Technology On Call — "Online Or At Your Door"
IT Support · February 1, 2026 · 6 min read

    Small Business Cybersecurity: 6 Things to Do This Week

    Six practical security steps any small business can finish this week: enable MFA, use a password manager, set automated backups, keep updates current, train staff on phishing, and have an IT contact.

    Most business break‑ins start the same way: one unlocked window — a single email account or laptop that wasn’t locked down. You notice it when a vendor calls about a bounced payment or a client can’t log into their portal. Those scares are usually fixed with basics, not a million‑dollar program. If you'd rather have someone else do the heavy lifting, I cover this day‑one work in my IT Support in Connecticut service.

    How do I turn on multi‑factor authentication (MFA) everywhere — quickly and sensibly?

MFA is the highest‑return control you can add: if a password is a key, MFA is the deadbolt. Start with a short inventory: company email accounts, payroll and banking logins, website admin panels, the domain registrar and DNS account, cloud storage, and any app that can move money or access customer records. If the list is longer than a lunch break, that is a good time to call in a technician who can coordinate the rollout so nobody gets locked out mid‑change.

    Practical steps you can finish in an afternoon:

• For Google accounts: open Security → 2‑Step Verification and follow the prompts to add an authenticator app. For Microsoft 365: in the Microsoft Entra admin center, turn on Security Defaults (which requires MFA for every user) or, on a plan that includes it, a Conditional Access policy that requires MFA. For banks and payroll vendors: open the account or security settings and enable two‑step sign‑in. Write down recovery codes and store them in your password manager or a locked safe.
• Prefer an authenticator app or a hardware security key for high‑risk accounts. Authenticator apps create time‑based codes; hardware keys (FIDO2/WebAuthn) prove you physically hold the device and are bound to the real website, so a look‑alike login page cannot capture and replay them the way it can a typed six‑digit code. Avoid SMS codes when you can — they’re better than nothing but vulnerable to SIM‑swap attacks.
    • If you have multiple staff, schedule a two‑hour rollout session: inventory, enable MFA, and record recovery codes in a shared, encrypted business vault. Coordinating the change once prevents avoidable lockouts later.
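What an authenticator app actually does with the secret it was given at setup, as an added example written from RFC 4226/6238 rather than code from this article: the six‑digit code is an HMAC over the current 30‑second time step, which is why it changes constantly and why a server should only accept it within a step or so of its own clock. The secret below is the RFC's published test value, not a real account secret; the function names are ours.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, as a worked example (not the article's code).
Shows where an authenticator's six digits come from and how a server checks them."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / 6238 test secret (ASCII "12345678901234567890"); never use a fixed secret for real.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, then 'dynamic truncation':
    take 4 bytes at the offset given by the low nibble of the last byte, drop the
    sign bit, and keep the last `digits` decimal digits (zero-padded)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the number of `step`-second windows since epoch,
    so phone and server agree as long as their clocks are within a window of each other."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, submitted: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current window and `skew` windows either side for clock
    drift, nothing older. compare_digest avoids leaking how many digits matched via timing."""
    for delta in range(-skew, skew + 1):
        t = unix_time + delta * step
        if t >= 0 and hmac.compare_digest(totp(secret, t, step, len(submitted)), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code right now:", totp(RFC_TEST_SECRET, now))
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
```

A code copied off a phishing page is only good for the window it was generated in, which is the whole reason `verify` refuses anything outside the current window plus or minus one; a hardware key removes even that short window because it never reveals a reusable code at all.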

    What's the easiest way to stop reusing weak passwords?

    A password manager is the practical fix. It generates unique, strong passwords for every login and fills them so people don’t need to remember long strings. This removes the temptation to use the same password across email, payroll, and client portals.

    Set one up in three concrete steps:

    • Choose a reputable manager and create a strong master passphrase you can remember. Then enable MFA on the vault itself so the vault isn’t the single point of failure.
    • Create a business vault with shared folders for vendor logins and payroll accounts, and add an emergency or administrator access path so accounts aren’t lost when someone leaves.
    • On staff phones, set a short PIN or enable biometrics so people use the manager instead of writing passwords down. Offer a five‑minute demo — most folks will adopt the manager if it actually saves them time.

    If you must put the master password on paper, lock that paper in a safe and keep the location documented in your business continuity notes.

    How should I back up our files so a crash or ransomware doesn’t ruin us?

    Backups have only two rules: automate them, and test that you can restore. A backup you can’t restore is just busywork.

    A realistic small‑office setup:

    • Use continuous cloud backup for laptops and workstations so deleted files can be recovered. Add a scheduled, versioned server backup for shared drives and databases.
• Keep a second copy that ransomware on your network cannot reach — for example an external drive that is unplugged and stored offsite, or cloud storage with versioning or deletion protection (object lock) turned on — for critical records like accounting, patient files, or contracts. A copy that is only reachable as a mapped drive or live sync folder is not that second copy.
    • Test restores monthly: pick a handful of files or a small folder, restore them to a spare machine, and open the files to confirm they’re usable.
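One way to turn "open the files to confirm they’re usable" into a repeatable check, as an added example that is not code from this article: record a SHA‑256 fingerprint of every file when the backup is taken, then compare a test restore against that list, so a truncated, corrupted or already‑encrypted file shows up as "changed" and a skipped file shows up as "missing". The sample files and the two restore defects below are constructed in a temporary directory; the function names are ours.

```python
"""Backup manifest and restore verification, as a worked example (not the article's code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large database dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX slashes) to its SHA-256.
    Run this when the backup is taken and store the result with the backup."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.
    'changed' = content differs (corruption, truncation, or a file that was already
    encrypted when it was backed up); 'missing' = the backup job never captured it;
    'extra' = files present in the restore that were not in the manifest."""
    report = {"ok": [], "missing": [], "changed": [], "extra": []}
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = sorted(present - manifest.keys())
    return report


def demo() -> dict:
    """Constructed scenario: three files backed up; in the test restore one comes back
    empty and one does not come back at all."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "shared_drive"
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "ledger-2025.csv").write_text("date,amount\n2025-01-02,100.00\n")
        (src / "contracts.txt").write_text("Client A master agreement\n")
        (src / "notes.txt").write_text("meeting notes\n")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restore_test"
        shutil.copytree(src, restored)
        (restored / "notes.txt").write_text("")      # simulate a truncated restore
        (restored / "contracts.txt").unlink()         # simulate a file the job skipped
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key:8s} {files}")
```

Point `build_manifest` at the folder being backed up and `verify_restore` at the folder you restored to on a spare machine; a clean monthly test is an empty `missing` and `changed` list, and that date is what belongs in the incident notes described later in this article.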

Note about sync services: OneDrive, Dropbox, and similar tools mirror edits and deletions across devices. That’s great for access, but not a replacement for versioned backups: a file encrypted by ransomware on one laptop is faithfully synced everywhere else within seconds. If you use a sync service, make sure you also have backup retention that can roll back to earlier versions, and know how long that retention window is before you need it. If you want a broader look at how this fits into managed help, see How Much Does Small Business IT Support Cost in Connecticut?

    How do I make sure software updates actually protect me?

Most successful attacks exploit vulnerabilities that already had a patch available; the problem is that the patch was never installed. Use automatic updates where possible, and keep a short checklist for the apps that won’t auto‑patch.

    Where to click and what to check:

• Windows: keep Windows Update on and set active hours so machines don’t reboot in the middle of the workday. Check Settings → Update & Security → Windows Update (Windows 10) or Settings → Windows Update (Windows 11).
• macOS: turn on automatic updates and make sure the security‑only option is enabled ("Install system data files and security updates" on older versions; "Install Security Responses and system files" under System Settings → General → Software Update on current ones) so critical fixes arrive without waiting for a full OS upgrade.
    • Browsers and plugins: rely on the browser’s built‑in updater, and check PDF readers, printer drivers, and any specialty bookkeeping or point‑of‑sale apps for their own update controls.

    Make a weekly task for non‑standard software — legacy tools, custom printers, industry‑specific accounting packages. Those are the ones attackers love because they often get ignored.

    What should I tell my team about phishing in a short, useful way?

    You don’t need a full formal class. A 15‑minute huddle that covers the common traps will cut risk a lot. Focus on identifiable behaviors, not horror stories.

    Quick cues staff can use immediately:

    • Hover over links to see the real URL before clicking, and check the sender’s full email address, not just the display name.
    • If an invoice or payment instruction changes, call the vendor using a number you already have on file — not the number in the email.
    • Never enable macros in documents unless the sender is verified, and treat urgent language demanding immediate payment as a red flag.
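The three cues above can also be run mechanically over a saved message, which is useful for whoever triages the "is this real?" forwards. This is an added example, not code from this article; both sample messages and the vendor record are constructed, and the function names are ours. It checks the display name against the vendor domain already on file, compares the link text a user would see with where the link really goes (the same thing hovering reveals), flags a Reply‑To that differs from the sender, and flags urgent language attached to a bank‑details change.

```python
"""Phishing cues as code, a worked example (not the article's code). Messages are constructed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed vendor record: the name staff know and the domain already on file.
KNOWN_VENDORS = {"acme payroll": "acme-payroll.com"}
URGENCY_WORDS = ("urgent", "immediately", "today", "suspended", "final notice")

# Constructed phishing sample: look-alike domain, mismatched Reply-To, link text that shows the
# real portal while the href goes elsewhere, and urgency attached to new bank details.
PHISH_EML = b"""From: "Acme Payroll Support" <billing@acme-payroll-secure.co>
Reply-To: payments@acme-payroll-secure.co
To: owner@example-smallbiz.com
Subject: URGENT: updated bank details for this month's invoice
Content-Type: text/html; charset=utf-8

<p>Our bank account has changed. Please pay TODAY to avoid service interruption.</p>
<p>View the invoice at <a href="http://acme-payroll-secure.co/login">https://portal.acme-payroll.com/invoice/4471</a></p>
"""

# Constructed legitimate sample from the vendor's real domain, for comparison.
LEGIT_EML = b"""From: "Acme Payroll" <billing@acme-payroll.com>
To: owner@example-smallbiz.com
Subject: Your January invoice is ready
Content-Type: text/html; charset=utf-8

<p>Invoice 4470 is ready: <a href="https://portal.acme-payroll.com/invoice/4470">https://portal.acme-payroll.com/invoice/4470</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, or of bare text like 'portal.example.com/x' (scheme added first)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyse(raw: bytes) -> list:
    """Return (code, detail) findings for one raw message; an empty list means no cue fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Cue 1: the display name claims a known vendor but the address is some other domain.
    for name, real_domain in KNOWN_VENDORS.items():
        if name in display.lower() and domain != real_domain and not domain.endswith("." + real_domain):
            findings.append(("SENDER_DOMAIN", f"'{display}' sent from {domain}; vendor on file is {real_domain}"))
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(("REPLY_TO", f"replies go to {reply_to}, not {addr}"))
    # Cue 1 for links: what the text shows versus where the href really goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        if "." in text and host_of(text) != host_of(href):  # 'click here' style text is skipped
            findings.append(("LINK_MISMATCH", f"text shows {host_of(text)}, link goes to {host_of(href)}"))
    # Cues 2 and 3: a bank/payment change delivered under time pressure.
    blob = (str(msg["Subject"] or "") + " " + html).lower()
    if "bank" in blob and any(word in blob for word in URGENCY_WORDS):
        findings.append(("URGENT_PAYMENT", "bank details changed under time pressure: call the vendor on the number already on file"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(PHISH_EML):
        print(f"[{code}] {detail}")
    print("legitimate sample findings:", analyse(LEGIT_EML))
```

None of these checks proves a message is safe; they only make the cues visible. The payment‑change rule deliberately ends in "call the vendor", because no header check can confirm a new bank account is real.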

If someone clicks a suspicious link or types a password into a page it opened: disconnect the device from the network, change that password from a separate clean device and sign out all other sessions for the account, and notify your IT contact immediately. A calm, fast response reduces damage. For a short, trustworthy handout, I give people the FTC's guide to recognizing phishing as a clear reference.

    Who should I call when something goes wrong — and what should I have ready?

    Have an IT contact before you need one. During an incident is the worst time to start interviewing providers. A trusted technician who already knows your setup moves faster and asks fewer questions in the dark.

    Document these items now and keep them in your password manager or a secure place:

    • A list of critical systems and where the admin accounts live (email admin, website hosting, payroll vendor).
    • Where backups live and the date of the last successful test restore.
    • Your insurance policy contact and any cyber incident clauses.

If you don’t have an IT partner yet, a sensible first week is: inventory key accounts, enable MFA, put backups in place, and schedule a short consult so someone knows your setup ahead of time. If you want help getting that checklist done, book a call on my contact page and we’ll walk through the essentials together.

    Frequently Asked Questions

    Do I really need MFA on everything?

Yes. MFA stops most account takeovers because a stolen password alone is no longer enough: the attacker also needs the authenticator code or hardware key. Start with email, banking and payroll, since those accounts can reset or pay for everything else.

    Is a password manager safe for business use?

    Yes — reputable password managers encrypt your vault so only authorized devices can decrypt it. Use a strong master passphrase, enable MFA on the vault, and set up an emergency access path for personnel changes.

    What's the difference between cloud sync and a backup?

    Sync services mirror files across devices, so deletions and encryptions propagate everywhere. Backups keep historical versions and separate copies you can restore from, which is essential after accidental deletion or ransomware.

    Can my small business recover from ransomware without paying?

    Sometimes — if you have recent, tested backups and a practiced incident plan. That’s why automated backups, tested restores, and a known IT contact are the most reliable recovery steps.

#cybersecurity #mfa #basics

Paul Berg, The Tech Doctor — friendly, low-pressure technology help across Connecticut.