How To Create a Small Business Cybersecurity Plan That Works

With the headlines focused on cybercrimes and information leaks affecting large companies, it’s important to remember that small businesses can also be vulnerable to data breaches and other cybersecurity issues. A small business cybersecurity plan is an effective way to document proactive steps that organizations can take to protect themselves from cyber threats.

Want to learn more about using a password manager for your business?

Check out Dashlane’s password manager for small businesses or get started with a free business trial.

Why do you need a small business cybersecurity plan?

With 52% of small to medium-sized businesses (SMBs) experiencing a cyberattack in the past year, most small businesses realize they need to develop or improve strategies to protect their company, employees, and customers from cyber threats. Building effective plans and policies takes time and effort, which is likely why 40% of SMBs still don’t have a cybersecurity plan in place.

  • Small business vulnerabilities: Employees at small businesses often wear multiple hats, and IT resources can be stretched thin, so it’s understandable why some small businesses avoid or postpone cybersecurity planning. At the same time, a small organization may have fewer security protocols and tools at its disposal and may be less able to withstand the cost of a data breach if it happens. Despite the limited resources and conflicting priorities, security policies for small businesses should be considered essential.
  • Flexible work arrangements: Small companies benefit from the flexibility and reduced overhead offered by work-from-home (WFH) and bring-your-own-device (BYOD) policies. An overall system security plan for small businesses should focus on keeping devices and company data secure, even when employees and devices are widely dispersed.
  • Protecting stakeholders and sensitive data: Small businesses often capture personally identifiable information (PII) and other sensitive data on company laptops and other devices. A written cybersecurity strategy defines how to proactively protect data and stakeholders from cyberattacks and how to respond quickly if sensitive data is lost or stolen so that the impact can be minimized.
  • Securing customer and client trust: If a small business stores customer or client information on its servers, securing this data is critical for preserving customer privacy, establishing trust, and meeting any relevant compliance standards. A written cybersecurity plan that is updated as cyber threats evolve helps to safeguard brand integrity and customer satisfaction.

The cybersecurity climate for small businesses is constantly changing. Find out how the latest trends are impacting company policies and employee attitudes as Dashlane highlights 10 New Cybersecurity Trends at Small Businesses.

What makes up a cybersecurity plan?

To create a solid small business cybersecurity plan, you must understand a few important terms and concepts. Here are some core elements you’ll find in a cybersecurity plan: 

  • Security risk assessment: A cybersecurity risk assessment is an organized way to brainstorm security vulnerabilities and the actions needed to address them. Listing potential threat sources, common attack types in your industry, past known threats and breaches, and the potential financial impact of future cyber events allows you to identify and prioritize any gaps in your security profile.

    There are many standardized risk assessment formats available that make it easier to organize and evaluate the information you gather.
  • Secure systems: A secure system consists of the three moving parts—hardware, software, and people—that work together to keep a company safe from cyberattacks and data breaches. Secure systems use prevention, protection, and response in equal measures to protect valuable information and keep the business running smoothly. 
  • Access control protocols: When a user logs in to a company network or application, they must be authenticated to prevent unauthorized access. As part of a cybersecurity policy for small business environments, an access control protocol describes the steps taken to verify user identity with passwords, PINs, or security tokens. Access control is especially important for small businesses monitoring employee logins from multiple devices and locations.
  • Employee training: Effective training requires more than just a read and acknowledge (R&A) checkbox with busy employees quickly skimming through cybersecurity policy documents. Interactive training sessions that stress the reasons for and importance of the cybersecurity plan are more likely to resonate and foster a flourishing cybersecurity culture.

    Cybersecurity training for remote employees should highlight issues like safe password sharing, avoiding public WiFi use without a VPN, prompt reporting of data breaches and malware, and enabling multi-factor authentication.

The 6 steps to creating a small business cybersecurity plan

Cybersecurity planning is made easier by breaking the process into a few simple steps that can gradually move you closer to a customized and effective cybersecurity plan.

  1. Update your hardware and software

As you begin the planning process by assessing risks and forming a project team to complete and carry out the cybersecurity plan, you should prepare your existing systems and software by completing any necessary maintenance and updates. This includes updating web browsers to the latest version, applying any recommended patches for applications and operating systems, and testing your WiFi network to make sure it’s secure.  

  2. Choose your cybersecurity tech stack

Graphic listing the five recommended tools and platforms needed to enable adequate cybersecurity, including firewalls, antivirus software, authentication protocols, monitoring software, and backup and recovery plans.

A cybersecurity tech stack includes the tools and platforms you need to enable your security strategy. To protect your digital assets, the tech stack should be based on the results of the cybersecurity risk assessment and include elements such as:

  • Firewalls: A firewall forms the first line of defense for network security by allowing or blocking network traffic based on predefined security rules.
  • Antivirus software: Good antivirus software continually scans employee computers and devices for harmful malware and other malicious programs that can compromise employee credentials and company data.
  • Authentication protocols: New authentication measures based on the risk assessment might include 2-factor authentication (2FA) or multifactor authentication (MFA) that use identifiers like codes sent through an app or email in addition to password authentication. Dashlane uses 2FA for added protection when you sign in to your password manager from a new device. An optional authenticator app stores 6-digit 2FA tokens for your most important logins.
    • A password manager is also a valuable tool for configuring and managing authentication factors for small business applications, users, and devices.
  • Monitoring software: Monitoring tools that scan the network for vulnerabilities can be used to improve visibility into safe network and device usage for remote employees.
  • Backup and recovery plans: The tech stack includes the internal and cloud storage hardware (servers) that define your options for data storage, backup, and recovery. The cybersecurity policy for small businesses should also include disaster and recovery protocols.

  3. Create a plan for all devices used to conduct work

With BYOD policies in place, each new phone, laptop, tablet, or smartwatch brings unique interoperability and security challenges. The small business cybersecurity plan should define what devices can and cannot be used, what applications can be installed, and how company data is removed from shared devices when employees leave the company. The policy should also include guidelines for reporting lost or stolen devices. A password manager can make it easier to control network access for all devices used to conduct work or to sync credentials remotely. 

  4. Develop sensible cybersecurity policies

Sensible password policies should be risk-based and eliminate legacy practices like 30/60/90-day password reset intervals that do little to improve security. Topics that a well-defined and sensible cybersecurity plan should cover include:

  • Password requirements for length and complexity.
  • Safe password-sharing guidelines, especially for remote employees sharing passwords over the internet.
  • Restrictions on using browser password managers to store information.
  • Conditions when 2FA must be used.
  • Onboarding and offboarding checklists to streamline computer and password setup for new employees and device, data, and password controls for departing employees.

Graphic of an icon representing a PDF handout from an employer with a list of recommended security practices for work-from-home employees.

  5. Inform and train your employees

With remote work redefining security perimeters for small businesses, 37% of organizations have increased cybersecurity training to better inform employees on the latest threats and methods to protect against them. An information security policy for small business environments should describe how training, information sharing, and employee feedback play important roles in preventing cyberattacks and data breaches.  

  6. Install the right tools

You should review and upgrade your cyber tool kit to make sure the threats you’ve identified in your plan can be prevented or addressed consistently. Some of the more useful and cost-effective cybersecurity tools for small businesses include:

  • Antivirus software to protect employees from malware, phishing, and spyware.
  • A virtual private network (VPN) to encrypt all data going into or out of employee devices and route it through a secure portal.
  • Single sign-on (SSO) to reduce attack surfaces by allowing employees to log in just once per day, using one set of secure credentials.
  • A password manager to improve security and efficiency by creating, encrypting, storing, and auto-filling complex and unique passwords for employees.

How Dashlane makes your cybersecurity plan more effective

Despite the growing popularity of cybersecurity tools, 69% of small businesses are still concerned about being the victim of a cyberattack. Cybersecurity plans for small businesses bridge this gap by defining how tools, training, rules, and infrastructure come together to foster a security culture. With password management features such as SSO, VPN, encryption, a secure password-sharing portal, and 2FA, Dashlane provides solutions that support and sustain small business cybersecurity plans.  

Cybersecurity planning is too valuable to delay.

Learn more about the unique password and security challenges of small companies by reviewing the informative Dashlane Password Playbook for Small Businesses.


