7 Cybersecurity Tips for Small Businesses

exodata.io

Published on: 5 May 2022

Small businesses are disproportionately targeted by cyberattacks. According to Verizon’s Data Breach Investigations Report, 43% of breaches involve small and mid-sized businesses, and the average cost of a breach for companies with fewer than 500 employees exceeds $3 million. The reason is straightforward: attackers know that smaller organizations tend to have weaker defenses and fewer resources to detect and respond to threats.

The good news is that you do not need a Fortune 500 security budget to meaningfully reduce your risk. The seven measures below address the attack vectors responsible for the vast majority of breaches targeting small businesses, with specific tools and implementation steps for each one.

1. Enable Multi-Factor Authentication on Everything

If you only do one thing on this list, make it this. MFA blocks over 99% of automated credential attacks according to Microsoft’s own data. A stolen password alone becomes useless if the attacker also needs a second factor to log in.

Where to Enable MFA

Start with email — it is the most common entry point for attackers. Then extend to VPN access, remote desktop connections, cloud admin consoles (Azure, AWS, Microsoft 365), financial applications, and any system that contains sensitive data.

Which MFA Method to Use

Not all MFA is equally strong. SMS-based codes are better than nothing but can be intercepted through SIM swapping. Authenticator apps like Microsoft Authenticator, Duo, or Google Authenticator are significantly more secure. Hardware security keys (YubiKey, Google Titan) are the strongest option and work well in office environments where the same people use the same workstations.

Implementation Tips

Most cloud services — Microsoft 365, Google Workspace, Salesforce, QuickBooks Online — support MFA natively at no additional cost. Enable it tenant-wide rather than leaving it optional for individual users. The biggest pushback will be from staff who find it inconvenient. Set clear expectations from leadership that this is not negotiable, and provide hands-on help during the rollout. The disruption lasts a week; the protection is permanent.

For organizations using Microsoft 365, conditional access policies (available in Business Premium and above) let you require MFA based on risk signals — unfamiliar locations, unmanaged devices, or impossible travel patterns — rather than prompting every single login.
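To make the "impossible travel" risk signal concrete, here is an added example (not code from the article or from any Microsoft product) that replays a small constructed set of sign-in records and flags consecutive logins by one account whose implied speed exceeds an assumed 900 km/h ceiling; the coordinates, names and times are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Two sign-ins by one account closer together than this speed allows are
# flagged; ~900 km/h is roughly the cruising speed of an airliner (assumption).
MAX_PLAUSIBLE_KMH = 900.0
@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    city: str  # label for readable findings only

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for every pair of
    consecutive sign-ins by the same user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Same timestamp from two distinct places is itself implausible.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append((user, prev.city, cur.city, round(speed)))
    return findings
# Constructed sample sign-ins, not real telemetry.
T0 = datetime(2022, 5, 5, 9, 0)
SAMPLE = [
    SignIn("alice", T0, 40.71, -74.01, "New York"),
    SignIn("alice", T0 + timedelta(hours=1), 51.51, -0.13, "London"),  # ~5,570 km in 1 h
    SignIn("bob", T0, 40.71, -74.01, "New York"),
    SignIn("bob", T0 + timedelta(hours=6), 41.88, -87.63, "Chicago"),   # ~1,145 km in 6 h
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE):
        print("impossible travel:", finding)
```

A conditional access policy would use a finding like this to demand MFA for the second login rather than prompting on every sign-in.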

2. Deploy Modern Endpoint Detection and Response

Traditional antivirus that scans for known malware signatures is not enough anymore. Modern threats use fileless techniques, living-off-the-land binaries, and polymorphic code that signature-based tools miss entirely. You need endpoint detection and response (EDR) that monitors behavior patterns and can isolate a compromised device in real time.

Product Recommendations by Budget

Enterprise-grade: CrowdStrike Falcon Go starts at $59.99 per device per year and is consistently rated at the top of independent evaluations by MITRE and AV-TEST. SentinelOne Singularity offers similar capabilities with an autonomous response engine that can remediate threats without human intervention.

Budget-friendly: Microsoft Defender for Business is included with Microsoft 365 Business Premium ($22/user/month) and provides EDR capabilities that would have cost thousands per year just a few years ago. For organizations already on Microsoft 365, this is often the most cost-effective path to real endpoint protection.

Free baseline: Windows Defender (built into Windows 10 and 11) has improved dramatically and now scores well in independent testing for basic protection. It is better than nothing, but it lacks the behavioral analysis and response capabilities of dedicated EDR solutions.

What to Look For

Your EDR solution should provide real-time threat detection, automated response capabilities (isolate a device, kill a process), threat hunting tools, and centralized management. If you are working with a managed security provider, they should be monitoring your EDR console and responding to alerts on your behalf.

3. Invest in Security Awareness Training

Phishing remains the number one initial attack vector. You can have the best technical controls in the world, and a single employee clicking a convincing phishing link can bypass all of them. Security awareness training reduces phishing susceptibility by 60% or more when done consistently.

KnowBe4 is the market leader with the largest library of training content and simulated phishing templates. They offer plans starting at around $18 per user per year for smaller organizations. The platform lets you run simulated phishing campaigns to test employees, then automatically enrolls anyone who fails into targeted training.

Proofpoint Security Awareness Training (formerly Wombat) integrates well if you are already using Proofpoint for email security. Curricula takes a more engaging, story-based approach that some organizations find gets better employee participation.

Making Training Effective

Annual compliance training alone does not change behavior. The most effective programs combine:

  • Monthly simulated phishing campaigns with varied difficulty levels
  • Short (5-10 minute) monthly training modules on specific topics
  • Immediate feedback when someone clicks a simulated phish — a quick lesson right at the moment of failure
  • Recognition for employees who consistently report suspicious emails
  • Metrics tracking over time to measure improvement

Set up a simple way for employees to report suspicious emails — a “Report Phish” button in Outlook or Gmail. KnowBe4 and Proofpoint both offer plug-ins that add this button and feed reported emails into analysis workflows.

4. Automate Patch Management

Unpatched software is the second most common attack vector after phishing. The gap between when a vulnerability is disclosed and when attackers start exploiting it has shrunk from months to days. In some cases, exploitation begins within hours of a patch release through reverse-engineering the fix.

What Needs Patching

Operating systems (Windows, macOS) are the obvious targets, but do not overlook third-party applications. Adobe Reader, Java, web browsers, Zoom, VPN clients, and network device firmware all need regular updates. Many of the most exploited vulnerabilities in recent years have been in third-party software and network appliances, not in Windows itself.

Tools for Automated Patching

Microsoft Intune (included with Microsoft 365 Business Premium) handles Windows update management and can deploy third-party application updates through integration with the Microsoft Store or third-party patch management add-ons.

Automox is a cloud-native patching platform that handles Windows, macOS, and Linux along with third-party applications. It is popular with MSPs and works well for distributed workforces.

ConnectWise Automate and NinjaRMM are RMM (remote monitoring and management) platforms commonly used by managed service providers that include patch management as a core feature.

Patch Management Best Practices

  • Set a patch cadence: critical security patches within 72 hours, all others within 30 days
  • Test patches on a small group before broad deployment when possible
  • Maintain an inventory of all software and versions — you cannot patch what you do not know about
  • Monitor for out-of-support software (Windows Server 2012, older Office versions) that no longer receives security updates
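The cadence and inventory points above can be checked mechanically. The following is an added example (not code from the article or from any of the patching tools named) that applies the 72-hour/30-day deadlines to a constructed list of pending patches and flags inventory entries whose support has ended; all hosts, product names and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional
# Cadence from the article: critical patches within 72 hours, everything else within 30 days.
SLA = {"critical": timedelta(hours=72), "other": timedelta(days=30)}

@dataclass
class Software:
    host: str
    name: str
    version: str
    end_of_support: Optional[date] = None  # None = vendor still ships security updates

@dataclass
class PendingPatch:
    host: str
    name: str
    severity: str       # "critical" or any other label
    released: datetime  # when the vendor published the fix

def patch_deadline(patch):
    """Latest acceptable install time for a patch under the 72h/30d cadence."""
    window = SLA["critical"] if patch.severity == "critical" else SLA["other"]
    return patch.released + window

def overdue_patches(pending, now):
    """Pending patches whose deadline has already passed, most overdue first."""
    late = [p for p in pending if now > patch_deadline(p)]
    return sorted(late, key=patch_deadline)

def unsupported_software(inventory, today):
    """Installed software whose vendor support has already ended."""
    return [s for s in inventory if s.end_of_support and s.end_of_support <= today]
# Constructed sample data; product names and dates are placeholders, not real EOS dates.
NOW = datetime(2022, 5, 5, 12, 0)
INVENTORY = [
    Software("fs01", "ExampleServerOS", "2012", end_of_support=date(2021, 12, 31)),
    Software("ws03", "ExampleOfficeSuite", "2019"),
]
PENDING = [
    PendingPatch("ws03", "PDF reader", "critical", NOW - timedelta(days=4)),   # 72 h long gone
    PendingPatch("ws03", "Video conferencing client", "moderate", NOW - timedelta(days=10)),
    PendingPatch("fw01", "VPN appliance firmware", "critical", NOW - timedelta(days=2)),
    PendingPatch("ws05", "Java runtime", "low", NOW - timedelta(days=45)),     # past 30 days
]

if __name__ == "__main__":
    print("overdue:", [(p.host, p.name) for p in overdue_patches(PENDING, NOW)])
    print("out of support:", [(s.host, s.name) for s in unsupported_software(INVENTORY, NOW.date())])
```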

5. Implement Network Segmentation

If an attacker gets into one part of your network, segmentation determines whether they get access to everything or just one isolated segment. Flat networks — where every device can talk to every other device — let ransomware spread laterally across your entire organization in minutes.

Practical Segmentation for Small Businesses

You do not need a massive overhaul. Start with these separations:

Guest Wi-Fi on a separate VLAN. Visitors and personal devices should never be on the same network as your business systems. Most modern business-grade access points (Meraki, UniFi, Aruba) support multiple SSIDs with VLAN tagging out of the box.

Separate your servers from workstations. Put servers in their own VLAN with firewall rules controlling which workstations can reach which services. A compromised laptop should not have direct access to your file server or database.

Isolate IoT devices. Security cameras, smart TVs, printers, and similar devices are notoriously insecure and make easy pivot points for attackers. Put them on their own network segment with no access to your production systems.

Segment by department or sensitivity. If you handle financial data, patient records, or other sensitive information, the systems that store that data should be in a more restricted segment with tighter access controls.
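The separations above amount to a default-deny policy between segments. As an added example (not code from the article or from any firewall vendor), the block below encodes those segments as an allow list and audits constructed flow records, of the kind parsed from firewall or NetFlow logs, for traffic the segmentation should have blocked; the "finance" and "restricted" segment names and the port choices are assumptions.

```python
from dataclasses import dataclass
# Segments from the article plus an assumed "finance" workstation segment and a
# "restricted" segment holding sensitive data. Pairs not listed here are denied.
INTERNET = "internet"
ALLOWED = {
    ("guest", INTERNET): None,                # None = any destination port
    ("iot", INTERNET): {443},                 # cameras and printers phone home over TLS only
    ("workstations", INTERNET): None,
    ("workstations", "servers"): {445, 443},  # file shares and intranet web apps
    ("finance", INTERNET): None,
    ("finance", "servers"): {445, 443},
    ("finance", "restricted"): {1433},        # only finance reaches the sensitive database
    ("servers", INTERNET): {443},             # updates and cloud backup, nothing else
}

@dataclass(frozen=True)
class Flow:
    src: str   # source segment
    dst: str   # destination segment or INTERNET
    port: int  # destination TCP/UDP port

def is_allowed(flow, policy=ALLOWED):
    """Default deny: allowed only if the segment pair is listed and the port matches."""
    if flow.src == flow.dst:
        return True  # traffic inside one segment is not seen by the inter-VLAN firewall
    if (flow.src, flow.dst) not in policy:
        return False
    ports = policy[(flow.src, flow.dst)]
    return ports is None or flow.port in ports

def audit(flows, policy=ALLOWED):
    """Flows (e.g. parsed from firewall or NetFlow logs) that should have been blocked."""
    return [f for f in flows if not is_allowed(f, policy)]

# Constructed flow records standing in for parsed firewall log lines.
SAMPLE_FLOWS = [
    Flow("guest", INTERNET, 443),             # visitor browsing: fine
    Flow("guest", "servers", 445),            # guest device reaching the file server: violation
    Flow("iot", "workstations", 3389),        # camera opening RDP to a desktop: violation
    Flow("workstations", "servers", 445),     # user opening a file share: allowed
    Flow("workstations", "servers", 3389),    # RDP from a desktop to a server: not in allow set
    Flow("workstations", "restricted", 1433), # ordinary desktop to the sensitive DB: violation
    Flow("finance", "restricted", 1433),      # finance workstation to its database: allowed
    Flow("servers", INTERNET, 443),           # update download: allowed
    Flow("servers", "workstations", 445),     # server initiating SMB to a desktop: violation
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"BLOCK {f.src} -> {f.dst}:{f.port}")
```

Running the same check against real flow exports is a cheap way to confirm the firewall rules match the intended design rather than assuming they do.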

What You Need

A managed firewall or Layer 3 switch with VLAN support. Options like Cisco Meraki, Fortinet FortiGate, or even UniFi’s gateway products for smaller environments all support VLAN-based segmentation. Your IT services provider can design and implement a segmentation plan appropriate for your environment.

6. Build a Real Backup Strategy

Backups are your last line of defense against ransomware, accidental deletion, and catastrophic failures. But having backups and having recoverable backups are two different things.

The 3-2-1 Rule

This is the gold standard and it is straightforward:

  • 3 copies of your data (the original plus two backups)
  • 2 different types of storage media (local disk plus cloud, or NAS plus tape)
  • 1 copy stored offsite or in the cloud

For ransomware protection specifically, you need at least one copy that is immutable or air-gapped — meaning ransomware that encrypts your production systems cannot reach and encrypt your backups too.

Backup Tools and Services

Veeam is the industry standard for on-premises and hybrid backup, supporting physical servers, virtual machines, Microsoft 365 data, and cloud workloads. Their Community Edition is free for up to 10 workloads.

Datto (now Kaseya) provides backup appliances with built-in disaster recovery that are popular with MSPs — they can spin up a virtual copy of your server directly on the backup appliance if the production server fails.

Azure Backup and AWS Backup are native cloud backup solutions that work well for organizations already operating in those cloud environments.

For Microsoft 365 specifically, do not assume Microsoft backs up your data. They provide infrastructure redundancy, but if an employee deletes a SharePoint site or a mailbox gets compromised, your recovery options from Microsoft alone are limited. Third-party backup solutions like Veeam for Microsoft 365, Druva, or Spanning are necessary.

Test Your Restores

Schedule quarterly restore tests. Pick a random backup, restore it to a test environment, and verify the data is intact and the systems actually boot. Document the results. A backup that fails during a real recovery scenario is worse than no backup at all — it gives you a false sense of security.

7. Create an Incident Response Plan

Most small businesses do not have an incident response plan until they need one, at which point it is too late to create one thoughtfully. Having a documented plan means the difference between a contained security event and a full-blown crisis.

What Your Plan Should Include

Roles and responsibilities. Who makes the call to isolate systems? Who contacts your insurance carrier? Who communicates with employees and customers? Who coordinates with your MSP or security provider? These decisions should not be made during an active incident.

Contact information. Keep an offline (printed) copy of critical contacts: your MSP’s emergency line, your cyber insurance carrier’s breach hotline, legal counsel, and key internal stakeholders. If your email and file shares are compromised, you need this information accessible elsewhere.

Containment procedures. Step-by-step instructions for isolating compromised systems from the network. Your IT team or MSP should be able to execute these quickly. For ransomware specifically, the priority is stopping lateral movement — disconnecting affected systems from the network before the encryption spreads.

Communication templates. Pre-drafted communications for employees, customers, and business partners. You do not want to be wordsmithing a breach notification email while under stress. Have templates ready for different scenarios and adjust as needed.

Recovery priorities. Which systems need to come back online first? What is the order of operations for restoring from backups? What constitutes “business operational” versus “fully restored”?

Test the Plan

Run a tabletop exercise at least once a year. Gather the people named in the plan, present a realistic scenario (ransomware hits on a Friday afternoon — your file server and email are both encrypted), and walk through the response step by step. You will find gaps. That is the point.

Putting It All Together

None of these measures works in isolation. MFA protects accounts, but phishing can steal session tokens. EDR catches malware, but social engineering bypasses it. Backups recover data, but only if they were not also encrypted. A layered approach — where each control compensates for the gaps in the others — is what makes the difference between a minor incident and a business-ending event.

If you are not sure where your organization stands on these seven areas, a security assessment is the logical starting point. Exodata provides comprehensive cybersecurity assessments and managed security services for small and mid-sized businesses. We identify the gaps, prioritize the fixes based on actual risk, and implement the solutions — whether that means deploying EDR, building a backup strategy, or standing up a complete security program from scratch. Get in touch to start the conversation.