How to Protect Your Small Business From a Cyberattack: The 10 Essentials

If you own a small business, "cybersecurity" can feel like a bottomless pit of jargon and fear designed to sell you something. So let me cut through it. After years of doing this work — including for environments where the stakes were a lot higher than a spreadsheet — I can tell you that the vast majority of small-business attacks come through a short, predictable list of openings. You do not need a six-figure budget or a security team. You need to close those specific doors, in roughly the order below.

Here is the part nobody selling you fear will say plainly: several of the most important steps are free. They cost time and a little discipline, not money. The goal is not to be unhackable — nobody is. The goal is to stop being the easy target, because attackers, who are mostly running automated, opportunistic campaigns, move on to softer ones. Let's go through the ten.

1. Turn on phishing-resistant MFA everywhere (free, do it first)

Most break-ins start with a password — stolen, reused, guessed, or phished. Multi-factor authentication (MFA) means a password alone is not enough; an attacker also needs the second factor. This one control stops the largest share of attacks, which is why it is number one. Turn it on for email first (your email is the master key that resets every other account), then for banking, your line-of-business apps, and remote access.

One nuance that matters in 2026: prefer an authenticator app or a hardware security key over text-message codes, and know that attackers now try to trick people into approving prompts or handing over codes. We wrote about exactly that in MFA fatigue and push bombing. "Phishing-resistant" MFA (app-based number matching or a physical key) is the version that holds up. Cost: usually $0. Impact: enormous. Start here today.

2. Patch fast — turn on automatic updates (free)

A huge number of attacks simply walk through a known hole that a vendor already fixed, on a machine where nobody installed the update. Turn on automatic updates for Windows, your web browsers, and your applications, and don't ignore firmware and router updates. The monthly Patch Tuesday cycle exists for a reason, and the gap between "patch released" and "you installed it" is the window attackers race to exploit. If any machine is running an operating system that no longer gets updates at all — like an out-of-support Windows 10 box — that is the first thing to fix. Cost: $0. It just requires that updates aren't being endlessly postponed.

3. Remove everyday admin rights (free)

If the account your team uses all day can install software and change the whole system, then one bad click can too. Run daily work from standard user accounts, and keep a separate administrator account for when you genuinely need to install something. This single change — called least privilege — dramatically shrinks the damage of a phished login or a malicious download, because the malware inherits only the limited rights of a normal user. It is the quiet hero of identity hardening, and it costs nothing but a little setup.
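A concrete way to do this on a Windows 10/11 machine, as an added example (not code from the original post): list who is in the local Administrators group, then move an everyday account back to a standard user only after a separate admin account exists. It uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets and is run from an elevated PowerShell prompt; the account names `jsmith` and `LocalAdmin` are placeholders.

```powershell
# Added example, not from the original post. Audits the local Administrators
# group and demotes an everyday account to a standard user. Built-in
# Microsoft.PowerShell.LocalAccounts cmdlets; run from an elevated prompt.
# 'jsmith' and 'LocalAdmin' below are placeholder account names.

function Get-LocalAdminReport {
    # Every member of the local Administrators group with where it comes from
    # (Local, ActiveDirectory, AzureAD or MicrosoftAccount).
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Set-StandardUser {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $KeepAdminAccount = 'LocalAdmin'   # placeholder: the separate admin account
    )
    $admins = Get-LocalGroupMember -Group 'Administrators'

    # Safety check: never remove admin rights until the separate admin account exists,
    # otherwise you lock yourself out of the machine.
    $keep = $admins | Where-Object { $_.Name -like "*\$KeepAdminAccount" }
    if (-not $keep) {
        throw "Create and test the separate admin account '$KeepAdminAccount' before demoting anyone."
    }

    $target = $admins | Where-Object { $_.Name -like "*\$UserName" }
    if (-not $target) {
        Write-Host "$UserName is already a standard user."
        return
    }

    # Drop the account from Administrators; membership in Users is all a standard account needs.
    Remove-LocalGroupMember -Group 'Administrators' -Member $target
    $inUsers = Get-LocalGroupMember -Group 'Users' | Where-Object { $_.Name -like "*\$UserName" }
    if (-not $inUsers) {
        Add-LocalGroupMember -Group 'Users' -Member $UserName
    }
    Write-Host "$UserName is now a standard user; sign in as '$KeepAdminAccount' only to install software."
}

# Usage (placeholder names):
# Get-LocalAdminReport | Format-Table -AutoSize
# New-LocalUser -Name 'LocalAdmin' -Password (Read-Host -AsSecureString 'Admin password')
# Add-LocalGroupMember -Group 'Administrators' -Member 'LocalAdmin'
# Set-StandardUser -UserName 'jsmith' -KeepAdminAccount 'LocalAdmin'
```

Run `Get-LocalAdminReport` first on each machine; anything in that list that is a person's everyday login is a candidate for `Set-StandardUser`. The guard that refuses to demote anyone until the separate admin account is present is the step people skip and then regret.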

4. Run real EDR with 24/7 monitoring (not just antivirus)

Old-school antivirus only recognizes known bad files. Modern attacks routinely use stolen logins, legitimate tools, and brand-new malware that antivirus has never seen. The current standard is endpoint detection and response (EDR) — it watches behavior, not just signatures — backed by someone actually monitoring it around the clock. That human-plus-tooling layer is what catches an intrusion at 2 a.m. on a Saturday and stops it before it spreads. We made the case for why minutes matter in the 22-seconds / MDR post. This is a paid layer, but a modest per-device one, and it is the difference between "we caught it" and "we found out when the files were encrypted."

5. Keep tested, isolated backups (your ransomware insurance)

When everything else fails, backups are what let you recover instead of pay. But two details make or break them. First, isolation: modern ransomware hunts down and deletes the backups it can reach, so your backup must be offline or behind separate credentials the attacker can't get to. Second, testing: a backup you've never restored is a guess, not a safety net. Automate it, monitor it, and restore-test it on a schedule. Our backup and disaster recovery guide walks through the "3-2-1" approach. One caveat — backups bring your data back, but they don't undo data theft, which is why they're one layer of several.

6. Train your people — they're the most-targeted layer

Your employees are not your weakest link; they're your largest attack surface, and that's fixable with a little practice. Most modern attacks are really aimed at a person: a convincing email, a fake invoice, a "help desk" message on Teams, or a phone call posing as IT, the pattern behind the FBI's Silent Ransom warning. Short, regular security-awareness training plus the occasional simulated phishing test teaches people to pause and verify. Give them one rule that defeats most of it: when someone pressures you to act fast, stop and verify through a channel you trust. Modest cost, outsized payoff.

7. Secure your email (filtering + anti-spoofing)

Email is the number-one delivery method for attacks, so harden it specifically. Use a good spam-and-phishing filter, and set up the three anti-spoofing records — SPF, DKIM, and DMARC — so criminals can't easily send email that looks like it came from your own domain (a favorite trick for fake-invoice and CEO-fraud scams). Most businesses on Microsoft 365 or Google Workspace already have these tools available and simply haven't turned them on or configured them correctly. It's a one-time setup with lasting payoff.
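To see whether those records are actually doing their job, here is an added example (not from the original post) that reads a domain's SPF and DMARC TXT records and flags the settings that still let a domain be spoofed: a missing record, `+all` or `~all` in SPF, `p=none` in DMARC, a partial `pct=`, or no reporting address. It uses only `Resolve-DnsName`, which is built into Windows; `example.com` and `dmarc@example.com` are placeholders, and the sample records at the bottom are constructed for the offline demonstration. DKIM is not queried because its selector name differs per mail provider.

```powershell
# Added example, not from the original post. Parses SPF and DMARC records and
# reports the weak settings; Get-MailAuthReport fetches them with the built-in
# Resolve-DnsName cmdlet. 'example.com' is a placeholder domain.

function Test-SpfRecord {
    param([string] $Record)   # e.g. 'v=spf1 include:spf.protection.outlook.com -all'
    $findings = @()
    if (-not $Record) { return @('No SPF record: any server can send mail as your domain.') }
    if ($Record -notmatch '^v=spf1\b') { $findings += 'Record does not start with v=spf1.' }
    if     ($Record -match '\+all')    { $findings += '"+all" authorizes every sender on earth; change it to "-all".' }
    elseif ($Record -match '~all')     { $findings += '"~all" is soft-fail; move to "-all" once your real senders are listed.' }
    elseif ($Record -notmatch '-all')  { $findings += 'No "-all" terminator; unlisted senders are not rejected.' }
    # SPF permits at most 10 DNS-querying mechanisms; over that, receivers treat the record as broken.
    $lookups = [regex]::Matches($Record, '\b(include:|a\b|mx\b|ptr\b|exists:|redirect=)').Count
    if ($lookups -gt 10) { $findings += "$lookups DNS lookups exceeds the SPF limit of 10; the record will permerror." }
    return $findings
}

function Test-DmarcRecord {
    param([string] $Record)   # e.g. 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
    $findings = @()
    if (-not $Record) { return @('No DMARC record: SPF and DKIM results are never enforced.') }
    if ($Record -notmatch '^v=DMARC1') { $findings += 'Record does not start with v=DMARC1.' }
    # Match the domain policy p= only, not the subdomain policy sp=.
    if     ($Record -match '(^|;)\s*p=none') { $findings += 'p=none only monitors; spoofed mail is still delivered. Move to p=quarantine, then p=reject.' }
    elseif ($Record -notmatch '(^|;)\s*p=(quarantine|reject)') { $findings += 'No enforcing policy (p=quarantine or p=reject).' }
    if ($Record -match 'pct=(\d+)') {
        if ([int]$Matches[1] -lt 100) { $findings += "Policy is applied to only $($Matches[1])% of mail." }
    }
    if ($Record -notmatch 'rua=mailto:') { $findings += 'No rua= address; you get no reports showing who is spoofing you.' }
    return $findings
}

function Get-MailAuthReport {
    param([Parameter(Mandatory)] [string] $Domain)
    # TXT records arrive as string chunks; join them and keep the record we want.
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -match '^v=spf1' } | Select-Object -First 1
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -match '^v=DMARC1' } | Select-Object -First 1
    [pscustomobject]@{
        Domain        = $Domain
        SPF           = $spf
        DMARC         = $dmarc
        SpfFindings   = Test-SpfRecord   -Record $spf
        DmarcFindings = Test-DmarcRecord -Record $dmarc
    }
}

# Offline demonstration on constructed records: the weak pair, then the hardened pair.
Test-SpfRecord   -Record 'v=spf1 include:spf.protection.outlook.com ~all'
Test-DmarcRecord -Record 'v=DMARC1; p=none'
Test-SpfRecord   -Record 'v=spf1 include:spf.protection.outlook.com -all'       # no findings
Test-DmarcRecord -Record 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'    # no findings

# Live check of your own domain (placeholder):
# Get-MailAuthReport -Domain 'example.com' | Format-List
```

The usual path is to start at `p=none` with a `rua=` address, read the reports for a few weeks to catch legitimate senders you forgot (the invoicing tool, the newsletter service), then step up to `p=quarantine` and finally `p=reject`. Leaving it at `p=none` forever is the most common misconfiguration this check will find.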

8. Lock down remote access (free to fix, dangerous to ignore)

Remote access is a top way attackers get in. Two rules. First, never expose Remote Desktop (RDP) directly to the internet — it's relentlessly scanned and brute-forced; put it behind a VPN or a zero-trust gateway. Second, require MFA on your VPN and remote tools, because a stolen VPN login is exactly how many ransomware intrusions begin. If you're not sure whether anything is exposed, that uncertainty is itself the finding — it's a quick thing to check and usually free to fix.
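To take the guesswork out of rule one on each Windows machine, here is an added example (not from the original post) that reports whether Remote Desktop is enabled, whether Network Level Authentication is required, which port it listens on, and whether the Windows Firewall rule for it is open on the Public profile. It uses only built-in cmdlets and the standard Terminal Server registry keys, and runs from an elevated prompt. It cannot see your router, so a port-forward to 3389 still has to be checked there or by an external scan of your public address.

```powershell
# Added example, not from the original post. Reports the local Remote Desktop
# settings that decide exposure; built-in cmdlets only, run from an elevated prompt.

function Get-RdpExposureReport {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $rdpEnabled  = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA: the client must authenticate before a session exists.
    $nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
    # A changed port is still exposure, just less obvious; report it.
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

    # Enabled inbound firewall rules in the Remote Desktop group and the profiles they apply to.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    $profiles = ($rules | ForEach-Object { $_.Profile.ToString() } | Sort-Object -Unique) -join ', '
    # Profile is a flags enum: Any = 0 (all profiles), Public = 4.
    $openOnPublic = [bool]($rules | Where-Object { $p = [int]$_.Profile; $p -eq 0 -or ($p -band 4) })

    $findings = @()
    if ($rdpEnabled -and -not $nlaRequired) { $findings += 'RDP is on without NLA: password guessing reaches the login screen directly. Require NLA.' }
    if ($rdpEnabled -and $openOnPublic)     { $findings += 'RDP firewall rule is open on the Public profile; limit it to Private/Domain or to your VPN subnet.' }
    if (-not $rdpEnabled -and $rules)       { $findings += 'RDP is off but its firewall rule is still enabled; disable the rule as well.' }
    if ($rdpEnabled)                        { $findings += "RDP is enabled on port $port; it belongs behind a VPN or zero-trust gateway with MFA, never a router port-forward." }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = $rdpEnabled
        NlaRequired      = $nlaRequired
        Port             = $port
        FirewallProfiles = $profiles
        Findings         = $findings
    }
}

# Remediation helpers; run them deliberately on the machines the report flags.
function Disable-Rdp {
    # Turn Remote Desktop off entirely on machines that don't need it, and close the firewall rule.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Enable-RdpNla {
    # Require Network Level Authentication on machines that must keep RDP.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
}

Get-RdpExposureReport | Format-List
```

On most small-business desktops the right outcome is `RdpEnabled: False`; on the few servers that genuinely need it, the report should show NLA required and the firewall rule limited to the Private or Domain profile, with the VPN in front doing the MFA.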

9. Write a one-page incident plan (free, do it on a calm day)

The worst time to figure out what to do is mid-incident. Spend an hour now writing a single page: who decides, who to call (your IT provider, your insurer, your bank, legal), where the backups and recovery keys live, and how you'll communicate if email is down. Having this written turns a panicked, expensive scramble into a calm checklist. It costs nothing and it's the step almost everyone skips — until they wish they hadn't.

10. Get cyber insurance — and actually meet its requirements

Even with everything above, you want a financial backstop. Cyber insurance helps cover the very real costs of an incident — response, recovery, legal, notification. But here's the catch owners miss: insurers now require controls like MFA, EDR, and tested backups, and a claim can be denied if you said you had them and didn't. So this step and the nine above are connected: doing the work is what makes the policy pay out. Our cyber-insurance renewal checklist covers what carriers are asking for now.

How to actually use this list

Don't try to do all ten this afternoon. Work down the order. This week, knock out the free, high-impact ones: MFA everywhere (1), automatic updates (2), remove admin rights (3), and check remote access (8). This month, add the monitored layers: EDR (4), isolated backups (5), email hardening (7), and security training (6). This quarter, write the incident plan (9) and review insurance (10). That sequence gets you most of the protection in the first few days, for little or no money.

The throughline of all ten is defense in depth: no single control is perfect, so you layer several cheap ones until getting through all of them is more trouble than you're worth. That's the whole game for a small business. You're not trying to beat a nation-state; you're trying to be a harder target than the next company on the attacker's list — and that bar is very reachable.

Frequently asked questions

What is the single most important thing to protect a small business from a cyberattack?

Phishing-resistant MFA on email and every important account. Most small-business breaches start with a stolen or guessed password, and MFA is the control that most reliably stops a working password from becoming a full account takeover. If you do one thing this week, turn on MFA everywhere it's offered, and prefer an authenticator app or hardware key over text-message codes.

How much does it cost a small business to be reasonably secure?

Less than most owners expect, and far less than one incident. Many high-impact controls — MFA, least-privilege accounts, automatic updates — cost little or nothing beyond setup time. The paid layers (managed EDR, monitored backups, security-awareness training) typically run a modest per-user monthly fee. For most five-to-fifty-person businesses, a solid baseline costs a small fraction of a single ransomware event or a denied insurance claim.

We are too small to be a target. Why would anyone attack us?

Most attacks on small businesses aren't personal — they're automated and opportunistic. Criminals scan the internet for any exposed weakness and any inbox they can phish, regardless of company size. Small businesses are attractive precisely because they often have weaker defenses, valuable data, and the ability to pay. Being small doesn't make you invisible; it usually makes you an easier target than a large enterprise with a security team.

Do backups protect me from ransomware?

Good backups are essential, but only if they're tested and isolated. Modern ransomware crews seek out and delete or encrypt the backups they can reach before triggering the attack, so a backup on the same network or login isn't safe. You want backups that are offline or separately credentialed, automatically monitored, and restore-tested on a schedule. Note that backups don't protect against data theft and extortion, which is why they're one layer of several.

Isn't antivirus enough to protect my business?

No. Traditional antivirus only catches known threats, and many modern attacks use stolen logins, social engineering, or living-off-the-land techniques it never sees. The current standard is endpoint detection and response (EDR) backed by 24/7 monitoring, which watches behavior rather than just matching signatures and can stop an intrusion in progress. Antivirus is one ingredient, not a security program by itself.

Can a small business do this itself, or do we need a managed IT provider?

A motivated owner can absolutely do the free basics: turning on MFA, enabling automatic updates, removing local-admin rights, and setting up backups. The layers that need round-the-clock attention — monitoring, detection and response, fleet-wide patch enforcement, and incident response — are where a managed IT provider earns its keep, because they need tools and staff watching outside business hours. Many businesses do the basics themselves and bring in a provider for the always-on layers and to verify nothing important is missing.

Want to know which of these ten you're actually missing?

30 minutes with a DoD-cleared engineer. We'll walk this exact list against your business, tell you plainly which doors are open, and hand you a prioritized plan — starting with the free fixes. No jargon, no fear, no obligation.

Book your free assessment

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.
