Cybersecurity for Small Business: A Plain-English Checklist
You don't need an IT department or a scary budget to protect your business. Most small-business breaches come down to a handful of basics that were never set up. Get these right and you've shut the door on the great majority of attacks. Here's the checklist I walk local business owners through, plain and practical.
If you do nothing else, do these three
1. Turn on two-factor authentication on your email and bank.
2. Use a password manager so every account has a unique password.
3. Set up automatic cloud backups so a ransomware attack or dead laptop can't wipe you out.
These three stop most of what hits small businesses.
1. Lock down email first
Your email is the master key. Anyone who gets into it can reset passwords on your other accounts. So protect it hardest:
- Turn on two-factor authentication (2FA). See how 2FA works.
- Use a long, unique password you don't use anywhere else.
- Be suspicious of any email asking you to "verify" your login. That's how accounts get stolen.
2. Use a password manager
Reused passwords are the number-one way businesses get popped. When one site is breached, attackers try that same password everywhere. A password manager creates and remembers a unique, strong password for every account so you don't have to.
- Good options: Bitwarden, 1Password, or NordPass. Most have business plans.
- Everyone on the team gets their own, and you can share specific logins securely instead of texting passwords around.
- Our guide on setting up a password manager walks through it.
3. Turn on two-factor authentication everywhere
Not just email. Add 2FA to your bank, payment processor, accounting software, social media, and domain registrar. An authenticator app (or a hardware key for the important stuff) is stronger than text-message codes, though any 2FA beats none.
4. Back up your data automatically
Ransomware locks your files and demands payment. A dead hard drive does the same for free. Good backups make both a shrug instead of a disaster.
- Follow the 3-2-1 rule: 3 copies, on 2 types of media, with 1 offsite (cloud counts).
- Use automatic cloud backup so it happens without anyone remembering.
- Test a restore occasionally; a backup you can't restore isn't a backup. See how to back up your computer and restore from a backup.
5. Keep everything updated
Most attacks exploit known holes that already have a fix. Turn on automatic updates for Windows or macOS, your browser, and your apps. Don't run software that's no longer supported. Replace gear too old to get security updates.
6. Train yourself and your team on phishing
The weakest point in any business is a person clicking a bad link. Teach the team to:
- Slow down on any email creating urgency ("invoice overdue," "your account will be closed").
- Hover over links to see the real address before clicking.
- Verify any payment-change or wire request by phone, using a known number, not the one in the email. Invoice and "change our bank details" scams hit small businesses hard.
- See how to spot phishing emails.
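As an added illustration of the "hover over links" habit (this is not part of the original checklist): a short Python script that reads an email's HTML and flags any link whose visible text names one domain while the real destination is another. The sample message below is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email (not a real message). The first link's text names
# the bank's site, but its real destination is a look-alike domain.
SAMPLE_EMAIL_HTML = """
<p>Your account will be closed. <a href="https://secure-login.example-bank.co">
Sign in at example-bank.com</a> to verify.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">example-bank.com/help</a>.</p>
"""

def registered_domain(host):
    """Crude 'last two labels' domain: www.example-bank.com -> example-bank.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are inside, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None

def find_suspicious_links(html):
    """Return (visible_text, real_host) for links whose shown domain differs
    from the domain the link actually points to."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        # Any word containing a dot in the link text is treated as a shown domain.
        for tok in (t.strip(".,;:()") for t in text.split() if "." in t):
            shown_host = urlparse(tok if "://" in tok else "http://" + tok).hostname or ""
            if shown_host and registered_domain(shown_host) != registered_domain(real_host):
                flagged.append((text, real_host))
                break
    return flagged
```

Run `find_suspicious_links(SAMPLE_EMAIL_HTML)` and the look-alike link is reported while the genuine help link is not; the same check is what your eyes do when you hover before clicking.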
7. Secure your Wi-Fi and devices
- Change the default router password and use WPA3 or WPA2 encryption.
- Put customers and guests on a separate guest network, away from your business devices.
- Require a screen lock and passcode on every phone, tablet, and laptop.
- Turn on device encryption (FileVault on Mac, BitLocker on Windows Pro) so a stolen laptop doesn't hand over your files.
8. Limit access and plan for staff changes
- Give each person only the access they need, not the keys to everything.
- Use separate logins per person, never one shared account.
- When someone leaves, disable their accounts the same day.
9. Run reputable security software
Windows Defender (built into Windows) is solid for most small businesses. If you want more, see our antivirus recommendations. Avoid the scary pop-ups claiming you're "infected"; those are usually the scam, not the cure.
10. Know what you'd do after an incident
Have a simple plan: who to call, where the backups are, how to reset passwords, and how to reach your bank. Even a one-page document beats panic. If the worst happens, our guides on what to do if you've been scammed and on password breach response will help.
Want a security check for your business?
Isaac can walk your business through this checklist, set up 2FA, a password manager, and automatic backups, and train your team to spot phishing. Local, plain-spoken, no scare tactics.