CyberBit resources

Small Business Cybersecurity Center

Plain-English cybersecurity guidance for small businesses, local service firms, clinics, contractors, and professional offices.

Start practical

Security basics before enterprise complexity.

Small businesses do not need enterprise security complexity first. They need practical controls that reduce the most common risks: email compromise, weak website/domain setup, poor account security, vendor risk, scams, and lack of recovery planning.

Security topics

Practical controls to reduce common small-business risk.

Pick a category, jump to a topic, and start with the first actions before moving into deeper hardening.

Foundations

Cybersecurity Basics

The first layer of practical security for a small business that depends on email, files, devices, and cloud accounts.

Who it affects

Every small business with email, a website, online payments, client records, or cloud accounts.

Why it matters

Most small-business incidents start with simple gaps like weak passwords, missing MFA, outdated software, or poor backup habits.

First actions to take

  • Turn on multi-factor authentication for key accounts
  • Update devices, browsers, plugins, and business software
  • Back up important files and test recovery
  • Limit admin access to only people who need it

Email Security

Email & Domain Protection

Reduce the chance that criminals can impersonate your domain, abuse business email, or trick staff and customers.

Who it affects

Businesses that send email from their own domain or rely on Microsoft 365 / Google Workspace.

Why it matters

Weak email and domain settings can let attackers impersonate your business, steal invoices, or trick customers and staff.

First actions to take

  • Check SPF, DKIM, and DMARC records
  • Turn on MFA for mailbox/admin accounts
  • Review forwarding rules and suspicious inbox filters
  • Use a separate admin account where possible

Website Security

Website Security

Keep your public website, contact forms, booking links, and trust signals from becoming an easy source of business risk.

Who it affects

Businesses with websites, contact forms, booking pages, payment links, or client intake forms.

Why it matters

Outdated plugins, weak hosting settings, broken SSL, exposed admin pages, and poor form handling can damage trust and create avoidable risk.

First actions to take

  • Keep website software, plugins, and themes updated
  • Use HTTPS everywhere
  • Remove unused plugins, pages, and old admin users
  • Review form notifications and where customer data goes

Cloud Accounts

Microsoft 365 / Google Workspace

Tighten the basic account and sharing controls around the cloud workspace where your daily work happens.

Who it affects

Businesses using Microsoft 365, Outlook, Gmail, Google Workspace, SharePoint, OneDrive, or Google Drive.

Why it matters

A compromised cloud account can expose client records, invoices, contracts, employee data, and internal files.

First actions to take

  • Require MFA for all users
  • Review admin users and shared mailboxes
  • Disable unused accounts quickly
  • Check external sharing settings

Vendor Risk

Vendor Security

Know which outside companies can reach your systems, data, accounts, payments, or customer workflows.

Who it affects

Businesses that use software vendors, payment processors, booking tools, IT providers, marketing agencies, payroll platforms, or outsourced staff.

Why it matters

Vendors can access sensitive business systems or customer data. Weak vendor controls can become your problem.

First actions to take

  • Know which vendors access customer or business data
  • Ask vendors how they protect accounts and data
  • Remove access when vendors are no longer needed
  • Avoid sharing owner/admin credentials casually

Scam Prevention

Scams & Phishing

Build simple habits that help owners and staff slow down suspicious invoices, links, texts, and urgent requests.

Who it affects

Owners, office managers, finance staff, receptionists, and anyone who handles email, invoices, texts, or calls.

Why it matters

Many attacks start with a fake invoice, fake login page, fake bank-change request, or fake urgent message.

First actions to take

  • Verify payment and bank-change requests out of band
  • Train staff to pause before opening links or attachments
  • Report suspicious messages internally
  • Use MFA so stolen passwords are less useful

Resilience

Backups & Recovery

Make sure important business files can be restored after deletion, device loss, account compromise, or ransomware.

Who it affects

Businesses that store documents, customer records, invoices, images, contracts, schedules, or operational files.

Why it matters

Backups are what protect you when ransomware, accidental deletion, device loss, or account compromise happens.

First actions to take

  • Back up critical files automatically
  • Keep at least one backup separate from everyday accounts
  • Test restoring a file before you need it
  • Document who to call if systems go down

Access Control

Employee Access & Passwords

Reduce risk from old accounts, shared passwords, overpowered admin access, and unmanaged staff changes.

Who it affects

Any business with employees, contractors, vendors, shared accounts, or former staff.

Why it matters

Old accounts, shared passwords, weak passwords, and unnecessary admin access create easy entry points.

First actions to take

  • Use a password manager
  • Avoid shared passwords where possible
  • Remove access immediately when someone leaves
  • Give admin access only when needed

How CyberBit can help

Not sure where your business stands?

Start with a fast public-facing review of your domain, website, email security posture, and obvious external risk signals.

Further reading

Useful public resources

These public resources can help you compare practical small-business guidance from government and standards organizations. CyberBit commentary is not official government guidance.

Awareness disclaimer

CyberBit Solutions LLC provides practical cybersecurity education and public-facing review services for small businesses. This page is for general awareness only and is not legal, compliance, incident-response, or emergency security advice.