How I Would Secure a Small Business

Kortlen Fleischer

Kortlen Fleischer

3 min read

Most small businesses don’t get hacked because someone ran some crazy zero day.

They get hacked because of simple, avoidable stuff.

Weak passwords. No MFA. Everyone’s an admin. No backups.

So if I had to secure a company from 0 to ~50 employees, I wouldn’t overcomplicate it. No massive frameworks, no buying 10 tools just to feel secure.

I’d focus on what actually matters.

1. Identity Is Everything

At this size, your identity provider is your perimeter.

If that’s locked down, you’re already ahead of most companies.

What I’d do immediately:

  • MFA on everything. No exceptions.
  • Centralize identity (Entra ID / Google Workspace)
  • Eliminate legacy authentication methods
  • No one uses admin accounts for daily work
  • Strong passwords or just go passwordless

Why:
Most real world attacks = stolen creds. Fix that, you kill a huge chunk of risk.

2. Lock Down Endpoints (Your Biggest Weak Point)

Every laptop is a potential entry point. Treat it that way.

Baseline:

  • Intune / Jamf / whatever fits your stack
  • Full disk encryption (BitLocker / FileVault)
  • Auto patching (OS + apps)
  • EDR (Defender is fine, don’t overthink it)
  • Remove local admin from users

If someone’s device is compromised, I want:

  • Visibility
  • Control
  • The ability to kill access instantly

3. Email = Attack Vector #1

Still true. Still not going away.

Minimum setup:

  • Decent email filtering (M365 Defender is plenty)
  • SPF, DKIM, DMARC configured properly
  • Block auto-forwarding externally
  • Tag external emails

Also:

  • Add a “Report Phish” button
  • Do light training (don’t make it painful)

You’re not trying to make users security experts. You just want them to pause for 2 seconds before clicking.

4. Stop Giving Everyone Access to Everything

Small companies are guilty of this.

“Just give them access, it’s easier.”

But...... it’s not.

What I’d enforce:

  • No shared accounts
  • Role-based access
  • Quarterly access reviews (keep it simple)
  • Admin access is limited and temporary

Least privilege isn’t optional, it’s one of the easiest wins for both security and simplicity.

5. Get Control of Your SaaS Sprawl

You probably have way more apps than you think.

Do this:

  • Inventory everything
  • Force SSO on anything important
  • Disable direct logins where possible
  • Remove unused accounts immediately
  • Watch OAuth app permissions (super common blind spot)

SaaS is where a lot of quiet risk lives.

6. Backups (That Actually Work)

Everyone says they have backups.

Most people have never tested them.

  • Follow 3-2-1
  • Make backups immutable or offline
  • Test restores (this is the part people skip)
  • Separate backup access from normal accounts

If ransomware hits and your backups don’t work, that’s on you.

7. Network: Keep It Simple

You don’t need enterprise level network engineering here.

Just don’t do dumb stuff:

  • Use a decent firewall/router
  • Separate guest WiFi
  • Close anything you don’t need open
  • Use VPN or zero-trust for remote access

That’s enough at this stage.

8. Logging Without Going Overboard

You don’t need a full SIEM day one.

You do need visibility.

I’d focus on:

  • Identity logs
  • Endpoint alerts
  • Email events

And basic alerting for:

  • Login anomalies
  • MFA changes
  • Privilege escalation

"If you can’t see it, you can’t respond to it."

9. Policies (Keep Them Short)

No one in a 20-person company is reading a 40-page policy.

So don’t write one.

Just cover:

  • Acceptable use
  • MFA/password expectations
  • Device rules (BYOD vs managed)
  • Basic incident response steps

Clear > comprehensive.

10. Assume You’ll Get Hit

Because you might.

And small companies are usually less prepared.

Have a basic plan:

  • Who handles it
  • How you lock accounts/devices fast
  • Who you call if it’s bad
  • How you communicate internally

Run through it once. You’ll immediately find gaps.

11. Culture Matters More Than Tools

You can buy all the tools you want.

Doesn’t matter if your users just click everything.

What I’d do:

  • Make security part of onboarding
  • Keep training short and real
  • Encourage reporting (don’t punish mistakes)

If people are scared to report something, you’ve already lost.

If I Had to Prioritize (Realistically)

If I only had time to do a few things:

  1. MFA everywhere + lock down identity
  2. Endpoint management + EDR
  3. Email security (SPF/DKIM/DMARC + filtering)
  4. Backups (tested)
  5. Least privilege
  6. SaaS/SSO control

Everything else is secondary.

Final Thought

At this size, security isn’t about being advanced.

It’s about not being careless.

If you:

  • Lock down identity
  • Control devices
  • Secure email
  • Limit access
  • Have real backups

You’re already doing better than most companies your size.

And honestly, that’s the goal.

Need a Hand Securing Your Small Business?

If this feels like a lot, that’s normal. Most teams don’t have a dedicated security person, and many of these basics get ignored until something breaks. Think of it like a plunger; you don’t notice it until you really need it.

I can help you:

  • Walk through your current setup and spot obvious gaps
  • Prioritize what actually matters (without overcomplicating it)
  • Make sure you have real protections in place before trouble hits

Reach out on LinkedIn or follow this blog and I’ll keep breaking down practical ways to keep your company secure.