CYBERSECURITY FOR

SMALL BUSINESS

CYBERSECURITY BASICS

Cyber criminals target Knowing some cybersecurity basics and

putting them in practice will help you
protect your business and reduce the
companies of all sizes. risk of a cyber attack.

PROTECT
YOUR FILES & DEVICES

Update your software Secure your files Require passwords

This includes your apps, web Back up important files offline, Use passwords for all laptops,
browsers, and operating on an external hard drive, or in tablets, and smartphones.
systems. Set updates to the cloud. Make sure you store Don’t leave these devices
happen automatically. your paper files securely, too. unattended in public places.

Encrypt devices Use multi-factor authentication

Encrypt devices and other media that Require multi-factor authentication to access areas of
contain sensitive personal information. your network with sensitive information. This requires
This includes laptops, tablets, additional steps beyond logging in with a password
smartphones, removable drives, backup — like a temporary code on a smartphone or a key
tapes, and cloud storage solutions. that’s inserted into a computer.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

PROTECT YOUR WIRELESS NETWORK

Secure your router
Change the default name and password, turn off remote management,
and log out as the administrator once the router is set up.

Use at least WPA2 encryption

Make sure your router offers WPA2 or WPA3 encryption, and that it’s
turned on. Encryption protects information sent over your network so
it can’t be read by outsiders.

MAKE
SMART SECURITY
YOUR BUSINESS AS USUAL

Require strong passwords Train all staff Have a plan

A strong password is at least Create a culture of security by Have a plan for saving data,
12 characters that are a mix implementing a regular running the business, and
of numbers, symbols, and schedule of employee training. notifying customers if you
capital lowercase letters. Update employees as you find experience a breach. The
Never reuse passwords and out about new risks and FTC’s Data Breach Response:
don’t share them on the vulnerabilities. If employees A Guide for Business gives
phone, in texts, or by email. don’t attend, consider blocking steps you can take. You can
their access to the network. find it at FTC.gov/DataBreach.
Limit the number of unsuccessful
log-in attempts to limit password-
guessing attacks.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS
Understanding

THE NIST CYBERSECURITY

FRAMEWORK
You may have heard about the businesses of all sizes better understand,
manage, and reduce their cybersecurity risk
NIST Cybersecurity Framework, and protect their networks and data. The
Framework is voluntary. It gives your business
but what exactly is it? an outline of best practices to help you decide
where to focus your time and money for
And does it apply to you? cybersecurity protection.
NIST is the National Institute of Standards and You can put the NIST Cybersecurity Framework
Technology at the U.S. Department of Commerce. to work in your business in these five areas:
The NIST Cybersecurity Framework helps Identify, Protect, Detect, Respond, and Recover.

1.IDENTIFY 2. PROTECT
Make a list of all equipment, software, and data • Control who logs on to your network and
you use, including laptops, smartphones, uses your computers and other devices.
tablets, and point-of-sale devices.
• Use security software to protect data.
Create and share a company
cybersecurity policy that covers: • Encrypt sensitive data, at rest and in transit.
• Conduct regular backups of data.
Roles and responsibilities
for employees, vendors, • Update security software regularly,
and anyone else with automating those updates if possible.
access to sensitive data. • Have formal policies for safely disposing
of electronic files and old devices.
Steps to take to protect against
• Train everyone who uses your computers,
an attack and limit the damage
devices, and network about cybersecurity.
if one occurs. You can help employees understand their
personal risk in addition to their crucial
role in the workplace.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS
3. DETECT

Monitor your computers Check your network Investigate any unusual

for unauthorized personnel for unauthorized activities on your
access, devices (like USB users or connections. network or by your staff.
drives), and software.

4. RESPOND
Have a plan for:
• Notifying customers, employees, and • Investigating and containing an attack.
others whose data may be at risk.
• Updating your cybersecurity policy
• Keeping business operations up and running. and plan with lessons learned.
• Reporting the attack to law enforcement • Preparing for inadvertent events
and other authorities. (like weather emergencies) that may
put data at risk.
Test your plan regularly.

5. RECOVER
After an attack:
Repair and restore the Keep employees and customers
equipment and parts of your informed of your response and
network that were affected. recovery activities.

For more information on the NIST Cybersecurity Framework and resources for small businesses,
go to NIST.gov/CyberFramework and NIST.gov/Programs-Projects/Small-Business-Corner-SBC.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

PHYSICAL SECURITY
Cybersecurity begins with An employee accidentally leaves a flash drive
on a coffeehouse table. When he returns hours
strong physical security. later to get it, the drive — with hundreds of
Social Security numbers saved on it — is gone.
Lapses in physical security can expose Another employee throws stacks of old
sensitive company data to identity company bank records into a trash can, where
theft, with potentially serious a criminal finds them after business hours.
consequences. For example:
A burglar steals files and computers from your
office after entering through an unlocked window.

HOW TO PROTECT EQUIPMENT & PAPER FILES

Here are some tips for protecting information in paper files and on hard
drives, flash drives, laptops, point-of-sale devices, and other equipment.

Store securely Limit physical Send reminders Keep stock

When paper files or access Remind employees to Keep track of and
electronic devices When records or put paper files in locked secure any devices
contain sensitive devices contain file cabinets, log out that collect sensitive
information, store sensitive data, allow of your network and customer information.
them in a locked access only to those applications, and Only keep files and
cabinet or room. who need it. never leave files or data you need and
devices with sensitive know who has access
data unattended. to them.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS
HOW TO PROTECT DATA ON YOUR DEVICES
A burglary, lost laptop, stolen mobile phone, or misplaced flash drive — all can happen due to
lapses in physical security. But they’re less likely to result in a data breach if information on
those devices is protected. Here are a few ways to do that:

Require complex passwords

Require passwords that are long, complex, and unique. And make sure that
these passwords are stored securely. Consider using a password manager.

Use multi-factor authentication

Require multi-factor authentication to access areas of your network with sensitive
information. This requires additional steps beyond logging in with a password —
like a temporary code on a smartphone or a key that’s inserted into a computer.

Limit login attempts

Limit the number of incorrect login attempts allowed to unlock devices. This will
help protect against intruders.

Encrypt
Encrypt portable media, including laptops and thumb drives, that contain
sensitive information. Encrypt any sensitive data you send outside of the
company, like to an accountant or a shipping service.

TRAIN Include physical security in your regular employee trainings

and communications. Remind employees to:
YOUR
Shred documents Promote security practices
EMPLOYEES Always shred documents in all locations
with sensitive information Maintain security practices even if working
before throwing them away. remotely from home or on business travel.

Erase data correctly Know the response plan

Use software to erase data All staff should know what to do if
before donating or discarding equipment or paper files are lost or
old computers, mobile devices, stolen, including whom to notify and
digital copiers, and drives. Don’t what to do next. Use Data Breach
rely on “delete” alone. That Response: A Guide for Business for
does not actually remove the help creating a response plan. You can
file from the computer. find it at FTC.gov/DataBreach.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

RANSOMWARE
Someone in your The attackers ask for money or
cryptocurrency, but even if you pay, you don’t
company gets an email. know if the cybercriminals will keep your data
or destroy your files. Meanwhile, the
It looks legitimate — but with one click on a information you need to run your business
link, or one download of an attachment, and sensitive details about your customers,
everyone is locked out of your network. That employees, and company are now in criminal
link downloaded software that holds your hands. Ransomware can take a serious toll
data hostage. That’s a ransomware attack. on your business.

HOW IT Criminals can start a ransomware

HAPPENS attack in a variety of ways.

Scam emails Server

with links and attachments that vulnerabilities
put your data and network at risk. which can be exploited
These phishing emails make up by hackers.
most ransomware attacks.

Infected websites Online ads

that automatically download that contain malicious code
malicious software onto — even on websites you
your computer. know and trust.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS
HOW TO PROTECT YOUR BUSINESS
Have a plan
How would your business stay up and running after a ransomware attack?
Put this plan in writing and share it with everyone who needs to know.

Back up your data

Regularly save important files to a drive or server that’s not connected to your network.
Make data backup part of your routine business operations.

Keep your security up to date

Always install the latest patches and updates. Look for additional means of protection,
like email authentication, and intrusion prevention software, and set them to update
automatically on your computer. On mobile devices, you may have to do it manually.

Alert your staff

Teach them how to avoid phishing scams and show them some of the common ways
computers and devices become infected. Include tips for spotting and protecting
against ransomware in your regular orientation and training.

WHAT TO Limit the damage Keep your business running

DO IF YOU’RE Immediately disconnect the Now’s the time to implement that plan.
infected computers or Having data backed up will help.
ATTACKED devices from your network. If
your data has been stolen, Should I pay the ransom?
take steps to protect your Law enforcement doesn’t recommend
company and notify those that, but it’s up to you to determine
who might be affected. whether the risks and costs of paying
are worth the possibility of getting
Contact the authorities
your files back. However, paying the
Report the attack right away ransom may not guarantee you get
to your local FBI office. your data back.

Notify customers
If your data or personal information was compromised, make sure
you notify the affected parties ― they could be at risk of identity
theft. Find information on how to do that at Data Breach Response:
A Guide for Business. You can find it at FTC.gov/DataBreach.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

PHISHING
You get an email that looks like it’s from someone you know.
It seems to be from one of your company’s vendors and asks that you click on a link to update your
business account. Should you click? Maybe it looks like it’s from your boss and asks for your network
password. Should you reply? In either case, probably not. These may be phishing attempts.

HOW
PHISHING WORKS WHAT YOU CAN DO
Before you click on a link or share any
You get an email or text
of your sensitive business information:
It seems to be from someone you know,
and it asks you to click a link, or give your
password, business bank account, or
Check it out
other sensitive information. Look up the website or phone number for
the company or person behind the text or
It looks real email. Make sure that you’re getting the
It’s easy to spoof logos and make up fake email real company and not about to download
addresses. Scammers use familiar company malware or talk to a scammer.
names or pretend to be someone you know.

It’s urgent Talk to someone

Talking to a colleague might help you figure out
The message pressures you to act now
if the request is real or a phishing attempt.
— or something bad will happen.

What happens next Make a call if you’re not sure

If you click on a link, scammers can install
ransomware or other programs that can Pick up the phone and call that vendor,
lock you out of your data and spread to colleague, or client who sent the email.
the entire company network. If you share Confirm that they really need information
passwords, scammers now have access from you. Use a number you know to be
to all those accounts. correct, not the number in the email or text.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS
HOW TO
WHAT IF YOU FALL FOR A
PROTECT PHISHING SCHEME
YOUR BUSINESS
Back up your data Alert others
Regularly back up your data and Talk to your colleagues and share your
make sure those backups are not experience. Phishing attacks often happen
connected to the network. That to more than one person in a company.
way, if a phishing attack happens
and hackers get to your network,
you can restore your data. Make Limit the damage
data backup part of your routine Immediately change any compromised passwords
business operations. and disconnect from the network any computer or
device that’s infected with malware.
Keep your security
up to date Follow your company’s procedures
Always install the latest patches These may include notifying specific
and updates. Look for additional people in your organization or contractors
means of protection, like email that help you with IT.
authentication and intrusion
prevention software, and set them
to update automatically on your
Notify customers
computers. On mobile devices, If your data or personal information was
you may have to do it manually. compromised, make sure you notify the
affected parties — they could be at risk of
identity theft. Find information on how to do
Alert your staff that at Data Breach Response: A Guide for
Share with them this information. Business (FTC.gov/DataBreach).
Keep in mind that phishing
scammers change their tactics Report it
often, so make sure you include
Forward phishing emails to spam@uce. gov (an
tips for spotting the latest phishing
address used by the FTC) and to
schemes in your regular training.
reportphishing@apwg.org (an address used by
the Anti-Phishing Working Group, which includes
Deploy a safety net ISPs, security vendors, financial institutions, and
Use email authentication law enforcement agencies). Let the company or
technology to help prevent person that was impersonated know about the
phishing emails from phishing scheme. And report it to the FTC at
reaching your company’s FTC.gov/Complaint.
inboxes in the first place.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

BUSINESS
EMAIL IMPOSTERS
A scammer sets up an email address Scammers do this to get passwords and
that looks like it’s from your company. bank account numbers or to get someone
to send them money. When this happens,
Then the scammer sends out messages your company has a lot to lose.
using that email address. This practice is Customers and partners might lose trust
called spoofing, and the scammer is what we and take their business elsewhere — and
call a business email imposter. your business could then lose money.

HOW TO PROTECT YOUR BUSINESS

Use email authentication Keep your security Train your staff

When you set up your up to date Teach them how to avoid
business’s email, make sure the Always install the latest phishing scams and show
email provider offers email patches and updates. Set them them some of the common
authentication technology. That to update automatically on your ways attackers can infect
way, when you send an email network. Look for additional computers and devices with
from your company’s server, the means of protection, like malware. Include tips for
receiving servers can confirm intrusion prevention software, spotting and protecting
that the email is really from you. which checks your network for against cyber threats in your
If it’s not, the receiving servers suspicious activity and sends regular employee trainings
may block the email and foil a you alerts if it finds any. and communications.
business email imposter.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

WHAT TO DO
IF SOMEONE SPOOFS YOUR COMPANY’S EMAIL
Report it
Report the scam to local law enforcement, the FBI’s Internet
Crime Complaint Center at IC3.gov, and the FTC at FTC.gov/
Complaint. You can also forward phishing emails to spam@
uce.gov (an address used by the FTC) and to reportphishing@
apwg.org (an address used by the Anti-Phishing Working Group,
which includes ISPs, security vendors, financial institutions, and
law enforcement agencies).

Notify your customers

If you find out scammers are impersonating your business, tell
your customers as soon as possible — by mail, email, or social
media. If you email your customers, send an email without
hyperlinks. You don’t want your notification email to look like a
phishing scam. Remind customers not to share any personal
information through email or text. If your customers’ data was
stolen, direct them to IdentityTheft.gov to get a recovery plan.

Alert your staff

Use this experience to update your security practices and
train your staff about cyber threats.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

TECH SUPPORT SCAMS

You get a phone call, pop-up, Often, scammers are behind these calls, pop-
up messages, and emails. They want to get
or email telling you there’s a your money, personal information, or access to
your files. This can harm your network, put
problem with your computer. your data at risk, and damage your business.

HOW THE SCAM WORKS

The scammers may pretend to be from a well-known tech company, such as Microsoft. They
use lots of technical terms to convince you that the problems with your computer are real.
They may ask you to open some files or run a scan on your computer — and then tell you
those files or the scan results show a problem…but there isn’t one.

The scammers may then:

Ask you to give them remote Try to enroll you in a worthless
access to your computer — computer maintenance or
which lets them access all warranty program
information stored on it, and on
any network connected to it Ask for credit card information
so they can bill you for phony
Install malware that gives them services or services available
access to your computer and elsewhere for free
sensitive data, like user names
and passwords Direct you to websites and
ask you to enter credit card,
Try to sell you software or repair bank account, and other
services that are worthless or personal information
available elsewhere for free

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS
HOW TO PROTECT YOUR BUSINESS
If a caller says your computer has a problem, hang up. A tech support call you don’t expect is a scam
— even if the number is local or looks legitimate. These scammers use fake caller ID information
to look like local businesses or trusted companies.

If you get a pop-up message to call tech support, ignore it. Some pop-up messages about
computer issues are legitimate, but do not call a number or click on a link that appears in a pop-up
message warning you of a computer problem.

If you’re worried about a virus or other threat, call your security software company directly, using
the phone number on its website, the sales receipt, or the product packaging. Or consult a
trusted security professional.

Never give someone your password, and don’t give remote access to your computer to
someone who contacts you unexpectedly.

WHAT TO DO IF YOU’RE
SCAMMED
If you shared your password with a If the affected computer is
scammer, change it on every account connected to your network, you or a
that uses this password. Remember security professional should check
to use unique passwords for each the entire network for intrusions.
account and service. Consider using
a password manager. If you bought bogus services, ask
your credit card company to
Get rid of malware. Update or reverse the charges, and check
download legitimate security your statement for any charges you
software. Scan your computer, and didn’t approve. Keep checking your
delete anything the software says is credit card statements to make
a problem. If you need help, consult sure the scammer doesn’t try to re-
a trusted security professional. charge you every month.

Report the attack right away to the FTC at FTC.gov/Complaint.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

CYBER INSURANCE
Recovering from Cyber insurance is one option that can help protect your
business against losses resulting from a cyber attack. If you’re
a cyber attack thinking about cyber insurance, discuss with your insurance
agent what policy would best fit your company’s needs, including
whether you should go with first-party coverage, third-party
can be costly. coverage, or both. Here are some general tips to consider.

WHAT SHOULD YOUR

CYBER INSURANCE POLICY
COVER?
Make sure your policy includes coverage for:
Data breaches (like Cyber attacks on your Terrorist acts
incidents involving theft of data held by vendors and
personal information) other third parties

Cyber attacks (like Cyber attacks that occur

breaches of your network) anywhere in the world (not
only in the United States)

Also, consider whether your cyber insurance provider will:

Defend you in a lawsuit or Provide coverage in excess Offer a breach hotline
regulatory investigation (look of any other applicable that’s available every day
for “duty to defend” wording) insurance you have of the year at all times

LEARN MORE AT: The FTC thanks the National Association of Insurance
FTC.gov/SmallBusiness Commissioners (NAIC) for its role in developing this content.
 CYBERSECURITY FOR

SMALL BUSINESS
WHAT IS
FIRST-PARTY COVERAGE
AND WHAT SHOULD YOU LOOK FOR?
First-party cyber coverage protects your data, including employee and customer
information. This coverage typically includes your business’s costs related to:

Legal counsel to Customer Crisis management Forensic services

determine your notification and call and public relations to investigate the
notification and center services breach
regulatory obligations

Recovery and Lost income Cyber extortion Fees, fines, and

replacement of due to business and fraud penalties related to
lost or stolen data interruption the cyber incident

WHAT IS
THIRD-PARTY COVERAGE
AND WHAT SHOULD YOU LOOK FOR?
Third-party cyber coverage generally protects you from liability if a third
party brings claims against you. This coverage typically includes:
Payments to consumers Claims and settlement Losses related to
affected by the breach expenses relating to defamation and copyright
disputes or lawsuits or trademark infringement

Costs for litigation and Other settlements, Accounting costs

responding to regulatory damages, and judgments
inquiries

More insurance resources for small businesses available at www.insureuonline.org/smallbusiness

LEARN MORE AT: The FTC thanks the National Association of Insurance
FTC.gov/SmallBusiness Commissioners (NAIC) for its role in developing this content.
 CYBERSECURITY FOR

SMALL BUSINESS

EMAIL AUTHENTICATION
Email authentication technology makes it a lot harder for a scammer
to send phishing emails that look like they’re from your company.
Using email authentication technology makes it a lot harder for scammers to send phishing
emails. This technology allows a receiving server to verify an email from your company and block
emails from an imposter — or send them to a quarantine folder and then notify you about them.

WHAT TO KNOW
Some web host providers let you set up your company’s business email using your domain name (which
you may think of as your website name). Your domain name might look like this: yourbusiness.com. And
your email may look like this: name@yourbusiness.com. Without email authentication, scammers can use
that domain name to send emails that look like they’re from your business. If your business email uses your
company’s domain name, make sure that your email provider has these three email authentication tools:

Sender Policy Framework (SPF) Domain-based Message Authentication,

tells other servers which servers are allowed to send Reporting & Conformance (DMARC)
emails using your business’s domain name. So when
is the essential third tool for email authentication.
you send an email from name@yourbusiness. com,
SPF and DKIM verify the address the server
the receiving server can confirm that the sending
uses “behind the scenes.” DMARC verifies that
server is on an approved list. If it is, the receiving
this address matches the “from” address you
server lets the email through. If it can’t find a match,
see. It also lets you tell other servers what to do
the email can be flagged as suspicious.
when they get an email that looks like it came
from your domain, but the receiving server has
Domain Keys Identified Mail (DKIM) reason to be suspicious (based on SPF or
puts a digital signature on outgoing mail so DKIM). You can have other servers reject the
servers can verify that an email from your domain email, flag it as spam, or take no action. You also
actually was sent from your organization’s servers can set up DMARC so that you’re notified when
and hasn’t been tampered with in transit. this happens.

It takes some expertise to configure these tools so that they work as intended and don’t block legitimate
email. Make sure that your email hosting provider can set them up if you don’t have the technical
knowledge. If they can’t, or don’t include that in their service agreement, consider getting another provider.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS
WHAT TO DO IF YOUR
EMAIL IS SPOOFED
Email authentication helps keep your business’s email from being used in phishing
schemes because it notifies you if someone spoofs your company’s email. If you get that
notification, take these actions:

Report it
Report the scam to local law enforcement, the FBI’s Internet Crime
Complaint Center at IC3.gov, and the FTC at FTC.gov/Complaint. You
also can forward phishing emails to spam@uce.gov (an address used
by the FTC) and to reportphishing@apwg.org (an address used by the
Anti-Phishing Working Group, which includes ISPs, security vendors,
financial institutions, and law enforcement agencies).

Notify your customers

If you find out scammers are impersonating your business, tell your
customers as soon as possible — by mail, email, or social media. If
you email your customers, send an email without hyperlinks: you
don’t want your notification email to look like a phishing scam.
Remind customers not to share any personal information through
email or text. And if your customers’ data was stolen, direct them to
IdentityTheft.gov to get a recovery plan.

Alert your staff

Use this experience to update your security practices and train your
staff about cyber threats.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

VENDOR SECURITY
Your business vendors Make sure those vendors are securing their own computers
and networks. For example, what if your accountant, who
may have access to has all your financial data, loses his laptop? Or a vendor
whose network is connected to yours gets hacked? The
sensitive information. result: your business data and your customers’ personal
information may end up in the wrong hands — putting your
business and your customers at risk.

HOW TO MONITOR YOUR VENDORS

Put it in writing Verify compliance Make changes as needed

Include provisions for security Establish processes so you Cybersecurity threats
in your vendor contracts, like a can confirm that vendors change rapidly. Make
plan to evaluate and update follow your rules. Don’t just sure your vendors keep
security controls, since threats take their word for it. their security up to date.
change. Make the security
provisions that are critical to
your company non-negotiable.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS
HOW TO PROTECT YOUR BUSINESS
Control access
Put controls on databases with sensitive information. Limit access to a need-to-
know basis, and only for the amount of time a vendor needs to do a job.

Use multi-factor authentication

This makes vendors take additional steps beyond logging in with a password
to access your network — like a temporary code on a smartphone or a key
that’s inserted into a computer.

Secure your network

Require strong passwords: at least 12 characters with a mix of numbers, symbols, and
both capital and lowercase letters. Never reuse passwords, don’t share them, and limit
the number of unsuccessful log-in attempts to limit password-guessing attacks.

Safeguard your data

Use properly configured, strong encryption. This protects sensitive information
as it’s transferred and stored.

WHAT TO DO IF A Contact the authorities Confirm the

VENDOR HAS A Report the attack right away vendor has a fix
DATA BREACH to your local police
department. If they’re not
Make sure that the vendor
fixes the vulnerabilities and
familiar with investigating ensures that your information
information compromises, will be safe going forward,
contact your local FBI office. if your business decides to
continue using the vendor.

Notify customers
If your data or personal information was compromised,
make sure you notify the affected parties — they could
be at risk of identity theft. Find information on how to do
that at Data Breach Response: A Guide for Business.
Find it at FTC.gov/DataBreach.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

HIRING A WEB HOST

You may want a new But if you don’t have the skills to set up the web
presence you want, you may want to hire a web host
or upgraded website provider to do it for you. Whether you’re upgrading a
website or launching a new business, there are many
web-hosting options. When comparing services,
for your business. security should be a top concern.

WHAT TO LOOK FOR

Transport Layer Security (TLS) Email authentication
The service you choose should include TLS, Some web host providers let you set up your
which will help to protect your customers’ company’s business email using your domain name
privacy. (You may have heard of its (that’s part of your URL, and what you may think of
predecessor, Secure Sockets Layer, or as your website name). Your domain name might
SSL.) TLS helps make sure that your look like this: yourbusiness.com. And your email
customers get to your real website when may look like this: name@yourbusiness.com. If you
they type your URL into the address bar. don’t have email authentication, scammers can
When TLS is correctly implemented on your impersonate that domain name and send emails
website, your URL will begin with https://. that look like they’re from your business.
TLS also helps make sure the information When your business email is set up using
sent to your website is encrypted. That’s your company’s domain name, make sure
especially important if you ask customers that your web host can give you these three
for sensitive information, like credit card email authentication tools:
numbers or passwords. • Sender Policy Framework (SPF)
• Domain Keys Identified Mail (DKIM)
• Domain-based Message Authentication,
Reporting & Conformance (DMARC)

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR
SMALL BUSINESS

WHAT TO Software updates

LOOK FOR Many web host providers offer pre-built websites or software
packages designed to make it quick and easy to set up your
company’s website. As with any software, it is essential that
you use the latest versions with up-to-date security patches.
Make sure you know how to keep the website’s software up to
date, or whether the web host provider will do this for you.

Website management
If a web host provider is managing your website, you may have
to go through that provider to make any changes — though you
may be able to log in and make some changes yourself. Some
web host providers may instead offer you the option of
managing the website on your own. It’s important to clarify from
the beginning who will manage the website after it’s built.

WHAT TO ASK
When you’re hiring a web host provider, ask these questions to make sure
you’re helping protect your customer information and your business data.

Is TLS included in the hosting plan? Are the most up-to-date software
paid add-on? Will I set it up myself versions available with your service, and
or will you help me set it up? will you keep software updated? If it’s
my responsibility to keep software
updated, is it easy for me to do?

Can my business email use my After the website is set up, who will be
business website name? If so, can able to make changes to it? Will I have
you help me set up SPF, DKIM, to go through you? Will I be able to log
and DMARC email authentication in and make changes on my own? If I
technology? (If not, consider can log in to make changes, is multi-
looking for a provider that does.) factor authentication available?

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR

SMALL BUSINESS

SECURE
REMOTE ACCESS
Employees and vendors may need to connect to your network remotely.
Put your network’s security first. Make employees and vendors follow strong security standards
before they connect to your network. Give them the tools to make security part of their work routine.

HOW TO
PROTECT DEVICES
Whether employees or vendors use company-issued devices or their own
when connecting remotely to your network, those devices should be secure.
Follow these tips — and make sure your employees and vendors do as well:
Always change any pre-set router passwords and
the default name of your router. And keep the
router’s software up to date; you may have to visit
the router’s website often to do so.

Consider enabling full-disk encryption for laptops and

other mobile devices that connect remotely to your
network. Check your operating system for this option,
which will protect any data stored on the device if it’s
lost or stolen. This is especially important if the device
stores any sensitive personal information.

Change smartphone settings to stop automatic

connections to public Wi-Fi.

Keep up-to-date antivirus software on devices that

connect to your network, including mobile devices.

LEARN MORE AT:

FTC.gov/SmallBusiness
 CYBERSECURITY FOR
SMALL BUSINESS
HOW TO CONNECT
Require employees and vendors to use
REMOTELY secure connections when connecting
TO THE NETWORK remotely to your network. They should:
Use a router with WPA2 or WPA3 encryption when connecting from their homes.
Encryption protects information sent over a network so that outsiders can’t read it.
WPA2 and WPA3 are the only encryption standards that will protect information
sent over a wireless network.

Only use public Wi-Fi when also using a virtual private network (VPN) to encrypt
traffic between their computers and the internet. Public Wi-Fi does not provide a
secure internet connection on its own. Your employees can get a personal VPN
account from a VPN service provider, or you may want to hire a vendor to create
an enterprise VPN for all employees to use.

WHAT TO DO TO MAINTAIN SECURITY

Train your staff: Include information on secure remote access in regular trainings
and new staff orientations.

Have policies covering basic cybersecurity, give copies to your

employees, and explain the importance of following them.
Before letting any device — whether at an employee’s home or on a
vendor’s network — connect to your network, make sure it meets your
network’s security requirements.
Tell your staff about the risks of public Wi-Fi.

Give your staff tools that will help maintain security:

• Require employees to use • Require multi-factor authentication to access areas of your
unique, complex network network that have sensitive information. This requires additional
passwords and avoid steps beyond logging in with a password — like a temporary code
unattended, open workstations. on a smartphone or a key that’s inserted into a computer.

• Consider creating a VPN • If you offer Wi-Fi on your • Include provisions for
for employees to use business premises for guests security in your vendor
when connecting remotely and customers, make sure it’s contracts, especially if the
to the business network. separate from and not connected vendor will be connecting
to your business network. remotely to your network.

LEARN MORE AT:

FTC.gov/SmallBusiness