Open Book Cyber

Contact information, map and directions, contact form, opening hours, services, ratings, photos, videos and announcements from Open Book Cyber, Information Technology Company, Wichita Falls, TX.

05/28/2026

Before most targeted attacks happen, someone did research.

Your business website gives an attacker a significant amount of useful information before they take any other action. The names of your staff are useful for crafting convincing phishing emails that reference real colleagues. The email format your business uses matters too: if one employee's email is [email protected], every other employee's email can be inferred. The software tools and platforms you use are often visible in case studies, job postings, or footer credits.

Your LinkedIn page tells them your org chart. Job postings tell them what software your team uses and what your internal processes look like. A mention of specific tools in a blog post tells an attacker exactly which platforms to target for a credential attack.

This is called open-source intelligence gathering (OSINT), and it requires no hacking. It is entirely legal research done on publicly available information, and it happens before any attack begins.

The reason this matters for small businesses is that it shifts who gets targeted from random to deliberate. A business that has publicly available information about its staff, its tools, and its processes provides an attacker with a head start.

This does not mean scrubbing your website or hiding your team. It means being thoughtful about what operational details are publicly visible and making sure the security controls are in place to make that research less useful.

05/26/2026

The reason most small business owners do not act on cybersecurity is not that they do not care.

It is that the topic feels overwhelming. Every article introduces new terminology. Every tool claims to be essential. Every conversation about security suggests that unless you are doing everything perfectly you are doing nothing at all.

That framing is both inaccurate and counterproductive.

Cybersecurity for a small business is not all or nothing. It is a series of decisions about where to focus limited time and budget to reduce the most meaningful risk. A business that has enabled MFA on all accounts and trained its staff to recognize phishing is dramatically more secure than one that has done neither, even if neither business has a full security team.

The practical starting point is knowing where you actually stand. Not where you assume you stand. Not where you hope you stand. What is actually in place, what is not, and which gaps carry the most risk for your specific business and client type.

From that baseline the path forward becomes clearer. Not everything at once. The highest impact items first, with a realistic timeline for the rest.

The businesses that get stuck are the ones that wait for a perfect plan before taking any action. The businesses that make progress start with what they can see and build from there.

05/25/2026

This Memorial Day, we remember those who gave their lives for our freedom and honor the families who carry their legacy forward. Thank you to all who have served.

05/24/2026

Cyber insurance renewal is becoming one of the more stressful annual events for small business owners.

Carriers are asking more questions. The questions are more technical. The consequences of answering incorrectly, either because the control does not exist or because it was not fully understood, are more significant than they were a few years ago.

For businesses that have done the work, renewal looks different. The questions on the application map to controls that are actually in place.

MFA: yes, enabled across all accounts, here is the documentation.
Employee training: yes, conducted annually, here are the completion records.
Incident response plan: yes, documented and reviewed.
Data backup: yes, tested and stored separately from primary systems.

The conversation with the broker becomes straightforward rather than anxious. There are no gaps to minimize or explain. The premium reflects the actual risk profile of a business that has invested in its security.

And the coverage that results is more reliable, because the controls that were represented at application are the controls that are actually in place. If something goes wrong, the claim is not complicated by a discrepancy between what was promised and what was present.

That outcome is available to any small business. It requires doing the actual work rather than completing the application hopefully.

05/22/2026

Most small businesses have more shared files than they realize and more people with access to those files than they intended.

Here is a quick audit you can do right now across your cloud storage:

In OneDrive or SharePoint: Go to the OneDrive web interface. Click the Shared section on the left sidebar. You will see every file and folder that has been shared, with whom, and what level of access they have. Look specifically for anything shared with "Anyone with the link." This means the file is effectively public and accessible to anyone who has or discovers the URL.

In Google Drive: Go to drive.google.com. In the search bar type "is:shared" and press enter. This will show every item you have shared. Right click on each and select Share to review who has access and at what permission level.

In Dropbox: Open the Dropbox web interface and go to the Sharing tab on the left. Review every shared folder and shared link.

What you are looking for in each platform: files shared with people who no longer work for you, sharing links set to anyone rather than specific people, and folders with edit access granted to people who only need view access.

Most businesses find at least one thing they did not know was there. It takes five minutes and the results are worth knowing before someone else finds them first.

Also, I put together a free Small Business Cybersecurity Checklist. Takes 3 minutes and you get a score at the end. It will help you find where your gaps are. You can find it in the comments below!

05/20/2026

When you hire a contractor to work on your building, you do not expect them to explain every technical decision in construction jargon.

A good contractor tells you what they found, what it means for your building, what your options are, and what they recommend, in language you can understand and act on. You do not need to know how to lay concrete to understand that the foundation needs attention and here is what fixing it looks like.

Cybersecurity should work the same way.

A good cybersecurity consultant is not there to demonstrate how technical they are. They are there to find the vulnerabilities in your environment, explain what those vulnerabilities mean for your specific business and your clients, and give you a prioritized path forward that makes sense given your budget and your risk.

If you have ever sat through a security briefing and understood very little of it, that is not a you problem. Plain language is not a sign of a less rigorous process. It is a sign that the consultant actually understands the problem well enough to explain it clearly.

The measure of a good security review is not the thickness of the report or the density of the technical terminology. It is whether the business owner walks away knowing exactly what to do next and why it matters.

That is the standard worth holding any security engagement to.

05/18/2026

The password advice most people have received is wrong in a specific way.

The traditional guidance (at least eight characters, one uppercase, one number, one special character) produces passwords that are hard for humans to remember and easier for computers to crack than most people realize. A password like P@ssw0rd satisfies all of those requirements and is cracked almost instantly by modern tools.

What actually makes a password resistant to cracking is length.

Specifically, randomness combined with length.

The most practical approach for a small business is a password manager combined with a strong master password. The password manager generates and stores unique, long, random passwords for every account, and the employee only needs to remember one strong master password to access them.

For the master password, use a passphrase. Four or more unrelated words strung together. Something like Purple Lamp Bicycle Eleven gives you a password that is both easy to remember and extremely difficult to crack. The length creates the security. The randomness of the word combination prevents dictionary attacks. The fact that it is memorable means employees will not write it on a sticky note.

For accounts where a password manager is not being used, a minimum of fourteen characters matters more than which special characters are included.

The goal is a system your team will actually follow, because a strong password policy that nobody uses accomplishes nothing.

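The length-over-complexity point above, as an added Python example that is not part of the original post: it checks a password against the legacy rule and against a length-first policy, and estimates passphrase entropy. The word lists and substitution table are small constructed samples, and the 7776-word list size mentioned in the comments is an assumption (the size of a Diceware-style list).

```python
import math
import secrets

# Constructed samples: production use needs a large breached-password list
# and a full word list (a Diceware-style list has 7776 words).
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "admin"}
SAMPLE_WORDS = ["purple", "lamp", "bicycle", "eleven", "anchor", "meadow",
                "copper", "violin", "harbor", "pebble", "lantern", "orbit"]
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                               "3": "e", "$": "s", "5": "s", "!": "i"})


def meets_legacy_rule(pw: str) -> bool:
    """Traditional rule: 8+ chars with an uppercase, a digit and a special."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def is_disguised_common(pw: str) -> bool:
    """True if dropping trailing digits and undoing substitutions gives a known password."""
    base = pw.lower().rstrip("0123456789!").translate(SUBSTITUTIONS)
    return base in COMMON_PASSWORDS


def policy_verdict(pw: str, min_len: int = 14) -> str:
    """Length-first policy: reject known-password variants, then require 14+ chars."""
    if is_disguised_common(pw):
        return "reject: variant of a common password"
    if len(pw) < min_len:
        return f"reject: shorter than {min_len} characters"
    return "accept"


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy in bits of `words` words drawn uniformly at random."""
    return words * math.log2(wordlist_size)


def make_passphrase(words: int = 4, wordlist=SAMPLE_WORDS) -> str:
    """Choose words with a CSPRNG; words a person picks are not random."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))
```

The entropy estimate only holds when the words are machine-selected from the full list, which is why `make_passphrase` uses `secrets` rather than asking the user to think of words.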

05/14/2026

Most small businesses have some form of backup. Most of them have never verified that it works.

Here are the three things worth backing up and how to confirm the backup is actually usable when needed:

Client and business records. This includes any data that would be catastrophic to lose, such as client files, financial records, contracts, and correspondence. This data should be backed up to at least one location that is not on the same network or device as the original. A cloud backup is the most practical option for most small businesses. OneDrive and Google Drive provide automatic syncing, but syncing is not the same as a backup. If ransomware encrypts your files, the encrypted versions sync to the cloud and overwrite the clean copies. A true backup uses versioning or a separate backup tool that retains historical copies.

Email and calendar data. In Microsoft 365 and Google Workspace, email and calendar data is retained by the platform but may not be indefinitely recoverable in all incident scenarios. Dedicated third-party backup tools for Microsoft 365 provide an additional recovery layer.

How to verify: The only meaningful backup test is a restoration test. Pick a non-critical file and restore it from backup to confirm the process works and the file is intact. Do this at least once and ideally on a schedule. A backup you have never restored from is an assumption, not a verified recovery capability.

Most ransomware victims who had backups still paid the ransom because the backups had never been tested and did not work when needed.


05/12/2026

Multi-factor authentication is one of the most important security controls a small business can implement.

It is also not a complete solution by itself, and understanding its limitations makes it more useful rather than less.

The most common attack against MFA is called MFA fatigue or MFA bombing. An attacker who has obtained a user's password sends repeated MFA approval requests to the user's phone, sometimes dozens in a row, until the user gets annoyed and confused and then approves one to make them stop. No technical vulnerability is exploited. The user is simply worn down.

A second limitation is that text message-based MFA can be bypassed through SIM swap attacks, where an attacker convinces a mobile carrier to transfer the victim's phone number to a device the attacker controls, allowing them to receive the SMS codes.

Both of these limitations have straightforward mitigations.

For MFA fatigue: use an authenticator app rather than push notification approval wherever possible. Authenticator apps require the user to enter a time-sensitive code rather than simply tap approve, which eliminates the fatigue attack. Microsoft Authenticator and Google Authenticator are both free.

For SIM swap: where possible use authenticator apps instead of SMS codes. Contact your mobile carrier and ask them to add a SIM lock or port freeze to your account.

MFA remains one of the highest-value controls available.

Understanding how it gets defeated makes it easier to implement in a way that is actually resistant.

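Detection logic for the MFA fatigue pattern described above, as an added Python example that is not part of the original post: it flags a user who receives several unapproved push prompts in a short window and records whether the burst ended in an approval. The log format, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a made-up "timestamp user result" format;
# map your identity provider's sign-in log fields onto these three columns.
SAMPLE_LOG = """\
2026-05-12T09:00:05 alice push_approved
2026-05-12T22:41:10 bob push_denied
2026-05-12T22:41:40 bob push_ignored
2026-05-12T22:42:05 bob push_denied
2026-05-12T22:42:30 bob push_ignored
2026-05-12T22:43:02 bob push_approved
2026-05-13T08:15:00 carol push_denied
2026-05-13T08:15:30 carol push_approved
"""


def detect_mfa_fatigue(log_text, threshold=4, window=timedelta(minutes=10)):
    """Flag users who receive `threshold` unapproved pushes within `window`.

    `approved` is True when the burst ended with the user approving a prompt.
    """
    pending = defaultdict(deque)  # user -> times of recent unapproved prompts
    open_bursts, alerts = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        queue = pending[user]
        while queue and ts - queue[0] > window:
            queue.popleft()
        if not queue:
            open_bursts.pop(user, None)  # burst went quiet, close it
        if result == "push_approved":
            if user in open_bursts:
                open_bursts.pop(user)["approved"] = True
            queue.clear()
            continue
        queue.append(ts)
        if user in open_bursts:
            open_bursts[user]["prompts"] += 1
        elif len(queue) >= threshold:
            alert = {"user": user, "start": queue[0].isoformat(),
                     "prompts": len(queue), "approved": False}
            open_bursts[user] = alert
            alerts.append(alert)
    return alerts
```

An alert with `approved` set to True is the case to treat as a likely account compromise: reset the password and revoke active sessions before investigating further.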

05/10/2026

Happy Mother's Day to all the moms out here! Enjoy your day! 💜

Address

Wichita Falls, TX