The Cybersecurity Mistakes I See in Almost Every Small Business

I have spent a lot of time over the last few years opening up small business networks for the first time. New client, free assessment, log into the firewall, look around. Walk the office. Pull up the email tenant. Check the backup vendor.

The same five things show up over and over. None of them are exotic. None of them require a six-figure security budget. All of them are the reason a 12-person business in Salinas or Monterey or anywhere else in California gets to spend a Tuesday afternoon talking to a ransomware negotiator instead of doing actual work. The point of a practical cybersecurity program is to make those basics visible, owned, and repeatable.

Here they are, in the order I usually find them.

1. Email accounts without MFA

Multi-factor authentication on Microsoft 365 or Google Workspace is the single highest-leverage security control a small business can turn on. It costs nothing. It takes about five minutes per user. And the vast majority of small business breaches I have ever seen would have been stopped cold by it.

And yet I still walk into networks where the owner's email, the bookkeeper's email, and the shared "info@" mailbox are all sitting there with a single password protecting them. Sometimes the password is on a sticky note. Sometimes it is the company name plus the year.

The fix is not complicated. Turn on MFA for every account, including the admin account nobody logs into. If a shared mailbox like "info@" is being logged into directly as its own account, block sign-in on that account and give people delegated access to it instead; a mailbox nobody can log into cannot be phished. Use the Microsoft Authenticator or Google Authenticator app, not SMS (SMS gets SIM-swapped). Make it required, not optional: in Microsoft 365 that means Security defaults or a Conditional Access policy, in Google Workspace it means enforcing 2-Step Verification for the whole organization. Leave number matching on, so a push prompt cannot be approved by someone who just taps "yes" on the fifth notification of the morning. Yes, your bookkeeper will complain for two days. They will get over it. Your business will not get over a $40,000 wire fraud because someone was too lazy to add a second step.
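The first thing I do in a new tenant is find out who actually has MFA registered, because "we turned it on" and "everyone has it" are different statements. This is an added example, not code from the original post: a Microsoft 365 audit using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed (`Install-Module Microsoft.Graph`) and that you sign in as an admin; the method names used to spot SMS-only users follow the Graph registration-details report and should be verified against your tenant's output.

```powershell
# Added example, not from the original post: who in the tenant has no MFA registered.
# Assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph)
# and you sign in with an admin account. The method names in $weakOnly follow the
# Graph userRegistrationDetails report; treat that list as an assumption to verify.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# One record per user: which methods are registered, whether MFA is set up, admin or not.
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

# Accounts with nothing registered at all. Admins sort first, because those are the
# ones that turn a phished password into a tenant takeover.
$noMfa = @($details | Where-Object { -not $_.IsMfaRegistered })

# Accounts whose only registered factors are phone or email, i.e. SIM-swap targets.
$weakOnly = @($details | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $_ -notin 'mobilePhone', 'alternateMobilePhone', 'officePhone', 'email' })
})

@($noMfa + $weakOnly) |
    Sort-Object -Property IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# One line for the assessment write-up.
$adminCount = @($noMfa | Where-Object { $_.IsAdmin }).Count
'{0} of {1} users have no MFA registered ({2} admins); {3} more rely on SMS or email only.' -f $noMfa.Count, $details.Count, $adminCount, $weakOnly.Count
```

This reports registration, not enforcement. A user can have Authenticator registered and still never be prompted if nothing in the tenant requires it, so pair the list with a check that Security defaults or a Conditional Access policy is actually turned on.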

2. Backups that have never been tested

Here is the conversation I have had a dozen times: "Yes, we have backups." Great. When was the last time someone tried to restore from one? Silence.

A backup that has never been restored is not a backup. It is a hope. Half the small business backup setups I see are quietly broken: the agent stopped running on the file server six months ago, the cloud sync hit a quota, the external drive plugged into the receptionist's machine has been disconnected since the office moved.

And even when backups do work, most of them are sitting on the same network as the production data, reachable with the same admin login. Ransomware crews know that. The first thing they do after getting in is find the backups and delete or encrypt them, and only then pull the trigger on the production data. Job done.

The fix has three parts. One: backups need to be tested, on a schedule, with a real restore of real files, not a green checkmark in the vendor console. Two: backups need to be immutable (cannot be deleted or encrypted by the same attacker who got onto the network). In practice that means the backup system has its own login that is not the domain admin account, and a retention lock the vendor enforces rather than a setting anyone with the password can flip. Three: keep an offline or off-account copy. If you want the service version of that checklist, start with backup and disaster recovery. The 3-2-1 rule (three copies of the data, on two different kinds of storage, with one of them somewhere else) is older than I am and it still works.
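Here is what "a real restore, on a schedule" can look like when scripted. This is an added example and not code from the original post or any backup vendor; it does not replace your backup product, it checks the result of a restore. It assumes you have restored a backup into a folder (a temp directory or a spare VM) and can still reach the live data to compare against. The canary-file trick is the part worth stealing: a file written just before each backup job tells you, after the restore, how old the backup really is. The demo at the bottom uses constructed data in a temp folder standing in for the file server, and uses Windows-style paths.

```powershell
# Added example, not from the original post: a scripted restore test.
# Assumptions: $Source is the live data, $Restored is where the restore landed,
# and Write-BackupCanary runs right before each backup job.

$CanaryName = '.backup-canary.txt'

function Write-BackupCanary {
    # Run this just before the backup job. A stale canary in the restore means the job
    # has been silently skipping this folder (or not running at all).
    param([Parameter(Mandatory)][string] $Source)
    (Get-Date).ToUniversalTime().ToString('o') | Set-Content -Path (Join-Path $Source $CanaryName)
}

function Test-Restore {
    param(
        [Parameter(Mandatory)][string] $Source,
        [Parameter(Mandatory)][string] $Restored,
        [int] $SampleSize = 50,        # files to hash-compare; raise it for a quarterly full check
        [int] $MaxBackupAgeHours = 26  # nightly backup plus some slack
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $srcRoot = (Resolve-Path $Source).Path.TrimEnd('\', '/')

    # 1. Freshness: the restored canary must exist and be recent.
    $canary = Join-Path $Restored $CanaryName
    if (-not (Test-Path $canary)) {
        $problems.Add("canary missing from restore (backup never captured $Source?)")
    } else {
        $stamp = [datetime]::Parse((Get-Content $canary -Raw).Trim(), $null, [System.Globalization.DateTimeStyles]::RoundtripKind)
        $age = (Get-Date).ToUniversalTime() - $stamp.ToUniversalTime()
        if ($age.TotalHours -gt $MaxBackupAgeHours) {
            $problems.Add("backup is $([int]$age.TotalHours)h old (limit $MaxBackupAgeHours h)")
        }
    }

    # 2. Integrity: hash a random sample of live files against their restored copies.
    $candidates = @(Get-ChildItem -Path $srcRoot -File -Recurse | Where-Object Name -ne $CanaryName)
    $sample = @()
    if ($candidates.Count -eq 0) {
        $problems.Add("no files found under $srcRoot")
    } else {
        $sample = @($candidates | Get-Random -Count ([Math]::Min($SampleSize, $candidates.Count)))
    }
    foreach ($file in $sample) {
        $rel = $file.FullName.Substring($srcRoot.Length).TrimStart('\', '/')
        $copy = Join-Path $Restored $rel
        if (-not (Test-Path $copy)) { $problems.Add("missing: $rel"); continue }
        $a = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $b = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
        if ($a -ne $b) { $problems.Add("content differs: $rel") }
    }

    [pscustomobject]@{
        Pass     = ($problems.Count -eq 0)
        Checked  = $sample.Count
        Problems = $problems.ToArray()
    }
}

# --- Demo with constructed data: a temp folder stands in for the file server ---
$src = Join-Path ([IO.Path]::GetTempPath()) "restore-test-src-$PID"
$dst = Join-Path ([IO.Path]::GetTempPath()) "restore-test-dst-$PID"
New-Item -ItemType Directory -Path "$src\invoices" -Force | Out-Null
1..5 | ForEach-Object { "invoice $_" | Set-Content "$src\invoices\inv$_.txt" }
Write-BackupCanary -Source $src                   # the step that belongs in the backup job
Copy-Item -Path $src -Destination $dst -Recurse   # stand-in for "back up, then restore"
Test-Restore -Source $src -Restored $dst          # Pass is True

"tampered" | Set-Content "$dst\invoices\inv1.txt" # simulate a corrupt restore
Remove-Item "$dst\invoices\inv2.txt"              # and a file the backup missed
Test-Restore -Source $src -Restored $dst          # Pass is False; Problems names inv1 and inv2

Remove-Item $src, $dst -Recurse -Force
```

Run Write-BackupCanary as the first step of the backup job and Test-Restore as a scheduled task against a restore into a scratch location, and have it email you only when Pass is false. A quarterly full comparison (SampleSize larger than the file count) catches the slow failures the nightly sample misses.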

3. Shared passwords and password reuse

Almost every small business I see has a shared spreadsheet, a shared Google Doc, or a shared Notes file with the company passwords in it. The vendor portal, the bookkeeping login, the wifi password, the FedEx account. All sitting in plain text, shared with everyone who has ever worked there.

And the passwords themselves are usually variations of the same theme. CompanyName2023!. CompanyName2024!. CompanyName2025!. The bookkeeper uses the same password for the QuickBooks login and her personal email, which got breached in some other company's data dump three years ago and is sitting on a list right now. Attackers replay those lists against every login they can find (credential stuffing), so reuse, not weakness, is usually what gets a small business in.

Use a real password manager. Bitwarden is cheap (the free plan covers individuals; a shared team vault is a paid plan, but a few dollars per user per month). 1Password is fine. Password managers, MFA, and access reviews should also be part of how you manage email and files in cloud services like Microsoft 365. Whatever you pick, the goal is the same: every login has a unique, long password, nobody knows what those passwords are, and access is granted and revoked through the manager (not by sharing a doc).
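"Sitting on a list right now" is a checkable claim. The following is an added example, not from the original post, that checks a password against Have I Been Pwned's Pwned Passwords service without sending the password anywhere: only the first five characters of its SHA-1 hash go to the API (its k-anonymity range query), and the match is made locally. It assumes outbound HTTPS to api.pwnedpasswords.com; the password at the bottom is a constructed example in the pattern the post describes, and the count it returns is whatever the service reports on the day you run it.

```powershell
# Added example, not from the original post: k-anonymity check against Pwned Passwords.
# Only the first 5 hex characters of the SHA-1 leave this machine.
function Test-PwnedPassword {
    param([Parameter(Mandatory)][string] $Password)

    # HIBP indexes passwords by the uppercase hex SHA-1 of their UTF-8 bytes.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $hash  = ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    $prefix, $suffix = $hash.Substring(0, 5), $hash.Substring(5)

    # Add-Padding makes every response roughly the same size, so someone watching the
    # traffic cannot infer which prefix was queried from the response length.
    $resp = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" -Headers @{ 'Add-Padding' = 'true' }

    # The response is "SUFFIX:COUNT" lines for every known hash with that prefix.
    foreach ($line in ($resp -split "`r?`n")) {
        $s, $count = $line -split ':'
        if ($s -eq $suffix) { return [int]$count }   # times seen in known breach dumps
    }
    return 0                                         # never seen
}

# Constructed example in the pattern the post describes. Do not paste a real shared
# password into a terminal on a shared screen; the point is to run this inside a
# password manager's breach report, which does the same query for every vault entry.
Test-PwnedPassword -Password 'CompanyName2024!'
```

A nonzero result means the password is already in attackers' lists and should be treated as public. Bitwarden and 1Password run this same kind of check across the whole vault in their breach reports, which is the version a small business should actually rely on.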

4. Computers older than the warranty on your truck

Walk into any small business and there is a Dell from 2014 sitting in a corner running something nobody wants to touch. It runs Windows 10, and it cannot run Windows 11 because it has no TPM 2.0 and a CPU Microsoft will not support. Microsoft stopped supporting Windows 10 on October 14, 2025. Unless someone bought Extended Security Updates for it (a one-to-three-year reprieve, not a plan), that machine has not received a security patch since.

Now multiply that by however many devices are on your network. The warehouse PC running the inventory software. The point-of-sale terminal. The receptionist's laptop. Every one of those is a door, and every old one is a door without a working lock.

You do not need to replace every machine tomorrow. But you do need to know which ones are still on a supported operating system, which ones are getting patches, and which ones are just sitting there waiting to be the entry point for the next attack. That inventory-and-patching rhythm is basic managed IT services work. A simple inventory agent (about $25 in licensing per machine) tells you; even a spreadsheet with hostname, OS version, and last patch date is better than nothing. Most small businesses do not have one.
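If you have no inventory tool yet, the first pass can be a script. This is an added example, not from the original post: it reports OS, build, TPM, and days since the last recorded update for the local machine, and then for a list of hostnames over PowerShell Remoting (which must already be enabled). The hostnames are placeholders, and the Windows 11 build cut-off used to mark a release "supported" is an assumption as of late 2025 that you should check against Microsoft's lifecycle page.

```powershell
# Added example, not from the original post: a minimal supported-and-patched inventory.
# Runs as-is locally; with PowerShell Remoting enabled it runs across $Computers (placeholders).
# The Windows 11 build cut-off is an assumption as of late 2025; verify against the lifecycle page.
function Get-PatchStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Get-HotFix lists installed updates with install dates. Some update types are not
    # recorded there, so treat a stale date as a prompt to look, not as proof.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days = if ($last) { [int]((Get-Date) - $last.InstalledOn).TotalDays } else { $null }
    $lastStr = if ($last) { $last.InstalledOn.ToString('yyyy-MM-dd') } else { 'none recorded' }

    # Missing TPM 2.0 is the usual reason a 2014-era box cannot move to Windows 11.
    $tpm = try {
        $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop).SpecVersion
        if ($spec -like '2.0*') { 'TPM 2.0' } elseif ($spec) { "TPM $spec" } else { 'none' }
    } catch { 'unknown (run elevated)' }

    $build  = [int]$os.BuildNumber
    $status = if ($os.Caption -like '*Windows 10*') { 'UNSUPPORTED since 2025-10-14 (unless on ESU)' }
              elseif ($os.Caption -like '*Windows 11*' -and $build -ge 26100) { 'supported' }
              elseif ($os.Caption -like '*Windows 11*') { 'older Windows 11 release; check lifecycle page' }
              else { 'check lifecycle page' }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OS             = $os.Caption
        Build          = $build
        Tpm            = $tpm
        LastPatch      = $lastStr
        DaysSincePatch = $days
        Status         = $status
    }
}

# Local check:
Get-PatchStatus | Format-List

# Fleet check over WinRM. Unreachable machines still get a row, because "we could not
# even reach it" is itself a finding (turned off, off the domain, or never enrolled).
$Computers = 'OFFICE-PC1', 'WAREHOUSE-PC', 'POS-TERMINAL'   # placeholder hostnames
$results = foreach ($c in $Computers) {
    try   { Invoke-Command -ComputerName $c -ScriptBlock ${function:Get-PatchStatus} -ErrorAction Stop }
    catch { [pscustomobject]@{ Computer = $c; OS = 'unreachable'; Status = $_.Exception.Message } }
}
$results | Sort-Object DaysSincePatch -Descending | Format-Table Computer, OS, Build, Tpm, DaysSincePatch, Status -AutoSize
$results | Export-Csv -Path .\patch-inventory.csv -NoTypeInformation
```

The CSV is the inventory. Run it monthly, keep the old copies, and the machines whose DaysSincePatch only ever goes up are your list.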

5. No plan for the day something goes wrong

If your email got locked out tomorrow morning, who would you call? If your file server stopped responding, what is the first thing you would do? If your bookkeeper got a call from "the IRS" demanding a wire transfer, what is the script she follows?

Most small businesses cannot answer these questions. They are running on the assumption that nothing will go wrong, and when it does they will figure it out. That is a fine plan right up until 8:30am on a Monday when the lights are off and you are trying to find the phone number of the IT guy who left two years ago.

An incident response plan does not have to be a 50-page document. It can be one printed sheet of paper taped to the back of the office door. Who do we call (IT, cyber insurance carrier, bank fraud line). What is the order of operations. What do we tell employees. What do we tell customers. Where are the offline backups. Where are the credentials. Keep that sheet somewhere other than the file server, because the day you need it may be the day the file server is encrypted. Practice it once a year. That is it.

What this actually looks like fixed

None of these are revolutionary. None of them require expensive software. The hardest part is sitting down for an afternoon and actually doing them. Most small businesses skip that afternoon for years and then spend a much worse week fixing the consequences.

If you want a second pair of eyes on which of these (or other things) are most important for your specific setup, that is what our free IT assessment is for. Thirty minutes, no sales pitch, no obligation. You walk away with a written list of what to fix, in order, with the why on each one.

If you would rather just talk through it, the number is (831) 204-0501. We pick up.

Want a real assessment of your network?

30 minutes, no sales script, written punch list of what to fix first.

Book your free assessment