Cybersecurity for Small Businesses

Cyberattacks aren't just for big corporations. Learn how to protect your small business without breaking the bank.

May 20, 2025

Background

Cyberattacks are not just a problem for big corporations: small businesses lose thousands to phishing and hacks. These three simple steps can protect you without breaking the bank. In this article, we describe how three security controls can reduce the likelihood of an incident or breach. Because this article is tailored to small businesses, the controls listed do not include data recovery and backup, penetration testing, third-party risk management, or similar controls; these are simply out of scope for a three-man manufacturing shop or a local retailer. The controls in this article are tangible items that a small business can implement over the weekend with some assistance from Google search and a large language model (LLM), such as Grok or ChatGPT.

Why Small Businesses Are Targets

Many small business owners believe they're "too small" to be targeted by cybercriminals. Unfortunately, this mindset is exactly what makes them attractive targets. Hackers know that SMBs often have:

  • Limited security resources
  • Valuable customer data
  • Connections to larger companies
  • Less sophisticated security measures

In this article, we'll focus on three practical security controls that any small business can implement over a weekend with some assistance from Google and AI tools like ChatGPT.

Step 1: Know Your Digital Assets

First and foremost is understanding the number, type, and location of all your digital assets. You can't protect what you don't know you have.

💡 What counts as a digital asset?

Your assets include desktops, laptops, smartphones, tablets, software licenses, cloud storage accounts, and customer databases.

How to Create an Asset Inventory

For small businesses, a simple spreadsheet will do. Track these key items:

  • Device name: What you call it (e.g., "Front desk computer")
  • Device type: Desktop, laptop, tablet, etc.
  • Location: Physical location or "cloud"
  • Owner: Who's responsible for it
  • Purpose: What it's used for

This inventory becomes the foundation for all other security measures. You now have visibility into what needs protection.

Step 2: Enable Multi-Factor Authentication (MFA)

This is the single most effective security measure you can implement today. MFA adds a second verification step that blocks 99.9% of automated attacks.

Where to Enable MFA

Priority accounts for MFA:

  • Email accounts (especially business email)
  • Banking and financial services
  • Cloud storage (Google Drive, Dropbox, etc.)
  • Social media accounts
  • Any service with customer data

✅ Pro Tip

Most services you already use have MFA built in. Look for "Two-Factor Authentication" or "2FA" in your account security settings.

Step 3: Build Security Awareness

Technology can only do so much. Your team is your first line of defense against social engineering attacks, which remain the #1 attack method.

Quick Security Awareness Tips

Hold brief monthly meetings to remind your team to watch for:

  • Unexpected payment requests - Especially from services you don't use
  • Suspicious domains - Like "m1crosoft[.]com" instead of "microsoft.com"
  • Urgency tactics - "Act now or your account will be closed!"
  • Grammar mistakes - Professional companies proofread their emails

⚠️ AI Makes Phishing Harder to Spot

Modern phishing emails use AI to write convincing messages. When in doubt, verify requests by calling the company directly using a number from their official website.
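
The "suspicious domains" tip above can also be checked automatically. The following Python sketch is an added example, not part of the original article: it compares a sender's domain against a short list of domains the business actually deals with and flags near-misses such as "m1crosoft[.]com". The trusted list, the character substitutions, and the sample addresses are assumptions constructed for illustration.

```python
# Added example: flag sender domains that imitate a trusted one.
# TRUSTED and the sample addresses below are constructed for illustration.
TRUSTED = {"microsoft.com", "google.com", "dropbox.com"}

# Fold characters that are commonly swapped for each other onto one form.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Reduce a domain to a form where look-alike spellings collide."""
    return domain.replace("rn", "m").replace("vv", "w").translate(FOLD)


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_domain(sender):
    """Domain of an address: lower-cased, "[.]" restored, last two labels.
    Assumes .com-style names; suffixes such as .co.uk need a public-suffix list."""
    host = sender.rsplit("@", 1)[-1].strip(" <>").lower().replace("[.]", ".")
    return ".".join(host.split(".")[-2:])


def classify(sender):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    domain = base_domain(sender)
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in sorted(TRUSTED):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    samples = ["billing@m1crosoft[.]com", "alerts@login.microsoft.com",
               "support@rnicrosoft.com", "no-reply@gooogle.com", "sales@example.org"]
    for s in samples:
        print(s, "->", classify(s))
```

A "lookalike" result means the message deserves the phone-call verification described above; an "unknown" result only means the domain is not on the list, not that it is safe.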

Start Small, Stay Secure

Cybersecurity doesn't have to be overwhelming. These three steps - asset inventory, MFA, and security awareness - form a solid foundation that dramatically reduces your risk.

Remember: Perfect security doesn't exist, but good security is achievable for any business. Start with these basics, and build from there as your business grows.

Need Help Implementing These Steps?

We offer free 30-minute consultations to help small businesses get started with cybersecurity.
