Key Takeaways
- The vast majority of SMB cyber attacks are opportunistic — they target unpatched systems and weak credentials, not specific businesses.
- Automatic patching, MFA on email, and a password manager eliminate three of the top four attack vectors for no meaningful cost.
- The 3-2-1 backup rule is the only reliable defence against ransomware — if you cannot restore from backup, you have no defence.
- Most SMBs have no incident response plan; a one-page document covering who to call and what to disconnect first is enough to avoid the panicked decisions that make breaches worse.
- Cyber insurance requires evidence of basic controls to pay out; implementing these 10 controls also improves your coverage eligibility.
Most small businesses that get hit by a cyber attack were not specifically targeted. They were convenient. Ransomware operators and phishing campaigns scan the internet automatically for known vulnerabilities, exposed credentials, and open doors. If your business shows up in those scans with an unpatched system or a password that appeared in a 2021 data breach, you are on the list — not because anyone chose you, but because no one had a reason to skip you.
That is actually good news. It means the calculus is simple: make yourself a harder target than average, and the vast majority of automated attacks move on. You do not need a dedicated security team. You need ten controls implemented consistently. Here is what they are and why they matter.
1. Patch Everything Automatically
Unpatched software is the single largest entry point for ransomware. When a vulnerability is disclosed publicly, criminal groups weaponise it within days. The window between "patch available" and "actively exploited" is short and getting shorter.
Enable automatic updates on every operating system, every application, and every network device in the building. Windows Update, macOS Software Update, and automatic browser updates cover the endpoints. Your router firmware is the one thing most businesses forget — check it and set it to auto-update if the option exists. If it does not, put a calendar reminder to check manually every quarter.
2. Enable MFA on Email and Admin Accounts
Phishing combined with credential reuse is the most common attack path for SMBs. Multi-factor authentication (MFA) breaks that path even when a password is compromised. An attacker who obtains your email password through a phishing link or a breached database still cannot log in without the second factor.
Turn on MFA for email first — it is the highest-value target and the account most likely to be used for password resets across every other service. Then add MFA to your accounting software, payroll system, and any admin-level accounts. Authenticator apps (Google Authenticator, Microsoft Authenticator) are more secure than SMS codes, which can be intercepted through SIM swapping.
3. Use a Business Password Manager
Password reuse across services is why a breach at one company becomes a breach at yours. When credentials from a compromised third-party service are sold and tested against your business tools, a reused password is all it takes.
A business password manager — 1Password, Bitwarden, or similar — generates and stores a unique, complex password for every account. Employees stop knowing passwords and start using the manager. That eliminates both reuse and the temptation to write passwords on sticky notes. Business plans typically include admin visibility into which accounts are covered, which matters if an employee leaves. At $3–5 per user per month, this is the cheapest risk reduction available.
4. Separate Admin Accounts from Daily-Use Accounts
Admin accounts — the ones with rights to install software, change system settings, or access all company data — should not be used for routine tasks like reading email, browsing, or opening documents. If a phishing link executes malicious code under an admin account, it has unrestricted access to everything on that machine and potentially the network.
Create a separate admin account for each person who needs admin rights. Use it only for admin tasks. Do day-to-day work from a standard user account. This single change limits the blast radius of any successful attack significantly.
5. Back Up with the 3-2-1 Rule — and Test It
If ransomware encrypts your files and you cannot restore from backup, you have two options: pay the ransom or lose the data. Neither is acceptable. The 3-2-1 rule exists specifically to make ransomware survivable.
Three copies of the data. Two different storage types — for example, a local external drive and a cloud backup. One copy stored offsite or in cloud storage that is not directly accessible from your main network. Ransomware that encrypts your local files cannot reach a properly isolated cloud backup.
Backups that have never been tested are not backups — they are assumptions. Run a restoration test every quarter. Pull a backup, restore a sample of files, confirm they open correctly. Discovering a broken backup during an actual incident is not a good moment.
6. Segment the Network
Every device on the same network can see every other device. A compromised smart TV, a visitor's laptop, or an IoT sensor on the same network as your accounting software is a potential lateral movement path.
Most modern business routers support guest network isolation — use it. Visitors connect to the guest network; business devices connect to the main network. If you have IoT devices (printers, smart locks, cameras, thermostats), put them on a third, separate network segment. This is a router configuration change, not a procurement exercise.
7. Configure Email Authentication Records
SPF, DKIM, and DMARC are DNS records that tell the world which servers are authorised to send email on behalf of your domain, and what to do when something else tries to. Together they make it significantly harder for attackers to send convincing phishing emails that appear to come from your domain — which matters both for protecting your employees and your customers.
Check whether your records are configured using MXToolbox or a similar free tool. If they are missing or misconfigured, your email hosting provider will have documentation on how to set them up. Pair this with an email gateway that filters inbound phishing attempts and scans attachments — Google Workspace and Microsoft 365 both include basic filtering; dedicated products like Proofpoint or Mimecast go further if you need more control.
8. Set Up Endpoint Protection
Windows Defender, built into every modern Windows installation, is a competent baseline. Keep it on and keep it updated. It is not the answer to everything, but turning it off or ignoring it is not justified by any business need.
If you want better logging and detection — particularly for catching unusual activity before it escalates — Bitdefender GravityZone Business Security or similar SMB-focused endpoint protection adds centralised management and more granular alerting. This matters most if you have more than five or six machines to manage, since the centralised dashboard tells you which machines have outdated signatures or disabled protection.
9. Apply Least-Privilege Access
Employees should only have access to the systems and data they need for their specific role. The person in accounts payable does not need access to the HR system. The sales team does not need read access to the engineering file share. The fewer systems a compromised account can reach, the less damage it can do.
Review permissions when people change roles or leave the company. Offboarding is the most commonly overlooked permission risk — former employees whose accounts remain active and accessible represent an ongoing exposure. Make account deactivation part of the offboarding checklist, not a task that gets done whenever someone remembers.
10. Write an Incident Response Plan
The decisions made in the first thirty minutes of a breach determine how bad it gets. Without a plan, those decisions get made under panic — which typically means infected machines stay connected to the network longer than they should, the wrong people get called first, and nobody documents anything for the insurance claim.
A one-page plan is enough to start. It should answer: Who do you call first (IT support, cyber insurance provider, legal)? How do you isolate an affected machine without powering it off? Where are the backup activation instructions? Who has authority to take systems offline during business hours? What needs to be logged and timestamped for regulatory or insurance purposes?
Print it. Keep a copy somewhere that is accessible if your systems are down. Review it once a year or after any security incident.
Frequently Asked Questions
What is the biggest cyber security risk for small businesses?
Phishing targeting email accounts, followed by credential stuffing on business tools using reused passwords. Both are solved by the same two controls: MFA on email accounts and a business password manager with unique passwords per service. Most SMB breaches do not involve sophisticated techniques — they involve employees reusing passwords from previously breached sites or clicking phishing links.
How much does cybersecurity cost for a small business?
The core controls — MFA, password manager, automatic patching, and configured email authentication (SPF/DKIM/DMARC) — cost effectively nothing beyond time to configure. Windows Defender is built-in and free. A business password manager runs $3–5 per user per month. Network segmentation requires a decent router, and most modern business routers support guest network isolation by default. A meaningful baseline is achievable for under €10 per user per month total.
What should a small business do after a cyber attack?
Isolate the affected machine — disconnect it from the network, but do not power it off — to prevent further spread. Contact your IT support or incident response service immediately. Do not pay ransomware demands without legal and technical advice. Activate your backup restoration plan. Notify your cyber insurance provider. Document what happened and when — insurance claims and regulatory notifications (if applicable under GDPR) require this. This is precisely why having even a one-page incident response plan matters.