
Sunday, August 10, 2025

The Biggest Cybersecurity Mistake You Might Be Making as a Small Business

Hacked? Call PROVENDATA @ 212-335-1323 for a 30-minute incident response. You should notify local police right away and file a report with the IC3 (Internet Crime Compliance Center) if the hack involves online fraud (as opposed to, say, DDoS). Then, call your insurance provider, if you have one.

Most small businesses don’t get breached because attackers are “brilliant.” They get breached because the basics are skipped. Here are the top three mistakes we see repeatedly, the real reasons they happen, and how to recognize them early.

Remember your friends: strong passwords, MFA, data backups and employee training

1. “We’re Too Small to Be Targeted” → No Asset Inventory or Risk Picture

When leaders assume size equals safety, they underinvest in visibility: no current list of devices, SaaS apps, admin accounts, third-party connections, or sensitive data locations. You can’t protect what you can’t see.

Root cause: No owner for security basics; competing priorities; “it’s an IT problem” mindset; lack of a lightweight process to track assets and vendors.

Impact: Missed patches, forgotten cloud storage, dormant admin accounts, and exposed test systems become the attacker’s easiest path.

  • Red flag: No single source of truth for laptops, servers, routers, SaaS, and who administers them.
  • Red flag: Vendor list exists in email threads, not in a living register with data-access notes.
  • Red flag: No routine that ties onboarding/offboarding to account provisioning and removal.

2. Weak Identity & Access: No MFA, Shared Passwords, Excess Privilege

Most breaches start with a stolen or reused password. Without multi-factor authentication (MFA), password managers, and least-privilege roles, one phish can become a company-wide compromise.

Root cause: Convenience beats control; lack of SSO or password tooling; unclear ownership of user lifecycle; fear that MFA will “slow people down.”

Impact: Account takeovers, business email compromise, unauthorized payouts, and silent data exfiltration.

  • Red flag: Shared logins for payroll, bank, social, or cloud consoles.
  • Red flag: Admin rights granted “just in case,” never reviewed.
  • Red flag: MFA exceptions for executives or “critical” accounts.

3. Backups & Incident Readiness: Unverified, Unisolated, or Unplanned

Many teams “have backups” but never test restores, don’t keep an offline/immutable copy, and lack a simple incident plan. Ransomware thrives in that gap.

Root cause: Set-and-forget mindset; backup ownership unclear; no recovery time objectives (RTO) or recovery point objectives (RPO) defined; drills feel expensive.

Impact: Paying ransoms, week-long downtime, lost customer trust, and regulatory headaches.

  • Red flag: No quarterly restore test to a clean environment.
  • Red flag: Backups live on the same network with write access from domain accounts.
  • Red flag: No contact sheet, roles, or decision tree for an incident—only a hope and a prayer.

Quick FAQ

How do we start if we have almost nothing in place?

Name an owner. Build a one-page inventory of assets, admins, SaaS apps, and vendors. Turn on MFA everywhere. Test a single restore. Schedule a monthly 30-minute review.

What’s the fastest risk reducer this week?

Enable MFA for email and financial systems, remove unused admin accounts, and verify an offline/immutable backup exists.