# Cybersecurity for Small Business
Small businesses (under 500 employees, under $50 million in revenue) face the same cyber threats as large enterprises but with a fraction of the resources to defend against them. Ransomware does not check the victim's revenue before encrypting. Phishing campaigns do not skip inboxes based on company size. State-sponsored actors target small businesses in the supply chain to reach larger targets. The threat is enterprise-grade. The budget and staffing are not.
The cybersecurity industry's default advice to small businesses is "follow best practices," which in practice means "do everything a Fortune 500 company does, but without the budget, staff, or expertise." This advice is useless. A 50-person company with no security team and a $30,000 annual security budget cannot deploy a SIEM, hire a SOC analyst, and conduct quarterly penetration tests. The advice must be prioritized: what produces the most security per dollar at the smallest organizational scale?
The answer is the CIS Controls Implementation Group 1 (IG1). IG1 defines 56 safeguards (out of the 153 safeguards in CIS Controls v8) that represent the minimum standard of information security for all organizations. IG1 is explicitly designed for organizations with limited cybersecurity expertise and limited resources. Implementing IG1 provides baseline defense against the most common attack vectors and satisfies the "reasonable security measures" standard that regulators, insurers, and courts reference.
CIS Controls v8 organizes 153 safeguards into three Implementation Groups:

- IG1 (Essential Cyber Hygiene): 56 safeguards. For organizations with limited resources and expertise. Focused on the controls that address the most common attack vectors with the least operational complexity. IG1 is the starting line.
- IG2: 74 additional safeguards (130 total). For organizations with moderate resources and some security expertise. Adds controls for environments with greater complexity and risk.
- IG3: 23 additional safeguards (153 total). For organizations with significant resources, dedicated security teams, and high-risk environments. The full CIS Controls set.
A small business that implements IG1 is not "fully secure." No organization at any maturity level is. But IG1 addresses the 56 safeguards that provide the most protection against the most common threats, which is dramatically more effective than the typical small business approach of deploying antivirus and hoping for the best.
The IG1 safeguards map directly to the six PDM domains. The following are the highest-priority controls for small businesses, grouped by domain:
## IAT: Identity and Access
This is the single most impactful domain for small businesses.
Deploy MFA on everything. Email, cloud applications, VPN, administrative interfaces, and any system accessible from the internet. MFA is the single most effective control a small business can implement. Credential theft through phishing is the most common attack vector against small businesses. MFA makes stolen passwords useless without the second factor.
Use a password manager. Every employee uses a password manager (Bitwarden, 1Password, Keeper) to generate and store unique, strong passwords for every account. Shared passwords, reused passwords, and passwords on sticky notes are eliminated.
Disable unused accounts. When an employee leaves, their accounts are disabled the same day. A former employee's active account is an open door.
Restrict administrative access. Only IT staff (or the owner, in the smallest businesses) have administrative access. Every other user operates with standard user accounts. An employee who accidentally runs malware with administrative privileges gives the malware administrative access.
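An added example (not from the original article) that turns the four IAT controls above into a repeatable check over an account export: every enabled account must have MFA, no leaver may still be enabled, admin rights belong only to IT staff, and long-idle accounts are flagged for disabling. The account rows, IT roster, leaver list and audit date are all constructed assumptions.

```python
"""Audit user accounts against the identity controls above: MFA on every account,
no active accounts for departed staff, admin rights limited to IT, and no long-idle
accounts. Added example, not from the original article. The account export and HR
roster are constructed samples; a real run would load them from the identity
provider's user export and the HR system."""
from datetime import date
from typing import Dict, List

# Constructed sample: one row per account, as a directory export might provide.
ACCOUNTS = [
    {"user": "alice@example.com", "enabled": True, "mfa": True, "admin": True, "last_login": "2024-05-02"},
    {"user": "bob@example.com", "enabled": True, "mfa": False, "admin": False, "last_login": "2024-05-01"},
    {"user": "carol@example.com", "enabled": True, "mfa": True, "admin": True, "last_login": "2024-04-28"},
    {"user": "dave@example.com", "enabled": True, "mfa": True, "admin": False, "last_login": "2024-01-15"},
    {"user": "svc-scan@example.com", "enabled": True, "mfa": False, "admin": False, "last_login": "2023-11-01"},
]
IT_STAFF = {"alice@example.com"}                 # constructed: the only person allowed admin rights
DEPARTED = {"carol@example.com": "2024-04-30"}   # constructed: HR leavers with their last day
AS_OF = date(2024, 5, 6)                         # constructed: the day the audit is run

def audit_accounts(accounts: List[Dict], it_staff: set, departed: Dict[str, str],
                   today: date, stale_days: int = 90) -> List[str]:
    """Return one finding per violated control; an empty list means every check passed."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # disabled is the desired end state; nothing more to check
        if user in departed:
            findings.append(f"{user}: still enabled, employee left {departed[user]}")
        if not acct["mfa"]:
            findings.append(f"{user}: MFA not enrolled")
        if acct["admin"] and user not in it_staff:
            findings.append(f"{user}: administrative role held outside IT")
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append(f"{user}: no sign-in for {idle} days, disable if unused")
    return findings

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, IT_STAFF, DEPARTED, AS_OF):
        print(finding)
```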
## SPH: Security Posture and Hygiene
Enable automatic updates. Every endpoint (Windows, macOS, Linux, mobile) automatically installs security updates. Automatic updates eliminate the most common vulnerability: unpatched software. If the operating system and applications are current, the attacker cannot exploit the known, already-patched vulnerabilities that most attacks depend on.
Deploy endpoint protection. Every endpoint runs a modern endpoint protection platform (Microsoft Defender for Business, SentinelOne, CrowdStrike Falcon Go, Huntress). Endpoint protection provides antimalware, EDR-like detection, and basic threat response. For small businesses, Microsoft Defender for Business (included with Microsoft 365 Business Premium) provides good protection at no incremental cost.
Enable full-disk encryption. Every laptop has BitLocker (Windows) or FileVault (macOS) enabled. A stolen laptop with full-disk encryption yields unreadable data. Without encryption, a stolen laptop is a data breach.
Use a firewall. The business network should be behind a firewall (even a consumer-grade router/firewall is better than nothing; a business-grade firewall like FortiGate, Ubiquiti, or Meraki is better). The firewall should have default-deny inbound rules and allow only the traffic required for business operations.
## DPS: Data Protection and Sovereignty
Back up everything. Implement the 3-2-1 rule at minimum: 3 copies of data, 2 different media types, 1 offsite. For small businesses, cloud backup (Microsoft 365 backup, Google Workspace backup, Veeam, Datto, Acronis) provides offsite backup with minimal operational overhead. Test the backup quarterly by restoring a file and verifying it works. An untested backup is a hope, not a plan.
Encrypt sensitive data. Beyond full-disk encryption, sensitive files (financial records, customer data, employee records) should be encrypted in storage and transmitted only through encrypted channels (HTTPS or encrypted email, never plain FTP or unencrypted email attachments).
Know what data you have. Even without a formal data classification program, the business owner should know where customer data, financial data, and employee data reside. This knowledge is required for breach notification if an incident occurs.
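The quarterly restore test from the backup guidance above, as an added example that is not part of the original article: it restores a file from the backup copy, verifies it against the live copy by SHA-256, logs the outcome, and reports when the last successful drill is more than 90 days old. The live directory, backup copy and file contents are constructed in a temp folder; a real run would point at the actual backup location.

```python
"""Quarterly restore drill for the 3-2-1 backup rule described above: restore a
file from the backup copy, verify it byte-for-byte (SHA-256) against the live copy,
and log the result so an overdue drill can be flagged. Added example, not from the
original article; it builds a throwaway live directory and backup copy under a temp
folder, where a real run would point at the actual backup location."""
import hashlib, json, shutil, tempfile
from datetime import date
from pathlib import Path

MAX_DAYS_BETWEEN_DRILLS = 90  # "test the backup quarterly"

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def restore_drill(live: Path, backup: Path, rel: str, scratch: Path, log: Path, today: date) -> bool:
    """Restore one file from backup into scratch, compare with the live copy, log the outcome."""
    restored = scratch / rel
    restored.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(backup / rel, restored)  # the restore step: never overwrite the live copy
    ok = sha256_of(restored) == sha256_of(live / rel)
    with log.open("a") as fh:
        fh.write(json.dumps({"date": today.isoformat(), "file": rel, "ok": ok}) + "\n")
    return ok

def drill_overdue(log: Path, today: date) -> bool:
    """True when no successful drill is recorded within MAX_DAYS_BETWEEN_DRILLS."""
    if not log.exists():
        return True
    records = [json.loads(line) for line in log.read_text().splitlines()]
    successes = [r["date"] for r in records if r["ok"]]
    if not successes:
        return True
    return (today - date.fromisoformat(max(successes))).days > MAX_DAYS_BETWEEN_DRILLS

def demo(today: date = date(2024, 5, 6)) -> dict:
    """Constructed live/backup copies, one file silently truncated in the backup, then the drill."""
    root = Path(tempfile.mkdtemp())
    live, backup, scratch, log = root / "live", root / "backup", root / "restore", root / "drills.jsonl"
    live.mkdir()
    (live / "ledger.xlsx").write_bytes(b"2024 general ledger")
    (live / "clients.csv").write_bytes(b"name,email\nAcme,ap@example.com\n")
    shutil.copytree(live, backup)
    (backup / "clients.csv").write_bytes(b"name,email\n")  # constructed: backup copy is truncated
    overdue_before = drill_overdue(log, today)
    results = {f: restore_drill(live, backup, f, scratch, log, today) for f in ("ledger.xlsx", "clients.csv")}
    return {"overdue_before": overdue_before, "results": results, "overdue_after": drill_overdue(log, today)}
```

The truncated clients.csv fails the drill while ledger.xlsx passes, which is exactly the kind of silent backup defect the quarterly test exists to catch.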
## VSD: Vulnerability and Surface Defense
Minimize the internet-facing surface. Disable remote desktop (RDP) unless absolutely necessary (and if necessary, protect it with MFA and restrict source IPs). Do not expose internal services to the internet. Use VPN or ZTNA for remote access.
Keep software current. Beyond OS updates, third-party applications (Adobe, Java, browsers, Zoom, Slack) should be updated automatically or on a weekly cadence.
## TID: Threat Intelligence and Defense
Enable logging. Turn on audit logging for email (Microsoft 365, Google Workspace), cloud storage, and the firewall. Logs do not need to be ingested into a SIEM (small businesses do not have SIEMs). They need to exist so that if an incident occurs, an investigator can determine what happened.
Monitor email security. Configure DMARC, SPF, and DKIM for the business email domain. Use the email provider's built-in security features (Microsoft Defender for Office 365, Google Workspace security). These controls prevent domain spoofing and filter inbound phishing.
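An added example (not from the original article) of checking the SPF and DMARC records mentioned above for the weak settings that leave a domain spoofable: a neutral or permissive `all` qualifier, a monitoring-only `p=none` policy, partial enforcement, and no reporting address. The weak and hardened records are constructed samples for an assumed domain (example.com); the Microsoft 365 include is shown because the article recommends that platform.

```python
"""Check SPF and DMARC TXT records for the weak settings that leave a domain
spoofable, as discussed above. Added example, not from the original article.
The records are constructed samples for an assumed domain (example.com); in
practice they come from DNS: the domain's TXT record and the TXT at _dmarc.<domain>."""
from typing import List

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # cost a DNS query
def assess_spf(record: str) -> List[str]:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    findings, terms = [], record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed (no 'v=spf1' tag)"]
    last = terms[-1].lower()  # qualifier on 'all' decides the fate of mail from unlisted hosts
    if last in ("+all", "all"):
        findings.append("SPF ends with '+all': any sender passes, the record protects nothing")
    elif last == "?all":
        findings.append("SPF ends with '?all' (neutral): unlisted senders are not penalised")
    elif last == "~all":
        findings.append("SPF ends with '~all' (softfail): acceptable, '-all' is stronger")
    elif last != "-all":
        findings.append("SPF has no terminal 'all' mechanism")
    lookups = sum(t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_MECHANISMS for t in terms[1:])
    if lookups > 10:  # RFC 7208 limit; more than 10 makes receivers return permerror
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10)")
    return findings

def assess_dmarc(record: str) -> List[str]:
    findings = []
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed (no 'v=DMARC1' tag)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC 'p=none' only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC record has no valid 'p=' policy")
    elif tags.get("pct", "100") != "100":
        findings.append(f"DMARC policy enforced on only {tags['pct']}% of mail")
    if "rua" not in tags:
        findings.append("No 'rua=' address: aggregate reports of spoofing attempts go nowhere")
    return findings

# Constructed samples: a typical weak starting point beside the hardened version.
WEAK = {"spf": "v=spf1 include:spf.protection.outlook.com ?all", "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"}

def assess_domain(records: dict) -> List[str]:
    return assess_spf(records["spf"]) + assess_dmarc(records["dmarc"])
```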
## RGA: Risk Governance and Assurance
Get cyber insurance. Cyber insurance is affordable for small businesses ($1,000 to $5,000 annually for $1 million in coverage) and provides incident response resources (forensics, legal, notification) that the business cannot maintain internally.
Have an incident response contact. The business does not need a formal IR plan (though having one is better). It needs to know who to call when something goes wrong: the IT provider, the insurance carrier's IR hotline, and the local FBI field office. Three phone numbers on a laminated card near the owner's desk are better than no plan at all.
Do not buy enterprise tools. A 50-person company does not need a $100,000 SIEM, a $50,000 PAM platform, or a $30,000 GRC tool. These tools are designed for organizations with dedicated security teams. Without the team to operate them, the tools produce no value.
Do not try to do everything at once. Implementing all 56 IG1 safeguards simultaneously is overwhelming. Prioritize: MFA first (week 1), automatic updates and endpoint protection (week 2), backup verification (week 3), email security (week 4). Build from there.
Do not ignore it. The most common small business cybersecurity strategy is "we are too small to be targeted." This is factually wrong. The Verizon DBIR reports that 43% of cyberattacks target small businesses. Ransomware groups target small businesses specifically because they are more likely to pay (they cannot afford the downtime) and less likely to have the controls to prevent or recover from the attack.
Do not rely on a single IT person without security expertise. The business's IT provider (internal or MSP) manages the infrastructure. Security requires specific expertise that general IT support may not have. An MSP that manages the network but does not enforce MFA, deploy EDR, or test backups is managing infrastructure, not security.
43% of cyberattacks target small businesses (Verizon DBIR). 60% of small businesses that suffer a significant cyberattack go out of business within six months (National Cyber Security Alliance). The average cost of a data breach for organizations under 500 employees is $2.98 million (IBM Cost of a Data Breach Report). These are not abstract statistics. They are the operational reality for businesses that do not implement basic controls.
Small businesses are targeted not just for their own data but as entry points to larger organizations. A small accounting firm that serves a mid-market client has access to that client's financial data. A small IT provider that manages a healthcare organization's network has access to ePHI. Attackers compromise the small business (which has weaker defenses) to reach the larger target (which has stronger defenses but trusts the small business's access).
Small businesses are not exempt from cybersecurity regulations. HIPAA applies to every healthcare provider regardless of size (including solo practitioners). PCI DSS applies to every business that accepts credit cards regardless of size. State breach notification laws apply to every business that holds residents' personal information. CCPA/CPRA applies to businesses meeting revenue or data volume thresholds that many small businesses exceed. "We are small" is not a compliance exemption.
Small business cybersecurity maps to the full six-domain PDM at a scaled-down implementation level. The domains do not change. The implementation depth changes. A 50-person company needs IAT (MFA, password management, access control), but it does not need an IGA platform. It needs DPS (backup, encryption), but it does not need a full data classification program. It needs SPH (endpoint protection, patching), but it does not need CIS Benchmark Level 2 hardening across 5,000 endpoints.
CDA's Confidential engagement tier ($5,000/month) is designed for this market. It provides operational security capability covering 1 to 3 PDM domains, scaled to the organization's size and risk profile. A small business at the Confidential tier receives the security operations, compliance management, and strategic guidance that would cost $100,000+ to build internally, at a price point that the business can budget.
The FRM (Foundational Recon Mission) is free for all organizations, including small businesses. The FRM assesses posture across all six domains and produces a Posture Score that identifies the most critical gaps. For a small business, the FRM typically reveals: no MFA (IAT critical), no tested backup (DPS critical), no email authentication (SPH critical), and no cyber insurance (RGA critical). Four findings. Four actions. The business can address them in priority order over 30 to 90 days.
CDA's CDArmy model provides an alternative to traditional MSP security. CDArmy operators deployed on missions provide the specific security expertise that generic IT providers lack. A small business does not need a full-time security team. It needs an operator who deploys MFA, configures email security, verifies backups, and monitors the environment, then moves on to the next mission. Mission-based security at the scale the business needs.
Written by Evan Morgan