New Cybersecurity Expectations for Small Businesses: What You Should Know
- CYBERRISKED℠
- May 9
If you're running a small business, you may be thinking: "Who cares? We're too small to be regulated."
That is changing. Between rising threats, evolving client demands, and tightening cyber-insurance underwriting, cybersecurity expectations now reach small businesses whether or not you are formally "regulated."
Why This Matters Now
- Cyber insurers are asking tougher questions (MFA, backups, patching) before they'll cover you
- Vendors and clients want to know you won't expose them to risk
- New laws and frameworks are starting to call out small and midsized businesses directly
Whether you’re in healthcare, professional services, retail, or nonprofit — security standards are moving closer.
Examples of What’s Changing
- FTC Safeguards Rule (applies to non-bank "financial institutions," which now includes some tax preparers, mortgage brokers, and car dealerships that arrange financing)
- CMMC (Cybersecurity Maturity Model Certification) for small businesses in the DoD supply chain, including subcontractors that handle controlled unclassified information
- NIST CSF 2.0 now addresses all organizations, not just critical infrastructure, and is published alongside a small-business quick-start guide
- State privacy laws (California's CCPA/CPRA is the best known) apply based on whose data you handle and how much, not on where you are based; check the applicability thresholds
These rules aren't always enforced right away, but they set the tone for what's expected. It is far cheaper to reach compliance before enforcement, an insurer's questionnaire, or a client's security review forces the issue.
5 Basic Things Every Small Business Should Be Doing Now
1. Use unique passwords (a password manager makes this practical) and turn on multi-factor authentication, starting with email, banking, and remote access
2. Keep software and systems updated; turn on automatic updates wherever they are offered
3. Back up your data regularly and securely, keep at least one copy offline or otherwise unreachable from your network, and test that you can actually restore from it
4. Train your team on phishing and data safety, and make it easy for them to report a suspicious message
5. Know what sensitive info you collect, where it lives, and who can access it; protect what you keep and delete what you don't need
Our Final Thought:
You don’t have to become a compliance expert overnight. But if you’re serving clients, handling sensitive info, or relying on technology — some level of cybersecurity readiness is no longer optional.
Start small. Stay consistent. You don't have to figure it all out alone, and you don't have to figure it all out on day one. But do start by doing something.