The expected rise in holiday sales this year is good news for small businesses— and for hackers attempting to steal sensitive customer information. While headlines have focused on security breaches at big corporations like Target, Neiman Marcus and most recently, Home Depot, small businesses are not immune to such attacks; in fact, an alarming 71 percent of all security breaches target small businesses.
Cyber-attacks are becoming increasingly sophisticated and frequent each year. A 2013 technology survey of small business owners conducted by the National Small Business Association (NSBA) shows that 44 percent of respondents have been victims of cyber-attacks. While respondents said “security issues” was the second biggest technological challenge in their businesses, almost 30 percent had little to no understanding of cyber security. Even one cyber-attack can have major financial consequences. In the same survey, NSBA estimated that the average cost associated with a single cyber-attack in 2013 was $8,699.48.
The good news is that there are easy, preventable measures you can take to secure your small business at little to no cost. Here are five best practices to avoid a data breach this holiday season— and year-round.
1. Train Your Employees
Training employees is one of the easiest ways to bolster security yet is often overlooked. Educate employees on safe web browsing, phishing scams and click fraud. Encourage them to be smart about passwords and how they share critical information online. If your business deals with transactions on a POS system, make sure they stay alert to suspicious activity from customers or even other employees. Target’s massive data breach could have been stopped had the company’s security team and IT department, made up of more than 300 employees, reacted when they were supposed to. Your people are your greatest assets, and they can be your greatest assets in stopping a security breach, too.
2. Protect Top Priority Data
With limited resources and spending devoted to security, it’s impossible to protect your business at every possible security failure point. Prioritizing information by assessing its level of importance as well as risk will help you secure the most important data. Depending on the type of data you’re working with, you may consider security measures such as two-step encryption or tokenization, a way to substitute sensitive information with a non-sensitive equivalent. “Point to Point encryption ensures that the credit card data is encrypted from the swipe all the way to the processor,” says Carmon Drummond, POS expert from MainSpring, an NCR provider. “Tokenization means that a token is stored in your database instead of the credit card data itself.”
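The tokenization described above, sketched as an added Python example (not code from this article, MainSpring or NCR). `TokenVault` is a hypothetical stand-in for the payment processor's vault, and the card number is the standard 4111 test number, not a real card.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used here only to reject mistyped card numbers."""
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def normalize(pan: str) -> str:
    return pan.replace(" ", "").replace("-", "")

class TokenVault:
    """Hypothetical processor-side vault: the only place the card number lives."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = normalize(pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:            # same card -> same token
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to the card number."""
        return self._pan_by_token[token]

def record_sale(merchant_db: list, vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant database stores: token, last four digits, amount."""
    row = {"token": vault.tokenize(pan),
           "last4": normalize(pan)[-4:],
           "amount_cents": amount_cents}
    merchant_db.append(row)
    return row

def leaks_card_number(merchant_db: list, pan: str) -> bool:
    """Simulates a stolen merchant database: is the full card number in it?"""
    digits = normalize(pan)
    return any(digits in str(v) for row in merchant_db for v in row.values())

TEST_PAN = "4111 1111 1111 1111"  # constructed sample: well-known test number
```

A copy of `merchant_db` taken by an intruder contains tokens that are useless without the vault, which is why the vault, not the point-of-sale database, becomes the data to protect first.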
3. Secure Mobile Data
In the “bring your own device” (BYOD) era, loss of data through a mobile device, tablet or PC is a real concern. One way security is breached is through mobile malware. A study by the Juniper Networks Threat Center (MTC) found that between March 2012 and March 2013, mobile malware threats increased by 614 percent. The first and easiest step to secure your mobile data is to encrypt your device with a passcode, and at multiple levels within one device when warranted. You may also want to invest in a mobile security application that will block malware, detect cyber-attacks and protect your data. Choose the mobile security application to fit your business needs: the size of the business, the mobile platforms used and the level of security needed for your work environment.
4. Consider Private Cloud File Sharing
Cloud file sharing sites like Dropbox and Google Drive are easy to use, ubiquitous and inexpensive, but they weren’t developed with security as a top priority. When you’re dealing with sensitive internal information, you may want to invest in private cloud file sharing software. Along with providing a higher level of security, many private cloud file sharing environments offer additional benefits such as control over access, audit trail reporting and the ability to monitor employee online behavior. Most sites will back up your data automatically to protect you from losing important information.
5. Have a Response Plan
Taking preventative measures is the best way to avoid a security breach altogether, but what if your business experiences a cyber-attack or credit card fraud? Having a response plan in place before a security breach will save you time, money, resources, and maybe even your reputation. No matter how small your business, having a response plan will allow your organization to react quickly and coordinate with others to mitigate the effects of the data breach. In the response plan, include instructions for using the plan, the types of incidents that may occur, actions that should be taken and a checklist of key people and processes affected by the data breach.