Attackers see small and medium-sized businesses (SMBs) as easy targets. Why? Because many operate with limited budgets, fewer resources, and a false sense of security: "That won't happen to us." Here are six key tips for operating more safely.


1. A Culture of Security and Robust Employee Training

A key topic we discuss at panels, events, and more is the importance of having a culture of security.

For example, Jenny Radcliffe said, “I don’t need to hack the lock, I just need to hack the person.”

All of this points to the importance of empowering your team.

More than 90% of data breaches begin with a phishing email, according to CISA. These emails are designed to mimic trusted sources (banks, retailers, or even coworkers) and trick employees into clicking malicious links, opening attachments, or handing over passwords and other sensitive information. With AI making phishing messages more fluent and more personal, employee mistakes have become a top cybersecurity risk.

Empowering your employees with ongoing training is one of the best defenses. According to KnowBe4, consistent training can reduce the share of employees who fall for a simulated phishing email from 32.5% to just 5% in under a year.

Stephen Nichols of Acronis said, “I would highly recommend security awareness training and creating a security first culture within your organization. Security awareness training is a really easy way to do that, particularly when the content is compelling and is actually useful.”

The most effective programs include real-world scenarios, simulated attacks, and regular, short training sessions that keep awareness fresh.


2. Two-Factor Authentication

The most common way attackers get into business accounts is with stolen login credentials. Two-factor authentication (2FA), the most common form of multifactor authentication (MFA), adds a second check at sign-in: your password plus a second factor, such as a code from an authenticator app, a code sent to your phone, or a hardware security key. An attacker who has only your password is stopped at that second step. One caveat: a code typed into a web page can still be captured and relayed by a convincing phishing site, so where the platform offers it, prefer phishing-resistant options (FIDO2 security keys or passkeys) for administrators and other high-value accounts, and treat SMS codes as the weakest choice.

2FA has been widely available since the mid-2000s and is still one of the best defenses around. Platforms like Google Workspace and Microsoft 365 include it at no extra cost. Despite that, many SMBs don't turn it on: JumpCloud's 2024 IT Trends Report puts MFA usage below 34% among small businesses, compared to 87% among large ones. 2FA is low-effort and high-impact. Don't skip it, and start with the accounts an attacker would want most: administrators, email, and anything tied to money.


3. Updates

Cybercriminals love outdated systems because their security holes are public knowledge, often with working exploit code freely available. Ransomware operators routinely get in through known flaws in software that has gone unpatched, sometimes for months, and internet-facing systems such as VPN gateways, firewalls and remote-access tools are their favourite entry points. To close that window, turn on automatic updates for your operating systems, applications and tools, patch anything reachable from the internet first, and make sure employees do the same on their own devices.

Regular reminders, training, or even blocking access until updates are installed (for example, a device-compliance rule in your identity platform) all help reinforce the habit.


4. Data Encryption

In today's world, data is everything, and encryption helps keep it safe. Encryption turns data into ciphertext that can only be read by someone holding the right key. If an attacker steals encrypted files or emails, or a laptop goes missing, the data is useless to them without that key. One caveat: encryption protects against stolen storage, not stolen access. An attacker who logs in with a phished password sees data exactly as the legitimate user does, because the system decrypts it for anyone who authenticates, which is why encryption only pays off alongside the 2FA and access controls in the other tips.

Many cyber insurance policies now require encryption. And while SMBs may worry about cost or complexity, tools like Microsoft 365 make encryption accessible and easy to manage, and full-disk encryption for laptops is already built into the operating system (BitLocker on Windows, FileVault on macOS) and only needs to be switched on and enforced.


5. Limit Employee Access

When employees have unrestricted access to files and systems, the risk of errors—or intentional misuse—goes way up. While setting restrictions may seem inconvenient at first, it doesn’t have to interfere with daily work.

With proper setup, employees still have access to everything they need, just not to things they don't. This is the principle of least privilege. For instance, a marketing intern doesn't need access to payroll files or network settings. You can also grant temporary access for a specific task and remove it when it is no longer needed, and the same review should happen whenever someone changes role or leaves. Be especially stingy with administrator rights: as the tenant-takeover story under tip 6 shows, one phished account with global admin rights is enough to lock an entire firm out of its own data.


6. Data Backups

In today's threat landscape, it's not a matter of if but when you'll be attacked, and how quickly you'll be able to bounce back. Ransomware is one of the top threats SMBs face today; OpenText Cybersecurity reports that 46% have already experienced attacks. These attacks encrypt your data and demand a ransom for the key, and paying up doesn't guarantee you'll get your files back.

"So one of the most important products we partner with Acronis on is being able to have replicas of critical infrastructure that we can spin up in the event of major disasters," our CEO and Founder Vince Fung highlighted at a February 2025 partnership event.

Common question: if my data is stored in the cloud, is that enough? Do I need other data backups?

Answer: At the February event, Vince also stressed that simply having your information stored in the cloud isn't enough. One reason is that your account, or your organization's whole tenant, can be taken over by a cybercriminal. He gave the example of a firm where an employee with global admin rights to the Microsoft tenant was phished. The attacker took control of the account, changed data and locked the legitimate owners out.

"It took them seven weeks, going back and forth with legal documents, to get Microsoft to unlock the tenant for them, and during that seven-week period they couldn't access any of their data. But had they had proper backups in place, even in a situation like that (…) they would have at least been able to access some of the files [and serve their customers]."

"What we try to educate people on is this: they tell us 'all of my data is sitting in Microsoft 365' or 'all of it is sitting in Google'. (…) If you actually read the Microsoft terms and conditions, they instruct you as a customer: it's their job to keep the servers up, but the actual data, you own it, and you are responsible for making sure it's backed up."

And don't just back up: test your backups regularly by actually restoring them and checking the result, so you don't discover after an incident that they are incomplete or corrupted. Keep at least one copy where a compromised account or ransomware on your network can't reach it (offline, or in storage that cannot be altered), because an attacker who encrypts your files will also go after every backup they can see.
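What "test your backups" looks like in practice is a restore into a scratch location, compared file by file against a record taken when the backup was made. The following is an added example, not code from the original post or from Acronis, Microsoft or any other product named on this page; it uses a constructed three-file sample tree, a plain tar archive and a SHA-256 manifest, and the function names and the simulated corruption are assumptions for illustration. The corruption step matters: it zeroes a few bytes of one file inside the archive, the archive still opens and extracts without a single error, and only the hash comparison catches it.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data for the demo, not real customer files.
SAMPLE_FILES = {
    "clients/acme-contract.txt": b"Contract terms for ACME Ltd, 2025 edition.\n",
    "finance/invoices-q1.csv": b"id,amount\n1001,1250.00\n1002,980.50\n",
    "hr/handbook.md": b"# Staff handbook\nBe excellent to each other.\n",
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> dict:
    """Write src into an uncompressed tar and return the manifest taken at backup time.
    Store that manifest somewhere the backup job (or an attacker) cannot overwrite it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Test restore: extract into a scratch directory and diff it against the manifest.
    Returns a list of problems; an empty list means every file came back intact."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch)
        try:
            with tarfile.open(archive, "r") as tar:
                try:
                    tar.extractall(restore_root, filter="data")  # safe extraction, Python 3.12+
                except TypeError:
                    tar.extractall(restore_root)  # older Pythons have no filter argument
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(restore_root)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content mismatch: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file in backup: {rel}")
    return problems


def corrupt_member(archive: Path, member: str) -> None:
    """Simulate silent media corruption by zeroing the first bytes of one file's data
    inside the tar. Tar header checksums do not cover file contents, so the damaged
    archive still opens and extracts without any error."""
    with tarfile.open(archive, "r") as tar:
        offset = tar.getmember(member).offset_data
    with open(archive, "r+b") as f:
        f.seek(offset)
        f.write(b"\x00\x00\x00\x00")


def run_demo() -> tuple:
    """Back up the sample tree, verify it, corrupt one member, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        for rel, content in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        archive = Path(work) / "backup.tar"
        manifest = make_backup(src, archive)
        clean = verify_backup(archive, manifest)
        corrupt_member(archive, "clients/acme-contract.txt")
        damaged = verify_backup(archive, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("fresh backup:", clean or "OK")
    print("after corruption:", damaged)
```

The design point is that the manifest is the independent record: if it lives next to the backup and the same account or ransomware can overwrite both, the check proves nothing, which is the same reason the text above asks for at least one copy the attacker cannot reach. A real job would also restore onto a separate machine and confirm the applications actually start, not only that the bytes match.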


Get Started

To learn more, watch our panel or get in touch with our expert team!