Introduction to Small Business Cybersecurity
Imagine your business is a storefront on a busy street. You wouldn’t leave the door unlocked or skip installing an alarm system — and the same principle applies to your digital assets. Your computers, mobile devices, customer data, financial records, and proprietary information all need protection.
This is especially critical today, as attacks on small businesses are becoming more frequent.
In military terms, the cybersecurity “battlefield” is asymmetrical: attackers can strike at any time, but businesses can’t strike back (and legally, we aren’t allowed to). Our role isn’t to go on the offensive, but to defend what matters most. That means protecting our digital assets, hardening our systems to make them more difficult to attack, monitoring for threats so that we can actually detect an attack when it occurs, and learning from attack patterns so that we become stronger and more resilient over time.
Because many attackers operate overseas — often in countries that turn a blind eye to their activities — prosecution is rarely possible. But we do have powerful techniques and tools to minimize the likelihood of a successful attack, reduce the damage if one occurs, and strengthen our ability to detect and respond in real time. Collectively, this is known as improving our security posture.
Before diving into the specifics, let’s step back and take a high-level look at what cybersecurity actually means.
So… What Is Cybersecurity, Exactly?
Cybersecurity is the practice of protecting computer systems from digital attacks. The word practice matters — because cybersecurity isn’t passive. It requires ongoing action.
So, what exactly are we protecting? Let’s start with the devices we rely on every day. Later in Task 1: Build a Hardware Inventory, you’ll officially list everything out, but for now just think about the tech that supports your business: phones, tablets, laptops, desktops, and printers. Add to that your networking gear — routers, modems, wireless access points, switches, firewalls, and hubs. Many businesses also run servers, which often hold critical data and applications.
And it doesn’t stop there. These days, just about anything can be internet-connected: smart watches, TVs, VoIP phones, voice assistants like Amazon Echo, even refrigerators and dishwashers. Every device that touches your network is a potential entry point for attackers.
The more devices you have, the bigger your attack surface — a term used to describe everything that could be targeted by an attacker. Your attack surface isn’t just hardware, though. It includes the software installed on your systems and the data those systems and apps store. That’s why Task 2 in this course focuses on creating a software inventory, so you can see the full picture.
Dispelling Common Cybersecurity Myths
Let’s get a clearer picture of what cybersecurity really is — and what it isn’t.
First, cybersecurity isn’t about buying the most expensive tools. You’ve probably seen products or services that claim they can make you 100% secure — “just buy this $15,000 next-gen firewall.” The truth? You can dramatically improve your security posture with little to no money. What it does take is committing to simple habits that may feel inconvenient at first: using strong passwords, adopting a password manager, and enabling multi-factor authentication. Don’t worry — we’ll cover each of these step by step in this course.
Second, cybersecurity isn’t a one-time project. It’s an ongoing process. Attackers are always experimenting with new techniques, and defenders must adapt. Tools and services also change constantly — vendors may disappear, or be replaced by providers offering cheaper or better solutions. What works today may not be enough a few years from now.
Third, cybersecurity isn’t just about technology. It’s not a switch you flip, and it’s not just an “IT problem.” The real goal is to strengthen your security posture — your ability to prevent, detect, and respond to attacks. And that takes the whole team. In fact, attackers often target the least tech-savvy people in an organization because they know those employees can be the easiest entry point.
Finally, some of the most effective steps are also the least glamorous. For example, the first two Tasks in this course are creating hardware and software inventories. Many business owners groan at the idea — but here’s the reality: taking a couple of hours to accurately track your systems is far more effective than spending $15,000 on a fancy firewall. Once you realize the cost savings, those “boring” steps start to look pretty smart.
Cybersecurity Is About Managing Risk
Another key concept to understand is that cybersecurity is about managing risk. Think of it like running a business in the real world — you lock your doors, install alarms, and get insurance. You can’t eliminate risk entirely, but you can manage it to a level that keeps your business safe and resilient.
The challenge is that many small businesses underestimate their exposure. Attacks like ransomware now routinely cripple companies of all sizes, and the impact can be devastating. Why? Because every business — including yours — has valuable assets, both tangible and intangible.
- Tangible assets include: computers, servers, databases, customer records, employee data, and of course, money.
- Intangible assets include: your reputation, customer trust, and ability to operate smoothly day to day.
Here’s the problem: attackers often understand the value of these things far better than business owners do. Thanks to cryptocurrency and the dark web, there’s now an anonymous global market for nearly everything malicious. To be more technical, this market existed before cryptocurrency, but it has exploded as a result of being able to transact anonymously. Today, criminals can easily and without risk:
- Sell your data to the highest bidder.
- Sell access to your computers and networks.
- Sell employee identities or financial information.
- Or, of course, hold everything for ransom and demand payment directly.
The takeaway: you don’t need to panic, but you do need to act. The goal of this course is to help you minimize those risks by strengthening your security posture — making your business a much harder target and dramatically reducing the chance of a successful attack.
What Happens After An Attacker Gains Access?
Technical Jargon Warning: This section is a bit lengthy and includes a lot of technical terms that are helpful but aren’t really needed for you to know in order to secure your business. Feel free to skim or skip this section. The gist is that, once an attacker gains access to even a single device (like a cell phone), they will use that access in every way possible to gain greater and greater control over your whole network. Our defenses need to take this into account and stop the attackers at every stage – not just at the point of initial access.
Once an attacker manages to gain access to just one of your devices or accounts, they will try to use it to their advantage as much as possible. For example, they will look at everything stored on it, to see if there are any useful files containing credentials – this is often called pilfering.
They will look at what browsers and other apps are installed and see if there are any users/passwords stored in them. Windows computers store passwords for logged-in users in memory, so they’ll try to gain access to those. They’ll also look at every application and piece of software installed and see if there are any vulnerabilities in them that could allow them to expand what they can do (called privilege escalation) and gain more control over the system.
Next, they will try to start working their way through your network (this is called pivoting) and compromise your other devices. As they gain more information about your network – the devices on it, users, groups, applications, etc. – they gain an increasing amount of knowledge that allows them to gain more and more control over everything. As they go along, they will also be establishing methods of persistence, allowing them to keep control even after you shut everything down and restart.
What they do and how they do it depends on their goals. Most attackers targeting small businesses will be trying to achieve a financial goal. They may try to download or encrypt your data and then ransom it. They may try to gain access to sensitive information and then blackmail or extort the business. Increasingly, they may just sell access and information to someone else. There’s a huge market for hacked computers and networks on the dark web, and it’s becoming increasingly common for the bad guys to specialize. The person who specializes in phishing or gaining access to your system may not be the one actually doing the encrypting and blackmailing. Bad actors have discovered over time that it can be far more effective to specialize in one thing and then provide that as a service to other bad actors. And, thanks to cryptocurrency, money can be exchanged between bad actors instantly across the globe, without risk.
Ultimately, an individual attacker’s ability to gain initial access and further their goals depends on how skilled they are, how much time they have, and what other assets they are able to wield to perform their attack (for example, do they have access to advanced software like Cobalt Strike). One important consequence of this is that attackers can often tell – pretty quickly – how well a system is defended. Then they can weigh the pros and cons of continuing their attack.
Small businesses will typically have a lower payday than large ones, and well-defended businesses take a lot longer to attack than poorly defended ones. The ideal cash cow for a malicious attacker is a large, poorly defended business. A small, well-defended business makes a poor target.
In most cases, when an attacker sees that a small business has invested in its own defense, it isn’t going to be worth it to continue the attack. Additionally, those attackers who are targeting small businesses typically aren’t as skilled as those who target larger businesses. Only a very small percentage of attackers have the ability to, for example, evade endpoint protection – which is exactly why we include it in our Security Essentials™ bundle – even though it lowers our own margins considerably.
Protecting Our Digital Assets
The question of ‘How can we protect our digital assets?’ is simultaneously easy and difficult to answer.
It’s ‘easy’ because you can get all of the knowledge and tools needed to achieve world-class security. That’s what this course is all about.
However, it’s also ‘difficult’ because nothing we do can 100% guarantee the security of our systems and data. We know this to be true because ethical hackers (the good guys) are very successful. They are often able to gain administrative control of an entire system, network or domain during a penetration test. And their clients are some of the biggest companies in the world.
We shouldn’t think of good security as a switch that can be turned ‘on’ or ‘off’.
Instead, it’s better to think about it in terms of the sophistication and time investment of the attacker(s).
The more secure your systems are, the more difficult they are to successfully attack.
Attacking a computer system takes a lot of time and energy. It is only done when the perceived rewards are greater than the risks, time, and energy required.
Poorly defended systems can often be successfully targeted by less-skilled attackers. In contrast, well-defended systems might require a team of world-class hackers working together.
There are great historical examples of this; back in the 1990s it was fairly common to hear of governments or big businesses getting hacked. It seemed like every other week, someone gained access to a critical server that – one would think – would have ironclad security. But back then, security was often really weak. In many of those cases, nothing was actually ‘attacked’. So-called hackers were often just logging into servers and computers using default or incredibly weak credentials like username: administrator; password: administrator.
Pro Tip: If you’ve never logged into your router before, there’s a good chance it’s still using default credentials. Since the router is essentially the doorway to your whole network, it’s a good idea to check this out.
The goal of defensive cybersecurity is to make it as difficult as possible to successfully attack.
To use more technical terms, we are trying to harden our IT systems and improve our security posture.
A penetration test, or pentest, is a great way to gain a very useful, in-depth assessment of your security posture and how you can improve it. However, it only provides a snapshot of the network as it exists at the time of testing. New vulnerabilities are found all the time, and company networks, people and assets change too. One year later, the ethical hackers are often able to gain control of the same networks again, this time using a different methodology.
Protecting A Home – An Analogy
When learning about cybersecurity, it can be useful to think about how we secure our locations physically. A lot of the same principles in physical security also apply to cybersecurity.
Let’s consider a typical home. It has at least one entrance with a locking door to prevent anyone outside from coming inside without permission. Most homes also have windows. We don’t typically use windows for ingress and egress, so most windows only lock from the inside.
It’s difficult for an attacker to break through a wall, so we usually consider walls to be secure.
The attack surface of the house therefore consists of the doors and the windows. But even with locks on the doors and windows, the house isn’t 100% secure.
The windows might be locked, but they can be broken by an attacker to gain access.
The doors have locks, but most locks can be picked by a skilled lockpicker. And doors can also be breached using physical force. But we still consider the doors and windows to be relatively secure as long as they are locked.
In the real world, this might not be enough to protect our home or allow us to feel secure at night.
We might buy upgraded locks, which in cybersecurity can be compared with using strong passwords or multi-factor authentication (MFA).
We may invest in a security system, cameras, lights, and sensors to detect and alert us of anything strange. These types of security systems are similar to technologies like antivirus (AV), and endpoint detection and response (EDR).
Depending on your neighborhood, you might install a fence around the perimeter of your property. The fence is similar to a network firewall. Like a fence, the firewall is installed at the perimeter of the network. Also like a fence, firewalls control not just who can access the inside (of the network) but also what people can see from the outside.
We will learn more about these technologies in a later lesson. But as we can see, the security measures that we often use in our daily lives often have analogs in the digital world.
Common Cybersecurity Challenges
Before we conclude this lesson, let’s look at some of the challenges in implementing cybersecurity measures at many organizations. We can have our computers and networks set up as securely as possible, but these challenges will remain.
Challenge #1: User Behavior
User behavior is one of the most important factors in cybersecurity.
Adopting more secure behaviors doesn’t cost money, but it is commonly seen as a hindrance. For example, using unique, secure passwords and multi-factor authentication (MFA) are two of the most important things we can do to improve our security posture. Most of our apps support these security measures, but we often don’t use them.
Another issue is that a full compromise only takes one accidental click or slip-up. The more educated people are, the better they are able to protect themselves online. But it’s impossible to prevent things like phishing 100% of the time because it only takes one click.
When it comes to improving user behavior across an organization, we need to blend education with rule-based enforcement.
We recommend enforcing the use of strong, effective policies across the organization. For example, users on company devices shouldn’t be able to install any application they want or browse the web without controls. We also recommend the use of managed endpoint protection like MDR (more on this below).
Challenge #2: Social Engineering
Some things are impossible to get right 100% of the time. For example, in an ideal world, we wouldn’t click any link that we hadn’t fully validated to make sure it wasn’t malicious. Similarly, we wouldn’t download a document, application or an update until it was thoroughly checked for malicious content or vulnerabilities.
These sound great on paper but are hard to get right 100% of the time. For example, in a business email compromise (BEC) or phishing attack, you might get an urgent email from your direct superior about a topic that is highly related to your job. There’s a good chance that you wouldn’t think about security before downloading an attachment or clicking a link. This is an example of the attacker using social engineering, deceiving their target to achieve a goal.
For better or worse, some people are really good at socially engineering others.
Protection against this type of attack often falls to software-based detection measures such as endpoint detection and response (EDR). Firewalls are also critical to defending against these attacks, but there are tradeoffs. That’s why we recommend using a layered approach to cyber defense, which we cover in our educational content and support with our services.
Challenge #3: Keeping Everything Patched and Updated
Another challenge for small businesses is keeping systems fully patched and updated. This might sound like a trivial thing; doesn’t Windows update itself?
Unfortunately, the reality is that many systems and applications go without updates, often for years at a time. Many of our systems have a lot of applications installed on them, and we don’t typically go through every single one on a regular basis.
This might be acceptable on personal devices, but anything used for work, or connecting to the work network, needs to be as well-protected as possible.
Just one out-of-date application, system, or service can mean the difference between a successful attack or not.
Another reason that updates need to be managed is that many updates occur in order to patch security issues. When an update is released, the developer will often announce the bugs that are being patched with it. Once this knowledge is publicly released, attackers will try to make use of it as soon as possible. For more serious vulnerabilities, this means that the entire network might be at serious risk as long as the system remains unpatched. So there’s a race between attackers trying to exploit the vulnerability as quickly as possible and defenders trying to patch it. And over time, that race has gotten closer and closer.
Small businesses are often at greater risk than large enterprises because they often don’t have a dedicated IT person on staff to track and perform necessary updates in a timely manner. This includes updating all software on every device, and we estimate that it takes about 15-30 minutes per device per month to perform. Ensure that whoever is tasked with IT functions at your organization is allotted sufficient time to do this right.
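As an added example (not part of the original course material), the script below ties the hardware and software inventories from Tasks 1 and 2 to the patching race described above: given an inventory of what is installed on which device and a list of vendor fix announcements, it reports every install still below the fixed version and how many days it has been exposed since the fix was announced. All device names, application names ("Acme …"), versions and dates are constructed sample data; the one real pitfall it demonstrates is that comparing version strings as text ("9.1" sorts after "10.0") silently hides stale installs, so versions are compared numerically.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InstalledApp:
    device: str   # hostname from the hardware inventory (Task 1)
    name: str     # software name from the software inventory (Task 2)
    version: str  # installed version string, as reported by the app


@dataclass(frozen=True)
class Advisory:
    name: str            # software the vendor fix applies to
    fixed_version: str   # first version that contains the fix
    published: date      # date the vendor announced the fix


def parse_version(v: str) -> tuple:
    # Pull the numeric components out of "10.2.1" or "1.2rc3" so we compare
    # numbers, not characters. Lexically "9.1" > "10.0", which is wrong.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_below(installed: str, fixed: str) -> bool:
    """True if the installed version is older than the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    # Pad with zeros so "1.2" and "1.2.0" compare as equal, not as older.
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_exposed(inventory, advisories, today: date):
    """Return (device, app, installed, fixed, days_exposed) rows,
    oldest exposure first, for every install below its fixed version."""
    by_name = {a.name: a for a in advisories}
    rows = []
    for app in inventory:
        adv = by_name.get(app.name)
        if adv is not None and is_below(app.version, adv.fixed_version):
            days = (today - adv.published).days
            rows.append((app.device, app.name, app.version, adv.fixed_version, days))
    rows.sort(key=lambda r: r[4], reverse=True)
    return rows


def devices_needing_patch(rows):
    """Distinct devices that need attention, for scheduling patch time."""
    return sorted({r[0] for r in rows})


# Constructed sample inventory and advisories (not real products or dates).
INVENTORY = [
    InstalledApp("FRONT-DESK-PC", "Acme Reader", "9.1"),
    InstalledApp("FRONT-DESK-PC", "Acme Browser", "118.0.2"),
    InstalledApp("OWNER-LAPTOP", "Acme Reader", "10.0.1"),
    InstalledApp("OWNER-LAPTOP", "Acme Accounting", "2023.4"),
    InstalledApp("SHOP-TABLET", "Acme Browser", "117.5"),
]
ADVISORIES = [
    Advisory("Acme Reader", "10.0", date(2024, 3, 1)),
    Advisory("Acme Browser", "118.0", date(2024, 3, 20)),
]

if __name__ == "__main__":
    for row in find_exposed(INVENTORY, ADVISORIES, date(2024, 4, 1)):
        print("%-14s %-13s installed %-8s fixed in %-6s exposed %d days" % row)
```

Run against a real export of your two inventories, this is the list the person handling IT should work through first, starting from the top.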