Cybersecurity Checklist for Small Businesses: 10 Quick Wins That Actually Prevent Breaches
Cybersecurity · Small Business · IT Security · Data Protection · Risk Management


Sebastien | 7 min read

A small manufacturing company in Osaka got hit with ransomware last November.

The attacker had gained access using a password that the owner used for both his email and his admin panel. That password had been compromised in a 2019 data breach. He wasn't notified of the breach. Nobody was checking. Four years later, someone used the password to lock him out of his own business.

Recovery cost: 2.3 million yen in downtime, cleanup, and ransom negotiation.

The fix would have taken him 15 minutes: enabling two-factor authentication.

This isn't a tech company — it's a small manufacturer with 12 employees. They don't have a dedicated IT person. They shouldn't have to be security experts. And yet, the vast majority of small business breaches happen because of preventable oversights, not sophisticated zero-day exploits.

The good news? You don't need a CISO or a six-figure security budget. You need 10 concrete steps that block the attack vectors that are actually coming after small businesses.

The reality: most attacks don't require technical genius

Here's the uncomfortable truth: most breaches start with phishing. Not zero-day exploits. Not sophisticated APT groups. A convincing email that tricks someone into typing their password into a fake login page.

The second most common vector? Reused or weak passwords. A password leaked in a breach at some other company gets tried against your accounts (credential stuffing), and because it's the same password, it works.

The third? Unpatched software. You ignored that Windows update notification. Someone found the vulnerability two years ago. You're now exposed.

These are all preventable. None of them require hiring anyone. None require expensive tools. What they require is understanding the actual threats and taking specific, simple actions.

Let's go through them.

10 Quick Wins for SMB Cybersecurity

1. Enable two-factor authentication (2FA) on everything critical

Email, banking, admin panels, cloud storage — anything that contains money or operational data.

Most 2FA is free (Google Authenticator, Microsoft Authenticator, Authy, or the passkey support built into your phone and browser). SMS codes are the weakest form because they can be intercepted by SIM swapping, but they are still better than nothing. If a service offers passkeys or a hardware security key (FIDO2), prefer that: unlike app-generated codes, those can't be relayed through a fake login page.

Why it works: Even if someone has your password, they can't get in without the second factor. The Osaka manufacturer would have been spared the 2.3 million yen bill. Store the recovery codes somewhere safe (in the password manager from step 2, or printed in a locked drawer), because they bypass the second factor.

Time: 30 minutes. Cost: ¥0.

2. Enforce unique, strong passwords — or use a password manager

Your employees are reusing passwords across work and personal accounts. That's guaranteed.

Stop trying to get them to remember complex passwords. It doesn't work. Give them a password manager instead.

Free options: Bitwarden (works across devices, straightforward). Paid: 1Password (more polished, better support). LastPass is also well known, but its 2022 breach, in which attackers copied customer vault backups, is a reason to look at the alternatives first.

The manager generates and stores unique passwords. Employees only need to remember one master password, so make that one long (a passphrase of several random words) and protect the manager itself with 2FA. You can audit and revoke access from a central dashboard.

Why it works: When Employee A's Netflix password gets breached, the attacker tries it on your email, your bank, your customer database. With unique passwords, the Netflix breach doesn't matter.

Time: 2 hours to set up and train staff. Cost: ¥0-5,000/year for a team of 10.
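What a password manager's built-in audit does can be shown in a few lines. As an added example that is not from the original article, here is a Python script that takes a constructed vault export in the name/username/password shape Bitwarden and 1Password exports use, finds passwords reused across entries or too weak to keep, and generates replacements with the operating system's cryptographic random source. The entries, the domain and the word list are made up for the demo.

```python
import secrets
from collections import defaultdict
from typing import Dict, List

# Constructed sample export (not real credentials, hypothetical domain).
SAMPLE_VAULT: List[Dict[str, str]] = [
    {"name": "Office 365", "username": "taro@example.co.jp", "password": "Osaka2019!"},
    {"name": "Netflix", "username": "taro@example.co.jp", "password": "Osaka2019!"},
    {"name": "Bank portal", "username": "taro", "password": "Osaka2019!"},
    {"name": "Router admin", "username": "admin", "password": "admin"},
    {"name": "Cloud backup", "username": "ops@example.co.jp", "password": "k9#Vr2!mQx7$Lp4wZt"},
]

# A handful of the passwords every credential-stuffing list starts with.
COMMON_PASSWORDS = {"admin", "password", "123456", "qwerty", "letmein", "welcome"}

# Tiny hypothetical word list; a real generator draws from several thousand words.
WORDLIST = ["anchor", "bamboo", "copper", "dragon", "ember", "falcon", "garnet",
            "harbor", "indigo", "jasper", "kestrel", "lantern", "meadow", "nimbus"]


def find_reused(vault: List[Dict[str, str]]) -> List[List[str]]:
    """Group entries that share a password; each group is a list of entry names.
    One breach at any site in a group exposes every other site in it."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["name"])
    return [names for names in by_password.values() if len(names) > 1]


def find_weak(vault: List[Dict[str, str]], min_length: int = 12) -> List[str]:
    """Entries whose password is short or on the common-password list."""
    return [e["name"] for e in vault
            if len(e["password"]) < min_length
            or e["password"].lower() in COMMON_PASSWORDS]


def generate_passphrase(words: int = 5, wordlist: List[str] = WORDLIST) -> str:
    """Master-password style passphrase, words chosen with the CSPRNG."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length: int = 20) -> str:
    """Random password for a vault entry; nobody has to remember it."""
    alphabet = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789!#$%&*+-=?@_")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(vault: List[Dict[str, str]]) -> Dict[str, object]:
    """One report a small business owner can act on."""
    return {"reused": find_reused(vault), "weak": find_weak(vault)}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for group in report["reused"]:
        print("Same password used for:", ", ".join(group))
    for name in report["weak"]:
        print("Weak password:", name, "-> replace with", generate_password())
    print("Example master passphrase:", generate_passphrase())
```

Run it against a real export only on a trusted machine, and delete the export file afterwards; the report lists entry names, never the passwords themselves.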

3. Keep operating systems and software updated

Yes, updates are annoying. Yes, they take time. Yes, sometimes they break things.

Updates are also where security patches live.

Set Windows, Mac, and Linux systems to auto-update, and confirm browsers are updating themselves (they do by default unless someone has turned it off). For everything that doesn't update itself, such as line-of-business applications, the office router, NAS boxes and printers, create a calendar reminder to check for firmware and software updates monthly.

If you're running Windows 7 or 8, stop immediately. Windows 7 hasn't received security patches since January 2020 and Windows 8.1 since January 2023, and Windows 10 support ends in October 2025, so plan that upgrade too. You're operating a business out of a building that has no locks.

Why it works: Most attackers don't invent new vulnerabilities. They find known ones and exploit them before the company patches. Auto-updates close these gaps before attackers can use them.

Time: 1 hour to set up auto-updates. Cost: ¥0.

4. Set up email authentication (SPF, DKIM, DMARC)

Attackers often impersonate your company's email address to trick clients into sending money or opening malicious attachments.

If someone receives an email that looks like it's from your CEO asking for an urgent wire transfer, they might actually send the money — until they realize it was a hacker.

Email authentication lets the recipient's server check the sender. SPF is a DNS record listing the servers allowed to send mail for @yourcompany.com; DKIM adds a cryptographic signature to each message sent through your real mail provider; DMARC tells receivers what to do with mail that fails both checks (monitor, quarantine or reject) and sends you reports about who is sending as your domain.

Most domain registrars and email providers have built-in wizards to set this up; for Google Workspace and Microsoft 365 you also switch DKIM signing on in the admin console. It's a one-time 30-minute configuration, plus a few weeks of reading the DMARC reports before you move the policy from p=none to p=reject.

Why it works: Mail that claims to come from your exact domain but wasn't sent by your servers arrives marked as suspicious or gets rejected entirely. It does not help against lookalike domains (yourcompany-co.com) or a genuinely compromised mailbox, which is why the phishing training in step 8 still matters.

Time: 30 minutes. Cost: ¥0.
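To see what a weak record looks like next to a good one, here is an added example that is not from the original article: a Python check of SPF and DMARC record text for the mistakes that matter most. The records are constructed for a hypothetical domain; in practice you would paste in the output of `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`. The SPF lookup count only counts the terms in this one record, not the includes they pull in, so treat a borderline number as a prompt to look deeper.

```python
import re
from typing import Dict, List

# Constructed records for a hypothetical domain (203.0.113.0/24 is a documentation range).
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
WEAK_DMARC = "v=DMARC1; p=none;"
GOOD_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.jp; adkim=s; aspf=s"

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> List[str]:
    """Return findings (severity: message) for one SPF TXT record; [] means fine."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["HIGH: not an SPF record (must start with v=spf1)"]
    findings: List[str] = []
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:/=]", mech, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("MEDIUM: no 'all' term; add -all so unlisted servers fail explicitly")
    elif all_qualifier == "+":
        findings.append("HIGH: '+all' lets any server on the internet send as your domain")
    elif all_qualifier == "?":
        findings.append("MEDIUM: '?all' is neutral; unlisted servers neither pass nor fail")
    elif all_qualifier == "~":
        findings.append("LOW: '~all' is softfail; move to '-all' once every legitimate sender is listed")
    if lookups > 10:
        findings.append(f"HIGH: {lookups} lookup terms in this record alone; receivers return permerror above 10")
    return findings


def check_dmarc(record: str) -> List[str]:
    """Return findings for one DMARC TXT record; [] means fine."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["HIGH: not a DMARC record (must start with v=DMARC1)"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("HIGH: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("LOW: p=quarantine sends spoofs to junk; p=reject blocks them")
    elif policy != "reject":
        findings.append("HIGH: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("MEDIUM: no rua= address; you will never see who is spoofing you")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"MEDIUM: pct={pct} applies the policy to only {pct}% of mail")
    return findings


def check_domain(spf: str, dmarc: str) -> Dict[str, List[str]]:
    """Combine both checks into one report."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    print("weak:", check_domain(WEAK_SPF, WEAK_DMARC))
    print("good:", check_domain(GOOD_SPF, GOOD_DMARC))
```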

5. Require VPN for remote access — or use a zero-trust VPN

If employees work from home, they're accessing your network from untrusted networks (coffee shops, hotels, etc.).

Use a VPN (Virtual Private Network) to encrypt all traffic between their device and your office network.

Free option for small teams: WireGuard (open source, lightweight, but you run the server yourself). Easier for less technical teams: Tailscale or Cloudflare Zero Trust, both of which have free tiers for very small teams and paid plans above that.

Why it works: Even if they're on a hacked WiFi network, the attacker can't see their traffic or intercept their login, because it is encrypted on the device before it leaves. Just as important, a VPN means your remote desktop, file server and admin panels are never exposed directly to the internet; internet-facing RDP is one of the most common ways ransomware gets in. A VPN does not stop phishing, so it complements 2FA rather than replacing it.

Time: 2-3 hours to set up. Cost: ¥0-5,000/year.

6. Back up critical data (offline and automated)

Ransomware encrypts your files and demands payment. But if you have a backup that the attacker can't reach, you ignore their demand and restore from the backup.

Set up automatic, daily backups to:

  1. A cloud backup service, encrypted, offsite, and with version history so an encrypted file can be rolled back. A plain sync folder (Google Drive, Dropbox, OneDrive) will happily sync the encrypted versions of your files up to the cloud; it only counts as a backup if version history or a separate backup feature is enabled.
  2. An external hard drive kept disconnected when not in use (so ransomware can't reach it)

Many small businesses use Backblaze (¥150/month per device) or Acronis True Image (one-time purchase ¥6,000-8,000).

Why it works: You lose a few hours of work, not your entire business. Ransom demands become toothless, but only if the restore actually works, so restore a few files from each backup every quarter and time how long a full restore would take.

Time: 1-2 hours to set up. Cost: ¥0-2,000/month.
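Backups that were never restored are a hope, not a plan. The following added example, which is not part of the original article, shows one way to make the restore test mechanical: hash every file when the backup is taken, and compare a restored copy against those hashes. The files and directory names are constructed for the demo, and the "hit" scenario stands in for an always-connected backup drive that ransomware reached.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root. Keep the manifest
    with the backup and a copy somewhere the backup job cannot overwrite."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restored: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest taken at backup time.
    'changed' is what ransomware, bit rot or a bad copy looks like;
    'extra' catches ransom notes and stray files; 'missing' catches gaps."""
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(set(current) - set(manifest)),
    }


def run_demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: back up a small tree, restore it cleanly, then
    show what the check reports once the restored copy has been encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2024-03.csv").write_text("id,amount\n1,4200\n")
        (source / "customers.db").write_bytes(b"\x00\x01constructed-sample")
        manifest = build_manifest(source)

        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        clean = verify_restore(restored, manifest)

        # What a connected backup drive looks like after ransomware reaches it.
        (restored / "invoices" / "2024-03.csv").write_bytes(b"\x8f\x12encrypted-junk")
        (restored / "README_DECRYPT.txt").write_text("pay us")
        hit = verify_restore(restored, manifest)
    return {"clean": clean, "hit": hit}


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print(scenario, result)
```

Run build_manifest when the backup is made and verify_restore against a test restore each quarter; an empty result is the evidence that the backup is usable, and a non-empty "changed" list on the offline drive is the signal to stop trusting it.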

7. Install and configure a firewall (or check you have one)

A firewall sits between your devices and the internet, blocking unsolicited incoming traffic.

If you're on a corporate network, you likely have one already. If you're a remote team or have a small office: check that your router has a firewall enabled (it probably does by default — just confirm).

For more control, tools like pfSense and OPNsense (free, open source) or Firewalla (a plug-and-play box) give you granular control over what traffic is allowed.

Why it works: Most attackers start by scanning your IP range for open ports and services they can exploit. A properly configured firewall makes this drastically harder. While you're in the router, check the port-forwarding list and turn off UPnP: a forgotten forward to an RDP or NAS port undoes the rest of the firewall.

Time: 30 minutes to verify you have one. Cost: ¥0-5,000.

8. Create a phishing awareness training program

Your employees are the first line of defense. One person clicking a suspicious link can give an attacker access to everything.

Spend 30 minutes every month with your team on what phishing looks like:

  • Grammatical errors in official-sounding emails
  • Unusual requests (wire transfers, credential changes) that bypass normal process
  • Suspicious sender addresses that are *almost* right (a lookalike domain instead of company.com)
  • Links that don't match the URL text

Tools like KnowBe4 (paid), Gophish (free, open source; run your own simulated phishing campaigns), or even just YouTube security videos can help.

Why it works: Trained employees catch the phishing attacks that untrained ones click, and, just as important, they report them instead of hiding the click. You don't eliminate phishing, but you cut the click rate to a small fraction of what it was. Make reporting a suspicious email a no-blame action: the fastest way to contain a phish is a staff member saying "I think I just clicked something" within minutes.

Time: 30 minutes/month. Cost: ¥0-3,000/month.
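The signs above can be checked mechanically too. As an added example that is not from the article, here is a small Python script that applies them to two constructed messages, one phish and one legitimate: it compares the sender's domain to your own, checks whether the visible link text matches where the link really goes, and looks for pressure wording. The domains and addresses are hypothetical (.test and .example are reserved for exactly this).

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.co.jp"}  # hypothetical: your own domain(s)
PRESSURE_WORDS = ("urgent", "immediately", "wire transfer", "verify your account", "password")

# Constructed messages; neither is a real email.
PHISH = """\
From: "Taro Yamada (CEO)" <taro@examp1e.co.jp>
To: keiko@example.co.jp
Subject: URGENT wire transfer before 5pm
Content-Type: text/html; charset="utf-8"

<p>Keiko, please verify your account at
<a href="http://login.example-co-jp.evil.test/">https://portal.example.co.jp/</a>
and process the wire transfer immediately.</p>
"""

LEGIT = """\
From: "Taro Yamada" <taro@example.co.jp>
To: keiko@example.co.jp
Subject: March invoices
Content-Type: text/html; charset="utf-8"

<p>The March invoices are on <a href="https://portal.example.co.jp/">the portal</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> List[str]:
    """Return human-readable warnings for one raw message; [] means nothing found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    # 1. Sender domain: exact match or a subdomain of ours is fine; near-misses are not.
    _, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for trusted in TRUSTED_DOMAINS:
        if sender_domain == trusted or sender_domain.endswith("." + trusted):
            break
        if edit_distance(sender_domain, trusted) <= 2:
            findings.append(f"sender domain {sender_domain} looks like {trusted}")
        elif trusted in sender_domain:
            findings.append(f"sender domain {sender_domain} embeds {trusted}")

    # 2. Links whose visible text is a URL for a different host than the real target.
    body = msg.get_content()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if re.match(r"https?://", text):
            shown, real = urlparse(text).hostname, urlparse(href).hostname
            if shown != real:
                findings.append(f"link text shows {shown} but points to {real}")

    # 3. Urgency and money/credential wording in subject or body.
    plain = (str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in PRESSURE_WORDS if w in plain]
    if hits:
        findings.append("pressure wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    print("phish:", analyse(PHISH))
    print("legit:", analyse(LEGIT))
```

None of these checks is proof on its own; the point of the training is that a person weighs the three together and picks up the phone to confirm the request, which no script can do.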

9. Monitor and audit user access

Who has admin rights? Who has access to sensitive data? If someone leaves the company, are their accounts still active?

Create a spreadsheet (or use an identity tool like Okta or Microsoft Entra ID, formerly Azure AD) that lists:

  • Every user account
  • What systems they can access
  • Their permission level
  • Last login date

Review it quarterly. Disable or downgrade accounts that no longer need full access.

Why it works: Many insider incidents (accidental or intentional) happen because someone has access they no longer need. A former contractor still has your database password. A junior employee has access to client payment info they've never needed. Shared passwords can't be revoked by disabling an account, so offboarding must also include rotating any password the person knew.

Time: 1-2 hours/quarter. Cost: ¥0-5,000/year.
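The quarterly review of that spreadsheet is easy to automate. The following added example, not from the original article, reads a constructed inventory in the column layout described above plus an "employment" column from HR, and lists the accounts that should be disabled or downgraded. Users, systems and dates are hypothetical, and the review date is passed in rather than read from the clock so that the result is reproducible.

```python
import csv
import io
from datetime import date, timedelta
from typing import Dict, List

# Constructed access inventory (hypothetical users and systems).
SAMPLE_INVENTORY = """\
user,system,role,last_login,employment
taro@example.co.jp,Office 365,admin,2024-05-30,active
keiko@example.co.jp,Office 365,user,2024-05-31,active
contractor@outside.example,customer-db,admin,2023-11-02,left
hanako@example.co.jp,customer-db,admin,2024-01-15,active
shared-admin,router,admin,,active
"""


def review(inventory_csv: str, today_iso: str, stale_days: int = 90) -> Dict[str, List[str]]:
    """Flag accounts to disable or downgrade.

    departed_still_active: offboarding missed an account (disable today, rotate shared secrets)
    stale_admins:          admin rights nobody has used in `stale_days` (downgrade or remove)
    never_logged_in:       no recorded login, typically shared or forgotten accounts
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=stale_days)
    findings: Dict[str, List[str]] = {
        "departed_still_active": [],
        "stale_admins": [],
        "never_logged_in": [],
    }
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        label = f"{row['user']} on {row['system']}"
        if row["employment"].strip().lower() == "left":
            findings["departed_still_active"].append(label)
        if not row["last_login"].strip():
            findings["never_logged_in"].append(label)
            continue
        last_login = date.fromisoformat(row["last_login"].strip())
        if row["role"].strip().lower() == "admin" and last_login < cutoff:
            findings["stale_admins"].append(label)
    return findings


if __name__ == "__main__":
    for category, accounts in review(SAMPLE_INVENTORY, "2024-06-01").items():
        print(f"{category}:")
        for account in accounts:
            print("  -", account)
```

Most identity tools export a CSV in roughly this shape; the HR column is the one people forget, and it is the one that catches the departed contractor.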

10. Have an incident response plan (written, practiced)

Despite all of this, something might still go wrong. What then?

Write down:

  1. Who to contact if there's a security incident (internal IT person, external IT support, insurance company)
  2. What to do immediately (disconnect the affected system from the network, but don't power it off or reboot it, since logs and evidence in memory can be lost; keep the backups disconnected until you know the malware is gone)
  3. Who needs to be notified (staff, customers, authorities if required by law)
  4. How to communicate (templated emails, holding statements)

Practice this once a year, even if it's just a tabletop exercise.

Why it works: The difference between a contained breach and a catastrophic one is often how fast you respond in the first hour. A plan means you're not making decisions under panic.

Time: 2-3 hours to write. Cost: ¥0.

The cost of not doing this

Here's what typically happens to a small business that doesn't have these basics in place:

  • Ransomware attack: ¥500,000 - 5,000,000 in downtime + ransom
  • Email compromise: Attacker poses as the owner, tricks an employee into wiring ¥200,000 - 500,000
  • Data theft: Customer information stolen and sold on the dark web. GDPR/PPC fines: ¥200,000 - 2,000,000+
  • Credential theft: Someone breaks into your email using a password from another breach. They reset passwords across all your tools and lock you out of your own business.

The Osaka manufacturer paid 2.3 million yen because they didn't enable 2FA.

The cost of implementing all 10 of these? Maybe ¥100,000 total (and most are free or nearly free). The ROI is obvious.

Start this week

You don't have to do all 10 at once. Pick the three that feel most urgent:

  1. Enable 2FA on email, banking, and admin panels (30 minutes)
  2. Set up automatic backups (1 hour)
  3. Create an updated list of who has access to what (2 hours)

Next week, do the next three. By the end of the month, you've closed the gaps behind the most common attacks on businesses your size.

Small businesses are targets precisely because they're assumed to have weak security. The moment you take these steps, you're no longer the easiest target on the block.

---

At SolidTech, we offer IT security audits and managed IT support for small businesses. We'll walk through your current setup, identify which of these steps you need most urgently, and help you implement them without disrupting your operations.

The goal isn't military-grade security. It's leaving attackers looking for easier targets. And that's much cheaper to achieve than you'd think.

Ready to assess where you stand? Let's talk.
