The 80/20 of SMB Cybersecurity: What Actually Matters
Most breaches don't start with sophisticated hackers. They start with someone reusing a password.
I've seen the aftermath of too many preventable incidents. Ransomware locking up an accounting system because someone clicked a link in an email that looked like it came from FedEx. A bookkeeper who wired $75,000 to what she thought was the vendor's bank account, when in reality an attacker who had compromised a colleague's email account (business email compromise) had swapped in a new routing and account number. A former employee who still had admin access to the VPN and file server six months after they left because nobody remembered to revoke it.
None of these were sophisticated attacks. They were opportunistic, and they worked because the basics weren't covered.
You're Not Too Small to Be a Target
I hear this all the time. "We're just a 15-person firm, why would anyone come after us?" The answer is precisely because you're a 15-person firm. You have client data, banking credentials, and probably no dedicated security team. From an attacker's perspective, you're easier to hit than a Fortune 500 company and still worth the effort.
The goal here isn't to become Fort Knox. You just need to be harder to compromise than the next guy. Most attackers aren't persistent. They're scanning for easy wins. If you make it annoying enough, they'll move on.
Layers, Not Silver Bullets
I explain security to clients like a house. You've got locks on the doors to keep people out. You've got smoke detectors in case something goes wrong inside. And you've got insurance for when the worst happens anyway.
The first part is prevention: MFA, strong passwords, keeping your software updated, not clicking on sketchy links. Basic hygiene.
The second part is containment: if someone does get in, how do you limit the damage? That's where backups, access controls, and network segmentation come in. If your receptionist's laptop gets compromised, can the attacker pivot to your file server? They shouldn't be able to.
The third part is recovery: when something goes sideways, how fast can you get back to operational? Do you have a plan, or are you going to be figuring it out in the middle of a crisis?
None of this requires expensive tools. It requires thinking it through ahead of time.
Train Your People
Most security incidents start with a person, not a piece of code. Someone clicks a phishing link. Someone reuses their Netflix password for their work email. Someone shares credentials over Teams because it's faster than looking up the proper process.
The single best investment you can make is training your team, backed by ongoing phishing simulations, to pause before they click. Make it normal to ask "hey, is this email legit?" without feeling stupid. The culture shift costs almost nothing and prevents most of the stuff that actually happens to small businesses.
The Stuff You Actually Need to Do
I'm not going to give you a 47-point checklist. Here's what actually matters:
Turn on MFA everywhere. Email, banking, cloud apps, everything. This alone stops the majority of account takeovers.
Use a password manager. We use 1Password and include it in Athencia One Complete because it's dead simple and people actually use it. If your team is reusing passwords or keeping them in a spreadsheet, you're exposed.
Keep your software updated. I know updates are annoying. Automate them. Unpatched software is how a lot of ransomware gets in.
Encrypt your devices. Laptops get stolen. Phones get left in Ubers. If the drive is encrypted, losing the hardware is an inconvenience, not a breach.
That's it. Do those four things and you're ahead of most small businesses.
You Already Have Better Tools Than You Think
If you're on Microsoft 365, you're likely sitting on security features that most people never turn on. Defender, Conditional Access, Data Loss Prevention: it's all included, just not configured by default. I spend a lot of time helping clients flip those switches. It's one of the fastest ways to improve your security without spending another dollar.
I wrote a detailed post on the M365 Security Baseline a few weeks ago if you want the specifics.
Backups: The Thing Everyone Forgets Until They Need It
Here's something a lot of people don't realize: Microsoft and Google are not backing up your data in the way you think they are. They'll keep their infrastructure running, sure. But if you accidentally delete a folder, or ransomware encrypts your files, or a former employee wipes their mailbox on the way out, that's on you.
You need independent backups. Something that runs automatically, stores copies offsite, and that you've actually tested restoring from. A backup you've never tested is just a hope.
Have a Plan Before You Need One
At some point, something will go wrong. Maybe it's minor, maybe it's not. But if you're figuring out who to call and what to do in the middle of an incident, you've already lost valuable time.
Write down the basics: who gets notified, how you isolate an affected system, when you call your IT provider or your insurance carrier, and what you tell clients if their data might be involved. You don't need a 50-page document. A one-pager that everyone knows exists is better than a binder nobody has read.
The Point of All This
Security doesn't have to be scary or complicated. It's really just about not being an easy target. Cover the basics, train your people, and have a plan for when things go sideways.
Most attackers are lazy. Don't make it easy for them.
This post is part of a series on the five pillars of SMB IT success: Foundation, Security, Productivity, Growth, and Governance. It's based on concepts from my book, The SMB IT Playbook.
If you want a partner who actually looks at the whole picture, Athencia One combines visibility with protection so you're not left guessing.