.dhs.gov

7-12 Points: Moderate Risk — Building Your Foundation HIGH

Where you are: You've started taking cybersecurity seriously, but you have significant gaps that attackers can exploit. You're on the right path but need to accelerate.

Where you need to be: Complete the "Critical First Steps" and move to the "30-Day Action Plan" in Part 2.

CISA Resources for You:

Use the CPG Checklist to prioritize
Access the Cyber Essentials Toolkits

13-18 Points: Good Progress — Strengthen Your Defenses MEDIUM

Where you are: You have solid basic security practices in place. However, you still have vulnerabilities that sophisticated attackers or persistent threats could exploit.

Where you need to be: Focus on consistency and testing. Review the "Advanced Protections" in Part 3.

CISA Resources for You:

Request a Cyber Resilience Review: iodregionaloperations@cisa.dhs.gov
Explore CISA's Cyber Security Evaluation Tool (CSET)

19-24 Points: Strong Posture — Maintain and Improve LOW

Where you are: You're doing an excellent job protecting your business. You're following most cybersecurity best practices.

Where you need to be: Continue regular testing, stay current with threats, and consider mentoring other small businesses.

CISA Resources for You:

Benchmark with Infrastructure Survey Tool: Email Central@cisa.dhs.gov
Join sector-specific information sharing groups through your Regional Cybersecurity Advisor

Part 2: Recommended Action Plan

Critical First Steps (This Week)

No matter your score, start here:

1. Turn On Multi-Factor Authentication (MFA) Everywhere

Why it matters: MFA is the single most effective control you can implement. It prevents 99% of automated attacks.

What to do:

Enable MFA on email first (Office 365, Gmail, etc.)
Enable MFA on your bank accounts and financial systems
Enable MFA on any remote access or admin accounts
Use authentication apps (like Microsoft Authenticator or Google Authenticator) instead of SMS when possible

CISA Guide: Implementing Phishing-Resistant MFA

2. Start Automated Backups Today

Why it matters: Ransomware is the #1 threat to small businesses. Good backups are your insurance policy.

What to do:

Identify your critical data (customer lists, financial records, documents, databases)
Set up automatic daily backups to an external drive or cloud service
Ensure backups are isolated (not always connected to your network)
Test restoring one file to confirm backups work

CISA Resource: Cyber Essentials - Your Data

3. Enable Automatic Updates

Why it matters: Attackers exploit known vulnerabilities in outdated software. Automatic updates close these security holes.

What to do:

Turn on automatic updates for Windows/Mac on all computers
Enable auto-updates for all software (browsers, Adobe, Office, etc.)
Check your routers, firewalls, and network equipment—update firmware
Subscribe to alerts from CISA's Known Exploited Vulnerabilities Catalog

Priority: Focus first on systems connected to the internet and those handling sensitive data.

4. Create an Emergency Contact List

Why it matters: In a cyber crisis, you may lose email and network access. You need to communicate.

What to do:

Write down (on paper) key contacts: IT support, critical vendors, legal counsel, insurance
Include cell phone numbers and personal emails (not just work emails)
Add CISA's incident reporting: 1-844-SAY-CISA (1-844-729-2472) or report@cisa.gov
Store copies at home, in your wallet, and with your leadership team

30-Day Action Plan

Week	Focus Area	Key Tasks
Week 1	Secure Your People	Conduct 30-minute cybersecurity awareness meeting with all staff Train everyone on how to spot phishing emails Establish clear reporting process Require password manager use for all employees
Week 2	Secure Your Systems	Create inventory of all devices Create inventory of all software and cloud services Remove administrator rights from standard user accounts Verify antivirus/security software is active on all endpoints
Week 3	Secure Your Data	Identify your 5 most critical data assets Verify these assets are backed up daily Perform test restore of backup data Implement least-privilege access
Week 4	Prepare for Incidents	Draft one-page incident response plan Identify who is in charge during a cyber incident Schedule first tabletop exercise for next month Review cyber insurance policy

Part 4: 10 Biggest Vulnerabilities

What Attackers Exploit in Small Businesses

Based on CISA analysis, here's what puts small businesses at risk:

1 Weak or Reused Passwords

Solution: Use unique passwords + MFA everywhere

2 No Multi-Factor Authentication

Solution: Enable MFA on all accounts

3 Unpatched Software

Solution: Turn on automatic updates; monitor CISA's KEV Catalog

4 No Backups or Untested Backups

Solution: Automate backups and test monthly

5 Phishing-Susceptible Employees

Solution: Train staff quarterly on email threats

6 Excessive User Privileges

Solution: Remove admin rights from regular users

7 No Incident Response Plan

Solution: Write a simple one-pager and practice it

8 Unencrypted Sensitive Data

Solution: Enable encryption on laptops and for sensitive files

9 Unknown or Unmanaged Devices

Solution: Maintain current asset inventory

10 No Security Monitoring

Solution: At minimum, review logs weekly for unusual activity

Good News: Each of these can be fixed without a huge budget. Start with #1-4, which provide the most protection for your investment.

Part 5: Simple Incident Response Plan Template

Copy and customize this for your business:

[Your Business Name] Cyber Incident Response Plan

Incident Commander: [Name, Title, Cell]
Backup Commander: [Name, Title, Cell]
IT Contact: [Name/MSP, Phone, After-hours #]

If You Suspect a Cyber Incident:

Step 1: Report Immediately

Contact Incident Commander: [Phone]
Do NOT wait to be certain—report suspicions

Step 2: Isolate Affected Systems

Disconnect from network (unplug ethernet, turn off WiFi)
Do NOT turn off devices (preserves evidence)
Take photos of any ransom messages or error screens

Step 3: Preserve Evidence

Note time of discovery and what you observed
Do not delete anything
Save any suspicious emails or messages

Step 4: Activate Response Team

IT Support: [Contact]
Legal Counsel: [Contact]
Insurance: [Contact]
CISA: 1-844-729-2472 or https://www.cisa.gov/report

Step 5: Communicate

Internal: [Who notifies staff and how]
External: [Who handles customer/public communication]
Law Enforcement: [When and who contacts FBI/local police]

Business Continuity During Incident:

How to process orders manually
How to communicate with customers without email
How to access backup systems
How to pay employees if payroll system is down

Part 6: Free CISA Resources and Support

You're not alone—CISA provides free support to small businesses:

Assessments & Tools

Click any card below to open a pre-filled email request to CISA

Cyber Hygiene Scanning

Free continuous monitoring of your internet-facing systems. Typical 40% risk reduction in first year.

Cyber Resilience Review

Interview-based assessment of your security practices.

Infrastructure Survey Tool

Benchmark your security against similar businesses.

Guides & Frameworks

Cyber Essentials Framework - Six-element foundation for small businesses
Cybersecurity Performance Goals (CPGs) - 26-goal baseline for prioritizing security investments
Small Business Guidance - Role-based responsibilities for CEOs, security managers, and IT leads
Known Exploited Vulnerabilities Catalog - Authoritative list of threats you must patch
StopRansomware.gov - Comprehensive ransomware prevention and response resources

Direct Support

Regional Cybersecurity Advisors: In-person help from CISA experts in your area.
Find your region: https://www.cisa.gov/about/regions or call 1-844-SAY-CISA

Incident Reporting: 24/7 support if you experience an attack.
https://www.cisa.gov/report or report@cisa.gov

Frequently Asked Questions

Q: I'm a very small business (1-10 employees). Do I really need all this?

A: Start with the "Critical First Steps": MFA, backups, and automatic updates. These three controls prevent 80%+ of attacks and take less than a day to implement. The rest can follow over 90 days.

Q: How much does this cost?

A: The Critical First Steps cost $0-$100. MFA is usually free with your existing services. Backups can use affordable cloud storage ($10-50/month). Most software includes automatic updates. As you grow, budget 3-5% of your IT spending on security.

Q: What if I don't have IT staff?

A: Many small businesses work with managed service providers (MSPs). Share this guide with your MSP and ask them to help implement it. You can also work directly with CISA's Regional Cybersecurity Advisors (free support).

Q: We've never been attacked. Why start now?

A: Small businesses are increasingly targeted because attackers know you have fewer defenses. 43% of cyberattacks target small businesses, and 60% of small businesses close within 6 months of a significant breach. Prevention is much cheaper than recovery.

Q: What's the most important thing to do first?

A: Multi-factor authentication (MFA). It's free, takes an hour to set up, and prevents the vast majority of account compromises. Start with email and admin accounts.

Q: How do I know if I'm doing enough?

A: Use the self-assessment in Part 1 quarterly. Aim for 18+ points within 6 months. Request a free assessment from CISA to benchmark against similar businesses.

Q: What if we get hit by ransomware?

A: Don't panic. Isolate infected systems immediately. Contact CISA (1-844-729-2472) and your IT support. With good backups, you can recover without paying ransom. This is why tested backups are critical.

Take Action Today

Your Three Tasks Before End of Business:

Enable MFA on your email account right now (it takes 5 minutes)
- Gmail: https://myaccount.google.com/security
- Microsoft: https://account.microsoft.com/security
Print this guide and share with your leadership team
Schedule 30 minutes on your calendar this week to:
- Complete the self-assessment in Part 1
- Create your emergency contact list
- Set up automated backups

Your Commitment:

"I commit to making cybersecurity a priority for my business. I will implement the Critical First Steps this week and work through the 90-day roadmap to protect my business, employees, and customers."

Signed: _________________________ Date: _____________