The Small Business Cybersecurity Playbook: 10 Steps That Actually Matter
NOV 3, 2025. Written by Yves Soete, Blacksight LLC. Visit us to use our free website security scanner on scanner.blacksight.io
Get notified when new articles drop: visit blacksight.io/blog to subscribe.
I work with small businesses every day through BlackSight, and the pattern is always the same. They know cybersecurity matters. They have read the headlines about ransomware and data breaches. But they feel overwhelmed, under-resourced, and unsure where to start. So they do nothing, or they buy an expensive tool they never configure properly.
Here is the truth: you do not need a six-figure security budget to protect a small business. You need to do ten things well. Not twenty. Not fifty. Ten. These are the ten steps that actually move the needle, based on what I see when scanning thousands of small business websites and what I know from investigating real breaches.
1. Enable Multi-Factor Authentication Everywhere
Why it matters:
Published breach reports consistently rank stolen or weak credentials among the most common ways attackers get in. MFA stops most of these attacks: even if an attacker has your password, from a phishing email, a data breach, or a brute-force attack, they cannot log in without the second factor. The one caveat is that one-time codes can still be phished in real time by a fake login page that relays the code to the real site, so where a service offers passkeys or FIDO2 security keys, prefer them; they are bound to the real domain and cannot be relayed.
How to do it:
Enable MFA on every service that supports it. Start with email, banking, your domain registrar and DNS provider, and your website admin panel. Use an authenticator app like Authy or Google Authenticator, or better a passkey or hardware security key, rather than SMS codes, because SMS can be intercepted via SIM swapping. For your team, enforce MFA at the identity provider level (the Google Workspace or Microsoft 365 admin console, for example) so individuals cannot opt out, and keep the recovery codes in your password manager rather than in an inbox.
The common excuse:
"It slows people down." It adds five seconds to each login. A breach will slow your business down for weeks or months. The math is not complicated.
2. Keep All Software Updated
Why it matters:
The majority of successful attacks exploit known vulnerabilities that already have patches available. Attackers do not need zero-days when your WordPress installation is three versions behind and has a public exploit on GitHub.
How to do it:
Enable automatic updates for your operating systems, browsers, and CMS platforms. For WordPress, enable auto-updates for core, themes, and plugins, and delete any plugin or theme you are not actively using: a deactivated plugin still sits on disk, and its files can still be reached and exploited. For your server software, set up unattended-upgrades on Ubuntu or the equivalent on your OS. Check for updates weekly at minimum, and treat a vulnerability that is being actively exploited in the wild as a same-day job.
The common excuse:
"Updates might break something." Yes, they might. But a breach will definitely break something. Test updates in a staging environment if you have one, but do not let the pursuit of perfect testing prevent you from patching critical vulnerabilities.
3. Use a Password Manager
Why it matters:
People reuse passwords. They use their dog's name plus a number. They write them on sticky notes. A password manager eliminates all of these problems by generating unique, complex passwords for every account and storing them securely.
How to do it:
Choose a reputable password manager — 1Password, Bitwarden, or Dashlane are all solid options. Bitwarden has a free tier that works well for small teams. Roll it out to your entire team, migrate all shared credentials into it, and delete any passwords stored in spreadsheets, documents, or browser autofill.
The common excuse:
"What if the password manager gets hacked?" A password manager encrypts your vault on your own device with a key derived from your master password; the vendor stores only the encrypted vault and never sees the master password. Even if their servers are breached, the attacker gets ciphertext and has to guess your master password offline, which is why that password should be a long passphrase you use nowhere else, with MFA turned on for the manager account itself. This is orders of magnitude more secure than reusing "Company2025!" across forty services.
4. Secure Your Email with SPF, DKIM, and DMARC
Why it matters:
Without email authentication, anyone can send emails that appear to come from your domain. Attackers use this to phish your customers, your employees, and your vendors. It erodes trust and can directly lead to financial fraud.
How to do it:
Configure three DNS records. SPF is a TXT record on your domain that lists which mail servers are authorized to send email for it; keep it under the limit of 10 DNS-querying mechanisms (include, a, mx and the like), because a record that exceeds that limit is treated as an error and gives you no protection at all. DKIM is a public key published in DNS; your mail provider signs each outgoing message with the matching private key and gives you the record to publish. DMARC tells receiving servers what to do when a message fails both SPF and DKIM alignment (a message passes DMARC if either one passes), and sends you aggregate reports, to the rua address, about who is sending as your domain. Start with a DMARC policy of p=none to monitor those reports, fix any legitimate senders that show up unauthenticated, then move to p=quarantine and eventually p=reject. The records below show a typical end state. In SPF, ~all asks receivers to treat unlisted senders as suspicious (soft fail) and -all as unauthorized (hard fail); either works with DMARC, which makes the final decision.
SPF: v=spf1 include:_spf.google.com ~all
DMARC: v=DMARC1; p=reject; rua=mailto:[email protected]
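The checks below are an added example, not code from the article or from BlackSight's scanner. They grade an SPF record by how it treats unlisted senders and by how many DNS lookups it costs, and pull the policy and reporting address out of a DMARC record, so you can see where a domain sits on the p=none to p=reject path. The records at the bottom are constructed samples on the reserved example.com domain; for a real domain, paste in the output of dig +short TXT for the domain and for its _dmarc label.

```shell
#!/bin/sh
# Added example, not from the article: grade SPF and DMARC TXT records.
# Assumed: a POSIX shell plus grep, sed, tr and head. The records at the bottom
# are constructed samples; for a real domain, feed in the output of
#   dig +short TXT example.com          (SPF lives on the bare domain)
#   dig +short TXT _dmarc.example.com   (DMARC lives on the _dmarc label)

# spf_verdict RECORD -> how unlisted senders are treated: hardfail, softfail,
# neutral, pass-all (anyone may send as you), no-all, or no-spf
spf_verdict() {
  case "$1" in
    "v=spf1 "*|"v=spf1") ;;
    *) echo no-spf; return 1 ;;
  esac
  case "$1" in
    *" -all"*) echo hardfail ;;
    *" ~all"*) echo softfail ;;
    *" ?all"*) echo neutral ;;
    *" +all"*|*" all"*) echo pass-all; return 1 ;;
    *) echo no-all ;;   # may be fine if a redirect= modifier delegates to another record
  esac
}

# spf_lookup_count RECORD -> number of terms that cost a DNS query.
# RFC 7208 allows at most 10; more than that is a PermError, i.e. no SPF at all.
spf_lookup_count() {
  n=0
  for term in $1; do
    term=${term#[+~?-]}            # strip a leading qualifier such as -mx or +include:
    case "$term" in
      include:*|a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*|redirect=*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# dmarc_tag RECORD TAG -> value of TAG (p, sp, pct, rua, ...) or empty if absent
dmarc_tag() {
  printf '%s\n' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | sed -n "s/^$2=//p" | head -n 1
}

# dmarc_verdict RECORD -> none, quarantine, reject, invalid, or no-dmarc.
# Warns on stderr if no aggregate-report address (rua) is set, because without
# reports you cannot see who is failing before you move to reject.
dmarc_verdict() {
  case "$1" in "v=DMARC1"*) ;; *) echo no-dmarc; return 1 ;; esac
  [ -n "$(dmarc_tag "$1" rua)" ] || echo "warning: no rua= reporting address" >&2
  p=$(dmarc_tag "$1" p)
  case "$p" in
    none|quarantine|reject) echo "$p" ;;
    *) echo invalid; return 1 ;;
  esac
}

# Constructed sample records (example.com is a reserved documentation domain)
SPF_GOOD='v=spf1 include:_spf.google.com -all'
SPF_OPEN='v=spf1 include:_spf.google.com +all'
DMARC_MONITOR='v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com'
DMARC_ENFORCE='v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com'

for rec in "$SPF_GOOD" "$SPF_OPEN"; do
  echo "SPF   $(spf_verdict "$rec") ($(spf_lookup_count "$rec") lookups): $rec"
done
for rec in "$DMARC_MONITOR" "$DMARC_ENFORCE"; do
  echo "DMARC $(dmarc_verdict "$rec"): $rec"
done
```

A pass-all verdict (+all) is worse than having no SPF at all, because it tells receivers that every host on the internet is allowed to send as you. The lookup count matters because the 10-lookup cap is hit surprisingly often once a domain adds a few SaaS senders, and the failure mode is silent.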
The common excuse:
"We do not send many emails." It does not matter. Attackers will send emails pretending to be you regardless of your sending volume. DMARC protects your domain's reputation whether you send ten emails a day or ten thousand.
5. Enable HTTPS and Proper SSL Configuration
Why it matters:
Without HTTPS, every piece of data between your visitors and your server travels in plain text. Passwords, form submissions, session cookies — all visible to anyone on the same network. Beyond security, Google penalizes HTTP sites in search rankings and browsers display scary "Not Secure" warnings.
How to do it:
Get a free TLS certificate from Let's Encrypt (most people still call it an SSL certificate). Most hosting providers offer one-click HTTPS now and renew the certificate for you; if you run your own server, use certbot and confirm its renewal timer is active, because an expired certificate takes the site down just as surely as an outage. Once installed, force all traffic to HTTPS via a permanent (301) redirect and set the Strict-Transport-Security header (HSTS) so browsers remember to always use HTTPS. Roll HSTS out carefully: send it only over HTTPS, start with a short max-age and raise it once everything works, and add includeSubDomains only when every subdomain serves HTTPS, because browsers will refuse plain HTTP for the whole domain for as long as the max-age says. Disable TLS 1.0 and 1.1 and keep TLS 1.2 as the minimum. Check your configuration with BlackSight's SSL scanner to make sure you are not using deprecated TLS versions or weak ciphers.
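As an added example, not code from the article, here is a small script that reads the response headers a site sends and answers the two questions above: does plain HTTP redirect permanently to https://, and is HSTS present with a sensible max-age. The header dumps at the bottom are constructed; for a live site, capture them with curl -sI against the http:// and https:// URLs and pass the output to the same functions.

```shell
#!/bin/sh
# Added example, not from the article: check what a site's HTTP response
# headers say about HTTPS enforcement. Assumed: POSIX shell with grep, sed,
# awk, tr and head. The header dumps at the bottom are constructed samples;
# for a live site capture them with
#   curl -sI http://example.com     (should be a 301 redirect to https://)
#   curl -sI https://example.com    (should carry Strict-Transport-Security)

# hsts_max_age HEADERS -> the max-age value of Strict-Transport-Security, or 0 if absent
hsts_max_age() {
  age=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' \
        | sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  echo "${age:-0}"
}

# hsts_grade HEADERS -> missing, short, or ok.
# "ok" means at least one year (31536000 s), the floor browsers require for their
# preload lists; a freshly deployed site should start lower and raise it once
# HTTPS is known to work everywhere.
hsts_grade() {
  age=$(hsts_max_age "$1")
  if [ "$age" -eq 0 ]; then echo missing; return 1
  elif [ "$age" -lt 31536000 ]; then echo short; return 1
  else echo ok
  fi
}

# redirect_to_https HEADERS -> ok when the plain-HTTP response is a permanent
# redirect to an https:// URL; otherwise names the problem
redirect_to_https() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
  loc=$(printf '%s\n' "$hdrs" | grep -i '^location:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
  case "$status" in
    301|308)
      case "$loc" in
        https://*) echo ok; return 0 ;;
        *) echo redirect-not-https ;;
      esac ;;
    302|307) echo temporary-redirect ;;   # not cached, so every visit starts over plain HTTP; use 301
    *) echo no-redirect ;;
  esac
  return 1
}

# Constructed header dumps (not captured from a real site)
PLAIN_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Content-Length: 0'
SECURE='HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload'
NO_HSTS='HTTP/1.1 200 OK
Content-Type: text/html'

echo "http -> https redirect: $(redirect_to_https "$PLAIN_HTTP")"
echo "HSTS on good site:      $(hsts_grade "$SECURE") (max-age $(hsts_max_age "$SECURE"))"
echo "HSTS on weak site:      $(hsts_grade "$NO_HSTS")"
```

A site that passes both checks still needs its TLS version and cipher configuration verified separately; headers cannot tell you whether TLS 1.0 is still enabled.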
The common excuse:
"Our site does not handle sensitive data." Every site handles session cookies and user interactions. HTTPS is table stakes in 2025. There are zero valid reasons to run an HTTP-only website.
6. Implement Regular Backups with the 3-2-1 Rule
Why it matters:
Ransomware is the threat most likely to shut a small business down outright. If your data is encrypted and you have no backup, your options are pay the ransom (with no guarantee of recovery, and no protection against the leak of data the crew copied out before encrypting) or rebuild from scratch. Good backups make ransomware a nuisance instead of a catastrophe.
How to do it:
Follow the 3-2-1 rule: keep 3 copies of your data, on 2 different types of media, with 1 copy offsite. For a small business, this means your production data, a local backup (external drive or NAS), and a cloud backup (AWS S3, Backblaze B2, or similar). Give the cloud copy its own credentials that your day-to-day admin accounts cannot use to delete it, and turn on versioning or object lock so an attacker who gets in cannot wipe the backups before encrypting production, which is exactly what ransomware crews try first. Encrypt the backups and keep the key somewhere other than the server being backed up. Automate your backups so they run without human intervention. Most importantly, test your restores regularly: a backup you have never restored is a backup that might not work.
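The script below is an added example, not code from the article. It does the two things the paragraph insists on: it makes the second and third copies (a local archive plus a copy to an offsite location, with a checksum stored next to each), and it performs the restore test, extracting the archive into a scratch directory and comparing it file by file against the live data. The demo at the bottom backs up a constructed fake site directory; the two target directories stand in for the local drive and the offsite bucket, which in production would be an rsync or rclone destination.

```shell
#!/bin/sh
# Added example, not from the article: a minimal 3-2-1 backup with a restore test.
# Assumed: GNU tar and sha256sum, and two writable directories standing in for the
# local copy and the offsite copy. In production the offsite directory would be an
# rsync or rclone target (an S3 or B2 bucket with versioning or object lock), written
# with credentials that cannot delete old versions.

# backup_dir SRC LOCAL_DIR OFFSITE_DIR -> prints the archive path created in LOCAL_DIR
# and copies the archive plus its checksum to OFFSITE_DIR
backup_dir() {
  src=$1; local_dir=$2; offsite_dir=$3
  name=$(basename "$src")
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$local_dir/$name-$stamp.tar.gz"
  mkdir -p "$local_dir" "$offsite_dir" || return 1
  tar -C "$(dirname "$src")" -czf "$archive" "$name" || return 1
  # checksum written with a relative filename so it verifies from either location
  ( cd "$local_dir" && sha256sum "$name-$stamp.tar.gz" > "$name-$stamp.tar.gz.sha256" ) || return 1
  cp "$archive" "$archive.sha256" "$offsite_dir/" || return 1
  echo "$archive"
}

# verify_restore ARCHIVE SRC -> 0 if the archive's checksum matches and it extracts
# to files identical to SRC; 1 on corruption, a failed extract, or any difference
verify_restore() {
  archive=$1; src=$2
  scratch=$(mktemp -d) || return 1
  if ! ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" ); then
    rm -rf "$scratch"; return 1
  fi
  if ! tar -C "$scratch" -xzf "$archive"; then
    rm -rf "$scratch"; return 1
  fi
  if diff -r "$src" "$scratch/$(basename "$src")" >/dev/null 2>&1; then
    status=0
  else
    status=1
  fi
  rm -rf "$scratch"
  return $status
}

# Constructed demo data: a fake site directory, not real business files
demo=$(mktemp -d)
mkdir -p "$demo/data/site"
printf 'define("DB_PASSWORD", "example");\n' > "$demo/data/site/wp-config.php"
printf '<h1>hello</h1>\n' > "$demo/data/site/index.html"
arc=$(backup_dir "$demo/data/site" "$demo/local" "$demo/offsite")
if verify_restore "$arc" "$demo/data/site"; then
  echo "backup ok, restore verified: $arc (offsite copy in $demo/offsite)"
else
  echo "RESTORE TEST FAILED for $arc"
fi
rm -rf "$demo"
```

Run backup_dir from cron and run verify_restore against the newest archive on a schedule too; the checksum step is what catches a backup that was silently truncated or corrupted in transit, and the diff is what catches an archive that was made from the wrong directory.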
The common excuse:
"We back up to the same server." That is not a backup. If ransomware hits your server, it encrypts your backups too. Offsite, offline, or immutable backups are the only ones that survive a targeted attack.
7. Invest in Employee Security Training
Why it matters:
Your employees are both your greatest vulnerability and your strongest defense. Phishing emails, social engineering calls, and malicious links all target humans, not systems. No firewall protects against an employee who willingly enters their credentials on a fake login page.
How to do it:
Run short, practical training sessions quarterly — not annual death-by-PowerPoint compliance training. Cover how to spot phishing emails (hover over links, check sender addresses, be suspicious of urgency), what to do when they suspect an attack (report it, do not click, do not forward), and basic password hygiene. Send simulated phishing emails monthly to keep awareness high. Celebrate people who report suspicious emails instead of shaming those who click.
The common excuse:
"Our team is too small for formal training." Small teams are actually easier to train. A 30-minute session over lunch costs nothing and can prevent a six-figure breach.
8. Scan Your Website for Vulnerabilities Regularly
Why it matters:
You cannot fix what you do not know about. Vulnerability scanning identifies misconfigurations, outdated software, missing security headers, exposed services, and known CVEs before attackers find them. Most small business websites I scan through BlackSight have at least three issues they had no idea existed.
How to do it:
Start with a free scan at scanner.blacksight.io to get a baseline. Review the findings — focus on critical and high severity items first. Set up recurring scans (weekly or monthly) to catch new vulnerabilities as they appear. Your website changes over time — plugins get updated, configurations drift, new services get exposed. Regular scanning catches these changes.
The common excuse:
"We hired a developer, so our site is secure." Developers build features. Security is a separate discipline. Even excellent developers miss security configurations because it is not their primary focus. Scan anyway.
9. Create an Incident Response Plan
Why it matters:
When a breach happens, and for most businesses the question is when rather than if, the first 24 hours determine whether it is a contained incident or a full-blown disaster. Without a plan, people panic, make bad decisions, and waste critical time figuring out who does what.
How to do it:
Write a simple one-page plan that answers four questions. Who do we call first? (IT lead, legal counsel, insurance provider; a cyber insurance policy may require you to notify them before you change anything.) How do we contain the damage? (Isolate affected systems from the network without wiping them, so evidence survives; reset compromised credentials, starting with email and the identity provider; block malicious IPs.) Who do we need to notify? (Customers, regulators, partners. Know your legal obligations and their deadlines before the breach.) How do we recover? (Restore from backups taken before the intrusion, rebuild compromised systems rather than trying to clean them, conduct a post-mortem.) Keep a printed copy and a copy on a device outside your network; if your systems are encrypted or your email is compromised, the plan on the shared drive goes with them.
The common excuse:
"We will figure it out if it happens." No, you will not. During a breach, stress is high, time pressure is extreme, and clear thinking is scarce. A written plan removes the need to make decisions under duress. Write it now while you are calm.
10. Review Access Permissions Regularly
Why it matters:
Over time, access accumulates. The contractor who built your site two years ago still has admin access. The employee who left six months ago still has their email account active. Former interns can still access your cloud storage. Every unnecessary account is an attack surface.
How to do it:
Conduct a quarterly access review. List every person, and every API key, deploy token, and shared account, that has access to your critical systems: website admin, hosting panel, domain registrar, email accounts, payment processor, cloud services, code repositories. Remove anyone who no longer needs access. Downgrade permissions where possible; not everyone needs admin. When someone leaves the company, revoke all access the same day, not "when we get around to it", and rotate any shared passwords or keys they knew, because revoking their login does not revoke what they memorized or copied.
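To make the quarterly review mechanical rather than a matter of memory, here is an added example, not code from the article. It takes two lists, who currently has access (exported from each system) and who is approved to have it (a file you maintain), and prints what to remove and what to downgrade; it also counts how many admins each system has, since "admin" tends to become the default role. The CSV data is constructed. The export commands named in the comments are assumptions about where a small business would get the current list, not something the article specifies.

```shell
#!/bin/sh
# Added example, not from the article: compare who currently has access with
# who is approved to have it, and list what to remove or downgrade.
# Assumed: POSIX shell with awk. Both inputs are CSV text with a header row;
# the sample data is constructed. In practice the "current" list comes from each
# system's export (for WordPress with WP-CLI: wp user list --fields=user_login,roles --format=csv)
# and the "approved" list is a file you maintain and re-check every quarter.

# role_rank ROLE -> a number so that higher privilege compares greater
role_rank() {
  case "$1" in
    owner|admin|administrator) echo 3 ;;
    editor|developer|maintainer) echo 2 ;;
    viewer|subscriber|read) echo 1 ;;
    *) echo 0 ;;
  esac
}

# access_review CURRENT_CSV APPROVED_CSV -> one line per finding:
#   REMOVE account system (role)          not on the approved list at all
#   DOWNGRADE account system role->max    approved, but with more privilege than allowed
access_review() {
  current=$1; approved=$2
  printf '%s\n' "$current" | while IFS=, read -r acct sys role; do
    case "$acct" in account|'') continue ;; esac          # skip header and blank lines
    max=$(printf '%s\n' "$approved" | awk -F, -v a="$acct" -v s="$sys" '$1 == a && $2 == s { print $3; exit }')
    if [ -z "$max" ]; then
      echo "REMOVE $acct $sys ($role)"
    elif [ "$(role_rank "$role")" -gt "$(role_rank "$max")" ]; then
      echo "DOWNGRADE $acct $sys $role->$max"
    fi
  done
}

# admin_count CURRENT_CSV SYSTEM -> how many accounts hold owner/admin on SYSTEM;
# more than two or three on a small team is a sign that "admin" is the default
admin_count() {
  printf '%s\n' "$1" | awk -F, -v s="$2" \
    '$2 == s && ($3 == "admin" || $3 == "administrator" || $3 == "owner") { n++ } END { print n + 0 }'
}

# Constructed sample data (example.com and agency.example are documentation names)
CURRENT='account,system,role
alice@example.com,wordpress,admin
bob@example.com,wordpress,admin
contractor@agency.example,wordpress,admin
alice@example.com,github,owner
dave@example.com,github,admin
erin@example.com,hosting,viewer'
APPROVED='account,system,max_role
alice@example.com,wordpress,admin
bob@example.com,wordpress,editor
alice@example.com,github,owner
erin@example.com,hosting,viewer'

echo "wordpress admins: $(admin_count "$CURRENT" wordpress)"
access_review "$CURRENT" "$APPROVED"
```

On the sample data this flags the contractor who still has WordPress admin, a GitHub admin nobody approved, and an employee whose WordPress role crept up from editor to admin. The approved list is the control: if a name is not on it, the access goes, whatever anyone remembers agreeing to.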
The common excuse:
"We trust our former employees." Trust is not a security control. People's circumstances change, accounts get compromised, and credentials get reused. The principle of least privilege is not about trust — it is about reducing the blast radius when something goes wrong.
These ten steps are not exotic or expensive. Most cost nothing but time. Yet implementing all ten puts a small business ahead of the vast majority of organizations its size. Start with step one today and work through the list over the next month. Your future self — the one who does not have to deal with a preventable breach — will thank you.
Bonus: Use our free website vulnerability scanner at
scanner.blacksight.io