Cybersecurity for Small Business: The Stuff That Actually Matters


A commonly cited industry figure puts small businesses at 43% of cyberattack targets. Most of them think they're too small to be worth attacking. That is exactly why they are targeted: weak defences and valuable data (customer records, payment details, and an email account that unlocks everything else).

You don’t need a security operations centre. You don’t need to hire a CISO. You need to get the basics right. Here’s what that actually means.

Passwords Are Still the Biggest Problem

I know you’ve heard this before. I’m going to say it again because the data shows most small businesses still haven’t fixed it.

A large share of breaches start with compromised credentials: weak passwords, passwords reused across sites, or passwords already exposed in an earlier breach and replayed by attackers against your accounts (credential stuffing).

The fix is simple: use a password manager. 1Password and Bitwarden are solid choices; LastPass is widely used, but its 2022 breach, in which attackers stole backup copies of customer vaults, is a reason to prefer the others. Pick one. Have everyone in your business use it. Generate unique, long passwords for every account, and let the manager check whether any existing password has already appeared in a known breach.

Combined with two-factor authentication, this single step closes off the password-reuse and credential-stuffing attacks that account for a large share of small-business compromises.
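The "already exposed in a breach" check is worth understanding, because it can be done without ever sending your password anywhere. The following is an added example written for this article, not code from any password manager: it follows the k-anonymity range lookup offered by Have I Been Pwned's Pwned Passwords service, where only the first five hex characters of the password's SHA-1 hash leave the machine and the match is made locally. The live request is wrapped in fetch_range() but never called here; the demo uses SAMPLE_RANGES, a constructed stand-in for the service's reply (the counts are made up; the first suffix is the real SHA-1 tail of the string "password"). It also includes the kind of random generator a password manager uses, so you can see why a generated password does not match anything.

```python
"""Check a password against breach data without sending it anywhere.

Added example for this article; the only real external detail is the
Pwned Passwords range endpoint, which is not called in the demo.
"""
import hashlib
import secrets
import string
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str):
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent to
    the service and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """The service answers one 'SUFFIX:COUNT' line per hash in the range."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (not exercised in the demo). Only the prefix is transmitted,
    so the service learns nothing usable about the password itself."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "small-business-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breach corpora.
    0 means not found in the returned range."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def generate_password(length: int = 20) -> str:
    """What a password manager does: a random string from a large alphabet.
    20 characters drawn from 94 symbols is roughly 131 bits of entropy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed stand-in for the service, keyed by prefix. The counts are
# invented; the first suffix is the genuine SHA-1 tail of 'password'.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Pretend service: returns the constructed range, or an empty one."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print("'password' seen", breach_count("password", offline_fetch), "times")
    fresh = generate_password()
    print("generated password seen", breach_count(fresh, offline_fetch), "times")
```

SHA-1 is fine here only because it is the lookup key the service uses, not a way to store passwords; the privacy of the check comes from sending a 5-character prefix that matches hundreds of unrelated hashes.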

Two-Factor Authentication Is Non-Negotiable

If your email, banking, and business software accounts don’t have two-factor authentication enabled, stop reading this and go enable it. Right now.

Email is the most critical. If someone gets into your email, they can reset passwords for everything else. Your email account is the master key to your digital life.

Authenticator apps (Google Authenticator, Microsoft Authenticator) are better than SMS codes. SMS codes can be intercepted through SIM swapping, where an attacker talks your phone company into moving your number to their SIM. It's rare, and authenticator apps remove that particular risk. What they don't remove is real-time phishing: a fake login page can ask you for the six-digit code and relay it to the real site within the thirty seconds it is valid. If you want to close that gap too, use passkeys or a hardware security key (FIDO2/WebAuthn), which only work on the genuine site and cannot be relayed this way.

Phishing Is Getting Smarter

Phishing emails used to be obvious. Bad grammar, Nigerian princes, urgent requests from unknown senders.

Modern phishing is much better. AI tools can generate convincing emails that mimic your contacts' writing styles. They reference real projects you're working on. They come from addresses that look almost identical to legitimate ones: a domain one character off from your supplier's, a look-alike letter swapped in, or a genuine-sounding display name in front of an unrelated address.

Training your team to spot phishing is essential. Not a one-off training session. Regular reminders and simulated phishing tests. Businesses that run these regularly see click rates fall over time, and, more importantly, see reporting rates rise.

Key rules: never click links in unexpected emails. Go directly to the website instead. Look at the actual sender address, not just the display name. If a supplier sends you new banking details, call them on a number you already have to verify. This one habit defeats the most common form of business email compromise, the redirected invoice payment.
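The "look at the actual sender address" rule can be partly automated, because the look-alike tricks fall into a few recognisable patterns. Below is an added example written for this article, not code from any mail product, that classifies a sender as trusted, look-alike or unknown against a list of domains you actually deal with. The trusted list and every sample address are constructed for the demonstration. It catches three patterns the article describes: swapped look-alike characters (capital I for lowercase l, "rn" for "m", zero for o), one- or two-character edits of a real domain, and a real domain buried inside a longer attacker-controlled one, plus "xn--" punycode labels that can hide accented look-alike letters.

```python
"""Flag e-mail senders whose domain resembles, but is not, a trusted domain.

Added example for this article. TRUSTED_DOMAINS and the sample addresses
are constructed; nothing here is from any product named in the article.
"""
import unicodedata

# Constructed: domains this business actually exchanges invoices with.
TRUSTED_DOMAINS = {"acme-supplies.com", "ourbank.example"}

# Single characters attackers substitute because they render almost alike.
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so 'acme-suppIies.com' (capital I)
    and 'acme-supplies.com' reduce to the same string."""
    d = unicodedata.normalize("NFKC", domain).lower()
    d = d.replace("rn", "m").replace("vv", "w")  # two-letter look-alikes
    return d.translate(_CHAR_MAP)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: a one-character typo-squat gives distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain of an e-mail address. A display name such as
    'Accounts <x@y>' is ignored: only the part after '@' counts."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, reason) with verdict in
    {'trusted', 'lookalike', 'unknown'}."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    # Internationalised labels ('xn--') can hide accented look-alike letters.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "lookalike", "punycode label in domain"
    for t in trusted:
        if skeleton(domain) == skeleton(t):
            return "lookalike", f"homoglyph of {t}"
        if levenshtein(domain, t) <= 2:
            return "lookalike", f"within 2 edits of {t}"
        # e.g. 'acme-supplies.com.invoice-portal.net': the trusted name is
        # only a subdomain of something the attacker controls.
        if t in domain:
            return "lookalike", f"embeds {t}"
    return "unknown", "not a domain we deal with"


if __name__ == "__main__":
    # Constructed sample senders; only the first is genuine.
    for sample in [
        "accounts@acme-supplies.com",
        "Accounts <accounts@acme-suppIies.com>",
        "billing@acme-supplies.co",
        "accounts@acme-supplies.com.invoice-portal.net",
        "info@xn--acme-suppies-fzb.com",
        "news@totally-unrelated.org",
    ]:
        print(f"{sample:50} -> {classify_sender(sample)}")
```

A mail filter would run this on the envelope sender and the From header of every incoming message and route "lookalike" hits to a quarantine or a warning banner. It does not replace the phone call: a genuinely compromised supplier mailbox sends from the real, trusted domain and passes every check here.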

Backup Everything

Ransomware encrypts your files and demands payment for the decryption key. If you have good backups, ransomware is an inconvenience instead of a catastrophe. One caveat: most ransomware groups now also copy your data before encrypting it and threaten to leak it. Backups get your business running again; they do not undo the theft, which is one more reason to keep attackers out in the first place.

The 3-2-1 backup rule works: three copies of your data, on two different types of storage, with one copy offsite. Ideally that offsite copy is also offline or immutable, meaning nothing on your network can delete or overwrite it once written.

Cloud backup services automate this. But make sure your backups aren't reachable from your main network in a way that ransomware could exploit. Ransomware encrypts whatever the logged-in user can write to, so a backup drive that is always plugged in, a mapped network share, or a synced folder (OneDrive, Dropbox, Google Drive) gets encrypted too; file sync is not backup, it faithfully syncs the damage. Use a backup account with its own credentials that no day-to-day user has, and a service that keeps old versions so you can roll back to the day before the attack.

Test your backups regularly by actually restoring files to a spare machine and checking that they open and are complete. A backup that doesn't restore is worse than no backup, because it gives false confidence.
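"Check that the restore is complete" can be made mechanical rather than a matter of opening a few files and hoping. The script below is an added example written for this article, not part of any backup product: at backup time it records a manifest of every file's SHA-256 hash, and after a test restore it compares the restored tree against that manifest, reporting files that are missing or came back altered. The demo() function builds a small constructed set of files in a temporary directory, "restores" them by copying, then deliberately deletes one file and corrupts another to show both failure modes being caught. Keep the manifest with the offsite copy, not only on the live machine.

```python
"""Verify that a restored backup actually matches what was backed up.

Added example for this article. The files created in demo() are
constructed; the manifest format (a JSON map of path -> SHA-256) is
this example's own choice, not any product's.
"""
import hashlib
import json
import os
import shutil
import tempfile


def file_sha256(path: str) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest.
    Run this at backup time and store the result beside the backup."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    Returns sorted lists under 'ok', 'missing' and 'changed'."""
    result = {"ok": [], "missing": [], "changed": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif file_sha256(path) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, then show
    the check catching one missing file and one that came back altered."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "live")
        os.makedirs(os.path.join(src, "invoices"))
        with open(os.path.join(src, "invoices", "2024-01.pdf"), "wb") as f:
            f.write(b"invoice data")
        with open(os.path.join(src, "customers.csv"), "w") as f:
            f.write("name,email\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("call supplier\n")

        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(src), f)  # keep this with the offsite copy

        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)
        os.remove(os.path.join(restored, "notes.txt"))      # simulated failed restore
        with open(os.path.join(restored, "customers.csv"), "a") as f:
            f.write("corrupt\n")                             # simulated partial write

        with open(manifest_path) as f:
            saved = json.load(f)
        return verify_restore(saved, restored)


if __name__ == "__main__":
    outcome = demo()
    for key in ("ok", "missing", "changed"):
        print(f"{key:8}: {outcome[key]}")
```

A restore test "passes" only when both the missing and changed lists are empty; put that condition in the monthly checklist rather than a glance at the folder size.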

Software Updates Aren’t Optional

Every time you dismiss that update notification, you’re leaving a known vulnerability open. Attackers actively scan for systems running outdated software.

Enable automatic updates on everything. Operating systems, browsers, business software. If automatic updates aren’t available, schedule a monthly update day and do them all at once.

This applies to your website too. If you're running WordPress, keep the core, the plugins and the theme updated, and remove plugins you no longer use. Outdated or abandoned plugins, more than WordPress itself, are one of the most common entry points for attackers.

Your Wi-Fi Network

If your business Wi-Fi still uses the password it was set up with (or the one printed on the router), change it, and change the router's admin password at the same time. If your router supports WPA3, use it; if you're on WPA2, use a long passphrase with AES (CCMP) encryption rather than TKIP, and turn off WPS, which lets a PIN be brute-forced.

Create a separate guest network for visitors. This prevents guests from accessing your internal network and any devices connected to it.

If your team works remotely, they should use a VPN when connecting to public Wi-Fi. Business VPN solutions like NordLayer (formerly NordVPN Teams) or Cloudflare's Zero Trust client (WARP) are affordable and simple to deploy. Keep in mind what a VPN does and doesn't do: it hides your traffic from the coffee-shop network, which matters less now that most sites use HTTPS, and it does nothing against phishing or an unpatched laptop. The bigger win is making the VPN the only route into your office systems, so those systems aren't exposed to the whole internet.

The Human Factor

Most security breaches involve a human mistake. Someone clicks a link. Someone shares a password. Someone leaves a laptop unlocked in a coffee shop.

You can’t eliminate human error. But you can reduce it through culture. Make security part of how your business operates, not an afterthought.

This means talking about security regularly. Sharing examples of attacks that happened to businesses like yours. Making it easy for people to report suspicious activity without feeling stupid.

If you're working with external partners on your technology setup, make sure they take security seriously too. Any firm that handles your business technology, whether an IT provider or an AI consultancy, should have security built into its process, not bolted on. Ask them how they handle your credentials, who has access, and how they would tell you about a breach.

Start Today

You don’t need to do everything at once. Start with the three highest-impact items:

  1. Get a password manager and enable two-factor authentication everywhere
  2. Set up proper backups and test them
  3. Enable automatic updates on all systems

These three things will protect you against the vast majority of attacks targeting small businesses. They’re free or cheap, and they can be done this week.

Don’t wait until after a breach. That’s an expensive way to learn these lessons.