The Five Things Every Business Should Do Before Anything Else
Cybersecurity • Updated • 9 min read

MFA, password manager, software updates, backups, employee training. These five steps cost under $5,000 a year and eliminate the majority of your cyber risk.

43% of cyberattacks target small businesses. That number comes from Accenture's Cost of Cybercrime study, and it surprises most people because the headlines only cover the big breaches — the hospital systems, the pipelines, the banks. But attackers don't start with the hardest target. They start with the easiest one. And for the majority of small and mid-sized businesses, "easy" means no multi-factor authentication, no password manager, no update policy, no backups, and no employee training.

60% of small businesses that experience a significant cyberattack shut down within six months. Not because the attack itself is always catastrophic, but because recovery without preparation is slow, expensive, and sometimes impossible. The data is gone. The customers lose trust. The insurance doesn't cover what you thought it covered.

This article covers five things. They are not advanced. They are not expensive. Most of them take less than a day to implement. And together, they eliminate the vast majority of risk that actually affects businesses your size.

[Image: a clean desk with a laptop showing a lock icon, a notepad with a checklist, and a coffee cup]
Five steps. Under $5,000 a year total. They stop the attacks that actually happen to businesses like yours.

1. Turn on multi-factor authentication everywhere

Multi-factor authentication — MFA — means that logging into an account requires two things instead of one. Your password is the first thing. The second is usually a code sent to your phone, generated by an app, or confirmed by tapping a notification. Even if someone steals your password, they can't get in without that second factor.

Microsoft's security research shows that MFA prevents 99.9% of automated account attacks. That number is not a typo. The overwhelming majority of account compromises happen because someone obtained a password — through a data breach, phishing, or guessing — and there was nothing else standing in the way.

Where to enable it: your email provider, your bank, your accounting software, your cloud storage, your CRM, your social media accounts, any tool where client data lives. If a service offers MFA and you haven't turned it on, that is the single highest-return security action you can take today.

Cost: Free. Every major platform supports MFA at no additional charge.

Setup time: 10–15 minutes per account. A full afternoon for an entire team's accounts.

Recommended app: Use an authenticator app (like Microsoft Authenticator, Google Authenticator, or Authy) rather than SMS codes. SIM-swapping attacks can intercept text messages. Authenticator apps can't be intercepted the same way.

2. Use a password manager

The average business employee manages over 100 passwords. Nobody memorizes 100 unique, complex passwords. So people reuse them. They use the company name plus the year. They write them on sticky notes. They store them in a shared spreadsheet called "passwords.xlsx" — yes, this is real, and it is far more common than anyone wants to admit.

A password manager stores all of your passwords in one encrypted vault. You remember one strong master password. The manager generates, stores, and auto-fills everything else. Each password is unique, long, and random — the kind no human would create or remember.

This solves the reuse problem entirely. When a breach exposes your password for one service, attackers try that same password on every other service you use. It's called credential stuffing, and it works because people reuse passwords. With a password manager generating unique passwords for each account, a breach at one service doesn't cascade into breaches at ten others.

Cost: $3–$8 per user per month for business plans. Under $100/year per person.

Setup time: 1–2 hours to set up the team vault and migrate existing passwords. Ongoing habit-building takes a few weeks.

Options: 1Password, Bitwarden, or Dashlane all offer solid business plans. Bitwarden has a free tier for individuals.

[Image: close-up of a keyboard with a small padlock resting on the keys]
One master password. One vault. Every account protected with a unique credential that no human has to memorize.

3. Keep your software updated

The 2025 Verizon Data Breach Investigations Report found that 20% of confirmed breaches involved exploitation of unpatched vulnerabilities. That means one in five breaches happened because someone didn't install an available update.

Software updates aren't just about new features. They patch security holes that researchers and attackers have already discovered. When a vulnerability is published, attackers build automated tools to scan the internet for systems that haven't been patched yet. The window between "patch available" and "attack in the wild" is shrinking — sometimes it's days, sometimes hours.

This applies to everything: your operating system, your web browser, your WordPress installation, your router firmware, your point-of-sale system, your accounting software, your phone. If it connects to a network and it has an update available, install it.

Cost: Free. Updates are included with the software you've already purchased.

Setup time: 30 minutes to enable automatic updates on all devices. Schedule a monthly check for anything that doesn't auto-update (routers, firmware, specialized industry software).

The rule: Turn on automatic updates wherever possible. For critical business systems that need testing before updates, designate one person to apply and verify updates weekly.

4. Back up your data — and test your backups

Backups are the difference between "we had an incident and recovered" and "we had an incident and lost everything." Ransomware encrypts your files and demands payment for the decryption key. If you have clean backups stored separately from your main systems, you don't need to pay. You restore. You move on.

The key phrase is "stored separately." A backup on the same computer isn't a backup — it's a second copy that gets encrypted right alongside the original. A backup on a connected network drive can also be reached by ransomware that spreads through your network. Effective backups follow the 3-2-1 rule:

  • 3 copies of your data
  • 2 different storage types (for example, local drive and cloud)
  • 1 copy stored offsite or in the cloud, disconnected from your main network

And then — this is the part almost everyone skips — test your backups. Once a quarter, pick a file or a folder and actually restore it. Verify that the data is intact and usable. A backup you've never tested is a backup you're hoping works. Hope is not a recovery plan.

Cost: $5–$50/month depending on data volume and provider. Cloud backup services like Backblaze, Wasabi, or your existing cloud provider all offer business plans.

Setup time: 2–4 hours for initial configuration. Quarterly test restores take 30 minutes.
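The quarterly test restore described above can be made mechanical rather than a matter of eyeballing one folder. The following is an added example, not code from the original article: it copies a directory tree to a backup location, records a SHA-256 manifest of every file at backup time, and then checks a restored copy against that manifest so that a missing or silently truncated file is reported instead of discovered during an incident. The sample files, directory names and the `demo()` helper are constructed for illustration; the script uses only the Python standard library.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def backup_tree(src: str, dst: str) -> dict:
    """Hash the live data, copy it to dst, and write the manifest next to the backup
    (not inside it) so a later restore test has an independent record to check against."""
    manifest = build_manifest(src)
    shutil.copytree(src, dst)
    with open(dst.rstrip(os.sep) + ".sha256", "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> list:
    """The test-restore check: return every file that is missing from the restored
    tree or whose contents no longer match the hash taken at backup time."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def demo() -> tuple:
    """Constructed end-to-end run: back up, restore, verify (clean); then damage the
    restored copy and verify again to show what a failed restore test reports."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        backup = os.path.join(work, "backup")
        restore = os.path.join(work, "restore")
        os.makedirs(os.path.join(live, "invoices"))
        with open(os.path.join(live, "invoices", "2024-01.txt"), "w") as f:
            f.write("constructed sample invoice\n")
        with open(os.path.join(live, "clients.csv"), "w") as f:
            f.write("name,email\nExample Co,ops@example.com\n")

        manifest = backup_tree(live, backup)
        shutil.copytree(backup, restore)          # the "restore" half of the quarterly test
        clean = verify_restore(manifest, restore)

        # Simulate a truncated file and a missing file in the restored copy.
        with open(os.path.join(restore, "clients.csv"), "w") as f:
            f.write("name,email\n")
        os.remove(os.path.join(restore, "invoices", "2024-01.txt"))
        damaged = verify_restore(manifest, restore)
        return clean, damaged
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    ok, broken = demo()
    print("clean restore problems:", ok)
    print("damaged restore problems:", broken)
```

The design choice worth noting is that the manifest is taken from the live data before the copy and stored outside the backup directory: a backup that was itself encrypted or truncated after the fact will then fail the check, which is exactly the case the article warns about.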

5. Train your employees — even if your only employee is you

Every security measure in this article can be defeated by one person clicking the wrong link, opening the wrong attachment, or entering their credentials on a fake login page. That's not a criticism of people — it's a recognition that attackers specifically design their attacks to exploit how human brains work. Urgency, authority, fear, curiosity. These are psychological levers, and phishing is the craft of pulling them.

Effective security training doesn't mean annual compliance videos that everyone clicks through while checking their phone. It means short, specific, repeated exposure to realistic scenarios. What does a phishing email actually look like? What do you do when you get a suspicious text from someone claiming to be your CEO? Who do you call when something feels wrong?

The goal isn't to make people paranoid. It's to make "pause and verify" an automatic response. That takes repetition over time, not a single training session.

Cost: Free to $500/year. Platforms like KnowBe4 offer small business plans. For very small teams, regular 15-minute discussions about recent phishing examples cost nothing and build awareness effectively.

Setup time: 1 hour for initial setup. 15–30 minutes per month for ongoing reinforcement.

[Image: a small team around a conference table reviewing a projected example phishing email, one person pointing at a suspicious link]
Training isn't a one-time event. It's the habit of pausing before clicking, built through repetition over months.

Before AI / Now with AI

Every one of these five steps became more urgent in the last two years, and AI is the reason.

Phishing before AI: Template-based. Obvious grammar mistakes. Mismatched sender addresses. Logos that looked slightly wrong. A reasonably attentive person could spot most of them. Now: 82.6% of phishing emails contain AI-generated content. The grammar is flawless. The tone matches genuine corporate communication. The emails reference real details scraped from LinkedIn, company websites, and public filings. The old advice to "look for typos" no longer works.

Credential attacks before AI: Brute force took time. Attackers ran dictionaries of common passwords against login pages, and rate limiting slowed them down. Now: AI-accelerated credential stuffing combines leaked databases with pattern-matching algorithms that predict password variations. If your password for one service was "Company2024!" there's an AI model predicting that your password for another service is "Company2025!" or "C0mpany2024!". Unique passwords — generated by a password manager — are the only reliable counter.

Vulnerability exploitation before AI: Finding and exploiting unpatched systems required manual scanning and custom exploit development. Now: AI tools can scan, identify, and exploit known vulnerabilities faster than most IT teams can patch them. The window of safety after a patch is released has shrunk from weeks to hours.

None of this changes what you need to do. The five steps are the same. AI just removed the margin for procrastination. The attacks are faster, more convincing, and more automated. The defenses — MFA, password managers, updates, backups, training — still work. They just matter more now than they did two years ago.

What this costs and what it prevents

Here's the total annual cost for a team of five:

  • MFA: $0
  • Password manager: ~$480/year (5 users × $8/month)
  • Software updates: $0
  • Cloud backups: ~$600/year
  • Security training: ~$500/year
  • Total: ~$1,580/year

The average cost of a data breach for a small business is $120,000–$200,000 when you include investigation, remediation, legal fees, lost business, and notification costs. The math is not complicated.

These five steps won't make you invulnerable. Nothing will. But they address the attack vectors responsible for the vast majority of incidents that actually hit businesses with fewer than 100 employees. You're not defending against a nation-state. You're making your business hard enough to breach that attackers move on to the next one that hasn't done the basics.

If you want to understand how supply chain risk extends beyond your own systems, read what supply chain attacks actually are. If your website is part of your business infrastructure — and it is — make sure your HTTP security headers are configured correctly. And when you're evaluating vendors who handle your data, here's what to ask them about security.

At Kief Studio, we build systems where security is a byproduct of good engineering — not an afterthought bolted on later. If you're past the basics and ready to think about how your technology stack holds together under real-world conditions, that's the conversation we have.

FAQ

Do I really need all five, or can I just pick one or two?

They work together. MFA protects your accounts, but if your password is reused across ten services and one gets breached, MFA alone can't protect every account that doesn't have it enabled yet. Backups protect your data, but they don't prevent the breach that led to the data being stolen in the first place. Training protects your people, but trained people with weak passwords are still vulnerable to credential stuffing. Start with MFA because it has the highest single-step impact, but plan to implement all five within 90 days.

My business is too small to be a target. Isn't this overkill?

Attackers don't target businesses by name. They target vulnerabilities at scale. Automated scanning tools sweep millions of IP addresses, email domains, and login pages looking for known weaknesses — no MFA, unpatched software, default passwords. If your business has an internet connection and handles any customer data, you're in the scan. Size doesn't make you invisible. Lack of defenses makes you easy.

How do I get my team to actually use a password manager?

Set it up for them. Pre-configure the vault. Install the browser extensions on their machines. Show them the auto-fill feature once — most people are sold the moment they realize they'll never have to remember or type a password again. The resistance is almost always about perceived inconvenience, and it evaporates when people experience how much faster a password manager makes their daily logins. Give it three weeks before expecting full adoption.

What should I do after I've completed all five steps?

Review your vendor agreements and understand who has access to your data and what their security commitments are. Implement a basic incident response plan — even a one-page document that answers "who do we call and what do we do in the first hour." And consider whether your website, your customer portal, and your internal tools were built with security as a design constraint or bolted on after the fact. The five steps in this article are the foundation. What you build on top of them depends on your industry, your data, and your risk tolerance.

[Image: overhead view of layered translucent security shields stacked in blue and green tones]
Each layer builds on the last. No single measure is enough, but together they eliminate the majority of real-world risk.
