
Anyone can destroy your company’s security in just a few seconds. That’s the time it takes one harried employee to click on a phishing link sent by a scammer, infecting every device on the network with malware. It would take a hacker just as long to crack a CEO’s simple password that they’ve memorized and used for all of their online accounts. 

If you’re looking for a reason to create a cybersecurity strategy for your business, consider the bottom line. According to IBM’s Cost of a Data Breach Report, the global average cost of a data breach in 2024 was a record-breaking $4.88 million. That’s a high price to pay for an insecure workplace.

[Image: Two women looking at a monitor. Credit: Thomas Barwick via Stone for Getty Images]

That said, a small business setting is usually a little different from an enterprise-level corporation. Many small business owners run their companies out of a home office or co-working space. Remote employees may connect to company servers over a home network while using their personal computers or other devices. Securing a remote-first workplace requires careful policy-making, along with complete buy-in from employees. It’s a tough ask, especially if you don’t have an IT department or a cybersecurity specialist on the payroll.

Getting started can be daunting, but don’t give up hope! I’ve compiled some small business security suggestions from myself and a few experts. Keep reading for recommendations for the best tools I’ve tested and policies your company should consider to keep your business safe.

1. Use a Password Manager

Not all hacks are complex missions to backdoor a company’s servers via spearphishing email campaigns or malware-infested browser extensions. Instead, criminals can get in using the key under the rock by the front door, otherwise known as your employees’ breached, easy-to-guess, or weak passwords.

When crafting a cybersecurity policy for your company, require employees to use a unique password for every work-related account. Make it easier for everyone to comply by investing in a password manager. Employees can install the app on their devices, and it will create strong, unique passwords for all of their accounts and fill them instantly around the web. There is no need to remember complicated passwords or passphrases.

[Image: Screenshots of 1Password on an iPhone. Credit: 1Password/PCMag]

I’ve tested many password managers over the years, and most of them offer affordable service tiers with small business owners in mind. If you’re on a tight budget, I recommend 1Password’s Teams Starter Pack, which is $19.99 per month for up to 10 employees. For the price, you get 1Password’s well-organized and reliable apps, plus password hygiene alerts. 

Another particularly good value is the Proton Pass Essentials plan, which, before discounts, runs $4.99 monthly for a minimum of three employees. You and your employees will get the well-designed Proton Pass apps, plus dark web monitoring, password hygiene alerts, and unlimited masked emails.


2. Require Multi-Factor Authentication

Requiring your employees to use multi-factor authentication (MFA) for their work accounts adds another layer of protection between your business and cybercriminals. That way, if the worst happens and a criminal steals an employee's unique, password-manager-generated password via a phishing link in an email or text message, they still won't be able to get into the account.

MFA requires a person to verify their identity using a device or something attached to them, such as a fingerprint or a face scan. Here’s how it works: the employee logs into their corporate account, and an alert instantly shows up on their phone or via a desktop application, asking them to enter a code to verify their identity. Enter the code, and the login process is complete. 

[Image: Compilation of screenshots showing 2FAS in action. Credit: 2FAS/PCMag]

If you’re looking for an easy way to get employees to adopt MFA, ask them to download PCMag Editors’ Choice 2FAS, a free app available for mobile devices and web browsers. I like 2FAS because it doesn’t collect much data from your devices and sports a clean, customizable interface. Authenticator apps are super simple by design, so I don’t recommend paying for one.

You could also consider investing in hardware security keys for your team. The keys are small enough to fit on a key ring and can authenticate your identity or store your passkeys with just a finger tap.


3. Consider Browser Security

Cloud-based office suites such as Google Workspace, Microsoft 365, and Zoho Office make it easy for employees to get work done using browser-based calendars, meeting software, spreadsheets, or word processors. This makes web browsers incredibly valuable to small business owners and cybercriminals alike.

“The browser is becoming a significant cybersecurity concern,” says Andrius Buinovskis, a cybersecurity expert at NordLayer, a network security service. “Traditional browsers are not built with security and observability in mind—their primary target is to provide a user-friendly interface.”

[Image: Suggested Firefox settings. Credit: Firefox/PCMag]

Buinovskis says that browsers’ popularity in the workplace can impede a company’s cybersecurity efforts: “Aside from attracting the attention of cybercriminals, it’s also become a hub for insider threats or employee error, which can result in devastating security breaches.”

Buinovskis warns corporate security teams that while monitoring employees’ browser activity can be very expensive and time-consuming, it’s worth consideration. Start the process by crafting workplace policies built on security-first principles. Here are some guideline suggestions:

  • Require administrative approval for browser extensions before installation. Cybercriminals can create browser extensions just as easily as legitimate developers. So when you download a rogue ad blocker, coupon generator, or writing assistant, it could, at best, siphon up all of the data you’re inputting into the browser, along with information about every website visited and your activities. At worst, the extension can infect your computer and every other device on the network with malware.

  • Only use company-approved SaaS applications. Inputting company details (or your personal information) into an unauthorized web application is insecure data handling. Create a list of approved applications and request suggestions from employees for app additions or deletions throughout the year.

  • Enable privacy-focused browser settings. Earlier this year, I created a guide to locking down your browser settings to make it harder for companies to track you online. These recommendations deal with limiting cookie storage and websites’ access to employees’ personal devices, like cameras and microphones.

  • Require prompt browser updates. Google is still finding massive security flaws in its Chrome browser from more than two decades ago. That should be enough of a reason to keep your browser patched. Whichever one you choose as the default for your workplace, ask your employees to enable automatic updates in the settings menu.

4. Update Devices and Software

Recently, 4chan, an infamous message board, went offline after a hacker exploited an out-of-date software package on the forum’s servers. I’d normally advise against learning anything from 4chan, but this time, benefit from their mistakes: Keep on top of updates for your devices and software.

“Windows patches every week, and Apple patches all the time, right? They’re constantly filling holes,” says Dr. Darren Williams, founder and CEO at BlackFog. He’s a ransomware expert and pioneer of Anti Data Exfiltration technology whom I spoke to earlier this year about what to do if your data ends up on the dark web.

Williams says that keeping your systems up to date is one of the best things an individual or business can do to strengthen their cybersecurity strategy. That’s because many people don’t update their devices or software, leaving themselves open to attack. 

“It’s like that classic line about the bear: I only have to outrun [the other person with me], not the bear,” Williams says. “Cyber criminals are pretty lazy unless they’ve really got it out for you.”


Enable automatic updates whenever possible, and always allow your computer to run through its update cycle, even if it takes a little more time.

5. Require On-Device Protection

“The bad guys want to get on your computer, not just inside your company,” Williams says. “So let’s fight them where they’re playing.” With that in mind, consider installing on-device protection in the form of antivirus software with phishing alerts and scam detection.

The antivirus software can catch malware threats coming your way, while the phishing alerts and scam detection software can protect employees from clicking on links or visiting insecure sites created by fraudsters. The best ones can even prevent ransomware scenarios in which cybercriminals encrypt all of your business’s files and demand payment, usually in cryptocurrency, to unlock them (which they may or may not do, but by that point, you’ve lost money, time, and your data). 

My colleague Neil Rubenking created a list of the best antivirus software he’s tested. He tells me that some of these consumer-level options offer enough licenses for a small business. For example, Aura supports up to 50 employees, Avast One Gold supports up to 30 workers, and Avira Prime and Bitdefender Premium Security both support services for up to 25 employees.

McAfee is rolling out scam detection capabilities to subscribers this month, so I asked the company’s chief technology officer, Steve Grobman, about using the feature at work. “People who work for a small business often use their cellphone, not a managed device as you’d see in larger environments,” Grobman says. This adds a layer of insecurity to the company’s network because it contains devices that the security team can’t monitor for threats. Grobman says that while the McAfee Scam Detector is a consumer-first feature, if employees use it on their personal devices, they can indirectly make their workplace safer.

If you want to skip out on the antivirus, some companies offer standalone phishing and scam detection. For example, Norton Genie performed well in our testing, correctly identifying scammy text in screenshots and URLs. 

Always remember to turn on email spam filters and firewall protection, too. And be sure to keep these applications up to date to prevent criminals from sneaking past your digital boundaries.


6. Monitor Your Network

If you’re running your small business out of your home, make sure to set up your home network securely. Keep an eye on activity from all internet-connected devices, including appliances, cellphones, and security cameras.

Knowing what’s happening on your network is the key to preventing cyberattacks, particularly ransomware attacks. Not all criminals do their dirty deeds in the open. Williams cites the 2024 Change Healthcare cyberattack as an example.

“They were latent for nine days inside the company’s computers. Just sitting behind the firewalls doing reconnaissance work,” Williams recounts. “You only need to have one weak link, and you can get in.” 

7. Create Effective Cybersecurity Training Programs

Weak links are always there, though, because we are humans. We all get distracted. We all forget to update things, procrastinate, or get annoyed by constantly enabling and disabling settings while working and simultaneously playing a cat-and-mouse game with faceless, nameless cybercriminals (who are rarely caught and prosecuted).

The key to overcoming these weaknesses is by educating yourself and your employees about online threats. A recent presentation at the RSAC 2025 Conference revealed that workers have basic cybersecurity awareness but become less enthusiastic about cybercrime prevention when they don’t see any results from their actions. 

Consider following up with employees who report phishing emails, or scheduling lunch-and-learn sessions with your IT team and the rest of the company to educate everyone about the reasons for cybersecurity best practices in the workplace.

8. Get a Company VPN

VPN apps route your data through an encrypted tunnel between your machine and your company’s server or one operated by the VPN company. That means that no one, not even people using the same Wi-Fi network, can monitor your work traffic. In an era of remote-first workplaces, a VPN is a common expense for companies that want to keep data private from the wider web. 

That said, it’s wise to remember that the VPN provider can see your data since you’re using its servers, so make sure you trust the app. If you or your employees are frequent travelers, invest in a VPN app and require everyone to connect to it when doing work-related tasks over public Wi-Fi in airports, conference halls, or hotels.


9. Hire for Experience, Not Certifications

As your small business grows, you’ll need to make some tough decisions when it comes to hiring new employees. When choosing people to be a part of your IT or cybersecurity team, make sure to cover all of your bases by hiring people from diverse career backgrounds.

Last year, I spoke to Adobe’s chief security officer, Maarten Van Horenbeeck, about how he chooses people for his security unit. “Companies like us have a responsibility to identify candidates that have potential even if they don’t have that very broad expertise in the security domain,” he says, explaining that his teams seek people who have a strong interest in cybersecurity but who have a career background in another field.

Hiring strictly for security expertise could lead to a lack of consideration for operational needs by IT and security teams at the company. “They don’t always understand how a software developer works from beginning to end, and that lack of empathy can make things harder,” Van Horenbeeck says.

Job fairs and word-of-mouth may be easier roads to hiring new talent, but if you want effective cybersecurity in your workplace, you need a team that understands the needs of your workforce. Seek candidates from internship programs with higher education institutions, and request collaborations with online communities. For example, in 2023, Adobe partnered with BlackGirlsHack, a cybersecurity program aimed at helping Black women and girls gain cybersecurity skills training and find mentorship opportunities. 

Need more advice for securing your home or small business? Check out our cybersecurity checklist to find new ways to be safer online.

About Kim Key

Senior Security Analyst


I review privacy tools like hardware security keys, password managers, private messaging apps and ad-blocking software. I also report on online scams and offer advice to families and individuals about staying safe on the internet. Before joining PCMag, I wrote about tech and video games for CNN, Fanbyte, Mashable, The New York Times, and TechRadar. I also worked at CNN International, where I did field producing and reporting on sports that are popular with worldwide audiences.
