Ornelas Tech Group

Security

The 5 Security Basics Every Small Business Should Have

MFA, backups, patching, email security, and a password manager: the five protections that stop most real-world attacks on small businesses.

By Vincent Ornelas · June 9, 2026 · 7 min read

Security vendors love fear, and small-business owners are tired of it. So here's the unscary truth: the overwhelming majority of attacks that actually hit small businesses — phishing, ransomware, account takeover — are stopped by five unglamorous basics. None of them requires an enterprise budget. If you do nothing else this year, do these.

1. Multi-factor authentication, starting with email

Email is the master key to your business: password resets for every other system land there. MFA (a code or prompt on your phone, or a hardware security key) blocks the vast majority of account-takeover attempts even when a password leaks. Turn it on for email first, then banking, then everything that supports it, and prefer an authenticator app or security key over SMS codes, which can be intercepted or SIM-swapped. It's included in Microsoft 365 and Google Workspace; the work is enforcing it for every account, admins included, rather than leaving it optional.

2. Backups that someone has actually tested

Ransomware turns from a catastrophe into an inconvenience when you can restore yesterday's files. Three things matter. Backups must run automatically (humans forget). At least one copy must sit somewhere an attacker can't reach with the same credentials that run your computers, such as a separate cloud account or an offline drive, because ransomware crews delete every backup they can find before they encrypt. And someone must periodically test a restore, which means actually recovering a file and opening it, not just reading a green status light. An untested backup is a hope, not a plan. And note: Microsoft 365 and Google Workspace keep deleted items for a limited time, but they do not back your data up against deletion or ransomware the way most owners assume; cloud accounts need backup too.

3. Updates applied, on a schedule

Many successful attacks exploit vulnerabilities for which a patch had been available for months. The fix is boring: updates applied automatically on a schedule, for Windows and macOS but also browsers, routers, and that firewall nobody has logged into since 2021. Anything reachable from the internet (the firewall, a VPN appliance, remote-access software) deserves the fastest schedule, because those are the holes attackers scan for within days of a fix being published. This is exactly the kind of thing managed IT quietly does in the background.

4. Email security beyond the spam filter

Phishing is the front door for almost everything else on this list. Modern filtering catches most of it, and three DNS records let other mail servers tell your real mail from forgeries sent to your clients in your name: SPF lists the servers allowed to send for your domain, DKIM signs each message so forgery and tampering are detectable, and DMARC tells receivers what to do with mail that fails both checks and where to send reports. The DMARC policy is the part that matters: a record with p=none only reports, while p=quarantine or p=reject actually keeps spoofed mail out of your clients' inboxes. Most small-business domains we assess have these misconfigured or missing entirely.
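To make the three records concrete, here is a small checker, written as an added example for this article (it is not Ornelas Tech Group's tooling). It audits SPF, DKIM and DMARC for the misconfigurations that leave a domain spoofable: an SPF record ending in +all or with too many lookups, a missing DKIM key, and a DMARC record that is absent, monitor-only, partial, or has no reporting address. The domains, records and DKIM key below are constructed placeholders so the script runs offline; for a live check, replace lookup_txt() with a real resolver such as dnspython's dns.resolver.resolve(name, "TXT").

```python
"""Offline audit of a domain's SPF, DKIM and DMARC records.

Example code added to this article, not the author's tooling. The zone
data is constructed for hypothetical domains; swap lookup_txt() for a real
resolver to check a live domain.
"""
import re

# Constructed sample zone (hypothetical domains, placeholder DKIM key).
SAMPLE_DNS = {
    # Typical small-business state: SPF ends in +all, DMARC monitor-only, no DKIM.
    "weak.example": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    # Corrected state: strict SPF, DKIM key published, enforcing DMARC with reports.
    "good.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.good.example": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholderkey"
    ],
    "_dmarc.good.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100; adkim=s; aspf=s"
    ],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISM = re.compile(
    r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I
)


def lookup_txt(name: str, dns: dict) -> list:
    """Return the TXT records for a name from the in-memory zone."""
    return dns.get(name.lower(), [])


def parse_tags(record: str) -> dict:
    """Parse the 'k=v; k=v' tag lists used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records: list) -> list:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record, so receivers cannot tell forged mail from yours"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record; receivers treat that as a permanent error")
    terms = spf[0].split()[1:]
    lookups = sum(1 for t in terms if LOOKUP_MECHANISM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; forged mail neither passes nor fails")
    return findings


def check_dkim(records: list, selector: str) -> list:
    if not records:
        return [f"DKIM: no key published at selector '{selector}'"]
    if not parse_tags(records[0]).get("p"):
        return [f"DKIM: selector '{selector}' has an empty p= tag (key revoked)"]
    return []


def check_dmarc(records: list) -> list:
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record; SPF/DKIM failures carry no policy and nobody gets reports"]
    findings = []
    if len(dmarc) > 1:
        findings.append("DMARC: more than one record; receivers ignore all of them")
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag, so the record is ignored")
    elif policy == "none":
        findings.append("DMARC: p=none only reports; spoofed mail is still delivered")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the spoofed mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody sees who is sending as this domain")
    return findings


def audit_domain(domain: str, selectors: list, dns: dict = SAMPLE_DNS) -> list:
    """Run all three checks; an empty list means the domain passed."""
    findings = check_spf(lookup_txt(domain, dns))
    for selector in selectors:
        findings += check_dkim(lookup_txt(f"{selector}._domainkey.{domain}", dns), selector)
    findings += check_dmarc(lookup_txt(f"_dmarc.{domain}", dns))
    return findings


if __name__ == "__main__":
    for domain in ("weak.example", "good.example", "missing.example"):
        print(domain, audit_domain(domain, ["selector1"]) or ["OK"])
```

DKIM selectors are not discoverable from DNS alone, so you pass the selector your mail provider uses (Microsoft 365 publishes selector1 and selector2, Google uses google by default). The check is deliberately strict about p=none: a domain that has "done DMARC" but left the policy at none is still spoofable, which is the single most common finding on small-business domains.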

5. A password manager for the team

The pattern that kills small businesses: one password, reused everywhere, written in a shared spreadsheet. A team password manager gives every account a unique strong password, shares credentials safely, and, critically, lets you cut access the day someone leaves. Protect the manager itself with MFA and a long master passphrase, since it now holds everything, and make sure more than one person holds admin recovery rights so a single departure can't lock the business out of its own vault.

What about everything else?

Endpoint protection, security awareness training, access reviews, compliance — they all matter, and they're the right next layer once the five basics are solid. But order matters: a firewall upgrade means little while the owner's email has no MFA. If you want help getting the basics in place — or proof that yours already are — here's how we approach small-business security.

About the author

Vincent Ornelas is the founder of Ornelas Tech Group, bringing IT experience from SpaceX, Hulu, and Citadel to small businesses across Miami-Dade & South Florida.
