I get some version of this question almost every week: "Sammy, I'm a one- or two-person shop. What's the one security thing I should actually do?" My honest answer is that there are two, they take about an afternoon combined, and together they shut the door on the overwhelming majority of break-ins I see at small businesses around here. They're multi-factor authentication (MFA) and a password manager.
Neither one is glamorous and neither one costs much. But do both this week and you've done more for your security than most shops on Columbia Pike have. Let me walk you through them.
Why these two, and not a fancy firewall
Here's how small businesses actually get hit, and it's more boring than the movies. Someone reuses the same password on their email, their bank, and some random website that later gets breached. The crooks scrape that password from the breached site and replay it everywhere else, automatically, by the millions. That's the whole attack. Credential stuffing, it's called, and it's most of what I clean up after.
These two moves break that attack from both ends. A password manager gives every account its own long, random password, so one leak doesn't unlock the rest. MFA means that even if someone has your password, they still can't get in without the second code. Front door locked, deadbolt added. It's the best dollar-for-dollar security you can buy, and most of it is free.
Setting up MFA (the second code)
MFA just means that after your password, the account asks for one more proof it's really you, usually a six-digit code. Turn it on first for the accounts that matter most: your email (the big one, since email resets every other password), your business banking, and your Microsoft 365 or Google Workspace.
You'll usually get a choice of methods. Text-message codes are fine and far better than nothing, but I'd nudge you toward an authenticator app like Microsoft Authenticator, Google Authenticator, or Authy. They're free, they live on your phone, and a text code can be stolen in ways an app code really can't: a crook who talks your carrier into moving your number to their SIM gets your texts, but the app code is computed on your phone from a secret the site handed you once, at setup, and never travels over the phone network. One caveat for either kind: a convincing fake login page can ask you for the code and pass it along in real time, so still check the address bar before you type one in. (If a site offers a passkey or a hardware security key, that's the one option a fake page can't relay.) The steps are the same every time: open the account's security settings, find "two-factor" or "two-step verification," and scan the QR code with the app. Two minutes per account.
One tip from doing this for folks all over Arlington and Alexandria: when the site offers backup codes, save them. Print them or stash them somewhere safe, not in a note on the same phone. They're your way back in if you lose your phone, and the day you need them is not the day you want to be hunting for them. Where the site lets you, enrolling a second device (a tablet, or the owner's phone and the office manager's) is cheap insurance too.
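For the curious, here's what the app actually does with that QR code. This is an added example, not something from Sammy's setup or from any of the apps named above. The QR code is just a text URI (otpauth://totp/...) carrying a shared secret; the app then combines that secret with the current 30-second time slot using the standard TOTP algorithm (RFC 6238) to produce the six digits. The code below parses such a URI, computes codes, and checks a submitted code the way a site's login server does, allowing one step of clock drift either way. The URI and the account name in it are made up for the example; the secret is the public test secret from the RFC, so never use it for a real account.

```python
"""Added illustration of how an authenticator app turns a QR code into a 6-digit code."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what a site's "scan this QR code" actually contains.
# The account/issuer are invented; the secret is RFC 6238's published test key.
EXAMPLE_URI = (
    "otpauth://totp/Example%20Shop:owner%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Shop"
    "&digits=6&period=30&algorithm=SHA1"
)


def parse_otpauth(uri: str) -> dict:
    """Pull out the fields an authenticator app stores after scanning the QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],                      # base32, shared once at setup
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),         # seconds per code
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HMAC the time-step counter with the shared secret, then truncate."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // period)       # 8-byte big-endian step number
    mac = hmac.new(key, counter, algorithm).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, submitted: str, at: int, window: int = 1,
                digits: int = 6, period: int = 30, algorithm: str = "sha1") -> bool:
    """What the login server does: accept the code for this step or `window` steps either side.

    Comparison is constant-time so timing doesn't leak how many digits matched.
    """
    for step in range(-window, window + 1):
        expected = totp(secret_b32, at + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    acct = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    code = totp(acct["secret"], now, acct["digits"], acct["period"], acct["algorithm"])
    print(f"{acct['label']}: current code {code}")
    print("server accepts it:", verify_code(acct["secret"], code, now))
```

The point to take away: the only thing that ever crossed the wire was the secret, once, inside the QR code. After that, every code is derived locally, which is why there is nothing for a SIM-swapper to intercept, and also why the secret (and the backup codes) must be guarded like a password.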
Setting up a password manager
A password manager is a locked vault for all your logins. You remember one strong master password; it remembers everything else, fills in logins, and generates new random ones on demand. Bitwarden and 1Password both do the job well, and Bitwarden's free plan is plenty for most small shops.
You don't have to convert every account in one sitting. Install it, set a master password you've never used anywhere else (turn on MFA for the vault itself, naturally), and let it capture logins as you sign into things over the next couple of weeks. By month's end the vault has filled itself in and you'll wonder how you ever tracked it all before.
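Two things a password manager does that are worth seeing in code, as an added example that isn't from Sammy or from Bitwarden or 1Password: it generates passwords that are long and genuinely random (using the operating system's randomness, not a "clever" pattern), and it lets you spot the reuse that makes credential stuffing work. The small vault below is constructed for the example; the site names and passwords in it are invented.

```python
"""Added illustration: random password generation and a reuse check over a vault."""
import math
import secrets
import string

# Character classes a site is likely to demand; together these are the 94
# printable ASCII characters other than space.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character with `secrets` (cryptographic RNG), and make sure every
    class present in the alphabet appears at least once so picky sites accept it."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    required = [set(c) & set(alphabet) for c in CLASSES.values()]
    required = [r for r in required if r]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in r for ch in pw) for r in required):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing cost of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def reused_passwords(vault: dict) -> dict:
    """Map each password used on more than one site to the sites sharing it."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def exposure_if_leaked(vault: dict, breached_site: str) -> list:
    """Credential stuffing in one line: which OTHER sites open with the leaked password?"""
    leaked = vault[breached_site]
    return sorted(s for s, pw in vault.items() if pw == leaked and s != breached_site)


# Constructed sample vault. "Summer2019!" stands in for the one password people reuse.
SAMPLE_VAULT = {
    "email": "Summer2019!",
    "bank": "Summer2019!",
    "forum": "Summer2019!",
    "payroll": "kQ7#vL2p$Xn9!wRz4Bm@",
}

if __name__ == "__main__":
    print("random 20-char password:", generate_password())
    print(f"that's about {entropy_bits(20, len(ALPHABET)):.0f} bits of guessing work,")
    print(f"versus about {entropy_bits(8, len(string.ascii_lowercase)):.0f} bits "
          "for a random 8-letter lowercase one")
    print("reused in vault:", reused_passwords(SAMPLE_VAULT))
    print("if the forum leaks, the crooks also get into:",
          exposure_if_leaked(SAMPLE_VAULT, "forum"))
```

Run it and the last line makes the whole argument of this post: the forum gets breached, and the email and bank accounts go with it. Replace each entry with generate_password() and that list is empty. (Human-chosen passwords aren't uniform, so the entropy figure is an upper bound for them and only honest for the random ones.)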
The objections I hear (and my straight answers)
"I'll get locked out of my own accounts." The worry I hear most, and it's fair. The fix is the backup codes above, plus writing your master password on paper and keeping it somewhere safe, because the vault companies can't reset it for you; Bitwarden and 1Password never see it, which is the whole point, so if it's gone, the vault is gone. Do that and the lock-out risk basically disappears.
"It'll slow me down." It speeds you up. Auto-fill beats typing, and you stop doing the "forgot password" dance every other login.
"My business is too small to be a target." Nobody's targeting you by name. The attacks are automated and they don't care whether you're a solo bookkeeper in Shirlington or a 40-person firm in Crystal City. Small shops get caught in the same nets, and they're usually the ones with the least set up to stop it.
If you want a hand
You can do both of these yourself in an afternoon, and I'll tell you straight: most people don't need to pay anyone for it. But if you'd rather have someone set it up cleanly across your team and devices, that's the kind of thing I handle on-site or remotely across Northern Virginia. For the next layers, my small business cybersecurity checklist covers what comes after, and if you want a professional read on where you actually stand, that's what a vulnerability assessment is for.
Either way, do these two this week. Call me at 571-680-5334 if you get stuck. It's the easiest security upgrade you'll ever make.
— Sammy