Security Basics for Businesses
Planted 02026-05-19
A practical security checklist for small businesses, agencies, and software teams.
You don’t have to be the bank to get robbed. Sometimes you’re the locksmith, the courier, or the person with a spare key to the back door.
Many attackers don’t care who you are. Most compromise is automated: if you have an open door, you will be swept up in mass scanning, reused as a stepping stone against someone else, and exploited.
Security isn’t about becoming impossible to hack. It’s about reducing easy mistakes, limiting damage, and knowing what to do when something goes wrong. Small businesses don’t need giant-company bureaucracy, but they do need basic habits.
- Don’t say “the team owns security.” That’s like saying “the village owns the fire extinguisher.” When the fire starts, you want to know exactly who grabs it. Every important area needs a named human. Security is no exception.
- Every project needs an owner after launch. Decide who patches it, who backs it up, who monitors it, who pays for it, and who gets called when it breaks.
- Use a password manager. Humans are bad at inventing passwords and worse at remembering unique ones. Let the machine generate long, unique passwords and let the password manager remember them.
- Don’t rely on weird symbol rules or frequent forced changes. They train people to make predictable passwords (Summer2026! becomes Autumn2026!). Change a password when there is reason to believe it was exposed, not on a calendar.
- A password is one lock. MFA is a second lock. Use it everywhere important. Hardware FIDO security keys and passkeys are strongest, because the credential is bound to the real site and cannot be phished onto a lookalike; authenticator apps are good; SMS is weakest, since codes can be intercepted or redirected by a SIM swap, but it is still better than nothing.
- Avoid SMS MFA wherever a stronger option exists. Use passkeys, authenticator apps, or hardware security keys. (see: urgent need to replace SMS-based MFA)
- Don’t treat email or SMS as secure proof of identity. Both can be intercepted, forwarded, spoofed, phished, or taken over outright, so a message that merely comes from the right address is not verification. For payment or access changes, confirm through a second channel you already trust.
- Don’t give a thing more authority than the job requires. A screwdriver doesn’t need the launch codes. Least privilege.
- Access needs an expiration date. When a project ends, an employee leaves, a contractor finishes, or a client relationship changes, remove the keys. Review who still has access on a schedule; keys don’t remove themselves.
- If your business is a notebook, a backup is a photocopy. For important things, don’t keep the photocopy in the same burning building. And every so often, check that the photocopy is readable. Test restores. A backup that cannot be restored is not a backup.
- The 3-2-1 rule: 3 copies of the data, on 2 different types of storage, with 1 copy offsite. Keep at least one copy where a compromised admin account cannot delete or overwrite it, or ransomware takes the backups along with the originals.
- Don’t inspect the bridge only after cars are already driving across it. Build checks into the way the bridge is designed, built, and opened. Secure delivery means the software does not just work when it ships but that it has passed the safety checks before people depend on it. Use the OWASP ASVS (Application Security Verification Standard) as the definition of what “passed the checks” means, and automate what you can (tests, dependency and secret scanning) in the build pipeline.
- You cannot lock doors you don’t know exist. Keep an inventory of every system, domain, repo, cloud account, vendor, laptop, production app, and admin user your business depends on, and update it when things change.
- Never put API keys, tokens, passwords, or private keys in places not designed for secrets. Never put them in source code, screenshots, tickets, Slack, email, or documentation. Use a secrets manager or your platform’s secret store and reference secrets by name, and treat any key that was ever pasted somewhere as burned: rotate it.
- Attackers don’t always hack the vault. Sometimes they send a believable invoice and wait for someone to pay it. Protect your domain and email: enable registrar lock and MFA on the registrar account, restrict who can change DNS, and publish SPF (which servers may send mail for your domain), DKIM (signatures on outgoing mail), and DMARC (what receivers should do when those checks fail, and where to send reports). Start DMARC at p=none to read the reports, then move to quarantine or reject.
- A smoke alarm does not stop a fire, but it changes when you find out. Turn on logs and alerts for the systems that matter, ship the logs somewhere an intruder on the box cannot delete them, and make sure alerts reach a person who will act on them.
- When something goes wrong, do not invent the plan while bleeding. Write down who decides, who communicates, who investigates, who restores, and who contacts clients, vendors, insurers, lawyers, or law enforcement.
- The safest data is the data you never collected, never copied, and never kept.
- Your laptop is an office, filing cabinet, keyring, and production console. Encrypt it, update it, lock it, back it up, and do not use unmanaged personal devices for production access.
- People hide mistakes when punishment is the first response. A blameless culture is a critical safety feature. Protect it.
- Old locks do not get safer with age. Patch operating systems, browsers, plugins, frameworks, dependencies, servers, and SaaS settings before attackers use yesterday’s bug against you. Automate updates where you can; a patch that depends on someone remembering is a patch that gets skipped.
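What “test restores” looks like in practice, as an added example for the backup bullets above (this is illustration written for this page, not the page’s own tooling): back up a directory, write a hash manifest beside the archive, restore into a scratch directory, and compare every file with the manifest. The directory layout, the file contents and the manifest format are assumptions constructed for the example; the second half of the demo truncates the archive to show a backup that looks present but cannot be restored.

```python
"""Back up a directory, then prove the backup restores: every file that comes
back out of the archive must match a hash manifest written at backup time.

Added illustration for the "test restores" bullet; not the page's own tooling.
Directory layout, file contents and manifest format are constructed assumptions.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    # Stored beside the archive, not inside it, so a damaged archive cannot
    # also damage the record of what it was supposed to contain.
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of `source`; return {relative path: sha256} for every file."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path) -> tuple:
    """Restore into a scratch directory and compare with the manifest.
    Returns (ok, problems); ok is False if anything is missing, extra, altered or unsafe."""
    manifest = json.loads(manifest_path(archive).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse entries that would land outside dest (../ or absolute paths).
                if not (dest / member.name).resolve().is_relative_to(dest):
                    problems.append(f"unsafe path in archive: {member.name}")
                    continue
                tar.extract(member, dest)
        restored = {p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file()}
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif sha256_file(dest / rel) != digest:
                problems.append(f"altered: {rel}")
        for rel in sorted(restored - manifest.keys()):
            problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def demo() -> dict:
    """Back up a constructed 'notebook' directory and verify it, then truncate the
    archive (a transfer cut short) and show that verification now fails."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "notebook"
        (src / "clients").mkdir(parents=True)
        (src / "ledger.csv").write_text("date,client,amount\n2026-05-01,acme,1200\n")  # constructed
        (src / "clients" / "acme.txt").write_text("contact: ops@acme.example\n")  # constructed
        archive = root / "notebook-backup.tar.gz"
        make_backup(src, archive)
        good = verify_restore(archive)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        try:
            bad = verify_restore(archive)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            # An archive that cannot even be read is a failed backup, whatever the cause.
            bad = (False, [f"archive unreadable: {exc}"])
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(demo())
```

Run this on a schedule against the real backup target, not just once after setup; the point is that “the job ran” and “the data comes back” are different facts, and only the second one counts.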
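A small scanner for the “never put secrets in source code, tickets, or chat” bullet, as an added example written for this page (not the page’s own tooling). It matches a few well-known credential formats plus generic `password = "..."` assignments, skips placeholders such as `${DB_PASSWORD}` or `os.environ[...]`, and rates assignments by character entropy. The patterns, the entropy threshold and the sample files are assumptions; the sample values are constructed (the AWS key is the public documentation example), and in a pre-commit hook the input would be the staged diff.

```python
"""Find things that look like secrets before they land in a repo, ticket or chat.

Added illustration for the "never put secrets where they don't belong" bullet;
not the page's own tooling. Patterns, threshold and sample files are assumptions.
"""
import math
import re
from collections import Counter

# Rule name -> pattern. The first three match well-known credential formats;
# the last catches generic `password = "..."` style assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Values that are a reference to a secret rather than the secret itself.
PLACEHOLDER = re.compile(
    r"^(\$\{?\w+\}?|<[^>]+>|\{\{.*\}\}|os\.environ.*|env\(.*|\*{3,}|x{6,})$", re.I
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score around 4-5, dictionary words around 2-3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<text>") -> list:
    """Return one finding per (line, rule) hit; placeholder values are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            confidence = "high"
            if rule == "credential_assignment":
                value = match.group(2)
                if PLACEHOLDER.match(value):
                    continue
                # Low-entropy values are often words like "changeme"; still worth a look.
                confidence = "high" if shannon_entropy(value) >= 3.5 else "medium"
            findings.append({"source": source, "line": lineno, "rule": rule,
                             "confidence": confidence, "excerpt": line.strip()[:80]})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of {path: contents}."""
    return [f for path, text in files.items() for f in scan_text(text, path)]


# Constructed sample "repository": one hardcoded password, one placeholder,
# the AWS documentation example key, a private key file and a token pasted in a ticket.
SAMPLE_FILES = {
    "config.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'Tr0ub4dor&3xtraL0ng'\n"
        "API_KEY = os.environ['API_KEY']\n"
    ),
    "deploy.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        'export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"\n'
    ),
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n",
    "ticket-123.md": "Pasting the token here so ops can test: " + "ghp_" + "x1" * 18 + "\n",
}


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['source']}:{finding['line']} [{finding['rule']}/"
              f"{finding['confidence']}] {finding['excerpt']}")
```

Expect false positives and tune the placeholder list rather than loosening the patterns; a scanner that fires on `API_KEY = os.environ[...]` gets disabled within a week, and then the real leak gets through.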
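A record audit for the domain-and-email bullet, added here as an example written for this page (not the page’s own tooling): it checks SPF and DMARC TXT records for the weak settings that let a spoofed invoice through, with a weak pair beside its hardened version. The records are constructed for the reserved names example.com, mailer.example and 203.0.113.10; a real audit would fetch them with a DNS library, which this example avoids so it runs offline. DKIM is not covered, since checking it means validating signatures on real messages rather than reading a record.

```python
"""Audit SPF and DMARC records for the weak settings that let spoofed mail through.

Added illustration for the email-protection bullet; not the page's own tooling.
Records below are constructed for reserved example names.
"""

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list:
    """Problems with an SPF TXT record; an empty list means nothing obviously weak."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechanisms = terms[1:]
    if not mechanisms:
        return ["no mechanisms at all; list your senders and end with -all"]
    last = mechanisms[-1].lower()
    if last in ("+all", "all"):
        problems.append("+all: any host on the internet may send as this domain")
    elif last == "?all":
        problems.append("?all is neutral: spoofed mail is neither passed nor failed")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append("record does not end in -all or ~all, so unlisted senders are not rejected")
    lookups = sum(
        1 for t in mechanisms
        if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; receivers return permerror above 10")
    return problems


def check_dmarc(record: str) -> list:
    """Problems with a _dmarc TXT record; an empty list means the policy is enforcing."""
    problems = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if not record.strip().startswith("v=DMARC1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        return ["missing the required p= tag; receivers ignore the record"]
    if policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        problems.append(f"unknown policy p={policy}")
    if policy != "none" and tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        problems.append("no rua= address, so nobody receives aggregate reports of spoofing attempts")
    return problems


# Constructed records: the first pair is what many domains actually publish,
# the second is the hardened version.
WEAK = {
    "spf": "v=spf1 include:_spf.mailer.example ?all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}


def audit(records: dict) -> dict:
    """Run both checks over {'spf': ..., 'dmarc': ...} and return the problems per record."""
    return {"spf": check_spf(records["spf"]), "dmarc": check_dmarc(records["dmarc"])}


if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(recs))
```

The hardened DMARC record keeps `rua=` even at `p=reject`: the reports are how you learn that a forgotten newsletter tool or a new SaaS vendor is sending as your domain before their mail starts bouncing.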