▍ Pillar 02 — Security
You're not too small to be a target. You are the target.
Small businesses get hit harder than enterprises because they have the data without the defenses. Customer records, financial accounts, intellectual property — all of it accessible, most of it unprotected.
The security conversation for small businesses is broken. It's either enterprise advice that assumes you have a CISO and a SOC team, or it's fear-mongering that sells products rather than fixing problems. Neither helps a 12-person company that stores customer data in a shared Google Drive with no MFA on the admin account.
The sessions I run are different. We run live attack demonstrations — you watch credential stuffing happen in real time, you see what a phishing email looks like before and after an attacker has done their homework on your company, you see exactly how ransomware spreads through an unpatched network. The point isn't to scare you. It's to make the threat concrete so the defense feels worth doing.
Then we fix things. In the room. The one-week baseline I've developed for SMBs costs less than $200 in tools and eliminates the attack vectors that account for the vast majority of small business breaches. We walk through every step. You leave with a checklist and a policy.
The most dangerous thing in your business right now isn't a sophisticated nation-state attack. It's a reused password on your payroll system and a shared inbox with admin access that three former employees still have. We fix that first.
▍ The threat landscape
Six attack types. All of them targeting businesses exactly like yours.
Credential Stuffing
Critical
How it works
Attackers buy leaked username/password lists (billions of pairs exist) and run them against your logins automatically, at scale. If a password you reuse has shown up in any breach, every account that shares it is already open.
The fix
Password manager + unique passwords on every account. Takes one hour to set up. We walk through it live.
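The reuse audit described above, in script form, as an added example (not the page's own tooling; it also covers the "audit for password reuse" step of the baseline). It reads a vault export, groups accounts that share a password, and checks each password against a leaked-hash corpus the way the Have I Been Pwned range API works: only the first five characters of the SHA-1 leave your machine and the rest is matched locally. The CSV columns, the credentials and the leaked-hash set are all constructed for the demo.

```python
"""Audit a password-manager export for reuse and for known-leaked passwords.

Added example, not the page's own tooling. Assumes a CSV export with
name,username,password columns (1Password and Bitwarden exports carry these,
among others). The leaked-hash set is constructed for the demo; a real check
would query the Have I Been Pwned range API with the same 5-character prefix.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed vault export with obviously fake credentials.
VAULT_CSV = """name,username,password
Payroll,ceo@example.com,Summer2023!
Bank,ceo@example.com,Summer2023!
Google Admin,admin@example.com,Summer2023!
Shared Inbox,info@example.com,Password1
CRM,ops@example.com,xK9#mQ2$vL8@pN4w
"""


def sha1_hex(password):
    """Breach corpora (and HIBP) index passwords by uppercase SHA-1 hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-password corpus.
LEAKED_SHA1 = {sha1_hex("Password1"), sha1_hex("Summer2023!")}


def k_anon_query(password):
    """Split the hash the way the HIBP range API expects: the 5-char prefix is
    all that goes over the wire; the remaining 35 chars are compared locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def lookup_leaked(password, corpus=LEAKED_SHA1):
    """Simulate the range lookup offline: take every suffix under the prefix,
    then match our suffix locally. Replace `candidates` with the suffixes from
    the API response (one 'SUFFIX:COUNT' line each) to make this a live check."""
    prefix, suffix = k_anon_query(password)
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def audit_vault(csv_text, corpus=LEAKED_SHA1):
    """Return reuse groups (account names only, never the passwords) and the
    accounts whose password appears in the leaked corpus."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    reused = [names for names in by_password.values() if len(names) > 1]
    leaked = [row["name"] for row in rows if lookup_leaked(row["password"], corpus)]
    return {"total": len(rows), "reused": reused, "leaked": leaked}


if __name__ == "__main__":
    report = audit_vault(VAULT_CSV)
    print(f"{report['total']} accounts audited")
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
    print("in leaked corpus:", ", ".join(report["leaked"]) or "none")
```

The report deliberately never prints a password, only the account names that share one, so it can be handed to whoever owns those accounts. Three of the five constructed accounts share a single leaked password, which is exactly the situation credential stuffing exploits.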
Phishing & Spear Phishing
Critical
How it works
Targeted emails impersonating your bank, your vendors, or your own domain. Many modern lures are AI-assisted and grammatically clean, and the attacker has read your website and LinkedIn first. The old 'Nigerian prince' tells don't apply.
The fix
SPF, DKIM and DMARC on your domain so receivers can reject mail forged in your name (and have your mail provider enforce DMARC on what comes in), email security training, and a 30-second verification habit before any wire transfer or credential entry. A lookalike domain passes all three checks; that is what the habit is for.
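To make the SPF and DMARC part of that fix concrete, here is an added example (not the page's own tooling) that grades a domain's records and shows the weak setup next to the hardened one; it also covers the baseline step that sets these records up. The records below are constructed; in practice you paste in the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`. DKIM is left out on purpose: a selector's public-key record says nothing about enforcement, and DMARC is where SPF and DKIM results turn into a delivery decision.

```python
"""Grade SPF and DMARC records: the weak setup beside the hardened one.

Added example, not from the page. The records are constructed; in practice
paste in the output of `dig +short TXT example.com` and
`dig +short TXT _dmarc.example.com`.
"""
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ENFORCING = ("quarantine", "reject")


def _mechanism_name(term):
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def parse_spf(record):
    """None if not an SPF record, else the 'all' term, lookup count and findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result, not a fail")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("'?all' is neutral: unlisted senders are unknown, not failures")
    lookups = sum(1 for t in terms[1:] if _mechanism_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceeds the limit of 10: permerror")
    return {"all": all_term, "lookups": lookups, "findings": findings}


def parse_dmarc(record):
    """None if not a DMARC record, else policy, pct and findings."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ENFORCING:
        findings.append("missing or invalid p= tag: receivers ignore the record")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so you cannot see who spoofs you")
    subdomain_policy = tags.get("sp", policy).lower()
    if policy in ENFORCING and subdomain_policy == "none":
        findings.append("sp=none: subdomains stay spoofable even though the apex is enforced")
    return {"policy": policy, "pct": pct, "findings": findings}


def grade(spf_record, dmarc_record):
    """One verdict for the domain: enforcing or not, plus everything to fix."""
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    findings = []
    if spf is None:
        findings.append("no valid SPF record (must start with v=spf1)")
    else:
        findings.extend(spf["findings"])
    if dmarc is None:
        findings.append("no valid DMARC record at _dmarc.<domain>")
    else:
        findings.extend(dmarc["findings"])
    enforcing = (spf is not None and dmarc is not None
                 and spf["all"] in ("-all", "~all")
                 and dmarc["policy"] in ENFORCING and dmarc["pct"] == 100)
    return {"enforcing": enforcing, "findings": findings}


# Constructed records for example.com: what we usually find, then the target state.
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:_spf.google.com -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        verdict = grade(spf, dmarc)
        print(f"{label}: enforcing={verdict['enforcing']}")
        for finding in verdict["findings"]:
            print("  -", finding)
```

The weak pair is the common starting point: `+all` lets anyone send as the domain and `p=none` tells receivers to deliver anyway, so the two records together protect nothing. The hardened pair is the end state; in between, keep `p=none` with an `rua=` address long enough to see every legitimate sender in the reports before moving to `quarantine` or `reject`.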
Business Email Compromise
Critical
How it works
Attacker gets into an executive's mailbox (or sets up a lookalike domain) and requests fraudulent wire transfers or changes to a vendor's bank details. Average loss: $120,000. No malware involved, so antivirus never fires.
The fix
Multi-factor authentication on every email account, and out-of-band verification for any payment or bank-detail change over a threshold your team agrees on: call the requester back on a number you already had, never one from the email.
Ransomware
High
How it works
Malware encrypts your files (and, increasingly, steals them first) and demands payment to restore them. Delivery is usually a phishing email, exposed remote access with a weak password, or unpatched software. SMBs are preferred targets because they often pay and often have no tested backup to fall back on.
The fix
Offline or immutable backups (3-2-1 rule), endpoint protection, software update discipline. We review all three in session.
AI Data Leakage
High
How it works
Employees pasting customer PII, contract language, or financial data into public AI tools. Depending on the plan and terms, that data can be logged, retained, used for training, or exposed in a future breach of the AI provider.
The fix
An AI usage policy (one page) and private deployment options for sensitive workflows. We build this together.
Vendor/Supply Chain Compromise
Medium
How it works
Your vendor gets breached and the attacker pivots to you through the integration, a shared credential, or the vendor mailbox they now control. A growing share of SMB breaches start this way, through a trusted third party rather than a direct attack.
The fix
Vendor security reviews (a simple questionnaire), least-privilege API access (scoped tokens, revoked when the integration ends), and logging of third-party access to your systems.
▍ The baseline
Seven days. Less than $200. A defensible business.
This isn't a 100-point security checklist. It's the 20% of work that eliminates 80% of the risk. Every step is something your team can execute without an IT department.
1Password, Bitwarden, or Dashlane for the whole team. Migrate all shared accounts. Run the manager's built-in reuse and breached-password report and change every hit. This single step removes the password reuse that credential stuffing depends on.
Enable MFA on email, banking, payroll, and any SaaS tool that holds customer data or financial information. Use an authenticator app or a hardware security key, not SMS, which can be SIM-swapped. Turn it on for the admin accounts first.
Set up SPF, DKIM, and DMARC records on your domain so receivers can reject mail forged in your name. The records themselves take 30 minutes with whoever hosts your DNS. Start DMARC at p=none to collect reports, confirm every legitimate sender (payroll, CRM, newsletter tool) is covered, then move to quarantine or reject; going straight to reject is how you lose your own mail.
Full-disk encryption on all work devices. Auto-lock enabled. A policy that personal devices accessing company data must meet the same standard. Endpoint protection on every machine.
The 3-2-1 rule: three copies, two media types, one offsite, and at least one that ransomware on your network can't reach (offline or immutable). Most businesses have backups they've never tested. We test one live: restore it somewhere else and check every file matches. If you can't restore, the backup doesn't exist.
Who has admin access to what? Former employees? Contractors? This is almost always a mess. Pull the user list from each system rather than from memory, revoke everything that isn't actively needed, and document what remains. Repeat the review whenever someone leaves.
A 45-minute session with your team covering the attack types above and the habits that stop them. Plus a one-page security policy they can reference. No jargon required.
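The restore test from the backup step, in script form, as an added example (not the page's own tooling). It backs a folder up to a compressed archive, restores it into a scratch directory, and compares a SHA-256 hash of every file, then shows the two ways a backup fails the test: an archive whose copy was cut off halfway, and a backup that no longer matches what is on disk. The company-data folder and its contents are constructed inside a temporary directory so it runs anywhere; point `make_backup` and `verify_restore` at a real folder and a real archive to test a real backup.

```python
"""Prove a backup restores: archive a folder, restore it elsewhere, compare hashes.

Added example, not the page's own tooling. The sample dataset is constructed in
a temporary directory; point make_backup/verify_restore at real paths to test a
real backup. Any failure to read the archive counts as "cannot restore".
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(src_dir, archive_path):
    """Write src_dir's children into a gzip tarball at archive_path."""
    src_dir = Path(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for child in sorted(src_dir.iterdir()):
            tar.add(child, arcname=child.name)
    return Path(archive_path)


def verify_restore(src_dir, archive_path):
    """Restore into a fresh directory and return (ok, problems).

    problems lists mismatched or missing paths, or a single reason string if the
    archive could not be read at all. A backup is only real if ok is True."""
    expected = sha256_tree(src_dir)
    # Refuse absolute paths and '..' on Pythons that have the data filter.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir, **extract_kwargs)
        except Exception as exc:  # truncated gzip, bad CRC, bad tar header: all mean "no restore"
            return False, [f"archive unreadable: {exc}"]
        actual = sha256_tree(restore_dir)
    problems = sorted(p for p in set(expected) | set(actual) if expected.get(p) != actual.get(p))
    return not problems, problems


def demo():
    """Constructed dataset: the three cases a live restore test should cover."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "company-data")
        (src / "finance").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Acme Ltd\n")
        (src / "finance" / "q1.txt").write_text("revenue 120000\n")
        archive = make_backup(src, Path(work, "backup.tar.gz"))

        # Case 1: a fresh, complete backup restores byte-for-byte.
        good, _ = verify_restore(src, archive)

        # Case 2: the copy to the offsite location died halfway.
        data = archive.read_bytes()
        truncated = Path(work, "truncated.tar.gz")
        truncated.write_bytes(data[: len(data) // 2])
        partial, _ = verify_restore(src, truncated)

        # Case 3: the data changed since the backup; restoring it would lose work.
        (src / "customers.csv").write_text("id,name\n1,Acme Ltd\n2,Globex\n")
        stale, mismatched = verify_restore(src, archive)

    return {"good": good, "truncated": partial, "stale": stale, "mismatched": mismatched}


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

The comparison is against the live folder on purpose: a backup that restores cleanly but is a week old still loses a week, and the mismatch list tells you which files. Run it on a schedule against the real offsite copy, not the local one, since the local copy is the one ransomware encrypts along with everything else.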
▍ Next session
We run live attacks in every session. Come watch — then go fix it.
Free, in-person, monthly across Washington with an online option. Bring your IT situation, however messy. We've seen worse.