The 5 Security Layers Most Small Businesses Are Missing
Most small businesses didn't build security wrong. They built it one tool at a time, and the gaps usually live where the tools don't talk to each other. Here are the five layers we see missing most often.
Why "Good Enough" Coverage Usually Isn't
Most small businesses we meet are not careless about security. They care a lot. The problem is that they built it the way most teams build anything — one tool at a time, when there was time, and usually after a scare.
A new firewall after a close call. Endpoint protection because a customer asked. MFA on email after a near-miss. Each tool helps. But added together, they often leave gaps in places nobody's checking.
That's how a security stack ends up "mostly on" instead of "actually working." It's not bad people. It's just how most small shops grow.
Stop Counting Tools. Start Asking What They're Doing.
The shift that helps most: stop counting tools, and start asking what each part of your stack is supposed to *do*, and whether it is actually doing it.
NIST has a free framework for this — the Cybersecurity Framework 2.0. It groups security into six simple jobs:
Govern — who decides what's allowed?
Identify — do you know what you're protecting?
Protect — what stops a bad day from starting?
Detect — how fast do you know something's off?
Respond — when it happens, who does what?
Recover — how do you get back to normal?
Most small businesses are strong in *Protect*. They have firewalls, MFA, antivirus. The gaps usually show up in *Govern*, *Detect*, *Respond*, and *Recover* — the parts that don't come in a box.
The Five Layers Most Teams Miss
None of these need a giant new platform.
1. Phishing-resistant sign-ins. MFA is good. MFA that can't be captured by a convincing fake login page is better. A one-time code or a push approval can be relayed by a phishing site in real time; a FIDO2 / WebAuthn credential (a hardware key or a platform passkey) is bound to the real site's web origin, so a lookalike page cannot use it. Put phishing-resistant MFA on the accounts that matter most, admin accounts and anyone with access to sensitive data, and keep regular MFA everywhere else.
2. Device trust + clear BYOD rules. Most teams know which laptops they own. Far fewer have written rules for what counts as a "trusted" device, or what to do when one falls behind on updates. If you let people work on personal laptops, the rules need to live somewhere a person can read them.
3. Email safety rails (not just training). Training people to spot phishing is fine. Betting on it is not. The email tools you already pay for can do a lot more: tagging mail that comes from outside the organization, quarantining senders on lookalike domains, rewriting and checking links against known-bad lists, and enforcing DMARC so that mail impersonating your own domain is rejected instead of delivered. Many of these settings are off by default. A 30-minute configuration session catches a lot.
4. Patching that's actually verified. Almost everyone says they patch. Far fewer can show what got patched last month, what didn't, and why: the laptop that hasn't checked in for weeks, the update that broke an application and was rolled back, the server nobody wants to reboot. The "why" pile is where trouble lives. A simple monthly review pulls it out of the dark.
5. A real "what now" plan. Detection only matters if someone acts on it. Two or three short runbooks for the most common scenarios (a reported phishing email, a device behaving oddly, an admin account or admin sign-in nobody recognizes) cover more ground than people expect.
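Why layer 1 holds up against a relayed phishing page comes down to a few checks the real site performs on every WebAuthn sign-in. The example below is added here to illustrate that; it is not code from the original article or from any vendor. It simulates what the browser hands the authenticator to sign (the browser fills in the origin of the page that called the API, and page script cannot change it) and then runs the relying-party checks on the result. The domains, challenge and message layout are constructed for the demo, and signature verification with the stored public key, the final step of the real ceremony, is left out.

```python
import base64
import hashlib
import json

# Everything below is constructed for illustration (not captured from a real site).
EXPECTED_ORIGIN = "https://login.example.com"   # the only origin our login page is served from
EXPECTED_RP_ID = "example.com"                  # the RP ID the credential was registered under
EXPECTED_CHALLENGE = base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(page_origin: str, challenge: str) -> str:
    """What the browser assembles for navigator.credentials.get() and hands to the
    authenticator to sign. The browser writes the origin of the calling page itself,
    so a phishing page gets its own origin here, not ours."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()


def browser_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: SHA-256 of the RP ID (32 bytes), a flags byte with
    user-present set (0x01), and a 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def check_binding(client_data_b64: str, auth_data: bytes,
                  expected_origin: str, expected_rp_id: str, expected_challenge: str):
    """Relying-party checks from the WebAuthn assertion ceremony that make the credential
    phishing-resistant. Returns (accepted, reason). Verifying the signature over
    authenticatorData || SHA-256(clientDataJSON) with the stored key is not shown."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers both undecodable base64 and invalid JSON
        return False, "clientDataJSON not decodable"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed login)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: signed for {client_data.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def demo():
    # Genuine sign-in: the user is on our page, so origin and RP ID are ours.
    genuine = check_binding(
        browser_client_data(EXPECTED_ORIGIN, EXPECTED_CHALLENGE),
        browser_authenticator_data(EXPECTED_RP_ID),
        EXPECTED_ORIGIN, EXPECTED_RP_ID, EXPECTED_CHALLENGE)
    # Relayed phishing: a proxy on a lookalike domain forwards our real challenge to the
    # victim, but the victim's browser signs the phishing origin, and the check fails.
    phished = check_binding(
        browser_client_data("https://login-example.com", EXPECTED_CHALLENGE),
        browser_authenticator_data("login-example.com"),
        EXPECTED_ORIGIN, EXPECTED_RP_ID, EXPECTED_CHALLENGE)
    return genuine, phished


if __name__ == "__main__":
    for label, result in zip(("genuine", "phished"), demo()):
        print(f"{label}: {result}")
```

In practice the phishing attempt usually fails one step earlier: a browser on `login-example.com` will refuse to use an RP ID of `example.com` at all, because the RP ID must be a registrable suffix of the page's own domain. The origin and rpIdHash checks on the server are the backstop for that rule, and they are what a one-time code or push prompt has no equivalent of.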
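The email safety rails in layer 3 are things your mail platform does for you, but it helps to see what the rules actually look like. The example below is added here and is not code from the original article or from any mail product. It triages a handful of constructed message headers against three rails at once: an external-sender tag driven by the DMARC result rather than by the From address alone, a lookalike-domain check that collapses digit and letter swaps before comparing against your own and your partners' domains, and a warning for outside domains that borrow your brand name. `example.com`, `bigbank.com` and the sample headers are all made up for the demo.

```python
import re

# Constructed configuration for this example.
OUR_DOMAIN = "example.com"
TRUSTED_PARTNERS = {"bigbank.com"}             # domains we expect mail from, still external
HOMOGLYPHS = str.maketrans("01357", "olest")   # digits commonly swapped for letters in lookalikes


def skeleton(domain: str) -> str:
    """Normalize a domain so visually similar spellings collapse to one string."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(raw_headers: str):
    m = re.search(r"^From:[^\n]*@([A-Za-z0-9.-]+)", raw_headers, re.M | re.I)
    return m.group(1).lower().rstrip(".") if m else None


def dmarc_result(raw_headers: str):
    m = re.search(r"\bdmarc=(\w+)", raw_headers, re.I)
    return m.group(1).lower() if m else None


def classify(raw_headers: str):
    """Return (action, reason) for one message from its From and Authentication-Results headers."""
    domain = sender_domain(raw_headers)
    if domain is None:
        return "block", "no parseable From domain"
    if domain == OUR_DOMAIN:
        # "Internal" means authenticated as ours, not merely claiming to be ours.
        if dmarc_result(raw_headers) == "pass":
            return "internal", "authenticated as our own domain"
        return "block", "claims our domain but did not pass DMARC (spoofed internal sender)"
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "warn", "punycode label in sender domain (possible Unicode lookalike)"
    for trusted in sorted({OUR_DOMAIN, *TRUSTED_PARTNERS}):
        if domain == trusted:
            return "tag-external", f"known partner {trusted}"
        if levenshtein(skeleton(domain), skeleton(trusted)) <= 1:
            return "block", f"lookalike of {trusted}"
    brand = OUR_DOMAIN.split(".")[0]
    if brand in skeleton(domain):
        return "warn", f"external domain containing our brand name {brand!r}"
    return "tag-external", "external sender"


# Constructed header fragments standing in for received mail.
SAMPLE_MESSAGES = {
    "pat": "From: Pat <pat@example.com>\nAuthentication-Results: mx.example.com; dmarc=pass header.from=example.com",
    "fake-ceo": "From: CEO <ceo@example.com>\nAuthentication-Results: mx.example.com; dmarc=fail header.from=example.com",
    "digit-swap": "From: Accounts <ar@examp1e.com>\nAuthentication-Results: mx.example.com; dmarc=pass header.from=examp1e.com",
    "brand-mix": "From: IT Helpdesk <it@login-example.com>\nAuthentication-Results: mx.example.com; dmarc=pass header.from=login-example.com",
    "partner": "From: Ann <ann@bigbank.com>\nAuthentication-Results: mx.example.com; dmarc=pass header.from=bigbank.com",
    "vendor": "From: News <news@vendor.net>\nAuthentication-Results: mx.example.com; dmarc=none header.from=vendor.net",
}


def triage(messages=SAMPLE_MESSAGES):
    return {name: classify(hdrs) for name, hdrs in messages.items()}


if __name__ == "__main__":
    for name, (action, reason) in triage().items():
        print(f"{name:<11} {action:<13} {reason}")
```

The point of the DMARC branch is that the From header alone cannot tell you a message is internal; only the authentication result can, which is why enforcing DMARC for your own domain belongs in the same config session as the external-sender tag.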
Where to Start
Don't try to fix all five at once. Pick the layer that worries you the most, fix that, and move to the next.
If you're not sure where to start, the order we usually suggest is: lock down sign-ins (layer 1), turn on the email safety rails (layer 3), then write down what counts as a trusted device (layer 2). Patching and "what now" plans come next, in either order.
The point is not to buy more tools. It's to make sure the ones you already have are pulling together.
