Cybersecurity Strategy: Best Practices for Small- to Medium-Sized Businesses
With smaller teams and fewer resources to effectively prevent cybercriminals from hacking company networks, keeping data safe becomes a huge undertaking for small to medium-sized businesses (SMBs). To make matters worse, successful cyberattacks hit SMBs much harder; in fact, more than half of SMBs close within six months following a cyberattack. Fortunately, a robust cybersecurity strategy can prevent these incidents and help protect company and client data.
Want to learn more about using a password manager for your business?
Check out Dashlane's business plans or get started with a free business trial.
What is a cybersecurity strategy?
A cybersecurity strategy includes the objectives, steps, and resources your organization will use to secure its assets and minimize cyber risk. Although your strategy may take anywhere from a few months to several years to execute, it's important to set a deadline to motivate internal stakeholders. Because cybercriminals are constantly changing their methods, your desired timeline may also change over time.
A sound cybersecurity defense strategy is:
- Informed. Cybersecurity threats vary from company to company. The industry that a company operates within, as well as the size, work model (in-office, remote, or hybrid), and customer base will determine which threats are most likely to occur to that organization. Let your unique company structure guide your research into what types of cybercriminals your organization is most likely to face, and build your strategy accordingly.
- Proactive. A cybersecurity strategy is most useful before a data breach. Make sure your strategy involves proactive methods to keep your organization’s data safe, such as annual staff training and password safety policies. Bouncing back from a serious cybersecurity incident is a lot more time-consuming and expensive than preventing one in the first place.
- Adaptable. Cybercriminals are constantly changing their behaviors to take advantage of weak spots. Best practices for cybersecurity might look different three years from now; your information security strategy plan should be able to account for these changes. Make sure to conduct an annual review and update of these policies.
Seven best practices for developing your cyber defense strategy
When the time comes to put pen to paper and create an informed, proactive, and adaptable cybersecurity strategy, use these seven steps as a guide.
- Understand the risks and set your objectives
Knowing what specific cybersecurity threats your industry and company face will help you set objectives and secure buy-in from other employees and management. As you begin to craft your strategy, ask yourself and your information technology colleagues questions such as:
- What are the biggest cybersecurity threats to our organization? Examples may include compromised passwords, ransomware, malware, data leaks, phishing, or insider threats.
- Where is our organization most vulnerable? Examples may include operating systems, client data warehouses, Server Message Block (SMB) file shares, or third-party or cloud apps.
- What's the financial and reputational impact if any of these threats or vulnerabilities are exploited? For example, if you’re client-facing, any internal vulnerabilities that surface may affect your relationship with clients. Note all the risks associated with your stakeholders.
Cybersecurity risk assessments are an opportunity to get on the same page with IT colleagues and determine the path forward. Audits like these will provide a solid foundation for the rest of your security strategy.
Need a plan for understanding your company’s risk levels?
Learn how to conduct a security audit in five steps.
- Identify areas of improvement and list your steps to remedy them
Use a tool like the popular NIST Cybersecurity Framework to assess your company’s policies, governance, and technologies. Keep in mind that because of limited time, resources, and budget, you may have to prioritize some goals over others. Use these findings to create a roadmap of your strategic objectives and the steps necessary to achieve those objectives. Now is a good time to get preliminary management buy-in.
- Assess your needs and level of IT knowledge to define your resources
Based on the risks and the areas of improvement you’ve identified, examine your own expertise and ability to execute the strategies that will improve your company’s security. Do you feel well-equipped to tackle the challenges, have someone on your team who is, or do you need to call in subject matter experts for additional support? Make sure you’re honest with yourself about your expertise and about the time and budget you’ll be able to devote to executing a cybersecurity strategy.
- Document your cybersecurity strategy
The best way to get management’s approval and implement your cybersecurity roadmap is to document it. This includes educating all employees about the risks to your business you’ve identified in step one. If your company culture allows it, have employees sign this documentation to acknowledge they read and comprehend the material.
- Measure progress and reassess
An important part of any strategy is metrics: How do you intend to measure the success of your strategy? The metric of “zero data breaches” is a great place to start, but more granularity will help you target weak spots and measure progress. For example, you may choose to track your company’s password manager adoption rate amongst employees and your company’s overall password health score.
As you complete aspects of your strategy and reach your goals, it’s also a good idea to reassess annually, quarterly, or as needed. You can review strategy according to changes that have occurred (or will occur) within your organization, as well as according to recent data breaches or metrics that your organization fell short on. Because both your organization and the cybersecurity landscape will likely have evolved from the time you first drafted your strategy, this reassessment can patch holes in your policies and information technology network that have grown since you last checked.
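The two metrics named above, adoption rate and a company-wide password health score, can be computed from a password manager's inventory export. The following is an added example, not Dashlane's code and not its scoring formula: the score definition (share of stored credentials with no weak, reused, or breach-exposed finding) is an assumption, the vault contents are constructed, and the leaked-password feed is a stand-in for a dark web monitoring service, represented as a set of SHA-1 hashes so plaintext is never compared directly.

```python
import hashlib
from collections import Counter

# Constructed sample roster and vault export. Plaintext passwords appear only to keep the
# demo self-contained; a real audit consumes flags the password manager already computed
# (or hashes), never an exported plaintext list.
EMPLOYEES = ["ana", "bo", "cy", "dee", "eli"]
VAULTS = {  # employee -> list of (site, password); employees absent here have not enrolled
    "ana": [("mail", "correct horse battery staple"), ("crm", "Tr0ub4dor&3xyz!")],
    "bo": [("mail", "password123"), ("crm", "password123"), ("vpn", "Summer2022!")],
    "cy": [("mail", "k9#Lq2!pZx8&vR4m")],
}
# Constructed stand-in for a breach-exposure feed: SHA-1 digests of passwords known to be
# leaked (the feed format is an assumption for this example).
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ["password123", "Summer2022!"]}

MIN_LENGTH = 12  # assumed policy threshold; tune to your own password policy


def adoption_rate(employees, vaults):
    """Fraction of employees who have at least one credential stored in the manager."""
    enrolled = sum(1 for e in employees if vaults.get(e))
    return enrolled / len(employees)


def classify(vaults, leaked_hashes, min_length=MIN_LENGTH):
    """Return (employee, site, issues) per credential.

    issues is a tuple drawn from: "weak" (shorter than policy), "reused" (same password
    stored more than once anywhere in the company), "compromised" (present in the feed).
    """
    counts = Counter(pw for entries in vaults.values() for _, pw in entries)
    findings = []
    for employee, entries in vaults.items():
        for site, pw in entries:
            issues = []
            if len(pw) < min_length:
                issues.append("weak")
            if counts[pw] > 1:
                issues.append("reused")
            if hashlib.sha1(pw.encode()).hexdigest() in leaked_hashes:
                issues.append("compromised")
            findings.append((employee, site, tuple(issues)))
    return findings


def health_score(findings):
    """Assumed score definition: percentage of stored credentials with no findings."""
    if not findings:
        return 0.0
    clean = sum(1 for _, _, issues in findings if not issues)
    return round(100 * clean / len(findings), 1)


def report(employees=EMPLOYEES, vaults=VAULTS, leaked=LEAKED_SHA1):
    """Dashboard-style summary: adoption, score, and who needs follow-up."""
    findings = classify(vaults, leaked)
    flagged = sorted({emp for emp, _, issues in findings if issues})
    return {
        "adoption_rate": adoption_rate(employees, vaults),
        "health_score": health_score(findings),
        "employees_to_follow_up": flagged,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Tracking these two numbers quarter over quarter gives the reassessment step something concrete to act on: a low adoption rate points at rollout and training, while a low health score with high adoption points at reuse and breach exposure that the manager's own reports can drill into.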
- Hire a professional to evaluate your security
Most SMB employees wear several hats throughout the average workday and may not have the time to become cybersecurity experts. If this is you, don’t worry—hiring a professional will help ensure your cybersecurity strategy is on the right track and identify any gaps you may have missed.
- Use the right cybersecurity tools
A robust cybersecurity strategy will likely require some additional tools to help you save time, stay organized, and efficiently accomplish goals. Several options for IT managers, such as password managers, single sign-on technology, and 2-factor authentication can work in concert to produce a comprehensive and easy-to-use cybersecurity system.
- Password managers
Password managers can be a one-stop-shop support tool for multiple facets of your company’s IT security strategy. Beyond offering a secure place to store multiple passwords, some password managers, such as Dashlane, also offer comprehensive reporting tools such as a dashboard for IT managers that displays a company-wide password health score. Dashlane also offers a Dark Web Monitoring tool that scans for employee passwords on the dark web, where most cybercriminals will attempt to sell stolen data.
Explore how a password manager can support your cybersecurity strategy in Dashlane’s free e-book.
- Single sign-on
Single sign-on (SSO) technology enables employees to access multiple applications with one set of login credentials. Needing only one password helps to remove the temptation of storing passwords on sticky notes in an office, in a loose file on a desktop, or in an internet browser.
Pro tip: Some password managers integrate with SSO for a layer of added security. Learn more about how password managers and SSO work hand-in-hand in Dashlane’s free e-book.
- 2-factor authentication
By requiring an extra verification method such as a one-time code sent to a mobile device or biometric validation like Face ID, 2-factor authentication technology helps ensure that login attempts come from employees themselves and not from cybercriminals who have obtained a password.
By itself, this method of cybersecurity can become cumbersome if employees have to enter an extra code sent to a key fob or their email for every login attempt across every application. However, several password managers, such as Dashlane, integrate with 2-factor authentication technology to automatically populate the first factor (the password), so the employee only needs to enter the second. Using 2-factor authentication and password managers together can help keep passwords and login attempts secure without slowing down an employee’s day.
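To show what the "one-time code" second factor actually is on the server side, here is an added example (not Dashlane's code and not part of the original post) implementing time-based one-time passwords as described in RFC 6238 on top of RFC 4226 HOTP, using only the Python standard library. The shared secret is the well-known reference-vector key from those RFCs, used here purely so the output can be checked; a real deployment generates a random per-user secret and stores it encrypted. The verifier accepts one step of clock drift on either side and refuses to accept a code for a counter at or below the last accepted one, so a code that was captured and replayed within the same time window is rejected.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference key (ASCII "12345678901234567890"); demo-only.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # standard TOTP time step
DIGITS = 6          # standard code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_accepted: int = -1, window: int = 1):
    """Return the counter that matched, or None if the code is rejected.

    - window: how many adjacent steps to accept, to tolerate device clock drift.
    - last_accepted: highest counter already used for this user; anything at or below it
      is refused so the same code cannot be replayed. The caller persists the returned
      counter as the new last_accepted.
    Comparison is constant-time so digit-by-digit matches do not leak through timing.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    counter = at_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    first = verify_totp(DEMO_SECRET, code, now)
    print("current code:", code, "accepted at counter", first)
    # Submitting the same code again within the window is refused (replay guard).
    print("replay accepted?", verify_totp(DEMO_SECRET, code, now, last_accepted=first))
```

The replay guard is the detail most often missing from home-grown implementations: without it, a code captured by a phishing page remains valid for the rest of its 30-second step plus the drift window, which is exactly the gap an attacker relaying credentials in real time exploits.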
How a password manager can support your cybersecurity strategy action plan
Password managers can do more than simply keep a company’s passwords secure—they can also be a powerful strategic partner in executing your cybersecurity strategy.
Password vaults, for example, store passwords and enable secure password sharing between employees. Dashlane goes the extra mile by offering IT managers analytics on employee password health and dark web security monitoring.
Password managers contribute to human-first security culture by empowering employees to adopt cybersecurity measures themselves. Read about how one university got 2,259 people to play an active role in their online security by adopting Dashlane Password Manager in the case study.
Interested in learning more about how SMBs can craft a strategic, comprehensive cybersecurity plan?
Download our free password manager guidebook for small businesses.
- Inc. Magazine, “60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack,” May 2018
- NIST, “Cybersecurity Framework,” April 2022
- UpGuard, “How to Perform a Cybersecurity Risk Assessment,” June 2022