
The SMB Security Baseline: 10 Controls That Actually Matter

You don't need to implement all 40 CISA controls. These 10 controls stop most attacks affecting Gulf Coast SMBs. Start here.

Last updated: March 20, 2026

A construction company in Gulf Shores had their estimating software held for ransom. The attacker got in through an employee's email — same password from a 2019 LinkedIn breach. Once in email, they found the vendor contact, sent a convincing message pretending to be the employee, and got the vendor to reset the estimating software password.

They paid $15,000 to recover their data.

This attack could have been stopped by MFA on email. One control.

This guide is about the 10 controls that matter most for Gulf Coast small businesses. Not the full CISA framework (40+ controls), not NIST guidelines (hundreds of requirements). These 10, implemented well, will stop most attacks affecting businesses like yours.

The 10 Controls

1. Multi-Factor Authentication (MFA)

What: Requires a second form of verification (phone app, security key) in addition to a password.

Why it matters: Passwords are compromised constantly. MFA blocks 99% of automated attacks even when passwords are known.

How to know if you're doing it: Check your Microsoft 365 or Google Workspace admin panel. Are all users required to use MFA? What about admin accounts specifically?

What "good" looks like: All users required to use an authenticator app. No SMS-only users. Admin accounts require MFA with no skip options.
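One way to answer the "no SMS-only users, no password-only users" question for a Microsoft 365 tenant, as an added example rather than anything from the original article. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in admin can consent to the two read-only scopes; Google Workspace uses a different API and is not covered.

```powershell
# Added example (not from the original article): report Microsoft 365 users with no
# second factor registered, or only SMS/voice. Assumes the Microsoft.Graph module and
# an admin who can consent to the two read-only scopes below.

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Method types that count as a real second factor (authenticator app, key, TOTP, Hello).
$strong = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
# SMS and voice-call methods both appear as the phone method type.
$weak = @('#microsoft.graph.phoneAuthenticationMethod')

$report = foreach ($u in Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $hasStrong = @($types | Where-Object { $strong -contains $_ }).Count -gt 0
    $hasWeak   = @($types | Where-Object { $weak   -contains $_ }).Count -gt 0

    $status = 'NONE: password only'
    if ($hasWeak)   { $status = 'WEAK: SMS/voice only' }
    if ($hasStrong) { $status = 'OK: authenticator app or key' }

    [pscustomobject]@{ User = $u.UserPrincipalName; Status = $status }
}

# Registration is not enforcement: a user can have an app registered and still not be
# required to use it. Confirm Conditional Access or Security Defaults separately.
$report | Where-Object { $_.Status -notlike 'OK*' } | Sort-Object Status, User | Format-Table -AutoSize
```

Admin accounts showing "NONE" are the first thing to fix; that is the scenario from the opening of the article.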

2. Password Manager

What: Centralized storage for unique, complex passwords for every account.

Why it matters: Credential stuffing (using leaked passwords from one site on others) works because people reuse passwords. A password manager makes unique passwords easy.

How to know if you're doing it: Does your team use a shared password manager? Or scattered sticky notes and browser-saved passwords?

What "good" looks like: Team password manager (1Password, Bitwarden) with MFA required for all users. Unique passwords for every service.

3. Email Filtering and Anti-Phishing

What: Filters that catch phishing emails before they reach your team.

Why it matters: Most attacks start with email. Catching phishing at the gateway stops it before anyone clicks.

How to know if you're doing it: Check if your email service (Microsoft 365, Google Workspace) has built-in phishing protection enabled. Consider third-party tools like Abnormal Security or Proofpoint for higher protection.

What "good" looks like: Microsoft Defender for Office 365 or equivalent enabled. Suspicious emails automatically quarantined. Users report phishing rather than forwarding.

4. Endpoint Protection

What: Antivirus/antimalware software on laptops and desktops.

Why it matters: Catches malware that gets through other defenses.

How to know if you're doing it: Windows Defender (built into Windows 10/11) is actually decent. Check that real-time protection is enabled. For higher-risk businesses, EDR (endpoint detection and response) provides more coverage.

What "good" looks like: Real-time protection enabled. Definitions updated automatically. EDR deployed for businesses handling sensitive data.

5. Device Encryption

What: BitLocker (Windows) or FileVault (Mac) encrypts the hard drive so stolen devices don't become data breaches.

Why it matters: A stolen laptop is a hardware loss, not a data breach, if the drive is encrypted.

How to know if you're doing it: Check BitLocker status on Windows (manage-bde -status). Check FileVault status on Mac.

What "good" looks like: All company devices encrypted. Recovery keys stored securely (not on the device). Lock screens required after 5 minutes of inactivity.
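The "how to know" checks for controls 4 and 5 can be run on one Windows 10/11 machine with the script below, an added example that is not from the original article. It assumes an elevated PowerShell prompt and the built-in Defender and BitLocker modules; the inactivity-lock check reads only the machine policy value, not per-user screen saver settings.

```powershell
# Added example (not from the original article): audit controls 4 and 5 on one
# Windows 10/11 machine. Run from an elevated PowerShell prompt.

$findings = @()

# --- Control 4: endpoint protection ---
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += 'Defender real-time protection is OFF'
}
# Signatures older than 3 days usually mean automatic definition updates are broken.
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt 3) {
    $findings += ('Defender signatures are {0:N0} days old' -f $sigAge.TotalDays)
}

# --- Control 5: device encryption ---
# Every volume is checked, including removable drives that happen to be plugged in.
# A recovery password protector must exist, and its copy must live somewhere other
# than this device (Entra ID, AD, or the password manager), which this cannot verify.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume $($vol.MountPoint): $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    }
    elseif (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        $findings += "Volume $($vol.MountPoint): no recovery password protector; a TPM failure means data loss"
    }
}

# Lock after inactivity: the "Interactive logon: Machine inactivity limit" policy is
# stored in InactivityTimeoutSecs (seconds). Missing or 0 means no enforced lock.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue
$limit = if ($pol) { [int]$pol.InactivityTimeoutSecs } else { 0 }
if ($limit -eq 0 -or $limit -gt 300) {
    $findings += "No enforced inactivity lock of 5 minutes or less (InactivityTimeoutSecs = $limit)"
}

if ($findings.Count -eq 0) {
    "PASS: controls 4 and 5 look good on $($env:COMPUTERNAME)"
} else {
    "FINDINGS on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { " - $_" }
}
```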

6. Automated Backup

What: Regular, automated backups of critical data that are isolated from ransomware.

Why it matters: Ransomware wants to encrypt your backups too. Immutable/offline backups mean you can restore without paying.

How to know if you're doing it: Do you have backups? Are they tested? Are they connected to the network or isolated?

What "good" looks like: 3-2-1 rule: three copies of data, on two different media types, one offsite. At least one copy is immutable (cannot be encrypted or deleted by ransomware).

7. Patch Management

What: Keeping operating systems and software updated with security fixes.

Why it matters: Most attacks exploit known vulnerabilities with available patches. Patching is the most effective defense.

How to know if you're doing it: When were your devices last updated? Do you have any end-of-life software still running?

What "good" looks like: Automatic updates enabled. Critical patches deployed within 72 hours. No end-of-life operating systems or software in production.
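The two "how to know" questions for this control (when was the device last updated, and is it running an end-of-life OS) can be answered per machine with this added example, which is not part of the original article. It assumes a Windows client edition; the end-of-support dates in the table are mine to maintain and should be checked against Microsoft's lifecycle page, and LTSC and Server builds have their own dates and will be misreported.

```powershell
# Added example (not from the original article): patch-status check for one Windows
# client machine. The EOL table is an assumption to verify against Microsoft's
# lifecycle page; Server and LTSC builds are not handled.

$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber

# Highest build of each client line and the date that line left mainstream support.
# Anything below 22000 is Windows 10 or older; Windows 11 starts at 22000.
$eolTable = @(
    @{ Name = 'Windows 7';   MaxBuild = 7601;  EndOfSupport = [datetime]'2020-01-14' },
    @{ Name = 'Windows 8.1'; MaxBuild = 9600;  EndOfSupport = [datetime]'2023-01-10' },
    @{ Name = 'Windows 10';  MaxBuild = 19045; EndOfSupport = [datetime]'2025-10-14' }
)
$line = $eolTable | Where-Object { $build -le $_.MaxBuild } | Select-Object -First 1
if ($line -and (Get-Date) -gt $line.EndOfSupport) {
    "FAIL: $($os.Caption) build $build is past end of support ($($line.Name), $($line.EndOfSupport.ToShortDateString()))"
} else {
    "OK: $($os.Caption) build $build is on a supported OS line"
}

# Most recent installed update. If nothing has landed in 30+ days, automatic
# updates are not actually running, whatever the settings page says.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    'FAIL: no installed updates recorded on this machine'
} else {
    $days   = ((Get-Date) - $latest.InstalledOn).Days
    $status = if ($days -gt 30) { 'FAIL' } else { 'OK' }
    "${status}: last update $($latest.HotFixID) installed $days days ago ($($latest.InstalledOn.ToShortDateString()))"
}

# A patch that is waiting on a reboot is not protecting anything yet.
$uptime = (Get-Date) - $os.LastBootUpTime
if ($uptime.Days -gt 14) {
    "WARN: up for $($uptime.Days) days; updates needing a restart may not be applied"
}
```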

8. DNS Filtering

What: Blocking access to malicious websites at the DNS level before your browser even loads them.

Why it matters: Stops drive-by downloads, phishing sites, and malicious links even if someone clicks.

How to know if you're doing it: Are your DNS settings pointing to a filtering service (Cloudflare, OpenDNS)?

What "good" looks like: DNS filtering enabled on all devices. Malicious domains blocked automatically. Configured at the router level so it covers all devices.

9. Least Privilege Access

What: Giving people only the access they need — nothing more.

Why it matters: Limits the blast radius of any single compromised account.

How to know if you're doing it: Does everyone have admin access? Do vendors have permanent admin rights? Are admin accounts separate from daily-use accounts?

What "good" looks like: Regular employees use standard accounts. Admin access is separate and limited. Vendor access is temporary with minimum necessary permissions.
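The three questions under "how to know" for this control can be checked on a Windows machine with the script below, an added example that is not from the original article. It assumes the LocalAccounts module (Windows 10/11, PowerShell 5.1 or later) and an elevated prompt; it treats any named user with standing membership in Administrators, and any enabled extra local account with no expiry date, as a finding.

```powershell
# Added example (not from the original article): who holds local admin rights on this
# machine, and which local accounts look like permanent vendor logins.

$me       = [Security.Principal.WindowsIdentity]::GetCurrent()
$findings = @()

# Members of the local Administrators group. Group members (e.g. a domain admin group)
# are the intended pattern and are not flagged; individual users are.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $isBuiltinAdmin = $m.SID.Value -like 'S-1-5-21-*-500'
    if ($m.ObjectClass -eq 'User' -and -not $isBuiltinAdmin) {
        # A named person with standing admin rights. Their daily-use account should be
        # standard, with a separate admin account used only when needed.
        $findings += "Standing admin: $($m.Name) (source: $($m.PrincipalSource))"
    }
    if ($m.SID.Value -eq $me.User.Value) {
        $findings += "The account running this script ($($me.Name)) is a local admin; is it also a daily-use account?"
    }
}

# Enabled local accounts with no expiry, other than the built-in Administrator (-500)
# and Guest (-501). Permanent vendor or contractor logins usually look like this;
# temporary access should carry an expiry date (Set-LocalUser -AccountExpires).
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled }) {
    $builtin = ($u.SID.Value -like 'S-1-5-21-*-500') -or ($u.SID.Value -like 'S-1-5-21-*-501')
    if (-not $builtin -and -not $u.AccountExpires) {
        $findings += "Enabled local account with no expiry: $($u.Name) (last logon: $($u.LastLogon))"
    }
}

if ($findings.Count -eq 0) {
    'PASS: admin rights held only by built-in Administrator or groups; no permanent extra local accounts'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```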

10. Incident Response Plan

What: A documented, practiced plan for when something goes wrong.

Why it matters: When you're under attack is not the time to figure out who does what.

How to know if you're doing it: Do you have a documented plan? Has anyone reviewed it recently?

What "good" looks like: Written incident response plan with:

  • Who to call (internal contacts, external help)
  • How to contain (shut off affected systems, isolate networks)
  • How to communicate (who notifies customers, insurance, authorities)
  • How to recover (restore from backups, reset credentials)

What it costs (honest ranges)

All 10 controls implemented DIY:

  • Built-in tools (Windows Defender, BitLocker, Microsoft 365 built-in features): Free
  • Password manager: $3-$8/user/month
  • DNS filtering: $1-$3/user/month
  • Backup: $100-$500/month for business-grade solution

All 10 controls via managed security provider: $15-$40/user/month typically covers MFA, monitoring, patching, backup, and incident response.

When to hire help

Do it yourself if:

  • You're comfortable configuring cloud services (Microsoft 365, Google Workspace)
  • You have fewer than 15 employees
  • You can dedicate 2-4 hours per month to security maintenance

Get help if:

  • You have 20+ employees
  • You handle sensitive data (health, financial, customer SSNs)
  • You've had an incident or near-miss
  • You want someone accountable for all 10 controls
  • You're bidding on contracts that require documented security controls

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.
