Small business security basics that actually work
Forget the enterprise playbook. Here's what actually protects a 20-person company.
Every security vendor will sell you a stack of tools: EDR, SIEM, zero trust, identity governance. For a 20-person company with one office and a few remote workers, most of that is overkill. CISA publishes simple baselines that match what we deploy via IT services.
Here's what actually moves the needle. MFA on everything — email, VPN, admin panels. Skip SMS-based codes; use an authenticator app. This alone blocks the majority of credential attacks. It's free and takes an afternoon to roll out.
Next: patch your stuff. Not eventually, not quarterly. Weekly for workstations, monthly for servers, immediately for anything internet-facing with a known exploit. Automate it. If you're patching manually, you're not patching.
Third: backups that you've actually tested. Having a backup is not the same as having a working backup. We test restores quarterly for every client. About once a year we catch one that would have failed when it mattered.
That's it. MFA, patching, tested backups. It's not glamorous, but it covers 80% of what actually takes small businesses down.
What to do next
- Audit your current workflow and list the top three blockers.
- Set a clear owner for rollout, support, and user training.
- Start with one room/site/team, then standardize across locations.