SMB Cybersecurity Handbook

SMB Cybersecurity · Practical Handbook

Securing Small Business in the Cloud Era

A complete reference covering the five-layer defense framework, phishing defense, MFA implementation, backup strategy, and incident response. Designed for teams without a dedicated security team.

5-Layer Defense MFA Setup Ransomware Defense Phishing Awareness Incident Response

Security is not a product — it is a system of layers. No single control stops every threat, but layered defenses make successful attacks rare and expensive. The five-layer model for SMBs:

L5Recovery — Backup, disaster recovery, incident response planWhen prevention fails
L4Detection & Response — Logging, alerting, anomaly detection, MDRWhen perimeter fails
L3Access Control — MFA, least privilege, PAM, SSOWhen credentials leak
L2Endpoint Protection — EDR, antivirus, patch management, device controlWhen email fails
L1Email & Web Security — Spam filter, URL protection, domain security (SPF/DKIM/DMARC)First line of defense

⚠Most attacks start at L1. A robust email filter stops 95%+ of malicious emails before they reach users. But the 5% that get through must be stopped at L2 or L3. Plan for failure at every layer.

Email Authentication (SPF / DKIM / DMARC)

Email spoofing is the primary delivery vector for phishing. SPF, DKIM, and DMARC prevent attackers from sending email that appears to come from your domain.

Protocol	What It Does	Implementation	Difficulty
SPF	Lists servers authorized to send mail for your domain	Add IP addresses to DNS TXT record	Easy (30 min)
DKIM	Cryptographic signature that verifies email was not altered in transit	Generate key pair, add public key to DNS	Medium (1–2 hrs)
DMARC	Tells receivers what to do with emails that fail SPF/DKIM (reject/quarantine/none)	Add _dmarc DNS TXT record	Medium (1 hr)

✓Starter DMARC policy: v=DMARC1; p=none; rua=mailto:[email protected] — monitor first, then move to quarantine after 2–4 weeks.

Link & Attachment Protection

Enable URL sandboxing in your email gateway — rewritten links open in a sandbox first
Deploy attachment detonation — open attachments in an isolated environment before delivery
Set external email banners so recipients always know when an email is from outside the organization
Disable 宏自动执行 (auto-execute macros) in Office documents received via email

Patch Management

Exploitable vulnerabilities are how attackers move from a phishing email to full system compromise. A 7-day patch lag is acceptable for most SMBs; anything beyond 30 days is high risk.

Severity	CVSS Score	Max Patch Window	Example
Critical	9.0–10.0	24–48 hours	RCE in internet-facing service
High	7.0–8.9	7 days	Privilege escalation in OS
Medium	4.0–6.9	30 days	Local file inclusion
Low	0.1–3.9	Next patch cycle	Information disclosure

✓Best practice: Enable automatic updates for operating systems and common software (browsers, Java, Adobe). Use a patch management tool for server infrastructure: WSUS (Windows), Landscape (Ubuntu), or a third-party RMM.

Endpoint Detection & Response (EDR)

Traditional antivirus catches known threats by signature. EDR (Endpoint Detection and Response) also monitors behavioral patterns — processes, network connections, registry changes — to catch zero-day attacks that signatures miss.

SentinelOne, CrowdStrike Falcon, Microsoft Defender for Endpoint — leading EDR platforms with SMB-friendly pricing
Managed Detection & Response (MDR) — outsource monitoring and response to a 24/7 SOC; ideal for SMBs without in-house security staff
Enable device encryption (BitLocker for Windows, FileVault for macOS) on all endpoints
Disable RDP unless absolutely required; if needed, always expose via VPN with MFA

Multi-Factor Authentication

MFA blocks 99%+ of automated credential-based attacks. If your organization uses only a password, enabling MFA is the single highest-impact security improvement you can make.

Method	Security	Usability	Best For
Hardware key (YubiKey, Google Titan)	★★★★★	High	Highest security; admin accounts
Authenticator app (TOTP)	★★★★	High	Most users; Google Auth, Authy
SMS/Text MFA	★★	High	Last resort; SIM swap risk
Email MFA	★	Medium	Avoid if possible

🚫Do NOT use SMS MFA. SIM swap attacks are cheap ($15–50) and effective. Use TOTP authenticator apps instead. If you must use SMS, at minimum pair it with a strong phishing-resistant method (hardware key or passkey).

Least Privilege & SSO

Implement Single Sign-On (SSO) via Okta, Azure AD, or Google Workspace — reduces password fatigue and centralizes access control
Apply least privilege: users get the minimum permissions needed for their role; review quarterly
Separate admin/privileged accounts from standard user accounts; admin accounts should have no email or web browsing
Use password manager (Bitwarden, 1Password) to enforce unique, strong passwords across all accounts
Set account lockout policies: 5–10 failed attempts triggers a 30-minute lockout

Ransomware is the most destructive threat to SMBs. The only reliable defense against ransomware is an untouchable backup that the attacker cannot reach. See Backup Strategy Guide for detailed implementation.

Follow the 3-2-1 rule: 3 copies, 2 different media types, 1 offsite

Test backup restoration quarterly — "backup verified" means nothing without a successful restore test

Air-gap or immutable: at least one backup copy must be immutable (no deletes possible) or fully offline

Encrypt backups at rest and in transit with keys stored separately from backup data

Document RTO (Recovery Time Objective) and RPO (Recovery Point Objective) per system

People are the last line of defense and also the most likely point of failure. Phishing simulation and awareness training reduces click rates by 60–80% within 12 months.

Training Type	Frequency	Tools	Cost
Phishing simulation	Monthly	KnowBe4, Cofense, Gophish	Free–$15/user/mo
Awareness video modules	Quarterly	KnowBe4, Proofpoint	$5–12/user/mo
Tabletop incident exercise	Bi-annual	Internal	Free (2 hrs)
Red team / social engineering	Annual	Third-party vendor	$5K–20K

💡Key message to reinforce: "If an email feels urgent, suspicious, or too good to be true — stop, think, and verify by calling the sender directly. Never click first, always verify."