If you run a small business and you keep getting cybersecurity proposals that sound expensive and contradictory, here is a cleaner way to think about it. You do not need every tool. You need the right ones, in the right order, configured properly. This is the baseline we recommend before anyone starts talking about advanced detection, threat hunting, or compliance frameworks.
The five things that move the needle
If you do nothing else, do these. In this order.
1. Multi-factor authentication on every account that matters
Email, payroll, banking, your IT admin accounts, your cloud accounts, your code repositories. Not just "MFA enabled" — MFA enforced, with phishing-resistant factors (hardware keys or platform passkeys) for admin accounts.
This single control blocks the majority of real-world business email compromise attacks. It is also free or close to it on every modern platform.
2. Endpoint protection on every device
Every laptop and server should have modern endpoint protection — not just an antivirus, but EDR (Endpoint Detection and Response). Microsoft Defender for Business, CrowdStrike, SentinelOne, and a handful of others are reasonable choices. The difference between "antivirus" and "EDR" is the same as the difference between a smoke alarm and a fire alarm wired to a monitoring service.
3. Backups you have actually tested
The phrase is "tested backups," not "configured backups." If you have never restored a real file from your backup system, you do not have backups. You have wishful thinking.
A good baseline:
- Daily automated backup of laptops, servers, and SaaS data (yes, your Microsoft 365 mailbox)
- At least one copy stored offline or immutable (so ransomware cannot encrypt it)
- A documented restore procedure
- An actual restore drill at least quarterly
4. Patching that actually happens
Most successful breaches use vulnerabilities that have had patches available for months. You need a system that:
- Applies operating system and browser patches automatically on every laptop
- Patches servers on a regular cadence (monthly at minimum)
- Tracks which devices are out of date and surfaces them
This is solved territory — Intune, Jamf, or a competent RMM tool will do it. The hard part is making sure the system actually covers every device.
5. A way to find out when something goes wrong
Detection. Without it, the average breach goes undetected for months. You do not need a full SOC on day one — but you do need:
- Centralized logging from your endpoints, identity provider, and firewall
- Some form of alerting on suspicious events (unusual logins, EDR detections, mass file changes)
- A documented "who do we call?" answer
For small businesses, this is often where outsourcing makes sense — either via a managed EDR vendor's MDR offering or via a SOC-as-a-Service partner.
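To make the "some form of alerting" item concrete, here is a small detector added for this post (example code, not an F09 Tech tool): it runs three baseline rules over constructed log lines from a central log, flagging a login from a country a user has never used before, any EDR detection, and a burst of file writes from one host. The field names, host names and thresholds are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_logs():
    """Constructed sample events for a hypothetical central log (not real data)."""
    lines = [
        '{"ts":"2024-05-01T08:00:00","src":"idp","user":"ana","event":"login","country":"US"}',
        '{"ts":"2024-05-01T08:05:00","src":"idp","user":"ana","event":"login","country":"US"}',
        '{"ts":"2024-05-01T08:30:00","src":"idp","user":"ana","event":"login","country":"NZ"}',
        '{"ts":"2024-05-01T09:00:00","src":"edr","host":"lt-07","event":"detection","name":"malware-blocked"}',
    ]
    # 60 file writes in 60 seconds from one laptop: the "mass file change" pattern
    base = datetime(2024, 5, 1, 10, 0, 0)
    for i in range(60):
        ev = {"ts": (base + timedelta(seconds=i)).isoformat(), "src": "fs",
              "host": "lt-07", "event": "write", "path": f"/share/doc{i}.xlsx"}
        lines.append(json.dumps(ev))
    return lines

def detect(lines, mass_threshold=50, window=timedelta(minutes=5)):
    """Three baseline rules over newline-delimited JSON events; returns alert tuples."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries already seen logging in
    write_times = defaultdict(list)     # host -> timestamps of recent file writes
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["src"] == "idp" and ev["event"] == "login":
            # Unusual login: a country this user has never logged in from before
            user, country = ev["user"], ev["country"]
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append(("unusual_login", user, country))
            seen_countries[user].add(country)
        elif ev["src"] == "edr" and ev["event"] == "detection":
            # Every EDR detection deserves a human look at this maturity level
            alerts.append(("edr_detection", ev["host"], ev["name"]))
        elif ev["src"] == "fs" and ev["event"] == "write":
            # Mass file change: too many writes from one host inside a sliding window
            times = write_times[ev["host"]]
            times.append(ts)
            while times and ts - times[0] > window:
                times.pop(0)
            if len(times) == mass_threshold:  # fires as the threshold is crossed
                alerts.append(("mass_file_change", ev["host"], len(times)))
    return alerts
if __name__ == "__main__":
    for alert in detect(build_sample_logs()):
        print(alert)
```

In practice the same three rules are what a managed EDR or SOC-as-a-Service partner tunes for you; the point of the example is that the data sources in the list above are enough to catch all three patterns.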
Things to deprioritize (yes, really)
Vendors will try to sell you all of these on day one. They are not zero-value, but they are lower-priority than the five above:
- DLP (Data Loss Prevention). Hard to configure well, generates lots of noise. Worth it for highly regulated data, overkill for most.
- SIEM platforms you operate yourself. A self-managed SIEM without a real team behind it becomes a dashboard nobody looks at.
- Phishing simulations. Fine to add, but they are awareness, not protection. MFA does more.
- Vulnerability scanners run quarterly with no remediation process. A scan with no action behind it is just a long PDF.
A reasonable order of operations
For a typical 20–100 person business starting from "we have antivirus and a firewall":
Month 1: Enforce MFA everywhere with phishing-resistant factors for admins. Document who has admin rights and remove the ones that should not.
Month 2: Roll out modern EDR to every endpoint. Verify it is reporting on every device. Set basic isolation policies.
Month 3: Backup audit. Test restores. Fix gaps. Add SaaS backup if missing.
Month 4: Centralize patching and confirm coverage. Set thresholds for "must be patched within X days."
Month 5: Detection. Either turn on managed detection from your EDR vendor or evaluate SOC-as-a-Service partners.
Month 6+: Now you can have the conversations about compliance, advanced detection, security awareness training, and so on. They will mean something at this point.
What this costs
For a typical small business doing the above with a mix of free tier and paid tools, real-world all-in security spend tends to land somewhere between $25 and $80 per user per month. The wide range depends heavily on whether you are running detection in-house, outsourced, or not at all.
That number sounds like a lot until you compare it to the cost of a single incident — which for ransomware on an unprepared business often runs into six figures plus weeks of downtime.
How we help
F09 Tech works with small and growing businesses to put this baseline in place without selling you tools you do not need. If you are starting from scratch — or wondering whether the security stack you have actually covers the basics — reach out. We are happy to walk through it.