<!DOCTYPE html> <html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#" class="no-js"> <head> <meta charset="utf-8" /> <meta name="description" content="Cyber incidents have surged among small businesses that often do not have the resources to defend against devastating attacks like ransomware. The security" /> <link rel="canonical" href="https://www.cisa.gov/cyber-guidance-small-businesses" /> <meta property="og:site_name" content="Cybersecurity and Infrastructure Security Agency CISA" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.cisa.gov/cyber-guidance-small-businesses" /> <meta property="og:title" content="Cyber Guidance for Small Businesses | CISA" /> <meta property="og:description" content="Cyber incidents have surged among small businesses that often do not have the resources to defend against devastating attacks like ransomware. The security landscape has changed, and our advice needs to evolve with it." /> <meta name="Generator" content="Drupal 10 (https://www.drupal.org)" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="icon" href="/profiles/cisad8_gov/themes/custom/gesso/favicon.png" type="image/png" /> <title>Cyber Guidance for Small Businesses | CISA</title> <link rel="stylesheet" media="all" href="/core/misc/components/progress.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/misc/components/ajax-progress.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/align.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/fieldgroup.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/container-inline.module.css?ss1oyc" /> <link rel="stylesheet" media="all" 
href="/core/modules/system/css/components/clearfix.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/details.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/hidden.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/item-list.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/js.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/nowrap.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/position-container.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/reset-appearance.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/resize.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-counter.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-counters.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-general-info.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/core/modules/system/css/components/tablesort.module.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/modules/contrib/better_social_sharing_buttons/css/better_social_sharing_buttons.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/modules/contrib/ckeditor_accordion/css/accordion.frontend.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/modules/contrib/extlink/css/extlink.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/modules/contrib/paragraphs/css/paragraphs.unpublished.css?ss1oyc" /> <link rel="stylesheet" media="all" href="/profiles/cisad8_gov/modules/custom/toolbar_tasks/css/toolbar.css?ss1oyc" /> <link 
rel="stylesheet" media="all" href="//fonts.googleapis.com/css2?family=Montserrat:wght@400;500;600;700&family=Public+Sans:wght@400;500;600;700&display=swap" /> <link rel="stylesheet" media="all" href="/profiles/cisad8_gov/themes/custom/gesso/dist/css/styles.css?ss1oyc" /> <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","pathPrefix":"","currentPath":"node\/16035","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"gtag":{"tagId":"","consentMode":false,"otherIds":[],"events":[],"additionalConfigInfo":[]},"ajaxPageState":{"libraries":"eJxdjkEOwjAMBD8UmidFTmzSUDeubAfo7-mhgOCy8ows7WZyJ00mpQEnm0FbrykPd-kWzXc-OJSFsLloglJEsUmPn2u6qnSnjoGefnwvEXVswNOJoYpUpuRQYz3inye4wfNXrqEOe6DFrARYdKz5bSpLBg4bKFSFbbZ329dMo28jc7OZMNhuTmvMYBRchDPoUWKLxZPCsCthlXs6J0AH3r0ViyyAlw9eCvYXn1t24Q","theme":"guswds","theme_token":null},"ajaxTrustedUrl":[],"gtm":{"tagId":null,"settings":{"data_layer":"dataLayer","include_classes":false,"allowlist_classes":"","blocklist_classes":"","include_environment":false,"environment_id":"","environment_token":""},"tagIds":["GTM-53QLXSL9"]},"data":{"extlink":{"extTarget":false,"extTargetAppendNewWindowLabel":"(opens in a new window)","extTargetNoOverride":false,"extNofollow":false,"extTitleNoOverride":false,"extNoreferrer":false,"extFollowNoOverride":false,"extClass":"ext","extLabel":"(link is external)","extImgClass":false,"extSubdomains":true,"extExclude":"(.\\.gov$)|(.\\.mil$)|(.\\.mil\/)|(.\\.gov\/)","extInclude":"","extCssExclude":".c-menu--social,.c-menu--footer,.c-social-links,.c-text-cta--button,.usa-footer__contact-info","extCssInclude":"","extCssExplicit":"","extAlert":true,"extAlertText":"You are now leaving an official website of the United State Government (USG), the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). 
Links to non-USG, non-DHS and non-CISA sites are provided for the visitor\u0027s convenience and do not represent an endorsement by USG, DHS or CISA of any commercial or private issues, products or services. Note that the privacy policy of the linked site may differ from that of USG, DHS and CISA.","extHideIcons":false,"mailtoClass":"mailto","telClass":"","mailtoLabel":"(link sends email)","telLabel":"(link is a phone number)","extUseFontAwesome":false,"extIconPlacement":"append","extPreventOrphan":false,"extFaLinkClasses":"fa fa-external-link","extFaMailtoClasses":"fa fa-envelope-o","extAdditionalLinkClasses":"","extAdditionalMailtoClasses":"","extAdditionalTelClasses":"","extFaTelClasses":"fa fa-phone","whitelistedDomains":[],"extExcludeNoreferrer":""}},"ckeditorAccordion":{"accordionStyle":{"collapseAll":1,"keepRowsOpen":0,"animateAccordionOpenAndClose":1,"openTabsWithHash":1}},"user":{"uid":0,"permissionsHash":"0f75d40308887aebba0d5b0d2671305b73c9431902f86e672380a6dc6ab97d07"}}</script> <script src="/core/misc/drupalSettingsLoader.js?v=10.4.1"></script> <script src="/modules/contrib/google_tag/js/gtag.js?ss1oyc"></script> <script src="/modules/contrib/google_tag/js/gtm.js?ss1oyc"></script> <script src="https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=DHS&subagency=CISA&yt=true" id="_fed_an_ua_tag" async></script> </head> <body class="path-node not-front node-page node-page--node-type-page" id="top"> <div class="c-skiplinks"> <a href="#main" class="c-skiplinks__link u-visually-hidden u-focusable">Skip to main content</a> </div> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-53QLXSL9" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="l-site-container"> <section class="usa-banner" aria-label="Official government website"> <div class="usa-accordion"> <header class="usa-banner__header"> <div 
class="usa-banner__inner"> <div class="grid-col-auto"> <img class="usa-banner__header-flag" src="/profiles/cisad8_gov/themes/custom/gesso/dist/images/us_flag_small.png" alt="U.S. flag" /> </div> <div class="grid-col-fill tablet:grid-col-auto"> <p class="usa-banner__header-text">An official website of the United States government</p> <p class="usa-banner__header-action" aria-hidden="true">Here’s how you know</p></div> <button class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner"> <span class="usa-banner__button-text">Here’s how you know</span> </button> </div> </header> <div class="usa-banner__content usa-accordion__content" id="gov-banner"> <div class="grid-row grid-gap-lg"> <div class="usa-banner__guidance tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/profiles/cisad8_gov/themes/custom/gesso/dist/images/icon-dot-gov.svg" alt="Dot gov"> <div class="usa-media-block__body"> <p> <strong>Official websites use .gov</strong> <br> A <strong>.gov</strong> website belongs to an official government organization in the United States. 
</p> </div> </div> <div class="usa-banner__guidance tablet:grid-col-6"> <img class="usa-banner__icon usa-media-block__img" src="/profiles/cisad8_gov/themes/custom/gesso/dist/images/icon-https.svg" alt="HTTPS"> <div class="usa-media-block__body"> <p> <strong>Secure .gov websites use HTTPS</strong> <br> A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-title banner-lock-description"><title id="banner-lock-title">Lock</title><desc id="banner-lock-description">A locked padlock</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"/></svg></span>) or <strong>https://</strong> means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites. 
</p> </div> </div> </div> </div> </div> </section> <div class="c-block c-global-header-btns c-global-btns"> <div class="l-constrain l-constrain"> <div class="c-block__content"> <div id="block-globalbuttons" class="c-block c-block--provider-block-content c-block--id-block-content83069f9f-34fc-4d54-86ec-936a204f8088"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p><a class="c-button c-button--basic c-button--blue" href="/resources-tools/resources/free-cybersecurity-services-and-tools" title="Free Cyber Services">Free Cyber Services</a><a class="c-button c-button--basic c-button--green60" href="/securebydesign">Secure by design </a><a class="c-button c-button--basic c-button--teal" href="/node/18883">Secure Our World</a><a class="c-button c-button--campaign" href="/node/8056">Shields Up</a><a class="c-button c-button--report" href="/report">Report A Cyber Issue</a></p></div></div> </div> </div> </div> </div> </div> <div class="usa-overlay"></div> <header class="usa-header usa-header--extended" role="banner"> <div class="usa-navbar"> <div class="l-constrain"> <div class="usa-navbar__row"> <div class="c-block c-site-header"> <div class="l-constrain"> <div class="c-block__content"> <div id="block-guswds-cisaheaderblock" class="c-block c-block--provider-block-content c-block--id-block-contentbc4e6844-86b4-4e20-b163-a73bda3d1d76"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><a href="/"><img src = "/sites/default/files/images/SVG/header_logo_tagline_update.svg" alt="Cybersecurity & Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and Resilience"/><img class="print-only" src = "/sites/default/files/images/SVG/header_logo_tagline_update.png" alt="Cybersecurity & 
Infrastructure Security Agency logo America’s Cyber Security Defense Agency National Coordinator For Critical Infrastructure Security and Resilience"/></a></div></div> </div> </div> </div> </div> </div> <div class="c-block c-site-header-mobile"> <div class="l-constrain"> <div class="c-block__content"> <div id="block-guswds-cisaheaderblockmobile" class="c-block c-block--provider-block-content c-block--id-block-content283396c9-cd36-4ce3-b1e2-9b5576ab4f50"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><a href="/"><img src = "/sites/default/files/images/SVG/mobile_logo_wordmark.svg" alt="CISA Logo"/></a></div></div> </div> </div> </div> </div> </div> <div class="usa-navbar__search"> <div class="usa-navbar__search-header"> <p>Search</p> </div> <div class="usa-search"> <script async src=https://cse.google.com/cse.js?cx=ffc4c79e29d5b3a8c></script> <div class="gcse-searchbox-only" data-resultsurl="/search"> </div> </div> </div> <button class="mobile-menu-button usa-menu-btn">Menu</button> </div> </div> </div> <div class="c-block c-tagline-mobile"> <div class="l-constrain"> <div class="c-block__content"> <div id="block-guswds-mobiletaglinecontainer" class="c-block c-block--provider-block-content c-block--id-block-contentc8d12e9d-7e48-4708-90c1-563609c4b566"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p><center><img src = "/sites/default/files/images/SVG/header_tagline_mobile_update.svg" alt = "America's Cyber Defense Agency" /></center></div></div> </div> </div> </div> </div> </div> <nav class="usa-nav" role="navigation" aria-label="Primary navigation"> <div class="usa-nav__inner l-constrain"> <div class="usa-nav__row"> <button class="usa-nav__close">Close</button> <div class="usa-search"> <script async 
src=https://cse.google.com/cse.js?cx=ffc4c79e29d5b3a8c></script> <div class="gcse-searchbox-only" data-resultsurl="/search"> </div> </div> <ul class="usa-nav__primary usa-accordion"> <li class="usa-nav__primary-item topics"> <button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="basic-mega-nav-section-1"> <span>Topics</span> </button> <div id="basic-mega-nav-section-1" class="usa-nav__submenu usa-megamenu" hidden=""> <div class="usa-megamenu__parent-link"> <a href="/topics">Topics</a> </div> <div class="usa-megamenu__menu-items"> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/cybersecurity-best-practices"> <span>Cybersecurity Best Practices</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/cyber-threats-and-advisories"> <span>Cyber Threats and Advisories</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/critical-infrastructure-security-and-resilience"> <span>Critical Infrastructure Security and Resilience</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/election-security"> <span>Election Security</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/emergency-communications"> <span>Emergency Communications</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/industrial-control-systems"> <span>Industrial Control Systems</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/information-communications-technology-supply-chain-security"> <span>Information and Communications Technology Supply Chain Security</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/topics/partnerships-and-collaboration"> <span>Partnerships and Collaboration</span> </a> </div> </div> <div 
class="usa-nav__submenu-item"> <a href="/about/divisions-offices"> <span>Divisions & Offices</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/regions"> <span>Regions</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/leadership"> <span>Leadership</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/doing-business-cisa"> <span>Doing Business with CISA</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/site-links"> <span>Site Links</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/cisa-github"> <span>CISA GitHub</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/cisa-central"> <span>CISA Central</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/contact-us"> <span>Contact Us </span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/about/contact-us/subscribe-updates-cisa"> <span>Subscribe</span> </a> </div> </div> <div class="usa-col"> <div class="usa-nav__submenu-item"> <a href="/eeo-policies"> <span>Policies & Plans</span> </a> </div> </div> </div> </div> </li> </ul> <div class="c-block c-global-menu-btns c-global-btns"> <div class="c-block__content"> <div id="block-globalbuttons" class="c-block c-block--provider-block-content c-block--id-block-content83069f9f-34fc-4d54-86ec-936a204f8088"> <div class="c-block__content"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><p><a class="c-button c-button--basic c-button--blue" href="/resources-tools/resources/free-cybersecurity-services-and-tools" title="Free Cyber Services">Free Cyber Services</a><a class="c-button c-button--basic c-button--green60" href="/securebydesign">Secure by design </a><a 
class="c-button c-button--basic c-button--teal" href="/node/18883">Secure Our World</a><a class="c-button c-button--campaign" href="/node/8056">Shields Up</a><a class="c-button c-button--report" href="/report">Report A Cyber Issue</a></p></div></div> </div> </div> </div> </div> </div> </div> </nav> </header> <div class="l-breadcrumb"> <div class="l-constrain"> <div class="l-breadcrumb__row"> <nav aria-labelledby="breadcrumb-label" class="c-breadcrumb" role="navigation"> <div class="l-constrain"> <div id="breadcrumb-label" class="c-breadcrumb__title u-visually-hidden">Breadcrumb</div> <ol class="c-breadcrumb__list"> <li class="c-breadcrumb__item"> <a class="c-breadcrumb__link" href="/">Home</a> </li> <li class="c-breadcrumb__item"> <span aria-current="page"> Cyber Guidance for Small Businesses </span> </li> </ol> </div> </nav> <div id="block-bettersocialsharingbuttons" class="c-block c-block--social-share c-block--provider-better-social-sharing-buttons c-block--id-social-sharing-buttons-block"> <div class="c-block__content"> <div class="c-block__row"> <span>Share:</span> <div style="display: none"><link rel="preload" href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg" as="image" type="image/svg+xml" crossorigin="anonymous" /></div> <div class="social-sharing-buttons"> <a href="https://www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/cyber-guidance-small-businesses&title=Cyber%20Guidance%20for%20Small%20Businesses" target="_blank" title="Share to Facebook" aria-label="Share to Facebook" class="social-sharing-buttons-button share-facebook" rel="noopener"> <svg aria-hidden="true" width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#facebook" /> </svg> </a> <a href="https://twitter.com/intent/tweet?text=Cyber%20Guidance%20for%20Small%20Businesses+https://www.cisa.gov/cyber-guidance-small-businesses" 
target="_blank" title="Share to X" aria-label="Share to X" class="social-sharing-buttons-button share-x" rel="noopener"> <svg aria-hidden="true" width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#x" /> </svg> </a> <a href="https://www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/cyber-guidance-small-businesses" target="_blank" title="Share to Linkedin" aria-label="Share to Linkedin" class="social-sharing-buttons-button share-linkedin" rel="noopener"> <svg aria-hidden="true" width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#linkedin" /> </svg> </a> <a href="mailto:?subject=Cyber%20Guidance%20for%20Small%20Businesses&body=https://www.cisa.gov/cyber-guidance-small-businesses" title="Share to Email" aria-label="Share to Email" class="social-sharing-buttons-button share-email" target="_blank" rel="noopener"> <svg aria-hidden="true" width="18px" height="18px" style="border-radius:3px;"> <use href="/modules/contrib/better_social_sharing_buttons/assets/dist/sprites/social-icons--no-color.svg#email" /> </svg> </a> </div> </div> </div> </div> </div> </div> </div> <main id="main" class="c-main" role="main" tabindex="-1"> <div class="l-content"> <article class="c-article"> <div class="c-page-title"> <div class="c-page-title__inner l-constrain"> <div class="c-page-title__row"> <div class="c-page-title__content"> <h1 class="c-page-title__title"> <span>Cyber Guidance for Small Businesses</span> </h1> </div> </div> <div class="c-page-title__decoration"></div> </div> </div> <div class="c-wysiwyg"> <div class="l-constrain"> <div class="c-wysiwyg__inner"> <div class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden"> <div class="c-field__content"><h2>A Different Kind of Cybersecurity Advice</h2><p>Small businesses often 
do not have the resources to defend against devastating cyber threats like ransomware. As a small business owner, you have likely come across security advice that is out of date or that does not help prevent the most common compromises. For example, odds are that you have heard advice to never shop online using a coffee shop’s wi-fi connection. While there was some truth to this fear a decade ago, that’s not how people and organizations are compromised today. The security landscape has changed, and our advice needs to evolve with it.</p><p><strong>This advice is different.</strong></p><p>Below, we offer an action plan informed by the way cyberattacks actually happen. We break the tasks down by role, starting with the Chief Executive Officer (CEO). We then detail tasks for a Security Program Manager and the Information Technology (IT) team. While following this advice is not a guarantee you will never have a security incident, it does lay the groundwork for building an effective security program.</p><h2>Role of the CEO</h2><p>Cybersecurity is about culture as much as it is about technology. Most organizations fall into the trap of thinking the IT team alone is responsible for security. As a result, they make common mistakes that increase the odds of a compromise. Culture cannot be delegated. CEOs play a critical role by performing the following tasks:</p><ol><li><strong>Establish a culture of security.</strong> Make it a point to talk about cybersecurity to direct reports and to the entire organization. If you have regular email communications to staff, include updates on security program initiatives. When you set quarterly goals with your leadership team, include meaningful security objectives that are aligned with business goals. Security must be an “everyday” activity, not an occasional one. 
For example, set goals to improve the security of your data and accounts through the adoption of <a href="https://www.cisa.gov/MFA" title="multifactor authentication">multifactor authentication</a> (MFA) (more on that below), the percentage of systems you have fully patched, and the percentage of systems that you back up.</li><li><strong>Select and support a “Security Program Manager.”</strong> This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program. The manager should report on progress and roadblocks to you and other senior executives at least monthly, or more often in the beginning.</li><li><strong>Review and approve the Incident Response Plan (IRP).</strong> The Security Program Manager will create a written IRP for the leadership team to review. The IRP is your action plan before, during and after a security incident. Give it the attention it deserves in “peace time,” and involve leaders from across the organization, not just the security and IT functions. There will be no time to digest and refine it during an incident.<br><br><strong>PRO TIP</strong>: Invoke the IRP even when you suspect a false alarm. “Near misses” drive continuous improvements in the aviation industry, and the same can be true for your security program. Never let a near miss go to waste!</li><li><strong>Participate in </strong><a href="/cisa-tabletop-exercises-packages" title="Tabletop Exercise drills"><strong>tabletop exercise drills</strong></a><strong> (TTXs).</strong> The Security Program Manager will host regular attack simulation exercises called tabletop exercises. These exercises will help you and your team build reflexes that you’ll need during an incident. 
Make sure your senior leaders attend and participate.</li><li><strong>Support the IT leaders.</strong> There are places where the support of the CEO is critical, especially where the security program needs the help of every staff member. Take ownership of certain efforts instead of asking IT to do so. For example, do not rely on the IT team to persuade busy staff that they must enable MFA. Instead, make the MFA announcement to the staff yourself and keep track of the progress. Personally follow up with people who have not enabled MFA. Doing so creates a culture of security from the top.</li></ol><p>A note on MFA: MFA is a layered approach to securing your online accounts and the data they contain. Any form of MFA is better than no MFA: even SMS text messages or authenticator codes will raise the cost of attack and reduce your risk. Having said that, phishing is consistently the most cost-effective way for attackers to compromise systems, and the only widely available phishing-resistant authentication is called “FIDO authentication.” When an attacker eventually tricks you into trying to log into their imposter site to compromise your account, the FIDO protocol will block the attempt. FIDO is built into the browsers and smartphones you already use. We urge you to learn <a href="https://fidoalliance.org/how-fido-works/" title="how FIDO resists phishing attacks"><strong>how FIDO resists phishing attacks</strong></a>.</p><p>The combination of a cloud-hosted email service, Secure by Design devices, and FIDO authentication will dramatically raise the cost for attackers and reduce your risk. It’s worth considering.</p><h2>Role of the Security Program Manager</h2><p>The Security Program Manager will need to drive the elements of the security program, inform the CEO of progress and roadblocks, and make recommendations. 
These are the Security Program Manager’s most important tasks:</p><ol><li><strong>Training.</strong> All staff must be formally trained to understand the organization’s commitment to security, what tasks they need to perform (like enabling MFA, updating their software, and avoiding clicking on suspicious links that could be phishing attacks), and how to escalate suspicious activity.</li><li><strong>Write and maintain the </strong><a href="/incident-response-training" title="IRP"><strong>IRP</strong></a><strong>. </strong>The IRP will spell out what the organization needs to do before, during, and after an actual or potential security incident. It will include roles and responsibilities for all major activities and an out-of-band address book (for example, a printed copy or one kept on a separate personal device) so you can still reach people should the network or email be down during an incident. Get the CEO and other leaders to formally approve it. Review it quarterly and after every security incident or “near miss”. Need to know where to start? Look to our <a href="https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf" title="IRP Basics"><strong>IRP Basics</strong></a> two-pager with advice on what to do before, during and after an incident. To request assistance or to share information about an incident that can help protect other potential victims, you can contact CISA at <a href="/report" title="Report to CISA"><strong>https://www.cisa.gov/report</strong></a><strong>.</strong></li><li><strong>Host quarterly tabletop exercises (TTXs). </strong>A <a href="https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages" title="TTX">TTX</a> is a role-playing game where the organizer (possibly you!) presents a series of scenarios to the team to see how they would respond. A common scenario involves one employee discovering their laptop is blocked by ransomware. Symphonies and sports teams practice regularly, and your organization should, too. 
CISA has <a href="/sites/default/files/publications/Cybersecurity-Tabletop-Exercise-Tips_508c.pdf" title="Cybersecurity Tabletop Exercise Tips"><strong>Cybersecurity Tabletop Exercise Tips</strong></a> to get you started.</li><li><strong>Ensure MFA compliance. </strong>Yep—MFA again! The most important step an organization can make is to ensure that all staff use MFA to log into key systems, especially email. While this task is also listed under the IT section below, multiple people must review the MFA status regularly.</li></ol><p>In addition to the advice here, we urge you to look at the information and toolkits available from our <a href="/cyber-essentials" title="Cyber Essentials"><strong>Cyber Essentials</strong></a> series to continue to mature your program.</p><h2>Role for the IT Lead</h2><p>The top tasks for the IT lead and staff include the following:</p><ol type="1"><li><strong>Ensure MFA is mandated using technical controls, not faith.</strong> Some organizations have instructed their users to enroll in MFA, but not all users complete that task. There are often MFA gaps for recently onboarded staff and for people who have migrated to a new phone. Enforce MFA with a policy in your identity provider (for example, a conditional-access rule that blocks sign-in until MFA is enrolled) rather than relying on users to self-enroll, and treat any account that can still sign in without MFA as a gap to close. You’ll need to regularly look for non-compliant accounts and remediate them. Verify, verify, verify MFA stats.</li><li><strong>Enable MFA for all system administrator accounts.</strong> System administrators are valuable targets for attackers. You might assume that they would reflexively enroll in MFA. Yet Microsoft reports that only around half of Azure Active Directory global administrators use MFA. In many compromises, attackers were able to get a foothold on the system administrator’s account, and from there they had complete access to all the company’s assets. Keep the number of administrator accounts to a minimum, and where possible give each administrator a separate account for administrative tasks so that their everyday email and browsing account does not carry those privileges.</li><li><strong>Patch</strong>. Many attacks succeed because the victims were running vulnerable software when a newer, safer version was available. Keeping your systems patched is one of the most cost-effective practices to improve your security posture. 
Be sure to monitor CISA’s <a href="/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog"><strong>Known Exploited Vulnerabilities (KEV) Catalog</strong></a><strong>,</strong> a list of the vulnerabilities we see attackers using in real attacks. Prioritize the vulnerabilities in the KEV. Also, where possible enable auto-update mechanisms.</li><li><strong>Perform and test backups.</strong> Many organizations that have fallen victim to ransomware either had no backups or had incomplete/damaged backups. It’s not enough to schedule all important systems to have a regular backup. It’s critical to regularly test partial and full restores. Keep at least one copy of your backups offline or otherwise isolated from your network and protected by separate credentials, because ransomware operators routinely look for and encrypt or delete any backups they can reach. You’ll have to pick a cadence for the backups (continuous, hourly, weekly, etc.). You’ll also want to write a plan for the restoration. Some organizations experiencing ransomware attacks found that the time to restore their data was significantly longer than expected, impacting their business.</li><li><strong>Remove administrator privileges from user laptops.</strong> A common attack vector is to trick users into running malicious software. The attacker’s job is made easy when users have administrator privileges. A user who lacks administrator privileges cannot install software system-wide or disable security protections, so this type of attack either fails or is limited to the damage that one user’s account can do. It is not a complete defense—malware can still run with the user’s own privileges—but it removes the easiest path to full control of the device.</li><li><strong>Enable disk encryption for laptops.</strong> Modern smartphones encrypt their local storage, as do Chromebooks. Windows and Mac laptops, however, must be configured to encrypt their drives (BitLocker on Windows, FileVault on macOS), and the recovery keys must be stored somewhere the organization can retrieve them when an employee leaves or forgets a password. Given how many laptops are lost or stolen each year, it’s important to ensure that your laptop fleet is protected.</li></ol><p>All of the above steps may leave you wondering if the products you use are as secure as they could be. Very often, the answer is that the software manufacturers create products using components and practices that inevitably lead to common vulnerabilities. 
In addition to putting into practice the above steps, we urge you to learn more about how software companies can create software that is “secure by design”. Read more here: <a href="https://www.cisa.gov/securebydesign">https://www.cisa.gov/securebydesign</a>.</p><h2>Achieving the Highest Security Posture</h2><p>When security experts give cybersecurity advice, they usually assume you are only willing to make small changes to your IT infrastructure. But what would you do if you could reshape your IT infrastructure? Some organizations have made more aggressive changes to their IT systems to reduce their “attack surface.” In some cases, they have been able to all but eliminate (YES, WE SAID ELIMINATE!) the possibility of falling victim to phishing attacks. Sound interesting? Keep reading!</p><h3>On premises vs cloud</h3><p>One major improvement you can make is to eliminate all services that are hosted in your offices. We call these services “on premises” or “on-prem” services. Examples of on-prem services are mail and file storage in your office space. These systems require a great deal of skill to secure. They also require time to patch, to monitor, and to respond to potential security events. Few small businesses have the time and expertise to keep them secure.</p><p>While it’s not possible to categorically state that “the cloud is more secure,” we have seen repeatedly that organizations of all sizes cannot continuously handle the security and time commitments of running on-prem mail and file storage services. The solution is to migrate those services to secure cloud versions, such as Google Workspace or Microsoft 365 for enterprise email. These services are built and maintained using world-class engineering and security talent at an attractive price point. Note that moving to the cloud shifts the work of patching and running the servers to the provider, but securing access remains your job: the MFA, administrator-account, and backup steps above still apply to your cloud tenant, and a phished or unprotected cloud administrator account is just as damaging as an on-prem one. 
We urge all businesses with on-prem systems to migrate to secure cloud-based alternatives as soon as possible.</p><h3>Secure endpoints</h3><p>While all operating system vendors work to continuously improve the security of their products, two stand out as being “secure by design,” specifically, Chromebooks and iOS devices like iPads.</p><p>Some organizations have migrated some or all of their staff to use Chromebooks and iPads. As a result, they have removed a great deal of “attack surface,” which in turn makes it much harder for attackers to get a foothold. Even if an attacker were able to find a foothold on those systems as part of a ransomware attack, the data primarily lives in a secure cloud service, reducing the severity of the attack.</p><h2>Additional Information*</h2><p>For more information and resources for Small and Medium-sized businesses, visit <a href="https://www.cisa.gov/audiences/small-and-medium-businesses">Small and Medium Businesses | Cybersecurity and Infrastructure Security Agency CISA</a> and our Small Business Week page: cisa.gov/small-business-week. </p><p>*<em>This page was updated in April 2024. 