
5 Cybersecurity Habits Every Small Business Should Have

Most small business breaches don't come from sophisticated attacks — they come from missing fundamentals. Here are five habits that prevent the majority of incidents.

NDLS Team

Most of the security incidents we help clients respond to aren’t sophisticated attacks. They’re missed fundamentals — the kind of thing that’s easy to fix when you know to look for it. Here are five habits that prevent the majority of small business breaches.

1. Multi-factor authentication on everything

If you do nothing else from this list, do this. MFA is the single biggest security improvement most businesses can make, and it’s free on Microsoft 365, Google Workspace, and almost every business platform. Yes, it’s mildly annoying. It’s also the difference between a stolen password being a non-event and a stolen password meaning a breach.

Start with email — that’s where attackers go first, because email access lets them reset everything else.

2. A real backup that’s been tested

A backup you’ve never restored from is not a backup; it’s a hope. We recommend the 3-2-1 rule: three copies of your data, on two different types of media, with one copy offsite. And at least once a quarter, actually try to restore something. If the restore fails, you want to find out now, not during a ransomware incident.

3. Software updates that aren’t optional

Most of the vulnerabilities attackers exploit are months or years old — patched long ago, but not on the affected machine. Set up automatic updates for operating systems, browsers, and any software that handles email or files. Make it the default. Resist the urge to “wait until things calm down.”

4. Limit who has admin rights

The fewer accounts that can install software or change system settings, the smaller your attack surface. Day-to-day work shouldn’t happen on an admin account. This is one of the simpler, higher-impact changes a business can make, and it costs nothing.

5. A plan for when (not if) it happens

Decide in advance who you call when something goes wrong. Write down the phone numbers, the order of operations, and what gets shut off first. Tape it to the wall if you have to. The middle of an incident is the worst time to figure out who’s in charge.


None of these are exotic. They’re the basics — but the basics are what stop most attacks. If you’d like help putting any of them in place, get in touch. We do this every day.