IT Consulting · May 16, 2026 · 6 min read

Cybersecurity for Small Businesses: The 7 Basics That Prevent 90% of Attacks

Most small business breaches happen because of basic security gaps, not sophisticated hacks. Here are the 7 things you must have in place.



S4 Edge LLC · IT & AI Expert

Tags: Cybersecurity, IT Security, Small Business, Passwords

The average cost of a data breach for a small business is $200,000, enough to close most companies. The good news: most breaches are preventable with basic security hygiene. Hackers do not write custom code to target your business specifically. They use automated tools that scan for the same common weaknesses, over and over. Fix the basics, and you eliminate the vast majority of your risk.

1. Use a Password Manager

Reused or weak passwords are the root cause of most breaches. A password manager (1Password, Bitwarden) generates and stores a unique, complex password for every account. Every employee should use one. Credential stuffing works by replaying passwords leaked from one site against your other accounts, so this single change eliminates credential stuffing attacks, one of the most common attack vectors, entirely.

2. Enable Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) requires a second verification step beyond a password, usually a code sent to your phone. Enable it on email, banking, cloud services, and any admin tools. Even if a password is stolen, MFA stops attackers from getting in. It takes 10 minutes to set up and prevents the most costly account takeovers.

3. Keep Software and Systems Updated

Unpatched software is a door left open. The majority of successful attacks exploit known vulnerabilities for which patches already exist; businesses just haven't applied them. Enable automatic updates on all operating systems, browsers, and software. Schedule monthly checks for anything that requires manual updates.

4. Back Up Your Data and Test the Restore

Ransomware attacks encrypt your files and demand payment to get them back. The defence is simple: maintain encrypted, automated backups that are disconnected from your main network. Critically, test the restore process at least once a quarter. A backup you've never tested is not a backup; it's a hope.
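What "test the restore" looks like in practice, as an added example that is not part of the original post and not S4 Edge's tooling: the script below takes a hash manifest when the backup is made, unpacks the archive into a scratch directory, and compares every restored file against that manifest. It uses only the Python standard library; the sample file tree and the `skip_names` parameter (which only simulates a backup job that silently drops a file) are constructed for the demonstration, and encrypting the archive at rest is assumed to be done by the backup tool or volume rather than shown here.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map every regular file under `root` (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path, skip_names=()) -> dict:
    """Write a gzip-compressed tar of `source` and return the manifest of hashes
    taken at backup time. `skip_names` exists only to simulate a backup job that
    silently drops files; a real job would never take such a parameter."""
    def keep(member):
        return None if Path(member.name).name in skip_names else member

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".", filter=keep)
    return file_hashes(source)


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore `archive` into a scratch directory and compare each file's hash
    with the manifest. This is the quarterly restore test: it proves the archive
    can actually be unpacked and that every file came back byte-for-byte."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Python 3.12+ (and security backports): refuse unsafe member paths.
                tar.extractall(scratch, filter="data")
            except TypeError:  # older interpreter without the `filter` argument
                tar.extractall(scratch)
        restored = file_hashes(Path(scratch))

    missing = sorted(set(manifest) - set(restored))
    mismatched = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not missing and not mismatched, "missing": missing, "mismatched": mismatched}


def run_demo() -> dict:
    """Constructed sample data: a tiny company file tree, one good backup and one
    whose job silently skipped the invoices file."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "company-files"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "invoices-2026.csv").write_text("id,amount\n1,250.00\n")
        (source / "clients.txt").write_text("Acme Corp\nGlobex\n")

        good_manifest = create_backup(source, work / "good.tar.gz")
        good = verify_restore(work / "good.tar.gz", good_manifest)

        bad_manifest = create_backup(source, work / "bad.tar.gz", skip_names={"invoices-2026.csv"})
        bad = verify_restore(work / "bad.tar.gz", bad_manifest)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for name, result in run_demo().items():
        status = "PASS" if result["ok"] else f"FAIL missing={result['missing']} mismatched={result['mismatched']}"
        print(f"{name}: {status}")
```

The point of the second archive is that a backup job can report success and still be useless; only restoring and comparing catches that. Run the check on a schedule and treat any `missing` or `mismatched` entry as an incident to fix before you need the backup for real.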

5. Train Your Team on Phishing

90% of cyberattacks start with phishing: a deceptive email that tricks someone into clicking a link or handing over credentials. Regular 15-minute training sessions on how to spot phishing emails are the highest-ROI security investment you can make. Teach your team to verify unexpected requests by calling the sender directly.

6. Control Access: Least Privilege Principle

Every employee should have access only to the systems and data they need for their role, nothing more. When someone leaves, revoke all access immediately. Review access permissions quarterly. Most insider threats and compromised-account attacks succeed because accounts had more access than they needed.
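A quarterly access review can be a small script rather than a spreadsheet exercise. The example below is added here and is not part of the original post or S4 Edge's tooling: it compares each account's actual entitlements against a per-role baseline and flags departed staff who still hold access, accounts with rights beyond their role, and roles nobody has defined a baseline for. The role baseline, the `Account` record and the sample export are all constructed for the demonstration; in practice the accounts would come from your identity provider and the departed flag from HR.

```python
from dataclasses import dataclass

# Constructed baseline (not from the page): the entitlements each role needs to do its job.
ROLE_BASELINE = {
    "bookkeeper": {"accounting", "email"},
    "sales": {"crm", "email"},
    "admin": {"accounting", "crm", "email", "server-admin"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    active_employee: bool  # False once HR marks the person as departed
    entitlements: frozenset


def review_access(accounts, baseline=ROLE_BASELINE) -> list:
    """Quarterly access review. Returns (user, finding, details) tuples for:
    - departed staff whose accounts still hold any access (revoke immediately),
    - accounts with entitlements beyond their role's baseline (excess privilege),
    - accounts whose role has no defined baseline (cannot be judged; fix the baseline)."""
    findings = []
    for acct in accounts:
        if not acct.active_employee:
            if acct.entitlements:
                findings.append((acct.user, "departed-still-has-access", sorted(acct.entitlements)))
            continue
        if acct.role not in baseline:
            findings.append((acct.user, "role-without-baseline", [acct.role]))
            continue
        excess = acct.entitlements - baseline[acct.role]
        if excess:
            findings.append((acct.user, "excess-privilege", sorted(excess)))
    return findings


def sample_accounts() -> list:
    """Constructed sample export, as an identity provider or HR system might produce it."""
    return [
        Account("alice", "bookkeeper", True, frozenset({"accounting", "email"})),
        # kept admin rights from a past project
        Account("bob", "sales", True, frozenset({"crm", "email", "server-admin"})),
        # left last month, never offboarded
        Account("carol", "sales", False, frozenset({"crm", "email"})),
        # a role nobody defined a baseline for
        Account("dave", "intern", True, frozenset({"email"})),
    ]


if __name__ == "__main__":
    for user, finding, details in review_access(sample_accounts()):
        print(f"{user}: {finding} {details}")
```

Each finding maps to an action: revoke the departed account, remove the excess entitlement, or define the missing baseline. Keeping the baseline in version control gives you a record of what "least privilege" meant each quarter.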

7. Have an Incident Response Plan

Know what you will do before something happens: who to call, how to isolate affected systems, how to notify clients if required. A written one-page plan reviewed annually is enough for most small businesses. When an incident occurs, clarity under pressure determines whether you recover in hours or weeks.

Want this done for you?

Book a free 30-min strategy call
