Cybersecurity for Small Business: The “Minimum Viable Security” Playbook

CyberDuo

Small businesses don’t get hacked because attackers “hate small businesses.”

They get hacked because small businesses are efficient targets:

  • fewer layers of approval,
  • fewer security controls,
  • the same cloud tools as everyone else,
  • and real money moving through email every day.

And the data backs up the “this could happen to anyone” reality:

  • Verizon’s 2025 DBIR SMB Snapshot shows ransomware present in 44% of breaches overall, and in 88% of breaches affecting SMBs.
  • The same snapshot lists common initial access paths like credential abuse (22%), exploitation of vulnerabilities (20%), and phishing (16%).
  • The FBI’s IC3 says its 2024 report includes 859,532 complaints and reported losses exceeding $16B, up 33% from 2023.

So the question isn’t “Do we need cybersecurity?”
It’s “What’s the smallest set of actions that meaningfully reduces risk without turning us into a big-company IT department?”

This guide is that: a Minimum Viable Security playbook for small businesses—practical, readable, and based on widely trusted sources.


The small business threat model in plain English

You don’t need to defend against “everything.” You need to defend against what’s most likely to hurt you.

For most small businesses, cyber incidents fall into a handful of buckets:

1) Someone steals a password → takes over email → steals money

Business Email Compromise (BEC) is one of the most common small-business killers because it hijacks trust and payment workflows.

The FBI/IC3 calls BEC a “$55 billion scam” (Oct 2013–Dec 2023 exposed losses) and notes that it targets everything from small local businesses to large corporations.

2) Ransomware locks systems → downtime becomes the crisis

Ransomware isn’t just an IT problem. It’s a “can we operate?” problem—and SMBs are hit hard.

3) Unpatched stuff gets exploited (especially “edge” devices)

Vulnerability exploitation is a major initial access vector, and Verizon notes growth in exploitation as a breach entry path (including mentions of zero-days targeting edge devices and VPNs).

4) A third party becomes your problem

Third-party involvement in breaches doubled (15% → 30%) in Verizon’s reporting.

5) Sensitive data leaks through normal tools (cloud sharing + AI)

Verizon also points to data leakage risks from employees using GenAI tools: 15% of employees routinely accessed GenAI systems on corporate devices, many of them using non-corporate emails or corporate emails without integrated authentication.


The “Minimum Viable Security” Checklist (what matters most)

Below are the controls that consistently show up across federal guidance for businesses and small-business frameworks—and they map cleanly to real-world attack paths.

1) Require MFA everywhere that matters (email, finance, admin, remote access)

If you do only one thing this month, do this.

  • The FTC explicitly recommends requiring multi-factor authentication, especially to protect sensitive information and network/device access.
  • NIST emphasizes that passwords alone are not effective for sensitive assets and explains MFA as using two or more factors (“something you know/have/are”).

Practical standard for small businesses

  • MFA on: email, payroll, banking, accounting, admin portals, cloud admin, and any remote access.
  • Use phishing-resistant options for admins if you can (NIST calls out that some MFA methods are stronger and discusses phishing-resistant authenticators like FIDO/WebAuthn).

Common pitfall: “We turned on MFA for some people.”
Attackers look for exceptions (contractors, shared mailboxes, “temporary” bypasses).


2) Treat email as critical infrastructure

Email is where invoices, links, resets, and approvals live.

The FTC includes a specific section on email authentication, noting spoofing risk and that authentication can make it harder for scammers to impersonate your domain.

What to implement

  • Domain-level email authentication (commonly SPF/DKIM/DMARC)
  • Stronger controls on mailbox forwarding rules and suspicious logins
  • “Out-of-band verification” policy for payment changes (see BEC section below)
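As an added example (not part of the original post), here is a small Python check that turns the “forwarding rules and suspicious logins” item into something you can actually run over a mailbox audit export: it flags new inbox rules that forward outside the company domain, delete the original message, or appear shortly after a sign-in from a country not previously seen for that user. The event format, company domain and addresses are all assumed and constructed; real mail providers export audit logs in their own schemas, so the parsing line is the part you would adapt.

```python
import json
from datetime import datetime, timedelta

COMPANY_DOMAIN = "example.test"  # assumed internal mail domain (constructed)

# Constructed, simplified audit events (one JSON object per line); not a real provider's schema.
SAMPLE_LOG = """
{"ts": "2025-03-04T08:02:11Z", "op": "SignIn", "user": "ap@example.test", "country": "US"}
{"ts": "2025-03-04T13:41:05Z", "op": "SignIn", "user": "ap@example.test", "country": "NG"}
{"ts": "2025-03-04T13:44:30Z", "op": "InboxRuleCreated", "user": "ap@example.test", "forward_to": "ap.archive@mailbox-provider.example", "delete": true, "filter": "invoice"}
{"ts": "2025-03-04T15:10:00Z", "op": "InboxRuleCreated", "user": "hr@example.test", "forward_to": "payroll@example.test", "delete": false, "filter": "timesheet"}
"""


def find_suspicious_rules(log_text: str, company_domain: str, window=timedelta(hours=1)) -> list:
    """Walk the events in order and return one alert per inbox rule that looks like BEC setup."""
    seen_countries = {}   # user -> countries already seen for that user (the baseline)
    new_country_at = {}   # user -> time of the latest sign-in from a country not in the baseline
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user = ev["user"]
        if ev["op"] == "SignIn":
            known = seen_countries.setdefault(user, set())
            if known and ev["country"] not in known:   # first sign-in only builds the baseline
                new_country_at[user] = ts
            known.add(ev["country"])
        elif ev["op"] == "InboxRuleCreated":
            reasons = []
            target_domain = ev["forward_to"].rsplit("@", 1)[-1].lower()
            if target_domain != company_domain:
                reasons.append("forwards mail outside the company domain")
            if ev.get("delete"):
                reasons.append("deletes the original message, hiding the forward from the owner")
            last_new = new_country_at.get(user)
            if last_new is not None and ts - last_new <= window:
                reasons.append("created shortly after a sign-in from a new country")
            if reasons:
                alerts.append({"user": user, "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rules(SAMPLE_LOG, COMPANY_DOMAIN):
        print(alert["ts"], alert["user"], "->", "; ".join(alert["reasons"]))
```

The internal forward created by hr@ produces no alert, which is the point: the check is tuned to the handful of patterns that precede invoice fraud, not to every rule an employee creates.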


3) Patch faster than attackers can reuse known exploits

This is unglamorous—and it matters a lot.

Verizon’s SMB snapshot highlights exploitation of vulnerabilities as a major breach entry path and notes edge devices/VPNs as a growing target area.

The FTC also stresses updating security software regularly and points out that updates provide critical security fixes for vulnerabilities.
The SBA similarly recommends configuring software to install updates automatically across operating systems, browsers, and apps.

A simple small-business patch rule

  • Turn on auto-updates wherever possible.
  • Set a policy like: “critical patches within 7–14 days; high within 30.”
  • Track completion (don’t rely on hope).


4) Encrypt laptops and phones (because they will get lost)

The FTC recommends full-disk encryption for laptops and protecting data stored on devices.

Minimum bar

  • Full-disk encryption on every company device
  • Screen lock and remote wipe enabled


5) Backups that can survive ransomware (and prove it)

Backups are only real if you can restore.

The FTC recommends regularly backing up data.
The SBA recommends regular backups and specifically calls out critical data types (finance, HR, accounting, documents, databases).

What “good” looks like

  • At least one backup copy is offline/immutable (not just “sync”)
  • Restore tests are scheduled (ideally quarterly for critical systems; at minimum annually)

Common pitfall: “Our cloud drive is our backup.”
Sync helps availability—but ransomware and mass deletion can sync too.


6) Remove unnecessary admin rights (least privilege)

Most malware damage gets worse when users are local admins.

The FTC recommends limiting access to sensitive assets to only those who need it.
The SBA recommends restricting administrative privileges to trusted IT staff/key personnel and performing access audits.

Practical steps

  • No local admin by default
  • Separate admin accounts for IT/admin functions
  • Quarterly access review (especially after staffing changes)


7) Protect remote work like it’s normal (because it is)

The FTC gives practical remote access guidance like:

  • using VPN for employees/vendors (as appropriate),
  • ensuring home routers use WPA2/WPA3 encryption,
  • separating guest Wi‑Fi from business networks.

The SBA also recommends VPN use for remote employees and securing networks with encryption/firewalls.

Minimum bar

  • Managed devices only for accessing sensitive systems
  • MFA for remote access
  • Home Wi‑Fi guidance + “no shared family devices for work logins”


8) Train people—because phishing is still everywhere

The FBI’s IC3 press release lists phishing/spoofing among the top cyber crimes by complaint count in 2024.
The FTC recommends training everyone who uses business devices to recognize common attacks and perform basic cyber hygiene tasks.
The SBA points to employees and work communications as key pathways into systems and recommends training on phishing and safe practices.

Training that actually works for SMBs

  • 10 minutes monthly > 1 hour once a year
  • Teach one behavior at a time:
    • “hover before you click”
    • “verify payment changes out of band”
    • “report suspicious emails fast”


9) Write a one-page incident plan (and make it usable)

The FTC explicitly recommends creating a cybersecurity incident response plan and also references disaster recovery and business continuity planning.

Your small-business IR plan can be one page
Include:

  • who decides what (owner/COO/IT)
  • bank contact and steps for fraud
  • password reset + MFA reset procedure
  • how to isolate an infected device
  • who you call for technical help (internal or external)

Bonus: Run a 30-minute tabletop once per quarter: “CEO mailbox compromised” or “ransomware on accounting PC.”


10) Add “money movement controls” (anti-BEC) to your operations

This is cybersecurity that protects your cash flow.

The FBI/IC3 BEC PSA recommends prevention steps like using secondary channels / two-factor verification for changes in account info and acting quickly with financial institutions if a fraudulent transfer occurs.

Minimum policy

  • Any bank detail change requires verification via a known phone number (not the one in the email)
  • Two-person approval for wires above a threshold
  • No payment changes approved solely via email


Quick self-audit: your small business cyber score (10 questions)

Give yourself 1 point per “Yes”:

  1. MFA is enforced for email and finance tools (no exceptions).
  2. Admin accounts are separate and tightly controlled.
  3. All devices auto-update OS and critical apps.
  4. Laptops are encrypted and can be remote wiped.
  5. Backups include an offline/immutable copy and you’ve tested restore this year.
  6. Email authentication is set up to reduce spoofing risk.
  7. Remote access requires secure connection + MFA.
  8. Staff have short, regular phishing training.
  9. You have a one-page incident response plan.
  10. Payment changes require out-of-band verification.

0–3: you’re exposed in the most common ways SMBs get hit.
4–7: good momentum—close the gaps that affect money (email + finance) and recovery (backups).
8–10: strong baseline—focus next on vendor risk and monitoring discipline.


A realistic 30‑day rollout plan (small-business sized)

Week 1: Protect identity + money

  • Enforce MFA on email, banking, payroll, accounting, admin portals
  • Turn off legacy/weak login methods where possible
  • Implement “no payment change by email” policy

Week 2: Patch + harden endpoints

  • Turn on auto-updates (OS + browsers + core apps)
  • Remove local admin rights by default
  • Encrypt laptops + ensure remote wipe is enabled

Week 3: Backups + restore test

  • Confirm backup scope (finance/HR/shared drives/cloud data)
  • Add an offline/immutable copy
  • Do one restore test and document it

Week 4: Email defense + incident readiness

  • Configure email authentication (reduce spoofing)
  • Run a 30-minute tabletop: “BEC attempt” or “ransomware”
  • Finalize a one-page incident response plan
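To make the Week 4 “configure email authentication” step concrete (and the SPF/DKIM/DMARC item in section 2), here is an added Python example, not part of the original post, that parses SPF and DMARC TXT records and flags the settings that leave spoofing unblocked. The sample records belong to a made-up domain and are constructed; run the checks against your own DNS TXT values.

```python
# Constructed sample TXT records for a made-up domain: a weak setup beside a hardened one.
WEAK = {
    "spf": "v=spf1 include:_spf.mailhost.example ?all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mailhost.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s",
}


def check_spf(record: str) -> list:
    """Return a list of weak-setting findings for an SPF record (empty means none found)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    # The 'all' mechanism decides what happens to senders not listed in the record.
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("'+all' lets any host send as your domain")
    elif all_term.startswith("?"):
        findings.append("'?all' is neutral, so receivers have no reason to reject spoofed mail")
    elif all_term.startswith("~"):
        findings.append("'~all' softfail: spoofed mail is usually still delivered")
    return findings


def check_dmarc(record: str) -> list:
    """Return a list of weak-setting findings for a DMARC record (empty means none found)."""
    tags = {}
    for part in record.split(";"):          # DMARC is a ';'-separated list of tag=value pairs
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports showing who sends as you never arrive")
    return findings
```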


“We don’t have a security team.” That’s normal—and solvable.

NIST’s small business resources explicitly acknowledge that most small business owners aren’t cybersecurity experts—and that building a cybersecurity-ready team can range from a single in-house role to a fully outsourced approach or a mix.

NIST’s CSF 2.0 Small Business Quick-Start Guide also notes that if there are activities you don’t understand or don’t feel comfortable handling yourself, it can be a prompt to involve outside help such as a managed security service provider (MSSP).

A non-salesy way to decide if you need outside help
Consider an MSP/MSSP (including cybersecurity-focused providers like CyberDuo) when:

  • patching and MFA enforcement are inconsistent,
  • nobody is clearly responsible for backups and restore testing,
  • you don’t have time to monitor alerts or respond after hours,
  • vendor access and offboarding are messy,
  • you need to become “insurance-ready” or meet customer requirements.

The goal isn’t outsourcing for its own sake—it’s operational consistency.


If you’re hit tomorrow: the first 60 minutes (keep this handy)

  1. If money moved incorrectly: call your bank immediately; time matters.
  2. If a device is infected: disconnect it from the network. The FTC advises disconnecting infected devices without powering them down (to preserve potentially useful investigation info).
  3. Reset passwords + revoke sessions for compromised accounts; enforce MFA.
  4. Notify leadership and start your IR plan.
  5. Report cybercrime so patterns can be tracked; the FBI emphasizes reporting as a critical step and points to IC3 as the intake for cyber-enabled crime reporting.


Final takeaway: small business cybersecurity is mostly habits + a few hard controls

Cybersecurity for small business isn’t about buying “enterprise everything.”

It’s about consistently doing a few things that break the most common attack chains:

  • MFA everywhere that matters
  • patching and device hygiene
  • backups that restore
  • email and money-movement controls (BEC-proofing)
  • a simple response plan