
What Every Small Business Should Know About Cybersecurity in 2025

Figure 0: Cybersecurity protection for small businesses in 2025.


Keywords: small business cybersecurity 2025, cyber insurance, ransomware, phishing, MFA, backups, zero trust

TL;DR: Focus on people, passwords (passkeys/MFA), patching, backups, and a simple incident plan. Start small, automate, and improve monthly.

Introduction: Security That Fits Your Size

You don’t need a Fortune-500 budget to defend your business. Most cyber incidents hit small teams because of simple issues: weak passwords, missed updates, and rushed clicks on phishing emails. In 2025, practical cybersecurity means basic controls done consistently — plus a clear plan if something goes wrong.

2025 Threat Landscape (Plain English)

  • Phishing & business email compromise (BEC): Impersonation emails, texts, or voice-cloned calls crafted to trick staff into sending money or credentials.
  • Ransomware: Encrypted files + extortion. Attackers also threaten to leak data. Backups and quick response matter.
  • Account takeover: Weak/reused passwords get cracked; MFA/passkeys block most of this.
  • Unpatched software & devices: Old firmware, plugins, and OS versions are easy targets.
  • Vendor & app sprawl: A weak third-party or a risky browser extension can become the entry point.

10 Security Essentials for Small Businesses

  1. Adopt Passkeys/MFA Everywhere: Enable multi-factor on email, payroll, accounting, CRM, and cloud storage. Prefer passkeys or app-based codes over SMS.
  2. Use a Business Password Manager: Shared vaults for teams, role-based access, and off-boarding in one click.
  3. Keep Devices Updated: Turn on automatic OS/browser/firmware updates. Retire end-of-life hardware/software.
  4. Least Privilege & Role-Based Access: Staff get the minimum access needed. Review admin accounts monthly.
  5. Email Security & Filtering: Turn on advanced phishing/malware scanning and external sender warnings.
  6. Endpoint Protection: Modern AV/EDR on laptops/desktops; require disk encryption (BitLocker/FileVault).
  7. Secure Wi-Fi & Networks: Use separate staff/guest networks; change default router creds; disable unused ports/services.
  8. Backups with 3-2-1 Rule: 3 copies, 2 media types, 1 off-site/offline. Test restores quarterly.
  9. Vendor/App Review: Inventory cloud apps and browser extensions. Remove unused; restrict risky ones.
  10. Logging & Alerts (Basic): Turn on sign-in alerts, impossible travel alerts, and file-sharing notifications.
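The "impossible travel" alert in item 10 is easy to describe but worth seeing in code. The block below is an added example for this article, not a vendor feature: it walks a constructed sign-in export and flags consecutive sign-ins by the same user that are too far apart to have been made by one person. The CSV columns, the 900 km/h threshold and the assumption that your identity provider already attaches a geolocation to each source IP are assumptions of the example.

```python
import csv, io, math
from datetime import datetime

# Constructed sample sign-in export (documentation IPs, not real users). Assumes your
# identity provider's sign-in log already carries a geolocation for each source IP.
SAMPLE_LOG = """timestamp,user,ip,lat,lon
2025-03-04T09:00:00Z,alice,203.0.113.5,51.5074,-0.1278
2025-03-04T10:30:00Z,alice,198.51.100.7,40.7128,-74.0060
2025-03-04T09:15:00Z,bob,203.0.113.9,48.8566,2.3522
2025-03-04T16:00:00Z,bob,203.0.113.12,52.5200,13.4050
"""

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; anything faster is "impossible travel"

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(log_text: str, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Return (user, ip_before, ip_after, implied_kmh) for each pair of consecutive
    sign-ins by the same user that would require travelling faster than max_kmh."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:  # parse once; the "Z" suffix is normalised for older Python versions
        r["t"] = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
    rows.sort(key=lambda r: (r["user"], r["t"]))
    alerts = []
    for a, b in zip(rows, rows[1:]):
        if a["user"] != b["user"]:
            continue
        hours = (b["t"] - a["t"]).total_seconds() / 3600
        km = haversine_km(float(a["lat"]), float(a["lon"]), float(b["lat"]), float(b["lon"]))
        # Same place at the same instant (e.g. duplicate log entries) is not travel.
        speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
        if speed > max_kmh:
            alerts.append((a["user"], a["ip"], b["ip"], round(speed)))
    return alerts

if __name__ == "__main__":
    for user, ip1, ip2, kmh in impossible_travel(SAMPLE_LOG):
        print(f"ALERT {user}: {ip1} -> {ip2} implies {kmh} km/h")
```

In the sample, alice's London-to-New-York pair 90 minutes apart is flagged while bob's Paris-to-Berlin trip over an afternoon is not; a VPN or mobile carrier gateway can produce false positives, so treat the alert as a prompt to verify with the user, not as proof of compromise.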

People & Training (Your Human Firewall)

  • Onboarding checklist: MFA, password manager, security brief, acceptable use policy.
  • Monthly 10-minute refreshers: Spotting phishing, verifying money/wire requests, handling unknown USBs.
  • Dual control for payments: Any bank/wire changes require a second approver and an out-of-band phone call.
  • Off-boarding: Disable accounts immediately; reclaim devices; rotate any shared secrets.

Figure 1: Cybersecurity awareness training strengthens your human firewall.

Backups & Ransomware Readiness (3-2-1)

Backups turn a disaster into an inconvenience. Follow the 3-2-1 method and do a quarterly restore test. Keep a copy that can’t be modified from your main login (immutable/offline).

Figure 2: 3-2-1 backups and ransomware recovery practices for 2025.

  • Scope: Files, email, CRM/accounting exports, key cloud data.
  • Testing: Restore a random file each month; a full folder quarterly.
  • Documentation: Keep backup locations and contacts in your incident runbook.
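The monthly "restore a random file" test is only meaningful if you can prove the restored file is identical to what was backed up. This added example (not part of the article or any backup product) assumes a simple layout of its own: a backup set is a directory plus a manifest.json mapping relative paths to SHA-256 hashes recorded at backup time. It picks random files, restores them to a scratch directory, and compares hashes, catching the silent-corruption case where a backup job "succeeds" but the data is unusable.

```python
import hashlib, json, random, shutil, tempfile
from pathlib import Path

# Assumed layout (not from the article): a backup set is a directory holding the
# files plus manifest.json, a map of relative path -> SHA-256 recorded at backup time.

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir: Path) -> dict:
    """Hash every file in the backup set and store the result beside it."""
    manifest = {str(p.relative_to(backup_dir)): sha256_file(p)
                for p in backup_dir.rglob("*") if p.is_file() and p.name != "manifest.json"}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def restore_test(backup_dir: Path, sample: int = 1) -> list:
    """Restore `sample` random files to a scratch directory and compare their
    hashes with the manifest. Returns the relative paths that failed."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    chosen = random.sample(sorted(manifest), min(sample, len(manifest)))
    failed = []
    with tempfile.TemporaryDirectory() as scratch:
        for rel in chosen:
            dest = Path(scratch) / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup_dir / rel, dest)  # stands in for your real restore step
            if sha256_file(dest) != manifest[rel]:
                failed.append(rel)
    return failed

def demo() -> tuple:
    """Build a constructed backup set, run a clean test, then corrupt a file and rerun."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "invoice.txt").write_text("constructed sample invoice\n")
        (backup / "crm_export.csv").write_text("id,name\n1,Example Co\n")
        write_manifest(backup)
        clean = restore_test(backup, sample=2)
        (backup / "crm_export.csv").write_text("truncated")  # simulate silent corruption
        return clean, restore_test(backup, sample=2)
```

Keep the manifest with the offline copy as well as the live one, so a restore from the copy ransomware could not reach can be verified the same way.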

Vendors, Cloud, & Email Security

  • Contracts: Include breach notice timelines and data handling details.
  • Admin boundaries: Use separate admin accounts; avoid sharing owner logins with vendors.
  • DNS & Email Auth: Ensure SPF, DKIM, and DMARC are correctly configured to reduce spoofing.
  • Shared inboxes: Use group mailboxes with individual accounts (not shared passwords).

Cyber Insurance: What Underwriters Expect

Carriers increasingly require proof of basic controls. You’ll typically be asked about:

  • MFA on email, VPN, admin accounts, and remote access
  • Endpoint protection and encryption
  • Backups (frequency, isolation, and testing)
  • Phishing training and payment approval policies
  • Incident response plan and vendor management

Tip: Document your controls and keep screenshots/policies handy to speed up underwriting and claims.

Simple Incident Response Playbook

  1. Stop the bleeding: Disconnect affected devices; change passwords; revoke tokens/sessions.
  2. Triage & record: Note who/what/when; capture screenshots; save suspicious emails/files.
  3. Notify: Inform your internal lead, IT partner, and (if insured) your carrier’s breach hotline.
  4. Recover: Restore from clean backups; rotate keys; patch the entry point.
  5. Improve: Update training, rules, and approvals based on lessons learned.

Budget Tiers & a 30/60/90-Day Plan

Starter (free/low-cost): Turn on MFA, use a password manager, enable auto-updates, show staff a short phishing-training video, and turn on basic email filters.

Core (most SMBs): Add endpoint protection, DNS/email security, 3-2-1 backups with quarterly tests, and written policies (onboarding/off-boarding, payments).

Enhanced: Add device management (MDM), conditional access/zero trust rules, SIEM/log alerts, and vendor risk reviews.

30/60/90-Day Quick Plan

  • Days 1–30: MFA everywhere, password manager rollout, inventory apps/devices, enable auto-updates.
  • Days 31–60: Backup 3-2-1 setup + restore test, email/DNS auth (SPF/DKIM/DMARC), payment dual-control.
  • Days 61–90: Write a 1-page IR playbook, review admin access, remove unused apps/extensions, schedule quarterly drills.

FAQ: Small Business Cybersecurity (2025)

What’s the #1 thing we should do first?

Turn on MFA for email and critical apps. It blocks most account-takeover attempts.

Are passkeys worth it?

Yes. Passkeys remove passwords and resist phishing. Use them where supported and keep MFA as backup.

How often should we back up?

Daily for active files; weekly full backups; keep an offline/immutable copy. Test restores quarterly.

Do we really need a password manager?

If you share logins or can’t track who has access, yes. It saves time and reduces risky reuse.

We’re tiny. Do we need cyber insurance?

If a breach would disrupt operations or require customer notifications, insurance can cushion costs and provide expert responders.

💡 This article is part of our Small Business Security Series — originally published on tech.saqr.org and shared on saqr.org to reach a wider audience.
