
The Small Business Guide to Cybersecurity in 2026 (Without the Fear-Mongering)

Cybersecurity coverage in the news is a wall of catastrophic numbers: billions in damages, sophisticated attacks, nation-state actors. For a small business owner, none of that is actionable. What is actionable is a short list of practical, mostly free steps that prevent the attacks small businesses actually get hit by. This is that list.

What small businesses actually get hit by

Most small business breaches don’t involve sophisticated hackers. They involve: an employee clicking a fake invoice link, a reused password leaking from another site, ransomware coming in through an outdated plugin, or a credit card form on a website that was never properly secured. Defending against these doesn’t require a security team. It requires consistent attention to a few specific things.

Step one: turn on multi-factor authentication everywhere

The single highest-impact security step is multi-factor authentication (MFA) on every business account: email, banking, cloud storage, website admin, CRM, payroll, accounting. MFA stops roughly 99% of automated attacks that rely on stolen passwords. It’s free. It takes a couple of minutes per account. Most small businesses we audit have MFA on maybe half of what they should.

Use an authenticator app (Authy, Google Authenticator) instead of SMS where possible. SMS-based MFA can be intercepted by attackers who SIM-swap your phone number, which has become surprisingly common.

Step two: use a password manager, kill the spreadsheet

If your team is sharing passwords in a spreadsheet, a shared Google Doc, or a Slack channel, you have a serious problem. A password manager (1Password, Bitwarden, Dashlane) generates unique strong passwords for every account, shares them securely with team members who need them, and removes access cleanly when someone leaves. The cost is roughly $4-6 per user per month, orders of magnitude cheaper than the cost of one breach.

Every password your business uses should be unique and randomly generated. Reusing the same password across services is how 80% of small business account compromises happen.

Step three: patch everything

Software vulnerabilities get patched all the time. Attackers count on businesses not installing those patches. Set up automatic updates on operating systems, browsers, and any software that supports it. For WordPress sites, this means automatic updates on WordPress core and plugins (with backup safety nets). For Microsoft 365 and Google Workspace, this is mostly default. For the rest of your stack, build a monthly habit of checking what’s behind and updating it.

Anything past end-of-life (Windows versions no longer receiving updates, plugins abandoned by their developers, browsers nobody’s updating) needs to be replaced. It’s not optional anymore.

Step four: backups that are tested

The single most effective defense against ransomware is a working, tested, off-site backup. The key word is tested. If your backup software has been running for two years but nobody’s ever restored from it, you don’t have a backup, you have a hopeful guess.

For most small businesses, the right setup is automated daily backups stored off the main systems (cloud backups, not just an external drive that’s plugged in 24/7), with a quarterly restore test where you actually restore a file and confirm it works. Twenty minutes a quarter, every quarter.
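As an added example (not from the original post), here is a shell script that automates the quarterly restore test described above: it restores one file from a backup archive into a scratch directory, checks that the archive is recent, and compares the restored file against a checksum manifest written at backup time. The tar.gz layout, the SHA256SUMS manifest name and the sample file paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a scripted quarterly restore test.
# Assumptions: backups are .tar.gz archives with a SHA256SUMS manifest written
# at backup time, and GNU coreutils (sha256sum, find -mtime) are available.
set -euo pipefail

# Constructed sample data so the script runs offline: one "live" file, a backup
# archive of it, and a checksum manifest captured at backup time.
make_sample_backup() {
  local work="$1"
  mkdir -p "$work/live/invoices"
  printf 'Invoice 1001: paid\n' > "$work/live/invoices/1001.txt"
  (cd "$work/live" && find . -type f -exec sha256sum {} + | sort > "$work/SHA256SUMS")
  tar -czf "$work/backup.tar.gz" -C "$work/live" .
  echo "$work/backup.tar.gz"
}

# restore_test ARCHIVE MEMBER MANIFEST [MAX_AGE_DAYS]
# Restores one file into a scratch directory (never over live data), checks
# the archive is recent enough, and compares the restored file's SHA-256 to
# the manifest. Returns 0 only when every check passes.
restore_test() {
  local archive="$1" member="$2" manifest="$3" max_age="${4:-1}"
  local scratch expected actual
  # A backup older than MAX_AGE_DAYS means the "daily" job has silently stopped.
  if [ -n "$(find "$archive" -mtime +"$max_age" 2>/dev/null)" ]; then
    echo "FAIL: $archive is older than $max_age day(s)"; return 1
  fi
  expected="$(awk -v f="./$member" '$2 == f { print $1 }' "$manifest")"
  if [ -z "$expected" ]; then
    echo "FAIL: $member not listed in $manifest"; return 1
  fi
  scratch="$(mktemp -d)"
  if ! tar -xzf "$archive" -C "$scratch" "./$member" 2>/dev/null; then
    echo "FAIL: could not restore $member from $archive"; rm -rf "$scratch"; return 1
  fi
  actual="$(sha256sum "$scratch/$member" | cut -d' ' -f1)"
  rm -rf "$scratch"
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: restored $member does not match manifest (corrupt backup?)"; return 1
  fi
  echo "OK: $member restored and verified"
}
```

Run it from cron once a quarter against your real archive and manifest; any non-zero exit is the signal that your backup is a hopeful guess rather than a backup.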

Step five: train your team on phishing

The biggest hole in small business security isn’t technology; it’s the team member who clicks “View Invoice” on a perfectly convincing fake email. Phishing has gotten dramatically better in the AI era. The old “obvious typos and broken English” rules don’t apply. Modern phishing emails are written cleanly, often with insider details that make them feel legitimate.

The fix isn’t a one-time training. It’s a recurring habit: a quick monthly reminder, occasional simulated phishing tests, and a culture where reporting a suspicious email is encouraged, not embarrassing. Tools like KnowBe4 or Hoxhunt automate this for small businesses at a reasonable cost.

Step six: separate accounts for sensitive functions

The administrator account should not be the same account someone uses for daily email. The bookkeeper should have their own login, not share the owner’s. The marketing person should not have the WordPress admin password. Role-based access reduces the blast radius of any single account being compromised.

This is also where good offboarding matters. Every time someone leaves the business, their accounts should be deactivated within hours, not weeks. Most small businesses have abandoned accounts of former employees still sitting active, and every one of them is a vulnerability.

Step seven: cyber insurance

For any small business handling customer data, processing payments, or relying on its website for revenue, cyber insurance is increasingly worth it. Premiums have come down, coverage has gotten clearer, and one ransomware incident easily costs ten years of premiums. The application alone is useful: most policies ask the kind of questions (“do you have MFA on all email accounts?”) that surface the gaps you should fix anyway.

What you don’t need to worry about (yet)

You don’t need an enterprise SIEM platform. You don’t need a SOC 2 audit unless your customers are asking for one. You don’t need to hire a CISO. You don’t need to spend more than a few hundred dollars a month on security tooling. Most small business security wins come from disciplined use of basics, not from expensive enterprise tools.

The realistic threat model

You’re not being targeted by elite hackers. You’re in the crosshairs of automated scanning tools looking for any easy door: a leaked password, an unpatched vulnerability, an employee with weak email security. Make yourself moderately hard, and you fall off those scanners’ lists. Make yourself easy, and you get hit.

If you’d like an honest, jargon-free audit of where your small business sits on the security basics, we’d be glad to help. We work with small businesses across South Florida to make the security boring, set it up properly, keep it running, and stop thinking about it.
