In 2025, 43% of cyberattacks in France targeted companies with fewer than 50 employees (source: ANSSI). The average cost of an attack for a small business is 25,000 euros, counting business interruption, technical remediation and data loss.
Yet 80% of these attacks could have been prevented with basic measures. No need for a 50,000-euro security budget: 10 simple actions are enough.
Measure 1: Strong passwords and a password manager
The password "Entreprise2024!" is not a good password. It looks complex (a capital letter, digits, a symbol), but it follows the pattern company word + year + symbol that every cracking wordlist and rule set tries first, so an automated tool guesses it in seconds.
The action: install a password manager for the entire team (Bitwarden in its free version, or 1Password at 4 euros/month/user). Every password is randomly generated, at least 16 characters long, and unique to each service.
The password manager's master password should be a long phrase you remember: "MyDogEatsShrimpOnTheTable" is far stronger than "P@ssw0rd!2024", because its strength comes from its length and from not being a dictionary word with the usual substitutions (a becomes @, o becomes 0) that cracking rules apply automatically.
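To see why the "strength meter" view of "Entreprise2024!" is misleading, here is an added Python example, written for this article and not code from any password manager or cracking tool. A tiny rule-based candidate generator of the kind cracking tools use finds the password in a few hundred guesses, while the character-class entropy estimate rates it about the same as a 16-character random password. The wordlist, the year range and the symbol set are constructed assumptions; the generator at the end does what a password manager does.

```python
import math
import secrets
import string

# Constructed wordlist: the kind of company-related words a targeted attacker
# seeds a cracking wordlist with. Assumption: the attacker knows the company name.
SAMPLE_WORDLIST = ["entreprise", "societe", "bureau", "admin", "welcome", "paris"]
SYMBOLS = "!@#$%*?."


def rule_candidates(words, years=range(2015, 2031)):
    """Yield guesses the way a rule-based cracker does: each word as typed,
    Capitalised or UPPER, with or without a year, with or without a symbol."""
    for word in words:
        for form in (word, word.capitalize(), word.upper()):
            yield form
            for year in years:
                yield f"{form}{year}"
                for sym in SYMBOLS:
                    yield f"{form}{year}{sym}"
                    yield f"{form}{sym}{year}"
            for sym in SYMBOLS:
                yield f"{form}{sym}"


def guesses_until_found(password, words):
    """How many rule-based guesses it takes to hit `password`; None if the rules never produce it."""
    for n, candidate in enumerate(rule_candidates(words), start=1):
        if candidate == password:
            return n
    return None


def naive_entropy_bits(password):
    """The misleading strength-meter estimate: it assumes every character was drawn
    uniformly from the character classes present, which a human never does."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=16):
    """What a password manager does: uniform random choice from a CSPRNG.
    Here the entropy estimate is real, because every character really is random."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def real_entropy_bits(length=16):
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    weak = "Entreprise2024!"
    print(f"{weak}: meter says {naive_entropy_bits(weak):.0f} bits, "
          f"found after {guesses_until_found(weak, SAMPLE_WORDLIST)} rule-based guesses")
    strong = generate_password()
    print(f"{strong}: {real_entropy_bits():.0f} bits, produced by the rules: "
          f"{guesses_until_found(strong, SAMPLE_WORDLIST) is not None}")
```

Both passwords score around 98 bits on the class-based estimate; the difference is that one of them sits in a search space of a few thousand candidates and the other does not.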
Measure 2: Two-factor authentication (2FA)
Even with a good password, if an employee falls for a phishing scam, the attacker has the password. 2FA adds a layer: in addition to the password, you need a temporary code generated by your phone.
The action: activate 2FA on all critical accounts: email, bank, hosting, social networks, business tools. Use an authenticator app (Google Authenticator, Authy) rather than SMS, which can be intercepted or redirected through a SIM swap. One caveat: an app code can still be relayed by a phishing site that asks for it in real time, so for the most sensitive accounts (administrator, email) prefer a passkey or a FIDO2 security key, which are phishing-resistant.
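To make the "temporary code generated by your phone" concrete, here is an added Python example, not code from the original article or from any authenticator vendor. It implements the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) that Google Authenticator and Authy use, the server-side check with a small tolerance for clock drift, and the enrolment URI the QR code encodes. The account and issuer names are made up. It also shows why an app code is still phishable: any code is accepted for roughly 30 seconds plus one step of drift, regardless of who types it.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the phone computes."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Server-side check. `window` accepts neighbouring steps to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    t = int(time.time() if for_time is None else for_time)
    counter = t // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), str(code))
               for d in range(-window, window + 1))


def new_secret(nbytes=20):
    """Enrolment: a 160-bit random secret, base32-encoded for the QR code / otpauth URI."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def otpauth_uri(b32_secret, account, issuer):
    """The key URI format that authenticator apps read from the enrolment QR code."""
    return (f"otpauth://totp/{issuer}:{account}?secret={b32_secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    b32 = new_secret()
    secret = base64.b32decode(b32)
    print(otpauth_uri(b32, "alice@pme.example", "PME"))  # made-up account and issuer
    code = totp(secret)
    print("code now:", code, "accepted:", verify_totp(secret, code))
    # Why real-time phishing still works: the same code, typed into a fake site and
    # relayed to the real one a few seconds later, is still inside the acceptance window.
    print("same code 20 s later, still accepted:", verify_totp(secret, code, time.time() + 20))
```

The shared secret never leaves the two parties, which is what makes the code "something you have"; the weakness is only that the code itself is a short-lived bearer value that a phishing site can forward.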
Measure 3: Automatic updates
Security vulnerabilities are usually fixed by vendors within days or weeks of discovery. But if you don't install the fix, the vulnerability stays open on your machines. Ransomware operators routinely exploit Windows and browser vulnerabilities that have been public, with a patch available, for months.
The action: enable automatic updates on all computers (Windows, macOS, browsers, business software). One restart per week is the price to pay.
Measure 4: The 3-2-1 backup
The 3-2-1 rule: 3 copies of your data, on 2 different media, with 1 off-site.
Concrete action:
- Copy 1: your hard drive (production data)
- Copy 2: an external hard drive or NAS (automatic daily backup)
- Copy 3: a cloud service (Backblaze B2 at $6/month, or Synology C2)
Test a restoration once per quarter: a backup you don't know how to restore isn't a backup. And keep in mind that ransomware encrypts every drive it can reach, including an always-connected NAS and a cloud folder that syncs continuously, so keep at least one copy offline (disconnected) or on a service with versioning or immutable snapshots, so an encrypted copy never overwrites the good one.
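Here is an added Python example of what the quarterly restore test should do, written for this article rather than taken from any backup product: back up a directory into a compressed archive with a SHA-256 manifest, restore it into a fresh directory, and compare every file against the manifest, so "it restored" means "every file came back byte for byte". The sample files are constructed, and the archive and manifest layout are assumptions of this example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under `root`."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive):
    return Path(f"{archive}.manifest.json")


def make_backup(source_dir, archive):
    """Copy 2 or 3 of the 3-2-1 rule: a compressed archive plus a manifest stored
    next to it, so a later restore can be verified file by file."""
    manifest = build_manifest(source_dir)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source_dir), arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_against_manifest(restored_root, manifest):
    """Report what differs between the restored tree and the manifest."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in actual),
        "changed": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "extra": sorted(k for k in actual if k not in manifest),
    }


def restore_and_verify(archive, restore_dir):
    manifest = json.loads(manifest_path(archive).read_text())
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # The "data" filter refuses path traversal and absolute paths in the
            # archive (Python 3.12+, backported to maintenance releases of 3.8-3.11).
            tar.extractall(str(restore_dir), filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(str(restore_dir))
    return verify_against_manifest(Path(restore_dir) / "data", manifest)


def run_restore_drill():
    """The quarterly test, self-contained on constructed sample data: back up, restore
    into a fresh directory, verify; then corrupt one restored file to show the check
    catches it. Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "prod"
        (src / "compta").mkdir(parents=True)
        (src / "compta" / "factures.csv").write_text("id;montant\n1;100\n")  # constructed
        (src / "notes.txt").write_text("constructed sample data\n")
        archive = work / "backup.tar.gz"
        manifest = make_backup(src, archive)
        restore_dir = work / "restore"
        clean = restore_and_verify(archive, restore_dir)
        (restore_dir / "data" / "notes.txt").write_text("encrypted by ransomware, or bit rot\n")
        tampered = verify_against_manifest(restore_dir / "data", manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_restore_drill()
    print("clean restore:", clean)
    print("after corrupting one file:", tampered)
```

Store the manifest with the off-site copy as well: if the archive and its manifest sit on the same disk, a corrupted disk takes both.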
Measure 5: Anti-phishing awareness
90% of attacks start with a phishing email. The weak link is human.
The action: train your team to recognize suspicious emails. The warning signs:
- Artificial urgency ("Your account will be suspended in 2 hours")
- Unknown sender or suspicious domain name
- Links to strange URLs (hover without clicking)
- Unexpected attachments (.exe, .zip, .js)
- Requests for credentials by email (no legitimate service does this)
Run a simulated phishing exercise once a year. Platforms like Gophish (free) let you send fake phishing emails to your team to identify weaknesses.
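The warning signs above can also be checked mechanically, for instance in a mail filter or a triage script. Here is an added Python example, written for this article and not taken from any product, that parses an email and flags a brand in the display name that doesn't match the sender's domain, a Reply-To pointing elsewhere, urgency wording, link text that shows one host while the link goes to another, risky attachment extensions, and requests for credentials. The two sample messages and the brand/domain table are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands this company receives genuine mail from, with the domains
# they really send from (used to spot display-name impersonation).
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "microsoftonline.com"),
                 "google": ("google.com",)}
# The article's list (.exe, .zip, .js) plus a few other commonly abused types.
RISKY_EXT = (".exe", ".zip", ".js", ".scr", ".lnk", ".iso", ".vbs", ".hta")
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|suspended|expires?)\b", re.I)
CREDS = re.compile(r"\b(password|mot de passe|identifiants?|login details)\b", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def is_brand_domain(domain, brand_domains):
    # exact match or subdomain only: "evil-microsoft.com" must not pass
    return any(domain == d or domain.endswith("." + d) for d in brand_domains)


def analyze(msg):
    """Return a list of (rule, detail) findings for one parsed message."""
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    for brand, doms in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not is_brand_domain(from_dom, doms):
            findings.append(("display_name_spoof", f"'{display_name}' sent from {from_dom}"))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"replies go to {reply_dom}, not {from_dom}"))
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            findings.append(("risky_attachment", filename))
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        texts.append(body)
        for href, anchor_text in ANCHOR.findall(body):
            shown = HOST.search(re.sub(r"<[^>]+>", "", anchor_text))
            real = (urlparse(href).hostname or "").lower()
            if shown and real and shown.group(1).lower() != real:
                findings.append(("link_mismatch", f"text shows {shown.group(1)}, link goes to {real}"))
    text = "\n".join(texts)
    hit = URGENCY.search(text)
    if hit:
        findings.append(("urgency", hit.group(0)))
    hit = CREDS.search(text)
    if hit:
        findings.append(("credential_request", hit.group(0)))
    return findings


def analyze_raw(raw_bytes):
    return analyze(message_from_bytes(raw_bytes, policy=policy.default))


def sample_phish():
    """Constructed phishing message, not a real one."""
    m = EmailMessage()
    m["From"] = "Microsoft 365 Support <security@login-verify.example>"
    m["To"] = "compta@pme.example"
    m["Reply-To"] = "helpdesk@other-box.example"
    m["Subject"] = "Action required: your mailbox will be suspended in 2 hours"
    m.set_content("Your mailbox will be suspended. Sign in and confirm your password.")
    m.add_alternative('<p>Sign in at <a href="http://login-verify.example/auth">'
                      'https://login.microsoftonline.com</a> and confirm your password.</p>',
                      subtype="html")
    m.add_attachment(b"PK\x03\x04 not really a zip", maintype="application",
                     subtype="zip", filename="Facture_2025.zip")
    return m.as_bytes()


def sample_legit():
    """Constructed ordinary supplier message."""
    m = EmailMessage()
    m["From"] = "Dupont Fournitures <devis@dupont.example>"
    m["To"] = "compta@pme.example"
    m["Subject"] = "Devis 1042"
    m.set_content("Bonjour, ci-joint le devis demande. Cordialement.")
    m.add_attachment(b"%PDF-1.4 not really a pdf", maintype="application",
                     subtype="pdf", filename="devis_1042.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for rule, detail in analyze_raw(sample_phish()):
        print(f"{rule:20} {detail}")
    print("legit mail findings:", analyze_raw(sample_legit()))
```

Each rule on its own produces false positives (a real supplier may well say "urgent"); the point is that a genuine message rarely trips several of them at once, which is exactly what you want people to look for.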
Measure 6: Secure Wi-Fi
Your office Wi-Fi is an entry point. If the password is "hello123", or if you're still using WEP (broken and obsolete for over 15 years), anyone parked on the street can join your network.
The action: WPA3 (or at minimum WPA2 with AES/CCMP, not TKIP), a password of 20+ characters, and a separate guest network for visitors. Also disable WPS, whose PIN can be brute-forced, and change the router's default administrator password.
Measure 7: Laptop encryption
A laptop stolen from a car, a bag forgotten on the train — it happens. If the disk isn't encrypted, the thief accesses all your data.
The action: enable BitLocker (Windows Pro or Enterprise) or FileVault (macOS). It's free, built into the system, and transparent to use. Check that it is actually on: "manage-bde -status" in a Windows command prompt, "fdesetup status" in the macOS Terminal. Store the recovery key somewhere safe (your password manager or your identity provider), never in the laptop bag.
Measure 8: Restricted access rights
Not everyone needs access to everything. The accountant doesn't need access to technical files, the intern doesn't need administrator rights.
The action: apply the principle of least privilege. Each user accesses only the resources necessary for their work, daily work is done on a standard account, and a separate administrator account is reserved for installations. Delete (or at least disable) the accounts of people leaving the company on their departure day, and review who has access to what every quarter.
Measure 9: Antivirus and firewall
Microsoft Defender, built into Windows, is sufficient for most small businesses. No need to buy a paid antivirus if your digital hygiene is good. However, verify that Defender is enabled and up to date on every computer: in PowerShell, "Get-MpComputerStatus" shows whether real-time protection is on and when the signatures were last updated.
Windows Firewall should remain enabled. Don't disable it "because some software doesn't work" — find the right exception rather than opening everything.
Measure 10: Incident response plan
The day it happens (and statistically, it will), you need to know what to do. A 5-point response plan:
- Isolate the infected machine: unplug the network cable and turn off Wi-Fi, but don't shut it down (the memory contents your provider will need for analysis disappear at power-off)
- Notify your IT provider or call 3218 (cybermalveillance.gouv.fr)
- Don't pay the ransom (it doesn't guarantee data recovery and funds criminals)
- Restore from backup
- File a police report and, if personal data is involved, notify the CNIL within 72 hours (the GDPR deadline)
Print this plan and post it on the wall. When the day comes, no one will go looking for a digital document on a computer that ransomware has just encrypted.
Cybersecurity is not a technical subject reserved for IT professionals; it's a management subject. Ten simple measures, applied rigorously, block the vast majority of attacks.