Module 08 of 08

Cybersecurity basics

Small businesses are routinely targeted by cybercriminals because they are seen as easier targets than large companies. The good news: the steps that protect most small businesses are not technical, don't require an IT person, and most take under 10 minutes to set up.

Why small businesses get targeted


Small businesses often hold the same valuable data as larger ones (customer payment information, bank account access, employee records) but without the dedicated security staff. Attackers know this. The most common attacks on small businesses are not sophisticated hacks; they're phishing emails that trick an employee into handing over login credentials, and weak or reused passwords that get guessed or found in data breach lists.

The good news: the great majority of small business cybersecurity incidents are preventable with basic hygiene. You don't need specialized software or an IT department; you need consistent habits and a few settings enabled.

The most important thing you can do right now

Enable two-factor authentication (2FA) on your email, banking, and point-of-sale accounts. This single step blocks the vast majority of account takeover attempts: even if an attacker gets your password, they can't log in without the second factor from your phone. An authenticator app or a hardware security key is stronger than a code sent by text message, since text codes can be stolen by someone who hijacks your phone number, but any second factor is far better than none. Start with email, because password resets for every other account land there.


In this Module

  • Why small businesses get targeted

  • Cybersecurity self-assessment

  • The four biggest risks

  • If something goes wrong

  • Real-world examples

Related Sections

  • Tech & Tools

  • Legal & Compliance

Cybersecurity self-assessment checklist


  • Two-factor authentication (2FA) is enabled on my business email

  • 2FA is enabled on my business bank account

  • I use a password manager (1Password, Bitwarden, or similar) so every account has its own long, generated password; no password is used in two places

  • My business data (customer records, financial files) is backed up automatically to a cloud location, and I can restore an earlier version of a file if the current one is deleted, overwritten, or encrypted

  • My computer's operating system and major software are set to update automatically

  • I know how to identify a phishing email (suspicious sender, urgent request, unexpected link)

  • Staff with access to business accounts know not to click unexpected links without verifying

  • My Wi-Fi network is password-protected and the default router password has been changed

  • Former employees' access to business accounts has been revoked when they left

  • I know who to call if my bank account, email, or POS system is compromised


The four biggest risks for small businesses


Phishing is the most common attack vector: an email that looks like it's from your bank, your POS provider, or a vendor asking you to log in to verify something. The link goes to a fake site that captures your credentials. Signs of phishing: unexpected urgency, requests to click a link to verify or update something, and a sender domain that is almost but not quite right, whether a lookalike character (paypa1.com vs paypal.com) or a trusted name buried inside an unrelated domain (paypal.com.some-other-site.net). When in doubt, don't click; open a new browser tab and go to the site the way you normally would.
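The domain tricks described above can be checked mechanically. The following is an added example, not part of this module or any product it mentions: a small Python checker that compares a sender's address against a list of domains you trust and flags lookalikes, covering digit-for-letter swaps (paypa1.com), one-character typos, and a trusted brand name appearing as a subdomain or hyphenated label of some other domain. The trusted-domain list, the homoglyph table, and the sample addresses are constructed for illustration; the "registrable domain" logic is deliberately crude (it takes the last two labels, so it misreads suffixes like co.uk).

```python
from email.utils import parseaddr

# Constructed for this example: the domains this business actually deals with.
TRUSTED_DOMAINS = {"paypal.com", "squareup.com", "chase.com"}

# Characters attackers commonly substitute for look-alike letters (constructed list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s", "7": "t"}


def normalize(domain: str) -> str:
    """Undo common look-alike substitutions so paypa1.com compares as paypal.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch one-character typos and squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', or 'unknown' for a From: header value."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    labels = domain.split(".")
    # Crude registrable domain: last two labels (mail.paypal.com -> paypal.com).
    registrable = ".".join(labels[-2:])
    if domain in TRUSTED_DOMAINS or registrable in TRUSTED_DOMAINS:
        return "trusted"
    # Every dot- or hyphen-separated word in the domain, e.g.
    # paypal.com.evil.net -> {paypal, com, evil, net}
    words = {w for label in labels for w in label.split("-")}
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in words:                                    # paypal.com.evil.net, paypal-support.net
            return "lookalike"
        if edit_distance(normalize(registrable), trusted) <= 1:  # paypa1.com, chasse.com
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders; the verdict is what a mail rule would act on.
    for sender in ["PayPal <service@paypal.com>",
                   "service@paypa1.com",
                   "security@paypal.com.account-verify.net",
                   "alerts@chasse.com",
                   "hello@example.org"]:
        print(f"{classify_sender(sender):10s} {sender}")
```

Treat "lookalike" as a hard stop (verify by phone or by typing the real site's address yourself) and "unknown" as a prompt to look closer; the check only covers the sender domain, so a message from a genuinely compromised trusted mailbox still passes it, which is why the payment-verification rule further down applies regardless of who an email appears to come from.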

Weak and reused passwords are the second-most-common problem. When any website is breached, attackers test the leaked username/password combinations against banking, email, and POS systems (the industry term is credential stuffing). If your business email uses the same password as a forum account you signed up for in 2017, you're at risk. A password manager solves this: every account gets its own long, random password that you never have to remember.

No backups mean a ransomware attack or hardware failure is potentially catastrophic. If your customer database or financial records exist only on one laptop, a spilled coffee is a business crisis. Google Workspace, iCloud, and Dropbox all sync your files to the cloud automatically for a reasonable cost. One caveat: a synced folder faithfully uploads whatever is on the laptop, including files that ransomware has just encrypted, so make sure version history is turned on and that you know how to restore an earlier version.

The most expensive mistake

Wiring money or making payments based on an email request without a phone call to verify. Business email compromise (BEC) attacks impersonate a vendor, partner, or even your own accountant to redirect a payment. If an email asks you to wire money or update banking details, always call the person directly using a number you already have, not one in the email, and don't confirm by replying to the message, since the attacker may be the one reading that mailbox.


If something goes wrong: first steps


If you suspect an account has been compromised, work through these in order:

  • Change the password immediately, from a different device than the one you suspect is infected

  • Revoke all active sessions (most platforms have a "log out all devices" option)

  • Enable 2FA if it wasn't on

  • For email, check for forwarding rules, filters, or added recovery addresses you didn't create; attackers leave these behind to keep reading your mail after the password changes

  • Check for any transactions or changes made without your authorization

  • Contact your bank if financial accounts are involved

If ransomware locks your files: disconnect the affected computer from the network and Wi-Fi right away so it can't spread to other machines or to your synced cloud folders, and do not pay. Call your IT contact, your cyber insurance provider if you have one, or the FBI's IC3 reporting center (ic3.gov). Paying ransoms does not guarantee your files are restored and funds further attacks. This is the moment your backups and version history earn their keep.

Cyber insurance

Small business cyber insurance typically costs $500–2,000/year and covers incident response costs, data recovery, and sometimes lost income during an outage. It's worth evaluating if you store significant customer data or process payments. Ask your business insurance provider whether it's included or available as an add-on, and expect the insurer to ask whether you have 2FA and backups in place; the checklist above is roughly what they check.


Real-world examples



Nina — yoga and wellness studio

Studio with online booking and membership billing

Nina's Mindbody account was compromised after she clicked a link in a convincing-looking email that claimed her account needed to be verified. The attacker accessed her client billing system. "The first thing I did wrong was click without verifying. The second thing was not having 2FA on. After it happened, I turned on 2FA everywhere in one afternoon. I lost two hours dealing with it. If I'd spent 10 minutes on 2FA beforehand, there wouldn't have been anything to deal with."


Ray — woodworking and custom furniture

Solo craftsperson, sells direct and online

Ray had his laptop stolen from his van. Because he used Google Drive for all his files and his accounting was in Wave (cloud-based), he lost nothing except the laptop itself. "My neighbor who runs a landscaping business had the same thing happen and lost five years of customer records because everything was on the laptop. Cloud backup is the single thing I tell every small business owner to do first."

