Apr 12, 2026 · CodeAssemble Team · 3 min read
Cybersecurity Basics Every Small Business Can Implement This Week
You don't need a security team to avoid the attacks that actually hit small businesses. Here are the high-impact basics.

Small businesses tend to assume they're too small to be a target. Attackers love that assumption. Most breaches that hit small companies aren't sophisticated — they're automated, opportunistic, and entirely preventable with a handful of basics. You don't need a security team. You need to close the easy doors.
Here's the short list, in priority order.
1. Turn on two-factor authentication everywhere
If you do only one thing, do this. Two-factor authentication (2FA) means a stolen password isn't enough to get in — an attacker also needs a code from your phone. Enable it on:
- Email (this is the master key — if someone owns your email, they can reset everything else).
- Banking and payment tools.
- Your accounting software and CRM.
- Any admin account.
Use an authenticator app rather than SMS where possible. This single step blocks the overwhelming majority of account-takeover attacks.
2. Use a password manager
Reused passwords are how one leaked site compromises ten of your accounts. A password manager generates a unique, strong password for every login and remembers them for you. Roll one out to the whole team and make it the default. It's cheap, fast, and removes the temptation to use Password123 across the board.
3. Keep software updated
Most malware exploits known holes that already have fixes — the victim just hadn't installed the update. Turn on automatic updates for your operating systems, browsers, and apps. This applies to the desktop tools you run too: keep them current so security patches land. Updating is the most boring security advice there is, and one of the most effective.
4. Train the team to spot phishing
The weakest link is almost always a person clicking something they shouldn't. You don't need formal training — just a shared habit of suspicion. Teach the team to:
- Distrust urgent requests for money or credentials, even if they look internal.
- Hover over links before clicking to check the real destination.
- Verify unusual payment requests through a second channel (a quick call).
A five-minute conversation at a team meeting beats no training at all.
5. Back up your data — and test the restore
Ransomware's whole business model collapses if you can simply restore from backup. Follow the 3-2-1 rule: 3 copies of important data, on 2 different media, with 1 stored offsite (or in the cloud). Then — and people always skip this — actually test that you can restore. A backup you've never restored from is a hope, not a plan.
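What "actually test that you can restore" looks like in practice, as an added example that is not part of the original post: a small POSIX shell script that backs a directory up to a tar archive, restores it into a scratch directory, and compares every file against the source. The sample "business data", the paths, and the function names (take_backup, verify_restore, and the helpers) are all constructed for this demonstration; a damaged archive is simulated by truncating the file so you can see the check fail.

```shell
#!/bin/sh
# Added example, not from the original post: take a backup, then PROVE it is
# restorable by extracting it somewhere harmless and diffing against the
# source. All paths, sample files and function names are constructed here.
set -eu

# take_backup SRC_DIR ARCHIVE
# Archive the whole source tree. Exit status is tar's.
take_backup() {
  src="$1"; archive="$2"
  mkdir -p "$(dirname "$archive")"
  tar -C "$src" -cf "$archive" .
}

# verify_restore ARCHIVE SRC_DIR
# Restore into a fresh temporary directory and compare it with the source.
# Returns 0 only if the archive extracts cleanly AND every file matches.
# This is the step people skip: a backup nobody has restored is untested.
verify_restore() {
  archive="$1"; src="$2"
  scratch="$(mktemp -d)"
  status=0
  # A corrupt or truncated archive that will not extract is a failed restore.
  if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
    status=1
  # diff -r walks both trees; any missing, extra or changed file is a failure.
  elif ! diff -r "$src" "$scratch" >/dev/null; then
    status=1
  fi
  rm -rf "$scratch"
  return "$status"
}

# make_sample_data DIR: constructed stand-in for a small business's files.
make_sample_data() {
  mkdir -p "$1/invoices" "$1/customers"
  printf 'invoice 1001,250.00\n' > "$1/invoices/1001.csv"
  printf 'Acme Corp,billing@example.invalid\n' > "$1/customers/list.csv"
}

# corrupt_archive ARCHIVE: simulate a damaged backup by keeping only the
# first 100 bytes (less than one tar header block).
corrupt_archive() {
  dd if="$1" of="$1.tmp" bs=1 count=100 2>/dev/null && mv "$1.tmp" "$1"
}

# demo: returns 0 when a good backup verifies and a damaged one is rejected.
demo() {
  work="$(mktemp -d)"
  make_sample_data "$work/data"
  take_backup "$work/data" "$work/backups/data.tar"
  verify_restore "$work/backups/data.tar" "$work/data" || return 1
  corrupt_archive "$work/backups/data.tar"
  if verify_restore "$work/backups/data.tar" "$work/data"; then
    return 1   # a damaged backup must never pass the restore test
  fi
  rm -rf "$work"
  return 0
}

demo && echo "backup verified; damaged backup correctly rejected"
```

Run it on a schedule against a real backup archive and a copy of the source, and treat a non-zero exit from verify_restore as an incident: it means the backup you are counting on would not have saved you. The same diff check also catches a stale backup, because files added to the source after the backup was taken show up as differences.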
6. Limit access to what people need
Not everyone needs admin rights or access to financial data. Give each person the minimum access required to do their job. When someone leaves, revoke access the same day. This limits the blast radius if any single account is compromised.
A note on where your data lives
Every cloud tool you adopt is another place your data can leak if that vendor is breached. It's a real reason some businesses prefer desktop software that keeps sensitive data on their own machines — there's no third-party server to compromise. It's not a silver bullet (your machine still needs the basics above), but fewer copies in fewer places is a smaller attack surface.
The bottom line
Small business cybersecurity isn't about expensive tools — it's about discipline on the fundamentals: 2FA, a password manager, updates, phishing awareness, tested backups, and least-privilege access. Knock out this list this week and you'll have closed the doors attackers actually walk through.