If you think your small business is safe from data breaches, think again. The 2025 Data Breach Investigations Report found that small and medium-sized businesses are targeted with cyber attacks nearly four times more often than large corporations. In fact, 60% of small businesses rank phishing and ransomware attacks as their top cybersecurity concerns this year. Businesses of all sizes have good reason to be concerned: the average cost of a data breach has increased by 10% since last year, reaching $4.88 million.
“A data breach results in angry and concerned customers and reputational damage,” says Joram Borenstein, vice president at NICE Actimize. “For some small businesses, it could prove difficult to recover from both the financial impact and the hit to their credibility.”
Rather than leaving your small business open to data breaches, experts suggest using the following checklist to protect your company against hackers:
1) Have you considered social engineering awareness?
Social engineering attacks often exploit employees who are unaware of the value of the information they handle. For example, a social engineer might call a new employee pretending to be from IT and claim to be testing the system, tricking the employee into giving up their password. These attacks succeed because employees may not realize how critical their data is and therefore fail to protect it adequately.
To combat this, provide employees with social engineering awareness training and implement written policies and procedures. Instruct them not to click on unsolicited email attachments or embedded links, and to verify the identity of callers before sharing sensitive information.
Neglecting the threat of social engineering is somewhat like installing a high-tech security system but leaving the front door unlocked.
2) Are you being proactive when it comes to security?
Before investing in security software, businesses should assess their actual needs and assign someone to manage regular updates. Having a plan in place is more effective than trying to recover after a cyber attack.
Many small businesses purchase security tools without fully understanding them. However, spending more doesn’t guarantee better protection if the software isn’t properly implemented or maintained.
If you’re unsure about what security measures to take or which parts of your business are vulnerable, consider hiring a professional to audit your computers, network and mobile devices. This audit can help identify necessary steps such as data backup strategies, encryption practices and mobile device protection.
3) Are your passwords robust and changed frequently?
In addition to avoiding bad password choices, make sure your passwords are as strong as possible.
- Change your passwords frequently. Once a month is a good rule of thumb.
- Use passwords that are at least 13 characters long and include symbols, letters and numbers (but no dictionary words).
- Consider using a password manager that can help secure your identity and increase the strength of passwords that protect your online accounts without requiring you to memorize a string of characters.
4) Is your data encrypted?
Any data a small business stores, that is, data sitting on a device rather than being transmitted over the Internet, should be encrypted. To accomplish this, turn on the full-disk encryption tools that come standard on most current operating systems (on Windows PCs this is BitLocker; on Macs it is FileVault).
Experts caution that this encryption protects data only while users are logged out of the computer; while the system is running and unlocked, malware can read the data like any other program. To narrow that window, set your office computers to log out automatically after 15 minutes of inactivity.
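As an added example (not code from the article), here is a PowerShell audit script for the two controls in this item on a Windows PC: it reports whether every BitLocker volume is protected and fully encrypted, and sets the machine inactivity limit to the 15 minutes recommended above if it is missing, disabled or longer. It assumes Windows 10/11 Pro or Enterprise (BitLocker module present), an elevated session, and uses the registry value behind the "Interactive logon: Machine inactivity limit" policy, which locks the screen rather than logging the user out.

```powershell
# Added example, not from the article. Assumes Windows 10/11 Pro/Enterprise and an elevated prompt.

$MaxIdleSeconds = 15 * 60   # the article's 15-minute inactivity limit

function Test-FullDiskEncryption {
    # Every volume should report ProtectionStatus 'On' and VolumeStatus 'FullyEncrypted'.
    $volumes = Get-BitLockerVolume -ErrorAction Stop
    foreach ($v in $volumes) {
        $ok = ($v.ProtectionStatus -eq 'On') -and ($v.VolumeStatus -eq 'FullyEncrypted')
        [pscustomobject]@{
            Drive      = $v.MountPoint
            Protection = $v.ProtectionStatus
            Status     = $v.VolumeStatus
            Compliant  = $ok
        }
    }
}

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-InactivityLimit {
    # "Interactive logon: Machine inactivity limit" is stored as the DWORD InactivityTimeoutSecs.
    # $null means the policy was never set; 0 means it is disabled.
    $val = Get-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $null }
    return [int]$val.InactivityTimeoutSecs
}

function Set-InactivityLimit {
    param([int]$Seconds = $MaxIdleSeconds)
    # -Force overwrites an existing value; the setting takes effect at the next policy refresh or logon.
    New-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -PropertyType DWord -Value $Seconds -Force | Out-Null
}

# --- report and remediate ---
Test-FullDiskEncryption | Format-Table -AutoSize

$limit = Get-InactivityLimit
if ($null -eq $limit -or $limit -eq 0 -or $limit -gt $MaxIdleSeconds) {
    Write-Warning "Machine inactivity limit is '$limit' seconds; setting it to $MaxIdleSeconds."
    Set-InactivityLimit -Seconds $MaxIdleSeconds
} else {
    Write-Host "Inactivity limit already $limit seconds (at most $MaxIdleSeconds)."
}
```

Any drive that shows Compliant = False in the table still needs BitLocker turned on (or its encryption finished) before the data on it counts as protected at rest.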
5) Are you cyber savvy?
Since most small businesses don’t have a security consultant on staff, Borenstein recommends that business owners learn as much as they can about cyber security. If you feel that you need more assistance or would like to consult with a cyber security expert, consider retaining a consultant.