Cybersecurity · May 6, 2026 · 9 min read

5 Cybersecurity Mistakes Small Businesses Make — And How to Fix Them

Most breaches aren't caused by sophisticated attacks. They exploit predictable, preventable gaps that persist because no one made them a priority. Here's what they are.

  • 43% of cyberattacks target small businesses (Verizon DBIR 2024)
  • 60% of attacked SMBs close within 6 months (National Cyber Security Alliance)
  • Every 11 seconds a new cyberattack strikes somewhere globally (Cybersecurity Ventures)

The Verizon 2024 Data Breach Investigations Report found that 51% of small businesses have no cybersecurity measures in place at all. That's not a talent gap — it's a visibility problem. Owners don't know what's missing because they've never had a framework to check against. This post gives you that framework: the five mistakes that show up again and again when we assess small-business environments in the Philadelphia area, with specific tools and steps to fix each one.

[Image: MacBook displaying a pirate flag on a red screen, representing ransomware locking a small business out of its own systems]
01. No Multi-Factor Authentication — or Relying on SMS Alone

80% of hacking-related breaches involve compromised or weak credentials (Verizon DBIR). Attackers don't need to "hack in" — they log in with a password bought from a breach dump. In 2024 alone, 2.8 billion credentials were posted for sale on criminal forums. If your team reuses passwords across sites (and statistically, they do), your business email, banking portal, and cloud apps are only as secure as the weakest password in that pile.

The fix is multi-factor authentication. Microsoft's own data shows 99.9% of compromised accounts had no MFA enabled. Yet only 27% of small businesses with fewer than 25 employees use it — and 65% of global SMBs have no plans to implement it (Cyber Readiness Institute).

One caveat: basic SMS MFA (a text code) is better than nothing, but it's not enough anymore. Adversary-in-the-Middle (AiTM) phishing kits now intercept SMS codes in real time. Push-based or FIDO2 hardware-key MFA closes that gap.

How to fix it
  • Enable MFA on every account that supports it — starting with Microsoft 365 / Google Workspace, your VPN, banking portals, and accounting software
  • Deploy Cisco Duo (free for up to 10 users; ~$3/user/month for SMB tier) — supports phishing-resistant FIDO2, app-based push, and SSO
  • Add a company-wide password manager: Bitwarden Teams ($3/user/month, open-source) or 1Password Business ($7.99/user/month) — eliminates password reuse at the root
  • Long-term: move toward FIDO2 passkeys — CISA has designated phishing-resistant MFA its highest-priority defensive goal
02. Letting Patches Pile Up

78% of 2024 data breaches involved a known, unpatched vulnerability. These weren't zero-days — they were CVEs with published patches that organizations simply hadn't applied. Ransomware groups don't write exploits from scratch; they scan the internet for the specific software versions they already know how to attack.

The timeline has compressed badly. In 2024, the mean time to exploit a critical vulnerability dropped to approximately 5 days — and organizations face a 1-in-4 chance of exploitation before they patch. High-profile examples: a Fortinet vulnerability disclosed in early 2024 still had 133,000 unpatched devices 60 days later. A Palo Alto GlobalProtect flaw scored a perfect 10/10 CVSS — and was being actively exploited within days of disclosure.

For small businesses, the problem isn't usually negligence — it's that patching is informal. No one owns it. IT "handles it when there's time."

How to fix it
  • Assign a named person to own patch status — even if that's your MSP
  • Enable automatic Windows Updates and verify they're actually running on every device
  • Use Action1 (free for up to 100 endpoints) for automated patch management across all Windows devices — deploys OS, app, and driver patches on a schedule
  • Prioritize: OS patches, browsers (Chrome/Edge/Firefox), Microsoft Office, Adobe, and firewall/VPN appliances — those last ones especially, as they're internet-exposed
  • Subscribe to CISA's Known Exploited Vulnerabilities (KEV) catalog — free email alerts for actively weaponized CVEs; anything on this list needs a 48-hour response
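As an added example (not from the original post or from CISA), here is a PowerShell triage of KEV entries against the vendors you actually run, applying the 48-hour response window above; the entries and CVE ids are constructed placeholders, and `Get-KevActionItems` and the vendor inventory are hypothetical names.

```powershell
# Added example: triage CISA KEV entries for the vendors in your inventory and flag
# anything past the 48-hour response window. Live feed (real URL):
#   https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# In practice: $kev = (Invoke-RestMethod $url).vulnerabilities
# The entries below are constructed sample data in the feed's field layout; the CVE
# ids and dates are placeholders, not real catalog entries.
$kev = @(
    [pscustomobject]@{ cveID='CVE-0000-00001'; vendorProject='Fortinet';  product='FortiOS';        dateAdded='2026-05-01'; knownRansomwareCampaignUse='Known' }
    [pscustomobject]@{ cveID='CVE-0000-00002'; vendorProject='Microsoft'; product='Windows';        dateAdded='2026-05-05'; knownRansomwareCampaignUse='Unknown' }
    [pscustomobject]@{ cveID='CVE-0000-00003'; vendorProject='Ivanti';    product='Connect Secure'; dateAdded='2026-05-04'; knownRansomwareCampaignUse='Known' }
)

function Get-KevActionItems {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [Parameter(Mandatory)] [string[]] $Vendors,   # vendors present in your inventory
        [datetime] $Now = (Get-Date),
        [int] $ResponseHours = 48                     # the post's 48-hour target
    )
    foreach ($e in $Entries) {
        # Skip vendors you do not run; everything else becomes an action item
        if ($e.vendorProject -notin $Vendors) { continue }
        $added    = [datetime]::Parse($e.dateAdded)
        $deadline = $added.AddHours($ResponseHours)
        [pscustomobject]@{
            CVE        = $e.cveID
            Vendor     = $e.vendorProject
            Product    = $e.product
            Added      = $added.ToString('yyyy-MM-dd')
            Deadline   = $deadline.ToString('yyyy-MM-dd HH:mm')
            Overdue    = $Now -gt $deadline
            Ransomware = $e.knownRansomwareCampaignUse -eq 'Known'
        }
    }
}

# Hypothetical inventory: Ivanti is absent, so that entry is skipped.
$inventory = @('Microsoft', 'Fortinet', 'Adobe', 'Google')
Get-KevActionItems -Entries $kev -Vendors $inventory -Now ([datetime]'2026-05-06') |
    Sort-Object Overdue, Ransomware -Descending |
    Format-Table -AutoSize
```

Overdue entries with known ransomware use sort to the top, which is the order the named patch owner should work through.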
03. Backups That Have Never Been Tested

Every business owner we've assessed believes they have backups. Most do. What they don't have is a tested, ransomware-resistant backup that would actually let them recover.

96% of ransomware attacks specifically target backup repositories, and 76% successfully compromise them (Sophos 2024). When attackers take out your backups, you're 2x more likely to pay the ransom and face recovery bills 8x higher than if backups were intact. The median ransom payment in 2025 reached $1 million — and 69% of companies that paid were attacked again.

  • 96% of ransomware attacks target backup repos (Sophos 2024)
  • 76% of those attacks successfully compromise them (Sophos 2024)
  • 4 in 10 restore attempts fail when actually needed (Backblaze 2024)

Beyond ransomware: only 57% of backup jobs actually complete successfully (Backblaze 2024), and 4 in 10 restore attempts fail when they're actually needed. Most companies don't learn this until they're trying to recover from an incident.

Two overlooked gaps: Microsoft 365 and Google Workspace do not back up your data for you. Your emails, SharePoint files, and Teams data live in Microsoft's infrastructure, but Microsoft explicitly states that data protection is your responsibility — not theirs. Many businesses discover this after an accidental deletion or ransomware event.

How to fix it
  • Adopt the 3-2-1-1 rule: 3 copies of data, on 2 different media types, with 1 copy offsite — and 1 copy immutable or air-gapped (the original 3-2-1 no longer protects against ransomware)
  • Use immutable cloud backup: Backblaze B2 (~$7/TB/month) or Wasabi with Object Lock enabled — ransomware cannot overwrite or delete these copies
  • Protect Microsoft 365 / Google Workspace with Veeam Backup for M365, Datto SaaS Protection, or Barracuda Cloud-to-Cloud Backup
  • Test restores quarterly — schedule a 30-minute exercise where you actually restore a file or folder from backup to a test machine; if you haven't done this, your backup is theoretical
  • Keep at least one backup copy in a location your main network cannot write to — this prevents a compromised device from encrypting your backup alongside everything else
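An added example, not part of the original post: a PowerShell function that turns the quarterly restore exercise into a recorded pass/fail check by hashing the restored files against the live source. `Test-RestoredBackup` and the share paths are hypothetical, and it assumes the source data has not changed since the backup job ran (compare against a snapshot or a quiet share).

```powershell
# Added example: verify a test restore by comparing SHA-256 hashes of every restored
# file with the live original. Read-only; paths are placeholders.
function Test-RestoredBackup {
    param(
        [Parameter(Mandatory)] [string] $SourceRoot,    # live data, e.g. \\FILESERVER\Finance
        [Parameter(Mandatory)] [string] $RestoreRoot,   # where you restored to, e.g. C:\RestoreTest\Finance
        [int] $SampleSize = 0                            # 0 = check every file
    )
    $root   = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath.TrimEnd('\')
    $source = Get-ChildItem -LiteralPath $root -Recurse -File
    if ($SampleSize -gt 0) { $source = $source | Get-Random -Count $SampleSize }

    $results = foreach ($f in $source) {
        $rel      = $f.FullName.Substring($root.Length).TrimStart('\')
        $restored = Join-Path $RestoreRoot $rel
        if (-not (Test-Path -LiteralPath $restored)) {
            [pscustomobject]@{ File = $rel; Status = 'MISSING' }
            continue
        }
        $a = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $b = (Get-FileHash -LiteralPath $restored   -Algorithm SHA256).Hash
        # A mismatch on a file edited after the backup ran is expected noise;
        # a mismatch on an untouched file means the backup copy is bad.
        [pscustomobject]@{ File = $rel; Status = $(if ($a -eq $b) { 'OK' } else { 'MISMATCH' }) }
    }

    $bad = @($results | Where-Object Status -ne 'OK')
    [pscustomobject]@{
        Checked  = @($results).Count
        Failed   = $bad.Count
        Passed   = ($bad.Count -eq 0)
        Failures = $bad
        RunAt    = Get-Date
    }
}

# Example run on placeholder paths; keep the output with your quarterly restore-test record.
$report = Test-RestoredBackup -SourceRoot '\\FILESERVER\Finance' -RestoreRoot 'C:\RestoreTest\Finance' -SampleSize 50
$report | Select-Object Checked, Failed, Passed, RunAt
$report.Failures | Format-Table -AutoSize
```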
04. Treating Security Awareness Training as a One-Time Event

68% of cybersecurity incidents are attributed to human error — and the human element is involved in roughly 60% of all breaches (Verizon DBIR). Your technical controls are only as effective as the person at the keyboard. That's not a criticism of your team — it's a reflection of how sophisticated social engineering has become.

In 2024, AI-generated phishing campaigns achieved a 54% success rate in controlled testing. These emails have no spelling errors, no suspicious formatting — they read like messages from your CFO or a vendor you trust. Social engineering attacks surged 135% from 2024 to 2025. Business Email Compromise (BEC) scams — where attackers impersonate a vendor or executive to redirect a payment — transferred $6.3 billion in 2024 alone.

The standard response is annual security awareness training. It's not enough. KnowBe4's data shows that organizations running monthly training plus weekly phishing simulations see a 96% reduction in click rates compared to less frequent programs. Contextual training — triggered the moment an employee clicks a simulated phishing link — reduces susceptibility by an additional 40%.

How to fix it
  • Run a free phishing simulation baseline first — KnowBe4 offers one at no cost; you'll get a "Phish-prone Percentage" showing what percentage of your team clicks before training
  • Follow with a monthly cadence: short 3–5 minute training modules + simulated phishing emails sent to random employees at random times
  • Train specifically on: BEC wire fraud (always call back on a known number to verify any payment request — never use contact info in the suspicious email), AI-generated phishing tells, and proper credential hygiene
  • Establish a written wire transfer verification policy: any payment above a threshold (e.g., $2,000) requires a live phone call to a pre-verified number, regardless of how urgent the email sounds — no exceptions
  • Alternatives to KnowBe4: Proofpoint Security Awareness, Cofense PhishMe
05. Exposed Remote Access and Flat Networks

Remote Desktop Protocol (RDP) was used as the initial entry point in 9 out of 10 cyberattacks in 2023. Among ransomware insurance claims, 45% involved VPN appliances and 23% involved RDP (Halcyon 2024). If your business has a Windows machine with RDP enabled and port 3389 accessible from the internet — which is an extremely common default configuration — that machine is being actively scanned and probed right now. Automated tools run credential stuffing attacks against exposed RDP around the clock.

The second half of this mistake is network segmentation — or rather, the lack of it. Most small businesses run a flat network: every device — employee laptops, server, printers, office IoT, guest Wi-Fi — sits on the same subnet. After initial compromise, attackers can move laterally across a flat network in as little as 2 minutes 7 seconds (2024 threat data). One infected laptop becomes total network compromise within minutes.

```mermaid
flowchart LR
    A["🖥️ Infected Laptop\n(1 click)"] -->|"2 min 7 sec"| B["📁 File Server"]
    B --> C["💰 Accounting\nSoftware"]
    B --> D["🖨️ Shared\nPrinter"]
    B --> E["☁️ Cloud\nCredentials"]
    A --> F["📱 Other\nWorkstations"]
    style A fill:#7f1d1d,color:#fff,stroke:#991b1b
    style B fill:#003b2f,color:#fff,stroke:#00572f
    style C fill:#003b2f,color:#fff,stroke:#00572f
    style D fill:#003b2f,color:#fff,stroke:#00572f
    style E fill:#003b2f,color:#fff,stroke:#00572f
    style F fill:#7f1d1d,color:#fff,stroke:#991b1b
```

On a flat network, one compromised device reaches everything — in minutes.

How to fix it
  • Disable direct RDP exposure to the internet entirely — never expose port 3389 publicly; use your firewall to block it
  • Replace direct RDP with access through a VPN, or move to Zero Trust alternatives: Cloudflare Access (free tier available) or Tailscale (free for small teams) — both are significantly more secure than traditional VPN and don't require an open port
  • Segment your network into at minimum 4 VLANs: employee workstations, servers, IoT/printers, and guest Wi-Fi — a printer doesn't need access to your file server, and guest Wi-Fi definitely doesn't
  • Hardware that supports VLANs without a recurring license: Ubiquiti UniFi ($300–500 for hardware; no subscription) or Fortinet FortiGate 40F (~$300)
  • Enable geo-blocking on your firewall — block remote access login attempts from countries you don't do business with; this alone eliminates the majority of automated attack traffic
  • For Microsoft 365 environments: configure Conditional Access policies to block logins from unexpected locations or unmanaged devices — this is included in Microsoft 365 Business Premium
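An added, read-only PowerShell audit (not from the original post) that reports the host-side conditions behind this section: whether RDP is enabled, whether Network Level Authentication is required, and whether an inbound firewall rule opens TCP 3389 to any remote address. `Get-RdpExposure` is a hypothetical name; the script checks only the Windows host, not what your perimeter router or firewall forwards.

```powershell
# Added example: audit one Windows host for the RDP exposure described above.
# Run in an elevated session; it reads registry and firewall state and changes nothing.
function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-ItemProperty -Path $ts
    $nla = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp"

    # Enabled inbound allow rules that open TCP 3389 (or every port)
    $openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '3389' -or $pf.LocalPort -eq 'Any')
        }
    # A rule is wide open when it accepts connections from any remote address
    $wideOpen = $openRules | Where-Object {
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }

    [pscustomobject]@{
        RdpEnabled         = ($rdp.fDenyTSConnections -eq 0)
        NlaRequired        = ($nla.UserAuthentication -eq 1)
        ListeningPort      = $nla.PortNumber
        InboundAllowRules  = @($openRules).Count
        RulesOpenToAnyHost = @($wideOpen | Select-Object -ExpandProperty DisplayName)
        PublicProfileOpen  = [bool]($wideOpen | Where-Object { $_.Profile -match 'Public|Any' })
    }
}

$audit = Get-RdpExposure
$audit

# Verdicts in the post's terms
if ($audit.RdpEnabled -and $audit.RulesOpenToAnyHost.Count -gt 0) {
    Write-Warning 'RDP accepts connections from any address. Scope the rule to your VPN subnet or disable RDP; do not rely on the router alone.'
}
if ($audit.RdpEnabled -and -not $audit.NlaRequired) {
    Write-Warning 'Network Level Authentication is off: a session is created before credentials are checked.'
}
```

A clean host result still says nothing about port forwarding at the perimeter; confirm the router has no 3389 forward before calling the gap closed.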

The Common Thread

None of these five mistakes requires a sophisticated attacker to exploit. They're exploited by automation: credential stuffing scripts and ransomware that scans for open ports. The good news is that they're also the most fixable — with specific tools, clear ownership, and a small recurring time investment.

The businesses that avoid catastrophic breaches aren't the ones with the biggest security budgets. They're the ones that closed these five doors and kept them closed.

If you're unsure where your business stands on any of these, a free IT security assessment is the fastest way to find out. We run through your environment — remote access configuration, backup status, patch posture, MFA coverage — and give you a prioritized list of what to address first. No sales pitch, just findings.


Petrov IT Solutions

Managed IT, cybersecurity, and cloud services for small and mid-size businesses across the Philadelphia tri-state area — Bucks, Montgomery, Delaware, and Philadelphia counties.
