Breachroad
SMB

Small business cybersecurity: a 90-day plan

A small company doesn't need a security department to stop being an easy target. A 90-day plan: what to do in-house, what to buy, what to outsource.

Karol Rapacz
16 April 2026 · 12 min read

"We're too small for anyone to attack us" is the sentence we hear most often right before a story about encrypted files or a swapped invoice. Reality is the opposite: attacks are automated, and scanners don't check company size; they check open ports, software versions and leaked passwords. A small company can be the easier target: the same money in the account, fewer defences around it. The good news is that most of the protection can be built without a security hire and without an enterprise budget. Here's the 90-day plan.

Before you start: the three realistic threat scenarios

Small companies lose money in three main ways, and the priorities below are set against them:

  1. Email takeover and invoice swap (BEC). The attacker gets into a mailbox (a leaked or reused password, phishing), reads the correspondence and at the right moment sends a contractor "our new bank account number", often with a mailbox rule that hides the real replies. Losses: tens of thousands of złoty and up.
  2. Ransomware. Entry through unpatched remote services or a hijacked account, then encryption of everything that account can reach, including the copies on the network drive, and a ransom demand. Losses: ransom + downtime + recovery.
  3. "Employee" scams: fake phone calls, texts and "urgent transfers from the boss". Social engineering works best where decision paths are short and one person can move money alone.

Days 1–30: foundations (cost: mostly time)

Week 1 — identity.

  • Turn on MFA everywhere: email, bank, cloud, the company's social media. In Microsoft 365 turn on Security Defaults (MFA for every user); in Google Workspace enforce 2-Step Verification for all users. Prefer an authenticator app or a hardware key to SMS codes, and cover the admin accounts first.
  • Install a business password manager; move passwords out of spreadsheets and notebooks, then delete the spreadsheets. One generated, unique password per service.
  • Check on Have I Been Pwned which company addresses appear in leaks (its domain search covers every address on your domain); change those passwords immediately, everywhere they were reused.

Week 2 — the money.

  • Introduce the iron second-channel rule: every change of a contractor's bank account and every unusual transfer requires phone confirmation on a previously known number, never one taken from the email or invoice that asked for the change. Write it on one page, sign it with the team.
  • At the bank: transfer limits, dual authorisation above a threshold, operation notifications.

Week 3 — devices and updates.

  • Automatic OS and browser updates on all computers; remove unused software.
  • Disk encryption (BitLocker/FileVault) with the recovery key kept in the password manager or the management console, not on the laptop; screen lock; non-admin accounts for daily work.

Week 4 — backups.

  • Implement the 3-2-1 rule (three copies, two kinds of media, one off-site) in its micro version: an automatic cloud backup with versioning plus an offline copy (a drive that is unplugged after each backup) for critical data. Versioning is what makes it a backup: a plain sync folder faithfully mirrors encrypted files over the good ones.
  • Test a restore of one folder and one mailbox: an untested backup doesn't exist.
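
A restore test is only conclusive if you compare what came back with what you had. The script below is an added example, not part of the original article: it hashes every file under a source folder and checks the same relative path under the restored copy, reporting files that are missing or that came back different (truncated, encrypted, stale). The `demo()` function builds a constructed scenario in a temporary directory, so it runs without any real backup; in practice you point `verify_restore()` at the live folder and the folder you restored from the backup.

```python
"""Verify a test restore by comparing file hashes between the live folder
and the restored copy. Added example for this article, not vendor code."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_restore(source: Path, restored: Path) -> dict[str, list[str]]:
    """Compare every file under `source` with the same relative path under `restored`.

    Returns relative paths grouped as 'ok', 'missing' (not restored at all) and
    'mismatched' (restored, but the content differs, e.g. truncated or encrypted).
    Files present only in `restored` are ignored: the question is whether you get
    your data back, not whether the backup contains extras.
    """
    report: dict[str, list[str]] = {"ok": [], "missing": [], "mismatched": []}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = restored / rel
        if not dst.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_file(src) != sha256_file(dst):
            report["mismatched"].append(rel.as_posix())
        else:
            report["ok"].append(rel.as_posix())
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files, of which one restores truncated and one is
    missing from the restore entirely. Runs in a throwaway temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp) / "live", Path(tmp) / "restored"
        files = {
            "invoices/2026-03.pdf": b"%PDF-1.4 constructed sample invoice\n" * 50,
            "contracts/acme.docx": b"PK\x03\x04 constructed sample contract\n" * 50,
            "notes.txt": b"confirm account changes by phone on a known number\n",
        }
        for rel, data in files.items():
            for root in (live, restored):
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        # Simulate two classic restore failures.
        (restored / "contracts/acme.docx").write_bytes(b"PK\x03\x04")  # truncated copy
        (restored / "notes.txt").unlink()                                # never backed up
        return verify_restore(live, restored)


if __name__ == "__main__":
    for state, paths in demo().items():
        print(f"{state:10s} {len(paths):3d}  {', '.join(paths)}")
```

A restore that reports anything under "missing" or "mismatched" is a backup that does not exist for those files; fix the backup job before the day you need it, not after.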

Days 31–60: closing the holes (cost: a few hundred to a few thousand PLN/month)

  • EDR instead of free antivirus on the computers (we explain the difference elsewhere); for a dozen seats it costs a few hundred złoty monthly.
  • A review of exposed services: is RDP, the VPN gateway or the NAS reachable from the internet? Close it, put it behind a VPN with MFA, update it. Exposed remote access is the most common ransomware route into small companies.
  • Email: configure SPF, DKIM and DMARC for your domain (this also protects your customers from mail spoofed as "you"); start DMARC at p=none, read the reports, then move to quarantine and reject. Enable external-mail tagging.
  • Office Wi-Fi: a guest network separated from the company one; router password changed, firmware updated.
  • Phones: screen lock, updates, a work profile for company email.
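
To answer the "is it reachable from the internet?" question with data rather than guesswork, here is an added example (not from the original article) that attempts a TCP connection to the ports small-office remote-access services usually listen on. Run it from outside the office network, for instance a laptop on a phone hotspot, against the office's public IP; from inside, the router may answer differently. The port list and the placeholder address 203.0.113.10 are assumptions, so adjust them to your equipment. `self_check()` proves the probe works against a throwaway local listener, so a "nothing reachable" result can be trusted.

```python
"""Probe whether remote-access services answer from the internet.
Added example for this article; not part of any vendor's tooling."""
import socket
import sys

# Common TCP defaults on small-office gear (assumptions; adjust to your devices).
# TCP only: IPsec/WireGuard VPNs use UDP and need a different check.
DEFAULT_PORTS = [
    (21, "FTP"), (22, "SSH"), (23, "Telnet"), (445, "SMB"), (3389, "RDP"),
    (5900, "VNC"), (1723, "PPTP VPN"),
    (5000, "NAS web (Synology DSM default)"), (5001, "NAS web TLS (Synology DSM default)"),
    (8080, "NAS/web admin (QNAP default)"),
]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_services(host: str, ports=DEFAULT_PORTS, timeout: float = 2.0) -> list[tuple[int, str]]:
    """Return the (port, service) pairs on `host` that accept a connection."""
    return [(port, name) for port, name in ports if tcp_open(host, port, timeout)]


def self_check() -> bool:
    """Sanity-test the probe against a throwaway loopback listener: it must see the
    listener while it is up and must not see it after it is closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        seen_up = exposed_services("127.0.0.1", [(port, "self-check")], 1.0) == [(port, "self-check")]
    finally:
        srv.close()
    seen_down = tcp_open("127.0.0.1", port, 1.0)
    return seen_up and not seen_down


if __name__ == "__main__":
    if not self_check():
        sys.exit("probe self-check failed: do not trust results from this machine")
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder (TEST-NET-3)
    hits = exposed_services(target)
    if not hits:
        print(f"{target}: none of the checked ports answer from here")
    for port, name in hits:
        print(f"{target}:{port} is reachable ({name}): put it behind VPN+MFA or close it")
```

Anything the script reports as reachable is reachable for every scanner on the internet too; the fix is to close the port-forward on the router or put the service behind the VPN, not to rename the service or move it to an unusual port.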

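Whether SPF and DMARC exist matters less than how they are set: an SPF record ending in +all or a DMARC policy left at p=none does not stop spoofing. The checker below is an added example (not from the original article) that flags the common weak settings in SPF and DMARC TXT records. The records in it are constructed samples for a hypothetical domain that sends through Microsoft 365, with a weak version beside the hardened one; fetch your own with `dig TXT yourdomain.com` and `dig TXT _dmarc.yourdomain.com`. DKIM is not checked here because the key record comes from your mail provider's admin console and is specific to it.

```python
"""Flag weak SPF and DMARC records. Added example for this article."""

# Constructed sample records for a hypothetical domain using Microsoft 365.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ptr +all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return the problems found in an SPF TXT record (empty means it looks sound)."""
    problems: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    body = terms[1:]
    # The final 'all' decides the fate of servers not listed earlier.
    last = body[-1].lower() if body else ""
    if last in ("+all", "all"):
        problems.append("'+all' lets any server on the internet send as your domain")
    elif last not in ("-all", "~all"):
        problems.append("no terminating -all/~all: unlisted senders are neither rejected nor flagged")
    lookups = 0
    for term in body:
        # Strip the qualifier (+ - ~ ?) and the argument after ':' '/' or '='.
        name = term.lstrip("+-~?").lower().split(":")[0].split("/")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("'ptr' mechanism is deprecated, slow and unreliable: remove it")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the limit of 10: receivers return permerror")
    return problems


def check_dmarc(record: str) -> list[str]:
    """Return the problems found in a _dmarc TXT record (empty means it looks sound)."""
    problems: list[str] = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    elif policy == "none":
        problems.append("p=none only monitors: spoofed mail is still delivered; "
                        "move to quarantine, then reject, once the reports look clean")
    if "rua" not in tags:
        problems.append("no rua= address: you get no aggregate reports and cannot see who spoofs you")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        problems.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return problems


if __name__ == "__main__":
    cases = (("SPF weak", WEAK_SPF, check_spf), ("SPF fixed", GOOD_SPF, check_spf),
             ("DMARC weak", WEAK_DMARC, check_dmarc), ("DMARC fixed", GOOD_DMARC, check_dmarc))
    for label, rec, check in cases:
        print(f"{label}: {rec}")
        for problem in check(rec) or ["no problems found"]:
            print(f"  - {problem}")
```

The p=none finding is deliberate: monitoring mode is the right first step, but it is a step, and the rua= reports are what tell you when the mail you actually send passes and it is safe to move on to quarantine and reject.
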
Days 61–90: processes and people

  • A 60-minute training for the whole team: what phishing, fake calls and invoice swaps look like — on real examples. A refresher every six months.
  • A one-page incident plan: whom we call (IT/external support, the bank, a lawyer), what we disconnect, where we report (the regulator within 72 h for personal data, the national CERT). Print it — during an incident the network may be down.
  • Off-boarding: a leaver checklist (accounts, equipment, shared passwords to rotate).
  • An access review: who can reach what — especially IT suppliers and service technicians; unused accounts get disabled.

What to outsource (and when)

In-house you deliver the hygiene; three things are worth buying in:

  1. A one-hour consultation at the start — instead of guessing priorities; it produces a list tailored to your company (free with us).
  2. An annual security review/audit — fresh eyes on configuration, exposed services and access; for small companies we run a condensed version — see the Start package.
  3. Monitoring/incident support — the number you’ll call at 10 p.m. on a Saturday before paying any ransom.

A full penetration test makes sense once you have your own application, an online shop, or clients asking for it.

Frequently asked questions (FAQ)

What does this plan really cost? Phase 1: practically zero (time + maybe a password manager at ~PLN 10–20/person/month). Phase 2: EDR ~PLN 20–40/seat/month, the rest is configuration. Phase 3: time + possibly an external training. For a 10–20 person company the total usually closes within a few hundred złoty monthly — less than one hour of accounting downtime.

We have no IT person. Who’s supposed to do this? Most of phase 1 can be done by the owner or a capable employee over a few evenings (it’s all settings, not programming). Phase 2 can be handed to external IT with this list as the specification — and that matters: you define the what, they define the how. Without a list you’ll get “everything works fine here”.

Where do we start if we have a week, not 90 days? Three things: MFA on email and the bank, the second-channel rule for transfers, and an offline copy of critical data with a restore attempt. Those three close the scenarios that most often end in real money being lost.

Does cyber insurance make sense for a small company? Increasingly yes — but read the requirements: policies demand MFA, backups, EDR (i.e. phases 1–2 of this plan). Insurance without the basics = payout refusal risk. Treat it as a complement to the plan, not a substitute.

When does a small company “outgrow” this level? The signals: your own application/shop, sensitive customer data, contractors asking about security in contracts, falling under NIS2 as a supplier. Then it’s time for regular testing and a formal programme — we’ll help you cross that threshold.

Summary

Small business security isn’t enterprise technology in miniature — it’s consistent hygiene: MFA + a password manager, the second-channel rule, updates, EDR, tested backups and an hour of training. That set takes you out of the “easy target” category — and easy targets are what feed automated crime. Want a shortcut? Book a free consultation — in an hour we’ll establish which points of the plan you’ve already closed and which are burning.
