Blog

Cybersecurity Basics Every SMB Should Cover

Practical cybersecurity steps for SMB owners: MFA, phishing defence, backups, and incident response—grounded in real breach data.


Forty-three percent of all cyberattacks target small and medium businesses, yet fewer than half of those businesses have multi-factor authentication turned on. That gap is where attackers live. A breach at your scale does not look like a Hollywood intrusion—it looks like a bookkeeper clicking a convincing invoice email on a Tuesday afternoon, and then your QuickBooks credentials are in someone’s hands in Eastern Europe before you finish your coffee.

The good news is that the basics work. Most breaches are opportunistic, not targeted, which means closing the easy doors stops the majority of attacks.

Why SMBs Are the Preferred Target

Attackers follow economics. Large enterprises have dedicated security teams, SIEMs, and threat-hunting programmes. SMBs typically have none of that, but they still hold payment card data, employee records, or access to larger partner networks, and they are reached by the same automated scanning and credential-stuffing campaigns. According to IBM's 2025 Cost of a Data Breach report, the global average breach cost stood at $4.44 million. For businesses with fewer than 500 employees the average is well below that, but it still runs into the millions once you factor in downtime, remediation, legal fees, and customer notification. (The widely repeated claim that 60% of breached small businesses close within six months is not traceable to a primary source and is best left unquoted; the documented costs are reason enough.)

Ransomware payments alone exceeded $800 million in 2024, with average ransom demands reaching $2.73 million—almost always more than the cost of the preventive controls that would have stopped the attack.

The Five Controls That Matter Most

1. Multi-Factor Authentication on Everything

This is non-negotiable. The Verizon 2025 Data Breach Investigations Report found that roughly 60% of breaches involve a human element (stolen credentials, phishing, or misuse). MFA defeats password-only attacks outright: a password leaked in somebody else's breach or guessed by a botnet is useless without the second factor. It does not, by itself, stop adversary-in-the-middle phishing pages that relay a one-time code in real time, or push-notification fatigue, so the method matters. Passkeys (FIDO2) are the current best practice where supported, because the credential is only ever released to the genuine site; authenticator apps are next best; SMS codes are the weakest option but still far better than nothing. Turn MFA on for Microsoft 365 or Google Workspace, your accounting software (Xero, QuickBooks Online), your e-commerce back-end (Shopify Admin, WooCommerce), your payment processor (Stripe), and your domain registrar and DNS provider. If a vendor does not support MFA, treat that as a red flag.

2. Phishing Awareness Training

Phishing accounts for 33.8% of all SMB breaches, making it the single most common attack vector. Training does not need to be a formal programme with a six-figure contract. Running quarterly simulated phishing exercises through a tool like KnowBe4 or Proofpoint Security Awareness, combined with a clear internal policy on how to report suspicious emails (a report button in the mail client, not a guess at whom to forward to), cuts click rates dramatically. The specific things to train on: look-alike domains (amaz0n-billing.com vs amazon.com), urgent payment or bank-detail changes from the "CEO" or a supplier, and DocuSign impersonation. These three templates cover the majority of what hits inboxes.

One practical addition: publish correct SPF, DKIM, and DMARC records in your domain's DNS. They let receiving mail servers reject mail that forges your domain, which protects your customers and partners from phishing sent in your name. Two caveats that many SMBs miss: DMARC blocks nothing until the policy is p=quarantine or p=reject (the p=none that most guides start with is monitoring only), and none of these records stops look-alike domains, which is why the training above still matters.
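The checks a practitioner runs on those records, as an added example that is not part of the original article: it parses SPF and DMARC TXT records and reports the weak settings mentioned above (a permissive `all` qualifier, too many DNS lookups, p=none, partial pct, no reporting address). The records and domain names are constructed for the example; in practice you would paste in the output of `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`.

```python
"""Offline audit of SPF and DMARC TXT records.

Example code added for this article, not from the original post.
The records below are constructed, not live DNS lookups.
"""

# Constructed samples of what a TXT lookup on the domain and on _dmarc.<domain> returns.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org a mx ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def audit_spf(record):
    """Return a list of findings for one SPF record (empty list means nothing to fix)."""
    findings = []
    if not record:
        return ["SPF: no record; receivers cannot verify which hosts send for you"]
    if not record.lower().startswith("v=spf1"):
        return ["SPF: record does not start with v=spf1"]
    terms = record.split()[1:]
    # The 'all' mechanism decides what happens to senders not listed before it.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unknown senders are treated as neutral")
    elif all_term == "all" or all_term.startswith("+"):
        findings.append("SPF: '+all' authorises every host on the internet")
    elif all_term.startswith("?"):
        findings.append("SPF: '?all' is neutral; use '-all' (or '~all' while testing)")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' softfail; move to '-all' once all legitimate senders are listed")
    # Top-level lookup count only; a full check also counts lookups inside each include.
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_MECHS
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def audit_dmarc(record):
    """Return a list of findings for one DMARC record."""
    findings = []
    if not record:
        return ["DMARC: no record; mail forging your domain is not rejected"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; nothing is blocked until p=quarantine or p=reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports show no legitimate failures")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will receive no aggregate reports")
    return findings


def audit_domain(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return audit_spf(records.get("spf")) + audit_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain)
        for finding in audit_domain(recs) or ["no findings"]:
            print("  -", finding)
```

DKIM is deliberately not checked here: its selector records live under `<selector>._domainkey.<domain>` and the selector names are whatever your mail provider chose, so the practical check is to send a message to an external mailbox and read the Authentication-Results header.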

3. Patching and Endpoint Protection

Roughly 40,000 new CVEs were published in 2024, up from about 29,000 in 2023, and thousands of them are rated critical. Exploitation of unpatched, internet-facing systems is the second most common initial access vector after stolen credentials. The fix is not glamorous: enable automatic OS updates on every Windows and macOS device, keep browsers current, and run a managed endpoint detection and response (EDR) tool rather than a legacy antivirus. Microsoft Defender for Business costs around $3/user/month and is competent for most SMBs; CrowdStrike Falcon Go and Huntress are alternatives worth evaluating if you have managed service provider support. Patch anything exposed to the internet (firewall, VPN appliance, remote desktop gateway) first: those are what mass-exploitation campaigns scan for.

Equally important: maintain an inventory of every device that touches company data. Shadow IT—staff using personal Dropbox accounts or unmanaged phones to access work files—is an endpoint you cannot protect because you do not know it exists.

4. Offline and Tested Backups

Ransomware encrypts every drive it can reach, including cloud sync folders and mapped network drives, and modern crews delete or encrypt any backup they can log in to before detonating. The only reliable defence is a copy that cannot be altered or deleted even by someone holding your credentials: an offline copy, an immutable cloud backup (Backblaze B2 with Object Lock, AWS S3 with Object Lock, Azure Blob with an immutability policy), or a tape rotation if your volume justifies it. Plain S3 versioning or Azure soft delete is not enough on its own, because whoever holds the account keys can purge the old versions. Follow the 3-2-1 rule: three copies, two different media types, one offsite.

The word “tested” matters. A backup you have never restored from is not a backup—it is a hope. Run a restore drill at least once a quarter. Confirm the Recovery Time Objective (RTO) actually fits your business: if restoring your WooCommerce database takes 18 hours but your tolerance for downtime is 2 hours, you need a different architecture.
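What a minimal restore drill actually does, as an added example that is not part of the original article: back up a directory, restore it to a fresh location, verify every file against a SHA-256 manifest taken at backup time, and compare the measured restore time with the RTO. The data directory, file names and the two-hour RTO are constructed assumptions; the same shape applies to a real share or database dump, where the restore time is the number that matters.

```python
"""Restore drill: back up, restore elsewhere, verify by hash, time against an RTO.

Example code added for this article, not from the original post. The sample data
directory is constructed on the fly; file names and the RTO are assumptions.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, archive_path):
    """Write a tar.gz of source_dir and return the manifest taken at backup time."""
    manifest = manifest_for(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return manifest


def restore_backup(archive_path, target_dir):
    """Extract the archive into target_dir and return the manifest of what came back."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (backported to 3.8.17 etc.): refuse absolute paths and ../ traversal
            tar.extractall(target_dir, filter="data")
        else:
            tar.extractall(target_dir)
    return manifest_for(target_dir)


def compare_manifests(expected, actual):
    """Files whose hash differs, files absent from the restore, files that were not backed up."""
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    extra = sorted(p for p in actual if p not in expected)
    return mismatched, missing, extra


def run_drill(source_dir, rto_seconds):
    """Back up source_dir, restore it to a clean directory, verify, and time the restore."""
    with tempfile.TemporaryDirectory() as work:
        archive = Path(work) / "backup.tar.gz"
        expected = make_backup(source_dir, archive)
        restore_dir = Path(work) / "restore"
        restore_dir.mkdir()
        start = time.monotonic()
        actual = restore_backup(archive, restore_dir)
        elapsed = time.monotonic() - start
    mismatched, missing, extra = compare_manifests(expected, actual)
    return {
        "files": len(expected),
        "verified": not (mismatched or missing or extra),
        "mismatched": mismatched,
        "missing": missing,
        "restore_seconds": elapsed,
        "within_rto": elapsed <= rto_seconds,
    }


def build_sample_data(root):
    """Constructed stand-in for a small business's file share."""
    root = Path(root)
    (root / "accounts").mkdir(parents=True)
    (root / "accounts" / "ledger-2025.csv").write_text("date,amount\n2025-01-03,120.00\n")
    (root / "orders.db").write_bytes(b"\x00" * 4096)
    (root / "README.txt").write_text("constructed sample data\n")


def drill_on_sample_data(rto_seconds=2 * 3600):
    """Run the whole drill against the constructed data and return the result dict."""
    with tempfile.TemporaryDirectory() as data:
        build_sample_data(data)
        return run_drill(data, rto_seconds)


if __name__ == "__main__":
    print(drill_on_sample_data())
```

Two things this deliberately does that a casual "open the backup and see if it looks fine" check does not: it restores to a directory that did not exist before, so a leftover original cannot mask a bad restore, and it compares hashes recorded at backup time, so silent corruption of the archive shows up as a mismatch rather than as a file that merely opens.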

5. Vendor and Third-Party Access Control

Many SMB breaches do not come through the front door; they come through a supplier's compromised credentials or an IT contractor who still has admin access six months after their engagement ended. Audit access quarterly against your HR roster and contractor end dates, and look especially hard at accounts nobody owns: service accounts and shared mailboxes rarely get offboarded. Remove accounts for departed staff and contractors the day they leave. Use a password manager (1Password, Bitwarden) to enforce unique passwords across vendors and share credentials with the team without pasting them into chat or email. Where possible, connect vendors via SAML/SSO rather than shared passwords so you can revoke access centrally in seconds.
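The quarterly review described above, as an added example that is not part of the original article: it reconciles an HR roster against an identity-provider export and flags accounts whose owner has left, contractors past their end date, accounts on no roster at all, admins without MFA, and accounts nobody has used in 90 days. Both data sets, the review date and the 90-day threshold are constructed assumptions; a real run would export the roster from your HR system and the account list from Microsoft Entra ID, Google Workspace or Okta.

```python
"""Quarterly access review: HR roster vs identity-provider accounts.

Example code added for this article, not from the original post. The roster, the
account export, the review date and the thresholds are all constructed.
"""
from datetime import date, timedelta

TODAY = date(2025, 9, 30)          # fixed review date so the example is deterministic
STALE_AFTER = timedelta(days=90)   # assumption: no sign-in for 90 days is worth a look

# Constructed HR roster: who is supposed to have access, and until when (None = current).
ROSTER = {
    "alice@example.com": {"type": "employee", "end": None},
    "bob@example.com": {"type": "employee", "end": date(2025, 6, 30)},            # left in June
    "contractor@msp.example": {"type": "contractor", "end": date(2025, 3, 31)},   # engagement over
    "dana@example.com": {"type": "employee", "end": None},
}

# Constructed identity-provider export: what actually exists and is enabled today.
ACCOUNTS = [
    {"user": "alice@example.com", "enabled": True, "mfa": True, "admin": False, "last_login": date(2025, 9, 29)},
    {"user": "bob@example.com", "enabled": True, "mfa": True, "admin": False, "last_login": date(2025, 7, 2)},
    {"user": "contractor@msp.example", "enabled": True, "mfa": False, "admin": True, "last_login": date(2025, 9, 14)},
    {"user": "dana@example.com", "enabled": True, "mfa": False, "admin": False, "last_login": date(2025, 4, 1)},
    {"user": "svc-backup@example.com", "enabled": True, "mfa": False, "admin": True, "last_login": date(2025, 9, 30)},
]


def review_access(roster, accounts, today=TODAY):
    """Return (user, severity, reason) findings, highest severity first, then by user."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to revoke
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "high", "not on HR roster (orphan or service account): confirm owner or disable"))
        elif person["end"] is not None and person["end"] < today:
            days = (today - person["end"]).days
            findings.append((user, "high", f"{person['type']} ended {days} days ago but account is still enabled"))
        # Missing MFA matters most where the account can change everyone else's access.
        if acct["admin"] and not acct["mfa"]:
            findings.append((user, "high", "admin role without MFA"))
        elif not acct["mfa"]:
            findings.append((user, "medium", "no MFA"))
        idle = today - acct["last_login"]
        if idle > STALE_AFTER:
            findings.append((user, "low", f"no sign-in for {idle.days} days"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


def summarise(findings):
    """Count findings per severity, for the one-line status you report to the owner."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = review_access(ROSTER, ACCOUNTS)
    print(summarise(results))
    for user, severity, reason in results:
        print(f"{severity:6} {user:28} {reason}")
```

The point of joining against the roster rather than eyeballing the account list is the `svc-backup` case: an enabled admin account with no MFA and no human owner is exactly the kind of credential a supplier or former contractor walks away with, and it never shows up in a "who has left?" question.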

A Note on Compliance

If you process EU customer data, GDPR requires you to implement "appropriate technical and organisational measures" and to notify your supervisory authority within 72 hours of becoming aware of a breach. In the US, CCPA imposes comparable obligations on businesses handling California residents' data, and California's breach-notification statute requires telling affected residents without unreasonable delay. SOC 2 Type II is increasingly demanded by enterprise buyers as a condition of doing business. None of these frameworks require perfection, but they all require evidence: logs, policies, and documented controls. The five areas above map directly to what auditors look for.

Getting Started Without Overwhelm

Prioritise in this order: MFA first (one afternoon), DMARC/SPF/DKIM second (one morning with your IT contact or DNS registrar), phishing training enrolment third, backup audit fourth, and access review fifth. None of these require a dedicated security team. Together they eliminate the attack vectors behind the majority of SMB incidents.

If you are unsure where your biggest gaps are, a lightweight security assessment—mapping your current controls against the NIST Cybersecurity Framework 2.0—will surface the priorities quickly and give you a defensible paper trail for insurers and customers.

We offer a no-charge initial conversation to walk through your current setup and identify what actually needs attention versus what can wait. No sales pitch, just a straight assessment. Reach out if that would be useful.


Sources: IBM Cost of a Data Breach 2025; Verizon 2025 Data Breach Investigations Report; Heimdal Security — Small Business Cybersecurity Statistics; NinjaOne — SMB Cybersecurity Statistics. Figures current as of mid-2026; verify against primary sources before acting.