Cybersecurity Tips for Small Business
Practical cybersecurity steps that Houston small businesses can implement today to dramatically reduce their risk of a cyberattack.
Enable Multi-Factor Authentication on Everything
Multi-factor authentication (MFA) is the single most effective security control available to small businesses, and it’s often free or already included in software you’re paying for. MFA requires users to verify their identity with a second factor — typically a code from an app or a text message — in addition to their password. Even if an attacker steals your employee’s password through phishing, they can’t access the account without the second factor. Enable MFA on Microsoft 365, Google Workspace, your banking portals, your VPN, your password manager, and every other business application that supports it. Make it mandatory for everyone, including ownership and leadership.
Train Your Team to Recognize Phishing
The vast majority of cyberattacks begin with a phishing email — a message that tricks an employee into clicking a malicious link, opening a weaponized attachment, or providing their login credentials to a fake website. You can have excellent technical security controls and still be compromised if your team clicks a convincing phishing email. Regular security awareness training and simulated phishing campaigns teach your employees to recognize suspicious messages and report them rather than clicking. This is not a one-time exercise — threat actors constantly update their tactics, and training needs to be refreshed regularly to remain effective.
Keep Software and Systems Patched
Unpatched software is one of the most common entry points for attackers. Software vendors regularly release security patches to fix vulnerabilities, and attackers actively exploit the window between a patch's release and the time businesses apply it. Enable automatic updates for operating systems and common applications, and ensure your IT provider (or you) has a process for deploying patches consistently across all devices. This also applies to your network equipment (routers, firewalls, and switches), which is often neglected but equally critical.
Implement Proper Backup and Recovery
No security measure is perfect, and ransomware can still succeed despite good defenses. The difference between a ransomware event that costs a few thousand dollars to recover from and one that puts you out of business is whether your backups are working and have been tested. Implement automated backups that run at least daily, store copies both locally and offsite (or in the cloud), and test your ability to restore from backup quarterly. Immutable backups — which can’t be encrypted or deleted by ransomware — are worth implementing for critical data.
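An added example, not part of the original article: a small Python audit that checks a backup inventory against the rules in this section (backups at least daily, copies both local and offsite, a restore test each quarter, an immutable copy for critical data). The `BackupSet` record, the 92-day reading of "quarterly", and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds from the text: back up at least daily, test a restore quarterly.
MAX_BACKUP_AGE = timedelta(days=1)
MAX_RESTORE_TEST_AGE = timedelta(days=92)  # assumption: one quarter = 92 days

@dataclass
class BackupSet:  # hypothetical inventory record, one per protected dataset
    name: str
    critical: bool
    copies: dict  # "local"/"offsite" -> {"last_success": datetime, "immutable": bool}
    last_restore_test: Optional[datetime]

def audit(sets, now):
    """Return (dataset, finding) tuples; an empty list means the policy is met."""
    findings = []
    for s in sets:
        for loc in ("local", "offsite"):
            copy = s.copies.get(loc)
            if copy is None:
                findings.append((s.name, f"no {loc} copy"))
            elif now - copy["last_success"] > MAX_BACKUP_AGE:
                findings.append((s.name, f"{loc} copy older than one day"))
        if s.last_restore_test is None:
            findings.append((s.name, "restore never tested"))
        elif now - s.last_restore_test > MAX_RESTORE_TEST_AGE:
            findings.append((s.name, "restore test overdue"))
        if s.critical and not any(c["immutable"] for c in s.copies.values()):
            findings.append((s.name, "critical data has no immutable copy"))
    return findings

NOW = datetime(2024, 6, 1, 9, 0)  # constructed reference time
def sample_copy(hours_ago, immutable=False):  # builds one constructed copy record
    return {"last_success": NOW - timedelta(hours=hours_ago), "immutable": immutable}

SAMPLE = [  # constructed inventory, not real data
    BackupSet("accounting", True, {"local": sample_copy(8), "offsite": sample_copy(7, True)},
              NOW - timedelta(days=30)),
    BackupSet("file-share", False, {"local": sample_copy(72)}, None),
    BackupSet("crm-export", True, {"local": sample_copy(2), "offsite": sample_copy(2)},
              NOW - timedelta(days=120)),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, NOW):
        print(f"{name}: {finding}")
```

In practice the inventory would be filled from your backup product's job reports rather than typed by hand.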
Use a Password Manager and Strong Unique Passwords
Password reuse is rampant in small businesses: the same password gets used for email, banking, and every business application. When one service is breached and credentials are exposed (and they are, constantly; check haveibeenpwned.com to see whether your business email addresses appear in known breaches), attackers try those credentials everywhere. A password manager like Bitwarden, 1Password, or the password manager built into Microsoft Edge generates and stores unique, complex passwords for every site, so a breach at one service doesn’t cascade into a breach of everything else.
Need Help Implementing These for Your Houston Business?
SpaceTown IT helps Houston small businesses implement practical cybersecurity. We can assess your current security posture and implement these controls efficiently. Call us today.