When Every Click Is a Risk

Cyberattacks no longer discriminate based on size. Today, attackers don't go after what's big; they go after what's vulnerable. And small and medium-sized enterprises (SMEs) are often the easiest targets: under-protected, lacking dedicated IT staff, and overly confident in their supposed invisibility.
The reality? A frequently cited figure puts the share of SMEs that shut down within six months of a serious cyber incident at 60%. Not because they were attacked, but because they weren't prepared.
ENISA has published a set of recommendations that form a basic framework of digital self-defence for SMEs. These measures are not a luxury. They are the minimum required for survival.
12 Things Every Small Business Must Do, Immediately

No technical jargon, no false sense of security. If you run a business, these 12 steps are your first line of defence.
- Access Control: Not everyone should have access to everything. Set clear rules on who can access what, when, and how. Grant administrative privileges only where they are absolutely necessary, and review access rights whenever someone changes role or leaves the company.
- Backups: Back up regularly. Keep at least one copy offline, or otherwise unreachable from your network, so that ransomware cannot encrypt it along with the originals. Test your recovery procedures periodically: a backup you have never restored is a backup you cannot rely on. When an incident strikes, time is a luxury you don't have.
- Updates & Patch Management: Automate updates wherever possible. Decommission devices that can no longer be updated. Every outdated system is an open door.
- Antivirus and Anti-malware Protection: Use reputable security software on both computers and mobile devices. Don't disable it to "speed up" the system. Nothing is slower than recovering from a breach.
- Multi-Factor Authentication (MFA): Passwords alone are not enough. Enable MFA on email, cloud services, and accounting software, preferring an authenticator app or hardware key over SMS codes where the service offers it. If someone steals your login, this is what still stands between them and your accounts.
- Device Security: All company devices, from laptops to phones, should have basic protection (PIN or passcode, disk encryption, remote wipe capability). Personal devices? Only with a clear usage policy.
- Data Protection: You know what your most valuable data is: business documents, client databases, finances. Encrypt it, and control who accesses it and when.
- Staff Training: The weakest link is usually human. Invest in basic training: recognizing phishing emails, safe internet use, responsible password management.
- Network Security: Secure your network: activate the firewall on your router, change default passwords, and put guest Wi-Fi on a separate network from company systems. Working from home? Know which devices are allowed to connect.
- Incident Response Plan: When something happens, do you know what to do? Who's responsible? How to contact technical support? Create a simple plan and train your team to follow it.
- Third-party Risk Management: If you use external software, services, or suppliers, make sure they also have security controls in place. Your chain is only as strong as its weakest link.
- Password Management: Forget "123456" or "company2024". Use long, strong, unique passwords for every service. Ideally, use a password manager to generate and store them for you.
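The Backups item above is the one step on this list where "test your recovery" can be turned into a routine check rather than a good intention. What follows is an added example, not part of the original article or of ENISA's guidance: a POSIX shell routine that backs up a folder, records the archive's checksum, and then proves the backup restores by extracting it into a scratch directory and comparing it file by file with the original. It assumes a Linux system with GNU `tar`, `sha256sum` and `diff` available; every path, file name and data line in it is a placeholder constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article or ENISA's guidance.
# Backs up a directory and then verifies the backup actually restores.
# All paths, file names and sample data here are placeholders.
set -eu

# make_backup SRC_DIR ARCHIVE
# Creates a gzip-compressed tar of SRC_DIR and records its SHA-256 hash
# in ARCHIVE.sha256 so later tampering or bit-rot can be detected.
make_backup() {
    src="$1"; archive="$2"
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
    sha256sum "$archive" | cut -d' ' -f1 > "$archive.sha256"
}

# verify_restore SRC_DIR ARCHIVE
# Step 1: the archive must still match the hash recorded at backup time.
# Step 2: extract it into a scratch directory and compare file by file
#         with SRC_DIR. Returns 0 only if both checks pass, and prints
#         how long the restore took, which is your real recovery time.
verify_restore() {
    src="$1"; archive="$2"
    recorded=$(cat "$archive.sha256")
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$recorded" != "$actual" ]; then
        echo "FAIL: $archive does not match its recorded checksum"
        return 1
    fi
    scratch=$(mktemp -d)
    start=$(date +%s)
    tar -C "$scratch" -xzf "$archive"
    end=$(date +%s)
    if diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
        echo "OK: $archive restores to an exact copy of $src in $((end - start))s"
        rm -rf "$scratch"
        return 0
    fi
    echo "FAIL: data restored from $archive differs from $src"
    rm -rf "$scratch"
    return 1
}

# Demo on constructed sample data: a fake 'company' folder in a temp dir.
demo=$(mktemp -d)
mkdir -p "$demo/company/invoices"
printf 'Invoice 2024-001: 1200.00 EUR\n' > "$demo/company/invoices/2024-001.txt"
printf 'name,email\nAcme Ltd,billing@example.com\n' > "$demo/company/clients.csv"
make_backup "$demo/company" "$demo/company-backup.tar.gz"
verify_restore "$demo/company" "$demo/company-backup.tar.gz"
rm -rf "$demo"
```

Run it with `sh` to see the demo; in practice you would call `make_backup` from a scheduled job, copy the resulting archive and its `.sha256` file to offline media or an account that your normal systems cannot write to, and run `verify_restore` against that copy on a fixed schedule. A checksum mismatch means the archive has been altered since it was made; a restore that differs from the source means the data changed after the last backup, which is exactly what you want to learn before an incident rather than during one.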
Small Businesses Are Not Small Targets

Cybersecurity is not only a technical issue; it's a matter of survival. There's no valid excuse for ignoring these recommendations. You don't need to be an expert or invest in expensive tools, but you do need to take ownership.
These 12 measures are your foundation. Without them, you're not managing risk; you're hoping for the best. And hope is not a strategy. If you're unsure where to start, talk to your trusted advisor: someone who understands your industry, your risk exposure, and your resources.
If you still treat IT as “someone else’s problem,” you’re already behind. It’s time for cybersecurity to become a core part of your business model. Start with these steps. Today.