Small businesses are not targeted despite being small — they are targeted because they are small. The attackers running automated phishing campaigns and ransomware deployments are not making strategic decisions about your revenue. They are running scripts that find unprotected systems, send deceptive emails to addresses they bought for pennies, and wait for someone to click.
The Verizon Data Breach Investigations Report consistently shows that over 60% of breaches targeting SMBs use credentials obtained through phishing or credential stuffing — attacks that multi-factor authentication alone would have blocked. The five controls below are not complex enterprise security programs. They are the baseline that every small business with computers connected to the internet should have implemented already.
1. Multi-Factor Authentication (MFA)
This is the single highest-impact security control available to small businesses. MFA requires users to verify their identity with a second factor — typically a code from an authenticator app or a push notification — in addition to their password. Even if an attacker obtains a user's password through phishing or a data breach, they cannot log in without the second factor.
Where to enable it first: Email (especially Microsoft 365 or Google Workspace), your business banking and financial accounts, any cloud applications containing customer data, your domain registrar, and your firewall management interface. These are the accounts where a breach causes the most damage.
A free authenticator app for iOS/Android works with Microsoft 365 and most MFA-compatible services. The push-notification approval flow is fast, and employees adopt it without friction.
Paid MFA platform that adds granular policies: require MFA only from outside the office network, block logins from certain countries, require device health checks. Starts at ~$3/user/month.
One critical note: SMS-based MFA (a text message with a code) is better than nothing, but it is vulnerable to SIM-swapping attacks. Authenticator apps or hardware keys (such as YubiKey) are significantly more secure. For financial accounts especially, avoid SMS if a better option is offered.
2. Email Security
Email is the primary attack vector for small businesses. The BEC (Business Email Compromise) attacks that have cost US businesses billions annually start with a phishing email. Ransomware is most commonly delivered via email attachment. Credential harvesting pages are linked from emails that look exactly like Microsoft, FedEx, or your bank.
Basic email filtering that comes with your email provider catches the obvious spam. It does not catch targeted phishing, malicious attachments that pass basic signature detection, or zero-day links. You need an additional layer.
Included in Microsoft 365 Business Premium ($22/user/month). Safe Links rewrites and scans all URLs at click time. Safe Attachments detonates suspicious files in a sandbox before delivering them. Worth the Business Premium upgrade over Business Basic for this alone.
Third-party email security that layers on top of Microsoft 365 or Google Workspace. Stronger targeted phishing detection than native filters. Around $4/user/month. Good choice if you are on the lower M365 tiers and cannot upgrade.
Enable DMARC, DKIM, and SPF records on your domain. These email authentication standards tell receiving mail servers how to handle email that claims to be from your domain. They cost nothing to configure and prevent attackers from spoofing your email domain to attack your customers and partners. Your IT provider can configure these in under an hour.
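As an added illustration (not code from the original article), the following Python audits the three records the paragraph names. The records are constructed samples for a hypothetical domain, example-smb.test, with the weak defaults beside the hardened configuration; a real audit would fetch them with DNS TXT lookups.

```python
# Constructed sample records for a hypothetical domain (not real DNS data): WEAK is the untouched state, HARDENED the target.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-smb.test",
    "dkim": "v=DKIM1; k=rsa; p=",
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-smb.test; adkim=s; aspf=s",
    "dkim": "v=DKIM1; k=rsa; p=CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_KEY",
}

def _tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC and DKIM syntax) into a dict."""
    return {k.strip().lower(): v.strip()
            for k, v in (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}

def audit_spf(record):
    """The final 'all' term decides what happens to mail from unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: missing or malformed; receivers cannot tell spoofs from real mail"]
    final = next((t for t in reversed(terms) if t.lstrip("+-~?").lower() == "all"), "")
    weak = {"": "no 'all' term, so unlisted senders are neutral; add -all",
            "all": "'+all' passes every sender; use -all",
            "+all": "'+all' passes every sender; use -all",
            "?all": "'?all' is neutral; use -all",
            "~all": "'~all' only soft-fails; acceptable under DMARC p=reject, else use -all"}
    return [f"SPF: {weak[final]}"] if final in weak else []

def audit_dmarc(record):
    tags, out = _tags(record), []
    if tags.get("v") != "DMARC1":
        return ["DMARC: no record; receivers apply no policy to spoofed mail"]
    policy = tags.get("p", "").lower()
    if policy != "reject":
        out.append(f"DMARC: p={policy or 'missing'}; only p=reject blocks spoofed mail")
    if int(tags.get("pct", "100")) < 100:
        out.append(f"DMARC: pct={tags['pct']} leaves part of spoofed mail unenforced")
    if "rua" not in tags:
        out.append("DMARC: no rua address, so you never see who is spoofing your domain")
    return out

def audit_dkim(record):
    # An empty p= tag means the selector publishes no key: nothing signed can be verified.
    return [] if _tags(record).get("p") else ["DKIM: public key missing or empty"]

def audit_domain(records):
    # Everything found across the three records; an empty list means hardened.
    return audit_spf(records["spf"]) + audit_dmarc(records["dmarc"]) + audit_dkim(records["dkim"])
```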
3. Endpoint Protection
Every Windows workstation and laptop in your business is an endpoint. Built-in Windows Defender has improved substantially over the past five years — it is no longer the joke it was in 2010. For many small businesses, properly configured Windows Defender with centralized management is a reasonable baseline. The key word is "configured" — default settings leave significant protection gaps.
For businesses handling sensitive data, in regulated industries, or with 10+ employees, a commercial EDR (Endpoint Detection and Response) product adds behavioral analysis, threat hunting, and response capabilities that traditional antivirus lacks.
If you are already on Microsoft 365 Business Premium, Intune is included and lets you manage Defender policies centrally across all devices. Enforce encryption (BitLocker), require screen lock, push security configurations, and get alerts on threats — all from one console.
Best-in-class EDR with behavioral AI detection and autonomous response. Can quarantine a compromised endpoint before ransomware spreads across the network. ~$5–8/endpoint/month. Recommended for businesses with any significant data exposure or compliance requirements.
4. Firewall Configuration
A firewall that is running on factory defaults is doing almost nothing useful. The default rules on most consumer and small business routers allow all outbound traffic and block all inbound traffic — which sounds fine until you realize that modern malware does not need inbound connections. It phones home outbound, downloads a payload, and establishes a command-and-control channel. The firewall just waves it through.
Proper firewall configuration means explicit outbound rules for what is allowed, geo-blocking for countries you have no business relationship with, DNS filtering to block malicious domains, and application-level inspection. This is not a 30-minute job — it requires understanding your business's legitimate traffic patterns and building rules around them.
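As an added example (not from the article), the following Python builds the outbound baseline the paragraph describes from a constructed connection log and shows which flows a factory-default allow-all-outbound policy would have passed but an explicit policy drops. The log layout, addresses and rule syntax are illustrative, not any product's.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed outbound-connection log ("time src dst proto dport"; not any vendor's real format).
# Internal hosts are 10.0.0.0/24, the firewall's filtering resolver is 10.0.0.1, and
# external addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
08:00:01 10.0.0.11 198.51.100.10 tcp 443
08:00:02 10.0.0.12 198.51.100.10 tcp 443
08:00:03 10.0.0.13 198.51.100.22 tcp 443
08:00:04 10.0.0.11 198.51.100.30 tcp 80
08:00:05 10.0.0.12 198.51.100.30 tcp 80
08:00:06 10.0.0.14 10.0.0.1 udp 53
08:00:07 10.0.0.14 203.0.113.77 udp 53
08:00:08 10.0.0.14 203.0.113.5 tcp 4444
08:00:09 10.0.0.13 198.51.100.40 tcp 25
"""
INTERNAL = ip_network("10.0.0.0/24")
RESOLVER = ip_address("10.0.0.1")

def parse(log):
    """Each line becomes (src, dst, proto, dport); the timestamp is dropped."""
    return [(ip_address(s), ip_address(d), p, int(port))
            for _, s, d, p, port in (line.split() for line in log.splitlines())]

def baseline(flows, min_hosts=2):
    """Services used by at least min_hosts internal machines toward the internet.
    This is the 'legitimate traffic pattern' the explicit outbound rules come from."""
    hosts = defaultdict(set)
    for src, dst, proto, dport in flows:
        if src in INTERNAL and dst not in INTERNAL:
            hosts[(proto, dport)].add(src)
    return {svc for svc, seen in hosts.items() if len(seen) >= min_hosts}

def allow_rules(services):
    """Render the baseline as explicit allow rules ending in a default deny
    (illustrative rule syntax, not any product's configuration language)."""
    rules = [f"allow out udp to {RESOLVER} port 53"]  # DNS only via the filtering resolver
    rules += [f"allow out {p} to any port {d}" for p, d in sorted(services) if d != 53]
    return rules + ["deny out any"]  # C2 callbacks and anything unexpected land here

def would_be_blocked(flows, services):
    """Flows a factory-default allow-all-outbound policy passes but the explicit policy drops."""
    blocked = []
    for src, dst, proto, dport in flows:
        if src not in INTERNAL or dst in INTERNAL:
            continue
        if proto == "udp" and dport == 53:
            blocked.append((str(src), str(dst), "DNS bypassing the filtering resolver"))
        elif (proto, dport) not in services:
            blocked.append((str(src), str(dst), f"{proto}/{dport} not in the baseline"))
    return blocked
```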
Open-source firewall platforms that run on commodity hardware. Full-featured: VLANs, VPN, IDS/IPS with Suricata, DNS filtering with pfBlockerNG or AdGuard Home. Free software, requires hardware ($200–$400 for a mini PC). Requires IT expertise to configure correctly.
Commercial next-gen firewalls with cloud management. Meraki MX has excellent visibility and auto-updated threat signatures. FortiGate offers more granular control at a lower licensing cost. Both include IPS, web filtering, and SSL inspection. Recommended for businesses that need managed appliances without deep IT knowledge.
5. Security Awareness Training
The best technical controls in the world get bypassed the moment an employee hands their credentials to a phishing page. Social engineering — manipulating people rather than systems — is the starting point for most successful breaches. The "forgot to update your password" email, the fake invoice from a vendor, the IT support impersonation call — these work because employees have not been trained to recognize them.
Security awareness training does not need to be a two-day seminar. It needs to be regular, short, and include practical exercises like simulated phishing campaigns that test whether employees actually report suspicious emails rather than click them.
KnowBe4 is the industry standard for SMB security awareness training. It includes a library of training modules, automated phishing simulation campaigns, and reporting on which employees click. Starts at around $24/user/year. Simulated phishing alone is worth the cost: you find your highest-risk employees before attackers do.
Similar to KnowBe4, with strong integration with Proofpoint's email security product. Good choice if you are already using Proofpoint for email filtering. Integrated reporting shows the correlation between training completion and phishing click rates.
If you implement nothing else from this article, do three things today: enable MFA on your Microsoft 365 or Google Workspace accounts, enable MFA on your business banking, and make sure every employee's work computer has updated antivirus with real-time scanning enabled. Those three steps alone block the majority of successful attacks against small businesses. Everything else is layers on top of that foundation.
The Cumulative Effect
These five controls are not independent islands. They work together. MFA stops credential theft attacks from succeeding even when email filtering misses a phishing message. Endpoint protection catches the malware that slips past the email filter. Firewall rules limit the damage radius when malware does execute. Employee training reduces the number of incidents that reach the technical controls in the first place.
Security is not about being impenetrable — it is about being harder to attack than the next target. Automated attack tools scan millions of systems looking for easy wins. Businesses with MFA enabled, patched endpoints, a configured firewall, and trained employees get skipped in favor of the easier targets. That is the goal.