Minimum Security Posture for a Small Business (The 6 Things That Matter)

Most small businesses don’t need “enterprise security.” They need a handful of habits and settings that prevent the common disasters: stolen passwords, email hijacks, ransomware, and expensive downtime.

If you do nothing else, do these six things.

1. Turn on MFA (two-factor) everywhere that matters

Start with email. Whoever controls your inbox can trigger password resets for almost every other service you use, so it is the one account an attacker wants most.

Do this:

  • Enable MFA on email accounts (Microsoft 365 or Google Workspace)
  • Enable MFA on banking, payroll, and any admin accounts
  • Use an authenticator app or a hardware security key rather than SMS codes where the service allows it; SMS still beats nothing, but it is the easiest factor to intercept or redirect

Caveat: a one-time code typed into a convincing fake login page can be relayed to the real site within seconds, so MFA cuts phishing risk without eliminating it. Security keys and passkeys close that gap because they only work on the genuine site.

Common mistake: One shared login for several people. You lose track of who did what, MFA turns into a chore of forwarding codes around, and an attacker who steals the shared password blends in with normal use for longer.

2. Use a password manager

The goal isn’t “perfect passwords.” The goal is unique passwords everywhere without forcing people to remember them.

Do this:

  • Pick a password manager and require it for work accounts
  • Generate unique passwords for every login
  • Use sharing features for shared accounts (don’t email passwords around)
  • Protect the manager itself with a long passphrase and MFA; it now holds everything
  • Use the browser extension and let it fill logins. It only fills on the site the password was saved for, so “it won’t autofill” on a login page is a phishing tell

Common mistake: Storing passwords in a spreadsheet or in a Notes app. It works until it really doesn’t.

3. Adopt a simple anti-phishing rule

Phishing is one of the top ways small businesses get hit. The fix is mostly behavior.

Do this:

  • Don’t click links in unexpected emails or texts
  • If you need to log in, type the site address yourself
  • Treat “urgent” payment requests as suspicious
  • Verify any change to bank details or payment instructions by phone, using a number you already have on file, never one supplied in the email

Common mistake: “It looked like QuickBooks/Microsoft/UPS.” Logos, sender names and link text are copied in minutes; attackers count on you judging by appearance instead of checking where the link actually goes and which address the message really came from.
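To make “it looked like QuickBooks” concrete, here is an added example (not code from the original post) that pulls every link out of an HTML email and flags any whose visible text is a web address on one host while the real destination, the href, is on another. The message body and all domains are constructed for illustration and use the reserved .example TLD.

```python
"""Flag links in an HTML email whose visible text advertises one web address
while the real destination (the href) is another.

Added example for this post, not code from the original. SAMPLE_EMAIL is a
constructed message; all domains use the reserved .example TLD."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _host_of(text: str) -> str:
    """Host part of a URL or bare hostname, lower-cased, 'www.' dropped.
    Returns '' for anything that does not parse as a host."""
    text = text.strip().rstrip(".,;:!?)")
    if "://" not in text:
        text = "http://" + text            # urlparse needs a scheme to find the host
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class _LinkCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []        # finished (visible_text, href) pairs
        self._href = None      # href of the <a> currently open, else None
        self._text = []        # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html: str) -> list[dict]:
    """One record per link. 'flagged' is True when the link text is itself a
    web address (https://... or a bare host) and its host does not match the
    host the href really points to."""
    collector = _LinkCollector()
    collector.feed(html)
    report = []
    for shown, href in collector.links:
        actual = _host_of(href)
        looks_like_address = "." in shown and " " not in shown
        shown_host = _host_of(shown) if looks_like_address else ""
        report.append({
            "shown": shown,
            "actual_host": actual,
            "flagged": bool(shown_host) and shown_host != actual,
        })
    return report


# Constructed sample: the first link is the lure, the other two are honest.
SAMPLE_EMAIL = """
<p>Your invoice is overdue. Review it now:</p>
<a href="https://quickbooks-secure-login.example/inv/1042">https://www.quickbooks.example/inv/1042</a>
<p>Questions? <a href="https://support.quickbooks.example/">Contact support</a>
or visit <a href="https://www.quickbooks.example/">quickbooks.example</a>.</p>
"""

if __name__ == "__main__":
    for entry in suspicious_links(SAMPLE_EMAIL):
        print(entry)
```

Hovering a link in a mail client shows the same href this script reads; the code just makes the habit explicit. A link whose text is “Click here” cannot be judged this way at all, which is exactly why the rule above is to type the address yourself instead of clicking.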

4. Keep systems updated automatically

Updates are one of the highest-ROI security tools you have.

Do this:

  • Turn on automatic updates for Windows/macOS
  • Keep browsers updated (Chrome/Edge/Safari/Firefox)
  • Restart machines regularly; many patches are not in effect until the reboot happens
  • Update the firmware on routers and Wi-Fi equipment, and turn on auto-update if the device offers it
  • Replace end-of-life systems (they stop receiving security fixes)

Common mistake: Delaying updates forever because “something might break.” That trades small risk for large risk.

5. Have backups—and prove you can restore

Backups aren’t real until you test a restore.

Do this:

  • Back up every file you could not afford to lose, and keep the copy somewhere other than the device it lives on
  • Keep at least one copy that ransomware on a workstation cannot reach: offline media, or cloud storage with versioning or a retention/immutability setting, under credentials that are not the ones used for daily work
  • Once a quarter, restore a handful of files to a different machine or folder, open them, and note the date you did it

Common mistake: Assuming “it’s in the cloud” means “it’s backed up.” Sync tools (OneDrive, Google Drive, Dropbox) faithfully copy deletions and ransomware-encrypted files to the cloud as well; without version history or a separate backup of the cloud data, the good copy is gone too.
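The restore test above is the part people skip, so here is an added example (not code from the original post) of the whole cycle in one script: back a folder up to a .tar.gz, restore it into a fresh scratch directory, and compare a SHA-256 digest of every restored file with the original. The sample folder and its files are constructed so it runs offline; the “stale” run changes the source after the backup, the way real data does, to show that the report names the files a restore would not bring back.

```python
"""Back up a folder to a .tar.gz, restore it into a scratch directory, and
prove the restored files match the originals byte for byte via SHA-256.

Added example for this post, not code from the original. demo() builds a
small constructed folder so the whole thing runs offline; point make_backup()
and verify_restore() at a real folder to use it as a quarterly restore test."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> Path:
    """Write every file and folder under source into a compressed tar archive,
    storing paths relative to source so it restores cleanly anywhere."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            tar.add(path, arcname=path.relative_to(source).as_posix(), recursive=False)
    return archive


def verify_restore(archive: Path, expected: dict[str, str]) -> dict:
    """Restore archive into a fresh temporary directory and compare every file
    against the expected digests. Returns a report rather than a bare True/False
    so a missing or changed file is named."""
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter rejects absolute paths, '..' escapes and
                # dangerous links (Python 3.12+, backported to older 3.x).
                tar.extractall(restore_dir, filter="data")
            except TypeError:              # interpreter without filter=
                tar.extractall(restore_dir)
        restored = hash_tree(restore_dir)
    missing = sorted(name for name in expected if name not in restored)
    changed = sorted(name for name in expected
                     if name in restored and restored[name] != expected[name])
    return {
        "ok": not missing and not changed,
        "files_checked": len(expected),
        "missing": missing,
        "changed": changed,
    }


def demo(stale: bool = False) -> dict:
    """Constructed end-to-end run. With stale=True the source changes after the
    backup ran, and the report shows which files the backup would not bring back."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "documents"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2024-03.txt").write_text("Invoice 1042: 1,200.00\n")
        (source / "clients.csv").write_text("name,email\nAcme,ap@acme.example\n")

        archive = make_backup(source, work / "documents.tar.gz")

        if stale:
            (source / "clients.csv").write_text("name,email\nAcme,billing@acme.example\n")
            (source / "notes.txt").write_text("Q2 price list pending\n")

        # Compare against what is on disk now: that is what you would want back.
        return verify_restore(archive, hash_tree(source))


if __name__ == "__main__":
    print("good backup: ", demo())
    print("stale backup:", demo(stale=True))
```

Run the verification on a machine other than the one the backup came from, so the test also proves the archive is readable somewhere else. A truncated or corrupted archive makes tarfile raise an error instead of returning a report, which counts as a failed test too. Note what this does not check: that the copy is out of reach of ransomware. That is confirmed separately, by trying (and failing) to delete or overwrite it with an everyday user account.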

6. Separate admin accounts from daily accounts

Admin accounts should be rare and boring.

Do this:

  • Use a normal account for everyday work
  • Use a separate admin account only when needed
  • Limit who has admin rights
  • Treat Microsoft 365 / Google Workspace admin roles the same way: a dedicated admin login, not the owner’s everyday mailbox

Common mistake: Everyone is an admin “because it’s easier.” That’s how one mistake becomes everyone’s problem.


Quick checklist

  • MFA on email and admin accounts
  • Password manager in use
  • Simple anti-phishing rule followed
  • Automatic updates enabled
  • Backups + restore test done
  • Separate admin accounts

Each of these topics has its own deep-dive post in this series if you want the details. But even without reading another word, this checklist covers a huge chunk of the real-world problems small businesses actually face.

If you’d like a second set of eyes, I can run through this with you and point out the top risks in your setup—no pressure.
