Most small business security advice is a checklist of fifty items. This is not that. Six decisions, ranked by impact, separate small businesses that recover from incidents from those that close. Get these six right before worrying about anything else.
Analysis Briefing
- Topic: Small business security priorities and breach survival
- Analyst: Mike D (@MrComputerScience)
- Context: A technical briefing developed with a reader
- Source: Pithy Cyborg
- Key Question: If a small business can only do six security things well, which six actually matter?
Decision One ➞ MFA on Every Account That Touches Money or Data
The single highest-impact security decision for a small business is enabling multi-factor authentication on email, financial accounts, payroll systems, cloud storage, and any SaaS tool that holds customer data.
The Verizon Data Breach Investigations Report consistently finds credential theft to be the leading initial access vector, present in the majority of breaches. MFA does not make credential theft impossible, but it makes credential theft alone insufficient: an attacker who steals your password cannot use it without the second factor. This one decision closes the most common attack path.
Use an authenticator app rather than SMS wherever possible. Prioritize the accounts that control money and the one account that controls everything else: email first, since a compromised mailbox can reset the others, then financial accounts, then the rest.
Decision Two ➞ Tested Backups With at Least One Offline Copy
Backups you have never restored are a hypothesis. A ransomware event is not the time to discover your backup job has been failing silently for three months or that the restore process takes four days you do not have.
Maintain at least one backup that is not continuously connected to your network. This can be an external drive that is plugged in for backups and unplugged afterward, or an immutable cloud backup with object lock enabled. Test a full restore from your backup at least twice a year. Document the restore procedure so someone other than the person who set it up can execute it.
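One way to turn "test a full restore" into a repeatable check, as an added example that is not from the article or any vendor's tooling: back up a folder to a tar archive, restore it into a scratch directory, and compare every restored file's SHA-256 against a manifest taken at backup time. The function names and the sample files are assumptions for the demo.

```python
"""Added example (not from the article): scripted backup restore test. Back up a folder,
restore it into a scratch dir, verify each file's SHA-256 against the backup-time manifest."""
import hashlib, tarfile, tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream, files may be large
            digest.update(chunk)
    return digest.hexdigest()

def file_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write the archive and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return file_manifest(source)

def restore_test(archive: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Restore into a fresh scratch dir and diff it against the manifest;
    empty 'missing' and 'corrupt' lists mean the backup is actually usable."""
    # tarfile's 'data' filter (3.12+, backported to 3.8.17+) rejects absolute and
    # '..' member paths on extraction; older interpreters fall back to no filter.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extra)
        restored = file_manifest(Path(scratch))
    return {"missing": [f for f in manifest if f not in restored],
            "corrupt": [f for f, h in manifest.items() if restored.get(f, h) != h]}

def demo() -> tuple[dict, dict]:
    """Constructed sample data: a clean restore, then detection of a stale backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "books"
        (src / "docs").mkdir(parents=True)
        (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "docs" / "ir-plan.txt").write_text("who to call first: ...\n")
        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(src, archive)
        clean = restore_test(archive, manifest)
        (src / "ledger.csv").write_text("date,amount\n2024-01-01,999\n")  # edited after backup
        stale = restore_test(archive, file_manifest(src))
    return clean, stale
```

Run the same check against the offline copy after it has been unplugged and re-attached; a restore that only ever succeeds from the always-connected copy has not tested the one that survives ransomware.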
Decision Three ➞ Endpoint Protection With Behavioral Detection on Every Device
Every device that touches your business network needs endpoint security software that includes behavioral detection, not just signature scanning. The free antivirus that came with your laptop does not qualify.
Modern endpoint protection from vendors like CrowdStrike, SentinelOne, or Microsoft Defender for Business at the paid tier includes behavioral detection that catches threats signature databases have never seen. The cost is tens of dollars per device per year. This is not a meaningful budget line for any business. Not having it is a meaningful risk.
Decision Four ➞ Documented Vendor Access Controls
Third-party access is a consistent and material breach vector for small businesses. A bookkeeper with access to your accounting software. A web developer with admin credentials to your site. A contractor with access to your cloud storage. Each is an attack surface you do not control.
Audit every third party that has access to your systems. Verify that access is limited to what they actually need. Remove access immediately when the relationship ends. Use a password manager to generate unique credentials for vendor access rather than sharing your own account credentials.
Decision Five ➞ A Written Incident Response Plan
When a breach occurs you will be operating under stress, possibly outside business hours, with time pressure and incomplete information. This is the worst possible state for making decisions about legal obligations, communication, and recovery steps.
A written incident response plan does not need to be long. It needs to answer: who do you call first, what do you do with affected systems, what are your legal notification obligations, who communicates with customers, and where are your backup credentials stored. Include your cyber insurance policy number and insurer contact details, and note that the insurer must be called before engaging any outside incident response firm. A one-page document with these answers is worth more than a fifty-page security policy nobody reads.
Store a printed copy somewhere accessible without your primary systems. If your systems are encrypted, the plan stored only on those systems is inaccessible when you need it most.
Decision Six ➞ Cyber Insurance
Cyber insurance is not a security control. It does not prevent breaches. It determines whether you survive the financial consequences of one.
A basic cyber insurance policy covers incident response costs, forensic investigation, legal fees, breach notification expenses, and in many cases ransom payments and business interruption losses. For a small business without the cash reserves to absorb a six-figure incident, this coverage is the difference between recovery and closure.
The policy also typically includes access to a panel of pre-vetted incident response firms, legal counsel with breach notification experience, and PR support for customer communication. These resources alone are worth the premium for a business that would otherwise be navigating a breach with no external support.
Get quotes before you need it. Cyber insurance underwriting has tightened significantly and premiums vary widely based on your security posture. Insurers now ask detailed questions about MFA, backup practices, and endpoint protection. The five decisions above directly affect your insurability and your premium.
| The Incident | Cost Without the “Six” | Cost With the “Six” | The “Survival” Factor |
|---|---|---|---|
| Ransomware | $5.08M (Avg. total cost) | $15k – $50k (Deductible/IR fees) | Tested backups negate the need to pay the ransom. |
| Email Breach | $200k+ (Lost business) | $0 (Prevented by MFA) | MFA stops 99% of bulk credential attacks. |
| Data Leak | $740k+ (Legal & Recovery) | Covered by Policy | Insurance provides the legal team you can’t afford. |
| System Outage | $2k – $5k (Per day) | < 24 Hours (Fast restore) | IR Plan tells everyone what to do in the first 60 mins. |
What This Means For You
- Enable MFA on email today if it is not already enabled. This is the single action with the highest impact-to-effort ratio in small business security.
- Test a backup restore this month. Schedule it now. It will reveal something you need to fix before you need the backup in an emergency.
- Check your endpoint protection. If the answer is “the antivirus that came with the laptop,” upgrade to a product with behavioral detection. The cost is tens of dollars per device per year.
- Audit third-party access this quarter. Remove anyone who no longer needs it. Former contractors with active credentials are a common and avoidable breach vector.
- Write a one-page incident response plan that answers at minimum: who do you call first, what do you do with affected systems, where are your backup credentials stored, and what are your legal notification obligations. Include your cyber insurer’s contact number. Store a printed copy outside your primary systems.
- Get cyber insurance quotes if you do not have a policy. The five decisions above directly affect what you qualify for and what you pay.
If this was useful, more like it lives at Pithy Cyborg | AI News Made Simple.
