Cybersecurity for Small Businesses: The 8 Things That Actually Matter
Most cybersecurity advice is written for organisations with security teams, big budgets and dedicated tools. If you run a small business, that’s not your reality — and the advice can feel paralysing.
Here’s the practical version. Eight controls, in order of impact. If you do these well, you’ve blocked the path that 80%+ of SMB cyber incidents take. Total cost: a few hundred dollars a year and a few hours a month of attention.
1. Multi-factor authentication on email — today
If you do nothing else from this list, do this. Most small business cyber incidents start with someone’s email account being taken over. Once an attacker has email access, they can:
- Reset passwords on every other service that uses that email
- Read past emails for sensitive data
- Send invoice fraud emails to your customers from your real address
- Pivot into your file storage, banking, accounting
Multi-factor authentication (MFA, also called 2-step verification) adds a second check at login — usually a code from an app on your phone. It’s the single most effective risk-reducing control for SMBs. Microsoft 365, Google Workspace, and basically every modern email platform have it built in. Turn it on for everyone, today. Use an authenticator app (Microsoft Authenticator, Google Authenticator, Authy) — not SMS, which can be hijacked.
2. A password manager for the team
Reusing passwords across services is the second most common compromise vector. A password manager (1Password, Bitwarden, Dashlane) generates unique passwords for every site, stores them safely, and logs people in across devices.
The pitch to the team: it actually makes their lives easier. No more password resets, no more sticky notes, no more “what was the wifi password again?”. Most small businesses can be on a paid team plan for $5–10/user/month. Bitwarden’s free tier is genuinely usable.
3. Automatic OS and app updates
Most malware exploits known, patched vulnerabilities. The fix exists — the user just hasn’t installed it. Turn on automatic updates for every work computer’s operating system, browser, and key apps. Schedule a reboot once a week so updates actually apply.
For phones, enable auto-updates and require iOS/Android passcodes. Personal devices accessing work email should have the same baseline.
4. Backups that aren’t on the same machine
Two scenarios where you need backups:
- Hardware fails. Your laptop’s SSD dies, your office gets flooded, your phone is stolen.
- Ransomware encrypts everything. The backup on the same network is encrypted too.
The fix: cloud backup (OneDrive, Google Drive, Dropbox Business) for your day-to-day files, plus a separate backup target for important business data (accounting files, customer records, contracts). For SMBs, services like Backblaze ($99/year per computer) or a NAS rotated off-site work well.
Once a quarter, restore something from backup to make sure it works. A backup you’ve never restored is a wish, not a backup.
5. The phone-call rule for money changes
Business email compromise (BEC) is the highest-loss scam targeting SMBs. The pattern: an attacker takes over a vendor’s email (or impersonates them via a lookalike domain), then asks you to update their bank details for the next invoice. You pay. The real vendor never sees the money.
The rule: any change to bank details — yours or anyone you pay — gets verified by a phone call to a number you already had on file. Not the number in the email. The known number from a previous communication or their website.
Train whoever handles your finance to follow this every time. It feels paranoid until the first time it saves you a five-figure transfer.
6. Anti-malware on every computer
Modern Windows ships with Microsoft Defender, which is genuinely good. Make sure it’s on and up to date. macOS has built-in protections. The classic third-party AV vendors (Norton, McAfee) aren’t worth paying for — Defender + Safe Browsing is enough for most SMBs.
Larger SMBs (20+ devices) should consider an EDR product like SentinelOne, CrowdStrike Falcon Go, Sophos Intercept X, or Defender for Business. The pricing for SMB tiers has come down to $5–15/device/month.
7. Restrict admin rights and remove leavers
Two related habits:
Limit who can install software. If everyone is a local admin, malware can install too. On Windows, set users up with Standard accounts and use a separate admin account when needed. On Mac, the same — separate admin and standard users.
Disable accounts when people leave. Same day, ideally — that includes email, file sharing, all apps. Most SMB compromises that come in through “the founder’s old assistant’s account” happen because the account was never disabled. Build a checklist for offboarding and stick to it.
8. A 1-page “if we get hacked” plan
You don’t need a 50-page incident response plan. You need a one-page document with answers to:
- Who do we call first? (your IT provider, an IR firm, your insurance broker)
- Who decides to take the network offline if needed?
- How do we communicate if email is down? (a Signal group, alternate emails, phone numbers)
- Who informs the team? Who informs customers, if needed?
- Where are the most important files / accounts / suppliers documented?
Print it. Put it in a folder. Tell the leadership team where it is. The first 30 minutes of an incident are when good decisions matter most — having the answers pre-decided beats trying to figure them out under pressure.
What about cyber insurance?
For most SMBs: yes. Cyber insurance for a small business is typically $500–3,000/year and covers the response costs of a real incident — IR firm, legal, regulator notifications, business interruption. The insurer’s questionnaire forces you to confirm your basic controls (MFA, backups, patching), which itself is useful.
Read what’s covered. Sub-limits matter. Make sure ransomware and BEC are explicitly included.
What about training?
Annual “cyber awareness” videos are not very effective. What works is:
- A 30-minute session at onboarding and once a year
- Brief, real-world reminders (“we just got a phishing wave, here’s what to look for”)
- Praise for people who report suspicious emails
The goal isn’t expertise — it’s a culture where people pause before clicking, verify before paying, and report instead of hiding mistakes.
Where to start, week 1
- Turn on MFA for email and accounting apps.
- Sign up for a password manager and roll it out.
- Confirm you have cloud backups of important files.
- Write a one-page incident plan.
That’s a week’s work, ~$500/year of tooling, and a transformative reduction in your risk.
Take the 30-question Small Business Cyber Posture assessment to see where you stand and what to fix first.