Free Guide

SMALL BUSINESS CYBERSECURITY QUICK-START GUIDE

Eight foundational controls that stop the majority of attacks — prioritized for business owners and IT staff who need to make progress without a large security team or budget.

How this guide is structured

Steps are grouped into three tiers based on impact and urgency. Do not skip ahead — the “Do First” controls provide the most protection per hour of effort.

  • Do First: highest impact, address immediately
  • Do Next: important, address within 30–60 days
  • Build Over Time: mature your program progressively
1
Do First

Enable Multi-Factor Authentication Everywhere

The large majority of account compromise incidents involve a stolen, guessed or reused password. MFA stops most of these attacks even after the password has leaked, because the password alone is no longer enough to sign in.

Action steps

  • Enable MFA on all Microsoft 365, Google Workspace, and email accounts.
  • Require MFA for any remote access tools (VPN, RDP, remote desktop software).
  • Use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS where possible; for administrators, prefer phishing-resistant methods (FIDO2 security keys or passkeys), since a one-time code can still be phished or approved by mistake during a push-notification flood.
  • Enroll all employees and set MFA as mandatory — not optional.

Tools to use

Microsoft Authenticator, Google Authenticator, Duo (free tier available). Enforce MFA at the tenant level rather than per user: in Microsoft 365, turn on Security Defaults or, on Business Premium, a Conditional Access policy that requires MFA; in Google Workspace, enforce 2-Step Verification from the Admin console.

2
Do First

Deploy Endpoint Protection on Every Device

Endpoints — laptops, desktops, and servers — are the primary target in ransomware and malware attacks. Basic antivirus alone no longer stops modern threats.

Action steps

  • Deploy endpoint detection and response (EDR) software to all company-owned devices.
  • Ensure coverage is monitored — a device not reporting in is a gap.
  • Confirm Microsoft Defender Antivirus (built into Windows 10/11) is enabled and updating as a minimum on any device without EDR.
  • Extend protection to any personal devices that access company systems if possible.

Tools to use

Microsoft Defender for Business (priced for SMBs), CrowdStrike Falcon Go, SentinelOne. Microsoft Defender Antivirus is a free baseline included with Windows, but it does not give you the central visibility that tells you which devices have stopped reporting.
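The "a device not reporting in is a gap" check above is easy to automate once you have two exports: your asset inventory and the EDR console's device list. The following is an added example, not code from the guide or from any vendor. Both CSVs are constructed samples; the column names (hostname, device_name, last_seen) and the seven-day staleness threshold are assumptions you would adjust to your own tools.

```python
"""Reconcile an asset inventory against EDR agent check-ins.

Added example, not from the original guide. Both CSV blocks are
constructed samples standing in for an inventory export and an EDR
console export; column names are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed inventory export: hostnames as various teams typed them in.
INVENTORY_CSV = """hostname,owner,type
FIN-LAPTOP-01,alice,laptop
fin-laptop-02.corp.example,bob,laptop
SRV-FILE-01,it,server
SRV-DB-01,it,server
RECEPTION-PC,front desk,desktop
"""

# Constructed EDR export: what the console says has an agent and when it last phoned home.
EDR_CSV = """device_name,last_seen
fin-laptop-01,2024-05-20T09:12:00Z
FIN-LAPTOP-02,2024-05-12T17:40:00Z
srv-file-01.corp.example,2024-05-20T08:00:00Z
reception-pc,2024-05-19T23:55:00Z
old-test-vm,2024-04-01T00:00:00Z
"""

STALE_AFTER = timedelta(days=7)  # assumption: an agent silent for a week is a gap


def normalize(hostname: str) -> str:
    """Lower-case and strip any domain suffix so both exports compare equal."""
    return hostname.strip().lower().split(".")[0]


def parse_timestamp(value: str) -> datetime:
    """Parse ISO-8601 with a trailing Z (UTC), as most consoles export it."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def parse_edr(csv_text: str) -> dict[str, datetime]:
    """Map normalized device name to its last check-in time."""
    return {
        normalize(row["device_name"]): parse_timestamp(row["last_seen"])
        for row in csv.DictReader(io.StringIO(csv_text))
    }


def coverage_gaps(inventory_csv: str, edr_csv: str, now_iso: str) -> dict[str, list[str]]:
    """Return the three lists a coverage review needs.

    no_agent: inventoried devices the EDR console has never seen.
    stale: devices with an agent that has not reported within STALE_AFTER.
    unknown_to_inventory: EDR devices nobody has recorded (forgotten VMs, personal machines).
    """
    now = parse_timestamp(now_iso)
    edr = parse_edr(edr_csv)
    inventory = {normalize(r["hostname"]) for r in csv.DictReader(io.StringIO(inventory_csv))}
    return {
        "no_agent": sorted(h for h in inventory if h not in edr),
        "stale": sorted(h for h in inventory if h in edr and now - edr[h] > STALE_AFTER),
        "unknown_to_inventory": sorted(h for h in edr if h not in inventory),
    }


if __name__ == "__main__":
    for category, hosts in coverage_gaps(INVENTORY_CSV, EDR_CSV, "2024-05-20T12:00:00Z").items():
        print(f"{category}: {', '.join(hosts) or '(none)'}")
```

Run it on a schedule and treat a non-empty `no_agent` or `stale` list as a ticket, not a report. The `unknown_to_inventory` list is just as useful: it shows machines that are protected but that nobody is accountable for.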

3
Do First

Back Up Your Data — and Test the Restore

A backup you have not tested is not a backup. Ransomware specifically targets and destroys connected backup systems. Isolated, tested backups are the fastest path to recovery.

Action steps

  • Back up critical data at least daily — files, databases, and email if applicable.
  • Store at least one backup copy offline or in a separate cloud environment (not the same account as production), with versioning or immutability enabled so an attacker who reaches the backup account still cannot overwrite or delete old copies.
  • Test a full restore at least once a year and after any change to the backup system; document the date, what was restored, how long it took, and what did not come back.
  • Decide how much data you can afford to lose (the last hour? the last day?) and how long you can afford to be offline. The first number sets your backup frequency; the second sets how fast the restore has to be and whether you need a warm standby.

Tools to use

Veeam Community Edition (free for small deployments), Backblaze Business, Windows Server Backup. Microsoft 365 Backup for email and OneDrive. Cloud object storage (S3, Azure Blob) with versioning and object-lock or soft-delete enabled for off-site copies.
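"Test the restore" means more than checking that files reappear: a restore can complete with truncated or corrupted files and nobody notices until the data is needed. The script below is an added example, not code from the guide or from any backup vendor. It hashes every file under the source and restored trees and reports what matched, what differs, and what is missing; the sample files are constructed in a temporary directory so it runs offline.

```python
"""Verify a restored backup against its source by content hash.

Added example, not from the original guide. demo() builds a constructed
source tree, simulates a restore that went wrong in two common ways, and
returns the verification report.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            # Read in 1 MiB chunks so large database or mailbox files do not load into memory.
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def verify_restore(source: Path, restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against its source.

    verified: present in both with identical content.
    mismatched: present in both but content differs (corruption, wrong version).
    missing: in the source but absent from the restore (skipped or failed).
    extra: in the restore but not in the source (stale files from an older job).
    """
    src, dst = hash_tree(source), hash_tree(restored)
    return {
        "verified": sorted(p for p in src if p in dst and src[p] == dst[p]),
        "mismatched": sorted(p for p in src if p in dst and src[p] != dst[p]),
        "missing": sorted(p for p in src if p not in dst),
        "extra": sorted(p for p in dst if p not in src),
    }


def restore_ok(report: dict[str, list[str]]) -> bool:
    """A restore passes only if nothing is missing or altered; extras are a warning, not a failure."""
    return not report["mismatched"] and not report["missing"]


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files backed up, one corrupted and one skipped on restore."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        source = work / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (source / "finance" / "invoices.db").write_bytes(os.urandom(4096))
        (source / "readme.txt").write_text("constructed sample data\n")

        # "Restore" by copying, then break it the way real restores break.
        restored = work / "restored"
        shutil.copytree(source, restored)
        (restored / "finance" / "invoices.db").write_bytes(b"\x00" * 4096)  # same size, silently corrupted
        (restored / "readme.txt").unlink()  # skipped by the backup job
        return verify_restore(source, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for key, paths in result.items():
        print(f"{key}: {paths}")
    print("restore ok:", restore_ok(result))
```

In a real test, point `verify_restore` at the live data and at a restore into a scratch location, and keep the report with the date as the documentation the action step asks for. The corrupted database in the demo is the case a size-only comparison would miss.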

4
Do Next

Patch Operating Systems and Software Consistently

Attackers routinely exploit vulnerabilities that have had patches available for months. A consistent patching cadence removes the most commonly exploited entry points.

Action steps

  • Enable automatic updates for Windows and macOS on all employee devices.
  • Patch critical vulnerabilities within 30 days and everything else within 60; move faster for anything on CISA's Known Exploited Vulnerabilities list or for internet-facing systems such as VPN appliances and mail gateways.
  • Include browsers, Office applications, Adobe products, and other commonly exploited software.
  • Review servers and network devices separately — they often require manual patching.

Tools to use

Windows Update for Business policies through Intune (included in Microsoft 365 Business Premium), Automox, or NinjaOne (formerly NinjaRMM) for centralized patching. Free: enable automatic updates in Windows Settings on each device and check periodically that they actually installed.

5
Do Next

Secure Your Email Against Phishing and Impersonation

The vast majority of cyberattacks start with email — phishing, business email compromise, and malicious attachments. Email security is foundational, not optional.

Action steps

  • Publish SPF, DKIM, and DMARC DNS records for your email domain. Turn on DKIM signing in your mail platform first, start DMARC at p=none with a reporting (rua) address, then move to quarantine and finally reject once the reports show only legitimate senders failing.
  • Enable the advanced spam and phishing filters in your email platform (Microsoft Defender for Office 365; enhanced pre-delivery message scanning and the Gmail safety settings in Google Workspace).
  • Turn on alerts for unusual sign-in activity and new mailbox forwarding rules, and block automatic forwarding to external addresses; attackers use forwarding rules to read mail quietly after a compromise.
  • Create a simple process for employees to report suspicious emails to IT.

Tools to use

MXToolbox to verify DMARC/SPF/DKIM. Microsoft Defender for Office 365 Plan 1 (included in Microsoft 365 Business Premium). Google Workspace has built-in phishing and malware filtering.

6
Do Next

Train Your Employees to Recognize Attacks

Employees are targeted precisely because they are effective entry points. Awareness training significantly reduces click rates on phishing simulations and real attacks.

Action steps

  • Conduct security awareness training for all employees at least once a year.
  • Run phishing simulation tests quarterly to measure and reinforce learning.
  • Cover the essentials: how to spot phishing, password hygiene, what to do if something seems wrong.
  • Make reporting easy and blame-free — employees who report suspicious emails are an asset.

Tools to use

KnowBe4 (free trial), Proofpoint Security Awareness Training, Cofense. Many email platforms include basic phishing simulation capabilities.

7
Build Over Time

Know Your Vendors and Manage Their Access

A significant portion of breaches originate through third-party vendors and service providers. You are responsible for what your vendors can access.

Action steps

  • Build a simple list of every vendor that accesses your systems or handles your data.
  • Review and revoke vendor access when relationships end — unused accounts are a persistent risk.
  • Ask critical vendors about their security practices before renewing contracts.
  • Add basic security obligations (breach notification, minimum controls) to vendor contracts.

Tools to use

A spreadsheet is a fine starting point for a vendor inventory. Your identity provider's admin console to audit third-party access and OAuth grants.

8
Build Over Time

Have a Plan for When Something Goes Wrong

Incidents will happen — the question is whether you respond in minutes with a plan or in hours with confusion. A simple plan dramatically reduces breach cost and recovery time.

Action steps

  • Write a one-page incident response plan: who to call, what to isolate, how to notify affected parties.
  • Know your legal notification obligations in advance: every US state has a breach notification law, and regulated data (health records, payment cards, customer data covered by contract) adds its own deadlines.
  • If you have cyber insurance, know the carrier's notification hotline before an incident, not during one.
  • Walk through a hypothetical scenario with your leadership team once a year.

Tools to use

CISA's free Incident Response planning resources. Your cyber insurance policy's incident response section. Legal counsel for state breach notification requirements.

Need help getting started?

Prometheus works with small and mid-sized businesses to implement foundational security controls, conduct risk assessments, and build practical security programs that fit real-world budgets and operational constraints.

Request a consultation