The five security controls that actually move the risk needle for SMBs
Most security spending in the SMB segment goes to controls that don’t move the actual risk. Here are the five that do.
Lacy MooreMay 6, 20261 min read
Part 1 of 2 · The SMB Security Baseline
Cybersecurity has been sold badly to small and mid-sized businesses for years. You have been pitched antivirus as protection. You have been sold a firewall and told you were covered.
Enforced MFA everywhere identity matters
The single highest-leverage control. Modern attacks start with valid logins more often than with malware, and MFA — applied to every account that can reach company data — is what closes that door.
Endpoint detection and response, with real response
Antivirus catches yesterday’s malware. EDR catches behavior — and escalates to humans who can act on it. The "response" half is where most implementations fall down.
Immutable, tested backup
Backups that ransomware can’t reach, and that someone has actually restored from in the last six months. The second half is the hard part.
Email security beyond the default filter
M365 and Google Workspace have baseline protection. It is not enough. Layered email security catches the modern phishing that default filters miss.
A real incident response plan, written down
Not "we’ll call our MSP." A document that says who decides, who communicates, who restores, and in what order — tested through at least one tabletop exercise.
Related service