With many small businesses adopting a hybrid or remote work environment, their already increasing risk of cyberattacks is only getting bigger. — Getty Images/SDI Productions

Small businesses today are facing a double security challenge. First, they are increasingly being targeted by ransomware and other cyber threats. At the same time, many businesses are migrating toward a hybrid — and potentially less secure — working environment.

Fortunately, there are several steps small business owners and their employees can take to keep their organizations safe from security breaches, no matter where employees are working. Here are some common cybersecurity threats and how to protect your business from them.

Common cybersecurity risks for small businesses

According to Tara Holt, senior product marketing manager at Iron Mountain, “Most attacks start from human error, not system failures.” This is especially true when employees are fully or partially remote, using devices and networks that are potentially less secure than those managed directly by a company’s on-site IT department.

With this in mind, small businesses and their employees should watch for these five common cybersecurity threats:

Phishing attacks

Phishing occurs when an attacker poses as a trusted contact, such as a financial institution or business partner, and requests that the user share account details or click a malicious link.

The biggest threats come from phishing scams that start with email, said Holt. These emails are often designed to appear like a legitimate message from the organization, although text phishing scams also exist.

Malware attacks

Malware refers to malicious code created to destroy data or gain unauthorized network access. Viruses, Trojans, adware and spyware all fall under this category. Malware often comes from spam emails and malicious downloads, though infection can also occur after connecting to other infected devices.

Personal devices are at a much higher risk than company computers for malware attacks. Since more than half of employees use their personal devices when working from home, small businesses must take extra caution to avoid malware.


Ransomware

A ransomware attack occurs when an attacker encrypts company data so it cannot be used, then forces the company to pay a ransom to access it. In general, smaller companies are less likely to have their data backed up and may be more likely to pay the ransom in the hopes of regaining access.

“A ransomware attack is just one bad click away,” Holt stressed.

Weak passwords

Using easy-to-guess passwords or reusing the same password across multiple accounts makes it easier for cybercriminals to access valuable data. Using strong passwords and incorporating additional security measures into the login process can help protect small businesses against data breaches.

“At a minimum, businesses should implement multi-factor authentication, use strong passwords and secure connections, like a VPN or zero trust network,” advised Holt.

Insider threats

Insider threats refer to malicious or negligent actions of both current and former employees and business associates. Since these individuals have access to company data, they have the opportunity to cause significant damage, whether intentional or not.

Practicing security awareness and educating employees on it, as well as terminating access for inactive users, can help mitigate insider threats.


Why cyber threats and ransomware attacks have increased in the hybrid world

Ransomware attacks and other cyber threats have risen in prominence over the past few years, especially in the wake of the pandemic. Many businesses that had previously worked only in person were forced to quickly shift to e-commerce or remote work setups.

“Cybercrimes are crimes of opportunity,” Holt explained. “With such rapid change, it was difficult to keep up with the IT tasks that go with that change, such as making sure every [device] in use is backed up, [ensuring] employees are using secure connections and passwords … [and training staff] on how to spot a scam before they click on it.”

Ransomware is an especially pervasive threat to small businesses, which may not have the funds and resources to combat these types of attacks. Additionally, small business owners may not always have the time and resources to implement data security measures.

“Even everyday IT tasks like installing system patches and enforcing password policies can fall to the bottom of the list,” said Holt. “These types of security gaps can leave you wide open to hackers looking for ways to exploit any vulnerability they can find.”

Protecting your data

Even a seemingly small-scale cyberattack can be detrimental to a small business. A loss of data often results in a loss of time and money, as well as potential damage to a company’s reputation.

“Secure your digital business like you would your physical place of business,” Holt advised. “Make data protection part of your business continuity and disaster recovery plan.”

Here are some simple steps you can take to protect your small business data.

  • Keep your software up to date. Most providers offer periodic updates to maintain their software’s efficiency and security. Regularly update all your software, especially your security programs, to ensure that all security measures are up to date.
  • Layer your security measures. Using multiple security tools can limit the likelihood of cyberattacks and malicious code reaching their end goal. For example, by simultaneously implementing a firewall and antivirus software, you will still have a layer of protection should one of the measures fail.
  • Train your employees in security awareness. Your team is the most important level of defense against data breaches. Educate your employees on the different types of cyberattacks, as well as good security practices to prevent data loss and other negative outcomes.
  • Set up access controls. Define and manage user roles and access for company data, giving only the minimum access needed. Additionally, revoke access when an individual no longer requires it. This lowers the risk of both inside and outside security threats.
  • Use strong passwords and multifactor authentication. Ensure your employees use strong passwords that are unique to each account. Additionally, requiring multifactor authentication — for example, a code texted to a separate device or answers to a security question — makes it more difficult for hackers to gain access to company data.
  • Enable spam filters. Adding strong spam filters to email and messaging services can significantly reduce the risk of phishing. These filters can prevent malicious emails from entering employee inboxes in the first place.
  • Back up your data regularly. “It’s important to protect your data before a ransomware attack so you have a way to recover if the worst-case scenario happened,” said Holt. Backing up your data both online and offline as often as possible can help you avoid paying a ransom for recovery.
  • Get help from experts. Working with a data and asset management firm can help you store and protect your valuable business information and ensure it is secure and backed up in the event of a breach or cyberattack.
