Managed IT · Published July 5, 2026 · 6 min read
Small businesses aren't too small to be targeted — they're targeted because they're small, on the bet that the basics were never set up. The good news: most breaches exploit a short list of well-known gaps, and closing them doesn't require an enterprise budget. Here's a checklist you can actually work through.
Start with the basics that stop most attacks
These three cover a huge share of real-world incidents:
- Turn on multi-factor authentication (MFA) everywhere. Email, banking, remote access, and any cloud app. A stolen password is far less dangerous when a second factor is required.
- Keep everything updated. Automatic updates for operating systems, browsers, and business software. Unpatched software is the door attackers walk through most often.
- Use a password manager. One strong, unique password per account — no sticky notes, no reused logins.
Protect your network
Your network is the perimeter, and consumer gear rarely holds it:
- A real business firewall, configured and maintained — not the box your ISP dropped off.
- Separate your networks. Guest Wi-Fi, business systems, cameras, and point-of-sale should live on their own segments so a problem in one doesn't reach the others.
- Secure your Wi-Fi with current encryption and a private business network distinct from the guest one.
Physical and digital security overlap more than people think: an unsecured network jack in a public area or an exposed server room is a cybersecurity problem too. If one company handles both, nothing falls between the cracks.
Back up like you'll actually need it
Ransomware makes backups your last line of defense — if they work:
- Follow 3-2-1: three copies of your data, on two types of media, one of them off-site.
- Automate it so it never depends on someone remembering.
- Test a restore. A backup you've never restored from is a guess, not a safety net.
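An added example, not part of the original article: one way to carry out the "test a restore" step is to hash every file in the original folder and in the test restore, then compare the two. The folder names and file contents below are constructed sample data. In practice, capture the source manifest at backup time, since live files change afterwards.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_restore(source_dir, restored_dir):
    """Report files the restore lost, altered, or added relative to the source."""
    src, dst = build_manifest(source_dir), build_manifest(restored_dir)
    return {
        "missing": sorted(set(src) - set(dst)),
        "changed": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
        "extra": sorted(set(dst) - set(src)),
        "ok": src == dst and bool(src),  # an empty restore is a failure, not a pass
    }


def demo():
    """Constructed sample: a three-file source and a restore with two defects."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        files = {"invoices/2026-06.csv": b"id,total\n1,120.00\n",
                 "payroll.xlsx": b"constructed payroll bytes",
                 "contracts/lease.pdf": b"constructed lease bytes"}
        for rel, data in files.items():
            for base in (source, restored):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        (restored / "payroll.xlsx").write_bytes(b"truncated")   # corrupted copy
        (restored / "contracts/lease.pdf").unlink()             # never restored
        return compare_restore(source, restored)


if __name__ == "__main__":
    print(demo())
```

A restore passes only when `ok` is true; any entry under `missing` or `changed` means the backup job needs attention before it is relied on.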
Train your people
Most breaches start with a click, not a hack:
- Teach phishing awareness — how to spot a suspicious email, link, or payment-change request.
- Verify money movement out of band (a quick phone call) before changing bank details or paying an unexpected invoice.
- Limit access to only what each role needs, and remove access the day someone leaves.
Have a plan before you need one
- Write down who to call and what to do if a device is compromised or data is locked.
- Keep offline contact info for your IT provider and key vendors.
- Know your obligations — New York's SHIELD Act requires reasonable safeguards for private information and breach notification.
Where RCR fits
We provide managed IT and network security alongside physical security, so the same accountable team handles your firewalls, backups, and monitoring as well as your cameras and access control. If you'd like a second set of eyes, a free site assessment includes a look at the network your security runs on.