Ransomware groups are smaller, faster, and more selective than the noisy double-extortion crews. The growth area for attackers is now AI-assisted phishing, OAuth token theft, and supply-chain compromises through SaaS integrations. For small and mid-sized businesses, the result is that the biggest risks rarely come through your firewall; they come through your email, your browser, and the contractors plugged into your Google Workspace or Microsoft 365 tenant.
This is a practical 2026 playbook: the controls that actually matter, the budget split that gets you the most reduction in risk per dollar, and the specific tools that small teams are using right now.
TL;DR
The pick: Spend on identity and email security first: phishing-resistant MFA, conditional access policies, and a managed email security gateway cover roughly 70 percent of small-business breach paths.
Runner-up: Endpoint detection and response from a vendor like CrowdStrike Falcon Go, SentinelOne Singularity, or Microsoft Defender for Business is now table stakes; antivirus alone is not enough.
Skip if: Skip vanity perimeter spend; a firewall refresh is the wrong place to start when your real exposure is account takeover and SaaS misconfiguration.
Identity is the new perimeter
Almost every reported small-business breach has traced back to a stolen credential, an exposed OAuth token, or an MFA push-fatigue attack. The fix is phishing-resistant MFA on every administrator account and ideally every user: WebAuthn security keys like YubiKey 5C, platform passkeys built into iOS and Android, or Microsoft Authenticator with number matching and FIDO2.
Pair this with conditional access policies that block sign-in from unmanaged devices or unusual geographies, and enforce session timeouts on admin accounts. On Google Workspace, enable Advanced Protection for executives; on Microsoft 365, set up Conditional Access with the recommended security baseline.
Email security: catch phishing before it reaches the inbox
Native protection in Microsoft 365 and Google Workspace has gotten materially better, but generative-AI phishing still slips through. A managed email security gateway like Abnormal Security, Material Security, or Proofpoint Essentials adds behavioral analysis and catches the impersonation and BEC attempts that signature-based filters miss.
Implement DMARC at reject, SPF, and DKIM on every domain you own, including parked domains. Quarantining inbound mail that fails alignment shuts down a whole category of brand-impersonation phishing.
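To show what "DMARC at reject" actually does on the receiving side, here is an added example (written for this article, not code from any vendor mentioned) of the alignment check a mail server runs: it parses the sender domain's DMARC record, tests whether the SPF-authenticated domain or the DKIM signing domain aligns with the visible From domain, and returns the disposition the record asks for. The organizational-domain lookup is a deliberate approximation (last two labels instead of the Public Suffix List), and all domains in the test are constructed sample values.

```python
from typing import Optional, Tuple


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # RFC 7489 defaults: relaxed alignment for both DKIM and SPF
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Assumption/simplification: organizational domain = last two labels.
    # A production receiver derives this from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, from_domain: str,
             spf_pass_domain: Optional[str],
             dkim_pass_domain: Optional[str]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition).

    spf_pass_domain: the MAIL FROM domain that passed SPF, or None if SPF failed.
    dkim_pass_domain: the d= domain of a DKIM signature that verified, or None.
    A message passes DMARC if either mechanism passed AND is aligned with the
    From header domain; otherwise the record's p= policy decides its fate.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else tags.get("p", "none"))
```

The second assertion in the test is the brand-impersonation case the article describes: SPF passes for the sender's own infrastructure domain, but that domain does not align with the spoofed From header, so a p=reject record rejects it.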
Endpoint detection and response on every device
Antivirus has not been enough for years. Endpoint Detection and Response (EDR) tools track behavior on the device and roll back ransomware actions automatically. For a small team, the realistic options are CrowdStrike Falcon Go (around 60 USD per endpoint per year), SentinelOne Singularity Core, or Microsoft Defender for Business bundled with M365 Business Premium.
Apply EDR to every laptop, every server, and any device that touches sensitive data. BYOD policy should either require enrollment in your MDM or restrict the account to web-only access via conditional access.
Backups, patching, and the recovery plan
Backups remain the difference between a bad week and a fatal one. The 3-2-1 rule (three copies, two media, one offline) still holds; verify restores quarterly, not annually. Cloud-to-cloud backup for Microsoft 365 or Google Workspace via Datto, Spanning, or Druva is cheap insurance against accidental or malicious deletion.
Patch operating systems and browsers within 14 days of release, and treat third-party browser extensions as a high-risk surface. Maintain a one-page incident response runbook with who to call, which accounts to disable, and which logs to preserve.
People: train for what attackers actually do
Quarterly security awareness training from KnowBe4, Hoxhunt, or Curricula reduces click rates on simulated phishing by 70 to 90 percent over a year. Tailor scenarios to your industry; a law firm should see fake court notices, a fintech should see fake regulator outreach.
Run a tabletop incident exercise once a year with the leadership team and your IT or MSP partner. The first ransomware call is not the time to learn that your COO does not know who to wake up at 2 a.m.
At a glance
| Control area | Minimum viable | Recommended for SMB | Mature SMB |
|---|---|---|---|
| Identity | MFA via app | Passkeys plus Conditional Access | Phishing-resistant FIDO2 keys for admins |
| Email | Native M365/Workspace filters | Add Material or Abnormal | DMARC reject plus secure email gateway |
| Endpoint | Built-in OS antivirus | Defender for Business or Falcon Go | Full EDR plus MDR managed response |
| Backup | Local backup | Cloud-to-cloud for SaaS | Immutable offsite backup plus quarterly restore tests |
| Training | Annual deck | Quarterly modules with phishing tests | Role-based with executive tabletop drills |
The U.S. CISA cybersecurity best practices hub is the authoritative free playbook small and mid-sized teams can map this guide against.
FAQ
How much should a small business spend on security?
Industry benchmarks put security spend at 5 to 10 percent of total IT spend for SMBs. Concentrate that on identity, email, and endpoint controls before anything else.
Do we need a CISO or a virtual CISO?
Most SMBs under 100 employees do not need a full-time CISO. A virtual CISO engagement at a few hours per month is usually enough to set policy and review controls.
Is cyber insurance worth it?
Yes, but read the policy carefully. Insurers now require MFA, EDR, and tested backups as warranty conditions. Premiums are lower for businesses that can prove these controls.
What is the single highest-impact thing we can do tomorrow?
Roll out phishing-resistant MFA to every administrator account and disable legacy authentication protocols. That single change blocks the majority of credential-based attacks.
How do we vet a managed security provider?
Ask for SOC 2 Type 2 reports, sample monthly reports, a clear SLA for incident response, and references from businesses of your size. Avoid providers who cannot articulate how they detect lateral movement.
Bottom line
The attack surface for small and mid-sized businesses is identity, email, and endpoints, with backups as your safety net. Spend in that order, pick tools you will actually use, and run one tabletop drill before the next quarter ends. The teams that survive a breach are not the ones with the biggest budgets; they are the ones who rehearsed.