Curated from CISA. Some commentary added by our team.
If you only do five things this year on cyber security, do these. They're not flashy. They're the ones that keep coming up on every breach we work, every cyber-insurance application, and every framework — CIS, NIST, CMMC, PCI, HIPAA — small business has to navigate.
1. Multi-factor authentication on every account
Yes, including the boss. Especially the boss. Microsoft has reported that MFA blocks more than 99% of automated identity attacks. Use an authenticator app or a hardware key — SMS is better than nothing but worse than the alternatives.
2. Endpoint detection and response on every laptop and server
Plain antivirus is a 2010s solution. EDR watches behavior, isolates compromised machines, and gives a real human a chance to investigate before damage spreads. It's now table stakes for cyber-insurance.
3. Backups that are tested
Not "we have a backup service." Not "we pay a vendor." But: when did you last restore a real file from your backups? An untested backup is a guess. Test quarterly at minimum. Keep an offline or air-gapped copy.
4. Security awareness training
Your people are not a vulnerability — they're the perimeter. Short monthly videos plus realistic phishing simulations move per-user risk scores in measurable ways within a few months.
5. A patching schedule you actually follow
The biggest breaches of the last decade exploited vulnerabilities that had patches available, sometimes for years. Operating systems, third-party apps (Chrome, Adobe, Java), and firmware — all of it needs a schedule, owner, and proof.
What about everything else?
Conditional access, DLP, vault password managers, vulnerability scanning, encrypted laptops, mobile device management — they all matter. But if the five above aren't done yet, those are the wrong place to start.
If you'd like an honest read on how your business stacks up against this list, reach out — we run a short assessment that produces a concrete to-do list, no sales pitch attached.
