
Cybersecurity

Cybersecurity for SMBs: the small list that does most of the work

Eight controls that block the overwhelming majority of attacks against small and mid-sized businesses.

5 March 2026 · KodingTech

You do not need a SOC. You need a small set of controls, configured correctly, and someone who notices when one of them stops working.

The list

  1. MFA on every account that can reach data. Email, VPN, admin consoles, SaaS — no exceptions. Hardware keys for admins.
  2. Conditional access. No legacy authentication. Block sign-ins from countries you do not operate in.
  3. EDR on every endpoint. Defender for Business, Bitdefender GravityZone, SentinelOne — pick one and configure it.
  4. Patching as a process. Monthly cadence, monitored, with an emergency window for critical CVEs.
  5. Email security. Anti-phishing, anti-spoofing, link rewriting. SPF, DKIM, DMARC at “reject”.
  6. Backup with immutable copies and a tested restore. If you have not tried to restore it, you do not have a backup.
  7. Least privilege. Standard users cannot install software. Admin accounts are separate, and only used for admin tasks.
  8. Awareness, lightly. Quarterly phishing simulation and a 15-minute briefing — not a 90-minute video no one watches.
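One way to check the email-security item above (SPF, DKIM, DMARC at "reject"), as an added example that is not part of the original post: a small Python checker that takes a domain's SPF and DMARC TXT records as strings (so it runs offline; plug in a DNS lookup to use it live) and reports anything weaker than SPF ending in -all and DMARC at p=reject. The record values in the comments and test are constructed, not taken from any real domain; DKIM is not covered because its key lives under a selector you have to know.

```python
import re
from typing import List, Optional

# SPF terms that cause a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    """Return findings for a domain's SPF and DMARC records; an empty list meets the bar."""
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record; receivers cannot fail forged envelope senders")
    else:
        terms = spf.split()[1:]
        last = terms[-1].lower() if terms else ""
        if last in ("all", "+all"):
            findings.append("SPF: '+all' authorizes every sender on the internet")
        elif last == "?all":
            findings.append("SPF: '?all' is neutral, so nothing ever fails")
        elif last == "~all":
            findings.append("SPF: '~all' softfail; only DMARC at reject makes this bite")
        elif last != "-all":
            findings.append("SPF: record does not end in an 'all' mechanism")
        lookups = sum(1 for t in terms if LOOKUP_TERMS.match(t))
        if lookups > 10:
            findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        findings.append("DMARC: no record; SPF/DKIM results are never enforced")
        return findings
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: policy is '{policy or 'missing'}', not 'reject'")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"DMARC: subdomain policy sp={tags['sp']} is weaker than the domain policy")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    return findings

if __name__ == "__main__":  # constructed sample records, not a real domain's
    for f in assess("v=spf1 include:spf.protection.outlook.com ~all", "v=DMARC1; p=none"):
        print(f)
```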

What is not on the list

  • A SIEM for a 40-person company.
  • A pen test before you have done the basics.
  • A 200-page policy binder.

These have their place — later, and only if a real risk or auditor asks for them.

How to start

If you can only do three things this quarter: MFA everywhere, EDR everywhere, tested backup. The rest can follow.

Want a real audit, written down and prioritized? We do those.

Tags: #security #mfa #edr #backup
