Nobody breaks into a small business through a zero-day exploit. They log in, because someone shared a password in a WhatsApp group two years ago and nobody ever changed it. Cybersecurity basics small business owners skip aren't exotic, they're boring, which is exactly why they get skipped.

I've done technical reviews for retail chains and finance companies where the security conversation immediately jumps to firewalls and penetration testing, while the actual open door is a shared admin login that six ex-employees still know. The realistic threat model for most SMEs isn't a nation-state actor. It's phishing, account takeover, and a disgruntled former staff member who still has access.

You don't need an enterprise security budget to close most of this gap. You need one week and a checklist.

The realistic threat model, not the enterprise one

Enterprise security vendors sell you on advanced persistent threats and sophisticated attackers. For a business with 10-200 employees, that's not your risk. Your risk is:

  • A staff member clicking a phishing link that looks like an invoice or a delivery notification.
  • A password reused across your accounting system, email, and a random app that got breached elsewhere.
  • An employee who left six months ago and still has access to shared drives or admin panels.
  • A laptop with no encryption, lost in a taxi, with your customer database cached locally.

None of these require sophistication to exploit. They require someone to notice the door was left open. That's the 80% of risk you can close without hiring a security team.

The one-week hardening checklist

Day 1-2: Password manager, company-wide. Every shared login (social media, hosting panels, vendor portals) moves into a password manager with unique, generated passwords. If a password is currently shared verbally or over chat, that's your first fix. This alone eliminates the most common breach vector: reused, weak, or leaked passwords.

Day 2-3: Two-factor authentication on everything that touches money or customer data. Email, accounting software, banking portals, cloud storage, your CMS or e-commerce admin. If a vendor doesn't support 2FA, that's a mark against keeping them. Account takeover via a leaked password becomes far harder once a second factor is required.

Day 4: Access review. Pull a list of everyone with access to shared systems, cross-reference against current staff. Revoke everything tied to anyone who left. This sounds obvious until you actually run the list and find three names that shouldn't be there.

Day 5: Patch and update. Check that operating systems, POS software, and any customer-facing web systems are on current versions. Unpatched software is the second most common entry point after credential issues, and it's usually a five-minute fix per machine.

Day 6: Backup verification. Not "we have backups," but "we restored a file from backup last week and it worked." A backup nobody has tested is a hope, not a plan.

Day 7: A written incident plan, one page. Who gets called first if an account is compromised, who has authority to lock systems, and where the emergency contacts list lives. One page. Not a compliance document nobody reads.

Table: risk vs. effort

Fix Effort Risk it closes
Password manager rollout Low Reused/weak passwords
2FA on financial/data systems Low Account takeover
Ex-employee access revocation Low Insider access, forgotten accounts
Software patching Low-medium Known exploit vectors
Backup restore test Medium Data loss, ransomware impact
Written incident plan Low Slow, chaotic response

Every item here is low effort relative to the exposure it removes. None require a security consultant, though a technical partner can help you audit access lists faster than doing it manually across a dozen systems.

Why this matters more as you digitize

As more of your operations move online, the attack surface grows quietly. A business that digitized its inventory, sales, and customer records over the past two years has a much larger footprint than it did before, often without anyone updating the access list or security posture to match. If you're mid-transition, it's worth reading Digital Transformation for Small Business: Where to Start alongside this, because security should be part of the same rollout plan, not an afterthought once something goes wrong.

The takeaway

Skip the enterprise theater. You don't need advanced threat detection before you've closed the basics. Spend one week on passwords, 2FA, access review, patching, backup testing, and a one-page incident plan. That's the 80% of real-world risk for a small business, and it costs almost nothing to fix compared to what a single account takeover costs you in recovery time, customer trust, and cleanup.