Two different jobs
Most small businesses handle security the same way: they hire an IT support person or managed service provider to keep the computers running, and they assume security is part of that arrangement.
Sometimes it is. Often it is not.
IT support is reactive. Something breaks, someone fixes it. Printers are connected, software is installed, passwords are reset. A good IT provider keeps the lights on and responds when things go wrong.
Security is proactive. It is about identifying what could go wrong before it does — mapping the attack surface, finding vulnerabilities, monitoring for threats, training employees, and building the processes that reduce risk systematically over time.
These are different disciplines, different skill sets, and often different people. Assuming your IT provider is handling security because they are handling IT is one of the most common and costly assumptions small businesses make.
What IT support typically covers
A managed IT service provider or in-house IT generalist typically handles:
- Hardware procurement and setup
- Software installation and licensing
- Network configuration
- Help desk support
- Backup setup (though not always backup testing)
- Basic antivirus deployment
- Workstation patching (sometimes)
- Email configuration
This is valuable work. But it is not a security program.
What a security program actually covers
A security program is the set of people, processes, and technology specifically designed to protect the organization against cyber threats. For a small business, it does not need to be elaborate. But it needs to exist deliberately, not as a side effect of IT support.
Vulnerability management
Someone needs to know what your internet-facing systems look like from the outside. What ports are open. What software versions are running. What CVEs apply to those versions. What an attacker would find if they ran a scan against your domain today.
This is not the same as making sure the office computers have antivirus. It is an active, ongoing process of finding and remediating external exposures.
Email security
Business email compromise and phishing are responsible for the majority of small business security incidents. A security program addresses email specifically: SPF, DKIM, and DMARC configured to prevent spoofing; MFA on all email accounts; phishing simulation to train employees; policies for how to handle suspicious emails and requests for wire transfers.
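The SPF and DMARC part of that list (and the "configured with enforcement policies" item in the baseline below) is easy to get half right: a record can exist and still only monitor. The following is an added example, not tooling from this post or from Kaspera Shield, that reads SPF and DMARC TXT record text and reports whether the domain actually enforces. The record strings are constructed samples; a real check would fetch them from DNS first.

```python
"""Check published SPF and DMARC records for an enforcing posture.

Added example: parses DNS TXT record text (constructed samples below;
a real check would fetch the records for the domain and _dmarc.<domain>)
and reports whether the domain enforces or merely monitors.
"""
import re

# Mechanisms and modifiers that each cost one DNS lookup. RFC 7208 caps the
# total at 10; exceeding it makes receivers treat the record as a permerror.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> dict:
    """Return findings for one SPF TXT record string."""
    terms = record.strip().split()
    findings = {"valid": False, "enforcing": False, "lookups": 0, "issues": []}
    if not terms or terms[0].lower() != "v=spf1":
        findings["issues"].append("missing v=spf1 version tag")
        return findings
    findings["valid"] = True
    all_qualifier = None
    for term in terms[1:]:
        qualifier, body = "+", term
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        # Mechanism/modifier name is everything before ':', '/' or '='.
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            findings["lookups"] += 1
        if name == "all":
            all_qualifier = qualifier
    if findings["lookups"] > 10:
        findings["issues"].append(
            f"{findings['lookups']} DNS lookups exceeds the RFC 7208 limit of 10")
    if all_qualifier is None:
        findings["issues"].append("no 'all' mechanism; unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings["issues"].append("+all lets any host send as this domain")
    elif all_qualifier == "-":
        findings["enforcing"] = True
    else:
        findings["issues"].append(f"{all_qualifier}all does not hard-fail unauthorised senders")
    return findings


def check_dmarc(record: str) -> dict:
    """Return findings for one DMARC TXT record string."""
    findings = {"valid": False, "enforcing": False, "policy": None, "issues": []}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        findings["issues"].append("missing v=DMARC1 tag")
        return findings
    findings["valid"] = True
    policy = tags.get("p", "").lower()
    findings["policy"] = policy or None
    if policy not in ("none", "quarantine", "reject"):
        findings["issues"].append("p tag missing or invalid")
        return findings
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        findings["issues"].append("pct tag is not an integer")
        pct = 100
    if policy == "none":
        findings["issues"].append("p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        findings["issues"].append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    else:
        findings["enforcing"] = True
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings["issues"].append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        findings["issues"].append("no rua address; aggregate reports will not be received")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks; a domain only counts as enforcing when both do."""
    spf, dmarc = check_spf(spf_record), check_dmarc(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "enforcing": spf["enforcing"] and dmarc["enforcing"]}


# Constructed sample records for two hypothetical domains.
SAMPLE_RECORDS = {
    "monitor-only.example": (
        "v=spf1 include:_spf.google.com ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    ),
    "enforcing.example": (
        "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all",
        "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@enforcing.example",
    ),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        result = assess_domain(spf_txt, dmarc_txt)
        print(domain, "enforcing" if result["enforcing"] else "NOT enforcing")
        for issue in result["spf"]["issues"] + result["dmarc"]["issues"]:
            print("  -", issue)
```

The point of the check is the gap between "we have DMARC" and "DMARC does something": `p=none` and `~all` are the right first step while aggregate reports are reviewed, but a domain that never moves to `p=reject` (or `quarantine`) with `-all` remains spoofable.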
Access control
Who has access to what, and do they still need it? Former employees whose accounts are not promptly disabled represent a real risk. Shared passwords eliminate accountability and make incident response harder. Privileged access — admin accounts, root access, financial system access — needs to be limited to those who genuinely need it and protected with stronger controls.
Incident response
When something goes wrong — and eventually something will — does anyone know what to do? Who do you call? What systems do you take offline first? How do you notify affected clients? What do you preserve for forensic analysis?
A basic incident response plan does not need to be a hundred-page document. It needs to answer those questions before an incident happens, not during one.
Employee training
The majority of successful attacks start with a human — a clicked link, a shared password, a wire transfer authorized based on a spoofed email. Technical controls matter, but they are undermined by employees who do not know what threats look like. Regular security awareness training and phishing simulations are not optional extras. They are core components of a functioning security program.
Backup and recovery
Backups are the last line of defense against ransomware. But backups are only useful if they work. Regular backup testing — actually restoring from backup to verify the process — is the difference between a ransomware incident being a painful but survivable event and a catastrophic one.
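"Actually restoring from backup to verify the process" (and the monthly verified backup test in the baseline below) can be automated so it happens whether or not anyone remembers. The following is an added example, not the post's or any vendor's tooling: it makes a tar backup with a SHA-256 manifest, restores it into a scratch directory, compares every restored file against the manifest, and then shows the same check catching a corrupted archive. The files and the corruption are constructed inside a temporary directory.

```python
"""Verify that a backup can actually be restored.

Added example, not the page's own tooling. Takes a backup (a tar archive
plus a manifest of SHA-256 hashes recorded when it was made), restores it
into a scratch directory and compares every restored file against the
manifest. Sample files are constructed in a temporary directory.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source and write a hash manifest beside the archive."""
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path) -> dict:
    """Restore the archive to a scratch directory and check it against its manifest."""
    manifest = json.loads(manifest_path(archive).read_text())
    report = {"ok": False, "restored": 0, "missing": [], "mismatched": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r") as tar:
                # Use the safe extraction filter where this Python provides it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, EOFError, OSError) as exc:
            report["error"] = f"restore failed: {exc}"
            return report
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != expected:
                report["mismatched"].append(rel)
            else:
                report["restored"] += 1
    report["ok"] = not (report["missing"] or report["mismatched"])
    return report


def demo() -> tuple:
    """Back up constructed sample files, verify, then corrupt the archive and verify again."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work, "share")
        (source / "notes").mkdir(parents=True)
        (source / "ledger.csv").write_text("date,amount\n2024-01-02,120.00\n")
        (source / "notes" / "todo.txt").write_text("renew domain\n")
        archive = Path(work, "share.tar")
        make_backup(source, archive)
        good = verify_restore(archive)
        # Simulate silent media corruption: flip bytes inside the stored copy of
        # ledger.csv (an uncompressed tar keeps file content verbatim).
        raw = archive.read_bytes()
        idx = raw.find(b"date,amount")
        archive.write_bytes(raw[:idx] + b"DATE,AMOUNT" + raw[idx + 11:])
        bad = verify_restore(archive)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean archive:", good)
    print("corrupted archive:", bad)
```

The test that matters is the second report: a backup job that reports success every night says nothing about whether the data on the other end is intact, which is exactly the gap ransomware recovery falls into.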
The security program for a 10-person firm
A small business does not need a dedicated security team or a six-figure budget. A realistic security baseline for a 10-person firm includes:
- An external vulnerability scan run quarterly and after any significant infrastructure change
- MFA enabled on all accounts — email, remote access, financial systems
- SPF, DKIM, and DMARC configured with enforcement policies
- A one-page incident response checklist everyone knows exists
- Annual security awareness training and at least two phishing simulation exercises per year
- Monthly verified backup tests
- A written policy for offboarding employees and revoking access
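The offboarding policy in that list, and the access control questions earlier ("who has access to what, and do they still need it?"), are only as good as the review that checks them. The following is an added example, not a process from this post: it joins a constructed HR roster against a constructed account export and flags enabled accounts for departed people, enabled accounts with no named owner, and privileged accounts nobody has used for a set number of days.

```python
"""Periodic access review: catch what offboarding missed.

Added example, not the page's own process. Joins a constructed HR roster
against a constructed export of system accounts and flags enabled accounts
belonging to departed staff, enabled accounts with no named owner, and
privileged accounts that have been idle beyond a threshold.
"""
from datetime import date, timedelta

# Constructed HR roster: username -> employment status.
ROSTER = {
    "amara": "active",
    "ben": "active",
    "chloe": "departed",
    "dev": "departed",
}

# Constructed account export (what an identity provider or server would give you).
ACCOUNTS = [
    {"user": "amara", "enabled": True, "admin": True, "last_login": date(2024, 5, 28)},
    {"user": "ben", "enabled": True, "admin": False, "last_login": date(2024, 5, 30)},
    {"user": "chloe", "enabled": True, "admin": False, "last_login": date(2024, 3, 1)},
    {"user": "dev", "enabled": False, "admin": True, "last_login": date(2023, 11, 14)},
    {"user": "backup-admin", "enabled": True, "admin": True, "last_login": date(2024, 1, 9)},
]


def review_access(roster: dict, accounts: list, today: date, idle_days: int = 90) -> list:
    """Return findings; each names the account, a reason code and the action to take."""
    findings = []
    cutoff = today - timedelta(days=idle_days)
    for acct in accounts:
        user = acct["user"]
        status = roster.get(user)
        if status == "departed" and acct["enabled"]:
            findings.append({"user": user, "reason": "departed-still-enabled",
                             "action": "disable now; check for mail forwarding rules left behind"})
        elif status is None and acct["enabled"]:
            findings.append({"user": user, "reason": "no-named-owner",
                             "action": "assign an owner; a shared login has no accountability"})
        if acct["admin"] and acct["enabled"] and acct["last_login"] < cutoff:
            findings.append({"user": user, "reason": "stale-privileged",
                             "action": f"no admin use in {idle_days} days; remove the privilege or the account"})
    return findings


if __name__ == "__main__":
    for finding in review_access(ROSTER, ACCOUNTS, today=date(2024, 6, 1)):
        print(f"{finding['user']:<14} {finding['reason']:<24} {finding['action']}")
```

Run monthly against a fresh export, the review turns the written offboarding policy into something that is checked rather than assumed; the disabled `dev` account produces no finding, which is what a completed offboarding should look like.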
None of this requires a dedicated security hire. It requires intentionality — treating security as a program that someone owns, not a responsibility that falls between the cracks.
Start with a free external security assessment at kasperashield.com to see what your current external posture looks like and what to prioritize.