Guide to Cybersecurity for Small or New Businesses
A good cybersecurity approach for a small or new business should focus on a few high-impact basics: identify what you need to protect, lock down access, keep systems updated, back up data properly, train staff, and have a simple incident response plan. That matters because cyberattacks can cost a business time, money, reputation, and customer trust, and government guidance for small businesses consistently treats cyber risk as a core business risk.[1][2]
Why it matters
Small businesses are often targeted because they usually have valuable data but fewer specialist resources than larger firms. The FCC notes that theft of digital information has become one of the most commonly reported frauds, and that every business using the internet needs a security culture that protects both the business and its customers. The FTC similarly warns that small businesses cannot afford to lose time, information, or money to cyberattacks.[3][1]
Core controls
Start with identity and access control. Require strong passwords, use a password manager, and turn on multi-factor authentication for email, cloud apps, banking, and any remote access; NIST specifically recommends MFA, strong passwords, and changing default passwords. Use least-privilege access so staff only see the data they need, and give administrative rights to as few people as possible.[2][3]
Next, protect devices and software. Keep operating systems, browsers, and apps updated as soon as fixes are available, and maintain antivirus or endpoint protection on every device. For a small business, that usually means endpoint security, email filtering, firewall protection, and some form of managed patching if no internal IT team exists.[4][3][2]
Better-known software
For email and productivity, Microsoft 365 and Google Workspace are widely used because they combine identity controls, collaboration, and built-in security features such as MFA and admin policies. For endpoint protection, products such as Bitdefender GravityZone are commonly recommended in small-business roundups, while broader endpoint detection and response tools are often positioned as the next step up for growing firms. For password management and MFA, use a reputable password manager plus an authenticator app rather than relying only on SMS codes, since authenticator-based MFA is generally stronger.[5][6][7][2]
Backup regime
Backups are one of the most important defenses because they let a business recover from ransomware, accidental deletion, hardware failure, or theft. A practical approach is the 3-2-1 rule: keep three copies of critical data, on two different media, with one copy off-site or in the cloud. NIST also recommends regularly backing up data, protecting those backups, and testing them, because a backup that has never been restored is not a trustworthy recovery plan.[7][2]
A strong backup regime for a small business should include daily automated backups for active data, encrypted backup storage, and at least one offline or immutable copy so ransomware cannot reach everything. Test restores on a schedule, such as monthly for key files and quarterly for full-system recovery, and document who is responsible for checking that backups actually completed. Critical business data includes finance, customer records, HR files, contracts, and operational documents.[3][7][2]
What to do regularly
Security is not a one-time project. Every week, check that backups succeeded, review alerts from email and endpoint security, and install urgent patches. Every month, review user accounts, remove ex-employees, confirm MFA is still enabled everywhere, and check for devices that are missing updates or antivirus coverage.[7][2]
Training should also be routine. The FCC recommends training employees in security principles and rules for handling customer and company data, while NIST includes basic cybersecurity hygiene as a recurring need. A small business should run short phishing-awareness refreshers, remind staff how to report suspicious emails or lost devices, and keep a simple incident contact list with names, phone numbers, and escalation steps.[2][4][3]
A practical starter plan
For a brand-new business, a sensible first-month plan is: inventory devices and cloud services, turn on MFA everywhere, deploy endpoint protection, set automatic backups, and write a one-page incident response note. In the next phase, segment payment systems from general browsing, tighten admin access, and introduce security training for all staff. That gives you a realistic baseline without needing a large budget or specialist security team.[4][3]
The main idea is to build a simple, repeatable security routine rather than chase every advanced tool. If a small business gets identity protection, patching, backups, staff awareness, and recovery planning right, it has already reduced most of its everyday risk.[2][4]
References
- https://www.ftc.gov/business-guidance/small-businesses/cybersecurity
- https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics
- https://www.fcc.gov/communications-business-opportunities/cybersecurity-small-businesses
- https://infinitynetworksupport.com/en/blog/nist-csf-smb-implementation-guide
- https://www.softbliq.com/best-cybersecurity-software-for-small-business/
- https://topelevens.com/cybersecurity-software-smb
- https://www.socinabox.co.uk/guides/backup-and-mfa
- https://ifeeltech.com/blog/best-cybersecurity-software-small-business
- https://www.papublishing.com/small-business-cybersecurity-basic-start/
- https://www.oxygenit.co.nz/data-backup-plan-small-business/
- https://www.kaspersky.com/resource-center/preemptive-safety/small-business-cyber-security
- https://www.nist.gov/itl/smallbusinesscyber
- https://nvlpubs.nist.gov/nistpubs/ir/2025/NIST.IR.7621r2.ipd.pdf
- https://csrc.nist.rip/projects/small-business-cybersecurity-corner
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf
- https://www.youtube.com/watch?v=smruYItCCPY
- https://content.govdelivery.com/accounts/USNIST/bulletins/3b6119b
- https://senscy.com/the-ultimate-small-business-cybersecurity-guide-protecting-your-smb-in-todays-landscape/
- https://csrc.nist.gov/files/pubs/shared/itlb/itlbul2009-11.pdf
