If you run a small business, here's the uncomfortable truth: attackers aren't skipping you because you're small — they're targeting you because you're small. Most attacks aren't a hooded genius picking your company specifically; they're automated, sprayed across thousands of businesses at once, looking for the ones that left a door unlocked. The good news: the doors that matter most are few, and closing them doesn't require a security team or a big budget.
This is a practical starter plan, ordered by impact and built on guidance from CISA, the FTC, and the NIST Cybersecurity Framework. Do the first five things and you've closed the gaps behind the large majority of incidents.
The Foundational Five (do these first)
1. Turn on multi-factor authentication (MFA) everywhere
MFA is the single highest-impact security upgrade you can make; CISA calls it essential because it stops most automated account-takeover attempts even when the password has already been stolen. Start today with email, banking, and any admin or cloud accounts. Prefer a passkey or an authenticator app over SMS codes where the service allows it: SMS codes can be captured through SIM swapping, and both SMS and app codes can be relayed by a phishing page in real time, which a passkey resists because it only works on the genuine site. New to this? See passkeys explained.
2. Back up your data with the 3-2-1 rule
Ransomware's whole business model is making your data unavailable. Beat it with backups: 3 copies of your data, on 2 different types of storage, with 1 copy offsite. A proper cloud backup service counts as offsite; a folder that merely syncs to the cloud does not, because a file that ransomware encrypts on your PC syncs up encrypted too. Two things people skip:
- Test a restore before you need one — untested backups routinely fail at the worst moment.
- Keep at least one backup offline or immutable, so ransomware can't encrypt your backups too.
⚠️ 2026 reality: modern ransomware often steals data first, then encrypts ("double extortion") — so attackers can threaten to leak your files even if you restore from backup. Backups are essential but not sufficient; you also have to stop the intrusion (steps 1, 3, 4).
3. Turn on automatic updates
Most breaches exploit known vulnerabilities for which a patch already existed; the victim simply hadn't installed it. Turn on automatic updates for operating systems, browsers, apps, and network devices such as routers, firewalls and printers, and stop postponing restarts, since many updates only take effect after one. This one setting quietly closes a large share of attack paths.
4. Train your team to spot phishing
Phishing is the #1 way attackers get in, and it usually only takes one click. Run short, regular training and simple phishing simulations so staff learn to pause on:
- unexpected urgency ("act now or your account closes"),
- a sender or link that's slightly "off,"
- requests to change payment details or share credentials.
Make it safe to report a mistake fast — speed of reporting limits the damage.
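The three warning signs above, turned into a small triage check as an added example (not part of the original guide): it parses a raw email, flags a sender domain that imitates one the business knows, a Reply-To that sends answers somewhere else, links to hosts outside the known domains, urgency wording, and requests to change payment details or share a password. The known domains, the two sample messages and the `.example` names are all constructed for the example; a real deployment would use the business's own list.

```python
"""Added example: flag the phishing signals staff are trained to notice,
on a raw email: sender domain that imitates a known one, Reply-To pointing
elsewhere, links to unknown hosts, urgency wording, payment-change requests."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed for the example: domains this business legitimately deals with.
KNOWN_DOMAINS = {"acmebank.example", "ourcompany.example"}
URGENCY = re.compile(
    r"\b(act now|within 24 hours|immediately|account will be (closed|suspended))\b", re.I)
PAYMENT = re.compile(
    r"\b(bank details|new account number|update (your|our) payment|wire transfer"
    r"|(confirm|verify|enter) your password)\b", re.I)

# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Acme Bank Payments" <alerts@acmebank-secure.example>
Reply-To: payments.desk@mail-relay.example
To: accounts@ourcompany.example
Subject: Updated bank details for invoice 1001

Our bank details have changed. Please update your payment records within 24 hours
or your account will be suspended. Confirm here: https://acmebank-secure.example/confirm
"""

LEGIT = """\
From: "Acme Bank" <alerts@acmebank.example>
To: accounts@ourcompany.example
Subject: Your March statement is ready

Your statement is available at https://online.acmebank.example/statements
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small distances catch typo-squats like acrnebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'last two labels' of a hostname; enough for the sample domains."""
    return ".".join(host.lower().split(".")[-2:])


def imitated_domain(domain: str):
    """Return the known domain this one imitates (acmebank-secure.example,
    acrnebank.example), or None if it is known or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    label = domain.split(".")[0]
    for known in sorted(KNOWN_DOMAINS):
        k = known.split(".")[0]
        if k in label or edit_distance(label, k) <= 2:
            return known
    return None


def triage(raw_email: str) -> list:
    """Return a list of human-readable red flags; empty means nothing stood out."""
    msg = message_from_string(raw_email)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable(sender.rsplit("@", 1)[-1])
    target = imitated_domain(sender_domain)
    if target:
        flags.append(f"sender domain {sender_domain} imitates {target}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable(reply_to.rsplit("@", 1)[-1]) != sender_domain:
        flags.append(f"replies go to {reply_to}, not the sender's domain")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if registrable(host) not in KNOWN_DOMAINS:
            flags.append(f"link to unknown host {host}")
    if URGENCY.search(body):
        flags.append("urgency wording")
    if PAYMENT.search(body):
        flags.append("asks to change payment details or share credentials")
    return flags


if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS))   # five flags
    print("legit:", triage(LEGIT))             # []
```

None of these checks is proof of phishing on its own; the point of the exercise is that a message hitting several of them at once deserves a phone call to the supposed sender on a number you already have, never one from the email.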
5. Use unique passwords + a password manager
Reused passwords turn one breach into many. Give every account a unique, strong password and let a password manager remember them so staff don't resort to sticky notes or "Password123!". Walkthrough: how to set up a password manager.
Use a simple framework so nothing slips
Once the Foundational Five are in place, the NIST Cybersecurity Framework (version 2.0) gives you a checklist to grow into. It organizes security into six plain-language functions:
| Function | What it means for you |
|---|---|
| Govern | Decide who owns security and what your rules are |
| Identify | Know what data, devices, and accounts you have |
| Protect | The Foundational Five — MFA, backups, updates, training, passwords |
| Detect | Notice when something's wrong (alerts, antivirus, logs) |
| Respond | Have a plan for when something happens |
| Recover | Restore operations and learn from it |
For a guided starting point built for small teams, CISA's free Cyber Essentials and the FTC's small-business resources are the best no-cost places to begin.
You also need a (simple) incident plan
Even a one-page plan beats panic. Write down, in advance:
- Who to call — your IT person/partner, your bank, your cyber-insurance contact, and (for serious incidents) law enforcement.
- How to isolate — unplug the network cable or turn off Wi-Fi on an affected device immediately, but leave it powered on and don't wipe or reinstall it until your IT contact has looked at it; shutting down or reimaging destroys evidence of what happened and how far it spread.
- How to recover — where backups are and who restores them.
- Who communicates — what you tell staff and customers, and any breach-notification duties you have.
The 2026 twist: AI made phishing cheaper and more convincing
The biggest change this year isn't a new kind of attack — it's that AI lets attackers write cleaner, more personalized phishing at scale and very low cost. Generic "Dear customer, kindly verify" emails are being replaced by messages that look genuinely plausible. That doesn't change the defense; it raises the stakes on the basics: MFA (so a stolen password isn't enough) and training (so a convincing email still gets a second look). If your team uses AI tools too, keep an eye on what data goes into them.
A 30-minute monthly checkup
Security isn't a one-time project. Once a month: confirm updates are installing, check that backups ran and test one restore occasionally, review who has access (remove ex-employees and unused accounts), and send a quick phishing reminder. Small, regular passes beat a once-a-year scramble.
FAQ
What's the first thing a small business should do for cybersecurity? Turn on multi-factor authentication (MFA) on email, banking, and admin/cloud accounts. CISA cites it as the highest-impact step because it blocks the large majority of automated attacks even if a password leaks.
Do small businesses really get attacked? Yes — and often because they're small. Most attacks are automated and untargeted, hunting for easy gaps like missing MFA, unpatched software, or reused passwords. Being small is not protection.
How do I protect against ransomware? Combine prevention and recovery: MFA, automatic updates, phishing training, and the 3-2-1 backup rule with at least one offline/immutable copy. Note that modern ransomware also steals data, so preventing the intrusion matters as much as backups.
Is antivirus enough? No. Antivirus helps with "Detect," but it can't replace MFA, updates, backups, and training. Treat it as one layer, not the whole plan.
What free resources can I trust? CISA's Cyber Essentials and Cyber Guidance for Small Businesses, the FTC's Cybersecurity for Small Business, and the NIST Cybersecurity Framework — all free and vendor-neutral.
How much should a small business spend on cybersecurity? You can cover the Foundational Five with little or no new spend (most are settings + habits). Prevention is dramatically cheaper than recovering from an incident — start with what's free, then add tools as you grow.
The bottom line
You don't need to do everything — you need to do the highest-impact things first. Turn on MFA, set up 3-2-1 backups, enable automatic updates, train your team on phishing, and use a password manager. Then grow into a simple framework and keep a one-page incident plan handy. For the personal-account side of the same habits, see our password manager guide and passkeys explainer.