IronRoot Risk Consultants

Top 10 Security Risks

Small Businesses Ignore (And Pay For)

A plain-English guide to the security and compliance gaps that catch small businesses off guard — and what you can do about each one.


1. No Multi-Factor Authentication on Email
The Risk
Business email is the #1 target for attackers. Without MFA, a stolen or guessed password gives an attacker full access to your inbox, your contacts, your cloud files, and — in most cases — a master key to every other account that uses that email for password resets.
Real-World Example
A 12-person accounting firm lost access to their entire Microsoft 365 environment after an employee's password was phished. The attacker forwarded all incoming email to an external address for six weeks undetected — accessing client financial data the entire time.
What to Do
Enable MFA on every email account and cloud service today, not next quarter. In Microsoft 365 or Google Workspace, enforcing it org-wide takes under 30 minutes. Use an authenticator app rather than SMS, and for owners and admins prefer a passkey or FIDO2 security key: SMS codes can be intercepted, and even app-generated codes can be relayed by real-time phishing kits, while passkeys and security keys cannot. Two things MFA alone does not fix: disable legacy protocols that bypass it (IMAP, POP and SMTP basic authentication) where they are still on, and turn off automatic forwarding to external domains at the tenant level, since a forwarding rule is exactly how the attacker in the example above kept reading mail for six weeks. This is the single highest-ROI security action available.
Severity: CRITICAL
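A check to go with this item, added here as an example and not part of the original guide: a short Python script that looks for the kind of forwarding the attacker in the example used. It expects mailbox settings and inbox rules exported from Exchange Online (the field names follow what Get-Mailbox and Get-InboxRule return, for instance after ConvertTo-Json), but the records below are constructed sample data and the example-cpa.com domain is an assumption.

```python
"""Find mailbox forwarding to outside domains in an Exchange Online export.

Added example for this guide. The record shapes follow the property names
Exchange Online's Get-Mailbox and Get-InboxRule return; the data below is
constructed sample data, and example-cpa.com is an assumed company domain.
"""
import re

# Matches a bare e-mail address inside strings such as
# 'smtp:dana.backup@gmail.com' or '"Dana Backup" [SMTP:dana.backup@gmail.com]'.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Domains the business owns (assumption for this example).
INTERNAL_DOMAINS = {"example-cpa.com"}

# Constructed sample: mailbox-level forwarding settings (Get-Mailbox fields).
MAILBOXES = [
    {"UserPrincipalName": "owner@example-cpa.com",
     "ForwardingSmtpAddress": None, "ForwardingAddress": None},
    {"UserPrincipalName": "dana@example-cpa.com",
     "ForwardingSmtpAddress": "smtp:dana.backup@gmail.com", "ForwardingAddress": None,
     "DeliverToMailboxAndForward": True},   # a copy still arrives, so the user notices nothing
    {"UserPrincipalName": "ap@example-cpa.com",
     "ForwardingSmtpAddress": None, "ForwardingAddress": "owner@example-cpa.com"},
]

# Constructed sample: inbox rules (Get-InboxRule fields), one record per rule.
INBOX_RULES = [
    {"Mailbox": "dana@example-cpa.com", "Name": "Sync", "Enabled": True,
     "ForwardTo": ['"Dana Backup" [SMTP:dana.backup@gmail.com]'],
     "RedirectTo": None, "ForwardAsAttachmentTo": None, "DeleteMessage": True},
    {"Mailbox": "ap@example-cpa.com", "Name": "Invoices to owner", "Enabled": True,
     "ForwardTo": ["owner@example-cpa.com"],
     "RedirectTo": None, "ForwardAsAttachmentTo": None, "DeleteMessage": False},
    {"Mailbox": "owner@example-cpa.com", "Name": "old", "Enabled": False,
     "ForwardTo": None, "RedirectTo": ["x@proton.me"],
     "ForwardAsAttachmentTo": None, "DeleteMessage": False},
]


def extract_addresses(values):
    """Return every e-mail address found in a list of recipient strings."""
    found = []
    for value in values or []:
        if value:
            found.extend(m.group(0) for m in EMAIL_RE.finditer(str(value)))
    return found


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one the business owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in internal_domains}


def audit_forwarding(mailboxes, rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per external forwarding target, from either source."""
    findings = []
    # 1. Mailbox-level forwarding (admin-set or via the user's mailbox settings).
    #    ForwardingAddress points at an internal recipient and is normally harmless;
    #    ForwardingSmtpAddress is the one that usually points outside.
    for mb in mailboxes:
        targets = extract_addresses([mb.get("ForwardingSmtpAddress"), mb.get("ForwardingAddress")])
        for target in targets:
            if is_external(target, internal_domains):
                findings.append({
                    "mailbox": mb["UserPrincipalName"], "source": "mailbox setting",
                    "target": target, "enabled": True,
                    "note": "mailbox-level forward to an external domain",
                })
    # 2. Inbox rules, which a user (or an attacker holding the user's password) can create.
    for rule in rules:
        recipients = ((rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
                      + (rule.get("ForwardAsAttachmentTo") or []))
        for target in extract_addresses(recipients):
            if is_external(target, internal_domains):
                note = "inbox rule forwards to an external domain"
                if rule.get("DeleteMessage"):
                    # Attackers often pair this with a subject filter so only bank or
                    # invoice threads vanish and the victim never sees the replies.
                    note += "; the rule also deletes the original, so the user never sees what was forwarded"
                findings.append({
                    "mailbox": rule["Mailbox"], "source": f"inbox rule '{rule['Name']}'",
                    "target": target, "enabled": bool(rule.get("Enabled")), "note": note,
                })
    return findings


if __name__ == "__main__":
    for f in audit_forwarding(MAILBOXES, INBOX_RULES):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f'{f["mailbox"]:<26} {state:<8} {f["source"]:<22} -> {f["target"]}: {f["note"]}')
```

Run against a real export, anything external that you did not set up yourself is an incident, not a cleanup item: change the password and revoke sessions first, then remove the rule, so the attacker cannot simply add it back. Turning off automatic external forwarding in the tenant stops the mail from leaving, but a rule sitting in the mailbox is still evidence of a compromise, so review the rules anyway.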
2. Backups That Have Never Been Tested
The Risk
Having a backup is not the same as having recovery. Most small businesses discover their backups are incomplete, corrupted, or misconfigured only when they desperately need them — after ransomware, hardware failure, or accidental deletion.
Real-World Example
A dental practice paid $35,000 to a ransomware group because their cloud backup had been failing silently for four months. Their IT provider had set it up correctly at first, but a software update broke the backup job and no one noticed.
What to Do
Test your backups now. Pick three random files and restore them to a separate location, then confirm they open and match the originals. Schedule a full system restore test at least annually and time it, because the restore time is your real downtime. Ensure backups are: (1) automated, with failure alerts that someone actually reads, (2) off-site or in the cloud, (3) encrypted, (4) inclusive of all critical data, including email, and (5) kept in at least one copy that ransomware cannot reach, such as an offline or immutable copy, since attackers routinely delete or encrypt backups before they trigger the ransomware.
Severity: CRITICAL
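A restore test of the kind described in this item, written as an added Python example (not part of the original guide). It builds a small constructed source tree and a backup copy of it, restores a random sample of files into a scratch directory, compares SHA-256 hashes with the live copies, and reports how old the newest backup file is, which is the number that would have exposed the four months of silent failure in the example above. The file names, the deliberately corrupted file, the missing file and the 120-day-old timestamps are all constructed for the demonstration.

```python
"""Spot-check that files can actually be restored from a backup.

Added example for this guide. It creates a small constructed source tree and a
backup copy of it, then performs a real restore of a sample of files into a
scratch directory and compares SHA-256 hashes with the live copies. The
corrupted file, the missing file and the 120-day-old timestamps are planted on
purpose to show what the three common failures look like in the report.
"""
import hashlib
import os
import random
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative, with '/' separators) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(source: Path, backup: Path, sample_size=None, seed=None) -> dict:
    """Restore a sample of files from `backup` and compare them with `source`.

    sample_size=None checks every file; otherwise a seeded random sample, which
    is the 'pick three random files' test the guide recommends.
    """
    live = manifest(source)
    names = sorted(live)
    if sample_size is not None and sample_size < len(names):
        names = sorted(random.Random(seed).sample(names, sample_size))
    report = {"checked": len(names), "ok": [], "corrupt": [], "missing": []}
    with tempfile.TemporaryDirectory() as scratch:
        for rel in names:
            backed_up = backup / rel
            if not backed_up.is_file():
                report["missing"].append(rel)       # the job never captured it
                continue
            restored = Path(scratch) / rel
            restored.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backed_up, restored)       # the actual restore step
            bucket = "ok" if sha256_file(restored) == live[rel] else "corrupt"
            report[bucket].append(rel)
    return report


def backup_age_days(backup: Path) -> float:
    """Days since the newest file in the backup changed. A job that has been
    failing silently shows up here long before anyone needs a restore."""
    newest = max((p.stat().st_mtime for p in backup.rglob("*") if p.is_file()), default=0.0)
    return (time.time() - newest) / 86400


def build_demo(tmp: Path):
    """Constructed source tree plus a backup copy with three planted faults."""
    source, backup = tmp / "source", tmp / "backup"
    files = {
        "clients/list.csv": b"name,email\nAcme,ap@acme.example\n",
        "reports/q1.xlsx": b"PK\x03\x04 constructed spreadsheet bytes",
        "email/owner.pst": b"!BDN constructed mailbox export",
        "invoices/2024-01.pdf": b"%PDF-1.4 constructed invoice",
        "notes.txt": b"wifi password is on the whiteboard\n",
    }
    for rel, data in files.items():
        path = source / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    shutil.copytree(source, backup)
    (backup / "reports/q1.xlsx").write_bytes(b"\x00" * 16)   # fault 1: corrupted copy
    (backup / "clients/list.csv").unlink()                    # fault 2: never backed up
    stale = time.time() - 120 * 86400                         # fault 3: job stopped 4 months ago
    for p in backup.rglob("*"):
        os.utime(p, (stale, stale))
    return source, backup


def run_demo(sample_size=None, seed=7):
    """Build the demo tree, verify it, and return (report, backup age in days)."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = build_demo(Path(tmp))
        return verify_backup(source, backup, sample_size, seed), backup_age_days(backup)


if __name__ == "__main__":
    report, age = run_demo()
    print(f"checked {report['checked']} files: {len(report['ok'])} ok, "
          f"{len(report['corrupt'])} corrupt, {len(report['missing'])} missing")
    for kind in ("corrupt", "missing"):
        for rel in report[kind]:
            print(f"  {kind.upper():<8} {rel}")
    print(f"newest backup file is {age:.0f} days old")
```

Point the two functions at a real source folder and a mounted backup and the same three questions get answered: did every file get captured, does the restored copy match, and when did the job last actually write anything. The age check is the cheap one to automate and alert on; a backup whose newest file is weeks old is already a failed backup.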
3. Former Employee Accounts Left Active
The Risk
When someone leaves — voluntarily or not — their login credentials don't automatically disappear. Without a formal offboarding process, ex-employees can retain access to email, CRM, project tools, file storage, and financial systems for months or years.
Real-World Example
A marketing agency discovered that a former account manager terminated 14 months earlier still had active access to their HubSpot and Google Drive. He had downloaded the client list and taken it to a competing firm.
What to Do
Build an offboarding checklist tied to HR, so that a departure triggers it automatically. On the last day: disable the email account, revoke access to every cloud and SaaS application (not just the ones tied to email), terminate active sessions and any API keys or tokens the person created, and change shared passwords. Where you can, put applications behind single sign-on so that disabling one identity closes all of them. Quarterly: pull the list of active accounts from each system and verify that every one maps to a current employee; the 14-month gap in the example above is what happens when tools like HubSpot and Google Drive are only checked when someone happens to remember them.
Severity: HIGH
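The quarterly access review, as an added Python example rather than anything from the original guide: it reconciles an account export from each system against the HR roster and flags accounts whose owner has left, accounts with no named owner, accounts that match no employee, and accounts nobody has signed into for 90 days. The two CSV extracts, the example-agency.com domain and the review date are constructed for the demonstration; real exports would come from each system's admin console and the roster from HR.

```python
"""Quarterly access review: reconcile system account exports with the HR roster.

Added example for this guide. Both CSV extracts, the example-agency.com domain
and the review date are constructed; a real run would use exports from each
system's admin console and the roster from HR.
"""
import csv
import io
from datetime import date, datetime

REVIEW_DATE = date(2024, 4, 15)   # assumed date of this review
STALE_DAYS = 90                   # no sign-in for this long gets flagged

# Constructed HR roster.
ROSTER_CSV = """email,name,status,end_date
owner@example-agency.com,Pat Owner,active,
maria@example-agency.com,Maria Lopez,active,
jordan@example-agency.com,Jordan Lee,terminated,2023-02-15
"""

# Constructed account exports from several SaaS systems, stacked into one file.
# owner_email is how each login was mapped to a person; blank means nobody knows.
ACCOUNTS_CSV = """system,login,enabled,last_sign_in,owner_email
Google Workspace,owner@example-agency.com,true,2024-04-10,owner@example-agency.com
Google Workspace,maria@example-agency.com,true,2024-04-11,maria@example-agency.com
Google Workspace,jordan@example-agency.com,true,2024-03-30,jordan@example-agency.com
HubSpot,jordan.lee,true,2024-04-02,jordan@example-agency.com
HubSpot,maria.lopez,true,2023-11-01,maria@example-agency.com
HubSpot,old.intern,false,2022-06-01,
QuickBooks,bookkeeping,true,2024-04-09,
Slack,alex@example-agency.com,true,2024-04-12,alex@example-agency.com
"""


def load_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def review_access(accounts, roster, today=REVIEW_DATE, stale_days=STALE_DAYS) -> list:
    """Return (account label, reason) for every enabled account that fails a check."""
    people = {row["email"].strip().lower(): row for row in roster}
    findings = []
    for acct in accounts:
        if acct["enabled"].strip().lower() != "true":
            continue                                   # already disabled: nothing to do
        label = f"{acct['system']}: {acct['login']}"
        owner = acct["owner_email"].strip().lower()
        if not owner:
            findings.append((label, "no named owner (shared or service account)"))
            continue
        person = people.get(owner)
        if person is None:
            findings.append((label, f"owner {owner} is not on the HR roster"))
            continue
        if person["status"].strip().lower() != "active":
            left = person["end_date"] or "an unknown date"
            findings.append((label, f"{person['name']} left on {left} but the account is still enabled"))
            continue
        last = acct["last_sign_in"].strip()
        days = (today - datetime.strptime(last, "%Y-%m-%d").date()).days if last else None
        if days is None or days > stale_days:
            findings.append((label, f"no sign-in in {stale_days} days (last: {last or 'never'})"))
    return findings


def run_review() -> list:
    return review_access(load_csv(ACCOUNTS_CSV), load_csv(ROSTER_CSV))


if __name__ == "__main__":
    for label, reason in run_review():
        print(f"{label:<45} {reason}")
```

Findings of the first three kinds (departed owner, unknown owner, no owner) are disable-now items; the stale ones are candidates to disable after a quick check with the person. The review is only as good as the owner_email column, which is another reason single sign-on pays off: when every application authenticates through one identity, the export and the roster share a key and the mapping stops being guesswork.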
4. No Written Incident Response Plan
The Risk
When a breach, ransomware attack, or data incident happens — and for most businesses it's when, not if — you will have minutes to hours to respond correctly. Every delay costs money. Every wrong decision (like paying ransom before checking backups) costs more. Without a plan, you're improvising in a crisis.
Real-World Example
A law firm that suffered ransomware wasted 48 hours trying to reach their IT vendor, unsure who was responsible for the decision to restore vs. pay. By the time they engaged incident response professionals, the attacker had already exfiltrated several years of case files.
What to Do
Write a one-page plan: whom do you call first (IT, legal, cyber insurance, law enforcement)? Call your insurer early, since many policies require prompt notice and give you access to a pre-approved incident response firm. What do you isolate, and how? Disconnect affected machines from the network rather than wiping them, so logs and evidence survive for the investigation and for any notification decision. Where are your backups and how do you restore? Run a tabletop exercise with your team once a year. Keep a printed copy off-site; a plan that lives only on the server that was just encrypted is not a plan.
Severity: HIGH
5. Employees Using Personal Email for Business
The Risk
When employees use Gmail, Yahoo, or personal accounts for client communications, contracts, or sensitive data — even occasionally — that data immediately falls outside your security controls, retention policy, legal hold capability, and potentially your compliance obligations.
Real-World Example
A financial advisor used his personal Gmail to send a client's tax documents "just this once." Two years later, during a regulatory audit, he couldn't produce that record. The fine for the missing client communication record exceeded $15,000.
What to Do
Publish a clear policy: no client data or business communications via personal accounts. Make your business email easy enough to use that there's no reason not to. Consider MDM for company phones to enforce this on mobile.
Severity: MEDIUM
6. Vendors with Access and No Security Review
The Risk
Most small businesses have 10–30 vendors with some form of access to their systems or data — IT support, bookkeeping software, payroll, CRM, cloud storage. Each vendor is a potential entry point. Vendors get breached too — and their breach becomes your breach.
Real-World Example
The 2013 Target breach started with an HVAC vendor's compromised credentials. The same pattern plays out for small businesses every week: a shared IT support login, an unsecured API key in accounting software, a payroll vendor's compromised database.
What to Do
List every vendor with access to your data or systems. For each: (1) confirm they use MFA, (2) give them their own named accounts with only the access they need, never a shared login, and remove that access when the engagement ends, (3) ensure your contract requires prompt breach notification. Ask critical vendors for their SOC 2 report, and read the exceptions section, not just the cover letter.
Severity: HIGH
7. Unpatched Software and Devices
The Risk
Every unpatched vulnerability is an open window. Attackers actively scan for systems running known-vulnerable software. Many of the most devastating ransomware attacks — WannaCry, NotPetya — exploited vulnerabilities that had been patched months before. The victims just hadn't updated.
Real-World Example
A healthcare clinic's Windows 7 workstation — used only to run a specialty medical device — was compromised through a known vulnerability. Because it was on the same network as their main systems, the attacker pivoted to the EHR and encrypted patient records.
What to Do
Enable automatic updates for all operating systems, browsers and major applications, and don't forget the devices attackers scan first: firewalls, routers, VPN appliances and anything else exposed to the internet. Build a quarterly review of anything that can't auto-update (medical devices, industrial equipment, legacy systems). Replace systems that no longer receive security patches, or isolate them on their own network segment with no path to your file shares or line-of-business systems; the clinic in the example above lost its patient records because the Windows 7 workstation could reach the EHR.
Severity: HIGH
8. No Cybersecurity Awareness Training
The Risk
Your employees are your biggest attack surface — not because they're careless, but because attackers specifically target them. Phishing, business email compromise, and social engineering attacks are constantly evolving. A single click can give an attacker a persistent foothold in your network.
Real-World Example
An accounting firm's bookkeeper received a convincing email appearing to come from the owner, requesting an urgent wire transfer for a client matter. Without training to spot the red flags, she processed $47,000 to a fraudulent account.
What to Do
Provide security awareness training at onboarding and at least annually. Run quarterly phishing simulations; they're inexpensive and the data on your click rates is invaluable. Train specifically on wire fraud and business email compromise, not just malware, and back the training with a process rule that does not depend on anyone spotting a fake: any request to send money or change payment details is verified by phone at a number you already have on file, never one supplied in the email.
Severity: HIGH
9. Data You Didn't Know You Were Responsible For
The Risk
Many small businesses handle regulated data without realizing it: health information (HIPAA), payment card data (PCI DSS), financial records (GLBA), or children's data (COPPA). Ignorance is not a defense. Regulators and plaintiffs don't credit businesses for not knowing the rules applied to them.
Real-World Example
A yoga studio that stored client credit card numbers in a spreadsheet — because the owner didn't realize they were subject to PCI DSS — faced a $25,000 fine and mandatory forensic audit after a breach. They didn't process cards directly, but they stored the numbers.
What to Do
Take 30 minutes to map what data you collect: Do you hold health info? Card numbers? Data about children? Financial records? If yes, research the applicable regulation and seek advice. Often the cheapest compliance is not holding the data at all: let your payment processor store card numbers, and delete records you no longer need. Two hours of consulting is a fraction of the cost of non-compliance.
Severity: MEDIUM
10. No Cyber Liability Insurance, or the Wrong Kind
The Risk
A standard general liability or BOP policy typically does not cover cyber incidents. Many business owners assume they are covered until the moment they need to file a claim and learn otherwise. Cyber incidents — even small ones — can cost tens of thousands in incident response, legal fees, and notification costs.
Real-World Example
A professional services firm spent $68,000 on forensic investigation, legal counsel, client notification letters, and credit monitoring after a modest breach. Their insurer denied the claim because the incident fell under their data breach exclusion. They had not purchased a standalone cyber policy.
What to Do
Review your current insurance policies and ask your broker directly: does this cover cyber incidents, ransomware, and data breach notification costs? If not, get a standalone cyber liability policy. Premiums for small businesses typically run $1,500–$5,000/year depending on size and industry. Expect the application to ask whether you have MFA, tested backups and endpoint protection; answer accurately, because insurers deny claims over misstatements, and the controls in items 1 and 2 are increasingly a condition of coverage rather than a discount.
Severity: MEDIUM

Know Your Gaps — Before an Attacker Does.

IronRoot Risk Consultants helps small businesses build practical, affordable security and compliance programs. No enterprise jargon. No unnecessary complexity.

Schedule a free 30-minute discovery call: chris@ironrootrisk.com | ironrootrisk.com