Small Business Cybersecurity Guide for Oklahoma Businesses
A practical, no-jargon guide to protecting your Oklahoma business from cyber threats. Covers what every small business needs to know about phishing protection, password management, network security, backups, and incident response.
1. Why Small Businesses Are Targets
If you run a small business in Oklahoma, you might assume cybercriminals are focused on the big fish: banks, hospitals, Fortune 500 companies. The reality is the opposite. According to industry data, 43% of all cyberattacks target small businesses, and that number keeps going up.
The reason is simple: small businesses typically have weaker defenses than enterprises. Most lack dedicated IT staff, formal security policies, or even basic protections like multi-factor authentication. Attackers know this. They also know that small businesses are less likely to detect a breach quickly, giving criminals more time to extract data, install ransomware, or use compromised accounts to attack the business's customers and partners.
Oklahoma businesses face the same threats as companies in New York or San Francisco. Phishing campaigns, ransomware, credential stuffing, and business email compromise do not discriminate by geography. A dental office in Yukon is just as vulnerable as one in Dallas if it lacks proper defenses.
The financial hit is serious. The average cost of a data breach for a small business ranges from $120,000 to $200,000. That includes incident response, customer notification, legal fees, regulatory fines, lost business during downtime, and reputational damage. For many small businesses, a single breach is enough to force permanent closure.
The good news is that the most effective defenses are not expensive or complicated. They require discipline, not deep pockets. The rest of this guide walks through exactly what your business needs, in priority order, to cut your risk significantly.
Key Takeaway: Small businesses are targeted specifically because attackers know they have fewer defenses. The most effective protections are process-driven, not expensive. The basics in this guide will block most of the common attacks.
2. The Essentials: Your Security Baseline
These are the minimum defenses every Oklahoma business should have in place, regardless of size or industry. If you do nothing else, implement these six controls. They stop most common attacks.
Multi-Factor Authentication (MFA)
MFA adds a second verification step beyond your password. Even if an attacker steals your password through phishing or a data breach, they cannot access your account without the second factor. Enable MFA on every account: email, banking, social media, cloud services, accounting software, and any system that supports it.
Not all MFA is equal. SMS text codes are better than nothing, but they can be intercepted through SIM swapping attacks. Authenticator apps (Google Authenticator, Microsoft Authenticator, or Authy) are much safer. For the highest protection, hardware security keys (YubiKey or Google Titan) provide phishing-resistant authentication that cannot be bypassed remotely.
Password Manager
Reusing passwords is the single most dangerous habit in business computing. When one service is breached (and breaches happen constantly), attackers try those stolen credentials on every other service. If your QuickBooks password matches your email password, one breach compromises both.
A password manager generates and stores unique, complex passwords for every account. Your team only needs to remember one master password. Recommended options: Bitwarden (open-source, excellent free tier, business plans from $4/user/month), 1Password (polished business features, $7.99/user/month), or Keeper (strong compliance features). Every password should be at least 16 characters and completely unique.
Endpoint Protection
Every device that connects to your business network needs anti-malware protection. This means every laptop, desktop, tablet, and phone that accesses company email, files, or applications. Windows Defender is acceptable for very small businesses (under 5 employees) and comes free with Windows. For more robust protection, Bitdefender GravityZone or SentinelOne provide business-grade endpoint detection and response (EDR) with centralized management dashboards.
Email Filtering
Since phishing is the number one attack vector, blocking malicious emails before they reach employee inboxes is critical. Google Workspace and Microsoft 365 both include built-in spam and phishing filters that catch the majority of threats. For businesses that want additional protection, Proofpoint or Barracuda provide advanced email security with URL rewriting, attachment sandboxing, and impersonation detection.
Automatic Updates
Unpatched software is the second most common attack vector after phishing. Attackers actively scan for known vulnerabilities in operating systems, web browsers, plugins, and business applications. When a security patch is released, the clock starts ticking. Enable automatic updates on all devices, operating systems, browsers, and applications. This includes your router firmware, printer firmware, and any IoT devices on your network. If a device cannot be updated, it should be isolated on a separate network segment or replaced.
Encrypted Drives
If a laptop or external drive is lost or stolen, the data on it is exposed, unless the drive is encrypted. BitLocker (Windows Pro/Enterprise) and FileVault (macOS) encrypt the entire drive so that data is unreadable without the correct login credentials. Enable full-disk encryption on every company laptop and require encryption on any external drives used for business data. This is a one-time setup with zero ongoing effort.
3. Network Security
Your network is the highway that connects every device in your business. If the highway is unprotected, everything on it is vulnerable. Business network security goes well beyond plugging in a consumer router from Walmart.
Business-Grade Firewall
Consumer routers provide basic connectivity but lack the inspection and control capabilities that a business requires. A business-grade firewall from UniFi, Fortinet, or pfSense gives you deep packet inspection, intrusion detection and prevention (IDS/IPS), content filtering, and granular access control rules. Configure your firewall with default-deny rules: block everything by default, then explicitly allow only the traffic your business needs.
Network Segmentation (VLANs)
Network segmentation divides your network into isolated zones using VLANs (Virtual Local Area Networks). At minimum, create separate VLANs for: business devices (computers and phones), guest WiFi, IoT devices (printers, smart TVs, thermostats), and cameras. This isolation means that a compromised smart TV or a guest's infected laptop cannot access your accounting software, file server, or point-of-sale system.
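The default-deny firewall and the VLAN layout above can be checked on paper before touching real equipment. The following is an added example, not part of this guide and not a vendor configuration: a small first-match policy evaluator in Python. The four VLAN subnets, the two allow rules, and the probe ports are constructed assumptions; the point is that anything not explicitly allowed falls through to deny, and that an audit function can prove no untrusted zone reaches the business zone.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN layout (assumption, not from the guide): one /24 per zone.
VLANS = {
    "business": ipaddress.ip_network("10.10.0.0/24"),
    "guest": ipaddress.ip_network("10.20.0.0/24"),
    "iot": ipaddress.ip_network("10.30.0.0/24"),
    "cameras": ipaddress.ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # source VLAN name, or "any"
    dst: str              # destination VLAN name, or "any"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None means any port
    action: str           # "allow" or "deny"
    comment: str = ""


# Inter-VLAN policy: only the flows the business actually needs are allowed.
# Everything not listed here falls through to the implicit default deny.
POLICY = [
    Rule("business", "iot", "tcp", 9100, "allow", "print to networked printers"),
    Rule("business", "cameras", "tcp", 443, "allow", "view the camera recorder UI"),
]


def vlan_of(ip: str) -> Optional[str]:
    """Name of the VLAN that contains ip, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> tuple[str, str]:
    """First-match evaluation of a flow; the last return is the default deny."""
    src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
    if src_vlan is None or dst_vlan is None:
        return "deny", "address is not in any defined VLAN"
    if src_vlan == dst_vlan:
        return "allow", f"same VLAN ({src_vlan}); switched locally, not firewalled"
    for rule in POLICY:
        if rule.src not in ("any", src_vlan) or rule.dst not in ("any", dst_vlan):
            continue
        if rule.proto not in ("any", proto) or rule.port not in (None, port):
            continue
        return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


UNTRUSTED = ("guest", "iot", "cameras")
PROBE_PORTS = (22, 80, 443, 445, 3389, 9100)  # constructed sample of common services


def segmentation_violations() -> list[tuple[str, str, int]]:
    """Probe every untrusted zone against the business zone on common ports and
    return any flow the policy would allow. An empty list is the goal."""
    business_host = str(VLANS["business"][10])
    violations = []
    for zone in UNTRUSTED:
        probe_host = str(VLANS[zone][10])
        for port in PROBE_PORTS:
            action, _ = evaluate(probe_host, business_host, "tcp", port)
            if action == "allow":
                violations.append((zone, "business", port))
    return violations


if __name__ == "__main__":
    print(evaluate("10.10.0.5", "10.30.0.20", "tcp", 9100))  # business -> printer: allowed
    print(evaluate("10.30.0.20", "10.10.0.5", "tcp", 445))   # IoT -> business: denied
    print("violations:", segmentation_violations())
```

Run it once after writing a policy and again after every change; if a well-meaning "temporary" allow from guest or IoT into the business zone creeps in, segmentation_violations() lists it.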
DNS Filtering
DNS filtering blocks access to known malicious domains at the network level, before any device can connect to them. This stops malware callbacks, phishing sites, and command-and-control servers. Cloudflare Gateway offers a free tier suitable for small businesses. NextDNS provides granular control with logging and analytics. DNS filtering gives you a lot of protection for very little work.
VPN for Remote Access
If employees work remotely or need to access business systems from outside the office, use a VPN (Virtual Private Network) to create an encrypted tunnel between their device and your network. Never expose internal services (file shares, remote desktop, management interfaces) directly to the internet. WireGuard is the modern standard for VPN performance. Tailscale simplifies setup with zero-configuration mesh networking. For larger businesses, site-to-site VPN between office locations provides always-on encrypted connectivity.
WiFi Security
Use WPA3 encryption (or WPA2 at minimum) with a strong, unique passphrase of at least 20 characters. Create a separate SSID for guests that is isolated from your business network. Hide the management interface of your access points and router so they are not accessible from guest or IoT VLANs. Disable WPS (WiFi Protected Setup) as it is a known vulnerability. Change default admin credentials on all networking equipment.
For detailed network architecture guidance, including equipment recommendations and configuration steps, see our Home Network Guide. For professional network design and implementation, explore our Small Business IT Services.
Key Takeaway: Network segmentation is the single most impactful network security measure for small businesses. Separating business devices, guests, and IoT into isolated VLANs means a breach in one zone cannot spread to the others. Combined with DNS filtering, you block most threats before they reach any device.
4. Employee Training
Technology alone cannot protect your business. Your employees can either catch threats that technology misses or click on phishing links that bypass every technical control you have. Training makes the difference.
Phishing Simulation
Run quarterly phishing simulations that send realistic but harmless test emails to your team. Track who clicks, who reports, and who enters credentials. Use the results to provide targeted training, not punishment. Over time, click rates go down as employees get better at spotting suspicious messages. Tools like KnowBe4, Proofpoint Security Awareness, and various free phishing simulation platforms make this straightforward to implement.
Email Verification Habits
Teach every employee a simple verification checklist for suspicious emails: hover over links before clicking to see the actual destination URL; check the sender address carefully, since attackers often use addresses that look similar to legitimate ones (leios-billing@gmail.com vs. billing@leios.consulting); and when in doubt, verify by calling the sender directly using a known phone number, not one from the suspicious email. Establish a clear procedure: when an employee receives a suspicious email, they forward it to a designated contact (IT provider or manager) before taking any action.
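The sender-address check above can also be automated as a first pass before a human looks at the message. This is an added example, not code from this guide: a Python classifier that compares the From address against a short allow-list of domains the business actually receives mail from. The allow-list, the free-mail provider list, and the similarity threshold are constructed assumptions. It flags the guide's own lookalike (a vendor name inside a free-mail address) and two further patterns: a near-miss spelling of a known domain and a known domain embedded in a longer one.

```python
import difflib
from email.utils import parseaddr

# Constructed allow-list (assumption): domains the business really gets mail from.
KNOWN_SENDER_DOMAINS = {"leios.consulting", "intuit.com"}
# Free-mail providers are fine for individuals but not for a vendor's billing desk.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
SIMILARITY_THRESHOLD = 0.85   # assumption; tune against your own vendor list


def _brand(domain: str) -> str:
    """Leftmost label of a domain, e.g. 'leios' for leios.consulting."""
    return domain.split(".")[0]


def classify_sender(header_value: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'.
    Accepts a raw From header such as 'Billing <billing@leios.consulting>'."""
    _, address = parseaddr(header_value)
    if "@" not in address:
        return "unknown", "no parsable address in header"
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()

    # Exact match or a subdomain of a known domain: controlled by that vendor.
    if domain in KNOWN_SENDER_DOMAINS or any(
        domain.endswith("." + known) for known in KNOWN_SENDER_DOMAINS
    ):
        return "trusted", f"domain {domain} is on the known-sender list"

    # Vendor name in the local part of a free-mail address (the guide's example).
    if domain in FREE_MAIL_DOMAINS:
        for known in KNOWN_SENDER_DOMAINS:
            if _brand(known) in local:
                return "lookalike", f"vendor name '{_brand(known)}' used in a free-mail address"
        return "unknown", "free-mail address; verify by phone before acting"

    for known in KNOWN_SENDER_DOMAINS:
        # Known domain buried inside a longer one, e.g. leios.consulting.evil.example
        if known in domain:
            return "lookalike", f"known domain {known} embedded in {domain}"
        # Near-miss spelling such as a swapped or substituted character.
        ratio = difflib.SequenceMatcher(None, domain, known).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return "lookalike", f"{domain} is {ratio:.0%} similar to {known}"

    return "unknown", "domain not recognized; verify through a known phone number"


if __name__ == "__main__":
    for sample in (
        "billing@leios.consulting",
        "leios-billing@gmail.com",
        "Leios Billing <billing@lei0s.consulting>",
        "orders@example.org",
    ):
        print(f"{sample:45} -> {classify_sender(sample)}")
```

A "lookalike" verdict is a reason to stop and call the vendor on a known number, exactly as the checklist says; an "unknown" verdict is not proof of a scam, only a prompt to verify before paying an invoice or changing bank details.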
Social Engineering Awareness
Phishing is just one form of social engineering. Train employees to recognize other tactics: phone calls from someone pretending to be a vendor, IT support, or an executive and asking for credentials or wire transfers; USB drops, where attackers leave infected USB drives in parking lots or lobbies; shoulder surfing in coffee shops and coworking spaces; and pretexting, where an attacker invents a scenario to gain trust and extract information. If an interaction feels unusual or pressured, employees should verify through a separate communication channel before complying.
Policies and Documentation
Written policies remove ambiguity. Every business should have documented policies covering: acceptable use (what company devices and networks can be used for), BYOD rules (if employees use personal devices for work, what security requirements apply), password requirements (password manager mandatory, no password reuse), and incident reporting procedure (who to contact, how quickly, and what information to provide when something suspicious occurs).
Onboarding and Refreshers
Security training should happen on day one for every new employee, before they receive access to any business systems. Cover your security policies, demonstrate the password manager, set up MFA on their accounts, and walk through examples of phishing emails. Then conduct annual refresher training for all staff to reinforce good habits and cover new threat trends. Short, focused training sessions (30-45 minutes) are more effective than long, infrequent sessions.
5. Backup and Recovery Strategy
Backups are your last line of defense. When everything else fails, when ransomware encrypts your files, when a hard drive dies, when an employee accidentally deletes critical data, your backups are what keep your business alive. But only if they are done correctly.
The 3-2-1 Rule
Every business should follow the 3-2-1 backup rule: maintain 3 copies of your data, stored on 2 different types of media, with 1 copy offsite or in the cloud. For example: your working data on your computer (copy 1), a local backup on a NAS or external drive (copy 2, different media), and a cloud backup (copy 3, offsite). This ensures that no single failure, whether hardware, ransomware, fire, or theft, can destroy all your data.
Daily Automated Backups
Critical business data, including financial records, customer databases, project files, and email, should be backed up daily with automated processes. Manual backups are unreliable because they depend on someone remembering to do them. Set up automated backup schedules and verify they complete successfully by checking logs weekly.
Cloud Backup
Your offsite copy should be in a cloud backup service that encrypts data in transit and at rest. Backblaze B2 is an excellent option for small businesses, offering affordable per-GB pricing with no egress fees. Wasabi provides S3-compatible storage with predictable pricing. AWS S3 with lifecycle policies works well for businesses already in the AWS ecosystem. Whichever service you choose, enable versioning so you can recover previous versions of files, not just the most recent backup.
Local Backup for Fast Recovery
Cloud backups are essential for disaster recovery, but restoring terabytes of data over the internet takes time. A local backup on a NAS (network-attached storage) or dedicated external drive provides fast recovery for the most common scenarios: accidental deletion, file corruption, or a single device failure. Synology and QNAP NAS devices support automated backup schedules, snapshot versioning, and replication to cloud storage.
Test Your Restores
Untested backups are not real backups. Schedule quarterly test restores where you actually recover files from your backups and verify they are complete and usable. This catches issues like corrupted backup files, misconfigured backup jobs that miss critical directories, or expired cloud storage credentials, before you discover them during a real emergency.
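A quarterly restore test is easy to make repeatable. The following is an added example, not part of this guide or of any backup product: a Python script that performs an actual restore of a backup copy into a scratch directory, then compares the result file by file against a SHA-256 manifest of the live data. It reports exactly the failures the paragraph above warns about, a backup job that silently skipped a directory and a file that was truncated in the copy. The three sample files and the two deliberate defects are constructed inside a temporary directory so the script runs offline; in real use the manifest should be taken when the backup job runs and stored alongside the backup, since the live tree changes afterwards.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of content, for every file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(source: Path, backup: Path, scratch: Path) -> dict:
    """Restore `backup` into `scratch` (a real copy, not a directory listing),
    then compare what came back against a manifest of `source`."""
    if scratch.exists():
        shutil.rmtree(scratch)
    shutil.copytree(backup, scratch)   # stand-in for the restore step of your backup tool
    want, got = manifest(source), manifest(scratch)
    missing = sorted(set(want) - set(got))
    corrupted = sorted(k for k in want.keys() & got.keys() if want[k] != got[k])
    return {
        "ok": not missing and not corrupted,
        "files_checked": len(want),
        "missing": missing,
        "corrupted": corrupted,
        "extra": sorted(set(got) - set(want)),
    }


def demo(misconfigured: bool = True) -> dict:
    """Build a constructed 'live' tree and a backup of it. With misconfigured=True
    the backup job skips the customers/ directory and truncates ledger.csv,
    two realistic defects a restore test is meant to catch."""
    base = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        live, backup, scratch = base / "live", base / "backup", base / "restored"
        (live / "accounting").mkdir(parents=True)
        (live / "customers").mkdir()
        (live / "accounting" / "ledger.csv").write_text("date,amount\n2024-01-02,150.00\n")
        (live / "customers" / "list.csv").write_text("name,email\nAda,ada@example.com\n")
        (live / "notes.txt").write_text("quarterly restore test\n")
        if misconfigured:
            shutil.copytree(live, backup, ignore=shutil.ignore_patterns("customers"))
            (backup / "accounting" / "ledger.csv").write_text("date,amount\n")
        else:
            shutil.copytree(live, backup)
        return verify_restore(live, backup, scratch)
    finally:
        shutil.rmtree(base, ignore_errors=True)   # clean up the constructed sample data


if __name__ == "__main__":
    print("misconfigured backup:", demo())
    print("healthy backup:      ", demo(misconfigured=False))
```

Point verify_restore() at your real source tree, the restored copy from your NAS or cloud provider, and an empty scratch folder; a non-empty "missing" or "corrupted" list is the finding to chase before the next quarter, not during an outage.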
Ransomware Resilience
Modern ransomware specifically targets backups. Attackers know that if they can encrypt both your working data and your backups, you have no choice but to pay. To defend against this, keep at least one backup copy offline or immutable. An immutable backup cannot be modified or deleted for a set period, even by an administrator account. Backblaze B2 and AWS S3 both support object lock (immutability) policies. For local backups, consider an air-gapped drive that is physically disconnected from the network when not actively running a backup job.
Document Recovery Procedures
When a crisis hits, you do not want to figure out recovery steps under pressure. Document your procedures clearly: who is responsible for initiating a restore, where backups are located (cloud credentials, NAS location, drive storage), what order to restore systems (email first? accounting? customer database?), and how long each type of restore takes. Keep this documentation accessible to at least two people in the organization.
Key Takeaway: The 3-2-1 backup rule with one immutable copy is your ultimate safety net against ransomware. But backups only matter if they work. Test your restores quarterly. The day you need to recover from a breach is not the day to discover your backups are broken.
6. Incident Response Plan
No defense is perfect. Even businesses with strong security postures can experience incidents. Whether an incident is manageable or catastrophic depends on whether you have a plan. Every business needs a written incident response plan that the entire team understands before an incident occurs.
Step 1: Detection
How do you know a breach has occurred? Detection sources include: automated monitoring alerts from your firewall or endpoint protection, employee reports of suspicious activity, customer complaints about phishing emails that appear to come from your business, unexpected account lockouts, unusual login locations or times flagged by your email provider, and unexplained system slowdowns or file changes. The faster you detect a breach, the less damage it causes. Establish clear channels for employees to report suspicious activity immediately without fear of blame.
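Two of the detection sources listed above, unusual login times or locations and account lockouts, can be spotted with a few lines of logic run over your identity provider's sign-in log. This is an added example, not part of this guide: a Python detector over a constructed sample log of successful and failed logins. It assumes a US-only workforce, Central Standard Time as a fixed offset (daylight saving ignored to keep the example dependency-free), business hours of 07:00 to 18:59 on weekdays, and five failures within ten minutes as a burst. The log format (UTC timestamp, result, user, GeoIP country, source IP) is constructed; adapt parse_log() to whatever your provider exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions (constructed, not from the guide).
LOCAL_TZ = timezone(timedelta(hours=-6), "CST")   # fixed offset; DST deliberately ignored
EXPECTED_COUNTRIES = {"US"}
BUSINESS_HOURS = range(7, 19)                      # 07:00 to 18:59 local
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample log: UTC timestamp, result, user, GeoIP country, source IP.
SAMPLE_LOG = """\
2024-03-04T14:02:11Z success alice US 203.0.113.10
2024-03-05T03:15:40Z success alice US 203.0.113.10
2024-03-05T15:30:00Z success carol RU 198.51.100.7
2024-03-06T15:00:00Z failure bob US 192.0.2.44
2024-03-06T15:00:30Z failure bob US 192.0.2.44
2024-03-06T15:01:00Z failure bob US 192.0.2.44
2024-03-06T15:01:30Z failure bob US 192.0.2.44
2024-03-06T15:02:00Z failure bob US 192.0.2.44
2024-03-06T15:02:40Z success bob US 192.0.2.44
2024-03-09T16:00:00Z success dave US 203.0.113.22
"""


def parse_log(text: str) -> list[dict]:
    """Turn the space-separated sample format into event dicts with aware timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, result, user, country, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "result": result, "user": user, "country": country, "ip": ip,
        })
    return events


def _alert(e: dict, kind: str, detail: str) -> dict:
    return {"kind": kind, "user": e["user"], "ip": e["ip"],
            "when": e["ts"].isoformat(), "detail": detail}


def detect(text: str) -> list[dict]:
    """Return one alert per suspicious successful login, in log order."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of failures since last success
    for e in parse_log(text):
        if e["result"] != "success":
            failures[e["user"]].append(e["ts"])
            continue
        local = e["ts"].astimezone(LOCAL_TZ)
        # Weekend (weekday 5 or 6) or outside business hours in local time.
        if local.weekday() >= 5 or local.hour not in BUSINESS_HOURS:
            alerts.append(_alert(e, "off_hours_login", f"local time {local:%a %H:%M}"))
        if e["country"] not in EXPECTED_COUNTRIES:
            alerts.append(_alert(e, "unexpected_country", f"GeoIP country {e['country']}"))
        # Many failures immediately before a success: a guessed or stuffed password.
        burst = [t for t in failures[e["user"]] if e["ts"] - t <= FAIL_WINDOW]
        if len(burst) >= FAIL_THRESHOLD:
            alerts.append(_alert(e, "success_after_failure_burst",
                                 f"{len(burst)} failures in the previous {FAIL_WINDOW}"))
        failures[e["user"]].clear()   # a success resets the counter
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['when']} {a['user']:6} {a['kind']:28} {a['detail']}")
```

On the sample data this raises four alerts: alice signing in at 21:15 on a Monday, carol signing in from outside the expected country, bob succeeding right after five failed attempts, and dave signing in on a Saturday. None of these is proof of compromise on its own; each is a prompt for the reporting channel the paragraph above calls for, a quick question to the employee, and a password reset plus MFA check if the answer is wrong.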
Step 2: Containment
Once a potential breach is identified, act immediately to limit the damage. Disconnect compromised devices from the network (unplug ethernet, disable WiFi). Disable compromised accounts and force password resets. Block known malicious IPs or domains at the firewall. The goal is to stop the attacker from spreading further while you assess the situation. Do not shut down or wipe compromised systems yet, as forensic evidence may be needed.
Step 3: Assessment
Determine the scope of the incident: what systems were accessed, what data was potentially exposed (customer records, financial data, credentials), how the attacker gained access (phishing, unpatched vulnerability, stolen credentials), and how long they had access before detection. This assessment informs your notification obligations and recovery priorities.
Step 4: Notification
Oklahoma law (24 O.S. Section 163) requires businesses to notify affected individuals when a breach involves personal information such as names combined with Social Security numbers, driver's license numbers, or financial account numbers. Notification must be made "without unreasonable delay." Contact your attorney to determine your specific obligations. If you handle healthcare data (HIPAA) or payment cards (PCI DSS), additional notification requirements apply. Do not delay notification to avoid bad press, as delayed notification increases legal exposure and erodes customer trust.
Step 5: Recovery
Restore systems from your verified backups. Change all passwords across the organization, including service accounts and API keys. Patch the vulnerability that was exploited. Re-image compromised devices rather than attempting to clean them, as persistent malware can survive standard cleanup. Verify that the attacker's access has been fully revoked before bringing recovered systems back online.
Step 6: Post-Incident Review
After recovery, conduct a thorough post-incident review. Document exactly what happened, how it happened, when it was detected, how long containment took, and what the total impact was. Most importantly, identify what changes will prevent a recurrence. Update your security controls, training program, and incident response plan based on lessons learned. Every incident, even a near-miss, should lead to concrete improvements.
Keep Your Plan Accessible
Print your incident response plan and store physical copies in an accessible location. If your systems are encrypted by ransomware, you cannot access a digital-only plan stored on those systems. The printed plan should include key contacts: your IT provider, attorney, cyber insurance company, and local FBI field office (Oklahoma City: 405-290-7770). Keep this list updated quarterly.
Frequently Asked Questions
What is the biggest cybersecurity threat to small businesses?
Phishing emails are the number one attack vector for small businesses, responsible for over 90% of successful breaches. Attackers send convincing emails that trick employees into clicking malicious links, downloading malware, or entering credentials on fake login pages. The best defense is employee training combined with technical controls like email filtering, multi-factor authentication, and DNS-level blocking.
How much does a cybersecurity breach cost a small business?
The average cost of a data breach for small businesses is $120,000-$200,000, according to industry reports. For many small businesses, this is enough to force closure. Costs include incident response, customer notification, legal fees, regulatory fines, and lost business. Proper network security, backups, and employee training cost a fraction of what breach cleanup runs.
Do small businesses in Oklahoma need to comply with any cybersecurity regulations?
Oklahoma has a data breach notification law (24 O.S. Section 163) requiring businesses to notify affected individuals of breaches involving personal information. Beyond that, businesses handling healthcare data must comply with HIPAA, those processing credit cards need PCI DSS compliance, and businesses working with government contracts may need CMMC certification. Even without specific regulations, all businesses are expected to protect customer data.
Is a firewall enough to protect my business?
No. A firewall is one layer of protection, but modern threats require a layered approach: firewall + endpoint protection + email filtering + multi-factor authentication + employee training + encrypted backups + network segmentation. Think of it like your home: a locked front door (firewall) helps, but you also need locks on windows (endpoint protection), a doorbell camera (monitoring), and awareness of social engineering (training).
How often should we back up our business data?
Follow the 3-2-1 rule: 3 copies of your data, on 2 different types of media, with 1 copy offsite or in the cloud. Critical business data should be backed up daily. Test your backups quarterly by actually restoring files to verify they work. Untested backups are not backups. For businesses using cloud services (Google Workspace, Microsoft 365), remember that these platforms do not fully back up your data by default.
Related Resources
Home Network Guide
Set up a reliable, secure network foundation for your business and smart home devices.
Small Business IT Services
Professional IT setup, network design, and ongoing support for Oklahoma businesses.
Enterprise Networking Services
UniFi network infrastructure, VLANs, VPN, and firewall configuration for businesses.
Smart Home Services
Secure smart home automation with local control and no cloud dependencies.
Need Help Securing Your Oklahoma Business?
Leios Consulting builds secure networks and implements cybersecurity best practices for Oklahoma small businesses. From firewall configuration to employee training, we handle the technology so you can focus on your business.