SMB Cybersecurity Guide: How to Build a Strong Plan Within Budget

Tammy Cohen, PHR, SHRM-CP

January 31 2023

Has cybersecurity been put on the back burner at your growing enterprise? It makes sense: small-to-medium businesses (SMBs) typically have much to get done while working with limited resources and a tight budget. However, research suggests that building a strong cybersecurity plan for your SMB is more urgent than ever.

According to Coro’s 2022 Cybersecurity Threat Report, cyber attacks on SMBs have increased by 150% over the past two years. Plus, a study by the National Cybersecurity Alliance reveals that 28% of all SMBs in the United States were forced out of business because of cyber attacks in 2021. This means that cybersecurity is no longer a nice addition to your business plan – it’s a necessity.

This guide gives you the tools needed to communicate the importance of cybersecurity to decision-makers at your company. It also offers an action plan for building a strong SMB cybersecurity plan within budget.

Your Budget is Incomplete Without Cybersecurity. Here’s Why:

Awareness about the dangers of cyber attacks is growing amongst small businesses. However, many SMBs in the US remain completely unprepared for a cyber attack. A 2022 study found that only half of all U.S. small businesses have a cybersecurity plan in place. Of the companies that don’t, 20% admit that they do not intend to create a cybersecurity plan in the foreseeable future.

There are many reasons why companies continue to forgo cyber protection. Examples include:

  • Limited resources
  • Lack of knowledge or in-house expertise
  • Difficulty hiring or being able to afford dedicated cybersecurity employees
  • Lack of time
  • Lack of training

Arguably the number one obstacle is a lack of knowledge. Many shareholders and decision-makers at small businesses may be unaware of the recent increase in cyber attacks on SMBs and may still think of cybersecurity as an optional extra rather than a necessity.

If you feel like this is an obstacle at your company, it’s crucial that you communicate to decision-makers and shareholders any relevant statistics and facts that demonstrate the growing urgency of cybersecurity. Awareness is the first step; the rest of the obstacles can be tackled with careful planning and dedication.

Need a place to start? Well, this is bound to catch any business leader’s attention: 

IBM’s 2022 Cost of a Data Breach Report found that the average cost of a data breach in the U.S. is $9.44 million. Although breaches at SMBs typically cost less in absolute terms, a smaller company has far fewer resources to absorb the loss, so recovery is much harder. The same IBM report found that organizations with an Incident Response (IR) team and a regularly tested IR plan saved an average of $2.66 million per breach compared to organizations with neither.

Additionally, be sure to communicate both the direct and indirect costs of a cyber attack to demonstrate how valuable security is to your company. Direct costs include theft, system repair and recovery, and regulatory fines; indirect costs include damaged credibility, lost business, and lost intellectual property.

How Much Should You Spend on Cybersecurity?

Cybersecurity spending varies greatly depending on a company’s industry, size, the sensitivity of data you collect, local compliance mandates, and more. However, the general rule of thumb is to spend between 7%-10% of your IT budget on security. Some companies spend as little as 5% or as much as 20%, with the highest spenders falling into the professional services, financial services, and high technology industries.

When deciding how to budget for cybersecurity within your own organization, start small. Building a strong cybersecurity plan takes a healthy amount of trial and error before getting it right, so you don’t want to immediately blow 20% of your IT budget on your first year of implementing a new plan. Start with around 5% of your IT budget, and build from there. If you already have a cybersecurity plan that you want to improve, see where you can slowly increase this percentage until you find the sweet spot.

Further reading: HR: First Line of Defense in Preventing Insider Cyber-Attacks

How to Build a Strong Cybersecurity Plan Within Budget

1. Lay Out Your Priorities

Realistically, most SMBs will not have the resources to implement a full suite of the highest-quality cybersecurity services on the market. That’s why you need to start by taking a look at your most immediate, basic needs. 

For most small businesses, the top three priorities to start with are end-user training, multi-factor authentication, and vulnerability assessments. High-risk SMBs, such as those that handle other people’s finances or sensitive data, should add further steps to their security plan. For example, consider commissioning a penetration test: an ethical hacker attempts to break into your systems the way a real attacker would and reports the weaknesses found, so you can fix them before someone else finds them.

2. Protect Your Systems

Protection starts with securing your network and the endpoints connected to it, which are the doors into your systems: laptops and desktops, mobile devices, servers (including hosted ones), the software running on them, and the people who use them. Consider investing in some of these services to protect your network and endpoints:

  • Virtual Private Network (VPN): A VPN encrypts the connection between an employee’s device and your network, so staff can work safely from home or on public Wi-Fi. These are typically priced on a per user/per month basis, with some as low as $7 per user.
  • Multi-Factor Authentication (MFA): A simple yet highly effective control, MFA requires a second proof of identity in addition to the password, typically a one-time code from an authenticator app, a push notification to the user’s phone, or a hardware security key, so a stolen password alone is not enough to log in. Authenticator apps are usually the easiest and cheapest way to start, with most offering a free tier or low entry-level price. One caveat: push-approval MFA can be worn down by an attacker sending repeated prompts, so prefer app-generated codes or security keys where you can, and train staff never to approve a prompt they did not initiate.
  • Antivirus Software: This technology detects and blocks known malicious files to protect individual endpoints. Many vendors offer free trials or entry-level pricing, so you can try different products with little risk until you find the right fit for your company.
  • Firewall: Firewalls are the guards of your network; they filter incoming and outgoing traffic according to the rules you set, blocking connections you have not explicitly allowed. Firewalls for small businesses can start around $200, but many of the strongest systems exceed $500. Any firewall is better than no firewall, so consider starting with an affordable option until your organization is ready to upgrade.

Additional steps you could take include securing any cloud services you use, scanning regularly for vulnerabilities, keeping software and systems up to date, and setting up logging and alerting so that suspicious activity is actually noticed. For high-risk SMBs, consider adding enterprise-grade hosting and real-time threat intelligence to your plan for extra security.

Further reading: What HR Technology Will Benefit Your SMB Most?

3. Implement Employee Training

End-user, or employee, training is one of the least costly yet most effective ways to protect your growing enterprise from cyber attacks. For example, one of the most common forms of social engineering is phishing, which targets employees directly by tricking them into clicking a malicious link or opening a malicious attachment. Phishing is the leading cause of ransomware attacks, which are currently the most common type of attack on SMBs.

Luckily, this risk can be greatly reduced with rigorous, consistent end-user training. Send employees regular training materials that teach them how to set secure passwords, spot a phishing email, manage their mobile devices, and more. Incentivize the training by offering prizes to the employees who score highest and complete the material most consistently, and run occasional simulated phishing emails so you can measure whether the training is working rather than assuming it is.

Training is absolutely necessary before granting employees access to company systems or customer data. Moreover, your staff needs periodic refreshers to ensure they keep the knowledge and skills needed to protect your systems and data.
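The red flags that phishing training teaches people to look for can also be checked mechanically, which is useful both for building training examples and for a cheap first-pass filter. The following is an added example written for this guide in Python (standard library only), not code from the original article or from any vendor mentioned here. The trusted domains, the confusable-character table and the two sample messages are all constructed for the demonstration, and the look-alike detection is a deliberately small heuristic rather than a full Unicode confusables list.

```python
import email
import re
from email import policy
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains the business genuinely uses; constructed for this example.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Character substitutions attackers use to forge look-alike domains.
# A small heuristic table, not a complete confusables list.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def skeleton(host: str) -> str:
    """Collapse look-alike characters so 'examp1ebank.com' compares equal to 'examplebank.com'."""
    s = host.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def imitated_domain(host: str) -> Optional[str]:
    """Return the trusted domain a host appears to impersonate, or None."""
    if not host or is_trusted(host):
        return None
    s = skeleton(host)
    for trusted in sorted(TRUSTED_DOMAINS, key=len, reverse=True):
        brand = trusted.split(".")[0]
        if brand in s:  # examp1ebank-secure.com, examplebank.com.login-portal.net, ...
            return trusted
    return None


def host_of(url: str) -> str:
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw_message: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the red flags training tells staff to look for."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: List[Tuple[str, str]] = []

    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    compact_name = sender.display_name.lower().replace(" ", "")

    # 1. Display name claims a trusted brand but the real address is elsewhere.
    brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    if any(b in compact_name for b in brands) and not is_trusted(from_domain):
        findings.append(("brand-in-display-name", f"'{sender.display_name}' sent from {from_domain}"))

    # 2. Sender domain is a look-alike of one we trust.
    imitated = imitated_domain(from_domain)
    if imitated:
        findings.append(("sender-lookalike", f"{from_domain} imitates {imitated}"))

    # 3. Replies are silently redirected to a different domain.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))

    # 4. Links whose visible text names one site while the href goes to another,
    #    or whose destination is itself a look-alike domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR.findall(html):
        href_host = host_of(href)
        text = text.strip()
        if URL_LIKE.fullmatch(text) and host_of(text) != href_host:
            findings.append(("link-text-mismatch", f"shows {host_of(text)}, goes to {href_host}"))
        imitated = imitated_domain(href_host)
        if imitated:
            findings.append(("link-lookalike", f"{href_host} imitates {imitated}"))
    return findings


# Constructed sample messages for the demonstration (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@examp1ebank-secure.com>
Reply-To: recovery@mail-verify.net
To: finance@example.com
Subject: Urgent: confirm your account within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in now to avoid suspension:</p>
<a href="http://examplebank.com.login-portal.net/verify">https://examplebank.com/login</a>
</body></html>
"""

LEGIT = """\
From: "Example Bank" <alerts@examplebank.com>
To: finance@example.com
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://online.examplebank.com/statements">View statement</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw))
```

Running it lists five separate indicators for the constructed phishing message and none for the legitimate one. Each of those indicators is something a trained employee can check in a few seconds by hovering over the link and reading the actual sender address, which is exactly what the training materials should teach.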

4. Work With the Right Partners

If all of this seems like too much for your current team to take on, you may want to consider using managed security or consulting services, or hiring a temporary vCISO (Virtual Chief Information Security Officer), to receive expert guidance while getting your cybersecurity plan up and running. Once your plan is more established, you can build a dedicated team of in-house experts to take charge of your security initiatives.

It’s also important to choose your business partners wisely every step of the way. You don’t want to work with an antivirus, banking, or onboarding company that doesn’t have its own strong cybersecurity plan in place. Work with companies that are committed to protecting their clients’ data to avoid becoming the victim of someone else’s breach. We recommend running a vendor assessment on any potential partner before engaging further: ask for evidence of their security and compliance controls (for example, a recent SOC 2 report or ISO 27001 certificate), confirm that they use MFA and encrypt your data, and make sure your contract requires them to notify you promptly if they are breached.

5. Develop Smart Hiring & Onboarding Practices

Preventing insider threats is extremely important when implementing a security program. In fact, businesses in the US encounter around 2,500 internal security breaches daily, with the average cost of an insider threat at $15.4 million. Mitigating the risk of insider threats begins with smarter hiring and onboarding practices.

One partner that helps businesses develop more secure hiring practices is a professional, FCRA-compliant background screening provider. Through a full suite of services such as employment and education verifications and criminal history searches, you will have a better understanding of who a candidate is before allowing them into your systems.

Further reading: 3 Ways HR Can Help Companies Fight Workplace Cybercrime

Prevent Internal Threats with Background Screening

Bottom line: the most valuable thing SMBs can do to improve their cybersecurity plan on a budget is focus on human security:

  1. Vet vendors and their employees easily through a vendor screening program
  2. Train new employees and regularly retrain current employees
  3. Screen your contingent labor
  4. Screen your employees to protect your systems and your clients’ systems

At InfoMart, we are dedicated to keeping our clients’ sensitive data secure. We take every measure to protect our data, from protecting our endpoints with technology to training our employees regularly.

With over three decades of experience in the screening industry, we are also extremely passionate about finding all the ways we can add to our clients’ workplace safety and security. One of our newest services, continuous criminal monitoring, adds an extra layer of security to protect against internal threats by scanning data in real time for arrests of current employees.

Every company is different. That’s why we offer customizable solutions for each client we work with. Interested in what our services would look like for your organization? Get in touch to learn more.


I would love to hear from you and connect; add me on LinkedIn to keep in touch!

About Tammy Cohen

Tammy Cohen, an industry pioneer and expert in identity and employment screening, founded InfoMart 30 years ago. Deemed the “Queen of Screen,” she’s been a force behind industry-leading innovations. She was most recently the first-to-market with a fully compliant sanctions search, as well as a suite of identity services that modernizes talent onboarding. Tammy revolutionized the screening industry when she stepped into the field, developing the first client-facing application and a due diligence criminal search that has since become standard for all background screening companies. Cohen has received national awards and honors for her business and civic involvement, including Atlanta Business Chronicle’s Top 25 Women-Owned Firms in Atlanta, Enterprising Women Magazine’s Enterprising Women of the Year award, the YWCA of Northwest Georgia’s Kathryn Woods Racial Justice Award, and a commendation in the 152nd Congressional Record.

About InfoMart

InfoMart has been revolutionizing the global background and identity screening industry for 30 years, providing businesses the information they need to make informed hiring decisions. They develop innovative technology that modernizes talent onboarding, including a first-to-market biometric identity authentication application and a verified sanctions search. The WBENC-certified company is a founding member of the Professional Background Screening Association, and they have achieved PBSA accreditation in recognition of their consistent business practices and commitment to compliance with the FCRA. The company is dedicated to customer service, speed, and accuracy, and it has been recognized for its success, workplace culture, and corporate citizenship with over 45 industry awards. To Get the Whole Story on InfoMart, please visit, follow @InfoMartUSA, or call (770) 984-2727.
