According to research by Security magazine and the Ponemon Institute, 67% of small and midsize businesses (SMBs) experienced a cyber attack and 58% experienced a data breach in 2018.

While the high-profile breaches like those impacting Target, Home Depot and Marriott gain the global headlines, the fact of the matter is that the same impact is being felt across thousands of small businesses. Doctor’s offices, professional service firms, small restaurants and local retailers and more are all being targeted.

The problem is, small businesses don’t have the massive IT budgets that large enterprises do, so how can a small company reasonably respond to the threat of cyber attacks? Here are nine key steps you can take to protect your small business…that won’t break the bank:

1. Upgrade your software.

Your desktop computer’s running last year’s version of Windows. The laptop sitting next to it is on an outdated edition of Mac OS X. The computer at the reception desk still boasts a CRT monitor and is running Windows 95.

That’s not an unusual situation to confront when you start looking around the office to see how things are going and you realize that your computing environment is rife with security weaknesses.

The most important step is to upgrade your software to the latest version, so that any security patches are added in the process. While you’re at it, assign an employee to set up a tracking spreadsheet so you can list the hardware and software in use at each workstation and the version you’re currently on (as well as the last update).

2. Move to the cloud.

Another extremely valuable step is to move to a cloud-based business application environment. Now, it’s important to note that there are two distinct ways do to this:

The first is to migrate desktop applications to a cloud hosting platform such as Citrix, Cisco, VMWare Horizon Cloud or Amazon WorkSpace, where your staff are accessing a virtual desktop. From a security perspective, this is better than traditional desktop computing because (a) it removes the risk of having an unattended server in your offices, and (b) it enables your cloud hosting provider to easily update and maintain software and operating systems to the latest patches and updates.

The second is to migrate directly to native cloud applications, which are accessed directly in the browser. This is a more aggressive change but for many companies it adds two additional security advantages. The first is that it means there is no need to ‘update’ the software on a schedule, because every time you log in, you’re accessing the latest version automatically. And the second is that you eliminate servers entirely since the backend databases are hosted by the enterprise software vendors themselves, typically with multiple redundancies built in.

3. Take passwords seriously.

Password management in small businesses today is pretty much a disaster. People come up with passwords they can remember, repeat the same common characters or phrases, then leave them indefinitely in place. There are three things you need to do now to get your password situation under control.

First, use strong passwords, which typically means passwords no one can remember and those that are randomly generated using a combination of letters, numbers and special characters.

Second, never ever ever ever use the same password twice. At least a third of all data breaches are perpetrated to capture usernames and passwords from low-value applications on the expectation that applying the same credentials to high-value applications will generate a succesful hit on a high percentage of attempts. That’s like using one key for your car, your house, your home safe and your bank safety deposit box — then making copies and handing them to your friends.

Third, change your passwords regularly, as in every 90 days at a minimum. Change is the enemy of cyberattacks because most attacks go after weakly secured and often outdated datasets, so if you’re regularly changing your credentials you’re much less likely to be exposed.

4. Commit to two-factor authentication.

Two-factor authentication is a process regularly employed by Google, Facebook, many banks and a host of other services that allows you to tie a secondary device or data source to your login process. The most common example is using a cell phone to receive a text, or a phone number to take a call with a one-time passcode. Another option is code generators that rely on a separate application to create a time-sensitive access key. All of these greatly reduce risk for you and your team.

5. Control access to information with password provisioning.

Passwords need to be protected or they really aren’t useful in the first place. Again, passwords are like keys — don’t leave your keys just randomly lying around. The best way to address this is by using high-quality password management software that will keep your passwords secure, generate new ones that meet high-level security requirements, and in some cases, track history and allow you to be reminded when it’s time to update or change passwords in the future.

Another step with more advanced applications is called provisioniong. Provisioning enables you to assign specific access right to individual employees or teams of employees, which ensures much greater control over who has access to which applications, databases or user accounts.

6. Train employees to spot and avoid phishing attacks.

Employees are your first line of defense when it comes to cybersecurity and giving them clear training on how to spot and avoid attacks coming to their inboxes or web browsers is an essential step. Annual training workshops are a good start, but better still is integrated digital training with examples that employees can learn from over time.

7. Exercise caution with mobile devices and flash drives.

Every single port on your computers is a possible access point for a virus or attack, and that’s why any device that will sync or otherwise plug in needs to be considered in your IT security plan.

With mobile devices — especially employee-owned devices – you need to ensure that employees maintain current mobile operating systems and that your computers have sync security protection.

When it comes to flash drives, the rule is to only use company-issued drives and in most cases, any drive that leaves the office (such as one being used to transfer files to a local copy shop, etc.) should be used once and discarded, or wiped clean upon return.

8. Have your IT vendor perform a security audit.

Your IT vendor is also your IT security vendor, whether you’ve ever used them explicitly for that purpose or not. They’re the people who know your network, know your desktops and know your business needs. One of those business needs is to evaluate the security and data safety of your network and applications at least once per year.

If you haven’t had an IT security audit performed previously, talk with your IT vendor now about scheduling one and let them take some time to really evaluate not only the systems themselves, but how you and your team are using or accessing them, when it comes to cybersecurity.

9. Create a plan to respond when an incident takes place.

At the end of the day, the statistics are sobering and it’s a reasonable conclusion to say that at some point, nearly every small business will be victimized by one or more cyber attacks or breaches.

That’s why you need a plan now to respond whenever it happens. The key is preparation, and the goal is to minimize and control damage. There’s a big difference between a small fire that’s promptly extinguished within minutes by a sprinkler head, and a massive conflagration that grows and grows until it consumes your entire business.

An effective cybersecurity response plan will enable you to more quickly identify the nature and type of attack, the depth of the damage, and what you should do right away to stop further infiltration or notify affected parties.

These nine steps are just a starting point for laying a solid cybersecurity foundation at your small business. Work with your key business advisors including your business attorney, business accountant and business IT partner to craft and implement effective business continuity protection strategies today.