Small Business Cybersecurity Course

How to Use This Course

This course is designed to be flexible and action-oriented. You’ll find two types of articles:

  • Informational Articles — Our informational articles provide a solid understanding of small business cybersecurity concepts, helping you learn the “why” behind the associated Tasks. Compared with Task articles, they are more theoretical – although they contain as much practical information as possible to help you improve your security posture.
  • Task Articles — Task articles are designed to be hands-on practical, step-by-step guides that walk you through essential actions to improve your security.

Feel free to approach this course in the way that works best for you. We’ve designed it with two key goals in mind:

  1. To provide a logical flow from beginning to end—giving you the context and understanding needed to steadily strengthen your security posture.
  2. To align with common security compliance frameworks as much as possible.

Why the focus on compliance frameworks? Because countless cybersecurity and IT professionals have spent many years refining these standards to help businesses deploy effective security practices. Rather than reinventing the wheel, we’ve built on this collective expertise—adapting it for small businesses in a practical, actionable way.

It’s important to remember that cybersecurity is about doing, not just reading. You don’t need to master every detail before you start. The important thing is to begin taking steps in the right direction—the course will help guide you along the way. And if you ever need help, don’t hesitate to reach out. We’re here to support you.

Learn More About How We Tackle Small Business Cybersecurity

When it comes to small business cybersecurity, we want to enable small businesses to dramatically improve their security posture using a value-based approach. We’ve structured this course to reflect our philosophy.

We start with the most important things (which happen to be 100% free), like: using strong passwords, a password manager, and multi-factor authentication (MFA); adopting the principle of least privilege; managing patches and updates; and segmenting the business network.

One of the first things that we strongly encourage is for our customers to utilize cybersecurity frameworks that have been designed for small businesses – such as the Center for Internet Security (CIS) 18 Critical Security Controls. Implementation Group 1 (IG1) is well suited as a starting point for many small businesses.

Note: When we work with customers, our approach is often to identify the right framework to use as a reference – with business-specific adjustments – which ensures excellent adherence to security standards and helps prepare the business for future growth. For small businesses with increased security compliance requirements—such as HIPAA or GDPR—we emphasize NIST frameworks to support their certification readiness.

Once we’ve thoroughly covered the basics, we look at the cybersecurity technology and services that are the most important for small businesses, including antivirus (AV), firewalls, endpoint/managed detection and response (EDR/MDR), and backups.

Finally, we’ll look at more advanced topics like active defense and offensive cybersecurity. While most small businesses don’t require every advanced security service to bolster their defenses, strategic use of targeted offerings—such as penetration testing—can verify that your program truly works and is ready to protect critical assets. By scoping these engagements thoughtfully, small businesses can achieve an exceptional return on investment.

Section 1: Introduction to Small Business Cybersecurity

Section 2: Performing An Asset Inventory

Section 3: Behavioral and Configurational Security

Section 4: Defense-in-Depth

Website Security For Small Businesses

  • Securing Your Small Business Website
  • Securing a WordPress Website

Email Security For Small Businesses

  • Email Security Basics
  • Using DKIM and DMARC to help secure email

Advanced Topics in Small Business Cybersecurity

Legacy (Retired) Lessons That May Still Be Useful

  • 5 Steps to A Strong Defensive Posture: Mastering Small Business Cybersecurity
  • Defensive Cybersecurity Technologies for Small Businesses

TL;DR: Cybersecurity for Small Businesses On One Page

Before we dive into the details of how to secure our systems, let’s start by briefly defining what we mean by the term cybersecurity.

What is Cybersecurity?

Cybersecurity is the practice of protecting our computer systems.

When it comes to cybersecurity, everything that you do should be with the goal of improving your business’ security posture. For example, the work that you’re doing in reading this right now is essential cybersecurity awareness training, which is incredibly important for helping to secure your business.

Cybersecurity is also about managing risk. Your business has assets, both tangible and intangible. Tangible assets include things like your physical devices, data, and even money. Intangible assets include things like your business reputation, and the trust that you build with individual customers.

Many business assets are at risk of being attacked, due to the digital, interconnected nature of the modern world. If you use a computer, phone, or other internet-connected device to manage that part of your business, then it’s inherently at risk of being attacked.

That doesn’t mean that you should treat all devices or all data equally. Because our goal is to manage risk, you need to protect your most sensitive data and most important devices more carefully.

Another important point is that there is no single app, product, tool, or service that will make you 100% secure. We want to be clear – tools are important. Very important. Antivirus is important. Firewalls are important. Endpoint detection and response, or managed detection and response, is super important – especially for critical assets. (It’s probably the most underused cybersecurity tool when it comes to small businesses.)

But these tools and services won’t protect you if you’re using weak passwords, if you’re using weak configurations, and if you’re clicking all of the links sent to you by Nigerian princes. The plus side? Most small businesses can dramatically improve their security posture without spending a dollar. Let us show you how!

Main Article: What is Cybersecurity? A Gentle Introduction for Small Businesses

The Top Threats Facing Small Businesses Today

In order to understand the threats facing small businesses in today’s digital world, first we need to look at why they are targeted to begin with. We’ve already seen that small businesses have assets – both tangible and intangible – and that there are various ways for bad actors to monetize those assets. For example, if an attacker is able to install malware that provides remote access to a company’s computers, they can then leverage this position in a variety of ways. They may try to exfiltrate (steal) data, encrypt and ransom it, or try to leverage their access to gain greater control over the company’s assets.

Our Approach to Small Business Cybersecurity

We use a five-step approach to help small businesses achieve enterprise-grade security:

  1. Optimize behavioral and configurational security.
  2. Assess and securely redesign the company’s network(s).
  3. Research and deploy defensive technologies like firewalls, AV, and EDR.
  4. Use active defensive tactics to maximize ROI and achieve enterprise-grade security.
  5. Deploy the use of targeted offensive cybersecurity services to test and harden the company’s networks and devices.

These five steps are designed to provide the highest ROI upfront. In general, each step is more important than the steps that follow.

The first three steps provide a solid foundation for cybersecurity at an organization. They involve a wide range of activities that help to strengthen security, from using strong passwords to deploying antivirus (AV), firewalls, and endpoint protection (EDR / MDR) to actively protect the network.

The last two steps – active defense and offensive security – use advanced tactics to help us fortify our networks and achieve true enterprise-grade security.

Authentication, Authentication – Wait For It – AUTHENTICATION

The very first thing that we recommend all small businesses start to address is – you guessed it – authentication.

What’s authentication? Put simply, authentication is the process of ensuring that a user is who they claim to be. The most common way to authenticate is by using a username and password combination. We do this for our operating systems and applications.

When it comes to improving small business cybersecurity, there are three primary activities that we recommend:

  1. Using strong, unique passwords. Length is the most important factor, followed by complexity. Every password needs to be strong as well as unique – meaning that each password is only used once.
  2. Using a password manager. It’s really tough to use strong, unique passwords without a password manager. They’re easier to use than you think! We really like Bitwarden and Keeper.
  3. Using multi-factor authentication (MFA). Strong passwords aren’t enough anymore. You also need to be using multi-factor authentication wherever possible; almost all popular applications support it. In terms of MFA method, text-based MFA is considered more secure than email-based MFA, and authenticator apps are considered the most secure (outside of using a physical key).

When it comes to passwords that often need to be recalled from memory, we recommend using a long passphrase that can be easily remembered while still providing excellent protection.

You can learn more about authentication and get lots of helpful tips in our article Securing Your Small Business Starts With Authentication: Using Strong Passwords, Password Managers, and MFA.

The Principle of Least Privilege

After implementing strong authentication practices across the organization, we recommend that small businesses next begin to leverage the principle of least privilege.

This principle – also known as “least privilege access” – is the idea that users in the IT environment should only have access to what they need in order to perform their responsibilities, and nothing more. This maxim arises from the fact that the more resources a user has access to, the greater the potential danger if their account is compromised or if they become an insider threat.

For example, a member of the organization may need access to the company website hosted on company servers because they’re part of the web design team. While it’s true they need access to the site’s file system, they do not need the ability to configure the server or to access other data stored within. Any access they have beyond what is needed to complete their job puts additional resources at risk.

When it comes to implementing the principle of least privilege, how an organization does so will depend heavily on the organization’s structure. For businesses with a single owner-operator, it could simply mean creating standard user accounts for everything and using them for daily activities. The owner would then use administrator accounts only when admin privileges are actually needed.
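The web-design example above can be modelled as a deny-by-default access policy: a role is granted exactly the paths and actions it needs, and everything else is refused. The following is an added example written for this course page, not code from the course or from any particular server product. The roles, path patterns and the access log are constructed for illustration; the second function shows how a defender can right-size an over-broad role by comparing what it was granted with what the account actually used.

```python
from fnmatch import fnmatchcase

# Constructed role definitions: each role lists (path pattern, allowed actions).
# fnmatch's "*" matches across "/" so "/var/www/site/*" covers the whole tree.
ROLE_GRANTS = {
    # Over-broad role as it was first set up: the designer could also edit the
    # web server config and read CRM data, none of which the job requires.
    "web_designer_legacy": [
        ("/var/www/site/*", {"read", "write"}),
        ("/etc/nginx/*", {"read", "write"}),
        ("/var/lib/crm/*", {"read"}),
    ],
    # Right-sized role: only the site's files.
    "web_designer": [
        ("/var/www/site/*", {"read", "write"}),
    ],
    # Server administration is a separate role, used only when it is needed.
    "server_admin": [
        ("/etc/*", {"read", "write"}),
        ("/var/www/*", {"read", "write"}),
        ("/var/lib/*", {"read", "write"}),
    ],
}


def is_allowed(role: str, action: str, path: str) -> bool:
    """Deny by default: allow only if some grant for the role covers both
    the action and the path. Unknown roles get no grants at all."""
    for pattern, actions in ROLE_GRANTS.get(role, []):
        if action in actions and fnmatchcase(path, pattern):
            return True
    return False


def unused_grants(role: str, access_log) -> list:
    """Return the path patterns granted to `role` that no logged access by that
    role ever touched. These are candidates for removal when right-sizing.
    `access_log` is an iterable of (user, role, action, path) tuples."""
    touched = set()
    for _user, log_role, action, path in access_log:
        if log_role != role:
            continue
        for pattern, actions in ROLE_GRANTS.get(role, []):
            if action in actions and fnmatchcase(path, pattern):
                touched.add(pattern)
    return [pattern for pattern, _ in ROLE_GRANTS.get(role, []) if pattern not in touched]


# Constructed access log for a designer working under the legacy role.
ACCESS_LOG = [
    ("dana", "web_designer_legacy", "write", "/var/www/site/index.html"),
    ("dana", "web_designer_legacy", "read", "/var/www/site/css/style.css"),
    ("dana", "web_designer_legacy", "write", "/var/www/site/img/logo.png"),
]

if __name__ == "__main__":
    print("designer can edit site:", is_allowed("web_designer", "write", "/var/www/site/index.html"))
    print("designer can edit nginx:", is_allowed("web_designer", "write", "/etc/nginx/nginx.conf"))
    print("grants never used by legacy role:", unused_grants("web_designer_legacy", ACCESS_LOG))
```

The two ideas a practitioner should take from this are the explicit `return False` at the end of `is_allowed` (nothing is permitted unless a grant says so) and the fact that the legacy role's unused grants are exactly the ones that would have mattered if the designer's account were compromised.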

As an organization grows, it will become increasingly difficult and costly to deploy the principle of least privilege if a foundation wasn’t laid while the company was small. At the same time, the risks presented by not leveraging it will grow. This is why we want small business owners to learn about this principle early on, even if it doesn’t mean a dramatic change in how the business operates.

You can learn more about the Principle of Least Privilege here.