Small businesses are now among the most frequently targeted organizations in the world. Attackers focus on them not because they have the most to steal, but because they tend to have fewer defenses, smaller teams, and less time to spend on security. The good news is that the majority of attacks rely on a small set of well-understood techniques, and most of them can be prevented or contained with practical, affordable controls.
This guide walks through 15 essential cybersecurity actions for small businesses, organized by priority. You'll find step-by-step guidance for implementing each one, a simple incident response plan, recommendations on tools and observability, and answers to the questions small business owners ask most often. Whether you're a non-technical owner getting started or an IT manager building out a more mature program, the goal is the same: help you focus your time and budget where it matters most.
15 Essential Cybersecurity Actions for Small Businesses
The checklist below is organized by priority. Quick Wins are low-effort, high-impact actions you can implement this week. Important items are foundational practices every small business should have in place. Advanced items strengthen your posture as your program matures.
| # | Priority | Action |
|---|---|---|
| 1 | Quick Win | Use unique, strong passwords and a password manager |
| 2 | Quick Win | Turn on multi-factor authentication (MFA) everywhere |
| 3 | Quick Win | Keep operating systems and software up to date |
| 4 | Quick Win | Back up data regularly and test restores |
| 5 | Quick Win | Train staff to spot phishing and social engineering |
| 6 | Important | Apply the principle of least privilege |
| 7 | Important | Secure remote access and Wi-Fi |
| 8 | Important | Use reputable endpoint protection |
| 9 | Important | Protect business email with SPF, DKIM, and DMARC |
| 10 | Important | Gain network visibility with logging, observability, and network detection and response |
| 11 | Important | Vet vendors and require basic security from partners |
| 12 | Important | Write a simple incident response plan |
| 13 | Advanced | Maintain offline or immutable backups for ransomware defense |
| 14 | Advanced | Control physical access and secure mobile devices |
| 15 | Advanced | Consider cyber insurance and document recovery costs |
Why These Steps Matter
Most cyberattacks against small businesses fall into a handful of patterns. Understanding them helps explain why the checklist looks the way it does.
Phishing and business email compromise. Attackers send convincing emails to trick employees into handing over credentials, approving fraudulent payments, or installing malware. MFA, staff training and email authentication (SPF/DKIM/DMARC) are your strongest defenses.
Ransomware. Attackers gain a foothold, often through phishing or an unpatched system, and then quietly map your network before encrypting files and demanding payment. Patching, least privilege, offline backups and network observability all break links in this chain.
Credential theft and lateral movement. Once attackers have a valid login, they move from system to system looking for valuable data. Strong authentication, least privilege, and visibility into internal network traffic make this much harder.
Operational and reputational damage. Even a contained incident can cause days of downtime, lost revenue, regulatory exposure, and damage to customer trust. Preparation is almost always cheaper than recovery.
How to Implement Each Tip (Step-by-Step)
Each item below includes a short explanation, a practical roadmap (today, next week, next month) and a rough cost/effort indicator.
1. Use unique, strong passwords and a password manager
A password manager generates and stores long, random passwords so users don't have to remember or reuse them.
Today: Pick a reputable password manager and install it on your own devices.
Next week: Roll it out to staff with a short training session.
Next month: Audit shared accounts and migrate them into the manager's team vault.
Cost/effort: Low
2. Turn on multi-factor authentication (MFA)
MFA requires a second factor in addition to a password, usually an app or hardware key.
Today: Enable MFA on email, banking, and admin accounts.
Next week: Roll out to all staff and enforce via policy.
Next month: Document recovery procedures so locked-out users can be helped quickly.
Cost/effort: Low
3. Keep systems and software up to date
Patching closes known vulnerabilities that attackers actively scan for.
Today: Turn on automatic updates for operating systems, browsers and key applications.
Next week: Inventory systems that can't auto-update and schedule manual patch windows.
Next month: Add patch status to a monthly review.
Cost/effort: Low
4. Back up data regularly and test restores
Backups protect against ransomware, hardware failure and human error.
Today: Confirm what is and isn't being backed up today.
Next week: Implement the 3-2-1 rule with at least one offline or immutable copy.
Next month: Run a full restore test and document how long it took.
Cost/effort: Low to Medium
5. Train staff on phishing and safe email habits
Awareness training reduces the chance that a single click turns into a breach.
Today: Share a one-page guide on spotting phishing emails.
Next week: Schedule a 30-minute training session for the team.
Next month: Run a simulated phishing campaign and review results together, without blame.
Cost/effort: Low
6. Apply the principle of least privilege
Least privilege limits the damage any single compromised account can do.
Today: Review who has admin rights and remove access that isn't needed.
Next week: Create separate accounts for daily use and administrative tasks.
Next month: Establish a quarterly access review.
Cost/effort: Low
7. Secure remote access and Wi-Fi
Unsecured remote access and weak Wi-Fi are common entry points.
Today: Change default router credentials and enable WPA3 (or WPA2 at minimum).
Next week: Set up a VPN or zero-trust remote access tool for off-network users.
Next month: Segment guest Wi-Fi from your business network.
Cost/effort: Low to Medium
8. Use reputable endpoint protection
Endpoint protection blocks malware and flags suspicious behavior on user devices.
Today: Confirm every laptop, desktop and server has active endpoint protection.
Next week: Centralize alerts so someone actually sees them.
Next month: Review detections and tune any noisy rules.
Cost/effort: Medium
9. Protect email with SPF, DKIM, and DMARC
These DNS records prevent attackers from spoofing your domain in phishing emails.
Today: Check your current SPF, DKIM, and DMARC status with a free online tool.
Next week: Publish or correct the records with help from your email provider.
Next month: Move DMARC from monitor mode (p=none) to enforcement (p=quarantine or reject).
Cost/effort: Low
10. Gain network visibility with logging, observability, and network detection and response
You can't defend what you can't see. The vast majority of damaging attacks, including ransomware, business email compromise, and data theft, unfold inside the network in the hours and days after an initial foothold. Server and application logs are a starting point, but they only tell you what individual systems chose to record. Network observability and Network Detection and Response (NDR) go further, giving small IT teams a continuous, ground-truth view of what's actually happening across their infrastructure: which devices are talking to which, what's normal, and what isn't. Historically, NDR was reserved for enterprises with dedicated security operations centers, but tools like WhatsUp Gold's network performance monitoring and diagnostics NPMD and NDR capabilities have lowered the entry point so that small and mid-sized teams can adopt the same approach without enterprise complexity or cost.
Today: Confirm logging is enabled on critical servers, firewalls, and cloud applications, and centralize logs so they can be searched in one place.
Next week: Identify a few high-value alerts to act on (failed admin logins, new admin account creation, unusual outbound data transfers) and assign someone to review them daily.
Next month: Add network observability and NDR to fill the visibility gap that endpoint and perimeter tools leave open. WhatsUp Gold combines NPMD and NDR in a single platform, giving small IT teams a practical way to spot performance issues and security anomalies, including lateral movement and unusual east-west traffic, from one dashboard.
Cost/effort: Medium
11. Vet vendors and partners
Vendor security is your security when they touch your systems or data.
Today: List every vendor with access to your network, email or customer data.
Next week: Send a short security questionnaire to your highest-risk vendors.
Next month: Add basic security clauses (MFA, patching, breach notification) to contracts.
Cost/effort: Low
12. Write a simple incident response plan
A written plan removes panic and confusion when something goes wrong.
Today: Draft a one-pager naming who to call and what to do first.
Next week: Walk the team through it in a 20-minute tabletop exercise.
Next month: Update the plan with what you learned and store it somewhere accessible offline.
Cost/effort: Low
13. Maintain offline or immutable backups
Modern ransomware actively targets backups, so at least one copy needs to be out of reach.
Today: Identify which backups are connected to your network at all times.
Next week: Add an offline or immutable cloud copy for critical data.
Next month: Test restoring from the offline copy.
Cost/effort: Medium
14. Control physical access and secure mobile devices
Physical security and device management protect against theft, loss, and tampering.
Today: Enable full-disk encryption on laptops and screen locks on phones.
Next week: Enroll company mobile devices in a basic mobile device management (MDM) tool.
Next month: Review who has keys, badges, and access to server areas.
Cost/effort: Low to Medium
15. Consider cyber insurance and document recovery costs
Cyber insurance can offset the financial impact of an incident, but coverage depends on meeting baseline security requirements.
Today: Estimate what a week of downtime would cost your business.
Next week: Request quotes from two or three reputable insurers.
Next month: Review the policy's security requirements and close any gaps before you need to file a claim.
Cost/effort: Medium to High
Prioritization and Resource Allocation
Trying to do everything at once is the fastest way to do nothing well. Use the following sequence to focus your effort.
First week: Quick wins
Enable MFA, turn on automatic updates, deploy a password manager, confirm your backups are running, and share a one-page phishing guide with staff. Each of these can be done in hours and removes the most common attack vectors immediately.
First 90 days: Foundational investments
Roll out endpoint protection across every device, set up SPF/DKIM/DMARC for your email domain, write your incident response plan, vet your top vendors, and start basic logging and network observability. This is where most of the meaningful risk reduction happens.
Ongoing: Higher-cost and lower-frequency items
Cyber insurance, formal security awareness programs, immutable backup architecture and more advanced observability fit here. These typically require budget approval and benefit from being layered on top of the foundations above.
A Simple Incident Response Plan for Small Businesses
If something goes wrong, the difference between a manageable incident and a disaster usually comes down to how quickly and calmly you respond. The following five-step framework (Detect, Contain, Communicate, Recover, Review) is enough for most small businesses to start with.
Detect. Notice something is wrong as early as possible. Indicators include unexpected file encryption, unusual login activity, slow systems, or alerts from your endpoint or observability tools. The earlier you catch it, the less damage there will be.
Contain. Disconnect affected systems from the network, but do not power them off, since you may need the memory contents for investigation. Preserve backups by taking them offline. Reset credentials for any accounts that may have been compromised.
Communicate. Notify the people who need to know: the business owner, your IT support, your insurer, and, depending on the nature of the incident, affected customers and regulators. Keep messages factual and avoid speculation.
Recover. Restore from clean backups, verify systems are free of malware before reconnecting them, and bring services back online in a controlled order. Do not rush this step.
Review. Within a week of the incident, document what happened, what worked, what didn't, and what you'll change. Update your controls and your response plan based on what you learned.
Working with Vendors and Partners
Vendor compromises now account for a significant share of small business breaches. Before granting a vendor access to your systems or data, ask them a short set of questions: Do you require MFA on all accounts? How quickly do you patch critical vulnerabilities? Do you maintain tested backups? How will you notify us if you experience a breach? Document the answers, and revisit them annually.
If you're the vendor in the relationship, expect to be asked the same questions. Having clear answers ready, along with evidence of basic policies and recent vulnerability scans, will save time and win business.
Building a Cyber-Aware Culture
Technology alone doesn't keep a business secure. People do. Run short phishing simulations a few times a year, make it easy and blameless to report suspicious messages and publish a simple acceptable use policy that covers passwords, BYOD, and remote work. Celebrate good catches publicly. The goal is a team where security is everyone's job, not just IT's.
Tools and Network Observability for Small Businesses
You don't need an enterprise security stack to be well-defended. For most small businesses, a thoughtful selection from a few core categories covers the majority of risk.
- Endpoint protection (EPP/EDR) for laptops, desktops, and servers.
- Backup and recovery, including at least one offline or immutable copy.
- Multi-factor authentication, ideally via an app or hardware key rather than SMS.
- Email filtering and authentication (SPF, DKIM, DMARC).
- Secure remote access via a VPN or zero-trust remote access tool.
- Network observability and infrastructure visibility to spot performance issues and unusual traffic patterns early.
When choosing tools, prioritize ease of use, quality of support, and the ability to grow with you. The most expensive product on the market is the one your team doesn't actually use.
What basic network observability looks like
At a minimum, you should be able to see when key systems go down, when administrative accounts are used, and when unusual amounts of data move across your network. Simple indicators worth watching include sudden off-hours logins, unexpected outbound traffic, mass file changes, and failed login spikes.
Network observability tools like WhatsUp Gold are designed for small and mid-sized IT teams that need clear visibility into their infrastructure without the complexity of an enterprise SIEM. WhatsUp Gold combines network performance monitoring and diagnostics (NPMD) with Network Detection and Response (NDR) in a single platform, lowering the entry point for capabilities that were once reserved for enterprises with dedicated security operations centers. Combining performance and availability data with insight into east-west network traffic gives small teams a practical way to catch both operational problems and early signs of a security incident in the same dashboard.
Frequently Asked Questions
How much do cybersecurity solutions cost for a small business?
Most small businesses can build a strong baseline for a few hundred dollars per user per year, covering endpoint protection, MFA, password management, email security and backups. Costs scale with the number of users, the sensitivity of your data, and any regulatory requirements you need to meet.
What if I can't afford a dedicated IT person?
Many small businesses work with a managed service provider (MSP) on a monthly retainer instead of hiring in-house. An MSP can handle patching, backups, observability, and incident response at a fraction of the cost of a full-time hire. Make sure the contract clearly defines security responsibilities.
Should I pay a ransom if I'm hit with ransomware?
Most law enforcement agencies and security professionals advise against paying. Payment funds further attacks, doesn't guarantee you'll get your data back, and can create legal exposure depending on who the attackers are. The best defense is tested, offline backups so you never have to make the choice.
How often should I train staff on cybersecurity?
Short, frequent training works better than annual marathons. Aim for a brief refresher every quarter and one or two simulated phishing exercises per year. Onboard new hires with security basics during their first week.
What should I do if customer data is exposed?
Notify your insurer and legal counsel first. They can guide you through any regulatory notification requirements, which vary by jurisdiction and by the type of data involved. Be transparent with affected customers, explain what happened in plain language, and tell them what you're doing to prevent it from happening again.
The Bottom Line
Small business cybersecurity is not about buying the most expensive tools or implementing every framework on the market. It's about doing the basics consistently: strong authentication, regular patching, tested backups, trained staff, and enough visibility into your systems and network to catch problems early. The 15 actions in this guide cover the ground that matters most.
Start with the Quick Wins this week. Tackle the foundational items over the next 90 days. Revisit the advanced items as your business grows. Every step you take makes you a less attractive target than the business next door that hasn't started yet.
If network visibility is on your list, WhatsUp Gold combines network performance monitoring and diagnostics (NPMD) and Network Detection and Response (NDR) in a single platform built for small and mid-sized IT teams, making enterprise-grade observability accessible without enterprise cost or complexity. Learn more on the WhatsUp Gold homepage.