Top 10 Cyber Security Protections

I’m often asked: What are the most important Cyber Security protections a small business should have?  While it may vary from business to business, there are some typical protections we recommend. So below is my list of the top 10 cyber security protections a small business should implement.  It’s by no means an exhaustive list – we implement almost 2 dozen different cyber security products – but some are only applicable to very high security clients, or those with specific needs. 

But these are the top 10, ranked in order of importance:

#1: Updates & Patches:
Probably 99.9% of technical vulnerability exploits are perpetrated on equipment with known vulnerabilities that the manufacturer has already patched, but where the patch just hasn’t been applied. So, when you get update notifications on your computer or phone, apply those updates as soon as practicable. But you also need to run updates on your firewall, switches, APs, televisions, printers, etc. – anything that has a Wi-Fi, network or broadband connection. You might want to schedule updates for your peripherals on a quarterly basis, but if you hear of a major exploit that might affect your equipment, update the applicable devices as soon as practicable. Some small devices may not receive updates and will still have vulnerabilities. To protect those devices, look to #4.

#2: Endpoint protection:
For computers, this is the most important front-line defense against malware. Since the release of Windows Defender with Microsoft Windows, there is much less need to add a separate product unless you want the additional features and capabilities that come with third-party software. But this is still an essential component of your cyber security defense, so make sure it is running properly. If your product includes one, be sure to install the browser extension to make your web surfing safer.

#3: Multifactor Authentication (MFA):
According to a 2019 Microsoft study, 99.9% of credential attacks can be prevented if you have MFA enabled. Cybercriminals may have gotten a little better in the last 6 years, so that percentage may be slightly lower now. However, using MFA is still vastly better than relying on username/password pairs alone. So use MFA (also called 2FA) wherever you can – certainly on your email account, but also on websites.

#4: Next Generation Firewall:
Most internet service providers (ISPs) now supply a basic firewall with your internet subscription. (If they don’t, then you need a firewall just to get connected to the internet.) However, this basic firewall will not notify you of attempted attacks or allow you to monitor activity, and it generally only allows basic configuration changes. A Next Generation Firewall, or NG Firewall, will allow you to do that and more, as well as implement edge-of-network security features such as malware interception/removal, content filtering, geo-filtering, application control, intrusion detection/prevention, DNS filtering and other protections.

#5: Email Filtering:
This year, about 72% of all ransomware attacks started with a phishing email. Likewise, breaches and other social engineering attacks come through email. So having an email filtering solution that quarantines known bad or malware-infected emails can save a company the grief of a successful email-based cyber-attack – ransomware or otherwise.

#6: Critical System Backups:
Critical System Backups are more of a restorative protection than a preventive one, but they are still essential if you experience a ransomware attack. With good backups, restoring your business after a ransomware attack should take hours or days, rather than weeks or months. This will often make the difference between survival and bankruptcy. If you have servers, those will typically be critical systems, but critical systems could also be important desktops whose data would be painful to lose. To protect your backups from cyber criminals, the backup system should use administrative credentials that are distinct from your other administrative credentials, and the backups should be immutable.

#7: SaaS backups:
For cloud-only businesses, this may be more important than critical system backups, because this will back up your critical cloud data. For Microsoft, this includes Email, OneDrive, Teams and SharePoint data. For Google, it backs up Email, Google Drive, and shared drives. In the case of a cloud attack, this can be used to restore your data should it be ransomwared or deleted. This is especially true for Microsoft, which doesn’t guarantee backups.

#8: Extended Detection and Response (EDR):
EDR augments your endpoint protection to provide additional detection capabilities as well as more extensive logging to help you trace the source of an attack.

#9: Application Locking:
Application locking is one of the most effective ways to keep malware from running on your computers.  It can stop ransomware in its tracks by preventing it from even running.  But this protection is generally more expensive than the others, and can be more disruptive, especially in the first few months it is deployed, which is why this is #9 on our list.

#10: Password Management:
To be safe on the web, it is important that you use a different password for each site you visit. Moreover, those passwords should be 12+ characters and are optimally composed of random characters. But no human can remember that many complex passwords. This is where a password manager comes in. It can not only generate and record unique passwords for each site, it can also automatically fill in the credentials and log in for you. Of all the security tools we work with, this is the only one that increases both security and productivity.

In the honorable mention list is Security Information and Event Management (SIEM).  This tool logs all the activity and notices from all your devices and computers on your network and in the cloud and saves them in an immutable repository.  This allows you to look back and see how an attack happened, or how long a cybercriminal has been in your system (generally it’s months before they execute an attack).  But this is a forensic tool, not a protection system, so we left it off the list.

Need Help Implementing any of these protections?

As a Managed Security Services Provider (MSSP), SpotLink has extensive experience in implementing, managing, monitoring and maintaining cyber security for businesses. To learn more or get help, contact us at:

📞 +1-855-SpotLin

Robert Hood
CEO & Founder
SpotLink®

Author’s Note: I write my own blogs. That’s unusual. Blogs are often authored by a service and then reposted, especially in IT, or written by AI from a few key words. Instead, I choose the topics that might be of most interest to our clients and write to them – to you – directly. While it does take a little more time to write my own content, it does mean that we are well versed in the subjects I send to you. So, please always feel free to reach out to me if you have any questions or comments about anything I write, including any topics you’d like to learn more about. Thank you. – Robert Hood.

Copyright 2025 SpotLink®