Cybersecurity on a budget

March 20, 2026 | 4 minute read

Businesses of every size increasingly rely on digital tools to pay for goods and services, receive payments, deliver marketing messages or interact with suppliers. No matter how many people your company employs or how long it has been in operation, you’re likely conducting some or all of your business online.


One consequence of this shift is an increase in cyber risk. Bad actors have more opportunities than ever to impact businesses through ransomware, phishing attacks, data breaches and other tactics responsible for billions of dollars in losses and significant reputational damage every year.

All businesses are susceptible

Businesses that lack the resources to deploy the robust cybersecurity defenses large enterprises can afford may be especially vulnerable. Fortunately, there are meaningful ways to help protect your business that don’t require a massive investment.


Human error and inefficient or unsafe online processes remain leading contributors to successful cyberattacks. Businesses that factor cyber risk into their policies and operations, and that use low‑cost tools with strong built‑in security controls, can keep many aspects of their operations secure.


Regardless of your company’s size or budget, these guidelines can help you reduce cyber risk while continuing to grow digitally.

[Graphic: the percentages of small business owners who, over the next five years, plan to adopt digital tools and to use digital tools to increase cybersecurity, and the percentage of data breaches in which the human element was a factor.]

Build cyber awareness into your business plan

Every business that uses software, receives email, connects to the internet, sends or receives digital payments or stores data electronically is a potential target for cybercriminals. That’s why your company culture, from day one and from the top down, should emphasize cyber awareness and the necessity of following the company’s security guidelines. 


Deploy fundamental (and low-cost) tools

Technology companies have steadily improved the security features in their products, but users still need to be proactive to get the full benefit of them. Your business can implement cyber defense basics by:


  • Ensuring that all company devices have modern endpoint security tools (including antivirus and endpoint detection and response) along with firewalls and application security monitors and deterrents
  • Installing security apps on all company mobile devices
  • Using reputable cloud‑based tools when possible, which often include strong built‑in security controls
  • Regularly backing up critical data and storing it on a private cloud or a network-attached storage device
  • Working with merchant service providers that adhere to Payment Card Industry Security Standards
  • Enabling multifactor authentication (MFA) for all critical systems and accounts
  • Keeping software and operating systems up to date with the latest security patches
  • Using strong, unique passwords and considering a password manager for employees
  • Encrypting sensitive data both in transit and at rest

Limit employee access and permissions

Among the most costly data breaches are those that begin when criminals obtain employee credentials and use them to access sensitive files and data.3 A simple and cost-effective way businesses can hedge against this risk is by limiting employees’ access to critical assets to only what’s needed for their jobs. By the same principle, only specific, designated personnel should have permission to download software to company devices.


Partner with cyber threat-aware organizations

Working with financial institutions that enable MFA, passkeys and other advanced protections can help your business establish solid protections around transactions and reduce phishing risk.


Be ready to ask vendors and suppliers how they prioritize cybersecurity and about their track record of cyber-risk management. Setting high compliance standards with third parties won’t eliminate threats but can reduce them.


Develop a cyber response plan and perform regular cyber-risk assessments

Whether your company has a dedicated IT or security specialist or not, it should appoint a responsible individual or team to develop, update and execute a cyber incident response plan.


That person or team should regularly review the company’s most important assets and digital footprint and revise the plan as necessary. Leadership should periodically review the company’s cyber response plan and consider simple tabletop exercises to test readiness. If the threat landscape changes significantly, evaluate whether outside security expertise is needed.

Keep payment processes separate and security focused

You should isolate payment systems from other company operations (e.g., avoid web browsing, email or other routine tasks on devices used for financial transactions). Establish clear thresholds for transaction amounts — both payable and receivable — that qualify as unusual and require additional levels of approval. If you pay for goods and services with credit cards, choose cards with strong anti-fraud protections, which can help recover losses from financial scams.
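The threshold rule in the paragraph above can be made concrete with a small approval check. The following is an added example, not code from the original article or from Bank of America: it keeps a constructed policy of amount thresholds for payables and receivables, computes how many approvals a transaction needs, and refuses to release a transaction until enough distinct approvers have signed off. The separation-of-duties rule (the initiator can never approve their own transaction) is an assumption added here; all names, thresholds and amounts are constructed sample values.

```python
"""Threshold-based approval policy for outgoing and incoming payments.

Added example, not from the original article. Thresholds, user names and
transactions are constructed sample values.
"""
from dataclasses import dataclass, field

# Constructed policy: a transaction whose amount is at or above a threshold
# needs the number of distinct approvers listed with it. Payables (money out)
# get tighter thresholds than receivables (money in).
POLICY = {
    "payable":    [(0, 1), (5_000, 2), (25_000, 3)],   # (amount_from, approvers_required)
    "receivable": [(0, 1), (50_000, 2)],
}


@dataclass
class Transaction:
    tx_id: str
    direction: str                  # "payable" or "receivable"
    amount: float
    initiator: str                  # user who created the transaction
    approvers: list = field(default_factory=list)


def approvals_required(direction: str, amount: float) -> int:
    """Return how many distinct approvers the policy demands for this amount."""
    if direction not in POLICY:
        raise ValueError(f"unknown direction: {direction}")
    if amount < 0:
        raise ValueError("amount must be non-negative")
    required = 1
    for threshold, n in POLICY[direction]:      # tiers are listed in ascending order
        if amount >= threshold:
            required = n
    return required


def check_transaction(tx: Transaction) -> tuple:
    """Decide whether the transaction may proceed: (ok, reason).

    Assumed rules: the initiator may not approve their own transaction,
    duplicate approvals count once, and the distinct count must meet POLICY.
    """
    needed = approvals_required(tx.direction, tx.amount)
    if tx.initiator in tx.approvers:
        return False, f"{tx.tx_id}: initiator {tx.initiator} may not approve own transaction"
    distinct = set(tx.approvers)
    if len(distinct) < needed:
        return False, f"{tx.tx_id}: {len(distinct)} of {needed} required approvals"
    return True, f"{tx.tx_id}: released with {len(distinct)} approver(s)"


if __name__ == "__main__":
    # Constructed sample transactions exercising each rule.
    samples = [
        Transaction("T1", "payable", 1_200, "alice", ["bob"]),
        Transaction("T2", "payable", 12_000, "alice", ["bob"]),
        Transaction("T3", "payable", 12_000, "alice", ["bob", "carol"]),
        Transaction("T4", "payable", 40_000, "alice", ["alice", "bob", "carol"]),
        Transaction("T5", "receivable", 60_000, "dana", ["bob", "bob"]),
    ]
    for tx in samples:
        ok, msg = check_transaction(tx)
        print("OK  " if ok else "HOLD", msg)
```

Storing the thresholds in one table keeps the "what counts as unusual" decision reviewable by leadership rather than buried in code, and the check refuses rather than warns, so a held transaction cannot slip through on a busy day.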


Proactively manage employees and security policies

Incentivize employees to learn cyber hygiene basics and the importance of adhering to all company security policies regarding remote connectivity, secure sign-on, sharing permissions and other activities that carry cyber risk. Security protocols should include clear processes for discontinuing access privileges to protect the company from insider threats.
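The two access-control points made on this page, limiting each employee to the permissions their job needs (the "Limit employee access and permissions" section) and promptly discontinuing access when people leave (the paragraph above), can be enforced with a periodic access review. The following is an added example, not code from the original article or from Bank of America. It assumes a role-to-permission map that defines the minimum each job function needs and an HR roster that says who is still employed; every role, user and permission in it is constructed sample data.

```python
"""Periodic access review: least privilege plus timely deprovisioning.

Added example, not from the original article. Roles, users and permissions
are constructed sample data; ROLE_PERMISSIONS is an assumed policy table.
"""
from dataclasses import dataclass

# Constructed role definitions: the minimum each job function needs.
# Only the "it" role is allowed to install software on company devices.
ROLE_PERMISSIONS = {
    "sales":   {"crm.read", "crm.write", "email"},
    "finance": {"ledger.read", "ledger.write", "payments.approve", "email"},
    "it":      {"software.install", "admin.console", "email"},
}


@dataclass
class Account:
    user: str
    role: str
    permissions: set
    active: bool
    employed: bool              # taken from the HR roster, not the directory


def review_access(accounts):
    """Return (user, finding) pairs for every account that violates policy.

    Two checks: an active account whose owner has left the company, and any
    permission granted beyond what the account's role is defined to need.
    """
    findings = []
    for acct in accounts:
        if acct.active and not acct.employed:
            findings.append((acct.user, "active account for departed employee"))
        allowed = ROLE_PERMISSIONS.get(acct.role, set())
        for perm in sorted(acct.permissions - allowed):
            findings.append((acct.user, f"permission beyond role '{acct.role}': {perm}"))
    return findings


def remediate(acct):
    """Return a copy of the account trimmed to policy: departed users are
    deactivated, and permissions are cut back to the role's minimum."""
    allowed = ROLE_PERMISSIONS.get(acct.role, set())
    return Account(acct.user, acct.role, acct.permissions & allowed,
                   acct.active and acct.employed, acct.employed)


SAMPLE_ACCOUNTS = [   # constructed
    Account("alice", "sales", {"crm.read", "crm.write", "email"}, True, True),
    Account("bob", "sales", {"crm.read", "email", "software.install"}, True, True),
    Account("carol", "finance", set(ROLE_PERMISSIONS["finance"]), True, False),
    Account("dave", "it", set(ROLE_PERMISSIONS["it"]), True, True),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
    fixed = [remediate(a) for a in SAMPLE_ACCOUNTS]
    print("findings after remediation:", len(review_access(fixed)))
```

Running the review on a schedule (and on every departure) is what turns "limit access" from a one-time setup into a control: the HR roster, not the IT directory, decides who is still employed, and anything outside the role table shows up as a finding rather than accumulating silently.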


1 Bank of America, 2025 Business Owners Report.

2 Verizon, 2025 Data Breach Investigations Report.

3 IBM Corporation, “Cost of a Data Breach Report 2025,” July 2025.
