The gaps that matter (and the ones that don't)
The SMB cybersecurity conversation is saturated with noise: vendors selling sophistication to companies that haven't yet closed the basic gaps. Our position after 500+ SMB engagements is that, for companies between 20 and 500 employees, foundational hygiene delivers roughly 90% of the achievable risk reduction. Advanced capabilities (continuous attack simulation, AI-driven anomaly detection, purple-team exercises) are valuable, but they compound on a solid base. Layering them onto a porous foundation is how SMBs end up with expensive tooling and unchanged breach risk.
The twelve controls below are grouped into four workstreams: Identity, Endpoint, Network, and Recovery. Tackle them in parallel if you have the capacity; sequentially if you don't. Either way, target 30 days to full implementation.
Identity (4 controls)
1. MFA on every account that touches business data
Not just email. Not just admin accounts. Every account. Credential-based attacks account for roughly 80% of SMB breaches, and the overwhelming majority target accounts without MFA. Hardware keys (WebAuthn/FIDO2) for admin and finance roles, because they are phishing-resistant; push-based authenticators for everyone else, with number matching turned on so a user cannot approve a prompt they did not initiate. Disable legacy authentication protocols (IMAP, POP, SMTP AUTH) at the same time, or MFA is enforced on the front door while the side door stays open.
2. SSO for every SaaS application in the stack
Non-negotiable as the SaaS stack grows. By the time an SMB is operating 30+ applications, credential sprawl is a direct breach vector. If a SaaS vendor doesn't support SAML/SSO at the tier you need, it's a vendor problem, and often a tell about the vendor's security maturity.
3. Offboarding within 24 hours of termination
The single most common finding in our client engagements: departed employees with active access weeks or months later. Automate it if you can (IAM tooling tied to HR); document and audit it weekly if you can't. Either way the check is the same: compare the HR termination list against active accounts in the identity provider and in every system that sits outside SSO.
4. Privileged access review quarterly
Who has admin on your identity provider? Your finance system? Your email security tooling? The answer should be short, current, and reviewed every quarter against a written register of who is approved to hold each role. Anyone holding a role who is not on the register is a finding; so is a departed employee who still holds one.
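Controls 3 and 4 reduce to the same kind of comparison, so here is one script that does both: it joins an HR termination export against an identity-provider export to find accounts still active past the 24-hour SLA, then compares actual holders of privileged roles against an approved register. This is an added example, not code from the article; the CSV exports are constructed and the column names (email, terminated_at, status, roles) and role names (idp_admin, finance_admin) are assumptions standing in for whatever your HR system and IdP actually produce.

```python
"""Identity hygiene audit for controls 3 and 4: offboarding SLA and
privileged-access review.

Added example; the CSV exports below are constructed and the column names
(email, terminated_at, status, roles) are assumptions standing in for
whatever your HR system and identity provider actually export.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

OFFBOARDING_SLA = timedelta(hours=24)

# Constructed HR export: who left and when (UTC).
HR_TERMINATIONS = """\
email,terminated_at
alice@example.com,2024-05-01T17:00:00Z
bob@example.com,2024-05-03T12:00:00Z
carol@example.com,2024-05-06T09:00:00Z
"""

# Constructed IdP export: account status and assigned roles.
IDP_ACCOUNTS = """\
email,status,roles
alice@example.com,active,user
bob@example.com,suspended,user
carol@example.com,active,user;finance_admin
dave@example.com,active,user;idp_admin
erin@example.com,active,user;idp_admin;finance_admin
frank@example.com,active,user
"""

# Constructed approved-admin register, as signed off at the last review.
APPROVED_ADMINS = {
    "idp_admin": {"dave@example.com"},
    "finance_admin": {"erin@example.com"},
}

# Fixed "now" so the run is reproducible; use datetime.now(timezone.utc) live.
AUDIT_TIME = datetime(2024, 5, 7, 8, 0, tzinfo=timezone.utc)


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def offboarding_violations(hr_rows, idp_rows, now):
    """Terminated users whose account is still active past the 24h SLA,
    as (email, whole hours overdue)."""
    status = {r["email"]: r["status"] for r in idp_rows}
    violations = []
    for r in hr_rows:
        deadline = parse_ts(r["terminated_at"]) + OFFBOARDING_SLA
        if status.get(r["email"]) == "active" and now > deadline:
            hours_overdue = int((now - deadline).total_seconds() // 3600)
            violations.append((r["email"], hours_overdue))
    return violations


def privileged_access_findings(idp_rows, approved):
    """Compare who actually holds each privileged role against the register.
    Returns (role, email, reason) tuples."""
    holders = {role: set() for role in approved}
    for r in idp_rows:
        if r["status"] != "active":
            continue
        for role in r["roles"].split(";"):
            if role in holders:
                holders[role].add(r["email"])
    findings = []
    for role, approved_set in approved.items():
        for email in sorted(holders[role] - approved_set):
            findings.append((role, email, "holds role but not on approved register"))
        for email in sorted(approved_set - holders[role]):
            findings.append((role, email, "on register but no active account"))
    return findings


def run_audit(now=AUDIT_TIME):
    hr = parse_csv(HR_TERMINATIONS)
    idp = parse_csv(IDP_ACCOUNTS)
    return (offboarding_violations(hr, idp, now),
            privileged_access_findings(idp, APPROVED_ADMINS))


if __name__ == "__main__":
    violations, findings = run_audit()
    for email, hours in violations:
        print(f"OFFBOARDING: {email} still active, {hours}h past SLA")
    for role, email, reason in findings:
        print(f"PRIVILEGE: {role} {email}: {reason}")
```

In the constructed data the two checks reinforce each other: carol left yesterday and is still inside the 24-hour window, so she is not yet an offboarding violation, but she already shows up as an unapproved finance_admin. Run the privileged-role comparison weekly alongside the offboarding check rather than waiting for the quarterly review; the quarterly review is where the register itself gets re-approved.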
Endpoint (3 controls)
5. Managed EDR on every endpoint, no exceptions
The free antivirus that ships with the operating system is no longer a credible control. Managed endpoint detection and response (SentinelOne, CrowdStrike, Huntress, or equivalent) is the current SMB baseline. Managed matters: the "response" in EDR is where SMB teams fall short without external support, because an alert nobody triages at 2 a.m. is the same as no alert. "Every endpoint" includes servers, executives' laptops, and contractor machines; the one unmanaged exception is where the attacker lands.
6. Patch cycle no slower than 30 days for OS; 7 days for high-severity CVEs
Automated where possible. Reported monthly. If you don't know your current average patch latency, measure it: the number will usually be uncomfortable. Measure from the date the fix became available, not the date you noticed it, and keep still-unpatched hosts in the average instead of dropping them, or the metric flatters you.
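The latency number is easy to compute once you have one row per host and patch. The script below, added here as an illustration rather than taken from the article, reports mean and worst latency per class against the 30-day and 7-day targets and lists the hosts in breach. The inventory is constructed; in practice the rows come from an RMM or patch-management export.

```python
"""Patch-latency report against the article's targets: 30 days for OS
updates, 7 days for high-severity CVEs.

Added example. The inventory is constructed; in practice export one row
per (host, patch) from your RMM or patch-management tool.
"""
from datetime import date

# SLA per finding class, in days.
SLA_DAYS = {"os": 30, "high_cve": 7}

# Constructed export: host, class, date the fix became available,
# date it was installed (None = still missing).
INVENTORY = [
    ("ws-01", "os", date(2024, 4, 9), date(2024, 4, 20)),
    ("ws-02", "os", date(2024, 3, 20), None),
    ("srv-01", "high_cve", date(2024, 4, 12), date(2024, 4, 15)),
    ("srv-02", "high_cve", date(2024, 4, 12), None),
    ("ws-03", "high_cve", date(2024, 4, 12), date(2024, 4, 25)),
]

AS_OF = date(2024, 5, 1)


def latency_days(row, as_of):
    """Days from fix availability to installation. A patch that is still
    missing is measured up to today, so it keeps growing instead of
    silently dropping out of the average."""
    _, _, available, installed = row
    return ((installed or as_of) - available).days


def patch_report(inventory, as_of):
    """Per class: SLA, count, mean and worst latency, hosts over SLA."""
    report = {}
    for cls, sla in SLA_DAYS.items():
        rows = [r for r in inventory if r[1] == cls]
        if not rows:
            continue
        latencies = [latency_days(r, as_of) for r in rows]
        breached = [r[0] for r, days in zip(rows, latencies) if days > sla]
        report[cls] = {
            "sla_days": sla,
            "patches": len(rows),
            "mean_days": round(sum(latencies) / len(latencies), 1),
            "max_days": max(latencies),
            "breached_hosts": breached,
        }
    return report


if __name__ == "__main__":
    for cls, r in patch_report(INVENTORY, AS_OF).items():
        print(f"{cls}: mean {r['mean_days']}d, worst {r['max_days']}d, "
              f"SLA {r['sla_days']}d, over SLA: {r['breached_hosts']}")
```

The worst-case and breach list matter more than the mean for the monthly report: a mean of 12 days hides the one server that has been exposed for three weeks.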
7. Admin rights removed from daily-use accounts
Developers and IT staff included. Local admin on daily accounts is how a phishing click becomes a ransomware event. Use privilege elevation tooling for the few cases that genuinely need it, and give IT staff a separate, MFA-protected admin account for administrative work rather than an elevated daily account.
Network (3 controls)
8. Network segmentation: users, servers, guests, IoT
Flat networks are the default at SMB scale and the single largest lateral-movement enabler. Four VLANs with default-deny firewall rules between them is achievable in a weekend. IoT and guest separation especially: no printer, camera, or conference room device should sit on the same broadcast domain as user workstations. Where a workflow needs cross-segment traffic, allow it in one direction only (users printing to the IoT segment, for example) and allow nothing initiated from IoT or guest toward users or servers.
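The "basic firewall rules" are a short allow-list with a drop policy behind it. As an added example (not from the article), the script below turns a zone allow-list into an nftables forward chain for a Linux box routing between the four VLANs, and offers a small function to ask "would this flow be accepted?" before you load it. The interface names (vlan10 through vlan40, eth0), ports, and allowed flows are assumptions; substitute your own topology.

```python
"""Generate a default-deny inter-VLAN forward chain for nftables from a
zone allow-list, and check a flow against the same list before you apply it.

Added example, not from the article. Interface names, the WAN interface and
the allowed flows are assumptions; replace them with your own topology.
"""

# Assumed VLAN interfaces on a Linux router acting as the inter-VLAN firewall.
ZONES = {
    "users": "vlan10",
    "servers": "vlan20",
    "guest": "vlan30",
    "iot": "vlan40",
}
WAN_IF = "eth0"

# Allowed NEW connections: (source zone, destination zone, protocol, ports).
# Direction matters: users may print to IoT, IoT may never initiate to users.
ALLOWED_FLOWS = [
    ("users", "servers", "tcp", [443, 445, 3389]),
    ("users", "servers", "udp", [53]),
    ("users", "iot", "tcp", [631, 9100]),   # IPP and raw printing
    ("iot", "servers", "udp", [53, 123]),    # DNS and NTP only
    # guest: nothing internal, internet only
]


def build_ruleset(zones, flows, wan_if):
    """Emit an nftables table whose forward chain drops by default."""
    lines = [
        "table inet segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for src, dst, proto, ports in flows:
        portset = ", ".join(str(p) for p in ports)
        lines.append(
            f'        iifname "{zones[src]}" oifname "{zones[dst]}" '
            f"{proto} dport {{ {portset} }} accept"
        )
    # Every zone may reach the internet; nothing else crosses zones.
    for iface in zones.values():
        lines.append(f'        iifname "{iface}" oifname "{wan_if}" accept')
    lines += ["    }", "}"]
    return "\n".join(lines)


def is_allowed(flows, src, dst, proto, port):
    """Mirror of what the generated chain accepts for a NEW connection;
    replies come back via the established,related rule."""
    return any(
        s == src and d == dst and p == proto and port in ports
        for s, d, p, ports in flows
    )


if __name__ == "__main__":
    print(build_ruleset(ZONES, ALLOWED_FLOWS, WAN_IF))
```

Load the output with `nft -f`. The example covers only the forward chain, which is what segmentation is about; the router's own input chain, NAT for the WAN side, and any rule for the guest VLAN's client isolation on the wireless controller are separate. The point to take from the allow-list is the asymmetry: a user workstation can open a print job to the IoT segment, but a compromised camera gets nothing back toward users or servers except the DNS and NTP it was explicitly given.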
9. DNS filtering at the edge
Cisco Umbrella, Cloudflare Gateway, or similar. Blocks known bad destinations before a click becomes a compromise. Low cost, high leverage, fast deploy. Enforce it through the vendor's endpoint agent as well as the office resolver, or remote and travelling laptops fall outside it the moment they leave the building.
10. Email security beyond the built-in filter
Microsoft 365 and Google Workspace filters are adequate for commodity spam; they under-perform against targeted phishing, impersonation, and BEC. A dedicated email security layer (Abnormal, Proofpoint, Mimecast), whether a gateway or API-integrated, catches 60-80% of what the native filters miss. Pair it with SPF, DKIM, and an enforcing DMARC policy (p=reject) on your own domains, so direct spoofing of your brand is rejected by the receiving mail server instead of being left for a filter to judge.
Recovery (2 controls)
11. Backups with a tested restore
Untested backups are a liability, not an asset. Test a full restore of your most critical system quarterly, time it, and verify the restored data against checksums captured at backup time rather than trusting that the job reported success. Keep at least one copy offline or immutable, because modern ransomware deletes or encrypts every backup it can reach before it detonates. If the last time you restored from backup was during an incident, you don't have a backup program, you have a hope.
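What a scripted restore test looks like, as an added example rather than code from the article: back up a directory together with a SHA-256 manifest, restore it to a fresh location, and compare every file against the manifest, reporting missing, corrupt, and unexpected files. The sample data is constructed inside a temporary directory so the script runs anywhere; the directory names are assumptions.

```python
"""Scripted restore test: back up a directory with a checksum manifest,
restore it somewhere else, and verify every file byte-for-byte.

Added example. Sample data is constructed in a temp directory; the
directory and file names are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup(source, dest):
    """Copy the tree and write a manifest of relative path -> sha256 taken
    from the SOURCE at backup time. The manifest is the ground truth the
    restore is later checked against, so store it somewhere the backup
    media itself cannot alter (write-once storage, a separate system)."""
    shutil.copytree(source, dest / "data")
    manifest = {
        str(p.relative_to(source)): sha256_file(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_and_verify(backup_dir, restore_to):
    """Restore into a fresh directory and compare against the manifest.
    Returns a list of problems; an empty list is a verified restore."""
    shutil.copytree(backup_dir / "data", restore_to)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        restored = restore_to / rel
        if not restored.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"corrupt: {rel}")
    present = {str(p.relative_to(restore_to)) for p in restore_to.rglob("*") if p.is_file()}
    problems += [f"unexpected: {rel}" for rel in sorted(present - set(manifest))]
    return problems


def demo(corrupt_backup=False):
    """Build a constructed 'critical system', back it up, optionally damage
    the backup copy, then run the restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "critical-system"
        (source / "db").mkdir(parents=True)
        (source / "db" / "ledger.sqlite").write_bytes(b"constructed sample data " * 100)
        (source / "config.ini").write_text("[app]\nmode=prod\n")
        backup_dir = tmp / "backup"
        backup(source, backup_dir)
        if corrupt_backup:
            # Simulate silent damage to the backup copy (bit rot, or an
            # attacker who reached the backup target). The job "succeeded";
            # only a checksum-verified restore notices.
            (backup_dir / "data" / "db" / "ledger.sqlite").write_bytes(b"garbage")
        return restore_and_verify(backup_dir, tmp / "restore")


if __name__ == "__main__":
    print("clean restore:", demo() or "verified")
    print("damaged backup:", demo(corrupt_backup=True))
```

Two things the toy version leaves out that the quarterly test should not: record how long the restore took, since that is your real recovery time objective, and restore onto a host that is not the one being backed up, so the test also proves you can rebuild when the original is gone.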
12. Incident response runbook with named roles
Two pages. Who calls the insurer. Who calls legal. Who notifies customers and when. Who decides on ransom. Who talks to press. Tabletop-test every six months. Keep a printed copy and an out-of-band contact list, because the runbook stored in the mailbox that is currently encrypted helps no one. The companies that handle incidents well in our client base all have a runbook; the ones that handle incidents badly almost never do.




