A version of this article originally appeared on principal.com.

Small business owners often feel the same burn from a cybersecurity breach as larger companies do, but with fewer resources to absorb it. It can be tough to know how to prepare and where to fortify your defenses.

The Principal Financial Well-Being Index℠ finds that smaller businesses (under 500 employees) are half as likely as larger businesses to employ somebody whose sole focus is cybersecurity. Yet the 32.5 million small businesses in the United States make up 99.9% of all businesses and employ 46.8% of workers.

In many ways these companies represent the front lines of improved national cybersecurity.

We’re seeing progress: just over half of all businesses spent more money and resources on cybersecurity in 2021 than in the previous year, and 23% of them spent significantly more.

Even businesses without budget to spend on a cybersecurity boost can adopt many of the following practical strategies.

1. Protected passwords

Eighty-five percent of data breaches involve human behavior, and 61% exploit employee credentials such as weak or stolen passwords. That’s why the added layer of two-factor authentication (or multi-factor authentication) can make such a difference. Business leaders can also encourage employees to choose more complex passwords (phrases rather than single words, with a mix of letters, numbers, and punctuation).

Share with employees: “5 ways to protect your online information.”

2. Third-party cybersecurity experts

More than one-fourth of businesses with fewer than 500 employees outsource their cybersecurity needs to a third party, according to the Well-Being Index. But it’s not always easy to choose the firm that may best serve your business. Start with research to understand the different types of cybersecurity firms (from basic IT to more complex work led by virtual chief information officers) and determine the right level of outside support.

3. An internal cyber leader

With or without the benefit of external cybersecurity expertise, identify a “cyber leader” within the organization. The Cyber Readiness Institute (CRI) says that every business needs somebody who “builds a culture of security and ensures associated safeguards are implemented with the support of senior management.”

Get started with CRI’s “Cyber Leader Certification Program.”

4. Cybersecurity incident response plan

Do employees know how to respond to a cyberattack before it strikes? According to CRI, a good cybersecurity incident response plan outlines:

  1. a timeline for preparation (with milestones for regular reevaluation),
  2. the immediate response to a strike, and
  3. steps to rapid recovery that preserve business continuity and restore valuable data.

Learn better incident response for your business through CRI’s “Cyber Readiness Program.”

5. Regular cybersecurity drills

Like a fire safety drill, a business should test in real time how it would respond to a cyberattack, both to flesh out its incident response plan and to assess it. This helps employees identify their most useful roles and responsibilities in cyber defense before the panic of a true emergency.

The federal government’s Cybersecurity & Infrastructure Security Agency conducts “cyber range training” that may offer a template for business drills.

6. Regular software updates

Sudden recognition of the widespread Log4j vulnerability in 2021 reminded cyber experts and businesses alike to keep software up to date to help protect data and operations from trending threats. Regular updates are a core CRI principle of good cyber hygiene and security. Seek out and install timely software patches from trusted vendors.

What’s next?

Cyber Readiness Institute (CRI is not an affiliate of any company of the Principal Financial Group®)

This communication is intended to be educational in nature and is not intended to be taken as a recommendation.