Cybersecurity basics for small offices (practical, not scary)

Passwords and MFA

Reuse is the silent breach multiplier. A password manager generates unique secrets per service, and multi-factor authentication on email, banking, cloud storage, and remote access closes the largest gaps cheaply.

Admin accounts deserve hardware keys or app-based MFA where available. SMS-based MFA is better than nothing but weaker against SIM swap risk for high-value targets.

Devices and updates

Encrypt laptops, enable screen locks, and allow automatic OS updates during off-hours. Lost hardware should not mean lost data if backups and encryption are in place.

Separate work and personal profiles where possible. Personal extensions and downloads are a common malware path into business systems.

Phishing and payment fraud

Train staff to verify unexpected wire or gift-card requests through a second channel. Urgency language is a red flag. For Illinois teams handling customer data, document who can approve financial changes and keep audit trails.

Vendors and access

Grant least privilege: contractors get project-based access that expires. Remove old accounts when people leave. Quarterly review of admin users prevents zombie logins.

When to call for help

Persistent pop-ups, unexplained outbound email, or ransomware notes require incident response—not a DIY afternoon. Having a contact who knows your stack speeds containment and recovery.

Insurance and compliance awareness

Many cyber policies now expect baseline controls—MFA, backups, and documented access reviews. Even if you are not regulated like healthcare or finance, your clients may ask how you protect their data. A short written policy beats improvised answers when prospects compare vendors.