
Cut Your Breach Risk in 90 Days: A Simple Plan for Small Businesses

Small Business Security: Stop Breaches With Basic Controls

Published: November 5, 2025 | Last updated: November 5, 2025

Bottom Line: You don't need new tools to lower risk. Start with three moves—reduce what's exposed online, turn on stronger sign-in, and patch known problems first. This guide shows exactly what to do and who should do it. No jargon, just clear steps you can delegate to your IT provider or implement yourself.

60-Second Business Health Check

Answer yes or no to these five questions. If you answer “no” to any, the corresponding section below tells you exactly what to do next.

Quick Assessment:

  • ☐ All staff use a second step to sign in (app prompt or security key)
  • ☐ We can list every website, service, or system accessible from the internet
  • ☐ We know who to call and what to do if an account is compromised
  • ☐ Backups exist and we've successfully restored something in the last 6 months
  • ☐ Vendors and contractors have their own logins that expire automatically

Most security incidents happen because basic protections are missing—not because of sophisticated attacks. The good news: fixing the fundamentals is straightforward, affordable, and dramatically reduces your risk.

Why This Matters for Your Business

Cybersecurity breaches cost small businesses an average of $200,000 per incident, and 60% of small businesses close within six months of a major breach. But here's what most business owners don't know: the vast majority of these incidents could have been prevented with basic controls.

Attackers don't usually hack in—they log in using stolen passwords, exploit unpatched software on internet-facing systems, or walk through misconfigured settings. This playbook addresses those exact vulnerabilities with practical steps anyone can follow.

The Three Big Moves That Cut Risk Fast

1. Reduce What's Exposed to the Internet

What It Is

Every service, website, or admin panel accessible from the internet is a potential entry point. Most businesses have forgotten test sites, old remote access portals, or admin consoles that shouldn't be publicly accessible.

Why It Matters

Fewer exposed services mean fewer targets. If attackers can't reach it, they can't exploit it. This is the single fastest way to reduce your attack surface.

Quick Action (30 minutes)

List every website, app, or service your business uses that can be accessed from outside your office. Include your website, email, file storage, accounting software, remote desktop, security cameras, and any admin panels.

Owner To-Dos

  • Review the list with your team—does each service need to be accessible from anywhere?
  • Decide what can be removed or restricted to office-only access
  • Approve protecting essential services with single sign-on (SSO)

IT Provider To-Dos

  • Create an inventory of all internet-facing services and subdomains
  • Remove or disable anything nonessential
  • Put the remaining services behind SSO and conditional access
  • Provide a before/after list to the owner with justification for what stays exposed

For organizations with more complex infrastructure needs, understanding your complete network architecture helps identify potential exposure points.

2. Implement Stronger Sign-In for Everyone

What It Is

Multi-factor authentication (MFA) or passkeys add a second step to your login—usually an app prompt on your phone or a security key. Even if someone steals your password, they can't sign in without that second factor.

Why It Matters

Stolen credentials are the number-one way attackers get into business systems. MFA stops approximately 99% of automated credential-based attacks. It's the highest-return security investment you can make.

Quick Action (15 minutes)

Turn on MFA for your email and file storage accounts right now—these unlock everything else in your business. Most platforms have a security settings page where you can enable “two-factor authentication” or “multi-factor authentication.”

Owner To-Dos

  • Announce company-wide MFA requirement with a 1-week deadline
  • Set policy: No MFA = No access to work systems
  • Ask the IT provider for the completion report and the list of any exceptions

IT Provider To-Dos

  • Enable MFA/passkeys for all users across email, file storage, and admin accounts
  • Block legacy sign-in methods that bypass MFA
  • Prioritize phishing-resistant options (passkeys, hardware keys) for admins
  • Document any systems that don't support MFA and create a mitigation plan

Our comprehensive guide to implementing passkeys in small business provides detailed steps for modern authentication.

3. Patch What Criminals Are Actually Using

What It Is

Known-exploited vulnerabilities are software bugs that attackers are actively exploiting to break into systems. Government agencies maintain public lists of these high-priority issues.

Why It Matters

You can't patch everything instantly, but you must fix what attackers are exploiting—especially on systems exposed to the internet, such as VPNs, firewalls, and remote access tools. The difference between a vulnerability scan and an actual breach is often one unpatched edge device.

Quick Action (1 hour)

Ask your IT provider: “Do we have any known-exploited vulnerabilities on our internet-facing systems?” Set a 72-hour fix standard for anything on CISA's Known Exploited Vulnerabilities (KEV) list.

Owner To-Dos

  • Set clear policy: Known-exploited issues on public-facing systems must be fixed within 72 hours
  • Approve maintenance windows for urgent patches
  • Request a monthly report showing patch status for critical systems

IT Provider To-Dos

  • Monitor CISA KEV Catalog and vendor security advisories
  • Prioritize patches for internet-facing systems (VPNs, firewalls, web servers)
  • Add compensating controls (geofencing, WAF rules) when immediate patching isn't possible
  • Track and report median time-to-patch for KEV items

Understanding your network security posture through regular audits helps identify which systems require priority patching attention.
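The "check internet-facing systems against the KEV list and report median time-to-patch" task above, as an added example that is not part of the original article: it takes an asset inventory and a KEV-shaped feed, applies the 72-hour standard to internet-facing hosts, and computes the metric the monthly report asks for. The feed layout follows the public CISA KEV JSON; the entries, CVE identifiers, hostnames and dates are constructed placeholders.

```python
"""Check an asset inventory against a CISA KEV extract and report 72h SLA status.

Added example, not from the iFeeltech article. The feed shape (a top-level
"vulnerabilities" list with cveID, vendorProject, product, dateAdded, dueDate)
matches the public KEV JSON; the entries, CVE ids and inventory below are
CONSTRUCTED placeholders so the script runs offline.
"""
from datetime import datetime, timedelta
from statistics import median

KEV_SLA = timedelta(hours=72)  # article's fix standard for internet-facing systems

KEV_FEED = {  # constructed extract; placeholder CVE ids
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2025-10-01", "dueDate": "2025-10-22"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleFW", "product": "Firewall OS",
         "dateAdded": "2025-10-20", "dueDate": "2025-11-10"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCMS", "product": "Web CMS",
         "dateAdded": "2025-10-28", "dueDate": "2025-11-18"},
    ]
}

# Constructed inventory from the "list every internet-facing service" step.
# "cves" is what the patch tool reports present; "fixed" is the remediation
# date or None while the item is still open.
INVENTORY = [
    {"host": "vpn.example.test", "internet_facing": True,
     "cves": {"CVE-0000-0001": {"fixed": "2025-10-02"}}},
    {"host": "fw-edge.example.test", "internet_facing": True,
     "cves": {"CVE-0000-0002": {"fixed": None}}},
    {"host": "intranet-wiki.example.test", "internet_facing": False,
     "cves": {"CVE-0000-0003": {"fixed": None}}},
]


def kev_index(feed):
    """Map cveID -> KEV entry; anything not in here follows the normal cycle."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def kev_findings(inventory, feed, today_iso):
    """One finding per (host, KEV cve): status fixed / open / overdue.

    The 72h clock starts at the KEV dateAdded. Only internet-facing hosts can
    go 'overdue'; internal hosts are listed so nobody forgets them.
    """
    kev = kev_index(feed)
    now = datetime.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve, state in asset["cves"].items():
            if cve not in kev:
                continue
            added = datetime.fromisoformat(kev[cve]["dateAdded"])
            deadline = added + KEV_SLA
            if state["fixed"]:
                days = (datetime.fromisoformat(state["fixed"]) - added).days
                status = "fixed"
            else:
                days = None
                status = "overdue" if asset["internet_facing"] and now > deadline else "open"
            findings.append({"host": asset["host"], "cve": cve,
                             "internet_facing": asset["internet_facing"], "status": status,
                             "time_to_patch_days": days, "deadline": deadline.date().isoformat()})
    return findings


def median_time_to_patch_days(findings):
    """The metric the article asks the provider to report each month."""
    vals = [f["time_to_patch_days"] for f in findings
            if f["status"] == "fixed" and f["internet_facing"]]
    return median(vals) if vals else None


if __name__ == "__main__":
    found = kev_findings(INVENTORY, KEV_FEED, "2025-11-05")
    for f in found:
        print(f"{f['host']:28} {f['cve']}  {f['status']:8} SLA deadline {f['deadline']}")
    print("median time-to-patch (days):", median_time_to_patch_days(found))
```

To run it against real data, replace KEV_FEED with the downloaded CISA catalog and INVENTORY with your patch tool's export; the logic is unchanged.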

Protect Your Essential Business Functions

Email and Domain Protection (20 minutes to start)

What It Is

Email authentication (SPF, DKIM, and DMARC) prevents criminals from sending emails that appear to come from your domain. It's like putting an official seal on your mail that recipients can verify.

Why It Matters

Invoice fraud, wire transfer scams, and phishing attacks often use spoofed emails that appear to be from your company or a trusted vendor. Email authentication blocks most of these attempts.

Quick Action

Check if your domain has DMARC protection using a free online checker. If not, ask your IT provider or email host to set it up.

Owner To-Dos

  • Verify DMARC is enabled for your domain
  • Request quarterly reports on blocked spoofing attempts
  • Establish a clear process for staff to report suspicious emails

Our detailed DMARC implementation guide walks through the complete setup process for small businesses.
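The "check if your domain has DMARC protection" step, as an added example that is not from the original article: it parses a DMARC record and the SPF record's `all` mechanism and says whether they merely monitor or actually block spoofing. The record strings are constructed; a real check would fetch the TXT records from DNS (SPF at the domain apex, DMARC at `_dmarc.<domain>`), which is left out so the code runs offline.

```python
"""Evaluate SPF and DMARC TXT records for the spoofing protections the article
describes. Added example, not from the iFeeltech article. The records below are
CONSTRUCTED; in practice they are fetched from DNS (TXT at the domain apex for
SPF, TXT at _dmarc.<domain> for DMARC), omitted here so the example is offline.
"""
import re


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (tags lowercased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def assess_dmarc(record):
    """Return (level, notes); level is 'none', 'monitor', 'partial' or 'enforced'."""
    if record is None:
        return "none", ["no _dmarc TXT record: spoofed mail from your domain is not rejected"]
    tags = parse_dmarc(record)
    notes = []
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if "rua" not in tags:
        notes.append("no rua= address: you get no aggregate reports on spoofing attempts")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        notes.append("sp=none leaves subdomains unprotected")
    if policy == "none":
        return "monitor", notes + ["p=none only reports; move to p=quarantine, then p=reject"]
    if pct < 100:
        return "partial", notes + [f"pct={pct}: policy applies to only {pct}% of failing mail"]
    return "enforced", notes


def assess_spf(record):
    """Classify the SPF 'all' mechanism; +all or a missing all means anyone may send."""
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", ["no SPF record: receivers cannot tell which servers may send as you"]
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return "weak", ["SPF record has no 'all' mechanism; it effectively permits any sender"]
    qualifier = match.group(1) or "+"
    if qualifier == "-":
        return "enforced", []
    if qualifier == "~":
        return "softfail", ["~all: receivers may accept but mark failing mail; DMARC still evaluates it"]
    return "weak", [f"{qualifier}all: permits or ignores unauthorized senders"]


if __name__ == "__main__":
    # Constructed records for example.test (not real DNS answers).
    for label, rec in [("monitor-only", "v=DMARC1; p=none; rua=mailto:dmarc@example.test"),
                       ("enforced", "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test")]:
        print(label, assess_dmarc(rec))
    print("spf", assess_spf("v=spf1 include:_spf.example-mailhost.test -all"))
```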

Backups That Actually Restore (Test quarterly)

What It Is

Backups are copies of your critical business data stored separately from your central systems. Immutable backups can't be encrypted or deleted by ransomware.

Why It Matters

Ransomware attacks lock up your files and demand payment to unlock them. If you have clean, tested backups, you can simply restore your data and avoid paying criminals. Without backups, many businesses face weeks of downtime or permanent data loss.

Quick Action

Identify your five most critical business systems or data sets. Schedule a restore test for one of them this month—actually pull the files back and verify they work.

Owner To-Dos

  • Define what data is critical and cannot be lost
  • Set quarterly restore test requirement
  • Ask: “If we were hit by ransomware today, how long would it take to recover?”

IT Provider To-Dos

  • Implement 3-2-1 backup strategy (3 copies, 2 different media, 1 offsite)
  • Enable immutable or offline backups for critical systems
  • Test restores quarterly and document recovery time
  • Protect backup admin consoles with MFA and network restrictions

For comprehensive data protection strategies, review our guide to business backup solutions and implementation options.

Endpoint Protection on Every Device (1 week rollout)

What It Is

Endpoint Detection and Response (EDR) is an advanced antivirus that watches for suspicious behavior on computers and servers, not just known viruses. It can detect and stop ransomware even when it's a brand-new variant.

Why It Matters

Traditional antivirus software only catches known threats. Modern EDR spots unusual patterns—like a program suddenly encrypting thousands of files—and stops the attack in real time.

Quick Action

Ask your IT provider: “Do we have EDR on all endpoints and servers?” If not, request implementation within 30 days.

Owner To-Dos

  • Approve EDR deployment to 100% of devices
  • Request a monthly coverage report
  • Clarify who monitors alerts and responds to detections

Learn more about selecting the right cybersecurity tools for your business size and industry.

Work Safely With Vendors and Contractors

What It Is

Vendor access management means giving external partners their own temporary logins with only the permissions they need—never sharing your staff accounts or giving permanent, broad access.

Why It Matters

Third-party breaches are rising rapidly—approximately 30% of incidents now involve vendor access. When a contractor's account gets compromised, attackers use it to reach your systems.

Quick Action

Review current vendor access. Who has login credentials to your systems? Are any of those accounts shared or permanent?

Owner To-Dos

  • Set policy: No shared accounts for vendors; all access expires at project end
  • Require a quarterly review of active vendor accounts
  • Ask for a list of vendors with privileged access and their expiration dates

IT Provider To-Dos

  • Create a separate identity for each vendor with scoped permissions
  • Set automatic expiration (30-90 days typical)
  • Require MFA for all vendor accounts
  • Log and review privileged vendor actions monthly

Your 90-Day Implementation Plan

Days 1-30: Close Obvious Gaps

Week 1:

  • Complete 60-second health check
  • Create an inventory of internet-facing services
  • Enable MFA on email and file storage for all users

Week 2:

  • Remove nonessential internet-facing services
  • Request a KEV vulnerability scan on public-facing systems
  • Verify DMARC protection is active

Week 3:

  • Patch any KEV-listed vulnerabilities found
  • Lock down exposed admin panels behind SSO
  • Test one critical system backup restore

Week 4:

  • Complete rollout of MFA to 100% of users
  • Document what stays internet-accessible and why
  • Review the month 1 progress with the IT provider

Days 31-60: Strengthen Identity and Logging

Week 5-6:

  • Roll out single sign-on (SSO) for core business apps
  • Implement least-privilege access controls
  • Set up just-in-time admin elevation

Week 7-8:

  • Centralize identity, endpoint, and cloud logs
  • Configure high-priority alerts to reach the on-duty responder
  • Review and retire duplicate or abandoned accounts

Days 61-90: Build Response and Resilience

Week 9-10:

  • Deploy EDR to 100% of endpoints and servers
  • Verify all backups are immutable or offline
  • Create a vendor access workflow with auto-expiry

Week 11-12:

  • Write a one-page incident response playbook
  • Run a tabletop exercise with key staff
  • Document improvements needed based on the exercise
  • Conduct a 90-day security review and plan for the next quarter

Copy-and-Send Email Templates

Template 1: Initial Request to IT Provider

Subject: Security improvements—starting this week

Hi [Name],

I'd like to prioritize three security improvements this month:

  1. MFA everywhere: Please enable phishing-resistant MFA for all users and admins across email, file storage, and admin systems. Target: 100% coverage by [date]. Send me confirmation and note any exceptions.
  2. Internet exposure: Please provide a list of all our internet-facing services and systems. Include recommendations for what we can remove or restrict.
  3. Known vulnerabilities: Please check for any CISA KEV-listed vulnerabilities on our public-facing systems and patch within 72 hours. Going forward, this becomes our standard.

Let's schedule 30 minutes this week to review the plan.

Thanks,
[Your name]

Template 2: Monthly Security Check-In

Subject: Monthly security status—[Month]

Hi [Name],

Please provide brief updates on these items by [date]:

  • MFA coverage: What % of users are now using MFA? Any holdouts or issues?
  • Patching: Any KEV vulnerabilities outstanding on internet-facing systems? If yes, what's the plan?
  • Backups: When was the last restore test? Results?
  • Vendor access: How many active vendor accounts? Any that should expire?
  • Incidents: Any security alerts or suspicious activity this month?

Thanks,
[Your name]

Template 3: Vendor Security Requirements

Subject: Access requirements for [Project name]

Hi [Vendor name],

For security and compliance, all vendor access must follow these requirements:

  • Separate login credentials (not shared with our staff)
  • Multi-factor authentication enabled
  • Access is limited to systems needed for this project
  • Automatic expiration on [project end date + 30 days]

Please coordinate with our IT team ([contact]) to set up your access. They'll provide credentials and confirm scope.

Thanks,
[Your name]

Simple One-Page Incident Response Plan

Print this and keep it accessible. Update contact information quarterly.

When Something Seems Wrong

Trigger events: Suspected account compromise, ransomware/malware detection, unusual admin activity, data exposure, wire transfer or payment fraud attempt

Step 1: Triage (First 15 minutes)

  • What happened? When? Who discovered it?
  • Which accounts or systems are affected?
  • Is it still active or spreading?

Step 2: Contain (Immediate)

  • Disable/reset compromised user accounts
  • Isolate affected devices from the network
  • Revoke access tokens and API keys if involved
  • Block known malicious indicators (IPs, domains, file hashes)

Step 3: Investigate (First 24 hours)

  • Establish a timeline of events
  • Identify entry point and method
  • Determine what privileges were used
  • Identify what data was accessed or exfiltrated

Step 4: Eradicate (Once contained)

  • Apply security patches to affected systems
  • Reimage compromised devices from clean backups
  • Remove malware persistence mechanisms
  • Fix configuration issues that enabled entry

Step 5: Recover (When clear)

  • Restore systems from verified clean backups
  • Re-enable user access gradually with monitoring
  • Verify systems are functioning normally
  • Resume normal business operations

Step 6: Learn (Within 1 week)

  • Document root cause and complete timeline
  • Identify control gaps that allowed the incident
  • Update processes and technical controls
  • Notify affected parties if required by law

Key Contacts

IT Provider: [Name, phone, email]
Internal IT Lead: [Name, phone, email]
Business Decision Maker: [Name, phone, email]
Legal Counsel: [Name, phone, email]
Insurance Contact: [Cyber insurance provider, policy #, phone]
Law Enforcement: [Local FBI field office, non-emergency number]

Track What Matters: Simple Security Metrics

Review these monthly with your IT provider. Track trends, not just point-in-time snapshots.

Metric             | What to Track                            | Target
-------------------|------------------------------------------|---------------------------------------
Internet Exposure  | Count of internet-facing services        | Declining or stable with justification
MFA Adoption       | % of users with MFA enabled              | 100%
Patching Speed     | Days to fix KEV items on public systems  | ≤3 days median
Endpoint Coverage  | % of devices with EDR deployed           | 100%
Backup Health      | Days since last successful restore test  | ≤90 days
Vendor Access      | Count of active vendor accounts          | All with expiration dates
Incident Response  | Days from alert to containment           | Track and improve

Common Pitfalls and How to Avoid Them

Pitfall: Shadow IT and unmanaged SaaS apps

Prevention: Require all new apps to go through IT approval. Run quarterly SaaS discovery scans. Enforce SSO for all business tools—if an app can't integrate with SSO, it needs executive approval as an exception.

Pitfall: Permanent admin rights

Prevention: Replace standing admin access with just-in-time elevation. Admins request temporary elevated rights for specific tasks with automatic time limits and approval workflows.

Pitfall: Slow or incomplete patching

Prevention: Create a separate “security fast lane” for edge devices and KEV-listed issues. Non-critical patches can follow the standard monthly cycle, but known-exploited vulnerabilities on internet-facing systems get a 72-hour SLA.

Pitfall: Backups you can't actually restore

Prevention: Schedule restore tests quarterly. Actually pull files back, open them, and verify they work. Record how long it took and what problems you encountered. Fix those problems before you need the backup in a real emergency.

Pitfall: Vendor access that never expires

Prevention: Every vendor account gets an expiration date at creation. No exceptions. Set calendar reminders to review active vendor access quarterly. Auto-disable accounts that haven't been used in 60 days.
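The vendor-account rules from the "Work Safely With Vendors and Contractors" IT Provider To-Dos and from this pitfall (an expiration date on every account, MFA required, auto-disable after 60 days idle), as one added example that is not part of the original article. It runs over a constructed identity-provider export; field names and the 90-day lifetime limit are assumptions taken from the "30-90 days typical" guidance.

```python
"""Review vendor/contractor accounts against the article's rules: every account
has an expiration date, expired accounts are disabled, MFA is on, and anything
unused for 60 days is auto-disabled. Added example, not from the iFeeltech
article; the account list is CONSTRUCTED to stand in for an IdP export.
"""
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=60)   # "auto-disable ... not used in 60 days"
MAX_LIFETIME = timedelta(days=90)       # "automatic expiration (30-90 days typical)"

# Constructed export: one row per external identity.
VENDOR_ACCOUNTS = [
    {"user": "svc-hvac-contractor", "vendor": "HVAC Co", "created": "2025-08-01",
     "expires": "2025-09-01", "last_login": "2025-08-20", "mfa": True, "enabled": True},
    {"user": "webdev-agency", "vendor": "Web Agency", "created": "2025-03-15",
     "expires": None, "last_login": "2025-10-30", "mfa": True, "enabled": True},
    {"user": "payroll-consultant", "vendor": "Payroll LLC", "created": "2025-10-01",
     "expires": "2025-12-30", "last_login": "2025-11-04", "mfa": False, "enabled": True},
    {"user": "old-it-vendor", "vendor": "Former MSP", "created": "2024-01-10",
     "expires": "2024-07-10", "last_login": "2024-06-01", "mfa": False, "enabled": False},
]


def _d(s):
    """ISO date string -> date, passing None through for missing values."""
    return date.fromisoformat(s) if s else None


def review_vendor_access(accounts, today_iso):
    """Return {user: [violations]} for enabled accounts; disabled ones are skipped.

    Violation codes: no_expiry, expired_still_enabled, lifetime_over_90d,
    inactive_60d, no_mfa. An empty dict means the vendor list is clean.
    """
    today = date.fromisoformat(today_iso)
    report = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        issues = []
        created, expires, last = _d(acct["created"]), _d(acct["expires"]), _d(acct["last_login"])
        if expires is None:
            issues.append("no_expiry")
        else:
            if expires < today:
                issues.append("expired_still_enabled")
            if expires - created > MAX_LIFETIME:
                issues.append("lifetime_over_90d")
        if last is None or today - last > INACTIVITY_LIMIT:
            issues.append("inactive_60d")
        if not acct["mfa"]:
            issues.append("no_mfa")
        if issues:
            report[acct["user"]] = issues
    return report


def accounts_to_disable(report):
    """Accounts the article says to disable now: expired or idle past 60 days."""
    return sorted(user for user, issues in report.items()
                  if "expired_still_enabled" in issues or "inactive_60d" in issues)


if __name__ == "__main__":
    rep = review_vendor_access(VENDOR_ACCOUNTS, "2025-11-05")
    for user, issues in rep.items():
        print(f"{user:22} {', '.join(issues)}")
    print("disable now:", accounts_to_disable(rep))
```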

Real Examples: What Good Security Prevents

Invoice Fraud Stopped

A small architecture firm receives an email that appears to be from their regular steel supplier requesting updated payment details for an upcoming order. The email looks legitimate with correct logos and signature.

Without protections: The controller updates the payment information in their accounting system and processes the next invoice—$12,000 goes to criminals.

With DMARC + MFA: The email fails DMARC authentication because it's spoofed. Even if it got through, when the controller tries to update payment details, the accounting system requires MFA confirmation. The extra verification step prompts them to call the supplier directly, catching the fraud attempt.

Ransomware Recovery Without Paying

A medical practice gets hit with ransomware that encrypts patient files and billing records. The attackers demand $50,000 in Bitcoin to decrypt the files.

Without protections: The practice has no recent backups. Patient care is disrupted for weeks. Many businesses in this situation pay the ransom and still don't get their files back.

With tested backups: The IT team verifies the backup integrity, wipes compromised systems, and restores from last night's immutable backup. The practice is back to normal operations in 6 hours with zero data loss and no ransom payment.

Credential Stuffing Attack Fails

An employee's personal email and password were exposed in a data breach at a retail website. Attackers use automated tools to try that same email/password combination on thousands of business services.

Without protections: The employee reused their password across multiple accounts. Attackers successfully log into the company's project management tool and exfiltrate client contracts and financial projections.

With MFA + unique passwords: Even though the employee reused the password (against policy), the MFA requirement stops the automated login attempt. The employee receives an unexpected MFA prompt, realizes their credentials have been compromised, and immediately resets their password.

Frequently Asked Questions

Does implementing these controls replace our need for cyber insurance?

No. Good security controls reduce your risk and may lower your premiums, but insurance remains an essential backstop for residual risk. Many insurers now require MFA and EDR as baseline controls to qualify for coverage.

How much will this cost for a business with 10-25 employees?

Budget approximately $50-150 per user per month for security tools (MFA, EDR, backup, logging), plus implementation time. Many controls (reducing internet exposure, improving patching process) cost only time, not money. The investment is substantially less than the costs of breach recovery or ransom payments.

What if my staff complain about MFA being inconvenient?

Modern MFA (especially passkeys) adds only 2-3 seconds to sign-in. Frame it as protecting both company assets and employee personal liability. Make it clear: inconvenience is not optional—MFA is required for access. Most resistance fades within the first week.

We're too small to be a target. Do we really need this?

Small businesses are frequent targets precisely because attackers assume you have fewer protections. Automated attacks don't discriminate by company size—they scan for vulnerable systems and exploit whatever they find. Basic controls stop most of these automated attacks.

Can we phase this in over 6-12 months instead of 90 days?

You can, but risk remains elevated during the delay. The 90-day plan prioritizes the highest-impact controls first. If you need to stretch the timeline, focus on the “Days 1-30” items (MFA, reduce exposure, patch KEV issues) immediately and phase in the rest.

What role does employee training play?

Training helps create security awareness, but technical controls prevent mistakes from becoming breaches. Start with strong technical controls (MFA, EDR, backups), then add training as a supplementary layer. Don't rely on training alone—it's the weakest control.

How do I know if my IT provider is doing a good job with security?

Ask specific questions from this guide: MFA coverage percentage, KEV patching timeline, backup restore test results, and vendor access expiration dates. If they can't answer or push back on implementing these basics, that's a red flag. Consider getting a second opinion through an independent security assessment.

What if we get breached even after implementing all of this?

No security is perfect. These controls dramatically reduce risk and limit damage if something does get through. Your incident response plan and tested backups ensure you can recover quickly. Document what happened, fix the gap, and improve—that's how mature organizations handle security.

Decision Framework: Good, Better, Best

Not every business needs the most advanced security controls. Use this framework to match your investment to your risk profile.

Security Area       | Good (Start Here)     | Better (Next Step)                                  | Best (Mature)
--------------------|-----------------------|-----------------------------------------------------|-------------------------------------------------------
Authentication      | App-based MFA for all | Passkeys for staff; hardware keys for admins        | Passkeys + conditional access (device health checks)
Patching            | Monthly cycle         | KEV items on internet-facing systems within 1 week  | 24-72h SLA for edge devices with compensating controls
Backups             | Daily cloud backup    | Quarterly restore tests documented                  | Immutable + offline copies; tested recovery procedures
Vendor Access       | Named accounts + MFA  | Auto-expiry + scoped roles                          | Just-in-time access + full audit trail
Endpoint Protection | Traditional antivirus | EDR on all endpoints                                | EDR + MDR with 24/7 monitoring
Monitoring          | Basic logs collected  | Centralized logging + high-priority alerts          | SIEM with tuned detection rules and SOC response
Incident Response   | Know who to call      | One-page playbook documented                        | Quarterly tabletop exercises + retainer with IR firm

Most small businesses should target the “Better” column for critical systems within 90 days, then work toward “Best” over the following year based on risk and budget.

When to Consider Professional Help

Some businesses can implement these controls with their existing IT provider. Others benefit from specialized security expertise. Consider bringing in a security professional or managed service provider when:

For Miami-area businesses, our team has deployed enterprise-grade security solutions for over 100 organizations. We can conduct an independent security assessment, implement these controls, or provide ongoing managed security services.

Conclusion: Start This Week

Security incidents happen because basic controls are missing, not because of sophisticated attacks. The fundamentals—knowing what you expose, hardening identity, patching strategically, and preparing to respond—prevent the vast majority of breaches.

You don't need to implement everything at once. Start with the three big moves: reduce your internet exposure, enable MFA everywhere, and patch known-exploited vulnerabilities. These actions dramatically lower your risk in the first month.

Use the 90-day plan, email templates, and metrics framework to maintain momentum. Security improves when teams focus on a few fundamentals and make them routine. Print the one-page incident response plan, schedule your first tabletop exercise, and test a backup restore this quarter.

The difference between a secure business and a breached business is often just consistent execution of basics. Start this week.

Additional Resources

External References

  • CISA Known Exploited Vulnerabilities (KEV) Catalog – Updated daily with vulnerabilities actively used by attackers
  • Verizon Data Breach Investigations Report 2025 – Annual analysis of breach patterns and trends
  • Microsoft Digital Defense Report 2025 – Identity-centric defense guidance and threat intelligence
  • NIST Cybersecurity Framework 2.0 – Framework for managing cybersecurity risk

About iFeelTech: We're a Miami-based IT services company specializing in enterprise-grade network infrastructure and cybersecurity for small and medium businesses. Since 2015, we've deployed secure, scalable technology solutions for over 100 South Florida organizations. Our team holds CISSP, Security+, and vendor certifications from Ubiquiti, Dell, and HP.
