Small businesses are a primary target for cybercriminals — not because attackers particularly want your data, but because small businesses are easy. Automated scanning tools probe millions of IP addresses looking for known vulnerabilities. When they find one, an attack can be launched in minutes with no human involvement at all.

The good news is that the most common gaps are also the most fixable. None of the five issues below require expensive software or a dedicated security team. They require attention, a couple of hours, and ideally someone who knows what they're looking for.

Gap 1: Default credentials still set (High Risk)

Every router, switch, network camera, printer, and NAS device ships with a default username and password. These are publicly documented in the manufacturer's manual — and indexed by tools like Shodan, which lets anyone on the internet search for exposed devices by model.

If your office router still has admin / admin or admin / password, it's not a matter of if someone will get in — it's when. The same applies to IP cameras, especially budget models purchased from online marketplaces.

The fix

Change the default password on every network-connected device to a unique, strong password. Store them in a password manager (Bitwarden is free and excellent). While you're at it, disable remote management on your router unless you specifically need it — most small businesses don't.

Gap 2: No MFA on email (High Risk)

Business email compromise (BEC) is one of the most common and costly cyberattacks targeting small businesses. An attacker gains access to an email account — usually through a phished or reused password — and uses it to redirect payments, impersonate the owner, or move laterally into other systems.

Multi-factor authentication (MFA) stops the vast majority of these attacks cold. Even if an attacker has your password, they can't log in without also having your second factor, typically your phone.

Microsoft reports that MFA blocks over 99.9% of account compromise attacks. It takes about five minutes to enable in Microsoft 365 or Google Workspace. There is no good reason not to have it turned on for every account in your organization.

The fix

Enable MFA for all users in your Microsoft 365 or Google Workspace admin panel. Use an authenticator app (Microsoft Authenticator or Google Authenticator) rather than SMS where possible — SMS can be intercepted. Enforce it as a policy so new employees get it automatically.

Gap 3: Unpatched firmware and software (High Risk)

The majority of successful ransomware attacks exploit known vulnerabilities — security holes that have already been patched by the software vendor. The problem isn't that patches don't exist; it's that nobody installed them.

This applies to:

  • Windows updates on workstations (often disabled because "updates cause problems")
  • Router and firewall firmware (often never updated after installation)
  • Network-attached storage (NAS) devices (frequently forgotten entirely)
  • Browser plugins and third-party software

When a patch is released, security researchers and attackers both read the release notes. Attackers immediately start looking for unpatched systems. The window between a patch release and active exploitation is often measured in days, not months.

The fix

Enable automatic updates for Windows and macOS. Set a monthly calendar reminder to check the admin interface of your router, firewall, and any other network appliances for firmware updates. If you have a NAS, check it too — QNAP and Synology both had critical vulnerabilities exploited at scale in recent years.

A note on "updates break things": Yes, occasionally an update causes an issue. That's a real concern. But leaving known security vulnerabilities unpatched because updates are occasionally inconvenient is trading a small, manageable risk for a potentially catastrophic one. The right answer is a test environment or a staged rollout — not skipping patches entirely.

Gap 4: No tested backup and recovery plan (Medium Risk)

Almost every business owner will tell you they have backups. Fewer can tell you the last time those backups were tested. Even fewer have actually restored from a backup to verify the process works.

Backups that have never been tested are not backups — they're hopes. We've seen businesses pay ransomware demands because their backups were incomplete, corrupted, or stored on the same network as the encrypted files.

The standard recommendation is the 3-2-1 rule:

  • 3 copies of your data
  • 2 different storage media (e.g. local drive + cloud)
  • 1 offsite/offline copy that ransomware can't reach

The fix

Set up automated daily backups to both a local destination and a cloud service. Backblaze B2, Wasabi, or even a basic Microsoft 365 backup solution work well for most small businesses. Once a quarter, actually restore a file from backup to verify it works. Document the restore process so someone other than you can follow it.
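As an added example (not part of the original post), here is a small Python script that records a SHA-256 manifest when the backup is taken and checks a restored copy against it, so the quarterly restore test reports missing, corrupted, or unexpected files instead of just "the file opened". The sample files and the bad restore are constructed in a temporary directory.

```python
"""Verify a restored backup against a manifest of SHA-256 hashes taken at
backup time. Added example, not from the original post; sample files are
constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest; empty lists mean a clean restore."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),      # never came back
        "corrupt": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),   # not in the backup set
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one file truncated, one lost, one stray temp file."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for d in (live, restored):
            (d / "finance").mkdir(parents=True)
        (live / "finance" / "invoices.csv").write_text("id,amount\n1,1200\n")
        (live / "finance" / "ledger.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
        (live / "readme.txt").write_text("quarterly restore test\n")
        manifest = build_manifest(live)  # record this with the backup itself
        # Simulate a bad restore: ledger truncated, readme missing, stray file added.
        (restored / "finance" / "invoices.csv").write_text("id,amount\n1,1200\n")
        (restored / "finance" / "ledger.xlsx").write_bytes(b"PK\x03\x04")
        (restored / "finance" / "~$ledger.tmp").write_bytes(b"")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {', '.join(files) or 'none'}")
```

Store the manifest alongside the backup (and a copy with the offline 3-2-1 copy) so a restore can be checked even if the live system is gone.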

Gap 5: Flat networks with no segmentation (Medium Risk)

In most small business networks, everything is on the same network: staff laptops, the point-of-sale system, the guest WiFi, the IP cameras, the server, and the smart TV in the boardroom. If any one of those devices is compromised, an attacker can potentially reach all the others.

Network segmentation separates devices into different logical groups (VLANs) so that a compromised device can't automatically communicate with everything else. At minimum, most businesses should separate:

  • Guest WiFi — completely isolated from internal systems
  • IoT devices (cameras, printers, smart TVs) — on their own VLAN
  • POS or payment systems — isolated for PCI compliance
  • Staff devices — the main internal network

This doesn't require enterprise hardware. Most modern business-grade routers and access points (Ubiquiti, Meraki, even higher-end consumer gear) support VLANs and multiple SSIDs.

The fix

At minimum, set up a separate guest WiFi network that's isolated from your internal systems. Your router almost certainly supports this already. For fuller segmentation, this is where a network assessment makes sense — the right architecture depends on what devices you have and how they need to communicate.

The bottom line

None of these are exotic. They're the basics — and they're the basics because attackers reliably exploit them. A business that gets these five things right is dramatically harder to compromise than one that doesn't, and significantly ahead of most small businesses in the Lower Mainland.

If you're not sure where your business stands on any of these, a security assessment is the right starting point. It gives you a clear picture of your current posture and a prioritized list of what to address first — without the pressure of a sales pitch attached.

SecureDeer offers free cybersecurity assessments for small businesses in Langley and across the Fraser Valley. Book one here — we'll walk through your environment and give you an honest report, no strings attached.