The Flow Report

Cybersecurity for Small Businesses: Scams, Phishing, and the Basics That Actually Matter

You do not need an IT department to handle the big cybersecurity risks small businesses face. Here is a practical set of habits and tools for Santa Cruz owners.

Rock Hudson · 7 min read
systems operations

Small businesses tend to believe cybersecurity is someone else's problem. You are not a bank. You are not storing millions of credit cards. Who would bother with your email account?

Plenty of people, actually. Phishing attacks, payroll fraud, business email compromise, ransomware. The attackers are not personally targeting your business. They are running automated campaigns against everyone, and small businesses with thin defenses are often the easier score.

You do not need an IT department to handle this. You need a short list of habits, a few inexpensive tools, and a team that knows the most common scams.

One caveat up front. If you handle regulated data (health information under HIPAA, payment information under PCI, personal data under CCPA), talk to a cybersecurity professional or an attorney who handles compliance work. The generic advice below is a starting point, not the full picture for a regulated business.

The big risks, in plain language

Phishing. An email that looks like it is from a trusted source (your bank, your vendor, your employee, your landlord) tries to get you to click a link, enter credentials, or send money. These are increasingly convincing. The attacker often impersonates the owner asking the bookkeeper to wire money urgently.

Business email compromise. An attacker gets into someone's email and uses that access either to impersonate them or to watch for an opportunity to redirect a payment. Small businesses lose real money to this every week in the US. The access usually came from a reused or weak password, or from phishing.

Ransomware. Malware that encrypts your files and demands payment to unlock. You click a bad link or open a bad attachment, and suddenly your operation is frozen. Insurance sometimes helps. Backups definitely help. Not falling for the initial lure is best.

Account takeover. Attackers get your password for one service and try it on twenty others. Many people use the same password everywhere. The attacker hits the one service where you reused it and they are in.

Scam calls and social engineering. "Hi, this is your bank's fraud department, we need to verify your account." This is old school and it still works.

The basics that solve most of the risk

Strong, unique passwords, kept in a password manager. 1Password, Bitwarden, LastPass. Pick one. Move every business password into it. Never reuse a password across services. This alone closes the door on most automated attacks.

Two-factor authentication everywhere that offers it. Email, banking, payroll, cloud storage. Use an authenticator app or a hardware key, not SMS where you can avoid it. This is the single highest-value security upgrade available to a small business.

Regular backups, stored separately from your main systems. Cloud backups to a different provider. Or a rotating set of external drives. Backups mean a ransomware attack is expensive, not fatal.

Up-to-date software. Your operating system, your browser, your apps. Patches close known vulnerabilities. Attackers scan for unpatched systems.

Antivirus or endpoint protection on work machines. Even Mac and modern Windows defaults catch a lot. Basic commercial endpoint protection catches more. Budget-friendly products exist for small teams.

A separate work email domain. Use a proper email provider (Google Workspace, Microsoft 365) with your own domain. Personal Gmail for business creates problems for both security and professionalism.

Train your team on the common scams

Most breaches start with a person clicking something. A brief training twice a year, and a short reference sheet, covers most of the ground.

Things your team should recognize as suspicious. Any email asking for an urgent wire or gift card purchase. Any link in an email asking you to log in to a service. Any voice call asking for account information. Any text claiming to be from the CEO asking for a favor.

A specific habit worth teaching. Anyone asking for a money transfer or a change to payment details gets confirmed by a second channel before action. Your vendor emails you saying their bank info changed? Call the vendor on the phone number you already have to confirm. Do not reply to the email. This single habit blocks a huge share of the most expensive attacks.

Make it safe to flag weird emails. If someone thinks something might be a phishing attempt, they should forward it to someone who can look without fear of looking dumb. Most times it is nothing. Sometimes it is a real attack, and catching it early matters.
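As an added illustration (not from the article), here is a small Python triage script that applies the reference-sheet rules above to a few constructed sample emails and reports which out-of-band check applies; the sample addresses are made up, and the Reply-To domain comparison is an extra check I have assumed is worth adding beyond the article's list.

```python
import re

# Constructed sample messages (not real mail) in the shapes the article describes.
SAMPLES = [
    {"from": "owner@shop.example", "reply_to": "owner.shop@webmail.example",
     "subject": "Quick favor",
     "body": "In a meeting. Buy $500 in gift cards today and send me the codes."},
    {"from": "ap@vendor.example", "reply_to": "ap@vendor.example",
     "subject": "Updated banking details",
     "body": "Our bank account has changed. Use the new routing number for the next wire."},
    {"from": "it@mail-secure.example", "reply_to": None,
     "subject": "Unusual sign in detected",
     "body": "Verify your account at https://mail-secure.example/login within 24 hours."},
    {"from": "news@supplier.example", "reply_to": None,
     "subject": "Summer catalog", "body": "Our summer catalog is live. Browse the new line."},
]

# Each rule: (name, pattern, what the recipient should do). Patterns are deliberately
# broad: the question is whether the second-channel confirmation habit applies,
# not whether the message is malicious.
RULES = [
    ("payment_detail_change",
     re.compile(r"\b(bank|routing|account|payment)\b.{0,40}\b(changed?|updated?|new)\b", re.I | re.S),
     "Call the vendor on the number already on file, not one in the email. Do not reply."),
    ("money_transfer_or_gift_card",
     re.compile(r"\b(wire|transfer|gift cards?)\b", re.I),
     "Confirm with the requester by phone or in person before doing anything."),
    ("login_link",
     re.compile(r"\b(log ?in|sign ?in|verify your account)\b.{0,60}https?://", re.I | re.S),
     "Do not use the link. Open the service from a bookmark or a typed address."),
]

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def triage(msg):
    """Return the (rule, what_to_do) pairs that apply to one message."""
    text = f"{msg['subject']} {msg['body']}"
    hits = [(name, action) for name, pat, action in RULES if pat.search(text)]
    # Assumed extra check: a Reply-To on a different domain than From is a common
    # sign that the visible sender name is being impersonated.
    reply_to = msg.get("reply_to")
    if reply_to and domain(reply_to) != domain(msg["from"]):
        hits.append(("reply_to_domain_mismatch",
                     "Treat the sender as unverified until confirmed out of band."))
    return hits

def rule_names(msg):
    return [name for name, _ in triage(msg)]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"], "->", rule_names(msg) or ["no flags"])
```

The script is meant for whoever receives forwarded "is this phishing?" emails: it turns the reference sheet into a consistent first pass, not a replacement for the phone call.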

The boring but important tools

A password manager for the business with shared vaults for team credentials. Stops people from DMing passwords to each other. Stops shared accounts from spreading through Post-its.

Email filtering. Your email provider (Google, Microsoft) has built-in filtering. Tune it, keep it current, report phishing attempts so the filter learns.

Device encryption. Laptops, phones, tablets that are used for work should be encrypted. A stolen laptop with unencrypted business data is a breach. An encrypted one is inconvenient.

Access reviews. When an employee leaves, their accounts get shut down the same day. Same for vendors that stop working with you. Unused accounts are the ones attackers take over.

Payment and banking specifics

Separate business accounts from personal. Always. A separate bank relationship for the business, properly documented.

Dual approval on wires and larger transfers. If your bank offers it, turn it on. Two people confirm anything above a threshold. This stops the "boss told me to wire the money urgently" scam cold.

Review transactions weekly. Fraud caught early is reversible. Fraud caught in the quarterly reconciliation is usually not.

Use a credit card for recurring vendors where possible. Disputes work better on credit cards than on ACH.

If something goes wrong

Have a simple incident response plan. Who you call. What you shut down. What you preserve. A short doc with phone numbers is enough for most small businesses.

Consider cyber insurance. Talk to your business insurance broker. Premiums for small businesses are not ruinous and coverage can include incident response and recovery.

If you think you have been breached, shut down access fast, change passwords, notify your bank, and call a security professional. Do not pay a ransom without professional advice. Do not try to negotiate on your own.

The compliance layer

If you handle health data, payment data, or personal data from California residents, there are specific obligations beyond the basics above. I am not the person to tell you what they are. Your attorney is, and for larger volumes, a compliance professional. For related reading on the AI and data privacy side, see the piece on data privacy and AI for local business.

What you do not need

You do not need enterprise firewalls. You do not need an in-house IT person. You do not need expensive consultants. For most small Santa Cruz businesses, 90 percent of the risk is handled by strong passwords, two-factor authentication, backups, updates, and team awareness. That is a few hundred dollars a year in tools and a couple of hours of training.

Monday action

Pick one. Just one.

Sign up for a password manager and start moving your business passwords into it.

Turn on two-factor authentication on your email and banking.

Verify you have a backup of your business files, stored somewhere besides the device they live on.

Send your team a two-paragraph note about the wire-transfer scam and the rule about verifying any payment change by phone.

Do the next one next week. Inside a month, your security posture is better than most of your peers, at negligible cost.

If you want help

If you want a cybersecurity professional's eyes on your setup, especially if you handle regulated data, find one. I can often refer. Operationally, the habits and the team training side of this are things I help with through a Flow Check or a short intro call. Deeper technical work goes to specialists.
