Use a password manager — no excuses
Reused passwords are how one leaked account becomes ten compromised ones: attackers take the email and password from one breach and try the same pair everywhere else, a routine called credential stuffing. A password manager gives every account its own long, random password while each person on your team remembers only one. Make that one master password long and protect the manager itself with MFA, and you have made the highest-impact, lowest-cost security upgrade a small business can make.
Enable multi-factor authentication on email and banking — always
MFA means a stolen password alone isn't enough to get in. Email and banking come first because your mailbox receives the password-reset links for every other account you have, so whoever controls it controls them all. An authenticator app or a hardware security key is stronger than a code sent by SMS, which can be intercepted by SIM swapping, but any MFA is far better than none: it stops the bulk of account-takeover attempts, which are simply replays of passwords stolen somewhere else.
Keep software and operating systems updated automatically
Many successful attacks exploit vulnerabilities for which a fix had been available for months; they work because nobody installed the update. Turn on automatic updates for operating systems, browsers and office software, and the problem largely solves itself. Then keep a short list of the things that don't update themselves (the router and firewall, website plugins, the line-of-business application your vendor installed) and check those on a schedule.
Train employees to recognize phishing
Phishing emails are the #1 way businesses get breached, and the fake invoices and password-reset emails are getting genuinely convincing. A short training session, plus a culture where it's safe to ask "is this email real?" without embarrassment, is worth more than expensive software. Pair it with one simple rule: any request to change bank details or pay an invoice gets confirmed by phone on a number you already had, never one taken from the email itself.
Have a backup strategy before you need it
Ransomware works by making your files the hostage. A tested, automatic, offsite backup means there's nothing to ransom: you wipe, restore, and get back to work. Two details decide whether that actually happens. At least one copy must sit somewhere the infected machine cannot overwrite or delete (an offline drive, or a provider that keeps versions the customer can't purge), because ransomware encrypts any backup it can reach. And a backup nobody has ever restored from is not a backup; do a test restore on a schedule. After the attack is the wrong time to find out your backups weren't running. Backups won't undo the theft of data a gang copied before encrypting, but they take the recovery problem off the table.
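As an added example (not a tool from the original page), here is a small POSIX shell script that takes a backup of one directory and then proves the backup restores, rather than assuming it does. The paths, file names and layout are assumptions for illustration; real backup software will differ, but the check it performs, restore into scratch space and compare with the source, is the one worth automating.

```shell
#!/bin/sh
# Added example, not the page's own tooling: take a backup of one directory
# and immediately prove that it restores. Every path here is an assumption.
set -eu

# make_backup SRC DEST
#   Writes DEST/backup-<utc timestamp>-<pid>.tar.gz plus a .sha256 beside it
#   and prints the archive path. DEST must not live inside SRC, or the
#   archive would try to include itself.
make_backup() {
    src=$1
    dest=$2
    mkdir -p "$dest"
    name="backup-$(date -u +%Y%m%dT%H%M%SZ)-$$.tar.gz"
    archive="$dest/$name"
    # -C so the archive holds relative paths and can be restored anywhere
    tar -czf "$archive" -C "$src" .
    # Checksum recorded with a bare file name so it verifies from any cwd
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE SRC
#   Returns 0 only if the archive still matches its checksum AND a restore
#   into a scratch directory is identical to SRC. This is the step that
#   catches a backup job that kept running but silently stopped working.
verify_backup() {
    archive=$1
    src=$2
    dir=$(dirname "$archive")
    name=$(basename "$archive")
    ( cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1 ) || return 1
    scratch=$(mktemp -d)
    if tar -xzf "$archive" -C "$scratch" && diff -r "$src" "$scratch" >/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Command-line use: backup-check.sh SOURCE_DIR BACKUP_DIR
# A non-zero exit is the signal to alert on; running this nightly is what
# turns "we have backups" into "we have tested backups".
if [ "$#" -eq 2 ]; then
    archive=$(make_backup "$1" "$2")
    if verify_backup "$archive" "$1"; then
        echo "backup OK: $archive"
    else
        echo "backup FAILED verification: $archive" >&2
        exit 1
    fi
fi
```

Schedule it from cron and send the failure output somewhere a human reads. The archive and its checksum should then be copied to storage the workstation cannot delete from afterwards (a drive that is unplugged, or a provider that keeps versions), otherwise ransomware that reaches the workstation reaches the backup too.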
I do cybersecurity assessments for small businesses — a plain-language review of where you're exposed and what to fix first, quoted up front.