When most business owners hear “cybersecurity,” they picture server rooms and teams of people in hoodies. That’s enterprise security. You don’t need it. But you’re not off the hook just because you’re not a Fortune 500 company.

According to Accenture’s Cost of Cybercrime study, 43% of cyber attacks target small and mid-sized businesses. If you run a plumbing company that stores customer addresses in QuickBooks, a dental practice with patient records, or a contractor who processes credit cards on a tablet — you have data worth stealing.

The Cost of Getting Hit

A data breach doesn’t just mean embarrassment. According to IBM’s Cost of a Data Breach Report, the average breach costs a small business between $120,000 and $1.24 million. That includes downtime, lost customers, legal fees, and regulatory fines. For a company doing $1 to $5 million in revenue, that’s existential.

The oft-repeated figure that 60% of small businesses that suffer a cyber attack close within six months is hard to trace to a solid source, but the pattern behind it is real: the attack itself is rarely fatal; the cost of recovery, lost trust, and downtime is what a small company cannot absorb.

And here’s the part that matters most for businesses your size: Verizon’s Data Breach Investigations Report found that 82% of breaches involve a human element — phishing emails, stolen passwords, simple mistakes. These aren’t sophisticated attacks exploiting billion-dollar firewalls. They’re someone clicking a bad link or reusing the same password everywhere.

That means the fix isn’t a massive technology purchase. It’s six practical things you can do this month.

1. Get a Password Manager for the Whole Team

Eighty percent of hacking-related breaches involve compromised or weak passwords. That’s not a guess — it’s what Verizon’s data shows year after year. People reuse passwords. They pick ones they can remember, which means ones that are easy to crack.

A password manager like Bitwarden or 1Password generates and stores strong, unique passwords for every account. Each person has to remember only one master password, so make that one a long passphrase and protect the vault login itself with MFA (item 2), since it now unlocks everything. Most plans run $3 to $8 per person per month; for a 15-person company, that's $45 to $120 a month to close the single biggest attack vector in cybersecurity.

Where to start: Pick a password manager, roll it out to your team, and start with the accounts that matter most — email, banking, and any system that stores customer data.

2. Turn On Multi-Factor Authentication Everywhere

Multi-factor authentication is the second code or prompt you get on your phone when you log in. Even if someone steals your password, they can't get into your account without that second factor. It's free on almost every service you already use: email, banking, accounting software, social media. Turning it on takes about two minutes per account. Two caveats worth knowing: an authenticator app, passkey, or hardware key is stronger than a code sent by text message (SMS codes can be intercepted by someone who talks the phone company into moving your number), though any second factor beats none; and never approve a login prompt or hand over a code for a login you didn't just start yourself, because an attacker who already has your password will try to get you to do exactly that. If your team does nothing else on this list, do this one.

Where to start: Turn it on for your email accounts first — email is the master key to everything else. Then move to banking, QuickBooks, and any platform where customer data lives.

3. Turn On Automatic Updates

Software updates aren't just new features. Most of them patch known security holes. When you put off that Windows update, you're leaving a door open that attackers already know about: once a fix is published, the hole it closes is public, and attackers scan the internet for machines that haven't installed it yet.

Where to start: Turn on automatic updates for Windows or macOS on every computer in your office, plus your phones and tablets, and the web browser on each of them. Check your office router too; many small-business and home routers never update themselves. Set updates to install overnight so they don't interrupt the workday. Yes, the occasional restart is annoying. It's less annoying than ransomware.

4. Teach Your Team to Spot Phishing

Phishing — those fake emails pretending to be from your bank, a vendor, or even a coworker — is the most common attack, accounting for 33.8% of all data breaches according to Verizon. And since 82% of breaches involve human factors, your team is both your biggest risk and your best defense.

You don't need a formal training program. Your people need to know three things: don't click links in unexpected emails, don't open attachments they weren't expecting, and when in doubt, call the sender directly to verify, using a phone number you already have rather than one printed in the email. The variant that actually moves money is the "vendor" email announcing new bank details or an urgent unpaid invoice; that request always gets a phone call before anyone pays.

Where to start: Send your team a short email explaining what phishing looks like. Show them a real example (search “phishing email examples” for plenty). Make it clear that asking “is this real?” is always the right move, never an overreaction.
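To make those rules concrete, here is a small added example (written for this edit, not code from the original post, and no substitute for the judgment of the person reading the mail) that performs the same checks a careful reader does by hand: does the display name borrow a brand the sending address doesn't belong to, does Reply-To point somewhere else, does a link's visible text disagree with where it actually goes, and does the subject push for urgency. The two sample messages and the trusted-domain list are constructed for the demo.

```python
"""Added example: mechanical versions of the phishing checks described above.
Constructed sample messages; not the post's code."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the demo: domains this business already knows and trusts.
TRUSTED_DOMAINS = {"firstnational.com"}

# Constructed phishing sample: borrowed brand name, foreign Reply-To, and a link
# whose visible text is not where the href really goes.
SAMPLE_EMAIL = b"""From: "First National Bank" <alerts@firstnational-secure.com>
Reply-To: support@mail-verify.net
To: owner@example-plumbing.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been limited. Please <a href="http://login.fnb-alerts.ru/verify">
https://www.firstnational.com/login</a> to restore access.</p>
</body></html>
"""

# Constructed legitimate sample for comparison.
CLEAN_EMAIL = b"""From: "First National Bank" <alerts@firstnational.com>
To: owner@example-plumbing.com
Subject: Your January statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available in online banking.
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' domain: fine for the demo, not for production."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def domain_of_address(addr):
    return registered_domain(addr.rsplit("@", 1)[-1])


def check_email(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of (code, detail) warnings for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    warnings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of_address(from_addr)

    # 1. Display name borrows a brand you trust, but the address is not that brand.
    name_blob = re.sub(r"[^a-z0-9]", "", from_name.lower())
    if from_domain not in trusted and any(d.split(".")[0] in name_blob for d in trusted):
        warnings.append(("lookalike_sender", f"'{from_name}' sent from {from_addr}"))

    # 2. Replies would go somewhere other than where the mail claims to come from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if domain_of_address(reply_addr) != from_domain:
            warnings.append(("reply_to_mismatch", f"Reply-To {reply_addr} vs From {from_addr}"))

    # 3. Link text shows one site but the href goes to another (what hovering reveals).
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_domain = registered_domain(urlparse(href).hostname)
            if re.match(r"https?://", text):
                text_domain = registered_domain(urlparse(text).hostname)
                if text_domain != href_domain:
                    warnings.append(("link_text_mismatch",
                                     f"text says {text_domain}, link goes to {href_domain}"))

    # 4. Pressure to act right now is the social-engineering tell.
    subject = str(msg.get("Subject", ""))
    if re.search(r"\b(urgent|immediately|within \d+ hours|suspended|limited)\b", subject, re.I):
        warnings.append(("urgency", subject))
    return warnings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, check_email(raw))
```

None of these checks is conclusive on its own (plenty of legitimate mail sets a different Reply-To), which is exactly why the human rule stays "when in doubt, verify by phone"; the script only shows which details that human should be looking at.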

5. Set Up a Real Backup Strategy

Ransomware — where someone locks your files and demands payment — is one of the fastest-growing threats to small businesses. Without backups, you’re choosing between paying a ransom with no guarantee or losing everything.

The standard is the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite. In practice: your working files on your computer, an automatic backup to an external drive, and a cloud backup like Backblaze or Carbonite running in the background. One caveat: an external drive that stays plugged in is not a safe second copy, because ransomware encrypts every drive it can reach, including that one. Either unplug it between backups (or rotate two drives) or make sure your cloud backup keeps version history so you can roll back to the day before the files were encrypted.

Where to start: Sign up for a cloud backup service for your most critical computers (plans start around $7 per month per machine) and confirm it keeps older versions of your files. Set up a local backup to an external drive as your second copy. And test your backups by actually restoring a file: a backup you've never tested is not a backup.
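As an added example of what "test your backups" means in practice (written for this edit; not the post's code and not any backup vendor's tool, just the shape of the check you should run against whatever service you use): copy the files, record a hash of each, then restore every file to a scratch folder and compare. The sample files and the simulated encryption of one backup copy are constructed for the demo.

```python
"""Added example: back up a folder, then prove the backup restores intact.
Constructed sample data; not the post's code."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src, dst):
    """Copy every file under src into dst and write a manifest of hashes.
    The manifest is what turns a later restore into a real test. In practice
    keep a copy of it with the offsite copy too; here it sits beside the backup."""
    src, dst = Path(src), Path(dst)
    manifest = {}
    for file in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = file.relative_to(src)
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[str(rel)] = sha256_of(file)
    (dst / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup_dir):
    """Restore every file to a scratch directory and compare hashes against the
    manifest. Returns the list of files that did not come back intact."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        for rel, expected in manifest.items():
            source = backup_dir / rel
            if not source.exists():
                problems.append(f"{rel}: missing from backup")
                continue
            restored = Path(scratch) / rel
            restored.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source, restored)  # the actual restore step
            if sha256_of(restored) != expected:
                problems.append(f"{rel}: restored copy does not match manifest")
    return problems


def demo():
    """Constructed scenario: back up two files and verify, then simulate
    ransomware overwriting one copy on an always-connected drive and verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "quickbooks"
        (src / "invoices").mkdir(parents=True)
        (src / "customers.csv").write_text("name,address\nAcme Plumbing,1 Main St\n")
        (src / "invoices" / "2024-01.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        dst = Path(work) / "external_drive"
        make_backup(src, dst)
        before = verify_restore(dst)
        # A drive that never gets unplugged is encrypted along with everything else.
        (dst / "customers.csv").write_bytes(b"\x00encrypted by ransomware\x00")
        after = verify_restore(dst)
        return before, after


if __name__ == "__main__":
    ok, damaged = demo()
    print("fresh backup problems:", ok)
    print("after simulated encryption:", damaged)
```

The point of the second run is the one the section makes in prose: if the only copy of a file lives on a drive the attacker could reach, the restore test fails, and you want to learn that from a scheduled test rather than from a ransom note.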

6. Limit Who Has Access to What

Not everyone on your team needs admin access to everything. Your office manager probably doesn’t need access to your accounting system’s admin settings. Your field techs don’t need access to customer financial records. When everyone has access to everything, one compromised account can reach everything.

Where to start: Review who has admin access to your email, accounting, and customer management systems. Remove admin rights from anyone who doesn't specifically need them, yourself included for day-to-day work: keep a separate admin login for the rare admin task, so the account you read email and browse with all day can't change settings for everyone. It's not about trust; it's about limiting the damage if one account gets compromised. Most platforms make this a five-minute change.

What You Don’t Need

I want to be clear about what is not on this list: a Security Operations Center, a SIEM platform, enterprise endpoint detection, or an annual penetration test. Those are real tools for businesses with dedicated IT teams and six-figure security budgets. They’re not where a 15-person service company should spend its time or money.

After years of professional security assessment work, I can tell you that the vast majority of breaches at small businesses come down to weak passwords, no multi-factor authentication, unpatched software, and someone clicking a phishing link. The six measures above address exactly those things.

The Bottom Line

  • 43% of cyber attacks target small businesses, and the ones that get hit often can't absorb the recovery cost. You don't need enterprise security, but you do need the basics.
  • 82% of breaches involve human factors. A password manager, multi-factor authentication, and basic phishing awareness address the vast majority of risk.
  • The 3-2-1 backup rule (three copies, two media types, one offsite) is your insurance policy against ransomware. Test your backups regularly.
  • Total cost for all six measures: roughly $50 to $200 per month for a 15-person team. That’s less than you’d pay for a single hour of incident response if something goes wrong.

Want to figure out where your business stands on these basics? Let’s have a conversation. I help established businesses assess their security posture and close the gaps that actually matter.

Keep reading: If you’re considering AI for your business, What AI Agents Actually Do For Small Businesses covers the privacy and security tradeoffs of running AI on your own hardware vs. the cloud. And if anyone in your organization is using AI agent tools like OpenClaw, read OpenClaw Security: What CTOs Need to Know — 104 advisories in four months and a poisoned marketplace are things every business leader should understand.