5 Cybersecurity Mistakes That Cost Small Businesses Thousands
The most common — and most expensive — security gaps we see when we onboard new clients. None of them are exotic.
Most small business breaches aren't sophisticated. They're boring, predictable, and completely preventable. After onboarding dozens of new clients, here are the five mistakes we find almost every time.
1. Reusing the admin password
The office Wi-Fi password is the same as the QuickBooks admin, which is the same as the shared Dropbox account. When anyone on the team leaves, the entire stack is exposed — and nobody rotates anything because nobody can remember which systems use which password.
Fix: A team password manager (1Password, Bitwarden) and a written off-boarding checklist. Cost: about $4 per user per month. Damage prevented: easily five figures.
2. MFA only on email
You've enabled multi-factor authentication on Office 365 or Google Workspace — great. But your accounting system? CRM? Bank portal? Your remote access? If those don't have MFA, the bad guys can still drain your accounts after a single phished email.
Fix: Enable MFA on every system that touches money, customer data, or production access. Make it a rule, not a recommendation.
3. Treating backups as "set and forget"
Two questions: When was your last backup successful? When was the last time someone restored from it to verify it actually works? If you can't answer both confidently, you don't have backups — you have hope.
Untested backups are the single most expensive lie in IT.
Fix: Monthly restore tests. Off-site, encrypted, immutable copies. Document who runs the test and where the report lives.
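One way to turn "monthly restore test" into something that actually runs and leaves a record, added here as an example and not part of the original post. It assumes a file-based backup kept as a gzip'd tar archive with a sha256 manifest written beside it, and GNU coreutils (sha256sum, sort -z); the share contents, file names and report path are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal scripted restore test
# for a file-based backup. Assumptions: the backup is a gzip'd tar archive with
# a sha256 manifest beside it, and GNU coreutils (sha256sum, sort -z) exist.
# All paths and sample files below are constructed for the demo.
set -eu

# make_backup SRC_DIR ARCHIVE
# Records a per-file sha256 manifest of the live data, then archives it.
# The manifest is the "known good" that the restore test compares against.
make_backup() {
    src=$1
    archive=$2
    ( cd "$src" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$archive.sha256"
    tar -czf "$archive" -C "$src" .
}

# restore_test ARCHIVE REPORT_FILE
# Restores ARCHIVE into a scratch directory, verifies every file against the
# manifest, appends one dated line to REPORT_FILE (who ran it, what, result),
# and returns 0 only when the restore is complete and byte-for-byte intact.
restore_test() {
    archive=$1
    report=$2
    scratch=$(mktemp -d)
    result=FAIL
    # Step 1: can the archive be unpacked at all (truncated or corrupt file)?
    # Step 2: does every restored file match the checksum taken at backup time?
    # The manifest is fed on stdin so the cd inside the subshell does not break
    # a relative archive path.
    if tar -xzf "$archive" -C "$scratch" 2>/dev/null &&
       ( cd "$scratch" && sha256sum -c --status ) < "$archive.sha256"; then
        result=PASS
    fi
    files=$(wc -l < "$archive.sha256" | tr -d ' ')
    printf '%s restore_test archive=%s files=%s result=%s tester=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$archive" "$files" "$result" "${USER:-unknown}" >> "$report"
    rm -rf "$scratch"
    [ "$result" = PASS ]
}

# demo: constructed sample data standing in for a small office file share.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/share/invoices"
    printf 'INV-001,2024-01-15,1250.00\n' > "$work/share/invoices/jan.csv"
    printf 'client list v3\n' > "$work/share/clients.txt"
    make_backup "$work/share" "$work/share.tgz"
    if restore_test "$work/share.tgz" "$work/restore-report.log"; then
        echo "good archive: PASS"
    else
        echo "good archive: FAIL"
    fi
    # Simulate a backup job that died mid-write (disk full, job killed):
    # the file exists and looks like a backup, but it cannot be restored.
    head -c 64 "$work/share.tgz" > "$work/share-truncated.tgz"
    cp "$work/share.tgz.sha256" "$work/share-truncated.tgz.sha256"
    if restore_test "$work/share-truncated.tgz" "$work/restore-report.log"; then
        echo "truncated archive: PASS (unexpected)"
    else
        echo "truncated archive: FAIL (expected)"
    fi
    cat "$work/restore-report.log"
    rm -rf "$work"
}

demo
```

The report file is the artifact the "Fix" asks for: it names who ran the test, which archive, how many files, and the outcome, so the answer to "when did someone last restore from it?" is a line in a log rather than a memory. Run it from cron on the first of the month and page someone on a FAIL line.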
4. Letting personal devices into the work network
The owner's kid uses the laptop. The receptionist installs random apps. Someone plugs in a USB drive from a trade show. Every personal device on the office network is an attack surface — and your firewall can't help once the threat is already inside.
Fix: Guest Wi-Fi separate from the work network. Endpoint protection (EDR) on every machine that touches business data. Don't allow personal devices to access company servers.
5. No incident response plan
The first time you'll think about a ransomware response is the morning you discover ransomware. By then, you'll be paying lawyers, forensics firms, and possibly attackers — all at 3x the price because you're in panic mode.
Fix: A written, one-page plan with:
- Who to call first (your IT provider, your insurer).
- Where backups live and how to restore.
- Communication template for staff and customers.
- Off-site copy of the plan (because the network is likely down).
Spending two hours on this before you need it could be the most profitable two hours of your year.
If you'd like a free 30-minute review of your current security posture, book a call. We'll point out anything obvious and give you a prioritized fix list — whether or not you ever work with us.