// TL;DR

Most small business breaches are basic-controls failures, not sophisticated attacks. Eight categories cover the controls that actually prevent the breaches we see. Work through them in order. None require enterprise budget.

  • 1 · Passwords & MFA: Highest impact, lowest cost
  • 2 · Data backups: Your ransomware insurance
  • 3 · Employee training: The human firewall
  • 4 · Network security: Firewall, Wi-Fi, VPN
  • 5 · Endpoint protection: EDR, MDM, encryption
  • 6 · Patch management: Close known holes
  • 7 · Access control: Least privilege, fast offboarding
  • 8 · Incident response: Plan before the fire

The quick answer

If you only do four things this quarter: turn on MFA everywhere, set up automated offsite backups, train your team to spot phishing, and run a single restore test. That combination prevents the majority of breaches we see in small business engagements.

The harder reality is that "most" isn't "all." The other four categories on this list close the gaps that determined attackers exploit when the obvious doors are shut. Cybersecurity is layered for a reason — no single control stops everything.

This is the same checklist we work through during a BadgerLayer cybersecurity assessment. Eight categories, real controls, no theater.

Why small business gets hit

A persistent myth: "we're too small to be a target." The opposite is true. Small businesses are preferred targets precisely because they typically have weaker defenses than enterprises but still hold valuable data and money.

The hacker doesn't care that you're small. The automated tooling doesn't even know you're small.

Most attacks aren't hand-crafted. They're run by bots that scan the internet for unpatched servers, brute-force exposed remote desktops, and blast phishing emails at every address they can scrape. Whether the resulting victim is a 5-person law firm or a 5,000-person bank doesn't matter to the bot. Whoever's vulnerable gets hit.

Three numbers worth holding in your head:

  • 43% of cyberattacks target small businesses. SMBs are not flying under any radar.
  • $35,000+ average cost of a single SMB ransomware incident. That's before counting downtime, reputational damage, or customer notification costs.
  • 60% of small businesses close within 6 months of a significant data breach. The cost of recovery is often the cost of going out of business.

Threat & defense matrix

Most small business compromises trace back to one of four attack categories. Here's what each one actually does, what it targets, and the controls that stop it.

// Threat Matrix · Phishing × Ransomware × Credential Theft × Unpatched Exploit

Phishing
  What it does: Tricks employees. Email or SMS impersonation.
  Primary target: People. Email inboxes.
  How it gets in: Email link or attachment. User clicks, malware runs.
  Best defense: Training + email filter. Step 3 covers it.

Ransomware
  What it does: Encrypts your data. Demands payment for keys.
  Primary target: File systems. Servers, NAS, workstations.
  How it gets in: Phishing or RDP exposure. Often via a phishing payload.
  Best defense: Backups + EDR. Steps 2 + 5.

Credential theft
  What it does: Steals login credentials. Resold or used directly.
  Primary target: Cloud accounts. Microsoft 365, banking, VPN.
  How it gets in: Reused passwords. Or credential phishing pages.
  Best defense: MFA + password manager. Step 1 covers most of it.

Notice the pattern: every column points back to a checklist step. The 8-step structure isn't arbitrary — it's organized around the threats that actually hit small business.

Step 1: Passwords & multi-factor authentication

MFA is the single highest-impact cybersecurity control available. Microsoft has published research showing that MFA blocks 99.9% of automated account compromise attacks. If you do nothing else this year, do this.

Passwords alone are no longer a security control — they're a bottleneck. Reused passwords get leaked in third-party breaches and replayed against your systems. A password manager makes unique passwords easy. MFA makes leaked passwords useless on their own.

// Passwords & MFA checklist
  • Deploy a password manager (Bitwarden, 1Password) across the organization
  • Every account has a unique password — no shared, no reused
  • MFA enabled on every email account
  • MFA enabled on financial accounts, payroll, banking
  • MFA enabled on remote access tools, VPNs, and cloud services
  • Admin accounts use separate credentials from daily-use accounts
  • Default passwords changed on routers, switches, and network devices
  • Password manager admin recovery key stored securely offline
// Worth knowing

Authenticator apps (Microsoft Authenticator, Google Authenticator, Duo) are significantly more secure than SMS codes. Hardware keys (YubiKey) are stronger still. Use SMS only when nothing better is available.

Step 2: Data backups

Backups are the difference between a ransomware infection that ruins a weekend and one that closes the business. The bar is the 3-2-1 rule: three copies of your data, on two different media types, with one offsite or air-gapped.

The most common backup failure isn't that backups don't exist — it's that they've never been restored. A backup you haven't tested is a wish, not a backup.

// Backup checklist
  • Critical business data backed up daily, automated, no manual steps
  • Backups stored offsite or in cloud storage, not on the same machine
  • Restoration tested at least once per quarter
  • At least one backup copy is offline or air-gapped (ransomware can't encrypt what it can't reach)
  • Backup retention policy defined — how long are backups kept?
  • Microsoft 365 and Google Workspace data included in backup scope
  • Backup credentials stored separately from primary admin accounts
  • Backup restoration runbook documented and accessible during an outage
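What a restore test should actually prove, as an added example rather than anything from BadgerLayer or this checklist: every file in the protected set comes back byte-for-byte identical to what was backed up, and the backup copy is recent. The script below records a SHA-256 manifest at backup time, compares a restored tree against it, and reports anything missing, corrupted or unexpected. The file names and contents are constructed for the demo; the 7-day freshness threshold is an assumption (the page asks for daily backups, so a stale copy is a failed control).

```python
"""Restore-test verification for a file backup (added example, not BadgerLayer tooling)."""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 7  # assumed threshold; the checklist requires daily backups


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root) to its SHA-256. Recorded at backup time."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> list[str]:
    """Compare a restored tree against the manifest. Empty list means the restore passed."""
    findings = []
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            findings.append(f"MISSING  {rel}")
        elif sha256_file(target) != expected:
            findings.append(f"CORRUPT  {rel}")
    # Files present in the restore that were never in the backup set
    for rel in build_manifest(restored).keys() - manifest.keys():
        findings.append(f"EXTRA    {rel}")
    return findings


def check_freshness(backup_root: Path, now: float | None = None) -> list[str]:
    """Flag a backup whose newest file is older than the allowed age."""
    newest = max((p.stat().st_mtime for p in backup_root.rglob("*") if p.is_file()), default=0.0)
    age_days = ((now or time.time()) - newest) / 86400
    if age_days > MAX_BACKUP_AGE_DAYS:
        return [f"STALE    newest backup file is {age_days:.0f} days old"]
    return []


def run_demo() -> list[str]:
    """Constructed scenario: three files backed up; the restore loses one and corrupts another."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup, restore = (Path(tmp) / n for n in ("live", "backup", "restore"))
        src.mkdir()
        (src / "clients.csv").write_text("acme,2026-01-04\n")
        (src / "ledger").mkdir()
        (src / "ledger" / "q1.xlsx").write_bytes(b"\x50\x4b" + b"\x00" * 64)
        (src / "notes.txt").write_text("renew insurance in March\n")
        manifest = build_manifest(src)           # what the backup job records
        shutil.copytree(src, backup)             # the backup copy
        shutil.copytree(backup, restore)         # the restore test
        (restore / "notes.txt").unlink()                          # simulated loss
        (restore / "clients.csv").write_text("acme,2026-01-05\n")  # simulated corruption
        return verify_restore(manifest, restore) + check_freshness(backup)


if __name__ == "__main__":
    for line in run_demo() or ["PASS: restore matches manifest"]:
        print(line)
```

Run it quarterly against a real restore into a scratch location, and treat any line of output as a failed control, not a warning. Hashing the live data at backup time is the part most backup jobs skip; without the manifest you can only confirm that files exist, not that they are intact.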

Want this monitored?

BadgerLayer manages cybersecurity for small business: MFA enforcement, backups, EDR, training, and 24/7 monitoring.

Cybersecurity services →

Step 3: Employee security training

Phishing is the #1 way breaches start. Not because employees are careless — because attackers are good at impersonation, and good at urgency. The fix isn't scolding people. It's building the muscle memory to slow down when an email creates pressure.

Training works when it's frequent and short. One annual two-hour seminar fades within weeks. Monthly five-minute refreshers stick.

// Training checklist
  • All new employees trained on phishing recognition before their first day
  • Security training refreshed at least annually, ideally quarterly
  • Employees know exactly who to contact when they spot something suspicious
  • Clear policy: never wire money or share credentials based on email alone
  • Phishing simulation run at least once per year
  • Remote and hybrid workers included in all training, not just in-office staff
  • Training covers SMS phishing (smishing) and voice phishing (vishing), not just email
  • No-blame reporting culture — people report when they click before they hide it

The goal isn't a workforce that never clicks anything bad. It's a workforce that reports it within five minutes.

Step 4: Network security

Network controls keep attackers out of your environment and limit damage if something does get in. Most small business networks have at least one configuration we'd flag: guest Wi-Fi sharing the business VLAN, RDP exposed to the internet, or a router still running factory firmware from 2019.

// Network security checklist
  • Business Wi-Fi and guest Wi-Fi on separate networks — never share
  • Wi-Fi uses WPA3 or WPA2 encryption (WPA3 preferred, WEP and WPA1 are insecure)
  • Firewall enabled and configured on the perimeter router
  • Remote Desktop Protocol (RDP) not exposed directly to the internet
  • VPN required for remote employees accessing internal systems
  • Network devices (routers, switches, access points) on current firmware
  • Unused network ports disabled on managed switches
  • DNS filtering blocks known malicious domains at the network level
  • Network segmentation isolates critical systems (payment terminals, servers) from general workstations

Step 5: Endpoint protection

Every laptop, desktop, and server is a potential entry point. Modern endpoint protection has moved beyond signature-based antivirus — today's standard is EDR (endpoint detection and response), which watches for behavior, not just known malware.

Endpoints also need to be manageable. If you can't push a patch, revoke access, or wipe a stolen laptop remotely, you're flying blind.

// Endpoint protection checklist
  • EDR or modern antivirus installed on every device, including servers
  • All company devices enrolled in centralized management (MDM/RMM)
  • Automatic screen lock after 5–10 minutes of inactivity on all devices
  • Full disk encryption enabled (BitLocker on Windows, FileVault on Mac)
  • Personal devices accessing company data covered by a BYOD policy
  • Terminated employee device access revoked immediately upon departure
  • Lost or stolen devices can be remotely wiped
  • USB device usage policy in place (block, warn, or allow with caution)

Step 6: Software & patch management

Most ransomware exploits vulnerabilities that had patches available months before the attack. Patching is unglamorous, repetitive, and the second-most-effective control on this list (after MFA). Automated patching beats manual patching every time, because manual patching becomes "next quarter" patching becomes "never" patching.

// Patch management checklist
  • Operating system updates applied within 30 days of release, ideally automated
  • Third-party software (browsers, Office, Adobe, PDF readers) kept current
  • No unsupported software in use — Windows 10 reached end of life in October 2025
  • Software inventory maintained — you can't patch what you don't know exists
  • Unused software and browser extensions removed
  • Firmware on routers, printers, and network devices updated regularly
  • Server patching scheduled with rollback plan for any critical workloads
  • Critical vulnerabilities (CISA KEV catalog) patched within 14 days
End-of-life software still in use? (Software: Status)
  • Windows 10: End of life October 2025 — replace
  • Windows Server 2012 / 2012 R2: End of life October 2023 — replace
  • Office 2016 / 2019: Both end of life October 2025 — replace
  • Exchange Server 2016 / 2019: October 2025 / October 2025 — migrate
  • SQL Server 2014: July 2024 — upgrade or extended support
  • macOS Monterey (12) and earlier: No longer receiving security updates
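The patch checklist above contains three hard deadlines: OS updates within 30 days of release, CISA KEV items within 14 days, and no software past end of life. As an added example (not BadgerLayer's tooling), the script below evaluates a software inventory against those deadlines and prints what is overdue and by how many days. The end-of-life dates are the ones the page lists, taken at month granularity; the hosts, pending updates and KEV flags are constructed, and applying the 30-day window to third-party updates as well as the OS is an assumption.

```python
"""Patch-SLA and end-of-life audit over a software inventory (added example, not from the page)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

OS_SLA_DAYS = 30    # page: OS updates applied within 30 days of release
KEV_SLA_DAYS = 14   # page: CISA KEV vulnerabilities patched within 14 days

# End-of-life dates as stated on the page; first of the month assumed
END_OF_LIFE = {
    "Windows 10": date(2025, 10, 1),
    "Windows Server 2012 R2": date(2023, 10, 1),
    "Office 2016": date(2025, 10, 1),
    "Exchange Server 2019": date(2025, 10, 1),
    "SQL Server 2014": date(2024, 7, 1),
}


@dataclass
class Pending:
    """An update that is available but not yet installed on a host (constructed)."""
    host: str
    product: str
    released: date
    kev: bool = False   # True if the fix closes a CISA KEV-listed vulnerability


@dataclass
class Host:
    name: str
    os: str
    pending: list[Pending]


def days_overdue(item: Pending, today: date) -> int:
    """Positive when the deadline has passed; KEV items get the shorter window."""
    sla = KEV_SLA_DAYS if item.kev else OS_SLA_DAYS  # 30-day window assumed for third-party too
    return (today - item.released).days - sla


def audit(hosts: list[Host], today: date) -> list[str]:
    findings = []
    for h in hosts:
        eol = END_OF_LIFE.get(h.os)
        if eol and today >= eol:
            findings.append(f"{h.name}: {h.os} is end of life since {eol:%B %Y}")
        for p in h.pending:
            over = days_overdue(p, today)
            if over > 0:
                tag = "KEV" if p.kev else "SLA"
                findings.append(
                    f"{h.name}: {p.product} update from {p.released} is {over} days past {tag} deadline"
                )
    return findings


def demo_inventory() -> list[Host]:
    """Constructed three-host inventory: one slow patcher, one EOL server, one EOL desktop."""
    return [
        Host("FIN-LAPTOP-01", "Windows 11",
             [Pending("FIN-LAPTOP-01", "Windows 11", date(2026, 1, 13))]),
        Host("FILESERVER", "Windows Server 2012 R2",
             [Pending("FILESERVER", "Exchange Server 2019", date(2026, 1, 20), kev=True)]),
        Host("RECEPTION-PC", "Windows 10", []),
    ]


def run_demo(today: date = date(2026, 2, 15)) -> list[str]:
    return audit(demo_inventory(), today)


if __name__ == "__main__":
    for line in run_demo() or ["PASS: inventory within patch SLAs"]:
        print(line)
```

In practice the inventory comes from your RMM or MDM export; the point is that "within 30 days" and "within 14 days" become numbers you can check every week rather than intentions.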

Step 7: Access control

The principle of least privilege: nobody has more access than they need to do their job. When breaches happen, least-privilege limits the damage. An attacker who compromises a marketing account shouldn't be able to access payroll.

Access control fails most often at offboarding. An ex-employee account left active for three weeks is a backdoor that nobody's monitoring. Every termination should trigger a same-day access review.

// Access control checklist
  • Principle of least privilege applied — employees only access what they need
  • Administrator privileges not used for day-to-day tasks
  • Access review conducted when employees change roles or departments
  • Offboarding checklist includes immediate revocation of all system access
  • Shared accounts eliminated — every user has their own login
  • Vendor and contractor access time-limited and revoked when work is complete
  • Quarterly access audit of admin accounts and privileged groups
  • Service accounts inventoried and rotated on a schedule
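Most of the access-control checklist can be checked mechanically against an export of your user directory. As an added example (not BadgerLayer's tooling or a page script), the audit below flags terminated staff whose accounts are still enabled, accounts nobody has signed into for a long time, vendor access with no expiry, shared logins, daily-use accounts holding admin group membership, and service accounts with no owner. The accounts are constructed; the 90-day dormancy threshold is an assumption (the page gives no number), and "Domain Admins" stands in for whatever privileged group your environment uses.

```python
"""Access audit over a directory export (added example, not BadgerLayer tooling)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

DORMANT_DAYS = 90          # assumed; the page sets no dormancy threshold
PRIVILEGED_GROUP = "Domain Admins"   # example group name; substitute your own


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: date | None
    groups: list[str] = field(default_factory=list)
    kind: str = "user"               # user | admin | service | vendor | shared
    owner: str | None = None         # person responsible for the account
    terminated_on: date | None = None
    expires_on: date | None = None   # required for vendor and contractor access


def audit_access(accounts: list[Account], today: date) -> list[str]:
    """Return one finding per checklist violation; empty list means clean."""
    findings = []
    for a in accounts:
        if a.terminated_on and a.enabled:
            gap = (today - a.terminated_on).days
            findings.append(f"OFFBOARDING {a.name}: enabled {gap} days after termination")
        if a.enabled and a.last_logon and (today - a.last_logon).days > DORMANT_DAYS:
            findings.append(f"DORMANT {a.name}: last logon {a.last_logon}")
        if a.enabled and a.last_logon is None:
            findings.append(f"DORMANT {a.name}: never logged on")
        if a.kind == "vendor" and a.enabled and (a.expires_on is None or a.expires_on < today):
            findings.append(f"VENDOR {a.name}: no valid expiry")
        if a.kind == "shared":
            findings.append(f"SHARED {a.name}: shared login, replace with per-user accounts")
        if PRIVILEGED_GROUP in a.groups and a.kind != "admin":
            findings.append(f"PRIVILEGE {a.name}: daily-use account holds {PRIVILEGED_GROUP}")
        if a.kind == "service" and a.owner is None:
            findings.append(f"SERVICE {a.name}: no documented owner")
    return findings


def demo_accounts() -> list[Account]:
    """Constructed export: one clean user, one ex-employee, a shared login,
    an orphaned service account, an expired-but-open vendor, and a user holding admin rights."""
    return [
        Account("jsmith", True, date(2026, 2, 10), ["Staff"]),
        Account("mjones", True, date(2026, 1, 20), ["Staff"], terminated_on=date(2026, 1, 23)),
        Account("front-desk", True, date(2026, 2, 14), ["Staff"], kind="shared"),
        Account("svc-backup", True, date(2026, 2, 15), kind="service"),
        Account("acme-support", True, date(2025, 10, 1), ["VPN-Users"], kind="vendor"),
        Account("rlee", True, date(2026, 2, 12), ["Staff", "Domain Admins"]),
        Account("rlee-adm", True, date(2026, 2, 12), ["Domain Admins"], kind="admin", owner="rlee"),
    ]


def run_demo(today: date = date(2026, 2, 15)) -> list[str]:
    return audit_access(demo_accounts(), today)


if __name__ == "__main__":
    for line in run_demo() or ["PASS: no access findings"]:
        print(line)
```

The "rlee" / "rlee-adm" pair shows the separate-admin-credential rule from Step 1 in practice: the admin account is allowed to hold the privileged group, the daily-use account is not. Run the audit quarterly against a fresh export and on the day of every termination.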

Recently let someone go and not sure if it's clean?

We run access audits as a one-time engagement or as part of managed services. Includes admin review and dormant-account cleanup.

Get an audit →

Step 8: Incident response planning

The worst time to figure out who to call is during an incident. The best time is right now, when nothing is on fire and decisions can be made carefully. An incident response plan doesn't need to be 50 pages. A one-page reference that answers "who do we call and what do we do first" is enough to dramatically reduce chaos during an actual breach.

// Incident response checklist
  • Documented incident response plan exists, not just in someone's head
  • Key contacts identified: IT support, cyber insurance, legal counsel
  • Employees know who to call if they suspect a breach or ransomware
  • Cyber liability insurance policy in place and reviewed annually
  • Critical system restore procedures documented and tested
  • State data breach notification requirements understood (Wisconsin, Illinois, etc.)
  • Communication templates pre-written for customers, vendors, regulators
  • Annual tabletop exercise — walk through a hypothetical incident with the team
// Being honest

If your incident response plan is "call the IT person we use," verify they actually answer their phone at 2am. Most ransomware deploys overnight or on weekends specifically to delay response. A response partner with documented after-hours procedures is worth significantly more than one without.

Cybersecurity tips for employees

The checklist above covers systems and policies. Employees are involved in the majority of security incidents not because they're careless, but because attackers specifically target people. The most important habits to build:

  • Treat unexpected emails with skepticism. If an email creates urgency, asks for credentials, or requests a wire transfer, slow down. Verify through a separate channel before acting.
  • One password per account, always. Password managers make this easy. There's no longer a reason to reuse passwords.
  • Lock your screen when you walk away. Windows: Win+L. Mac: Ctrl+Cmd+Q. Takes one second, prevents a lot of problems.
  • Report suspicious emails — don't just delete them. If you got a phishing email, a colleague probably did too. Reporting protects everyone.
  • Never plug in unknown USB drives. Attackers leave infected drives in parking lots. This is a real attack and it works.
  • Keep work and personal separate. Don't use work accounts for personal services. Don't use personal devices for sensitive work without IT approval.

The best security training makes these behaviors automatic. One-time sessions fade. Regular short reminders stick.

What's new in 2026

The threat landscape shifts every year. A few things that matter specifically in 2026:

  • Windows 10 is end of life. Microsoft ended support in October 2025. Any machine still running Windows 10 isn't receiving security patches and is a liability. Plan replacement now if you haven't.
  • AI-generated phishing is indistinguishable from real emails. The spelling errors and broken English that used to signal phishing are gone. Train employees on behavioral red flags, not just grammatical ones.
  • MFA is no longer optional anywhere. Cyber insurance carriers have started denying claims when MFA wasn't enforced. Most regulated industries (HIPAA, GLBA, PCI) now expect it as table-stakes.
  • Cyber insurance requires documented controls. Insurers ask 30–60 question security questionnaires at renewal. Wrong answers either raise premiums or void coverage. The checklist above answers most of those questions correctly.
  • Supply chain attacks target your vendors. A breach at a software vendor or MSP can cascade to your systems. Vet your vendors' security practices and limit third-party access through scoped credentials and time-limited tokens.
  • Deepfake voice attacks are happening. Attackers clone the voice of a CEO or finance director and call the controller asking for a wire transfer. Build verification protocols that don't rely on voice recognition.

What level of cybersecurity do you actually need?

Not every small business needs the same level of protection. Here are the four tiers we use to honestly tell prospects where they should land based on size, industry, and risk profile.

I · If you're 1–5 people with no regulated data...
→ DIY essentials are enough
Work through this checklist yourself. Microsoft 365 Business Standard with MFA, a password manager, and cloud backup gets you most of the way. Quarterly self-review, annual phishing test. You can do this without an MSP.

II · If you're 5–25 people with customer data or payment info...
→ Outsource the fundamentals
A managed service handling MFA enforcement, EDR, backups, and patch management runs $50–100 per user per month. At this size, the time you'd spend doing it yourself costs more than the service. Phishing simulations and quarterly reviews included.

III · If you're regulated (healthcare, financial, federal contractor)...
→ Managed monitoring required
HIPAA, GLBA, CMMC environments need 24/7 monitoring, documented controls, and audit-ready evidence. Plan on $100–200 per user per month for managed cybersecurity that includes compliance documentation. Free assessment first to scope the gap.

IV · If you've already had an incident or your insurer is asking hard questions...
→ Assessment first, then plan
Don't guess at gaps. A cybersecurity assessment ($499–$3,500 depending on size) maps your current posture to the controls above and produces a written prioritized roadmap. Most clients close the highest-risk gaps within 30 days of the assessment.

At BadgerLayer, every cybersecurity engagement starts with a free conversation about what level fits your business. Sometimes the right answer is "you don't need us yet — here's the checklist, call us in 18 months."

Want a free cybersecurity assessment?

Free conversation, written assessment if you want a deeper look. Based in Whitewater, Wisconsin, serving small business across the Midwest.

Cybersecurity services →