Small Business Cybersecurity Course
Learn to Secure Your Small Business!
Our approach to small business cybersecurity is simple:
By combining security-first behaviors and configurations with just a few carefully selected technologies and services, small businesses can achieve enterprise-grade security on par with the best-defended companies in the world.
Our goal is to educate and empower small business owners and decision makers, enabling them to achieve nothing less than a world-class security posture.
How to Use This Course
This course is designed to be flexible and action-oriented. You’ll find two types of articles:
- Informational Articles — Our informational articles provide a solid understanding of small business cybersecurity concepts, helping you learn the “why” behind the practices. Compared with Task articles, they are more theoretical – although they contain as much practical information as possible to help you improve your security posture.
- Task Articles — These are hands-on, practical, step-by-step guides that walk you through essential actions to improve your security. They assume that you have enough knowledge to perform the Task, which you can get from reading the associated Informational Articles or from another source.
Feel free to approach this course in the way that works best for you. We’ve designed it with two key goals in mind:
- To provide a logical flow from beginning to end—giving you the context and understanding needed to steadily strengthen your security posture.
- To align with common security compliance frameworks as much as possible.
Why the focus on compliance frameworks? Because countless cybersecurity and IT professionals have spent many years refining these standards to help businesses deploy effective security practices. Rather than reinventing the wheel, we’ve built on this collective expertise—adapting it for small businesses in a practical, actionable way.
Where our course differs from typical frameworks is in how the content is structured and sequenced. Compliance checklists often jump between technical controls and policies, but we’ve designed this course to flow logically from one topic to the next—starting with foundational concepts and progressing to more complex (and sometimes more costly) tasks. This ensures the journey is manageable, maximizes ROI, and helps small businesses build strong defenses step-by-step.
Remember: Cybersecurity is about doing, not just reading. Don’t feel like you need to master every detail before you start. The important thing is to begin taking steps in the right direction—the course will help guide you along the way. And if you ever need help, don’t hesitate to reach out. We’re here to support you.
Learn More About How We Tackle Small Business Cybersecurity
When it comes to small business cybersecurity, we want to enable small businesses to dramatically improve their security posture using a value-based approach. We’ve structured this course to reflect our philosophy.
We start with the most important things (which happen to be 100% free), like: using strong passwords, a password manager, and multi-factor authentication (MFA); adopting the principle of least privilege; managing patches and updates; and segmenting the business network.
One of the first things that we strongly encourage is for our customers to utilize cybersecurity frameworks that have been designed for small businesses – such as the Center for Internet Security (CIS) 18 Critical Security Controls. Implementation Group 1 (IG1) is well suited as a starting point for many small businesses.
Note: When we work with customers, our approach is often to identify the right framework to use as a reference – with business-specific adjustments – which ensures excellent adherence to security standards and helps prepare the business for future growth. For small businesses with increased security compliance requirements—such as HIPAA or GDPR—we emphasize NIST frameworks to support their certification readiness.
Once we’ve thoroughly covered the basics, we look at the cybersecurity technology and services that are the most important for small businesses, including antivirus (AV), firewalls, endpoint/managed detection and response (EDR/MDR), and backups.
Finally, we’ll look at more advanced topics like active defense and offensive cybersecurity. While most small businesses don’t require every advanced security service to bolster their defenses, strategic use of targeted offerings—such as penetration testing—can verify that your program truly works and is ready to protect critical assets. By scoping these engagements thoughtfully, small businesses can achieve an exceptional return on investment.
Section 1: Introduction to Small Business Cybersecurity
This section provides an introduction to small business cybersecurity and lays a foundation for the course contents that follow.
- What is Cybersecurity? A Gentle Introduction for Small Businesses
- The Top Cybersecurity Threats Facing Small Businesses Today
- The Small Business Cybersecurity Advantage
- What Small Businesses Can Learn From How Big Business Does Cybersecurity
- How Attackers Get In – Critical Lessons for Cybersecurity
Section 2: Performing An Asset Inventory
There’s an adage in security: “You can’t protect what you don’t know.”
Before you can build a strong cybersecurity foundation, you need a good idea of what you’re protecting. That starts with taking inventory of your hardware and software.
Most small businesses skip this step—but it’s one of the most important. Without an inventory, it’s easy to overlook outdated devices, insecure apps, or systems you didn’t even realize were connected to your network. Inventory is also the first control in the CIS 18 Critical Security Controls. It’s first for a reason – we can’t effectively secure a business until we know what it is that we’re securing.
- What Is an Asset Inventory — And Why Does It Matter for IT and Cybersecurity?
- Task 1: Build a Hardware Inventory
- Task 2: Build a Software Inventory
Section 3: Behavioral and Configurational Security
In this section, we’ll get hands-on and explore practical, high-impact steps small businesses can take to strengthen their security posture—without wasting time or money. Our goal is to help you focus on actions that deliver real value and that have the highest return on investment (ROI).
A common misconception among small business owners is that cybersecurity starts with buying expensive tools. We want to challenge that idea.
Yes, having the right products in place is important. But no technology—no matter how advanced—can make up for weak fundamentals. Strong security starts with good habits and smart configurations.
We’d love to be able to sell you a tool that makes you secure no matter what—but the truth is, that product doesn’t exist. And pretending it does would go against everything we stand for.
Instead, we’re here to guide you through simple, foundational practices that are easy to implement and actually work—and that put you in a position to make smart decisions about tools when the time is right.
- Introduction to Behavioral and Configurational Security
- Using Secure Authentication: Creating and Managing Secure Passwords and MFA
- Task 3: Set Up and Learn to Use a Password Manager
- Task 4: Use Your Password Manager to Generate & Store Strong Passwords
- Task 5: Set Up Multi-Factor Authentication
- Optional – Task 5a: Set up MFA for Operating System (OS) Logins
- The Principle of Least Privilege (PoLP) and Least Privilege Access
- Task 6: Use The Principle of Least Privilege
- Task 7: Patch and Update Management
- Improve Your Operational Security (OPSEC): Separating Personal and Professional Use of Tech
Section 4: Defense-in-Depth
There’s a bewildering amount of cybersecurity tech and services out there.
What does it all mean? Which technologies are the most important with the highest value for small businesses?
In this section, we cover common cybersecurity technologies and services and specifically look at those that are the most important to small businesses.
- Introduction to Defensive Technologies
- Antivirus (AV) – The Foundation of Endpoint Security
- Task 8: Ensure Antivirus is Set Up and Configured On All Computers
- Firewalls For Small Businesses
- Task 9: Secure Critical Devices with Host-Based Firewalls
- DNS-Based Security
- Task 10: Set Up DNS-Based Security on All Devices
- Endpoint Protection: A Deep Dive Into EDR And MDR
- Task 11: Deploy MDR on Critical Computers
- Backups For Small Business
- Task 12: Assess if Backups Are Required and Deploy As Needed
- Small Business Network Segmentation
- Task 13: Segment Your Small Business Network
Website Security For Small Businesses
- Securing Your Small Business Website
- Securing a WordPress Website
Email Security For Small Businesses
- Email Security Basics
- Using DKIM and DMARC to help secure email
Advanced Topics in Small Business Cybersecurity
These topics are important in the field of small business cybersecurity but are a bit more specialized or complex.
- SIEM – Security Information and Event Management – For Small Businesses
- SOC – Security Operations Center
- XDR – Extended Detection and Response
- Active Defense and Honeypots
- Offensive Cybersecurity For Small Businesses
Legacy (Retired) Lessons That May Still Be Useful
- 5 Steps to A Strong Defensive Posture: Mastering Small Business Cybersecurity
- Defensive Cybersecurity Technologies for Small Businesses
TL;DR: A Condensed Introduction to Cybersecurity for Small Businesses
Before we dive into the details of how to secure our systems, let’s start by briefly defining what we mean by the term cybersecurity.
What is Cybersecurity?
Cybersecurity is the practice of protecting our computer systems. We may initiate a cybersecurity program by taking inventory of the technology that we use. This includes hardware like laptops, desktops, mobile phones, and printers. In today’s workplace, it may also include a smart refrigerator or other smart devices.
The goal of our defensive cybersecurity practice is to defend all of our devices, networks, applications, and data, as best as possible, given resource constraints like a budget.
Cybersecurity is similar to physical security. Instead of door locks, in the digital world we have passwords. As with locks, we can often choose how strong we want them to be. In place of an alarm system, in cybersecurity there are AV (antivirus) and EDR/MDR (endpoint / managed detection and response), as well as others. And a real-life fence corresponds to a network firewall.
Challenges in implementing cybersecurity include educating users, defending against social engineering, and maintaining all systems so they are free of vulnerabilities.
Our Approach to Small Business Cybersecurity
We use a five-step approach to help small businesses achieve enterprise-grade security:
- Optimize behavioral and configurational security.
- Assess and securely redesign the company’s network(s).
- Research and deploy defensive technologies like firewalls, AV, and EDR.
- Use active defensive tactics to maximize ROI and achieve enterprise-grade security.
- Use targeted offensive cybersecurity services to test and harden the company’s networks and devices.
These five steps are designed to provide the highest ROI upfront. In general, each step is more important than the steps that follow.
The first three steps provide a solid foundation for cybersecurity at an organization. They involve a wide range of activities that help to strengthen security, from using strong passwords to deploying antivirus (AV), firewalls, and endpoint protection (EDR / MDR) to actively protect the network.
The last two steps – active defense and offensive security – use advanced tactics to help us fortify our networks and achieve true enterprise-grade security.
Authentication, Authentication – Wait For It – AUTHENTICATION
The very first thing that we recommend all small businesses start to address is – you guessed it – authentication.
What’s authentication? Put simply, authentication is the process of ensuring that a user is who they claim to be. The most common way to authenticate is by using a username and password combination. We do this for our operating systems and applications.
When it comes to improving small business cybersecurity, there are three primary activities that we recommend:
- Using strong, unique passwords. Length is the most important factor, followed by complexity. Every password needs to be strong as well as unique – meaning that each password is only used once.
- Using a password manager. It’s really tough to use strong, unique passwords without a password manager. They’re easier to use than you think! We really like Bitwarden and Keeper.
- Using multi-factor authentication (MFA). Strong passwords aren’t enough anymore. You also need to be using multi-factor authentication wherever possible; almost all popular applications support it. In terms of MFA method, text-based MFA is considered more secure than email-based MFA, and authenticator apps are considered the most secure (outside of using a physical key).
When it comes to passwords that often need to be recalled from memory, we recommend using a long passphrase that can be easily remembered while still providing excellent protection.
You can learn more about authentication and get lots of helpful tips in our article Securing Your Small Business Starts With Authentication: Using Strong Passwords, Password Managers, and MFA.
The Principle of Least Privilege
After implementing strong authentication practices across the organization, we recommend that small businesses next begin to leverage the principle of least privilege.
This principle – also known as “least privilege access” – is the idea that users in the IT environment should only have access to what they need in order to perform their responsibilities, and nothing more. This maxim arises from the fact that the more resources a user has access to, the greater the potential danger if their account is compromised or if they become an insider threat.
For example, a member of the organization may need access to the company website hosted on company servers because they’re part of the web design team. While it’s true they need access to the site’s file system, they do not need the ability to configure the server or to access other data stored within. Any access they have beyond what is needed to complete their job puts additional resources at risk.
When it comes to implementing the principle of least privilege, how an organization does so will depend heavily on the organization’s structure. For businesses with a single owner-operator, it could simply mean creating standard user accounts for everything and using them for daily activities, with the owner only using administrator accounts when admin privileges are needed.
As an organization grows, it will become increasingly difficult and costly to deploy the principle of least privilege if a foundation wasn’t laid while the company was small. At the same time, the risks presented by not leveraging it will grow. This is why we want small business owners to learn about this principle early on, even if it doesn’t mean a dramatic change in how the business operates.
You can learn more about the Principle of Least Privilege here.
Guardian Angel IT Academy
As a company, our goal is protecting small businesses from threats by providing security-first IT. Everything we do is with small business security in mind.
But we want to go beyond providing helpful services. We also want to help educate and empower small business owners and decision makers.
That’s why we’ve put a lot of effort into developing the Guardian Angel IT (GAIT) Academy, offering high-quality, affordable courses with certificates of completion, as well as publishing free courses, articles, and tutorials on this website.