The cybersecurity advice aimed at small businesses has been frozen in time since about 2014. Install antivirus. Use strong passwords. Maybe think about a firewall. That advice was always a little thin, and in 2026 it is borderline negligent. Attackers stopped caring whether you have ten employees or ten thousand a long time ago. They care whether your stack is soft, and most SMBs are very soft.
So here is a minimum standard that actually reflects how breaches happen now, not how they happened when on-prem Exchange was still a thing.
Identity is the new perimeter, so spend money there first
Roughly four out of five intrusions I see start with a stolen credential, not a clever exploit. Phishing-resistant MFA on every account that touches email, finance, or admin tooling is the single highest-leverage control you can buy. SMS codes do not count. Plain push prompts barely count. Passkeys or FIDO2 keys (a YubiKey 5 is around $50) are the bar: the credential is bound to the site's origin, so a proxy phishing page cannot replay it. Number matching in Microsoft Authenticator is the floor, not the bar. It stops push-fatigue attacks, but an attacker-in-the-middle phishing kit that relays the real login page still walks away with the session, so it is not phishing-resistant and should not be sold to you as such.
If you are on Microsoft 365 Business Premium, you already have Entra ID P1 and with it Conditional Access. Use it. Block legacy auth, require compliant devices (or a phishing-resistant authentication strength) for admin roles, and exclude only your break-glass accounts, each protected by a hardware key, so a bad policy cannot lock you out of your own tenant. One caveat: risk-based sign-in policies need Entra ID P2, which Business Premium does not include, so budget for it separately or skip it rather than assuming it is on. If you are on Google Workspace, Context-Aware Access does the same job, but it is gated by edition, so confirm your plan has it before you design around it. Neither one is exotic anymore.
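The three checks above (legacy auth blocked for everyone, admins held to a compliant device or an authentication strength, no stray exclusions, nothing left in report-only) are easy to get subtly wrong in the portal. The following is an added example, not Microsoft code, that audits the policy objects returned by `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` for exactly those gaps. It assumes the Graph policy schema (`state`, `conditions.users`, `conditions.clientAppTypes`, `conditions.applications`, `grantControls`), uses the Global Administrator role template ID, and the two sample policies are constructed; the break-glass object IDs are placeholders.

```python
"""Gap-check for Entra Conditional Access policies.

Added example, not Microsoft code. `audit()` takes the list of policy objects
that GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
returns (fields used: state, conditions.users, conditions.clientAppTypes,
conditions.applications, grantControls) and reports the gaps discussed above.
The two sample policies at the bottom are constructed for illustration.
"""
from __future__ import annotations

# Role template ID of the Global Administrator role (same in every tenant).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
# Client app types Entra treats as legacy (basic) authentication.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def enforced(policy: dict) -> bool:
    # "enabledForReportingButNotEnforced" (report-only) blocks nothing.
    return policy.get("state") == "enabled"


def built_in_controls(policy: dict) -> set[str]:
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def blocks_legacy_auth(policy: dict) -> bool:
    """Enforced, scoped to all users and all apps, covers both legacy client types, grants 'block'."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    return (
        enforced(policy)
        and LEGACY_CLIENT_TYPES <= set(cond.get("clientAppTypes") or [])
        and users.get("includeUsers") == ["All"]
        and apps.get("includeApplications") == ["All"]
        and "block" in built_in_controls(policy)
    )


def hardens_global_admins(policy: dict) -> bool:
    """Enforced, targets Global Admins (by role or via 'All'), and demands a compliant
    device or an authentication strength (how phishing-resistant MFA is required in CA)."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    targets_admins = GLOBAL_ADMIN_ROLE in set(users.get("includeRoles") or []) or users.get("includeUsers") == ["All"]
    grant = policy.get("grantControls") or {}
    strong = "compliantDevice" in built_in_controls(policy) or bool(grant.get("authenticationStrength"))
    return enforced(policy) and targets_admins and strong


def audit(policies: list[dict], break_glass_ids: frozenset[str] = frozenset()) -> list[str]:
    """Return human-readable findings; an empty list means the baseline is met."""
    findings: list[str] = []
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("no enforced policy blocks legacy authentication for all users")
    if not any(hardens_global_admins(p) for p in policies):
        findings.append("no enforced policy requires a compliant device or auth strength for Global Administrators")
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"{name!r} is still report-only")
        excluded = set(((p.get("conditions") or {}).get("users") or {}).get("excludeUsers") or [])
        extra = excluded - break_glass_ids
        if extra:
            # Every excluded object ID that is not a break-glass account is a hole in the policy.
            findings.append(f"{name!r} excludes non-break-glass users: {sorted(extra)}")
    return findings


# Constructed sample: the object IDs are placeholders, not real accounts.
BREAK_GLASS = frozenset({"11111111-1111-1111-1111-111111111111"})
SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": ["11111111-1111-1111-1111-111111111111"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Global Admins: phishing-resistant MFA",
        "state": "enabledForReportingButNotEnforced",  # never taken out of report-only
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeRoles": [GLOBAL_ADMIN_ROLE],
                # Break-glass plus a second account someone added "temporarily".
                "excludeUsers": ["11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"],
            },
        },
        # Built-in "Phishing-resistant MFA" strength; confirm the id against your tenant's
        # /identity/conditionalAccess/authenticationStrength/policies before relying on it.
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": "00000000-0000-0000-0000-000000000004"}},
    },
]

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES, BREAK_GLASS):
        print("FINDING:", line)
```

Run it against your own export by replacing `SAMPLE_POLICIES` with the `value` array from the Graph response. The sample tenant passes the legacy-auth check and fails the other three, which is the pattern I see most: the blocking policy got done, the admin policy got parked in report-only, and an exclusion that was meant to be temporary never came out.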
Endpoints: stop calling it antivirus
Signature-based AV has been losing to commodity malware for at least a decade. What you want is EDR or MDR, which is the same thing with a human SOC bolted on. For SMBs, Huntress (around $5 to $9 per endpoint per month) and SentinelOne are the obvious picks. CrowdStrike Falcon Go is fine if you can stomach the licensing dance. The point is that someone other than your office manager is watching alerts at 2 a.m.
Patch monthly at minimum. Browsers, OS, and any internet-facing app weekly, and anything that lands on CISA's Known Exploited Vulnerabilities list the same week it lands there. Your firewall and VPN appliance count as internet-facing apps; their firmware is the one thing most SMBs never patch, and it is where a lot of initial access comes from now. Microsoft Intune or a tool like Action1 will do the endpoint side for you. The number of breaches I have watched start with a six-month-old Chrome version is genuinely depressing.
Backups that survive ransomware, not just hard drive failure
Your backup is only useful if the attacker cannot delete it. That means immutability, not just "we have backups." Wasabi with Object Lock, Backblaze B2 with Object Lock, or a Veeam Hardened Repository all work, with two caveats. Object Lock in governance mode can be overridden by any account that holds the bypass permission, so use compliance mode with a retention window longer than the weeks an intruder typically sits in a network before encrypting. And the credential the backup job writes with must not be the same admin credential an attacker inherits when they take over your tenant or your domain. Test a restore quarterly, from the immutable copy, onto a host that is not the production server, and time it. The first time you find out your backup was silently failing should not be the day a ransomware affiliate encrypts your file server.
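"We turned on Object Lock" is a sentence I hear more often than I see it backed by a bucket that actually refuses deletes. The following is an added example, not Wasabi, Backblaze or Veeam code, that checks the two caveats above against the configuration an S3-compatible bucket reports, and then proves it by trying to delete a freshly written version. It assumes boto3 for the live calls (the `get_object_lock_configuration`, `put_object` and `delete_object` operations work the same on Wasabi and B2), and the sample configurations at the bottom are constructed so the pure check runs offline.

```python
"""Verify that a backup bucket's Object Lock really protects the backups.

Added example, not Wasabi, Backblaze or Veeam code. `bucket_lock_findings()`
is a pure check over the dict that boto3's get_object_lock_configuration()
returns (same S3 API on Wasabi and B2). `probe_delete()` is the live proof: it
writes a marker object and confirms that deleting its version is refused.
The sample configurations at the bottom are constructed.
"""
from __future__ import annotations


def retention_days(default_retention: dict) -> int:
    """S3 expresses default retention as Days or Years; normalise to days."""
    return int(default_retention.get("Days", 0)) + 365 * int(default_retention.get("Years", 0))


def bucket_lock_findings(lock_cfg: dict, min_days: int = 30) -> list[str]:
    """Findings against a get_object_lock_configuration() response; [] means OK.

    min_days is the shortest retention you accept. Ransomware crews often sit in a
    network for weeks before encrypting, so 30 days is a floor, not a target.
    """
    findings: list[str] = []
    cfg = lock_cfg.get("ObjectLockConfiguration") or {}
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return findings
    default = (cfg.get("Rule") or {}).get("DefaultRetention") or {}
    if not default:
        # Without a default rule, objects are locked only if the backup client sets a
        # retention period on every PUT. Most "we turned on Object Lock" setups stop here.
        findings.append("no default retention rule: new objects are not locked unless the client asks")
        return findings
    if default.get("Mode") != "COMPLIANCE":
        # GOVERNANCE can be overridden by any principal holding s3:BypassGovernanceRetention,
        # which an attacker who has the backup admin's keys usually has.
        findings.append("retention mode is GOVERNANCE, which a privileged key can bypass")
    days = retention_days(default)
    if days < min_days:
        findings.append(f"default retention of {days} days is below the {min_days}-day floor")
    return findings


def probe_delete(s3, bucket: str, key: str = "immutability-probe.txt") -> bool:
    """Live check: True if deleting the version just written is refused.
    The probe object itself stays until its retention expires, which is the point."""
    version = s3.put_object(Bucket=bucket, Key=key, Body=b"probe")["VersionId"]
    try:
        s3.delete_object(Bucket=bucket, Key=key, VersionId=version)
    except s3.exceptions.ClientError:
        return True
    return False


def live_check(bucket: str, endpoint_url: str, min_days: int = 30) -> list[str]:
    """Pull the real configuration and run both checks. Requires boto3 and credentials
    (e.g. ~/.aws/credentials); endpoint_url is your provider's S3 endpoint. Not run offline."""
    import boto3  # imported here so the pure check above needs no dependencies
    s3 = boto3.client("s3", endpoint_url=endpoint_url)
    try:
        cfg = s3.get_object_lock_configuration(Bucket=bucket)
    except s3.exceptions.ClientError:  # buckets without Object Lock raise instead of returning a config
        cfg = {}
    findings = bucket_lock_findings(cfg, min_days)
    if not findings and not probe_delete(s3, bucket):
        findings.append("configuration looks right but a version delete succeeded")
    return findings


# Constructed responses, in the shape boto3 returns.
GOOD = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 60}}}}
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
NO_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("weak", WEAK), ("no-rule", NO_RULE)):
        print(name, bucket_lock_findings(cfg) or ["ok"])
```

For a real bucket call `live_check("my-backups", "https://s3.wasabisys.com")` or the B2 endpoint for your region, from a machine that holds only the backup job's credentials. If the probe delete succeeds with that key, your backups are not immutable against the attacker who will have that key.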
Train people, but expect them to fail
Annual security awareness videos do not change behavior. They check a compliance box. KnowBe4 or Hook Security with monthly simulated phishing is more honest about how this works: people will keep clicking, so your job is to make reporting a suspicious email a one-click action and to detect and contain after someone clicks anyway. Treat humans as a noisy sensor, not a hardened control.
Network segmentation, but make it boring
You do not need a SASE platform. You need your guest Wi-Fi off your production VLAN, your printers off everything important, and admin interfaces unreachable from the internet. A Ubiquiti UniFi setup, a sub-$1k investment, can do this. Cloudflare Access in front of any internal app you used to expose with port forwarding is a free or near-free upgrade (the free Zero Trust plan covers up to 50 users), and it lets you close the port forward for good.
Logging you will actually look at
Centralize sign-in logs from M365 or Workspace, your EDR, and your firewall into something searchable. Entra keeps sign-in logs for 30 days with P1 or P2 (7 days without), which is shorter than the time most ransomware crews spend inside a network before they encrypt, so ship the logs out and keep at least 90 days. Blumira or a managed SIEM service is the SMB-realistic answer. The fantasy of a self-hosted Wazuh stack run by your one-person IT team rarely survives contact with real life.
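Whatever you centralize into, the first two searches worth saving are the ones that tie this list together: a successful sign-in over a legacy protocol (which means the Conditional Access policy from the identity section is not doing its job) and a password spray, with the success that usually follows one. The following is an added example, not Blumira's or Microsoft's code, that runs both over Entra sign-in records in the shape `GET https://graph.microsoft.com/v1.0/auditLogs/signIns` returns. It assumes the fields `createdDateTime`, `userPrincipalName`, `ipAddress`, `clientAppUsed` and `status.errorCode`, treats error code 50126 as "bad password" and 0 as success, and the JSON lines are constructed.

```python
"""Two detections over Entra sign-in log records (the shape you get from
GET https://graph.microsoft.com/v1.0/auditLogs/signIns or an M365 export):
successful legacy-auth sign-ins, which a working Conditional Access policy
should make impossible, and password sprays plus the success that follows.
Added example, not Blumira's or Microsoft's code. The JSON lines at the
bottom are constructed; 50126 is Entra's "invalid username or password".
"""
from __future__ import annotations
import json
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that mean basic/legacy authentication, as they appear in
# Entra sign-in logs; extend for whatever else shows up in your tenant.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
BAD_PASSWORD = 50126


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def load(jsonl: str) -> list[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def legacy_auth_successes(events: list[dict]) -> list[tuple[str, str]]:
    """(user, client) for every successful sign-in over a legacy protocol."""
    return [(e["userPrincipalName"], e["clientAppUsed"]) for e in events
            if e["status"]["errorCode"] == 0 and e["clientAppUsed"] in LEGACY_CLIENTS]


def password_sprays(events: list[dict], window_minutes: int = 10, min_users: int = 5) -> dict[str, set[str]]:
    """Source IPs with bad-password failures for >= min_users distinct accounts inside
    any sliding window of window_minutes; the value is the largest set of users hit."""
    window = timedelta(minutes=window_minutes)
    failures: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == BAD_PASSWORD:
            failures[e["ipAddress"]].append((parse_ts(e["createdDateTime"]), e["userPrincipalName"]))
    hits: dict[str, set[str]] = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users and len(users) > len(hits.get(ip, ())):
                hits[ip] = users
    return hits


def successes_after_spray(events: list[dict], sprays: dict[str, set[str]]) -> list[tuple[str, str]]:
    """(ip, user) for successful sign-ins from a spraying IP after its first failure,
    i.e. the account the spray got into."""
    first_fail: dict[str, datetime] = {}
    for e in events:
        if e["status"]["errorCode"] == BAD_PASSWORD and e["ipAddress"] in sprays:
            t = parse_ts(e["createdDateTime"])
            first_fail[e["ipAddress"]] = min(t, first_fail.get(e["ipAddress"], t))
    return sorted((e["ipAddress"], e["userPrincipalName"]) for e in events
                  if e["status"]["errorCode"] == 0 and e["ipAddress"] in first_fail
                  and parse_ts(e["createdDateTime"]) >= first_fail[e["ipAddress"]])


# Constructed sample: seven accounts sprayed from one IP in under a minute, one of
# them succeeds; later a CFO mailbox is read over IMAP; then a normal browser sign-in.
SAMPLE_LOG = """\
{"createdDateTime":"2026-02-03T02:10:05Z","userPrincipalName":"a.ng@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2026-02-03T02:10:09Z","userPrincipalName":"b.ortiz@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2026-02-03T02:10:14Z","userPrincipalName":"c.diaz@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2026-02-03T02:10:21Z","userPrincipalName":"d.park@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2026-02-03T02:10:30Z","userPrincipalName":"e.ruiz@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2026-02-03T02:10:38Z","userPrincipalName":"f.wong@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2026-02-03T02:10:47Z","userPrincipalName":"h.kim@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":50126}}
{"createdDateTime":"2026-02-03T02:11:40Z","userPrincipalName":"h.kim@example.com","ipAddress":"203.0.113.7","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2026-02-03T09:15:00Z","userPrincipalName":"cfo@example.com","ipAddress":"198.51.100.23","clientAppUsed":"IMAP4","status":{"errorCode":0}}
{"createdDateTime":"2026-02-03T09:20:00Z","userPrincipalName":"a.ng@example.com","ipAddress":"192.0.2.44","clientAppUsed":"Browser","status":{"errorCode":0}}
"""

if __name__ == "__main__":
    ev = load(SAMPLE_LOG)
    print("legacy auth successes:", legacy_auth_successes(ev))
    sprays = password_sprays(ev)
    print("password sprays:", {ip: sorted(u) for ip, u in sprays.items()})
    print("spray successes:", successes_after_spray(ev, sprays))
```

The thresholds (ten minutes, five accounts) are deliberately low for a tenant of fifty people; a single IP failing five different usernames in ten minutes is not a user mistyping. Tune them upward only once you have looked at a month of your own data, and treat a hit from `successes_after_spray` as an incident, not an alert.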
None of this is glamorous. None of it requires the word "zero trust" on a slide. But the businesses that get quietly destroyed by ransomware in 2026 are almost always the ones that skipped two or three of the items above. If working through this list internally feels like more than your team can absorb, Syncritech does this kind of baseline assessment for SMBs without trying to upsell you a SOC you do not need.