Here’s the uncomfortable truth: attackers love small businesses. You have money and data worth stealing, but rarely the dedicated security team that big companies have. The good news? Most attacks aren’t sophisticated. They walk through doors you left unlocked. Lock those doors and you’ve handled the majority of the risk.

You don’t need to understand firewalls or encryption algorithms. You need this checklist.

1. Turn on multi-factor authentication everywhere

If you do only one thing, do this. Multi-factor authentication (MFA) means logging in requires your password plus a code from your phone. Even if someone steals your password, they can’t get in without that second factor.

Turn it on for:

  • Email (this is the big one — your email is the master key to everything else)
  • Banking and payment accounts
  • Your business software and cloud storage
  • Social media accounts

Use an authenticator app (like Google Authenticator or Authy) rather than text-message codes where you can — texts can be intercepted, apps can’t.

2. Use a password manager

Stop reusing passwords. When one site gets breached, attackers try that same password everywhere else — and if you reused it, they’re in. A password manager creates and remembers a unique, strong password for every account so you don’t have to.

The single most common way small businesses get compromised is a reused password from a breached site. A password manager eliminates this entirely for about $3/month.

3. Keep everything updated

Those update notifications you keep dismissing? Many of them patch security holes attackers actively exploit. Turn on automatic updates for:

  • Computer operating systems (Windows, macOS)
  • Phones and tablets
  • Web browsers
  • Any business software

An unpatched system is a known, advertised vulnerability. Updating is free and mostly automatic — just stop hitting “remind me later.”

4. Back up your data (the 3-2-1 rule)

Ransomware encrypts your files and demands payment. Good backups make that threat toothless — you just restore and move on. Follow 3-2-1:

  • 3 copies of important data
  • 2 different types of storage (e.g., a cloud service + an external drive)
  • 1 copy kept offsite or offline

Test that you can actually restore from a backup. An untested backup is just a hope.

5. Train your team to spot phishing

Most breaches start with someone clicking a bad link or wiring money to a fake invoice. A 20-minute conversation covers the essentials:

  • Be suspicious of urgent requests for money or passwords
  • Check the sender’s actual email address, not just the display name
  • When in doubt about a request from the “CEO” or a vendor, verify by phone
  • Never enter your password on a page you reached by clicking an email link
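As an added example (not part of the checklist itself): a small Python script that does the second and third checks automatically, flagging a From header whose display name doesn’t match the real sending address, or whose domain is a look-alike of one you trust. The trusted domains and sample headers are made up for the demonstration.

```python
from email.utils import parseaddr

# Assumed: the handful of domains your business actually deals with.
TRUSTED_DOMAINS = ("example-bank.com", "yourcompany.com")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return warnings for one From header; an empty list means nothing looked odd."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["no real address found"]
    domain = address.rsplit("@", 1)[1].lower()
    warnings = []
    # The display name is itself an address, but at a different domain.
    if "@" in display:
        shown = display.rsplit("@", 1)[1].lower()
        if shown != domain:
            warnings.append(f"display name shows {shown} but mail is from {domain}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        # Display name claims a trusted organisation, but the address is not theirs.
        if brand in display.lower() and domain != trusted:
            warnings.append(f"claims to be {brand} but sent from {domain}")
        # Domain is within two typos of one you trust.
        if domain != trusted and _edit_distance(domain, trusted) <= 2:
            warnings.append(f"{domain} looks like {trusted}")
    return warnings


# Constructed sample headers, not real messages.
SAMPLES = [
    "Accounts <accounts@example-bank.com>",
    '"ceo@yourcompany.com" <ceo.urgent@gmail.com>',
    "Example Bank Support <support@examp1e-bank.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "looks consistent")
```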

6. Lock down the basics of your network

You don’t need enterprise gear. Just:

  • Change the default admin password on your router
  • Use a strong Wi-Fi password and WPA3 (or WPA2) encryption
  • Put guest/customer Wi-Fi on a separate network from your business devices

A simple priority order

If this feels like a lot, do it in this order — each step is the highest-value thing you can do next:

Priority  Action                   Time     Cost
1         MFA on email + banking   30 min   Free
2         Password manager         1 hour   ~$3/mo
3         Turn on auto-updates     30 min   Free
4         Set up backups           2 hours  $5–10/mo
5         Team phishing chat       20 min   Free

That’s most of your real-world risk handled in an afternoon, for the price of a couple of coffees a month. Cybersecurity for a small business isn’t about being unhackable — it’s about not being the easy target. This checklist gets you there.