Small Business Security Checklist
A 2026 playbook for Vermont small businesses — defending against BEC wire fraud, ransomware, supply chain attacks, and AI-powered impersonation.
Why this matters for VT small business
Small businesses absorb a disproportionate share of cyber losses: limited IT budget, no dedicated security staff, and attacker tooling that scales at no extra cost to the attacker. The FBI's 2024 IC3 report tallied more than $16B in reported losses, with BEC (Business Email Compromise) among the costliest categories at nearly $2.8B, and much of that fell on small and mid-sized businesses. The good news: most successful attacks rely on the same handful of weaknesses (no MFA, unprotected email, backups reachable from the network), and most are fixable in a weekend.
The four threats that cost small businesses the most
1. Business Email Compromise (BEC)
An attacker compromises or spoofs a trusted email account (your CEO, your bookkeeper, a vendor) and sends a believable instruction to wire money or change a payment account. The 2026 version uses AI-generated email that closely matches the writing style of the impersonated person, and increasingly pairs it with a deepfake voice call from "the CEO" to confirm the wire.
Common variants:
- CEO fraud: "Quick favor — please wire $40k to this acquisition account today, I'm in a meeting, can't talk."
- Vendor invoice swap: A fake email from a real vendor saying "we updated our banking" — next month's invoice goes to the attacker.
- Payroll diversion: An "employee" emails HR asking to update their direct deposit to a new account.
- Attorney impersonation: Around closings (real estate, M&A) — wire instructions arrive that look correct but redirect funds.
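The vendor invoice swap and attorney impersonation variants above usually arrive from a domain that is almost, but not quite, the real one: a swapped character, a missing hyphen, the real name buried as a subdomain of an attacker-owned domain, or a non-Latin look-alike letter delivered as punycode. The following Python script is an added example (it is not part of the original guide and not any vendor's product) that checks a sender's domain against the list of domains you actually do business with. The vendor list, the sample senders, and the two-label rule for the "registrable" domain are all constructed assumptions for illustration.

```python
"""Lookalike sender-domain check.

Added example, not from the original guide. The vendor list and the sample
sender domains are constructed; a real deployment would feed the From: and
Reply-To: domains of incoming invoice mail through classify().
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed: domains this business legitimately exchanges invoices with.
KNOWN_DOMAINS = ["acme-supply.com", "greenmountainlaw.com", "examplebiz.com"]

# Character swaps that look alike in common fonts. Multi-character pairs
# come first so "rn" is folded before the single-character swaps run.
SWAPS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
         ("3", "e"), ("5", "s"), ("7", "t"), ("-", ""), (".", "")]


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so IDN homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode or malformed: compare as given


def registrable(domain: str) -> str:
    """The part of the name the sender actually registered (last two labels).
    Assumption for brevity: two-label suffixes only; use the public suffix
    list in production to handle .co.uk-style suffixes."""
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(domain: str) -> str:
    """ASCII skeleton: fold accents, drop non-ASCII, apply look-alike swaps,
    and strip dots/hyphens so 'acmesupply.com' collides with 'acme-supply.com'."""
    d = domain.lower().strip().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for src, dst in SWAPS:
        d = d.replace(src, dst)
    return d


def classify(sender_domain: str, known=KNOWN_DOMAINS, threshold: float = 0.85) -> dict:
    """Return {'domain', 'verdict', 'reasons'}; verdict is 'known',
    'lookalike' or 'unrelated'. Subdomains of a known domain count as known."""
    uni = to_unicode(sender_domain)
    full = uni.lower().strip().rstrip(".")
    known_l = [k.lower() for k in known]
    if registrable(full) in known_l:
        return {"domain": sender_domain, "verdict": "known", "reasons": []}

    hits, notes = [], []
    if any(ord(c) > 127 for c in full):
        notes.append("contains non-ASCII (IDN) characters")
    sk = skeleton(registrable(full))
    for k in known_l:
        if k in full:
            # e.g. acme-supply.com.invoice-portal.net: the trusted name is only
            # a label; the registered domain belongs to the attacker
            hits.append(f"embeds {k} under a different registered domain")
        score = SequenceMatcher(None, sk, skeleton(k)).ratio()
        if score >= threshold:
            hits.append(f"resembles {k} (similarity {score:.2f})")
    verdict = "lookalike" if hits else "unrelated"
    return {"domain": sender_domain, "verdict": verdict, "reasons": hits + notes}


if __name__ == "__main__":
    # Constructed senders: a legitimate subdomain, an "rn" swap, a subdomain
    # trick, a Cyrillic 'a' delivered as punycode, and an unrelated domain.
    samples = [
        "billing.acme-supply.com",
        "acrne-supply.com",
        "acme-supply.com.invoice-portal.net",
        "\u0430cme-supply.com".encode("idna").decode("ascii"),
        "vermontcoffeeroasters.com",
    ]
    for s in samples:
        r = classify(s)
        print(f"{r['verdict']:10} {s}  {'; '.join(r['reasons'])}")
```

A "lookalike" verdict is a reason to route the message to the callback-verification step rather than to delete it outright: a vendor really can change domains, and the check exists to force the phone call, not to make the decision for you.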
2. Ransomware
Encrypts your files and demands payment. The 2026 model is "double extortion": the attackers steal your data first, then encrypt, and threaten to publish if you don't pay. Affiliates rent ransomware kits ("ransomware-as-a-service") and hand the operator a 20–30% cut, so the pool of attackers keeps growing. Small businesses often pay because their only backups sat on the same network and were encrypted along with everything else.
3. Supply chain compromise
Your business may be solid, but the SaaS app, MSP, or accounting system you depend on gets breached, and you inherit the blast radius. Notable vectors: compromised browser extensions, malicious npm/PyPI packages pulled into vendor software, and stolen MSP credentials, which open every client of that MSP at once.
4. Account takeover via stolen sessions
Info-stealer malware on an employee's laptop steals not just saved passwords but the browser's active session cookies. The attacker replays those cookies to log into Microsoft 365, Google Workspace, QuickBooks, or your bank as that employee, and MFA never fires because the session was already authenticated when the cookie was issued. A password reset alone does not end this: the stolen session has to be revoked too.
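The replayed cookie leaves a trace in sign-in logs: the same session identifier suddenly shows up from a different country or browser while the provider records that MFA was satisfied by the existing session rather than prompted again. The Python below is an added example (not from the original guide, and not any identity provider's export format) that runs two detections over a constructed log: same-session replay, and "impossible travel" for the same user across countries within a short window. Field names, IP addresses (from the documentation ranges), and the `mfa` values are assumptions.

```python
"""Detect a replayed session cookie in sign-in logs.

Added example, not from the original guide. SIGNINS is a constructed log in
a made-up schema (field names are assumptions, not any identity provider's
export format). 'mfa' records whether the user was actually prompted or
whether the request rode on an already-authenticated session.
"""
from datetime import datetime, timedelta

SIGNINS = [
    # Jane signs in with MFA from the office laptop, then keeps working.
    {"t": "2026-04-20T08:02:00", "user": "jane@examplebiz.com", "session": "s-7f3a",
     "ip": "198.51.100.23", "country": "US", "ua": "Windows/Chrome", "mfa": "prompted"},
    {"t": "2026-04-20T09:40:00", "user": "jane@examplebiz.com", "session": "s-7f3a",
     "ip": "198.51.100.23", "country": "US", "ua": "Windows/Chrome", "mfa": "session"},
    # Same session id 25 minutes later from another country and browser, and
    # MFA was never prompted: the cookie was stolen and replayed.
    {"t": "2026-04-20T10:05:00", "user": "jane@examplebiz.com", "session": "s-7f3a",
     "ip": "203.0.113.77", "country": "NL", "ua": "Linux/Firefox", "mfa": "session"},
    # Bob's laptop moves from the office to home: new IP, same country and
    # browser. Worth a note, not an incident.
    {"t": "2026-04-20T11:00:00", "user": "bob@examplebiz.com", "session": "s-0c11",
     "ip": "198.51.100.40", "country": "US", "ua": "macOS/Safari", "mfa": "prompted"},
    {"t": "2026-04-20T18:30:00", "user": "bob@examplebiz.com", "session": "s-0c11",
     "ip": "192.0.2.8", "country": "US", "ua": "macOS/Safari", "mfa": "session"},
]


def _ts(e):
    return datetime.fromisoformat(e["t"])


def find_session_replay(events):
    """Compare every sign-in to the first sighting of its session id. A change
    of country or browser while MFA was satisfied by the existing session
    (never re-prompted) is the signature of a replayed cookie; an IP-only
    change is reported as low severity because laptops roam."""
    first, alerts = {}, []
    for e in sorted(events, key=_ts):
        origin = first.setdefault(e["session"], e)
        if origin is e or e["mfa"] == "prompted":
            continue
        changed = [f for f in ("ip", "country", "ua") if e[f] != origin[f]]
        if not changed:
            continue
        severity = "high" if ("country" in changed or "ua" in changed) else "low"
        alerts.append({"severity": severity, "user": e["user"], "session": e["session"],
                       "changed": changed, "from_ip": origin["ip"], "to_ip": e["ip"],
                       "t": e["t"]})
    return alerts


def find_impossible_travel(events, window=timedelta(hours=2)):
    """Same user seen from two countries inside the window, whatever the
    session id. Also catches a fresh login with stolen credentials."""
    last, alerts = {}, []
    for e in sorted(events, key=_ts):
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and _ts(e) - _ts(prev) <= window:
            gap = int((_ts(e) - _ts(prev)).total_seconds() // 60)
            alerts.append({"user": e["user"], "countries": (prev["country"], e["country"]),
                           "minutes_apart": gap, "t": e["t"]})
        last[e["user"]] = e
    return alerts


def sessions_to_revoke(replay_alerts):
    """Response step: the (user, session) pairs to kill so the attacker's copy
    of the cookie stops working. A password reset alone does not do this."""
    return sorted({(a["user"], a["session"]) for a in replay_alerts
                   if a["severity"] == "high"})


if __name__ == "__main__":
    replays = find_session_replay(SIGNINS)
    for a in replays:
        print(f"[{a['severity']}] {a['user']} session {a['session']} changed {a['changed']} "
              f"{a['from_ip']} -> {a['to_ip']} at {a['t']}")
    for a in find_impossible_travel(SIGNINS):
        print(f"[travel] {a['user']} {a['countries'][0]}->{a['countries'][1]} "
              f"in {a['minutes_apart']} min")
    print("revoke:", sessions_to_revoke(replays))
```

The country-change rule is what the "block logins from unexpected countries" conditional-access item in the checklist enforces preventively; this script is the detective counterpart for the sessions that were issued before the policy existed, or for providers where you only get logs.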
The 2026 small-business checklist
Identity & access (highest ROI — start here)
- Enforce MFA on every business account — Microsoft 365, Google Workspace, banking, payroll, accounting, social media, domain registrar.
- Move MFA off SMS where possible: authenticator apps for staff, and phishing-resistant FIDO2 hardware keys (YubiKey or equivalent) or passkeys for owners and finance roles, since those cannot be phished by a fake login page.
- Require unique passwords through a business password manager (1Password Business, Bitwarden, Dashlane).
- Disable legacy authentication protocols in M365 / Google Workspace (basic auth, IMAP/POP for mail).
- Set up conditional access: block sign-ins from countries you don't operate in, and require a fresh MFA prompt (not a cached session) from unrecognized devices.
- Offboarding checklist: when someone leaves, revoke access in under 24 hours across every system.
Email security
- Configure SPF, DKIM, and DMARC on your sending domain. Start DMARC at p=none to collect reports, then move to p=reject once every legitimate sender aligns. This is the strongest defense against spoofing of your exact domain; it does nothing against lookalike domains, which need their own detection.
- Enable advanced phishing protection (Microsoft Defender for Office 365, Google Workspace's advanced phishing and malware protection, or a third-party gateway such as Abnormal or Proofpoint).
- Enable banner warnings for external email and lookalike-domain detection.
- Block auto-forwarding rules to external addresses, and audit the inbox rules that already exist. An attacker who gets into a mailbox creates rules that forward or hide mail so the fraud continues unnoticed (a classic BEC persistence technique).
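The SPF and DMARC item above is easy to get "half done": a record exists, so the box is ticked, but it still says p=none or +all and stops nothing. The Python below is an added example (not from the original guide) that grades the TXT record strings you would copy out of DNS and names the gaps a spoofer would use. It does no DNS lookups, so it runs offline on pasted records; the sample records and the domains in them are constructed.

```python
"""Grade SPF and DMARC TXT records for the weaknesses spoofers exploit.

Added example, not from the original guide. Works on record strings you
paste in (no DNS lookups), so it runs offline; the sample records below are
constructed. Findings are (severity, message) pairs.
"""

RANK = {"none": 0, "quarantine": 1, "reject": 2}  # DMARC policy strength
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def grade_dmarc(record: str) -> list:
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return [("high", "not a DMARC record (must start with v=DMARC1)")]
    findings = []
    p = t.get("p", "").lower()
    if p == "none":
        findings.append(("high", "p=none: spoofed mail is still delivered; you only get reports"))
    elif p == "quarantine":
        findings.append(("med", "p=quarantine: spoofed mail lands in spam; move to p=reject once aligned"))
    elif p != "reject":
        findings.append(("high", f"missing or invalid policy tag p={p!r}"))
    pct = t.get("pct", "100")
    if pct != "100":
        findings.append(("med", f"pct={pct}: policy enforced on only {pct}% of failing mail"))
    if "rua" not in t:
        findings.append(("med", "no rua= address: no aggregate reports, so you can't see who sends as you"))
    sp = t.get("sp", "").lower()  # subdomain policy; defaults to p when absent
    if sp and RANK.get(sp, 0) < RANK.get(p, 0):
        findings.append(("high", f"sp={sp}: subdomains are enforced more weakly than the main domain"))
    return findings


def mech_name(term: str) -> str:
    """'include:spf.example' -> 'include'; '-all' -> 'all'; 'a/24' -> 'a'."""
    name = term.lower().lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


def grade_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "not an SPF record (must start with v=spf1)")]
    findings = []
    mechs = terms[1:]
    all_term = next((m for m in mechs if mech_name(m) == "all"), None)
    if all_term is None:
        findings.append(("high", "no 'all' mechanism: unlisted senders get a neutral result"))
    else:
        q = all_term[0] if all_term[0] in "+-~?" else "+"
        if q == "+":
            findings.append(("high", "+all: every host on the internet passes SPF for your domain"))
        elif q == "?":
            findings.append(("high", "?all: neutral, which receivers treat like no SPF at all"))
        elif q == "~":
            findings.append(("info", "~all: softfail; fine once DMARC is at p=reject, since alignment decides"))
    lookups = sum(1 for m in mechs if mech_name(m) in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(("med", f"{lookups} lookup mechanisms: over the limit of 10, receivers return permerror"))
    if any(mech_name(m) == "ptr" for m in mechs):
        findings.append(("med", "ptr: deprecated and unreliable; replace with ip4/ip6 or include"))
    return findings


def spoofable(spf_record: str, dmarc_record: str) -> bool:
    """Heuristic: any high-severity gap means mail forged from your exact
    domain is likely to be delivered somewhere."""
    return any(sev == "high" for sev, _ in grade_spf(spf_record) + grade_dmarc(dmarc_record))


# Constructed records: a typical "set it up once" state, and the target state.
WEAK_SPF = "v=spf1 include:_spf.mail-host.example include:spf.crm.example +all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:_spf.mail-host.example ip4:203.0.113.10 -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@examplebiz.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        print(f"{label}: spoofable={spoofable(spf, dmarc)}")
        for sev, msg in grade_spf(spf) + grade_dmarc(dmarc):
            print(f"  [{sev}] {msg}")
```

The lookup-limit check matters more than it looks: every SaaS tool you add usually brings an `include:`, and once the chain passes ten lookups receivers return permerror, at which point your real mail starts failing authentication while you believe SPF is fine.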
Wire transfer & payment controls (BEC defense)
- Mandatory callback verification for any wire transfer, ACH change, or vendor banking update. Call the requester at a phone number you already have on file — never the number in the email.
- Dual approval for transfers over a defined threshold (e.g., $5,000).
- Vendor management: when a vendor "changes their banking," verify with a known contact, not by reply-email.
- Pre-authorize approved payment accounts. New accounts require an out-of-band confirmation step.
- Train finance staff to expect urgency-based pressure as a red flag, not a reason to move faster.
Endpoints & backups (ransomware defense)
- Run business-grade endpoint detection (Microsoft Defender for Business, CrowdStrike Falcon Go, SentinelOne, Huntress) — not just consumer antivirus.
- Patch on a defined cadence (OS within 7 days of release for critical, browsers within 24–48 hours).
- Enforce the 3-2-1 backup rule: 3 copies of data, 2 different media, 1 offsite or immutable. Test restores quarterly.
- Backups must be inaccessible to a ransomware actor on your network: use object-lock (immutable) storage or an offline copy, protected by credentials that your everyday admin accounts do not hold.
- Keep macros from internet-sourced files blocked in Office (the current default; verify nobody has overridden it). Block script downloads and known-bad file types at the email gateway.
People & process
- Run a 30-minute security training at hire and at least annually. Cover phishing, BEC, and what to do when something seems off.
- Run quarterly simulated phishing campaigns. Measure click rates over time, don't shame individuals.
- Designate a single "no-shame report" channel for suspicious email or events. Reward reports, even false alarms.
- Maintain a one-page incident response plan: who to call, how to isolate a machine, who decides on a ransom.
- Carry cyber insurance, but read the exclusions. Most policies now require MFA and EDR as a condition of coverage, and misstating your controls on the application can be grounds to deny a claim.
If you've been breached
- Contain. Disconnect affected machines from the network (pull the cable, turn off Wi‑Fi) but leave them powered on; powering off destroys memory evidence an investigator needs. Disable compromised accounts and revoke their active sessions, not just their passwords.
- Preserve. Capture logs from email gateway, endpoint tools, firewalls, and identity provider before they roll over.
- Report. File with the FBI at IC3.gov immediately for BEC; the FBI's Financial Fraud Kill Chain can sometimes recall a fraudulent wire if it is reported within 72 hours, and the odds drop with every hour. Also notify CISA at cisa.gov/report for ransomware.
- Notify. Vermont's Security Breach Notice Act (9 V.S.A. § 2435) applies if personal information was exposed: give the VT Attorney General preliminary notice within 14 business days of discovering the breach, and notify affected residents within 45 days.
- Engage. Bring in an incident response firm for anything beyond a single compromised account. Your cyber insurance carrier likely has a panel.
- Don't pay yet. Paying a ransom can violate OFAC sanctions if the actor is on a sanctions list, and payment is no guarantee that your data comes back or stays unpublished. Consult counsel and your IR firm before paying.
Vermont & federal resources
- CISA Cyber Resource Hub — free assessments, advisories, and the Cyber Hygiene Service for SMBs
- FBI IC3 — file BEC and ransomware reports here first; speed matters
- StopRansomware.gov — joint federal portal with prevention guides and reporting
- VT Attorney General — Security Breaches — Vermont breach notification requirements
- NIST Small Business Cybersecurity Corner — free templates, training, and the NIST Cybersecurity Framework
- Contact CyberAware Initiative — free guidance for Vermont nonprofits and small businesses
Last updated April 28, 2026. This guide is general information, not legal or insurance advice.
Need help getting started?
CyberAware Initiative offers free workshops and assessment guidance for Vermont small businesses and nonprofits.
Get in Touch