Cybersecurity for Small Businesses — 5 Things to Do Today
You don't need a massive budget to protect your business. Five actionable steps that drastically reduce your risk exposure.
There's a common misconception that cybercriminals only target large corporations. The reality is very different: 43% of all cyberattacks target small businesses, according to Verizon's Data Breach Investigations Report. The reason is simple — smaller companies tend to have weaker defenses and are easier to breach.
The good news? Most attacks exploit basic weaknesses that can be addressed without a large budget or deep technical expertise. Here are five things you can do today.
1. Enable Multi-Factor Authentication (MFA) Everywhere
A password alone is no longer enough. Passwords leak in data breaches, get reused across services, and are guessed by automated tools. MFA adds a second step, typically a one-time code from an authenticator app on your phone, so that a stolen password alone is not enough to log in.
Microsoft estimates that MFA blocks over 99% of all account takeover attacks. It is the single most effective measure you can implement.
How to do it: Enable MFA on every service that supports it — start with email (Microsoft 365 or Google Workspace), then banking, accounting software, and cloud services. Use an authenticator app like Microsoft Authenticator or Google Authenticator rather than SMS codes, which are vulnerable to SIM swapping.
2. Use a Password Manager
If your employees reuse the same password across multiple services, or write them on sticky notes, you are exposed: one leaked password can unlock every account that shares it. A password manager generates and stores a unique, strong password for every service, and users only need to remember one master password.
How to do it: Choose a password manager that fits your organization — Bitwarden (free for individual users, affordable for teams), 1Password (popular for businesses), or the one built into Microsoft 365. Roll it out to all employees and make it mandatory. It takes an afternoon to set up, but it protects you from potentially devastating breaches.
3. Keep Systems and Software Updated
Many cyberattacks exploit known security vulnerabilities in software that already has a fix — but where the fix hasn't been installed. Patch management means systematically keeping operating systems, browsers, plugins, and business applications up to date.
The WannaCry attack in 2017, which affected hundreds of thousands of computers worldwide, exploited a vulnerability that Microsoft had patched months earlier. Those who had updated were protected.
How to do it: Enable automatic updates on all devices. For Windows computers, Microsoft Intune or Windows Update for Business can centrally manage and schedule updates. Make sure third-party applications (Adobe, Chrome, Zoom) are kept current as well.
4. Train Your Staff on Phishing
Technology can't stop everything — 91% of all cyberattacks start with a phishing email. These are fake messages designed to look like they come from trusted senders (your bank, a colleague, Microsoft) and trick the recipient into clicking a link or handing over credentials.
With modern AI tools, phishing emails have become frighteningly realistic. The grammar mistakes that used to reveal scams are largely gone.
How to do it: Conduct regular security awareness training — it doesn't have to be complicated. A 30-minute session per quarter showing real phishing examples makes a real difference. Teach employees to always check the sender address, be suspicious of urgent requests, and never click links in unexpected emails without verifying them first.
5. Invest in Proper Endpoint Protection
Windows Defender, which comes bundled with Windows, is better than nothing — but it's not enough for a business. Modern threats require EDR (Endpoint Detection and Response) that doesn't just block known viruses but actively monitors behavior, detects suspicious activity, and can isolate a compromised device before the damage spreads.
How to do it: Switch to a business-grade solution like Microsoft Defender for Business (included in Microsoft 365 Business Premium), SentinelOne, or CrowdStrike. These provide centralized monitoring, automated response, and reporting. Your IT provider should monitor alerts and act proactively — not just install the software.
Start with the Basics
Cybersecurity doesn't have to be overwhelming. These five steps address the most common attack vectors and give you protection that is dramatically better than what most small businesses have today. It's not about perfection — it's about not being the easiest target.
At Strandholm Consulting, we help small businesses implement all of these steps — from MFA rollout and password managers to patch management, security training, and EDR. We always start with a security review to identify where the biggest risks are.
How secure are you really?
Book a free security review. We'll identify your biggest risks and provide concrete recommendations.