Cybersecurity basics for a business with no IT department

When a small business owner asks me about cybersecurity, they usually expect me to recommend software — some product they can buy that makes them "secure." I almost never do, because that is not how small businesses actually get attacked. Nobody is writing custom code to break into a hardware shop in Magomeni. What happens instead is mundane: a guessed password, a convincing fake message, a phone left in a taxi. The breaches come through ordinary doors, and you lock ordinary doors with habits, not products.

This is the security briefing I give to a business with no IT department and no budget for one. There is nothing here you cannot do this week, and it will protect you from the overwhelming majority of what actually goes wrong.

The mental model: you are not a target, you are a door

First, drop the idea that you are too small to be attacked. You are right that no skilled hacker is personally interested in your business. But that is not how small businesses get hit. They get hit by automated attacks that try millions of doors to see which are unlocked, and by opportunists who find a way in and only then decide what to do with it.

You are not a target. You are a door in a street of doors, and the attacker is walking down the street turning every handle. Security, for you, is simply being one of the locked doors. You do not have to be impregnable. You have to be more locked than the business next to you, and almost everyone next to you is unlocked.

Door one: passwords (this is most of it)

The single most common way small businesses get breached is a weak or reused password. Someone uses the same password everywhere, it leaks from one careless website, and now the attacker has the key to everything — email, banking, your business accounts.

Two habits close this door almost completely:

• A different password for every important account. You cannot remember these, and you should not try. Use a password manager — there are good free ones — which remembers them for you. You memorise one strong password; it handles the rest.
• Turn on two-step verification (also called 2FA) everywhere it is offered. This is the single highest-value security action available to you. It means that even if someone steals your password, they still cannot get in without the code sent to your phone. Turn it on for your email first, because your email is the master key — whoever controls it can reset every other account.

If you do nothing else in this entire essay, do these two. They close the door most attackers walk through.

Door two: the convincing message (the human attack)

The second most common breach is not technical at all. It is a message — an email, an SMS, a WhatsApp — that looks legitimate and tricks a person into handing over a password, clicking a bad link, or paying a fake invoice. This is called phishing, and it works because it targets people, not computers.

No software fully protects against this, because the vulnerability is human trust. The defence is a habit and a rule:

• Slow down on anything urgent and money-related. Urgency is the attacker's main tool — "your account will be closed today," "pay this invoice now." Real businesses rarely demand instant action. Fake ones always do. When a message makes you feel rushed about money, that feeling is itself the warning.
• Verify through a second channel. If "your supplier" emails new bank details for a payment, call them on the number you already have — not the number in the email — and confirm. This one habit defeats the most expensive single attack on small businesses: the redirected payment.

Door three: the lost or shared device

Your business lives on phones and laptops, and those get lost, stolen, and shared. A phone with no lock screen, left in a taxi, is a full breach of everything that phone can reach.

The fixes are quick:

• Lock every device with a PIN, password, or fingerprint — phones and computers both. An unlocked device is an unlocked door to everything on it.
• Do not share logins by writing them on a note or sending them in chat. Where staff need access, give each person their own, so that when someone leaves, you close one door without disrupting everyone else.
• Keep devices updated. Those update prompts you keep dismissing are mostly security fixes. Letting them install is one of the easiest protections you have, and you are already being offered it for free.

Door four: no backup (the disaster that is your own fault)

Finally, the one that is not about attackers at all. The most certain data disaster for a small business is not a hacker — it is a dead laptop, a corrupted phone, or ransomware locking your files, with no copy anywhere.

The rule is simple: anything that would hurt to lose exists in at least two places, one of them not in your office. For most businesses this means your important files live in a reputable cloud service that keeps copies automatically. Test occasionally that you can actually retrieve a file. A backup you have never restored from is a hope, not a backup.

The honest summary

You do not need an IT department, a security product, or a budget. Almost every real breach of a small business comes through four ordinary doors: weak passwords, convincing messages, lost devices, and no backups. Lock those four with the habits above — strong unique passwords and two-step verification, a slow-down rule on urgent money requests, locked and updated devices, and a real backup — and you have done more for your security than most businesses ten times your size.

Security at your scale is not a product you buy. It is a small set of boring habits you keep. The boring is the point. Boring is what locked doors look like.