Small Business. Updated 2026-04-17. 26 min read.

Small Business Cybersecurity: The Complete Guide for Under-100 Employee Companies

Every cybersecurity article is written for the CISO of a Fortune 500 company. Meanwhile most US businesses have under 50 employees, one IT person (sometimes the owner's nephew), and no realistic budget for enterprise tooling. This is the complete guide for small businesses. The 10 controls that actually work. Starter program at $2K/year. Growth program at $15K/year. Industry-specific adds. What not to waste money on.

Tre Trebucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.

Small businesses keep getting hit because nobody writes for them

Every cybersecurity article I read is written for the CISO of a Fortune 500 company. Or a Series B startup with a 10-person security team. Or a compliance-obsessed healthcare system with a CMIO and a dedicated security officer.

Meanwhile most US businesses are under 50 employees. They have one IT person (sometimes the owner's nephew), no security staff, and a budget that won't touch Vanta's annual price. They're the single biggest ransomware target in the country. They're the businesses that lose everything, close down, and never come back after a breach.

This is the complete small business cybersecurity guide. Not written for enterprises with infinite budgets. Written for the 5-person law firm, the 30-person machine shop, the 12-person accounting practice, the 25-person dental group. The businesses that can't afford failure and also can't afford a full-time CISO.

You can build a real security program for $2,000 to $15,000 a year. Not perfect. Better than 80% of your peers. Enough to make you not the low-hanging fruit the attackers are looking for.

Who this is for

  • Business owners with 5-100 employees.
  • Office managers at small professional services firms.
  • "The IT person" at small companies who isn't a security specialist but is getting asked to do security.
  • Small manufacturers facing supply chain cybersecurity pressure.
  • Healthcare practices, law firms, accounting firms, consultants.
  • Small retailers.

If you're a 500-person company, this guide is too basic. Go read our compliance-specific posts.

The threat model for small businesses

What actually happens when a small business gets attacked:

Scenario 1. Ransomware

Attacker gets in via phishing or exposed RDP. Encrypts file shares, workstations, servers. Demands $50K-$500K. Your backups are either also encrypted (flat network, same AD credentials) or don't exist in usable form. You pay or close.

Percentage of small businesses that close within 6 months of a ransomware incident: about 60%.

Scenario 2. Business email compromise

Attacker phishes an employee credential. Logs into email. Watches email for a few weeks. Identifies a pending wire transfer or invoice. Sends a fake invoice or intercepts a real one, replacing the bank account number with theirs. You pay the wrong account. Money is gone.

Average BEC loss: $50K to $500K per incident.

Scenario 3. Supply chain credential theft

Attacker compromises one of your employees via infostealer malware (Lumma, Raccoon, Rhadamanthys) delivered through a cracked software download or malicious ad. Steals saved browser passwords. Sells the credentials on Russian criminal forums. Buyers use the credentials to breach your customers, your suppliers, your bank accounts.

Scenario 4. Data theft + extortion

Attacker gets in, spends a few days moving around, exfiltrates your client records / financial data / IP. Demands ransom not to publish. If you don't pay, they publish and notify your customers directly.

Costs: $50K-$500K ransom plus breach notification costs plus reputation damage.

Scenario 5. Wire fraud via spoofed email

Attacker doesn't even need to compromise your email. They register a domain that looks like yours (yourco.net instead of yourco.com) or a vendor's. Send a convincing invoice. You pay the wrong account.

Cost: usually equal to whatever invoice they faked.
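The lookalike-domain trick above (yourco.net for yourco.com, or a near-copy of a vendor's domain) is cheap to screen for on the receiving end. The following is an added example, not code from the original post: a small detector that compares an inbound invoice sender's domain against your own domain and your vendors' domains. The trusted domains are constructed placeholders, and the heuristics assume simple two-label domains (no .co.uk style suffixes).

```python
"""Flag sender domains that imitate your own or a vendor's (the yourco.net-for-yourco.com trick)."""
import difflib

# Constructed: your own domain plus a vendor you pay invoices to.
TRUSTED = {"yourco.com", "acmesupply.com"}

# Characters commonly swapped for visually similar ones in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label: str) -> str:
    """Collapse common visual substitutions so 'yourc0' and 'yourco' compare equal."""
    return (label.lower().translate(HOMOGLYPHS)
            .replace("rn", "m").replace("vv", "w").replace("-", ""))


def split_domain(domain: str) -> tuple[str, str]:
    """'yourco.net' -> ('yourco', 'net'); assumes a simple two-label domain."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def lookalike_reason(sender_domain: str, trusted=TRUSTED):
    """Return why sender_domain resembles a trusted domain, or None if it is trusted or unrelated."""
    if sender_domain.lower() in trusted:
        return None
    label, tld = split_domain(sender_domain)
    for t in trusted:
        tlabel, ttld = split_domain(t)
        if label == tlabel and tld != ttld:
            return f"same name as {t} with a different TLD (.{tld})"
        if normalize(label) == normalize(tlabel):
            return f"visually confusable with {t} (homoglyphs/hyphens)"
        if tld == ttld and difflib.SequenceMatcher(None, label, tlabel).ratio() >= 0.85:
            return f"near-miss of {t} (one or two characters changed)"
        if tlabel in label:
            return f"contains {tlabel} with extra words ({sender_domain})"
    return None
```

Run it against the From domain of every invoice before anyone pays; a non-None reason is the cue for a phone callback to the vendor on a number you already have on file.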

Scenario 6. Account takeover on SaaS

Attacker phishes or credential-stuffs an employee SaaS account (Microsoft 365, QuickBooks, Google Workspace). Uses the access to steal data, send phishing from your domain, pivot to other systems.

The 10 controls every small business needs

Ordered by cost-benefit. Start at 1, work down the list. Most small businesses can get through item 7 in a month for under $5K total.

1. MFA on every business login

Non-negotiable. Absolutely everything you sign into that touches business data needs MFA.

  • Email (Microsoft 365 or Google Workspace)
  • Accounting software (QuickBooks Online, Xero, FreshBooks)
  • Payroll
  • CRM
  • File storage (Dropbox, OneDrive, Google Drive, SharePoint)
  • Banking
  • Cloud services (AWS, Azure, GCP if applicable)
  • Social media accounts
  • Domain registrar
  • VPN

Use authenticator apps (Microsoft Authenticator, Google Authenticator, Authy, Duo). Avoid SMS MFA where you can - it's better than nothing, worse than app-based.

Cost: $0. Built into every major platform.

Time to implement: A weekend for a small team.

2. Strong unique passwords via a password manager

The #1 cause of small business breaches: password reuse. One compromised password from any breach in the last five years can be used against your business accounts if you reused it.

Deploy a password manager for the whole team.

  • 1Password Teams. $7.99/user/month. Best overall.
  • Bitwarden Teams. $3/user/month. Best free/cheap option.
  • Keeper Business. $4/user/month.

Have every employee import their passwords, identify reused/weak ones, migrate to unique generated passwords.

Cost: $30-$100/month for a small team.

Time to implement: First weekend for deployment. Ongoing rolling rollout for passwords.

3. Email security with anti-phishing

Microsoft 365 Business Premium and Google Workspace Business Standard include email security. Make sure the following are turned on:

  • Attachment sandboxing (Safe Attachments / Gmail scanning)
  • Link rewriting (Safe Links / Gmail URL safety)
  • Impersonation protection
  • Anti-spoofing
  • DMARC, SPF, DKIM on your domain

If you're on a non-M365 and non-Google email system, either migrate or add dedicated email security (Abnormal, Mimecast, Proofpoint).

DMARC. Most small businesses have p=none (monitoring only, no enforcement). Upgrade to p=quarantine or p=reject. Your IT person or an email consultant can do this in an hour.

Cost: Already included in M365 Business Premium ($22/user/month) or Google Workspace Business Standard ($14.40/user/month).

Time: 2-4 hours to verify settings + upgrade DMARC.

4. Endpoint protection on every device

Windows Defender is decent. Not enough for a business where an incident can close you down. Deploy real EDR.

  • Microsoft Defender for Business. $3/user/month. Part of M365 Business Premium. Good starter.
  • Bitdefender GravityZone. $30-60/endpoint/year.
  • SentinelOne Singularity. $4-8/endpoint/month.
  • CrowdStrike Falcon Go. $60/endpoint/year.

Install on every workstation and server. Even the owner's personal laptop if it accesses business data.

Cost: $300-$1500/year for a 10-person business.

5. Backups. With the 3-2-1-1-0 rule.

Covered in depth in our backup strategy post. The short version for small businesses:

  • Primary backup to a cloud service (Backblaze B2, iDrive, Carbonite, or MSP-managed).
  • Secondary backup to a local NAS OR a separate cloud account.
  • One copy immutable (Object Lock on S3-compatible storage, or tape) to survive ransomware.
  • Test restore annually.

Don't rely on "we have Microsoft 365, we're backed up." M365 is not a backup. If your account gets compromised or ransomed at the data layer, M365 won't save you. Use a third-party M365 backup (Veeam for M365, Datto SaaS Protection, Dropsuite).

Cost: $50-$500/month depending on data volume.

6. Patching + updates

Keep every business device current:

  • Operating systems (Windows, macOS, Linux)
  • Applications (browsers, Office, Adobe, QuickBooks, etc.)
  • Firmware on routers, printers, IoT

Automate where possible. Microsoft Intune for Windows/macOS (part of some M365 plans). WSUS for Windows. Configuration management on Mac (Jamf Now for small teams at $4/device/month).

For consumer-grade routers: enable auto-updates or replace quarterly.

Cost: $0-$100/user/month depending on tooling.

7. Security awareness training

Annual minimum. Simulated phishing quarterly.

  • KnowBe4. The market leader. $15-$30/user/year for small businesses.
  • Hoxhunt. $20-$40/user/year.
  • Proofpoint Security Awareness. Similar pricing.
  • Curricula. $5-$10/user/year. Budget option.

Training that covers: phishing, BEC, password hygiene, reporting suspected incidents.

Cost: $150-$1000/year for a 10-person business.

8. Cyber insurance

You can't self-insure against ransomware. Buy the policy.

Small business cyber insurance: $750-$3000/year for $1M-$2M limits. Hiscox, Travelers, Chubb, Cowbell, At-Bay.

Before buying:

  • Answer the application honestly. Don't claim MFA is enabled if it isn't.
  • Read the exclusions. War, nation-state, pre-existing conditions, social engineering vs. direct fraud all matter.
  • Check incident response retainer benefits.

9. Secure remote access

If employees work from home or connect to systems remotely, don't use exposed RDP. Don't use consumer VPNs for business access. Use one of:

  • Cloudflare Zero Trust free tier (up to 50 users).
  • Tailscale Starter ($6/user/month).
  • Microsoft Entra Private Access (part of Entra ID P1).
  • Traditional VPN + MFA (OpenVPN, SonicWall, etc.)

Disable direct RDP over the internet. Every time.

Cost: $0-$300/user/year.

10. Basic monitoring + detection

You don't need a SIEM as a small business. You need:

  • M365 / Google Workspace security alerts reviewed weekly
  • Endpoint protection alerts reviewed weekly
  • Banking notifications for any unusual activity
  • DNS filtering via DNS provider (Cloudflare for Families, Quad9, NextDNS)

If you can afford managed detection from an MSSP like Huntress ($10-$30/endpoint/month), consider it. Huntress specifically targets the SMB market and is good value.

Cost: $0-$300/month.
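The weekly review of M365 or Google Workspace sign-in activity mentioned above does not need a SIEM; it needs a consistent set of questions asked of the export. The following is an added example, not code from the original post: it walks a week of sign-in events and flags the three things worth a phone call, in a simplified event schema that is an assumption here (the real admin-console exports carry more fields, but the same four are present).

```python
"""Weekly sign-in review: unexpected countries, impossible travel, success after a failure burst."""
from datetime import datetime, timedelta

# Constructed sample events; the schema is an assumption, not the M365/Workspace export format.
SAMPLE_EVENTS = [
    {"time": "2026-04-13T08:02:00", "user": "pat@yourco.example", "country": "US", "ok": True},
    {"time": "2026-04-13T08:40:00", "user": "pat@yourco.example", "country": "US", "ok": True},
    {"time": "2026-04-13T09:05:00", "user": "pat@yourco.example", "country": "NG", "ok": True},
    {"time": "2026-04-14T02:10:00", "user": "sam@yourco.example", "country": "US", "ok": False},
    {"time": "2026-04-14T02:11:00", "user": "sam@yourco.example", "country": "US", "ok": False},
    {"time": "2026-04-14T02:12:00", "user": "sam@yourco.example", "country": "US", "ok": False},
    {"time": "2026-04-14T02:13:00", "user": "sam@yourco.example", "country": "US", "ok": True},
    {"time": "2026-04-14T10:00:00", "user": "lee@yourco.example", "country": "CA", "ok": True},
]

EXPECTED_COUNTRIES = {"US"}          # where your staff actually work (assumed for the sample)
TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window is not a real trip
FAILED_BEFORE_SUCCESS = 3            # this many failures then a success looks like a guessed password


def review_signins(events, expected=EXPECTED_COUNTRIES):
    """Return (user, reason) findings for a batch of sign-in events, oldest first."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    last_ok = {}       # user -> (time, country) of the most recent successful sign-in
    fail_streak = {}   # user -> consecutive failures since the last success
    for e in events:
        t = datetime.fromisoformat(e["time"])
        user, country = e["user"], e["country"]
        if not e["ok"]:
            fail_streak[user] = fail_streak.get(user, 0) + 1
            continue
        if country not in expected:
            findings.append((user, f"successful sign-in from unexpected country {country}"))
        prev = last_ok.get(user)
        if prev and prev[1] != country and t - prev[0] <= TRAVEL_WINDOW:
            findings.append((user, f"sign-in from {prev[1]} then {country} within {TRAVEL_WINDOW}"))
        if fail_streak.get(user, 0) >= FAILED_BEFORE_SUCCESS:
            findings.append((user, f"success after {fail_streak[user]} failures (possible credential stuffing)"))
        fail_streak[user] = 0
        last_ok[user] = (t, country)
    return findings
```

On the sample, pat gets two findings (unexpected country, then impossible travel), sam one (success after three failures) and lee one (unexpected country); each is a reason to reset that password and revoke sessions, not merely to note it.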

The starter program. $2,000/year

For a 10-person business with basic office work:

  • M365 Business Premium (includes email security, MFA, Defender for Business). $22/user/month = $2640/year.
  • 1Password Teams. $7.99/user/month = $960/year.
  • Backblaze Business Backup. $8.33/device/month = $1000/year.
  • KnowBe4 Silver. $15/user/year = $150/year.
  • Cyber insurance (small business policy). $1200/year.

Total: ~$5,950/year.

Minus the M365 since you're probably paying for office software anyway: ~$3,300/year additional security spend.

Huge uplift in posture versus starting point.

The growth program. $15,000/year

For a 30-person business in a regulated industry (healthcare, finance, legal):

  • M365 Business Premium. $7,920/year.
  • 1Password Teams. $2,880/year.
  • Veeam for M365 backup. $1,200/year.
  • Backblaze B2 + local NAS backup infrastructure. $2,400/year.
  • KnowBe4 Silver with simulated phishing. $450/year.
  • Huntress MDR. $6,000-$12,000/year.
  • Cyber insurance. $2,500/year.
  • Cloudflare Zero Trust. $1,800/year.
  • Annual pentest (if regulated). $8,000-$15,000/year.

Total: $33K-$46K/year. Budget accordingly.

Industry-specific considerations

Healthcare (small practices, specialty clinics)

Add:

  • HIPAA-compliant email if not using M365/Google (both are HIPAA-compatible with BAA signed)
  • BAA with every vendor that touches PHI
  • Documented risk analysis
  • Documented security policies
  • Annual pentest (as of 2025 NPRM)

Cost add: $15K-$50K/year above base.

Law firms

Add:

  • Client data classification
  • Data retention / destruction policies aligned to bar rules
  • Encrypted client portals instead of email for sensitive documents
  • Specific attention to email security (law firms are high-value BEC targets)
  • Document management system (iManage, NetDocuments) over raw file shares
  • Client confidentiality insurance

Cost add: $10K-$40K/year.

Financial services (small advisors, accountants, bookkeepers)

Add:

  • GLBA compliance (FTC Safeguards Rule, WISP document)
  • Consumer financial data protection
  • MFA on all client-data access
  • Encrypted client portals instead of email
  • State-level insurance requirements if applicable

Cost add: $10K-$30K/year.

Manufacturing / DIB

Add:

  • CMMC 2.0 if subcontracting to DoD (major investment)
  • ITAR / EAR export controls if applicable
  • Network segmentation between office and shop floor
  • Industrial control system (ICS) security if applicable

Cost add: variable - low thousands for ITAR awareness, hundreds of thousands for CMMC.

Real estate / title

Add:

  • Wire fraud-specific controls (callback verification, dual authorization)
  • Encryption of client financial data at rest and in transit
  • BAA / data processing agreements with every vendor touching client data

Cost add: $5K-$15K/year.

The 10 fastest things you can do right now

If you're reading this at 9 PM on a weeknight and want to do something immediately:

  1. Enable MFA on your email account.
  2. Enable MFA on your business banking.
  3. Change your password if you've been reusing it.
  4. Sign up for a password manager.
  5. Check if your business email has proper DMARC (on mxtoolbox.com, enter your domain and look up the DMARC record).
  6. Verify you have current backups. Try to restore a random file to prove it works.
  7. Look at your domain registrar for unauthorized domain transfers pending.
  8. Google your company name + "breach" + your industry. See if any of your vendors had an incident affecting you.
  9. Check your business insurance policy for cyber coverage.
  10. Look at your M365 or Google Workspace admin console for unknown users, unknown apps, unusual login activity.

Every one of those is free and takes under 10 minutes.

What to NOT waste money on

Things small businesses buy that don't help much:

  • "Dark web monitoring" services. Your passwords probably leaked in breaches years ago. Paying to be told this doesn't help. Use HaveIBeenPwned (free) and rotate if you see a hit.
  • Consumer-grade VPN as security. NordVPN, ExpressVPN etc. protect browsing privacy. They don't protect your business from ransomware. Don't substitute them for business security tools.
  • Blockchain-based anything for security. Almost always marketing.
  • AI-powered everything for security. Most "AI-powered" security products are traditional tools with a marketing coat. The AI label adds cost without value.
  • Executive identity protection services. The $1000/year "reputation monitoring" for executives mostly helps executives feel protected. It doesn't prevent breaches.

When to hire a specialist

Some things are worth outsourcing at SMB scale:

Hire an MSP for: day-to-day IT operations, patching, user support, network management, basic security.

Hire an MSSP (or MSP with security specialty) for: 24/7 monitoring, incident response, alert triage.

Hire a pentester for: annual testing, compliance (if required), specific concern investigation.

Hire a specialist consultant for: compliance readiness (SOC 2, HIPAA, PCI), IR planning, board reporting on security, major security project oversight.

Don't hire a full-time CISO at under 150 employees. Use a virtual CISO or fractional CISO service. $1,500-$5,000/month depending on intensity.

Building the program over 12 months

For a business starting from zero:

Month 1-2. MFA rollout. Password manager deployment. Basic backup.

Month 3-4. Email security configuration. DMARC upgrade. Awareness training rollout.

Month 5-6. EDR deployment. Patching baseline. Cyber insurance.

Month 7-8. Incident response plan. Tabletop exercise with key staff.

Month 9-10. Vendor review. Risk assessment. Policy documentation.

Month 11-12. Internal audit. External assessment. Second-year planning.

End of year 1: You're ahead of 80% of your peers. You're not the low-hanging fruit.

The incident you're inevitably going to have

You will have a security incident. Every business does. The goal isn't to never have one. The goal is to have a small one that stays small.

Signs of a real incident:

  • Unusual logins to your accounts from unknown locations
  • Unexpected wire transfer requests
  • Vendor claiming to have changed bank accounts
  • Ransom note appearing on any device
  • Files suddenly can't be opened (encrypted)
  • Customers receiving suspicious emails appearing to come from you
  • Unusual charges on business accounts
  • Sudden account lockouts for multiple employees

When you think you have an incident:

  1. Stop. Don't panic.
  2. Write down what you know.
  3. Don't pay anything yet.
  4. Don't delete anything.
  5. Call your insurance carrier.
  6. Call your IT provider / MSP.
  7. Call your lawyer if customer data was involved.
  8. Call law enforcement if it's wire fraud (file with the FBI at ic3.gov for amounts over $10K).

How we help small businesses

Valtik Studios does work at small-business scale. Our small business engagements include:

  • Security gap assessment ($500-$1,500). A real look at your current posture, not a generic checklist.
  • Platform security audit ($1,500-$3,500). Your M365 / Google Workspace / QuickBooks / whatever is thoroughly reviewed.
  • Full stack audit ($3,500+). For businesses with more complex environments.
  • Penetration testing for regulatory compliance ($5,000+ depending on scope).

We're based in Connecticut and serve the New England small business market plus remote engagements for small businesses elsewhere.

Valtik Studios, valtikstudios.com.
