Reporting & Operations10 min read

Cybersecurity Basics for Business Leaders

By Ashley Hall||
Quick take

The five things every CEO needs to know about protecting their company. Use this to reduce bottlenecks, waste, and founder dependency.

For most owner-led small businesses, "cybersecurity" is not a data center problem. It is your website, your contact forms, your email, and the handful of cloud accounts your business actually runs on. That is your whole attack surface — and it is usually the least attended-to part of the business, because nobody is formally responsible for it.

A ransomware attack costs a small business an average of $200,000. Not including the lost revenue while your systems are down. Not including the customers who leave because they no longer trust you with their data. Not including the three to six months of cleanup work afterward. If you are a CEO or founder running a company with 5 to 50 employees, cybersecurity probably ranks somewhere between "important" and "I know I should do something about it" on your priority list. It sits there alongside getting a flu shot and updating your estate plan — things you know matter but keep putting off because nothing bad has happened yet.

Here is the thing: the companies that get hit almost never saw it coming. They were not being reckless. They just did not think they were a target.

You are a target. Not because hackers have a personal vendetta against your company, but because small and mid-size businesses are the softest targets on the internet. You have valuable data, weak defenses, and limited ability to fight back. Attackers know this.

This post covers the five things every business leader needs to understand about protecting their company. No technical jargon. No scare tactics. Just the practical stuff that actually reduces your risk.

Thing 1: Your People Are Your Biggest Vulnerability

Ninety percent of successful cyberattacks start with a person clicking something they should not have clicked. Phishing emails — the ones designed to look like they are from your bank, your vendor, or your CEO — are the number one attack vector for businesses your size.

And they have gotten very good. The phishing email of 2015 had obvious spelling errors and came from suspicious addresses. The phishing email of today is nearly indistinguishable from a legitimate message. It uses your company's actual branding, references real projects, and sometimes even mimics the writing style of people you know.

What to do about it:

Train your team — but train them correctly.

The annual "click through this boring presentation about cybersecurity" training does almost nothing. People forget it within a week. What actually works:

  • Monthly phishing simulations: Services like KnowBe4 or Proofpoint send fake phishing emails to your team and track who clicks. People who click get immediate, brief training. This creates ongoing awareness instead of a once-a-year event.
  • The three-second rule: Train your team to pause for three seconds before clicking any link or opening any attachment. In those three seconds, they should ask: Did I expect this? Does the sender's address look right? Does this feel unusual?
  • Make reporting easy and safe: Your team should be able to report suspicious emails with one click, and they should never be punished for reporting something that turns out to be legitimate. You want a culture where people flag everything questionable.

Implement a verification process for financial requests.

One of the most common attacks against small businesses is business email compromise (BEC). An attacker gets access to your email (or spoofs it convincingly) and sends a message to your bookkeeper or controller: "Please wire $35,000 to this new vendor account." The email looks exactly like it came from you.

The fix is simple and free: Any financial transaction above a certain threshold (you decide — $1,000, $5,000, whatever fits your business) requires verbal confirmation. A phone call. Not a text. Not a reply email. A phone call to a known number. This one policy eliminates the most damaging form of email-based attack.

Thing 2: Multi-Factor Authentication Is Non-Negotiable

If your business email, your banking, your CRM, your accounting software, or any other critical system is protected only by a username and password, you are one stolen password away from a breach.

Passwords get stolen constantly. Data breaches at other companies expose them. Employees reuse them across personal and work accounts. They get guessed by automated tools that try millions of combinations per hour.

Multi-factor authentication (MFA) means that even if someone steals a password, they still cannot get in. They need a second factor — typically a code from an authenticator app on a phone or a physical security key.

Implementation priority:

  1. Business email — this is the master key to everything else. If an attacker owns your email, they can reset passwords to every other system.
  2. Banking and financial systems — direct access to your money
  3. Cloud storage (Google Drive, Dropbox, OneDrive) — where your sensitive documents live
  4. CRM and customer database — your customer data
  5. Everything else — every system that supports MFA should have it turned on

This costs nothing for most services (MFA is a built-in feature) and takes about 10 minutes per system to set up. If you do nothing else after reading this post, turn on MFA for your business email this week.

Thing 3: Backups Are Your Safety Net (If They Actually Work)

When ransomware hits, it encrypts your files and demands payment for the decryption key. If you have good backups, you can restore your systems without paying the ransom. If you do not, you are either paying criminals or starting your business over from scratch.

But here is what most people get wrong about backups: they assume their backups work because they set them up once and never checked again.

The 3-2-1 backup rule:

  • 3 copies of your important data (the original plus two backups)
  • 2 different types of storage (for example, a cloud backup and an external drive)
  • 1 copy stored off-site (physically separate from your primary location — cloud backups satisfy this)

Critical: At least one backup must be disconnected from your network. If your backup drive is always plugged in or always connected to the internet, ransomware will encrypt it along with everything else. The technical term is "air-gapped" but the concept is simple: keep one backup that an attacker cannot reach.

Test your backups quarterly. Pick a random file. Try to restore it from your backup. Time how long it takes. If you have never tested a restore, you do not actually have backups. You have a false sense of security.

We had a client discover during a backup test that their backup system had been failing silently for four months. No error messages. No alerts. Just quiet failure. If they had been hit with ransomware during those four months, they would have lost everything. A 30-minute quarterly test would have caught this immediately.

Need one view of what is working?

Build a practical reporting rhythm around qualified leads, source quality, follow-up, and revenue.

Explore Dashboard Reporting

Thing 4: Keep Your Software Updated

This sounds too simple to be important. It is not simple and it is critically important.

Every piece of software has security flaws. When those flaws are discovered, the software company releases an update (a patch) that fixes them. If you do not install the patch, the flaw stays open — and attackers know exactly where to look because the patch announcement tells them what the flaw was.

The most devastating cyberattacks in history have exploited known vulnerabilities that had patches available for months. Companies just had not installed them.

What to keep updated:

  • Operating systems (Windows, macOS): Enable automatic updates. Do not postpone them for weeks.
  • Web browsers (Chrome, Firefox, Edge): These update automatically in most cases. Make sure auto-update is not disabled.
  • Business applications: Your accounting software, CRM, project management tools, and any other software your team uses regularly.
  • Website and e-commerce platforms: If you run WordPress, Shopify, or any other web platform, keep it and all its plugins updated. This is the piece small businesses skip most often — our website maintenance checklist covers what needs attention and how often.
  • Network equipment: Your router, firewall, and wireless access points have firmware that needs updating. Most businesses never update these.

If you have an IT person or an IT provider, make software updates a specific, tracked responsibility. "Keep everything updated" is not an instruction. "Apply critical patches within 48 hours and all other patches within 14 days" is an instruction.

Thing 5: Have a Plan Before You Need One

When a security incident happens, the worst time to figure out what to do is while it is happening. Decisions made in panic are usually bad decisions.

You need an incident response plan. For a company your size, this does not need to be a 100-page document. It needs to answer these questions:

Who do you call first?

  • Your IT provider or internal IT person
  • Your insurance company (if you have cyber insurance, and you should)
  • Your attorney
  • Law enforcement (FBI's Internet Crime Complaint Center at ic3.gov)

Have these phone numbers written down somewhere that is not on the computer that might be compromised.

What do you do in the first hour?

  • Disconnect affected systems from the network (unplug the ethernet cable, turn off Wi-Fi)
  • Do NOT turn off the computers (forensic investigators may need the data in memory)
  • Document everything — what happened, what you observed, what time it was
  • Do NOT communicate with the attacker or pay any ransom without professional guidance

Who communicates what to whom?

  • Who tells employees what is happening and what to do?
  • Who notifies affected customers (if their data was involved)?
  • Who handles media inquiries if the breach becomes public?
  • Who deals with regulatory reporting requirements?

Most states have data breach notification laws. If customer personal information was compromised, you may be legally required to notify them within a specific timeframe (often 30 to 72 hours). Your attorney should know what applies to your business.

Run a tabletop exercise once per year. Gather your key people for an hour. Present a scenario: "It is Tuesday morning and we discover ransomware has encrypted all our files. Our backup system was last tested three months ago. Walk me through what we do." This exercise exposes gaps in your plan before they matter.

The Investment That Protects Everything Else

For a company with 10 to 50 employees, a reasonable cybersecurity investment looks like:

  • Phishing simulation and training: $3 to $6 per employee per month
  • Business-grade password manager: $4 to $8 per employee per month
  • Endpoint protection (antivirus that actually works): $5 to $10 per employee per month
  • Managed backup service: $200 to $800 per month depending on data volume
  • Cyber insurance: $1,500 to $5,000 per year depending on your industry and size

Total annual investment for a 20-person company: roughly $8,000 to $15,000.

Compare that to the average cost of a breach for a company your size: $200,000 to $500,000 including downtime, recovery, legal costs, and lost business.

You insure your office against fire. You insure your vehicles against accidents. You need to insure and protect your business against cyber threats with the same seriousness. The risk is real and the math is straightforward.


Want to know where your company's security gaps are? Most of what this post covers — software updates, backups that actually restore, MFA on the accounts your website and email run on — is routine maintenance work, which is exactly what the Systems Support plan on our pricing page handles month after month, so security stops depending on someone remembering. Start with a free Website + System Audit and we will flag the gaps visible from the outside, or Book a Free Call and let's figure out where you stand. No fear-mongering, just clear steps.

Ready to see which marketing is actually working?

Our dashboard and reporting service gives owners a cleaner view of leads, sales, operations, and follow-up.

Explore Dashboard Reporting

Get field notes like this in your inbox

Practical notes on website clarity, lead follow-up, SEO visibility, and reporting for small businesses. Every two weeks.

Related Articles