Most small business owners know their security is not great. Most of them also don't do anything about it because "getting serious about security" sounds like an expensive, complicated project that requires a consultant and a policy document and a training day.
It doesn't. For a business under 25 people, security is five boring decisions. If you make all five, you've solved 90 percent of the risk. Here they are.
One. Get a password manager and actually use it.
1Password, Bitwarden, Dashlane — any of them. The point is that every login your business uses has a unique, strong password that nobody has to remember, and that password is stored somewhere that isn't a Post-It or a spreadsheet named "passwords2024.xlsx."
This one fix eliminates the majority of breach risk. Most small business compromises happen because someone reused a password from a personal account that leaked years ago, or because the wifi password was "company1234" and a former employee knew it.
Cost: $3–5 per person per month. Time to set up: one afternoon.
The way I've seen this go wrong: people get the password manager and then keep using weak passwords "just for a few things." The whole point is that it has to be everything. One compromised account can be the door in.
Two. Turn on two-factor authentication on email.
Not on everything — on email first. Email is the recovery mechanism for almost every other account. If someone gets into your email, they can request password resets for your bank, your accounting software, your client files. Email is the master key.
Two-factor means that logging in from a new device requires a second confirmation — usually a code to your phone. It takes 30 seconds per login on a new device. It makes password-only access useless to an attacker.
The way I've seen this go wrong: setting up 2FA but using SMS codes instead of an authenticator app. SMS 2FA is better than nothing. An authenticator app (Google Authenticator, Authy) is meaningfully more secure because phone numbers can be hijacked in ways that authenticator codes can't.
Three. Review who has access to what, once a year.
Pull up your major business tools — email, file storage, accounting, your CRM — and look at the user list. Remove people who no longer work with you. Downgrade access for people whose roles changed.
This sounds obvious. It almost never happens without a scheduled trigger. I have audited businesses where former employees from two years ago still had active logins to the accounting software.
Cost: zero. Time: 30–60 minutes, once a year.
Four. Back up what matters, and test the backup.
What would you lose if your laptop was stolen tonight? What would you lose if someone accidentally deleted the shared folder? What would you lose if your accounting software went offline for a week?
Most small businesses have partial answers to this. Files are in Google Drive or Dropbox, so that's fine. Email is cloud-based, so that's fine. The accounting data is in the software's cloud, so that's fine. But nobody has checked whether those backups are actually complete, whether they cover the things that aren't in the cloud, or whether recovery would actually work under pressure.
The test is simple: pick one category of important data and verify that you could restore it from backup in under an hour without help. If you can't, you don't actually have a backup — you have a backup that might work, which is different.
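If the data in question is a folder of files, the "could I restore it" test can be made repeatable. The script below is an added example, not the article's or any backup product's own code: it archives a folder, restores the archive into a scratch directory, and compares SHA-256 hashes of every file on both sides, reporting anything missing, extra or altered. The sample "business files" it builds are constructed for the demo; point `restore_test` at a real folder to run it against your own data.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    hashes = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hashes[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def make_backup(source: Path, archive: Path) -> None:
    """Write a gzip tarball containing everything under `source` (stand-in for a real backup job)."""
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into `target`; use the 'data' filter where this Python supports it so an archive
    cannot write outside the target directory."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare the restored tree against the original and list every discrepancy."""
    expected = file_hashes(source)
    actual = file_hashes(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "corrupt": sorted(k for k in expected.keys() & actual.keys() if expected[k] != actual[k]),
    }


def restore_test(source: Path) -> dict:
    """Back up `source`, restore it somewhere fresh, and return the discrepancy report.
    An all-empty report means the backup really can be restored."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "backup.tar.gz"
        restored = Path(tmp) / "restored"
        restored.mkdir()
        make_backup(source, archive)
        restore_backup(archive, restored)
        return verify_restore(source, restored)


def build_sample_data(root: Path) -> None:
    """Constructed sample files standing in for a shared business folder."""
    (root / "invoices").mkdir(parents=True)
    (root / "invoices" / "2024-01.txt").write_text("invoice 1001: 250.00\n")
    (root / "clients.csv").write_text("name,email\nAcme,ops@example.com\n")


def demo() -> dict:
    """Run the restore test on the sample data; returns the discrepancy report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "shared"
        build_sample_data(src)
        return restore_test(src)


def demo_bad_restore() -> dict:
    """Simulate a restore that lost one file and silently altered another."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "shared"
        bad = Path(tmp) / "restored"
        build_sample_data(src)
        build_sample_data(bad)
        (bad / "invoices" / "2024-01.txt").unlink()                 # missing after restore
        (bad / "clients.csv").write_text("name,email\n")           # truncated content
        return verify_restore(src, bad)


if __name__ == "__main__":
    print("good restore:", demo())
    print("bad restore: ", demo_bad_restore())
```

The point of hashing rather than counting files is the last line of the paragraph above: a backup that produces the right filenames with the wrong contents is the kind that "might work", and only a content check tells you which kind you have.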
Five. Have a simple plan for "we've been compromised."
Not a 40-page incident response plan. Just answers to: who calls whom, what gets locked immediately, who is the first external person you call (your IT contact, your insurer, depending on what happened). The value of having thought about this before it happens is that you make better decisions under pressure.
Security is part of the [full tech stack setup](/services/full-tech-stack) I do for small businesses, and it's covered in the free audit. If any of this applies to you, [start there.](/contact)