Cybersecurity for Small Business: The Essential Checklist
Key Takeaways
- Before choosing controls, understand what you're actually defending against.
- If you implement one control from this entire guide, make it MFA.
- Email is where most small business breaches begin.
- Backups are your insurance against ransomware.
- Every device that connects to your business network or accesses business data is an attack surface.
- Every account is a potential breach entry point.
In 2022, a small healthcare provider in Chicago called Brookside ENT and Hearing Center permanently closed after a ransomware attack. The two-physician practice paid the ransom but the attackers destroyed their data anyway. They had no usable backups, couldn't restore patient records, and shut down after 40 years of operation. Two physicians lost their practices. Their patients lost their doctors.
That story represents one end of the spectrum. At the other end: a $9/month Backblaze subscription and a functioning backup test might have saved everything.
Small businesses account for approximately 43% of all cyberattacks according to Verizon's Data Breach Investigations Report — not because attackers particularly want your data, but because you are statistically easier to compromise than enterprise targets. You don't have a 24-hour security operations center. Your employees haven't been to security awareness training. Your systems may not have been patched in months. You represent the path of least resistance for attackers who cast wide nets.
The economics of your security posture matter in a specific way: most attacks against small businesses are automated and opportunistic. They scan millions of IP addresses looking for unpatched vulnerabilities. They send phishing emails to millions of targets and wait for the 1% who click. They don't specifically want you — they want whoever is most vulnerable. Raise your security posture meaningfully above the average and you stop appearing in those automated sweeps.
This guide gives you the specific controls that address the attacks you'll actually face, organized by priority and with budget tiers for each category.
The Threat Model for Small Businesses
Before choosing controls, understand what you're actually defending against. The DBIR (Verizon Data Breach Investigations Report) consistently shows that small business breaches follow predictable patterns:
Ransomware is the dominant threat by damage. Attackers encrypt your files and demand payment to restore them. Modern ransomware attacks also exfiltrate data before encrypting it — "double extortion" — threatening to publish sensitive information (customer records, financial data, private communications) if you don't pay.
Average ransom demand for small businesses in 2023: $572,000 (Sophos State of Ransomware report). Average actual payment: $400,000. Average total cost including downtime, recovery, and remediation: $1.82 million. Median downtime: 24 days.
Phishing and BEC (Business Email Compromise) are the most common initial access vectors. An attacker sends a convincing email that tricks an employee into clicking a malicious link, opening an infected attachment, or wiring money to a fraudulent account. FBI IC3 2024 data shows $2.9 billion in BEC losses in the US alone.
Credential theft and account takeover — attackers buy credential databases from previous breaches, run automated credential stuffing against your business applications, and take over accounts where passwords were reused. Once inside your email, they have access to everything the email account can reach.
Supply chain attacks via MSP and software vendors — the 2021 Kaseya attack compromised approximately 1,500 small businesses by attacking their managed service provider. Attackers increasingly target the tools that small businesses use rather than attacking each business directly.
Understanding these threat categories determines your control priorities. The controls below are sequenced by impact on these specific threats.
Priority 1: Multi-Factor Authentication
If you implement one control from this entire guide, make it MFA. Not because it's the most technically interesting control — it isn't — but because it directly blocks the most common attack vector against small business accounts with the lowest implementation effort.
The 2023 Microsoft Digital Defense Report found that MFA prevents more than 99.9% of account takeover attacks. This isn't because MFA is unbreakable — it isn't — but because automated credential stuffing (the dominant attack against SMB accounts) uses stolen password databases without the capability to handle MFA challenges. When attackers hit an MFA-protected account with a stolen password, they move on to the next target.
Priority Order
1. Email accounts — Your email is the master key to your digital business. Every account reset, every financial notification, every vendor communication flows through it. An attacker with email access can reset every other account password, intercept wire transfer confirmations, and impersonate you to your bank, suppliers, and customers. Protect email first.
2. Financial accounts — Business banking, payroll (ADP, Gusto, Paychex), accounting software (QuickBooks, Xero), and payment processors. These are where money leaves your business.
3. Domain registrar and DNS — Whoever controls your domain controls your email, your website, and every service authenticated through your domain. Domain takeover is irreversible in the short term.
4. Cloud storage and business management — Google Drive, Dropbox, OneDrive (customer data, contracts), your CRM, project management tools, HR systems.
5. Remote access — VPN, RDP, SSH. These are the attack paths most commonly exploited by ransomware operators. If you have any remote access to your business systems, it must have MFA.
MFA Type Selection
| Type | Protection Level | Cost | Best For |
|------|------------------|------|----------|
| Hardware security key (FIDO2) | Phishing-resistant | $25-$50 per key | Executives, finance, anyone who handles large transactions |
| Authenticator app (TOTP) | Strong | Free | All employees, standard accounts |
| SMS code | Moderate | Free (carrier) | Acceptable only if no other option exists |
| Email code | Moderate | Free | Last resort |
SMS-based MFA is vulnerable to SIM swapping. For any account where fraud losses could exceed a few thousand dollars, upgrade to an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) or hardware security key.
YubiKey 5 NFC ($50): A hardware security key that works with USB and NFC (for phones). Plugs into the laptop; tap to the phone for mobile login. Supported by Google, Microsoft, Dropbox, GitHub, and most major business applications. Buy two (one backup) and keep the backup in a safe. The protection hardware keys provide against phishing — an attacker who steals your password still can't log in without the physical key — justifies the cost for high-value accounts.
Implementation for Google Workspace
Admin Console → Security → Authentication → 2-step verification
→ Allow users to turn on 2-Step Verification: Enabled
→ Enforcement: Turn on enforcement from [date]
→ New user enrollment period: 0 days (require immediately)
→ Methods allowed: Security key and authenticator apps
(Note: remove "SMS or voice call" if you want to prohibit SMS)
Implementation for Microsoft 365
Microsoft 365 Admin Center → Settings → Org Settings → Security & Privacy
→ Multi-factor authentication → Configure MFA (this opens the legacy MFA admin portal)
OR (preferred modern approach):
Azure Active Directory → Security → Conditional Access → New policy
→ Users: All users → Cloud apps: All cloud apps
→ Grant: Require multi-factor authentication
→ Enable policy
Per-user MFA (legacy portal): Admin center → Users → Active users → Multi-factor authentication → Enable for each user.
Security defaults (free, simpler alternative): Microsoft 365 Admin Center → Azure Active Directory → Properties → Manage security defaults → Enable security defaults. This forces MFA for all users, blocks legacy authentication, and requires MFA for admin accounts.
Password Manager for All Employees
MFA is significantly more effective when paired with unique strong passwords for each account. Credential reuse — using the same password at multiple sites — turns one breach into universal account compromise.
Bitwarden Teams ($3/user/month): Open source, independently audited (2022 Cure53 audit, 2023 Insight Risk audit), fully featured. The free tier covers individuals; Teams adds shared vaults for business credentials.
1Password Business ($7.99/user/month): Strong business focus, Travel Mode (hides vaults at borders), integrations with HR systems for automatic provisioning/deprovisioning.
Keeper Business ($4.50/user/month): Particularly strong admin controls, BreachWatch monitoring for exposed passwords.
Set a company policy: all business accounts get a unique randomly generated password stored in the company password manager. Personal password reuse for business accounts is not permitted. This policy costs nothing to implement beyond the password manager subscription.
Priority 2: Email Security and Anti-Phishing
Email is where most small business breaches begin. Phishing emails deliver ransomware payloads. BEC emails redirect wire transfers. Credential theft emails capture login details for business accounts.
SPF, DKIM, DMARC: Free and Essential
These three DNS records prevent attackers from sending email that appears to come from your domain — crucial both for protecting your customers (attackers can't impersonate you to them) and for protecting your organization (inbound DMARC enforcement prevents spoofing against your employees).
Quick implementation guide:
Step 1 — Check your current state:
# MXToolbox DNS check (free web tool):
mxtoolbox.com/spf.aspx?domain=yourdomain.com
mxtoolbox.com/dkim.aspx?domain=yourdomain.com&selector=default
mxtoolbox.com/dmarc.aspx?domain=yourdomain.com
Step 2 — SPF record: Add a TXT record to your domain DNS. The exact record depends on your email provider:
- Google Workspace:
v=spf1 include:_spf.google.com -all
- Microsoft 365:
v=spf1 include:spf.protection.outlook.com -all
- Both (you switched and are transitioning):
v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all
- Custom SMTP server at 203.0.113.10:
v=spf1 ip4:203.0.113.10 -all
If you use additional services that send email on your behalf (newsletters, invoicing software, CRM), add their include: directives. Check their documentation.
Step 3 — DKIM:
For Google Workspace:
Admin Console → Apps → Google Workspace → Gmail → Authenticate email
→ Select domain → Generate new record → Copy the DNS TXT record
→ Add to your domain DNS registrar as a TXT record at google._domainkey.yourdomain.com
→ Start authentication
For Microsoft 365:
Microsoft 365 Defender → Email & collaboration → Policies → Email authentication settings
→ DKIM → select your domain → Enable → Create DKIM keys
→ Add the two CNAME records to your DNS registrar
Step 4 — DMARC monitoring:
Start with monitoring before enforcement:
# Add this TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
Use a free DMARC reporting tool (EasyDMARC free tier, Postmark DMARC) to receive and interpret reports. After 2-4 weeks when you understand your mail flow, advance to:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
Then:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; sp=reject; pct=100
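Before publishing any of the SPF or DMARC records from Steps 2 and 4, it is worth linting them for the mistakes that silently break enforcement (a `+all` or missing `all`, more than ten lookup-causing mechanisms, a `p=reject` with a weaker subdomain policy). The checker below is an added example written for this guide, not part of the original text or of any vendor's tooling; it works on record strings offline and does not query DNS.

```python
"""Lint SPF and DMARC TXT records before publishing them.

Added example for this guide; it checks record strings offline and
does not look anything up in DNS.
"""
import re

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps a
# record at 10 lookups; more than that yields a permerror, i.e. no protection).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(record: str) -> list:
    """Return a list of findings for an SPF record; an empty list means it looks sane."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and cut at the first ':' '/' or '='
        # to get the mechanism name, e.g. "include:_spf.google.com" -> "include".
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow; remove it")
        if name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("missing terminal 'all' mechanism")
    elif all_qualifier == "+":
        findings.append("'+all' allows any sender; use -all (or ~all while testing)")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral and gives no protection")
    return findings


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list:
    """Return findings for a DMARC record, following the monitor -> quarantine -> reject rollout."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct= must be an integer 0-100")
    if policy == "none":
        findings.append("p=none only monitors; advance to quarantine/reject once mail flow is understood")
    elif policy == "reject" and tags.get("sp", policy) != "reject":
        findings.append("subdomain policy sp= is weaker than p=; spoofers can use subdomains")
    return findings


if __name__ == "__main__":
    for rec in ("v=spf1 include:_spf.google.com -all",
                "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"):
        print(rec, "->", lint_spf(rec) if rec.startswith("v=spf1") else lint_dmarc(rec))
```

Run it against each record you intend to publish; the `p=none` finding is expected during the monitoring phase and disappears once you advance the policy. Note that the lookup count is per record only: an `include:` can itself pull in further lookups, so a record that passes here can still exceed ten once the included domains are expanded.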
Phishing Simulation and Training
Technical controls catch most phishing attempts. Training catches the remainder — and humans are frequently targeted precisely because technical controls have gotten better.
GoPhish (free, open source): An open-source phishing simulation platform you self-host. Create convincing phishing email templates, target your own employee list, track who clicks and who enters credentials, and enroll clickers in training. More technical to set up than SaaS alternatives.
KnowBe4 (~$18-$32/user/year): The market leader in security awareness training and phishing simulation. Includes a large library of phishing templates (including real-world examples from current phishing campaigns), automated campaign scheduling, and a comprehensive training content library. Pricing is volume-dependent — contact for SMB pricing.
Proofpoint Security Awareness Training (~$20-$30/user/year): Competitive with KnowBe4, stronger integration with Proofpoint's email security products.
Cofense PhishMe: Enterprise-grade but has SMB pricing. Their specialty is teaching employees to recognize and report phishing rather than just testing whether they fail.
For organizations that can't justify per-user training costs:
- Google's Phishing Quiz (phishingquiz.withgoogle.com): Free 8-question quiz that teaches employees to identify phishing indicators. Run this quarterly as part of a team meeting.
- CISA Cybersecurity Awareness Training (cisa.gov/cybersecurity-awareness-month): Free government-produced training materials.
Configure Your Email Provider's Built-In Security
Google Workspace — Gmail safety settings:
Admin Console → Apps → Google Workspace → Gmail → Safety
Enable:
- Protect against domain spoofing based on similar domain names
- Protect against spoofing of employee names
- Protect against inbound emails spoofing your domain
- Protect against any unauthenticated emails
- Protect your groups from inbound spoofing
- Enhanced pre-delivery message scanning
Microsoft 365 — Anti-phishing policy:
security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Anti-phishing
Configure:
- Enable impersonation protection for your executives and key domains
- Enable mailbox intelligence
- Enable first contact safety tips
- Action for impersonated users/domains: quarantine
If your Microsoft 365 plan includes Defender for Office 365 Plan 1 (included in Business Premium), also configure:
- Safe Attachments: Block policy for all users
- Safe Links: Enable for email with "do not allow users to click through"
Priority 3: Backup Strategy
Backups are your insurance against ransomware. Ransomware only generates leverage if you don't have a clean copy of your data. Organizations with functioning, tested backups that are offline or immutable can recover from ransomware without paying — and without permanently losing data.
"Functioning and tested" is doing a lot of work in that sentence. Most small business backup failures in ransomware incidents fall into one of three categories:
- Backups existed but weren't tested — the backup process had silently failed months earlier and no one knew until they tried to restore
- Backups were network-connected — ransomware encrypted the backup server alongside everything else
- Backups were cloud sync folders — the ransomware encrypted files locally and the changes synced to the cloud, destroying the cloud copies too
The 3-2-1 Rule: Minimum Standard
- 3 copies of your data: one production copy and two backups
- 2 different storage media: local plus cloud (or local plus external drive)
- 1 offsite copy: cloud backup or physical media at a different location
The 3-2-1 rule has an important addition for ransomware: at least one backup must be air-gapped (physically disconnected from your network when not actively backing up) or immutable (write-once, cannot be modified or deleted for a defined retention period).
Implementation by Budget
$0/month (free):
Windows built-in backup: Windows 10/11 includes File History (Settings → Update & Security → Backup → Back up using File History) and Windows Backup (Settings → System → Storage → Advanced storage settings → Backup Options). These back up to a connected drive or network location.
macOS Time Machine: Built into every Mac. Connect an external drive and enable Time Machine in System Settings → General → Time Machine. Simple and reliable.
Free cloud backup (limited): Google Drive (15GB free), OneDrive (5GB free), iCloud (5GB free). Not sufficient for business data volumes but functional for critical document backup when storage fits.
$10-50/month (small team, critical data protected):
Backblaze Computer Backup ($9/month per computer, unlimited storage): The best value for small business endpoint backup. Continuously backs up all user files to Backblaze's cloud infrastructure. Point-in-time restore lets you recover files as they existed at any date in the past (up to 1 year). Setup takes 10 minutes.
Backblaze B2 + Rclone (~$6/TB/month): For server backup. Rclone is an open-source tool that syncs files to B2. Pair with B2's Object Lock feature (WORM storage) for immutable ransomware-resistant backups.
$50-200/month (full business continuity):
Veeam Backup & Replication Free (up to 10 workloads): Enterprise backup software with a free tier. Backs up VMs, physical servers, and workstations to local or cloud destinations. The free tier covers most small businesses.
Acronis Cyber Protect (~$10-15/user/month): Combines endpoint protection (antivirus) with cloud backup and disaster recovery. Single pane of glass for security and backup management.
Datto ALTO/SIRIS (varies, typically $200-500/month): Appliance-based backup and disaster recovery specifically marketed to SMBs through managed service providers. Includes local backup with cloud replication and the ability to "run" your server from the backup appliance during recovery.
The Non-Negotiable: Test Your Restores
A backup you've never tested is not a backup. It's a file you hope contains data.
Ransomware recovery is the worst possible time to discover that your backup job has been silently failing for three months. Test your backups monthly:
Monthly restore test procedure:
- Pick a random file or folder from 2 weeks ago
- Restore it from backup without touching the production copy
- Verify the data is intact and the file opens correctly
- Document the test: date, what was restored, time to restore, result
Quarterly disaster simulation:
- On a test machine (or a VM), perform a full restore of a critical server or workstation
- Verify the restored system boots and critical applications function
- Measure actual restore time (how long would recovery take in a real incident?)
- Document gaps and remediate before the real incident
Cloud Sync Is Not Backup
Google Drive, Dropbox, and OneDrive are file sync services, not backup solutions. Ransomware encrypts your local files; the encrypted files then sync to the cloud. Some of these services offer version history that can recover pre-encryption versions, but:
- Version history retention varies (30 days for free tiers, up to 180 days for paid)
- Recovery requires going file-by-file unless you use the provider's bulk restore feature
- Recovery from version history doesn't work for all file types consistently
Use cloud sync for collaboration and access convenience. Use a separate backup solution for disaster recovery.
Priority 4: Endpoint Protection and Patch Management
Every device that connects to your business network or accesses business data is an attack surface. A single unpatched laptop with administrator rights can be the entry point for a ransomware attack that destroys the entire business.
Patching: The Highest-ROI Security Control
The majority of successful ransomware attacks exploit known vulnerabilities for which patches already existed at time of attack. Verizon's DBIR consistently shows this. WannaCry (2017) exploited MS17-010, an SMB vulnerability patched by Microsoft two months before the ransomware campaign launched. NotPetya (2017) exploited the same vulnerability. Hundreds of organizations that hadn't patched in two months lost everything.
Enforce automatic updates:
Windows: Settings → Windows Update → Advanced Options → Receive updates for other Microsoft products → ON; Configure automatic updates via Group Policy or Microsoft Intune for managed devices.
macOS: System Settings → General → Software Update → Enable "Automatically keep my Mac up to date" and all sub-options.
Don't allow indefinite deferrals. If employees can defer OS updates indefinitely, some will defer forever. Set maximum deferral windows — Microsoft Intune, JAMF, and Mosyle can enforce patch compliance with grace periods before mandatory installation.
Third-party application patching: Chrome, Firefox, Adobe Acrobat, and Java are among the most exploited applications. Enable automatic updates for all of them:
# Chrome: automatically updates by default; verify with:
chrome://settings/help
# Firefox: Settings → General → Firefox Updates → Install updates automatically
# Adobe Reader: Preferences → Updater → Automatically install updates
# Track unpatched third-party software with:
# Ninite Pro (~$20/month for 50 endpoints): automates patching for 100+ common apps
Antivirus and EDR
Windows Defender (built-in, free): As of 2023, Microsoft Defender has AV-TEST scores competitive with paid alternatives. It's installed by default on every Windows machine, receives regular definition updates, and integrates with Microsoft 365 Defender for centralized management. For most small businesses, enabling and properly configuring Defender is sufficient and costs nothing.
# Verify Defender is running:
Get-MpComputerStatus | Select-Object -Property AntivirusEnabled, AMServiceEnabled, RealTimeProtectionEnabled
# Force a signature update:
Update-MpSignature
# Run a quick scan:
Start-MpScan -ScanType QuickScan
Malwarebytes for Teams ($40/endpoint/year): Adds behavior-based detection (catches zero-day malware that definition-based scanners miss), ransomware rollback (can restore files encrypted by ransomware to their pre-encryption state), and centralized management. Good complement to Windows Defender.
Huntress ($7/endpoint/month): Marketed to managed service providers but available direct. Includes persistent foothold detection (finds malware that survives reboots), managed antivirus, and a 24/7 security operations center that reviews detections and advises on response. Particularly good value for businesses that need "always-on" security expertise without hiring a security team.
CrowdStrike Falcon Go ($59.99/device/year): Enterprise-grade EDR (Endpoint Detection and Response) with SMB-accessible pricing. Better than Malwarebytes for detection of sophisticated threats but more expensive.
Disk Encryption
BitLocker (Windows Pro, free): Full-disk encryption for Windows. If a laptop is stolen, the data is inaccessible without the encryption key (tied to the user's login or a separate PIN). Takes 30 minutes to configure, zero ongoing cost, and protects all data at rest.
# Enable BitLocker via PowerShell (run as Administrator):
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes128 -UsedSpaceOnly -Pin (Get-Credential).Password -TpmAndPinProtector
# Or via GUI: Control Panel → System and Security → BitLocker Drive Encryption → Turn on BitLocker
FileVault (macOS, free): System Settings → Privacy & Security → FileVault → Turn On FileVault. Store the recovery key in a secure location (your password manager, or enable recovery key escrow through your MDM solution).
Require encryption through MDM: If employees access business data from personal devices, your MDM solution (Microsoft Intune, JAMF, Mosyle) can require disk encryption as a compliance condition before allowing device access to corporate resources.
Mobile Device Management (MDM)
If employees access business email, customer data, or internal systems from mobile devices — personal or company-owned — you need MDM.
Microsoft Intune (included in Microsoft 365 Business Premium at $22/user/month): Manages iOS, Android, Windows, and macOS. Enforce disk encryption, screen lock, OS update requirements. Remote wipe if a device is lost or stolen. Conditional access: require MDM enrollment before allowing access to Microsoft 365.
Google Workspace MDM (included): Basic MDM included in all Google Workspace tiers. Require screen lock, device encryption, manage corporate data. More limited than Intune but sufficient for basic requirements.
JAMF Pro (Apple-focused MDM, $7.17/device/month): Best-in-class for managing Apple devices (Mac, iPhone, iPad). If your business is all-Apple, JAMF is the appropriate choice. JAMF Now is the SMB-tier product.
Priority 5: Access Control
Every account is a potential breach entry point. Every access right an account holds is potential damage in a breach. Access control limits both.
Remove Former Employees Immediately
Stale accounts are a documented attack vector. A former employee's account — still active weeks after they left, with full access to systems they no longer need — is credential stuffing gold for attackers who obtain it from a breach database.
Day-one offboarding process:
- Revoke access to all business applications simultaneously (password manager, Google Workspace or Microsoft 365 admin console, CRM, financial software)
- Disable or delete the account (disable first; delete after confirming no critical data depends on the account)
- Transfer ownership of any critical files or projects before disabling
- Revoke any hardware tokens or physical access (if applicable)
- Document the offboarding in your HR system with a timestamp
Most account takeover breaches involving stale accounts could be prevented by a consistent same-day offboarding process. Many small businesses handle this informally and inconsistently, leaving accounts active for weeks.
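A quarterly export of your user list makes the two failure modes above (terminated-but-active and dormant accounts) easy to catch. The audit below is an added example written for this guide, not the guide's own procedure or any identity provider's feature; the CSV layout and the sample rows are constructed, and in practice you would export the real list from Google Workspace, Microsoft 365 / Entra ID, or your HR system and feed it in.

```python
"""Audit an account export for stale accounts that should have been disabled.

Added example for this guide. The CSV columns (email, status, role,
last_login, termination_date) are an assumed layout; adapt the column
names to whatever your identity provider exports.
"""
import csv
import io
from datetime import date

# Constructed sample export. bob left in March but is still active; dave is an
# admin who has not signed in for months; carol was disabled correctly.
SAMPLE_EXPORT = """email,status,role,last_login,termination_date
owner@yourdomain.com,active,admin,2024-05-28,
alice@yourdomain.com,active,user,2024-05-27,
bob@yourdomain.com,active,user,2024-03-01,2024-03-02
carol@yourdomain.com,disabled,user,2024-01-10,2024-01-10
dave@yourdomain.com,active,admin,2023-11-15,
"""


def _parse_date(text: str):
    return date.fromisoformat(text) if text else None


def audit_accounts(export_csv: str, today: date, inactive_days: int = 90) -> list:
    """Flag active accounts that belong to terminated staff, and active accounts
    with no sign-in for more than `inactive_days`. Admin accounts are escalated
    because a takeover of one does far more damage than a standard user."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["status"].strip().lower() != "active":
            continue  # already disabled: nothing to do
        is_admin = row["role"].strip().lower() == "admin"
        terminated = _parse_date(row["termination_date"])
        last_login = _parse_date(row["last_login"])
        if terminated and terminated <= today:
            findings.append({
                "email": row["email"],
                "issue": "terminated_but_active",
                "days_overdue": (today - terminated).days,
                "severity": "critical" if is_admin else "high",
            })
        elif last_login is None or (today - last_login).days > inactive_days:
            findings.append({
                "email": row["email"],
                "issue": "dormant_account",
                "days_inactive": (today - last_login).days if last_login else None,
                "severity": "high" if is_admin else "medium",
            })
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["email"]))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_EXPORT, today=date(2024, 5, 29)):
        print(finding)
```

Run it on the same day you review role assignments (the guide's quarterly audit): a `terminated_but_active` finding is an offboarding process failure to fix, not just an account to disable, and a dormant admin account is a standing invitation for the credential stuffing the section describes.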
Least Privilege: Nobody Gets More Than They Need
Every account should have access only to the systems and data required for the person's job. This is the principle of least privilege.
Practical implementation:
No admin rights for standard users. An employee who needs to install software can request temporary elevation. Day-to-day work doesn't require administrator access, and most malware uses whatever privileges the current user has. A malware infection on a non-admin account does far less damage than on an admin account.
# Check which accounts have local admin rights on Windows:
Get-LocalGroupMember -Group "Administrators"
# Remove a user from local admins (run as admin):
Remove-LocalGroupMember -Group "Administrators" -Member "UserName"
Separate admin accounts for administrative tasks. Anyone who needs admin access (IT staff, owner) should have two accounts: a regular user account for daily work and a separate admin account used only for administrative operations. Never use the admin account to browse the web or read email.
Role-based access in applications. In Google Workspace, Microsoft 365, your CRM, and every other business application, assign the minimum role necessary. Not everyone needs admin access to the CRM. Not everyone needs to see HR records. Audit role assignments quarterly.
Network Segmentation
If you have a physical office and you're technically capable, VLAN segmentation provides meaningful protection:
VLAN 10 (192.168.10.0/24): Business workstations
VLAN 20 (192.168.20.0/24): Servers and NAS
VLAN 30 (192.168.30.0/24): IoT devices (printers, smart TVs, cameras)
VLAN 40 (192.168.40.0/24): Guest Wi-Fi
A compromised workstation on VLAN 10 cannot directly reach your servers on VLAN 20 unless firewall rules explicitly allow it. Most managed business routers (Ubiquiti UniFi, Cisco Meraki, Netgear Orbi Pro) support VLANs at no additional license cost.
Minimum segmentation if full VLAN is too complex: At least put guest Wi-Fi and IoT devices on a separate network from business workstations. Most consumer routers support a guest network that's isolated from the main network. Use it.
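To see what segmentation actually buys you, it helps to model the VLAN plan above together with the router's inter-VLAN rules and ask what a compromised host can still reach. The script below is an added example written for this guide, not configuration from any router vendor: the four networks are the ones listed above, while the allow rules (SMB and HTTPS from workstations to servers, raw printing to the IoT VLAN) are constructed to illustrate a default-deny design.

```python
"""Model inter-VLAN firewall rules and compute a compromised host's reach.

Added example for this guide. ALLOW_RULES is a constructed policy; a real
router (UniFi, Meraki, etc.) expresses the same idea in its own rule syntax.
"""
import ipaddress

VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),  # business workstations
    20: ipaddress.ip_network("192.168.20.0/24"),  # servers and NAS
    30: ipaddress.ip_network("192.168.30.0/24"),  # IoT: printers, smart TVs, cameras
    40: ipaddress.ip_network("192.168.40.0/24"),  # guest Wi-Fi
}

# Inter-VLAN allow rules as (src_vlan, dst_vlan, protocol, port). Anything not
# listed is dropped by the inter-VLAN firewall: default deny between segments.
ALLOW_RULES = [
    (10, 20, "tcp", 445),   # workstations -> file server (SMB)
    (10, 20, "tcp", 443),   # workstations -> internal web apps
    (10, 30, "tcp", 9100),  # workstations -> network printers (raw print)
]


def vlan_of(ip: str):
    """Return the VLAN id an address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for vlan_id, net in VLANS.items():
        if addr in net:
            return vlan_id
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """True if traffic from src_ip to dst_ip on proto/port would be permitted."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # same segment is switched locally and never crosses the firewall
    return any(rule == (src, dst, proto.lower(), port) for rule in ALLOW_RULES)


def blast_radius(src_ip: str) -> set:
    """Every (dst_vlan, proto, port) a compromised host at src_ip could reach
    in other segments. An empty set means the host is fully contained."""
    src = vlan_of(src_ip)
    return {(dst, proto, port) for s, dst, proto, port in ALLOW_RULES if s == src}


if __name__ == "__main__":
    for host in ("192.168.10.5", "192.168.30.7", "192.168.40.2"):
        print(f"VLAN {vlan_of(host)} host {host} can reach: {sorted(blast_radius(host)) or 'nothing'}")
```

The useful output is `blast_radius`: a compromised workstation still reaches the file server on 445 (which is why patching and EDR on the server still matter), but a compromised camera on VLAN 30 or a guest laptop on VLAN 40 reaches nothing else. Each rule you add to the allow list widens that set, so review the list with the same discipline as role assignments.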
Priority 6: Incident Response Planning
Something will go wrong. The question is whether you'll know what to do when it does or whether you'll be making decisions under panic pressure with your business hanging in the balance.
A written incident response plan doesn't need to be a 50-page NIST document. For a small business, a two-page document answers the critical questions and lives somewhere accessible even when your systems are down.
The Two-Page Minimum Viable IR Plan
Print it. Put a copy in a filing cabinet. Email it to yourself at a personal account and to your attorney.
Your IR plan answers these questions before the incident:
1. Who's in charge? Name a specific person (or role) who owns incident response. If your business has fewer than 10 people, this is probably the owner. If you have IT staff, it's them. Write the name and direct phone number.
2. Who do you call?
- Internal lead: [Name, Phone]
- External IT/MSP: [Company, Emergency Phone]
- Cyber insurance provider: [Company, Policy Number, Emergency Hotline]
- Attorney: [Name, Phone] — for understanding notification obligations
- FBI Cyber Division: (855) 292-3937 — for significant ransomware incidents
3. How do you contain a compromised device?
- Isolate from the network immediately: unplug the ethernet cable and turn off Wi-Fi
- Do NOT turn the computer off (volatile memory may contain evidence)
- Do NOT try to "clean" it yourself
- Call your IR contact
4. How do you contain a compromised email account?
- Sign out all active sessions from your email admin console
- Reset the password
- Enable MFA if not already enabled
- Check for forwarding rules (attackers frequently create forwarding rules to maintain access after password change)
- Review emails sent from the account in the past 24-48 hours for BEC or supplier fraud
5. What are your legal notification obligations? Under federal law, HIPAA requires notification within 60 days of a breach involving protected health information (PHI). Various state breach notification laws require notification of affected individuals within 30-90 days. If you handle credit card data, PCI DSS has incident response requirements. Know your obligations before the incident. Your attorney helps you understand these for your industry and state.
6. What is your restore procedure?
- Who has access to the backups?
- Where are the backups stored?
- What is the estimated restore time?
- Who executes the restore?
7. How do you document the incident? Create a running log: timestamp every action, every call, every observation. Include what was affected, when it was discovered, what you did, and what the outcome was. This documentation is required for insurance claims, regulatory reporting, and potential legal proceedings.
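Item 4 tells you to check for forwarding rules after an email account compromise; in practice you want to review every inbox rule, because persistence is also set up by rules that delete or hide mail. The reviewer below is an added example written for this guide, not part of the original plan or of Gmail's or Exchange's admin tooling: it runs over a constructed rule export (the dictionary layout is an assumption; map your provider's export onto it) and flags rules that forward outside your domain, delete messages, or move finance-related mail into folders nobody reads.

```python
"""Review a compromised mailbox's inbox rules for attacker persistence.

Added example for this guide. The rule dictionaries are a constructed
export format; OUR_DOMAIN is assumed to be the business's own mail domain.
"""
OUR_DOMAIN = "yourdomain.com"  # assumption: your domain

# Constructed export of one user's inbox rules after a suspected compromise.
SAMPLE_RULES = [
    {"name": "Invoices to accounting", "forward_to": "ap@yourdomain.com",
     "delete": False, "move_to": None, "subject_contains": ["invoice"]},
    {"name": ".", "forward_to": "backup.mail.2291@webmail.example",
     "delete": True, "move_to": None, "subject_contains": []},
    {"name": "Hide bank", "forward_to": None, "delete": False,
     "move_to": "RSS Subscriptions", "subject_contains": ["wire", "payment", "bank"]},
    {"name": "Newsletters", "forward_to": None, "delete": False,
     "move_to": "Reading", "subject_contains": ["newsletter"]},
]

# Subject keywords that matter for BEC and supplier fraud.
FINANCE_TERMS = {"invoice", "wire", "payment", "bank", "password", "verification"}
# Folders users rarely open, so mail moved there effectively disappears.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive", "junk"}


def review_rules(rules: list, our_domain: str = OUR_DOMAIN) -> list:
    """Return flagged rules as {'name', 'severity', 'reasons'}, highest severity first."""
    findings = []
    for rule in rules:
        reasons, severity = [], "medium"
        finance = {t.lower() for t in rule.get("subject_contains", [])} & FINANCE_TERMS
        forward = rule.get("forward_to")
        if forward and not forward.lower().endswith("@" + our_domain.lower()):
            reasons.append(f"forwards to external address {forward}")
            severity = "high"
        if rule.get("delete"):
            reasons.append("deletes messages after processing")
            if finance:
                severity = "high"
        folder = (rule.get("move_to") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail into rarely-read folder '{rule['move_to']}'")
            if finance:
                severity = "high"
        if len(rule.get("name", "").strip()) < 3:
            reasons.append("suspiciously short or blank rule name")
        if reasons:
            if finance:
                reasons.append("matches finance keywords: " + ", ".join(sorted(finance)))
            findings.append({"name": rule.get("name", ""), "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: (f["severity"] != "high", f["name"]))
    return findings


if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(finding["severity"].upper(), repr(finding["name"]), "-", "; ".join(finding["reasons"]))
```

Run this alongside the session sign-out and password reset, and record the flagged rules in the incident log from item 7 before deleting them: the rule definitions (especially the external forwarding address) are evidence your IR contact and insurer will want. Legitimate internal forwards, like the first sample rule, are not flagged.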
Reporting Resources
- CISA Incident Reporting: cisa.gov/report (federal cybersecurity agency, free guidance and resources)
- FBI IC3: ic3.gov (for reporting criminal cyber activity, including ransomware)
- Local FBI Field Office Cyber Division: fbi.gov/contact-us/field-offices (field offices prefer direct contact for active incidents)
Cyber Insurance: What It Covers and What It Requires
The cyber insurance market has changed dramatically since 2020. Insurers have paid out significant ransomware claims and have responded by:
- Raising premiums significantly (50-100% increases in 2021-2022)
- Adding security control requirements to coverage
- Excluding or sublimiting ransomware coverage in some policies
- Requiring evidence of security controls at application and renewal
What most cyber policies cover:
- Ransomware payment (though many policies now require pre-authorization)
- Incident response and forensics costs
- Data recovery and restoration costs
- Business interruption (revenue lost during downtime)
- Third-party liability (if customer data was exposed)
- Crisis communications and PR
- Regulatory defense and fines
What insurers typically require as prerequisites for coverage:
- MFA on email and remote access (often specifically listed as required)
- Functioning, tested backup with offsite copy
- Endpoint protection on all devices
- Documented security awareness training
- Documented incident response plan
Misrepresenting your security posture at application time creates coverage denial risk — insurers are investigating claims more aggressively and denying claims where security controls were represented as in place but weren't.
Cost range for SMB cyber insurance:
- $1M/$2M policy (most common SMB tier): $1,000-$10,000/year depending on industry, revenue, and security posture
- Healthcare and financial services: higher premiums due to regulatory exposure
- Retail and professional services: mid-range
- Pure software/services with no PHI or financial data: lower end
The application process itself is useful: the questionnaire forces you to evaluate and document your current security posture, which identifies gaps.
The Budget Tiers: What You Can Do At Every Level
Tier 0: $0/month (Free Controls)
These cost nothing but implementation time. Do them all.
| Control | Implementation |
|---------|----------------|
| MFA on Google Workspace or Microsoft 365 | Admin Console or Azure AD, 1 hour |
| SPF, DKIM, DMARC | DNS records + provider setup, 2-4 hours |
| Windows Defender with cloud protection | Already installed, enable features |
| FileVault / BitLocker | System settings, 30 minutes per device |
| Automatic OS updates enforced | Group Policy or Settings |
| Offboarding checklist | Document and train HR, 2 hours |
| Incident response plan (2-page) | Write it, 2 hours |
| Backups with Windows built-in + external drive | Configure, 1 hour |
| USPS Informed Delivery + mail security | Register at informeddelivery.usps.com |
| CISA training materials | Download and run quarterly meeting |
Time investment: approximately 20 hours of setup, 2 hours monthly maintenance
Tier 1: ~$100-500/month (Strong SMB Posture)
| Control | Cost | Coverage |
|---------|------|----------|
| Backblaze Computer Backup | $9/computer/month | Endpoint backup, unlimited storage |
| Bitwarden Teams | $3/user/month | Password manager for all employees |
| Google Phishing Quiz or KnowBe4 (entry) | $0 / $18/user/year | Phishing simulation and training |
| YubiKeys for executives and finance | $50/person (one-time) | Phishing-resistant MFA for high-value accounts |
| DMARC reporting service (Postmark, EasyDMARC free tier) | $0-14/month | Aggregate report parsing |
Total: ~$50-150/month for a 5-10 person business
This tier addresses the primary attack vectors with purpose-built tools. Businesses at this tier that also implement the free controls above have a meaningfully above-average security posture for their size.
Tier 2: ~$500-2,000/month (Professional-Grade SMB)
| Control | Cost | Coverage |
|---------|------|----------|
| Microsoft 365 Business Premium | $22/user/month | Includes Intune MDM, Defender for Office 365 Plan 1, Azure AD P1 |
| Huntress | $7/endpoint/month | Managed EDR + SOC monitoring |
| Veeam + cloud backup (offsite) | $50-150/month | Server and VM backup with tested restore |
| KnowBe4 | $18-25/user/year | Full phishing simulation platform |
| Cyber insurance | $100-500/month | Risk transfer |
Total: ~$500-1,500/month for a 10-20 person business
This tier provides enterprise-grade protections in SMB-appropriate packaging. An organization at this tier has functioning backups, centralized device management, managed security monitoring, enforced MFA with conditional access, and meaningful phishing defenses.
Tier 3: ~$2,000-5,000+/month (High-Risk or Regulated Industries)
For businesses in healthcare, financial services, legal, and other regulated industries with contractual or regulatory security requirements:
| Control | Cost | Coverage |
|---------|------|----------|
| Microsoft 365 E5 or equivalent | $57/user/month | Full Defender suite, Purview compliance |
| CrowdStrike Falcon Pro or SentinelOne | $15-25/endpoint/month | Enterprise EDR |
| Datto ALTO or similar BDR appliance | $300-600/month | Appliance-based backup with instant recovery |
| Proofpoint Essentials or equivalent | $7-12/user/month | Advanced email security |
| Penetration test (annual) | $5,000-20,000 (annual) | Find your own vulnerabilities before attackers do |
| vCISO engagement | $2,000-5,000/month | Fractional security leadership |
Where to Start: The 30-Day Plan
If you're reading this with zero security controls currently in place, here's the prioritized implementation sequence:
Week 1 (Today):
- Enable MFA on your email provider for all accounts
- Set up Bitwarden or 1Password for all employees
- Configure automatic OS updates on all workstations
- Install Backblaze on all computers and verify first backup completes
Week 2:
- Configure SPF, DKIM, and DMARC (monitoring mode) for your domain
- Enable disk encryption (BitLocker/FileVault) on all laptops
- Enable Windows Defender with cloud protection on all Windows machines
- Test one backup restore
Week 3:
- Audit all user accounts — remove former employees, review admin rights
- Write your 2-page incident response plan and distribute it
- Enable email provider security settings (anti-phishing, anti-spoofing)
- Run your team through Google's Phishing Quiz
Week 4:
- Advance DMARC from p=none to p=quarantine after reviewing reports
- Configure network segmentation (guest Wi-Fi at minimum)
- Begin cyber insurance application (the questionnaire identifies gaps)
- Schedule monthly backup test on recurring calendar
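The Week 4 step "advance DMARC after reviewing reports" depends on reading the aggregate (RUA) reports that monitoring mode collects. The script below is an added example, not part of the original checklist: it parses a constructed sample report (element names follow RFC 7489 Appendix C, IPs are RFC 5737 documentation addresses), totals aligned versus failing mail per sending IP, and lists which of your own known senders still fail too often to safely move from p=none to p=quarantine. The known-sender IPs and the 98% threshold are assumptions you would replace with your own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample RUA report (element names per RFC 7489 Appendix C); IPs are RFC 5737 documentation addresses.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated>
    <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count><policy_evaluated>
    <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count><policy_evaluated>
    <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.200</source_ip><count>40</count><policy_evaluated>
    <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Return (published p= value, {source_ip: {"aligned": n, "failed": n}}) for one report."""
    root = ET.fromstring(xml_text)
    by_ip = defaultdict(lambda: {"aligned": 0, "failed": 0})
    for row in root.iter("row"):
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # policy_evaluated already reflects alignment: DMARC passes if aligned DKIM or aligned SPF passed
        passed = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        by_ip[ip]["aligned" if passed else "failed"] += count
    return root.findtext("policy_published/p"), dict(by_ip)

def blockers(summary, known_senders, min_pass_rate=0.98):
    """Known legitimate senders whose aligned share is below min_pass_rate.
    An empty list means moving p=none -> p=quarantine will not block your own mail;
    failures from unknown sources are expected (that is the spoofing DMARC exists to stop)."""
    out = []
    for ip in sorted(known_senders):
        s = summary.get(ip, {"aligned": 0, "failed": 0})
        total = s["aligned"] + s["failed"]
        rate = s["aligned"] / total if total else 0.0
        if rate < min_pass_rate:
            out.append((ip, round(rate, 3), total))
    return out

if __name__ == "__main__":
    policy, summary = summarize(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, s in summary.items():
        print(f"{ip:16} aligned={s['aligned']:4} failed={s['failed']:4}")
    # Constructed assumption: the mail server and marketing platform are ours; 203.0.113.200 is not
    print("fix before tightening:", blockers(summary, {"192.0.2.10", "198.51.100.7"}))
```

In the sample, the marketing platform (198.51.100.7) sends some mail that fails both checks, so it must be fixed (typically by adding it to SPF or enabling its DKIM signing) before quarantine is turned on; the 40 failing messages from the unknown IP are exactly what the policy will start quarantining.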
The cost of this 30-day plan: zero in licensed software (using free tiers and built-in tools), approximately 40 hours of implementation time. The cost of a ransomware attack that this plan would likely prevent: tens or hundreds of thousands of dollars and potentially your business.
That math is not complicated.