Pratum Blog

People sitting at desk having meeting with text overlay Cybersecurity for Small Businesses

The biggest cybersecurity risk for small businesses comes from within your own team, one expert told a recent cybersecurity summit. “It’s optimism bias,” says John Hoyt, deputy director of information security at Clemson University. “They think it’s going to happen to somebody else.”

To provide cybersecurity tips for small businesses who are ready to take ownership of their risks, Clemson recently hosted the South Carolina Small Business Cybersecurity Summit. Pratum attended the virtual event, which featured several panels full of experts from the Department of Homeland Security, the U.S. Small Business Administration and The New York Times’ cybersecurity beat.

The highlights reported below revolve around two key takeaways shared by these thought leaders:

  • Every business will be targeted.
  • Following basic cybersecurity hygiene policies can make small businesses vastly less susceptible to breaches without incurring crippling expenses.

It feels like the U.S. is under siege.

Nicole Perlroth Cybersecurity Reporter The New York Times

Journalist Perlroth, author of This is How They Tell Me The World Ends: The Cyberweapons Arms Race, provided insights about the headline-grabbing attacks that affected SolarWinds, Microsoft Exchange Server and the Colonial Pipeline. All of these high-profile breaches, Perlroth said, are evidence of concerted, state-sponsored (or at least state-sanctioned) efforts to compromise systems throughout the U.S.

“In the Ukraine, the security community told me that they see what’s happening there as a dry run,” she said. “When they look at the forensics, they see that Russia is running trials to see which capability works best. The U.S. is the end target, and it’s going to be a lot worse here because everything is digitized. We just keep plugging things in.”

Despite this grim warning, Perlroth remains optimistic—if organizations take the threat seriously and implement basic policies that make a big difference. Her tips for small businesses involve two first steps:


Identify your “crown jewels.” What is the one thing that would devastate your business if it were locked up by cyber criminals via ransomware or other breaches? Develop a plan that protects that data via tools such as segmenting networks and creating backups.


Create a basic cybersecurity hygiene plan. “If you implement tools like multifactor authentication and train your employees in cybersecurity,” Perlroth says, ”you’ll be in a far better position than about 80% of the other potential targets out there.”

Bolstering her argument with the latest headlines, Perlroth noted that when the Colonial Pipeline was breached in May 2021, it did not have an incident response plan in place and still hadn’t patched the Microsoft Exchange Server breach identified two months earlier. If those fundamentals had been in place, the eastern U.S. may have avoided a massive interruption in its fuel supply.

Don’t be the weakest antelope on the plain.

David Trzcinski Acting Chief Information Security Officer U.S. Small Business Administration

Trzcinski noted that hackers rarely go after a specific small business with ransomware or phishing attacks. Hackers run a numbers game in which they scan for vulnerabilities across thousands of networks. When they find an opening, they pounce.

“Lions and tigers seek out the weakest antelope on the plain,” Hoyt said. “Sometimes the answer is simply not being the slowest, weakest antelope. If you implement protections like multifactor authentication (MFA), that’s a deterrent, and the attackers usually move on to someone else.”

Thanks to recent developments in the software as a service (SaaS) sector in the last decade, most cybersecurity solutions are far more affordable today. In the past, every small business would need a software developer to help them roll out something like MFA. “You no longer have that challenge for endpoint protection and other tools,” Trzcinski says. “You don’t have to build and maintain the infrastructure like you once did.”

Trzcinski’s tip is for every organization to evaluate its anticipated reaction to its five most likely breach scenarios, commonly known as tabletop exercises. “Just buy your IT team pizza on a Friday afternoon and work through various situations,” he said.

Trzcinski says the exercise will help the team come up with specific answers such as where key data is backed up and how long it would take to access it. Working out those details could turn a breach that may have killed your company into a disruption that you can recover from quickly.

Cybersecurity begins with the users.

Ken Bible Chief Information Security Officer U.S. Department of Homeland Security

Bible said, “There’s a tendency to think the problem is so big that you can’t do anything, but good cybersecurity basics make a difference.” He offered these tips as first steps for small businesses:


Maintain an offline, encrypted backup of your key data and check it often.


Make a basic incident response plan and emergency communications plan. Write down how you will respond in various scenarios and who on your teams needs to be notified in each situation.


Regularly patch and update all of your software. “I can’t hammer that one enough,” Bible said. “Make it hard for the adversary.”


Maintain a network diagram that shows the flow of information throughout your organization. “If responders have to spend time trying to figure out where things are, that’s precious time you’re wasting,” he says.

Bible also emphasized the importance of creating a cybersecurity culture that runs from the top executives down. He pointed to “smishing,” bogus text messages with links that can be used as pivots into larger systems, as a key area to emphasize in training right now.

If you can tap into an ISAC for your sector, that’s invaluable.

John Hoyt Deputy Director of Information Security Clemson University

Hoyt recommends looking up the Information Sharing and Analysis Center (ISAC) specific to your sector. The 25 ISACs across the country are organized through the National Council of ISACs to provide sector-specific threat and mitigation information for their member organizations. “You can find out about security threats targeting your sector,” Hoyt says. “That’s so important to share the latest information with each other.” (This recent Pratum blog recommends additional sources to follow for current threat information.)

Every day, Pratum helps organizations of all sizes implement these best practices and more. Contact us to find out how these tools can help protect your organization.

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.