🚀 Executive Summary
TL;DR: Small businesses are vulnerable to automated cyberattacks exploiting common weaknesses like weak passwords and unpatched software, not targeted malice. The solution involves a tiered security approach, starting with essential controls like MFA, password managers, and tested off-site backups, then advancing to least privilege, network segmentation, and a security-aware culture with EDR and incident response.
🎯 Key Takeaways
- Multi-Factor Authentication (MFA) is the single most effective control against account takeover, especially when using authenticator apps over SMS.
- Implement the 3-2-1 backup rule (3 copies, 2 media, 1 off-site) and rigorously test restore processes to ensure data recoverability.
- Adhere to the Principle of Least Privilege (PoLP) and segment networks with firewalls, allowing access only via secure methods like VPNs, to minimize attack surface.
Stop thinking you’re ‘too small to be a target.’ A Senior DevOps engineer breaks down the essential, non-negotiable security practices that protect small businesses from automated threats and low-hanging fruit vulnerabilities.
From the Trenches: Real-World Security for Your Small Business
I remember the call. It was a Saturday, 2 AM. A small e-commerce client, maybe 15 employees, was completely dead in the water. Their site was down, replaced with a ransomware note. The owner was in a panic, asking me, “Why us? We’re nobody!” I spent the next 72 hours rebuilding their infrastructure from backups because a single, forgotten admin portal on an old server had the password ‘Pa$$w0rd123’. They weren’t a “target.” They were just an open door an automated scanner happened to walk through. This stuff isn’t personal; it’s a numbers game, and if you make it easy for the bots, they will find you.
The “Why”: You’re Not a Target, You’re an Opportunity
Let’s get one thing straight. A hacker in a hoodie probably isn’t spending weeks trying to break into your small accounting firm. The reality is far more boring and far more dangerous: automated scripts are constantly scanning the entire internet for known vulnerabilities. They look for things like:
- Unsecured remote desktop ports (RDP/SSH) facing the public internet.
- Out-of-date software with known exploits (like an old WordPress plugin).
- Weak or default passwords on admin panels.
- Exposed API keys accidentally committed to a public GitHub repository.
These bots don’t care if you’re a Fortune 500 company or a two-person startup. They find a flaw, exploit it automatically, and either steal data, install crypto-mining malware, or deploy ransomware. The root cause isn’t malice directed at you; it’s your business being low-hanging fruit in an automated orchard.
The Fixes: From ‘Stop the Bleeding’ to ‘Fort Knox’
Look, you don’t need a multi-million dollar security budget. You just need to be more trouble than you’re worth. Here’s my no-nonsense, tiered approach that I walk every small business client through.
Solution 1: The ‘Do This Yesterday’ Baseline
This is the absolute bare minimum. If you don’t have these things in place, stop reading and go do them right now. This is the digital equivalent of locking your front door.
- Multi-Factor Authentication (MFA) Everywhere: I don’t care if it’s your email, your AWS account, your bank, or your domain registrar. Turn it on. A password breach is a matter of ‘when’, not ‘if’. MFA is the single most effective control you can implement to stop an account takeover.
- A Password Manager: Stop reusing passwords. Stop writing them on sticky notes. Get a password manager for your team (like Bitwarden or 1Password). Every single login should have a long, random, unique password. There are no exceptions.
- Automated, Off-Site Backups: Your data needs to exist in at least three places (the 3-2-1 rule: 3 copies, 2 different media, 1 off-site). Use a cloud service, have it run automatically, and most importantly, test your restore process once a quarter. A backup you’ve never tested is just a hope.
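The "test your restore" step is the one most businesses skip, so here is what a restore drill looks like in code. This is an added example, not part of the original post: it writes a backup archive with an embedded SHA-256 manifest, restores it into a scratch directory, and reports anything missing or corrupted plus the age of the backup. File names, contents and the one-hour freshness window are constructed for the demonstration.

```python
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"  # stored inside the archive next to the data


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src_dir, archive) -> dict:
    """Write src_dir to a .tar.gz and embed a manifest of per-file SHA-256 hashes."""
    src_dir = Path(src_dir)
    manifest = {"created": int(time.time()), "files": {}}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest["files"][rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
        blob = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(blob)
        info.mtime = manifest["created"]
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def restore(archive, dest) -> dict:
    """Extract the archive into dest and return the embedded manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            manifest = json.load(tar.extractfile(MANIFEST))
        except KeyError:
            raise ValueError("archive has no manifest; it cannot be verified") from None
        try:
            tar.extractall(dest, filter="data")  # rejects '..' and absolute member paths
        except TypeError:  # older Python without extraction filters
            tar.extractall(dest)
    return manifest


def verify(dest, manifest) -> dict:
    """Compare every restored file against the hash recorded at backup time."""
    missing, corrupted = [], []
    for rel, digest in sorted(manifest["files"].items()):
        p = Path(dest) / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def drill_restore(archive, max_age_s=7 * 86400) -> dict:
    """The quarterly drill: restore into a throwaway directory, verify, and flag stale backups."""
    with tempfile.TemporaryDirectory() as scratch:
        manifest = restore(archive, scratch)
        report = verify(scratch, manifest)
    report["age_seconds"] = int(time.time()) - manifest["created"]
    report["fresh"] = report["age_seconds"] <= max_age_s
    report["ok"] = report["ok"] and report["fresh"]
    return report


def demo():
    """Constructed end-to-end drill: back up two sample files, run the drill on the
    intact archive, then damage a restored copy to show what a failing report looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("invoices 2024\n")        # constructed sample data
        (src / "sub" / "b.txt").write_text("customer list\n")
        archive = tmp / "nightly.tar.gz"
        backup(src, archive)
        clean = drill_restore(archive, max_age_s=3600)
        damaged_dir = tmp / "restored"
        manifest = restore(archive, damaged_dir)
        (damaged_dir / "a.txt").write_text("INVOICES 2024\n")  # silent corruption
        (damaged_dir / "sub" / "b.txt").unlink()               # file lost
        damaged = verify(damaged_dir, manifest)
    return clean, damaged


if __name__ == "__main__":
    for name, report in zip(("intact", "damaged"), demo()):
        print(name, json.dumps(report))
```

The point of `drill_restore` is that it never touches production: it extracts into a temporary directory and throws it away, so the drill can run on a schedule without risk. The `filter="data"` argument is worth keeping wherever it is available, because a tar archive from an untrusted or compromised backup host can otherwise write outside the restore directory.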
PRO TIP: When setting up MFA, use an authenticator app (like Google Authenticator or Authy) instead of SMS if you can. SMS is better than nothing, but it’s vulnerable to SIM-swapping attacks. It’s a small step that significantly hardens your accounts.
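To make the authenticator-app recommendation concrete, here is how those six-digit codes are actually produced and checked. This is an added example, not code from the original post: it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, generates an enrollment secret in the otpauth:// form that apps such as Google Authenticator scan, and verifies a submitted code with a one-step drift window. The issuer and account names are placeholders; the RFC 6238 test secret is used so the results can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30  # RFC 6238 defaults used by common authenticator apps
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second windows since the epoch.
    This is what the app on the phone computes, entirely offline."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[float] = None, step: int = STEP_SECONDS,
                digits: int = DIGITS, window: int = 1) -> bool:
    """Server-side check: reject malformed input, accept the current window plus
    `window` steps either side for clock drift, and compare in constant time."""
    if len(code) != digits or not code.isdigit():
        return False
    now = time.time() if at is None else at
    counter = int(now) // step
    # Evaluate every candidate so the loop does not short-circuit on the match.
    matches = [hmac.compare_digest(hotp(key, counter + drift, digits), code)
               for drift in range(-window, window + 1)]
    return any(matches)


def new_enrollment(issuer: str, account: str) -> Tuple[bytes, str]:
    """Generate a fresh 160-bit secret and the otpauth:// URI the app scans (as a QR code).
    The secret must be stored server-side as carefully as a password hash."""
    key = secrets.token_bytes(20)
    b32 = base64.b32encode(key).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")
    return key, uri


if __name__ == "__main__":
    key, uri = new_enrollment("ExampleCo", "alice@example.com")  # placeholder names
    print(uri)
    code = totp(key)
    print("current code:", code, "accepted:", verify_totp(key, code))
```

Two design points matter here. The code is derived from a shared secret and the clock, so nothing is sent over the phone network, which is why SIM-swapping does not help an attacker the way it does with SMS codes. And the verification accepts only a narrow drift window and uses a constant-time comparison; a server that accepts a wide window, or that reuses a code already consumed, weakens the control considerably.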
Solution 2: The ‘We’re a Real Business’ Layer
Once you’ve locked the front door, it’s time to put some bars on the windows. This layer is about reducing your attack surface and limiting the blast radius if something does go wrong.
- Principle of Least Privilege (PoLP): This is a fancy term for a simple concept: people should only have access to the things they absolutely need to do their job. Your marketing intern doesn’t need admin access to the production database `prod-db-01`. Your new junior dev doesn’t need permissions to delete the entire S3 bucket. Create specific roles and policies. It’s a pain to set up, but it prevents a single compromised account from taking down the entire company.
- Firewall Everything and Segment Your Network: Your cloud provider and even your office router have firewalls. Use them. By default, block ALL incoming traffic. Then, only open the specific ports you need. For example, never, ever leave a remote desktop port (RDP 3389 or SSH 22) open to the whole world.
Instead of this madness in your firewall rules:

```text
# DANGER: DO NOT DO THIS
ALLOW TCP INGRESS | Port: 3389 (RDP) | Source: 0.0.0.0/0 (Anywhere)
```

Do this. Set up a simple VPN (like Tailscale or OpenVPN) and only allow access from the VPN’s IP range:

```text
# MUCH BETTER:
ALLOW TCP INGRESS | Port: 3389 (RDP) | Source: 100.64.0.0/10 (Your VPN Network)
```
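Rules like the ones above drift over time, so it pays to audit them automatically. The following is an added example, not part of the original post: it parses rules written in the same illustrative format used above (a real export from a cloud security group or router will look different and needs its own parser), then flags any management port reachable from outside the VPN range, with "open to the world" as the critical case. The sample rule set, the office address block and the list of management ports are constructed for the example.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample rule set in the post's own illustrative format.
SAMPLE_RULES = """
# exported ingress rules (constructed example)
ALLOW TCP INGRESS | Port: 3389 (RDP) | Source: 0.0.0.0/0 (Anywhere)
ALLOW TCP INGRESS | Port: 22 (SSH) | Source: 203.0.113.0/24 (Office static IP)
ALLOW TCP INGRESS | Port: 3389 (RDP) | Source: 100.64.0.0/10 (Your VPN Network)
ALLOW TCP INGRESS | Port: 443 (HTTPS) | Source: 0.0.0.0/0 (Anywhere)
"""

# Ports that should only ever be reachable through the VPN (assumed list).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over TLS"}
# The VPN range from the post; Tailscale hands out addresses in 100.64.0.0/10.
TRUSTED_NETS = [ipaddress.ip_network("100.64.0.0/10")]

RULE_RE = re.compile(
    r"ALLOW\s+(?P<proto>\w+)\s+INGRESS\s*\|\s*Port:\s*(?P<port>\d+)[^|]*"
    r"\|\s*Source:\s*(?P<src>[\d.]+/\d+)"
)


class Rule(NamedTuple):
    proto: str
    port: int
    source: ipaddress.IPv4Network
    line: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the pseudo-format line by line, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        rules.append(Rule(m["proto"].upper(), int(m["port"]),
                          ipaddress.ip_network(m["src"], strict=False), line))
    return rules


def audit(rules: List[Rule], trusted=TRUSTED_NETS) -> List[dict]:
    """Return one finding per management-port rule that is not confined to the VPN."""
    findings = []
    for r in rules:
        if r.port not in MANAGEMENT_PORTS:
            continue  # public services such as 443 are expected to be world-reachable
        name = MANAGEMENT_PORTS[r.port]
        inside_vpn = any(net.version == r.source.version and r.source.subnet_of(net)
                         for net in trusted)
        if r.source.prefixlen == 0:
            findings.append({"severity": "CRITICAL", "port": r.port, "source": str(r.source),
                             "reason": f"{name} open to the entire internet", "line": r.line})
        elif not inside_vpn:
            findings.append({"severity": "HIGH", "port": r.port, "source": str(r.source),
                             "reason": f"{name} reachable from outside the VPN range", "line": r.line})
    return findings


if __name__ == "__main__":
    for f in audit(parse_rules(SAMPLE_RULES)):
        print(f"{f['severity']:8} port {f['port']:<5} from {f['source']:16} {f['reason']}")
```

Running this against the constructed rules reports the RDP-from-anywhere rule as critical and the SSH-from-office rule as high (a fixed office address is better than the whole internet, but the post's advice is to reach management ports only through the VPN), while the VPN-scoped RDP rule and the public HTTPS rule pass. Wiring the same check into a scheduled job against your provider's real rule export turns a one-time cleanup into a standing control.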
Solution 3: The ‘Thinking Ahead’ Mindset
This is less about specific tools and more about building a culture of security. This is what separates businesses that survive an incident from those that don’t.
- Continuous Employee Training: The biggest vulnerability in any company is its people. Phishing emails are incredibly sophisticated now. You need to run regular, simple training sessions to teach your team how to spot them. A user who reports a phishing email is infinitely more valuable than any firewall.
- Endpoint Protection (EDR): Basic antivirus is dead. Modern threats are fileless and evasive. You need a modern Endpoint Detection and Response (EDR) tool on all company laptops and servers. Solutions like SentinelOne, CrowdStrike, or even Microsoft Defender for Business are designed to detect suspicious behavior, not just known viruses.
- Have a One-Page Incident Response Plan: When things go sideways, people panic. You need a simple checklist. It doesn’t have to be a 50-page document. Just answer these questions:
  - Who is the point person to call? (Have their cell number).
  - How do we isolate a compromised machine from the network? (e.g., “Unplug the ethernet cable”).
  - Who is authorized to contact our customers or legal counsel?
  - Where are the credentials for our backup and recovery systems?
Warning: Don’t assume your cloud provider is handling all of this for you. Under the “Shared Responsibility Model,” AWS, Azure, and Google secure the cloud, but you are responsible for securing what’s in the cloud. That means your data, your user access, your firewall rules, and your applications are all on you.
Security isn’t a one-time project; it’s a continuous process. Start with the baseline today, and slowly build your way up. You don’t have to be impenetrable; you just have to be a less appealing target than the next guy. And trust me, there are a lot of easy targets out there.
🤖 Frequently Asked Questions
❓ Why are small businesses considered “opportunities” for cyberattacks?
Small businesses are often exploited by automated scripts that scan the internet for common vulnerabilities like unsecured remote desktop ports, out-of-date software, weak passwords, or exposed API keys, making them low-hanging fruit rather than specific targets.
❓ How does the “Shared Responsibility Model” impact cloud security for small businesses?
Under the Shared Responsibility Model, cloud providers secure the underlying infrastructure (“security of the cloud”), but small businesses are responsible for securing their data, user access, firewall rules, and applications “in the cloud”.
❓ What is a critical pitfall when implementing backups, and how can it be avoided?
A critical pitfall is having backups that are never tested. This can be avoided by regularly (e.g., quarterly) performing test restores to verify that data is recoverable and the backup process is functioning correctly.