Cybersecurity should be top of mind for all small business owners. Why? Because small businesses are increasingly becoming the targets of cyberattacks. 46% of cyberattacks target small businesses with fewer than 1000 employees. Furthermore, employees at small businesses are 350% more likely to be targeted by cyberattacks than those at more prominent corporations.

Understandably, it’s critically important for small businesses to be aware of cybersecurity threats and take active measures to prevent them. Social engineers are constantly finding new ways to exploit human vulnerabilities, and as technologies evolve, so do the methods used by cybercriminals. A social engineer uses psychological manipulation to trick people into revealing confidential information or performing actions that could jeopardize security.

How can I limit the threat of cybersecurity attacks?

Educate Yourself and Your Employees on Cybersecurity Threats

The first step in protecting your small business from a cyberattack is to educate yourself and your employees on the latest cybersecurity threats. You can be more proactive in protecting your business by staying up-to-date on the latest cybersecurity threats. You can also train your employees to spot a potential threat and what to do if they think a cyberattacker has targeted them. KnowBe4, for example, offers a quick 20-minute cybersecurity course that you can enroll your employees in for added security.

Invest in Cybersecurity Software and Hardware

Another essential step in protecting your small business from a cybersecurity attack is to invest in cybersecurity software and hardware. There are many different types of software and hardware available, so it’s essential to do your research to find the right solution for your business. For example, if you store sensitive customer data, you’ll want to invest in software that encrypts that data. Consider investing in anti-virus, firewall, and malware protection software.

When you first receive your router from your internet provider, immediately change the network’s name and set a strong password. The default password that ships with your router is publicly known. Therefore, if you don’t change it, anyone who knows the default can log in to the router and lock you out. Think about it like a lock on your house – if you don’t change the locks when you first buy your home, anyone with an old key can still get in.

Router security is essential not only for your business’s physical location but for your and your employees’ houses. If you or your employees work from home, ensuring they have secure router passwords is critical. Otherwise, a hacker could get into the network and hijack it, leading to further loss of sensitive business data and many headaches.

Implement Two-Factor Authentication

One of the simplest things you can do to improve your small business’s cybersecurity is to implement strong passwords and two-factor authentication (2FA). Two-factor authentication is an extra layer of security that requires users to provide two pieces of information before accessing an account. This could be something like a password and a code that is sent to your mobile phone.

Two-factor authentication is vital for any website or app you use that requires a password. Two-factor is especially crucial for apps like Instagram and Facebook that are prone to being hacked. My brother, for example, had his Instagram account hacked and could never recover it because Meta’s customer service is practically nonexistent (unless you have a high-spending ad account with them).

Use Strong and Unique Passwords

For each account your business has, you should set a unique password. This means using a different password for every login rather than reusing one across several. If all your passwords are the same and one is compromised, all your accounts are at risk. Furthermore, it’s good practice to update your passwords routinely. Password managers such as 1Password or SafeInCloud make it easy to keep track of your passwords, so you don’t forget them.

A strong password should include numbers and special characters and be at least ten characters long. A good tip is to start from a phrase such as “I love pizza” and substitute numbers and special characters, for example 1Lov3p1zzA! Doing so makes your passwords easier to remember and harder for hackers to guess.

What is the most common type of Cyberattack on Small Businesses?

Phishing attacks are the most common cyberattack on small businesses. In a phishing attack, a hacker will send an email that looks like it’s from a legitimate source, such as a bank or credit card company. The email will contain a link that takes you to a fake website where you’re asked to enter personal information, such as your social security number or credit card number. Hackers can use this information to commit identity theft or fraud.

Phishing attacks are also used on social media. These attacks on social media can take various forms. For example, you may receive a direct message from someone telling you that you’ve won a prize. Or, you could receive a direct message stating that they will help you grow your following for free or that they offer a service that can benefit your business.

On Instagram alone, I get hit with phishing scams almost daily! I mean, it’s honestly ridiculous. I decided just for fun to scroll through my DMs for some examples for this blog post, and here’s what I found:

[Screenshots of Instagram direct messages; the images themselves are not included here.]

First image, left: not necessarily phishing, but a person posing from a legitimate account looking for me to pay them for more followers.

First image, center: sending links to me; no profile photo; the links are incredibly suspicious.

First image, right: someone posing as an official Instagram account. This is NOT legitimate. Instagram will not message you like this for verification.

Second image, left: a person, not a company, reaching out to me because they want to “pay me for a sponsored post”. This is highly suspicious. Notice that the grammar is off as well.

Second image, right: the Bitcoin scams on Instagram have been around for a while. This one is trying to tell me to click through to this person’s profile.

Please note that NONE of these are credible messages. Social engineers have gotten extremely good at disguising themselves on social media. It is critical to NEVER click on a link in a social media direct message. Social engineers will leverage social media and create lookalike accounts that look like people you follow but are not.

To learn more about social media security, check out our article here.

How can I spot a Phishing attack?

There are a few key indicators to look for when determining whether or not someone is attempting a phishing attack.

1: Check the URL: One of the easiest ways to spot a phishing email is to look at the URL of the link included in the email. If you hover over (don’t click) the link, most browsers and mail clients will show you the actual URL you would be taken to if you clicked. If the URL looks strange, is misspelled, or doesn’t match the company it’s supposedly from, it’s probably a phishing email.

Sometimes social engineers will use shortened URLs or those that look like the original URL they are copying. Generally, it is better to be safe than sorry, so avoid clicking on URLs from unknown senders.

2: Look for poor grammar and spelling: Another indicator of a phishing email is poor grammar and spelling. Often, these emails are created in a hurry by someone who isn’t a native English speaker. While not all phishing emails will have bad grammar, it’s something to look out for.

3: Be wary of unexpected attachments: Most businesses will never send you an attachment out of the blue, so if you get an email with an attachment from someone you don’t know, it’s probably a phishing email. These attachments can contain malware that will infect your computer if you open them. Be sure to immediately report the email as spam, and do not open the attachment.

4: Check the “To” and “From” fields: One way to spot a phishing email is to look at the “To” and “From” fields. If you see that the email is addressed to a large group of people (e.g., “undisclosed recipients”), or if the “From” field looks suspicious (e.g., it contains a random string of characters), then it’s probably a phishing email.

Social engineers will create emails that look authentic at a glance but are visibly not—for example, [email protected]. Be on the lookout for the email’s sender address, as this can be a quick indicator that the email is a phishing attempt and not legitimate.

Notice that the “From” address is [email protected] – this is NOT a legitimate email address for Instagram.
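As an added example that is not from the original post or from KnowBe4, the Python script below applies indicators 1 and 4 above (the link target versus the link text, lookalike domains, and the “To”/“From” fields) to two constructed sample emails; every domain and address in it is made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed samples (not real messages): a phishing-style email impersonating
# a bank, and a legitimate one from the bank's real domain for comparison.
PHISH_EMAIL = """From: "Example Bank Security" <alerts@examp1e-bank-login.example>
To: undisclosed-recipients:;
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account is locked. <a href="http://examp1e-bank-login.example/verify">https://www.example-bank.example/login</a></p>
"""
LEGIT_EMAIL = """From: "Example Bank" <alerts@example-bank.example>
To: owner@smallbiz.example
Subject: Your monthly statement
Content-Type: text/html

<p>Your statement is ready: <a href="https://www.example-bank.example/statements">https://www.example-bank.example/statements</a></p>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
def lookalike(domain, expected):
    """True if domain mimics expected (digit-for-letter swaps, extra words) but is not it."""
    d = domain.lower()
    if d == expected or d.endswith("." + expected):
        return False  # the real domain or one of its own subdomains
    normalized = d.replace("1", "l").replace("0", "o")
    return expected.split(".")[0] in normalized

def phishing_indicators(raw, expected_domain):
    """Return the indicators from the list above that fire on a raw email."""
    msg = message_from_string(raw)
    findings = []
    # 1: check the URL: compare the visible link text with where the href really goes
    for href, text in HREF_RE.findall(msg.get_payload()):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
        if real and lookalike(real, expected_domain):
            findings.append(f"lookalike domain in link: {real}")
    # 4: check the "To" and "From" fields
    sender_domain = parseaddr(msg["From"] or "")[1].rsplit("@", 1)[-1].lower()
    if sender_domain != expected_domain:
        findings.append(f"sender domain {sender_domain} is not {expected_domain}")
    if "undisclosed" in (msg["To"] or "").lower():
        findings.append("addressed to undisclosed recipients")
    return findings
```

Running it on the phishing sample reports four indicators, while the legitimate sample reports none; the hover check in the text is exactly the link-text-versus-href comparison this script automates.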

In summary, don’t click on any links or attachments from the email when in doubt. If it’s a legitimate message, the sender will understand if you reach out to them directly to verify the request.

Source: KnowBe4


As a small business owner, it’s vital to take cybersecurity seriously. Small businesses are increasingly becoming the targets of cyberattacks. 87% of small businesses have sensitive information that can be compromised in an attack. In 2021, 61% of small businesses fell victim to a cyberattack. Protecting your small business from cyberattacks is now more critical than ever.

To protect your small business from a costly and reputation-damaging attack, educate yourself and your employees on the latest cybersecurity threats, invest in cybersecurity software and hardware, and implement strong passwords and two-factor authentication (2FA). Be aware of suspicious emails and phishing attacks, and never click on any suspicious links or attachments. Taking these steps can help keep your small business safe from harm.