The SMB Cybersecurity Checklist (Without the Paranoia)


Cybersecurity articles are terrifying. Advanced persistent threats. Nation-state actors. Zero-day exploits.

Here’s the reality for most SMBs: you’re not being targeted by sophisticated hackers. You’re at risk from opportunistic attacks, phishing emails, weak passwords, and unpatched software.

The good news: basic security measures stop most of this. Here’s what actually matters.

The Essentials (Do These First)

1. Enable Multi-Factor Authentication (MFA)

This is the single most important thing you can do. Period.

MFA means logging in requires something you know (password) plus something you have (phone). Even if someone steals a password, they can’t get in without the second factor.

Where to enable:

  • Email (Google Workspace, Microsoft 365)
  • CRM and other business-critical SaaS
  • Banking and finance applications
  • Any system with access to customer data

How to do it:

  • Most platforms have MFA in settings
  • Use authenticator apps (Google Authenticator, Authy) rather than SMS when possible
  • Make it mandatory for all users, not optional

2. Use a Password Manager

People use weak passwords because strong ones are hard to remember. Password managers solve this.

Options:

  • 1Password ($8/user/month)
  • Bitwarden (free for individuals, $4/user/month for teams)
  • LastPass ($4/user/month)

Implementation:

  • Deploy company-wide
  • Require unique passwords for each service
  • Generate random passwords for everything

3. Keep Software Updated

Unpatched software is how most breaches happen. Updates fix security holes.

What to update:

  • Operating systems (Windows, macOS)
  • Browsers (Chrome, Edge, Firefox)
  • Business applications
  • Mobile devices

How to manage:

  • Enable automatic updates where possible
  • For managed devices, consider an MDM (Mobile Device Management) solution
  • Patch critical vulnerabilities within a week of release

4. Backup Your Data

Ransomware encrypts your data and demands payment. Good backups mean you can just restore.

Backup rules:

  • 3-2-1: Three copies, two different media types, one offsite
  • Test restores regularly (backups that don’t restore aren’t backups)
  • Include cloud data (Microsoft 365, Google Workspace, etc.)

Options:

  • Cloud backup services (Acronis, Backblaze for Business)
  • Microsoft 365 backup (native retention isn’t enough; get third-party backup)
  • Local backup for critical on-premise data
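“Test restores regularly” is the rule people skip. Here is what a test restore actually checks, as an added example (not from the original article): hash every file before backup, restore the archive somewhere else, and compare. It uses only the standard library and constructed sample files in a temporary folder; the function names are my own.

```python
"""Test-restore drill: back up a folder, restore it elsewhere, verify every file by hash.

Added example for this checklist, not code from the original article.
Sample files are constructed; everything runs in a temporary directory.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's relative path to its SHA-256 so a restore can be checked byte for byte."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of `source` and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest


def restore_backup(archive: Path, destination: Path) -> None:
    """Extract the archive, refusing any entry that would land outside `destination`."""
    dest = destination.resolve()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"archive entry escapes destination: {member.name}")
        tar.extractall(str(dest))


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare the restored tree with the backup-time manifest; an empty list means the restore is good."""
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_test_restore(tamper: bool = False) -> list:
    """End-to-end drill on constructed data; `tamper=True` simulates a corrupted restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, restore_dir, archive = tmp / "source", tmp / "restore", tmp / "backup.tar.gz"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "invoices.csv").write_text("id,amount\n1,100\n")  # constructed sample
        (source / "readme.txt").write_text("constructed test data\n")
        manifest = create_backup(source, archive)
        restore_dir.mkdir()
        restore_backup(archive, restore_dir)
        if tamper:
            (restore_dir / "finance" / "invoices.csv").write_text("id,amount\n1,999\n")
        return verify_restore(manifest, restore_dir)


if __name__ == "__main__":
    print("clean restore problems:", run_test_restore())
    print("tampered restore problems:", run_test_restore(tamper=True))
```

Run the same idea against a real backup set once a quarter: restore to a scratch location, compare against a manifest you saved at backup time, and keep the report. A backup you have never restored is a hope, not a backup.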

5. Train Your People

Most breaches start with someone clicking something they shouldn’t.

Training focus:

  • Recognising phishing emails
  • Verifying unusual requests (especially money transfers)
  • Reporting suspicious activity

How to do it:

  • Quarterly awareness reminders
  • Simulated phishing tests (KnowBe4, Proofpoint)
  • Clear reporting process for suspicious emails

Important (Do These Next)

6. Secure Email

Email is the main attack vector for SMBs.

Configuration:

  • Enable spam filtering (built into Google Workspace/M365)
  • Enable DMARC, SPF, and DKIM (email authentication)
  • Block attachment types commonly used for malware (.exe, .js, .scr)
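Turning on SPF and DMARC is not the same as configuring them well. As an added example (not from the original article), here is a small linter for the two DNS records plus the attachment check from the list above. The records are constructed samples for example.com; a real check would fetch them from DNS, and the function names are my own.

```python
"""Sanity checks for SPF and DMARC record text, and for risky attachment names.

Added example for this checklist, not code from the original article.
SAMPLE_RECORDS are constructed; in practice you would read the TXT records
for your domain and for _dmarc.<your domain> out of DNS.
"""
import os
import re

# Constructed sample records for example.com.
SAMPLE_RECORDS = {
    "weak": {"spf": "v=spf1 include:_spf.google.com ?all",
             "dmarc": "v=DMARC1; p=none"},
    "good": {"spf": "v=spf1 include:_spf.google.com -all",
             "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"},
}

# The extensions the checklist names, plus a few scripting types of the same kind.
BLOCKED_EXTENSIONS = {".exe", ".js", ".scr", ".vbs", ".bat", ".cmd", ".hta", ".jse", ".wsf"}

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[-+~?]?(include:|a\b|mx\b|ptr\b|redirect=|exists:)", re.I)


def lint_spf(record: str) -> list:
    """Return a list of weaknesses in an SPF record (empty means nothing obvious is wrong)."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()
    findings = []
    # The 'all' mechanism decides what happens to senders not listed in the record:
    # -all fails them, ~all softfails, while +all / ?all effectively allow anyone.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    elif all_terms[-1].lower() in ("+all", "all", "?all"):
        findings.append(f"'{all_terms[-1]}' lets any host send as this domain")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def lint_dmarc(record: str) -> list:
    """Return a list of weaknesses in a DMARC record (empty means nothing obvious is wrong)."""
    if not record.lower().startswith("v=dmarc1"):
        return ["not a DMARC record"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy: p={policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    return findings


def is_blocked_attachment(filename: str) -> bool:
    """Block by final extension; invoice.pdf.exe is caught because its last extension is .exe."""
    _, ext = os.path.splitext(filename.strip().lower())
    return ext in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    for label, recs in SAMPLE_RECORDS.items():
        print(label, "SPF:", lint_spf(recs["spf"]) or "ok")
        print(label, "DMARC:", lint_dmarc(recs["dmarc"]) or "ok")
    for name in ("report.pdf", "invoice.pdf.exe", "Setup.EXE"):
        print(name, "blocked" if is_blocked_attachment(name) else "allowed")
```

The usual SMB failure mode is the “weak” pair: SPF ending in `?all` and DMARC left at `p=none`, which together block nothing. Move to `-all` and `p=quarantine`, then `p=reject` once the aggregate reports show no legitimate mail failing.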

7. Endpoint Protection

Antivirus has evolved into “endpoint protection” with more capabilities.

Options:

  • Microsoft Defender (included with M365, actually good now)
  • CrowdStrike, SentinelOne (if you need more)
  • Mac users still need protection, despite myths

8. Limit Admin Access

Not everyone needs administrator rights on their computer or access to every system.

Principle of least privilege:

  • Regular users don’t need admin rights
  • Limit CRM admin access to those who need it
  • Review access quarterly
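“Review access quarterly” is easier to keep doing if the review is a script you run, not a meeting. As an added example (not from the original article), here is a review over a made-up account export: it lists current admins for sign-off, flags admin rights nobody approved, and flags accounts that have gone unused. The data, the approved-admin list and the function names are constructed for illustration.

```python
"""Quarterly admin-access review over a constructed account export.

Added example for this checklist, not code from the original article.
ACCOUNTS and APPROVED_ADMINS are made up; a real run would use an export from
your identity provider, CRM or other business system.
"""
from datetime import date

# Constructed export: who has what, and when they last signed in.
ACCOUNTS = [
    {"user": "alice",      "role": "admin", "last_login": "2024-06-01", "active": True},
    {"user": "bob",        "role": "user",  "last_login": "2024-06-10", "active": True},
    {"user": "carol",      "role": "admin", "last_login": "2024-01-15", "active": True},  # unused admin
    {"user": "dave",       "role": "admin", "last_login": "2024-05-20", "active": True},  # never approved
    {"user": "erin",       "role": "user",  "last_login": "2023-11-02", "active": True},  # possibly left
    {"user": "svc-backup", "role": "admin", "last_login": "2024-06-11", "active": True},
    {"user": "frank",      "role": "admin", "last_login": "2022-03-01", "active": False}, # already disabled
]
APPROVED_ADMINS = {"alice", "carol", "svc-backup"}   # the list leadership signed off on
STALE_DAYS = 90


def review_access(accounts: list, approved_admins: set, today: date, stale_days: int = STALE_DAYS) -> dict:
    """Return the current admin list plus (user, recommendation) findings for the review."""
    findings = []
    for acct in accounts:
        if not acct["active"]:
            continue                                  # disabled accounts are out of scope
        user = acct["user"]
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if acct["role"] == "admin" and user not in approved_admins:
            findings.append((user, "admin right not on approved list; remove or get sign-off"))
        if idle_days > stale_days:
            if acct["role"] == "admin":
                findings.append((user, f"admin unused for {idle_days} days; downgrade to user"))
            else:
                findings.append((user, f"account unused for {idle_days} days; confirm still employed, else disable"))
    admins = sorted(a["user"] for a in accounts if a["active"] and a["role"] == "admin")
    return {"admins": admins, "findings": findings}


if __name__ == "__main__":
    report = review_access(ACCOUNTS, APPROVED_ADMINS, date(2024, 6, 15))
    print("Admins to confirm:", ", ".join(report["admins"]))
    for user, recommendation in report["findings"]:
        print(f"  {user}: {recommendation}")
```

Keep the output with the date and who signed it off. Next quarter, diff it against the previous one: new admins and accounts that still show as stale are the items to act on.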

9. Secure Your Network

If you have an office:

  • Change default passwords on routers and access points
  • Keep guest WiFi separate from business network
  • Consider a business-grade firewall if handling sensitive data

10. Have an Incident Response Plan

When (not if) something happens, you need to know what to do.

Basic plan includes:

  • Who to contact (IT/MSP, leadership, legal if needed)
  • How to isolate affected systems
  • How to communicate with staff and customers
  • Where backups are and how to restore

Good to Have (When Resources Allow)

11. Mobile Device Management (MDM)

Control and secure company devices.

  • Remote wipe capability for lost/stolen devices
  • Enforce passwords and encryption
  • Manage application installation

12. Security Assessment

Annual security review identifies gaps.

  • Can be done by MSP or security consultant
  • Focuses on your specific risk profile
  • Results in prioritised improvements

13. Cyber Insurance

Transfers some risk. Increasingly common and sometimes required.

  • Coverage for breach response costs
  • Business interruption coverage
  • Legal and regulatory costs

14. Email Encryption

For businesses handling sensitive data:

  • Encrypted email for confidential communications
  • Built into Microsoft 365, needs configuration

What You Don’t Need

Enterprise security solutions are overkill for most SMBs. You probably don’t need:

  • Security Operations Centre (SOC)
  • SIEM platforms
  • Extensive penetration testing
  • Zero-trust architecture implementation

These are for larger companies with bigger threat profiles and bigger budgets. Basic hygiene stops most SMB attacks.

The Quick Start

If you’re doing nothing today, start here:

This week:

  1. Enable MFA on email for all users
  2. Enable MFA on banking
  3. Check that backups are running

This month:

  4. Deploy a password manager
  5. Ensure automatic updates are enabled
  6. Run one phishing awareness session

This quarter:

  7. Review who has admin access
  8. Check email security configuration
  9. Create basic incident response plan

The 80/20 of SMB Security

MFA, password managers, updates, and backups. That’s 80% of your security.

Training, email security, and endpoint protection get you to 95%.

Everything else is incremental improvement.

Don’t let perfect be the enemy of good. The sophisticated attacks that bypass these controls are aimed at more valuable targets. For SMBs, the basics work.

Get them in place. Then worry about advanced stuff.