The 5 Things Every Small Business Gets Wrong About Cybersecurity
You don't need a security team. You need to stop making these mistakes.
I've scanned dozens of small business websites over the past few months. HVAC companies, plumbers, auto shops, dental offices — the kind of businesses where the owner's focus is on running the operation, not managing IT infrastructure.
Almost all of them have the same blind spots. Not because they're careless, but because nobody told them what to look for. Their web developer built the site, their hosting provider set up the server, and nobody circled back to check whether any of it was actually secure.
Here are the five things I see wrong most often — and what to do about each one.
1. "We're too small to be a target"
This is the most expensive misconception in small business.
The Verizon Data Breach Investigations Report found that 46% of data breaches affect businesses with fewer than 1,000 employees. Not because small businesses have more valuable data — because they have weaker defenses.
Attackers don't target businesses by name. They scan the internet in bulk, looking for exposed ports, outdated software, and missing security configurations. Your plumbing company shows up in the same scan results as every other business on your hosting provider. Nobody decided to attack you specifically. Your server just had the door open.
The cost of a breach for a small business averages $120,000-$150,000 when you factor in remediation, legal notification requirements, and lost business. That's not an existential number for a $10M company. For a $1.5M service business, it can be fatal.
Fix it: Accept that your size doesn't protect you. Your infrastructure is scanned by automated tools regardless of your revenue. The question isn't whether attackers know about your vulnerabilities — it's whether you do.
2. "Our website is fine — we paid someone to build it"
The person who built your website probably did a great job making it look good and function well. What they probably didn't do is configure your server security, set up email authentication, close unnecessary ports, or establish a patching schedule.
Web developers build websites. Security configuration is a different skill set. Not better or worse — just different. And in the small business world, the handoff between "the site is built" and "the site is secured" almost never happens.
I scanned 21 local business websites recently. 76% had no email spoofing protection. 38% had database ports exposed to the internet. 43% had known, published vulnerabilities on their servers. All of them had websites that worked perfectly fine from the customer's perspective.
"The site works" and "the site is secure" are two completely different statements.
Fix it: Ask your web developer or hosting provider one question: "When was the last time someone reviewed our security configuration?" If the answer is "never" or "when we set it up," it's time for a check-up.
3. "We don't store credit cards, so we're safe"
If you use Square, Stripe, or any modern payment processor, you're right that credit card data is handled offsite. PCI compliance is their problem, not yours.
But credit cards aren't the only data that matters.
Your customer database has names, phone numbers, email addresses, and — for any service business that sends a tech to someone's location — home addresses. A plumber, HVAC tech, or electrician who's been in business for 5 years might have thousands of customer records with home addresses attached to service dates.
That data tells an attacker which homes exist, which ones have been serviced recently, and potentially when the homeowner was away (because someone was at their house doing a repair). That's not hypothetical risk — it's the kind of information that has real value on criminal marketplaces.
And there's a legal dimension. Most states have data breach notification laws that apply to personally identifiable information — names, addresses, email addresses. If your customer list gets exposed, you may be legally required to notify every affected customer. For a local business that runs on trust and referrals, that notification letter is more damaging than the breach itself.
Fix it: Know what data you actually store. Log into your CRM or POS system and look at what's in there. If it includes home addresses, lock down access. Use strong passwords. Enable two-factor authentication on any system that stores customer records.
4. "Our email is through Google/Microsoft, so it's secure"
Gmail and Outlook are secure email platforms. But email security isn't just about where your email lives — it's about how your domain is configured.
DMARC, SPF, and DKIM are three email authentication mechanisms, each published as a DNS record, that together let receiving mail servers detect and reject messages that claim to come from your domain but weren't sent by you. Without them, anyone can send an email from billing@yourbusiness.com — not a phishing email that's obviously fake, but one that passes the basic checks a mail client or receiving server performs.
In my scan of 21 local businesses, 76% had no effective DMARC protection. Their email platforms were fine. Their domains were wide open.
The real-world attack looks like this: An attacker gets your customer list (from an exposed database, a compromised CRM, or a data broker). They send invoices from your domain to your customers for services that were actually performed. The invoice looks real because it references real work. The payment link goes to the attacker.
Your customers don't call you to verify because the email looks legitimate. You don't find out until customers start calling about double charges or the wrong payment method.
Fix it: Check your DMARC record right now. Go to MXToolbox, enter your domain. If it says "No DMARC record found" or shows p=none, you need enforcement. Your IT person or hosting provider can set this up in under an hour. There's no cost — it's a DNS record.
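If you would rather read the records yourself than rely on a lookup tool's verdict, the following script classifies a DMARC record (p=none versus quarantine/reject, partial pct) and an SPF record (by the qualifier on its "all" mechanism) and turns them into a to-do list. This is an added example, not code from the original post; it does no network lookups, works on TXT strings you have already copied from your DNS control panel or a lookup tool, and the three sample domains and their records are constructed.

```python
"""Classify DMARC and SPF TXT records the way a "check your DMARC" review would.

Added example, not code from the original post. It works on record strings
you have already fetched; it does no network lookups. The sample records
below are constructed for fictional domains.
"""
import re
from typing import Dict, List, Optional

# DMARC 'p=' values that tell receivers to actually act on spoofed mail.
ENFORCING_POLICIES = {"quarantine", "reject"}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-tag dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(txt: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'monitor-only', 'partial' or 'enforcing'."""
    if not txt:
        return "missing"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    if tags["p"].lower() not in ENFORCING_POLICIES:
        return "monitor-only"  # p=none: you get reports, spoofed mail is still delivered
    pct = tags.get("pct", "100")  # share of failing messages the policy applies to
    if not pct.isdigit():
        return "invalid"
    if int(pct) < 100:
        return "partial"
    return "enforcing"


def spf_status(txt: Optional[str]) -> str:
    """Classify an SPF record by the qualifier on its 'all' mechanism."""
    if not txt:
        return "missing"
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid"
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?])?all", term.lower())
        if match:
            qualifier = match.group(1) or "+"  # bare 'all' means '+all'
            return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}[qualifier]
    return "no-all"  # no 'all' term: unlisted senders are implicitly neutral


def findings(dmarc_txt: Optional[str], spf_txt: Optional[str]) -> List[str]:
    """Turn the two statuses into the to-do items a business owner needs."""
    out: List[str] = []
    d = dmarc_status(dmarc_txt)
    if d == "missing":
        out.append("DMARC: no record; publish one with p=quarantine or p=reject")
    elif d == "invalid":
        out.append("DMARC: record is malformed; fix the v=DMARC1 and p= tags")
    elif d == "monitor-only":
        out.append("DMARC: p=none only reports; move to p=quarantine or p=reject")
    elif d == "partial":
        out.append("DMARC: pct<100 leaves some spoofed mail unenforced; raise pct to 100")
    s = spf_status(spf_txt)
    if s == "missing":
        out.append("SPF: no record; list your real senders and end with -all")
    elif s in {"invalid", "no-all", "pass-all", "neutral"}:
        out.append(f"SPF: '{s}' does not fail unknown senders; end the record with -all or ~all")
    return out


# Constructed sample records for three fictional domains (not real lookups).
SAMPLE_RECORDS = {
    "enforced.example": {
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
        "spf": "v=spf1 include:_spf.google.com -all",
    },
    "monitor.example": {
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    },
    "open.example": {"dmarc": None, "spf": None},
}


def report(records=SAMPLE_RECORDS) -> Dict[str, List[str]]:
    """Map each domain to its list of findings (empty list means nothing to fix)."""
    return {domain: findings(r["dmarc"], r["spf"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, items in report().items():
        print(domain, "->", items or ["OK: DMARC enforcing, SPF fails unknown senders"])
```

The DMARC record lives at the `_dmarc` subdomain of your domain and the SPF record at the domain itself; paste whatever TXT values you find there into `findings()`. DKIM is left out because its check is a signature verification on a received message, not a policy you can read off a single record.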
5. "Cybersecurity is too expensive for a business our size"
Enterprise cybersecurity is expensive. The kind of security small businesses actually need costs almost nothing.
Here's a realistic security baseline for a small service business:
| What | Cost | Time |
|---|---|---|
| DMARC/SPF/DKIM setup | Free (DNS records) | 1 hour |
| Close exposed database ports | Free (hosting config) | 30 minutes |
| WordPress + plugin updates | Free | 20 minutes/month |
| SSL/TLS certificate auto-renewal | Free (most hosts include it) | 10 minutes |
| Two-factor auth on email + CRM | Free | 15 minutes |
| Hide WordPress admin login | Free (plugin) | 5 minutes |
| Strong unique passwords + manager | $36/year (Bitwarden) | 1 hour initial setup |
Total cost: $36/year and one afternoon.
That's it. That covers the vulnerabilities I find in the vast majority of small business scans. No $50,000 security audit. No dedicated CISO. No enterprise firewall.
The reason most small businesses haven't done this isn't cost — it's awareness. They don't know these problems exist because nobody ever told them.
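For the "close exposed database ports" item in the table above, the quickest check is to look at what the server is listening on. The script below reads `ss -tln` output and flags database ports bound to every interface rather than to loopback. It is an added example, not code from the original post; the function names, the port table and the sample `ss` output are constructed, and a wildcard bind is only exposed if nothing in front of it (a host or hosting-provider firewall) blocks the port, so each hit is something to verify rather than proof of exposure.

```python
"""Spot database services listening on every interface in `ss -tln` output.

Added example, not from the original post. Run `ss -tln` on your server and
pass the output to exposed_db_listeners(); the sample output below is
constructed.
"""
from typing import List, Tuple

# Default ports for common databases (the post's scans found such ports exposed).
DB_PORTS = {
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    1433: "Microsoft SQL Server",
}

# Local-address forms that mean "listen on all interfaces" in ss output.
WILDCARD_HOSTS = {"0.0.0.0", "[::]", "*"}


def split_local_address(field: str) -> Tuple[str, int]:
    """'0.0.0.0:3306' -> ('0.0.0.0', 3306); '[::]:27017' -> ('[::]', 27017)."""
    host, _, port = field.rpartition(":")
    return host, int(port) if port.isdigit() else -1


def exposed_db_listeners(ss_output: str) -> List[Tuple[int, str, str]]:
    """Return (port, service, bound address) for DB ports bound to a wildcard address."""
    hits: List[Tuple[int, str, str]] = []
    for line in ss_output.splitlines():
        cols = line.split()
        # Data rows look like: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local_address(cols[3])
        if port in DB_PORTS and host in WILDCARD_HOSTS:
            hits.append((port, DB_PORTS[port], host))
    return hits


# Constructed `ss -tln` output: MySQL and MongoDB bound to all interfaces,
# PostgreSQL correctly bound to loopback, plus an ordinary HTTPS listener.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       4096    [::]:27017           [::]:*
LISTEN  0       511     *:443                *:*
"""

if __name__ == "__main__":
    for port, service, host in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"{service} (port {port}) is bound to {host}: "
              f"bind it to 127.0.0.1 or block the port at the firewall")
```

The fix for a hit is usually one line in the database's configuration (a bind address of 127.0.0.1 when the web app runs on the same server) or a firewall rule at the hosting provider; both are the "free (hosting config)" item in the table.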
What To Do Right Now
Pick one thing from this list and do it today. Seriously — just one.
If I had to pick the single highest-impact action, it's checking your DMARC record. It takes 30 seconds to check and an hour to fix, and it's the difference between your customers being protected from invoice fraud or being wide open to it.
If you want to know exactly where your business stands, I run free passive security scans. Same methodology I used in my 21-business audit — no exploitation, just looking at what's already publicly visible about your infrastructure. I'll send you a report with exactly what to fix and how.
Software engineer. Former Spotify. Building AI agent security tools at Haun Lab.