Security

Cybersecurity Essentials.

The cybersecurity industry sells SMBs a hundred different tools. You actually need ten things, in this priority order, with honest tradeoffs about what each one buys you and what it doesn't.

By Maverick Endeavors Team · May 15, 2026 · 13 min read
TL;DR

Most SMB breaches happen because of missing MFA, missing EDR, missing patching, missing backup verification, or untrained users — not exotic zero-days. Get the basics right in this priority order: 1) MFA everywhere, 2) Managed EDR, 3) Backup that's tested, 4) Patching with verification, 5) Email security with phishing protection, 6) DNS filtering, 7) Endpoint encryption, 8) Identity management with least privilege, 9) Security awareness training, 10) Written incident response plan. Skip the AI/quantum/zero-trust pitches until these ten are in place.

/ 01 What SMBs actually face

The cybersecurity industry sells fear of advanced persistent threats, nation-state actors, and AI-powered attacks. Those exist, but they're not what's hitting SMBs in Tennessee. The actual threat model is more boring and more solvable.

Real attacks on Tennessee SMBs over the last 24 months have been overwhelmingly:

  • Phishing: fake login page, real credentials harvested, attacker logs into M365 / Google Workspace, sends payment-redirect emails to your accounting team or customers
  • Compromised credentials from prior breaches (your password from the LinkedIn breach is on a list; attacker tries it on your M365 account)
  • Ransomware via RDP: Remote Desktop exposed to the internet, weak password, attacker drops ransomware
  • Vendor compromise: your bookkeeper, your law firm, or your IT vendor gets breached; attackers pivot to your environment via the trust relationship
  • Lost / stolen unencrypted devices: laptop in airport, phone in restaurant; data exposed
  • Wire fraud / business email compromise (BEC): attackers use compromised email accounts to redirect payments. This category accounts for billions of dollars in losses annually per FBI IC3 reports.

What's not attacking your business: nation-state advanced threats, custom zero-days, AI-powered polymorphic malware. Those exist; they target large enterprises and government, not your 25-person medical practice. Defend against what's actually hitting you.

/ 02 The 10 controls in priority order

Implement these in this order. Each control buys you measurable risk reduction. Skipping ahead to "fancy" controls before getting the basics right is how SMBs end up with a $40K security budget and a breach.

1. MFA on everything (priority: critical)

Multi-factor authentication on M365 / Google Workspace, VPN, RDP, admin accounts, financial systems, EHR, your password manager. This single control would prevent the majority of SMB breaches we see. Microsoft says MFA blocks 99.2% of automated attacks on accounts.

Common gotchas: "MFA via SMS" is much weaker than MFA via authenticator app or hardware token (SIM-swap attacks are real). Use Microsoft Authenticator, Google Authenticator, Authy, or YubiKey. Avoid SMS where possible.

Cost: Often $0 (included in M365 / Google Workspace). Conditional Access policies require M365 Business Premium or higher.

2. Managed EDR on every endpoint (priority: critical)

Endpoint Detection & Response is the modern replacement for antivirus. EDR looks at behavior, not just file signatures. When ransomware starts encrypting files, EDR detects the behavior pattern and stops the process, even if the malware itself is brand new.

What to deploy: SentinelOne, CrowdStrike Falcon, Huntress (SOC-included), Microsoft Defender for Business Premium. All four are mature EDR platforms.

Why "managed": EDR generates alerts. If nobody's watching them 24/7, they go to a dashboard nobody checks. Either pay for the vendor's MDR (managed detection and response) service or have your MSP / SOC respond to alerts.

Cost: $8-$25 per endpoint per month for managed EDR.

3. Backup that's actually tested (priority: critical)

Backups that have never been restored aren't backups; they're hopes. Ransomware recovery requires known-good backups, isolated from production (so the ransomware can't encrypt them too), with tested restoration procedures.

What to deploy: Datto, Cove (formerly N-able Backup), Veeam, MSP360 are all solid SMB-grade backup platforms. Cloud-first or hybrid. Critically: immutable backups (attacker can't delete them) and 3-2-1 strategy (three copies, two media types, one offsite).

Test quarterly. Pick a random server or workstation and prove you can restore it. If you can't, you don't have backups; you have backup software.

Cost: $50-$200 per server per month, $5-$15 per workstation per month, plus storage.

4. Patch management with verification (priority: high)

The majority of successful exploits target known vulnerabilities with available patches that the victim hadn't installed. Patching is boring and unglamorous and catches more than any new product you'll buy this year.

What this looks like: Critical patches deployed within 7-14 days. Routine patches monthly. Reporting that proves patches landed. Third-party app patching (Adobe, Java, Chrome, Zoom, etc.); Microsoft Update doesn't cover these.

Cost: Usually included in MSP managed-IT pricing. Standalone RMM tools: NinjaOne, ConnectWise Automate, Kaseya VSA, Datto RMM.
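The "reporting that proves patches landed" piece is what most SMBs skip. Below is an added example, not code from the article or from any of the RMM vendors named above: a per-endpoint patch-verification report that checks required Windows KBs, how stale the last installed update is against the 7-14 day window, and whether third-party apps (which Microsoft Update does not touch) are below a version floor. The KB list and version floors are constructed placeholders; replace them with what your patch policy actually mandates.

```powershell
# Added example (not from the article). Run on a Windows 10/11 endpoint with PowerShell 5.1+.
$RequiredKBs = @('KB5000001', 'KB5000002')      # constructed placeholder KB numbers
$ThirdPartyFloors = @{                           # constructed placeholder version floors
    'Google Chrome' = [version]'120.0.0.0'
    'Zoom'          = [version]'5.17.0.0'
}
$MaxDaysSinceLastPatch = 14                      # upper end of the article's 7-14 day window

function Get-InstalledThirdParty {
    # Reads the Uninstall keys behind Add/Remove Programs (64-bit and 32-bit views).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}

$hotfixes = Get-HotFix                           # Win32_QuickFixEngineering: installed KBs
$report = [ordered]@{}

# 1. Are the mandated KBs present?
$missing = @($RequiredKBs | Where-Object { $_ -notin $hotfixes.HotFixID })
$report['MissingKBs'] = $missing

# 2. How many days since the newest update actually landed?
$newest = ($hotfixes | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
           Select-Object -First 1).InstalledOn
$report['DaysSinceLastPatch'] = if ($newest) { (New-TimeSpan -Start $newest -End (Get-Date)).Days } else { $null }

# 3. Third-party apps below the floor (these never arrive through Microsoft Update).
$installed = Get-InstalledThirdParty
$outdated = foreach ($name in $ThirdPartyFloors.Keys) {
    $app = $installed | Where-Object { $_.DisplayName -like "$name*" } | Select-Object -First 1
    if ($app) {
        $v = $null
        if ([version]::TryParse($app.DisplayVersion, [ref]$v) -and $v -lt $ThirdPartyFloors[$name]) {
            "$($app.DisplayName) $($app.DisplayVersion) is below $($ThirdPartyFloors[$name])"
        }
    }
}
$report['OutdatedThirdParty'] = @($outdated)

# An endpoint is compliant only when all three checks pass.
$report['Compliant'] = ($missing.Count -eq 0) -and
                       ($report['OutdatedThirdParty'].Count -eq 0) -and
                       ($null -ne $report['DaysSinceLastPatch']) -and
                       ($report['DaysSinceLastPatch'] -le $MaxDaysSinceLastPatch)
[pscustomobject]$report | ConvertTo-Json -Depth 3
```

Feed the JSON into whatever your RMM or ticketing system ingests, so a non-compliant endpoint becomes a ticket rather than a dashboard tile nobody looks at.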

5. Email security with phishing protection (priority: high)

M365 / Google Workspace built-in email security is decent. For higher-risk environments (healthcare, financial, accounting), add a layer.

Options: Microsoft Defender for Office 365 P1 or P2 (built into M365 Business Premium / E3+), Proofpoint, Mimecast, Abnormal Security (AI-based BEC detection). The advanced layers catch what built-in misses: targeted phishing, BEC, payload-less attacks (no malicious attachment, just social engineering).

Cost: $3-$10 per user per month above what's built into M365.

6. DNS filtering (priority: medium-high)

Block known-bad domains at the DNS layer before users can reach them. Stops most malware command-and-control, blocks phishing destinations, stops a lot of casual-browse risk.

What to deploy: Cisco Umbrella, DNSFilter, Webroot DNS Protection. Some firewalls include this (Sophos, SonicWall, Fortinet). Or use Cloudflare Gateway / Zero Trust at the free or paid tier.

Cost: $2-$5 per user per month.

7. Endpoint encryption (priority: medium-high)

Full-disk encryption on every laptop, workstation, and phone. BitLocker on Windows, FileVault on Mac, native iOS/Android encryption with screen lock. A lost or stolen device with encryption is a minor incident; an unencrypted one is a regulated-data breach.

Verify centrally. Don't trust users to enable it themselves. Use Intune, Jamf, or your RMM to enforce and report.

Cost: $0 (built into modern OSes). Management costs depend on your MDM tool.

8. Identity management with least privilege (priority: medium)

Most users shouldn't be local administrators on their workstations. Most users shouldn't have access to all the shared drives. The receptionist doesn't need to see the medical records, and the medical assistant doesn't need to see payroll. Apply least-privilege.

What this means in practice: Standard user accounts (not admin), role-based access groups for shared resources, M365 Conditional Access policies, just-in-time admin elevation for IT staff, periodic access reviews (quarterly).

Tools: Azure AD / Entra ID (built into M365), CyberArk for higher-end privileged access management.
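Sections 7 and 8 both say the same thing: verify centrally, don't trust that it happened. Below is an added example, not code from the article or from Intune, Jamf, or any RMM vendor: a per-endpoint posture check that reports whether every OS and data volume is fully BitLocker-encrypted with a recovery-password protector present, and who sits in the local Administrators group that is not on an approved list. It assumes Windows 10/11 with PowerShell 5.1+, an elevated session, and the built-in BitLocker and LocalAccounts modules; $ApprovedAdmins is a constructed placeholder.

```powershell
# Added example (not from the article). Run elevated on a Windows 10/11 endpoint.
$ApprovedAdmins = @('Administrator', 'LAPS-Admin')   # constructed placeholder allow-list

function Test-DiskEncryption {
    # A volume passes only if it is fully encrypted, protection is on, and a
    # RecoveryPassword protector exists (the key that gets escrowed to Intune/AD).
    Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } | ForEach-Object {
        $hasRecovery = @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count -gt 0
        [pscustomobject]@{
            Volume       = $_.MountPoint
            VolumeStatus = [string]$_.VolumeStatus
            Protection   = [string]$_.ProtectionStatus
            Method       = [string]$_.EncryptionMethod
            RecoveryKey  = $hasRecovery
            Compliant    = ($_.VolumeStatus -eq 'FullyEncrypted') -and
                           ($_.ProtectionStatus -eq 'On') -and $hasRecovery
        }
    }
}

function Test-LocalAdmins {
    # Anyone in local Administrators who is not on the approved list is a
    # least-privilege finding; day-to-day users should be standard accounts.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = ($_.Name -split '\\')[-1]           # drop the MACHINE\ or DOMAIN\ prefix
        [pscustomobject]@{
            Principal = $_.Name
            Source    = [string]$_.PrincipalSource
            Type      = [string]$_.ObjectClass
            Approved  = $short -in $ApprovedAdmins
        }
    }
}

$disks  = @(Test-DiskEncryption)
$admins = @(Test-LocalAdmins)

# One JSON record per endpoint; EncryptionOK is false if any volume fails,
# and UnapprovedAdmins lists every principal your policy did not sanction.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    EncryptionOK     = @($disks | Where-Object { -not $_.Compliant }).Count -eq 0
    UnapprovedAdmins = @($admins | Where-Object { -not $_.Approved } | Select-Object -ExpandProperty Principal)
    Volumes          = $disks
} | ConvertTo-Json -Depth 4
```

Schedule it from your RMM and alert on EncryptionOK being false or UnapprovedAdmins being non-empty; a quarterly access review is easier when the data is already collected.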

9. Security awareness training (priority: medium)

Your people are the attack surface. Training reduces but does not eliminate the human-error factor. The best programs combine short monthly micro-trainings (2-5 min) with periodic phishing simulations.

What to deploy: KnowBe4, Proofpoint Security Awareness, Hoxhunt, Curricula. All have SMB-priced tiers.

Realistic outcome: Phishing-click rates drop from 25-30% baseline to 3-8% after 12 months of consistent training. You'll never get to zero.

Cost: $2-$5 per user per month.

10. Written incident response plan (priority: medium)

If you get breached at 2 AM on a Saturday, who do you call first? What do you say to the team? When do you notify customers? When do you notify regulators? An incident response plan answers these before you're panicking.

What it includes: Named incident lead, communications tree (who calls whom in what order), legal counsel contact, cyber insurance contact, MSP/IT contact, forensics partner contact, regulator notification timelines (HIPAA, state breach laws, SEC, GDPR if applicable), customer communication templates, post-incident review process.

Practice it. Tabletop exercises: talk through a hypothetical scenario quarterly. Most plans look great on paper and fall apart in execution.

/ 03 What you can skip (for now)

Things the cybersecurity industry will try to sell you that, for an SMB without the ten above in place, are premature:

  • Penetration testing: useful at scale, but if you don't have EDR yet, you don't need a pentest. Fix the obvious before testing for the subtle.
  • SIEM / SOAR platforms: Splunk, Sentinel, etc. These are valuable but require staff to operate. For SMBs, managed EDR with included SOC monitoring covers the high-value use cases at 1/10th the complexity.
  • Zero-trust network access (ZTNA) products: useful for distributed workforces but often a sledgehammer for small organizations. Your conditional access policies in M365 are probably enough.
  • Threat intelligence subscriptions: your EDR vendor already does this for you. Standalone TI feeds are for SOCs.
  • AI-powered everything: vendors slap "AI" on the box. Look at what the product actually does, not the marketing.
  • Custom firewall rules and DLP everywhere: useful in regulated environments but generates more false positives than catches in SMBs. Start with strong baselines.

None of these are bad. They're just out of order. Build the foundation first.

/ 04 Realistic budget

For a 25-user Tennessee SMB without industry-specific regulatory burden, a proper security stack lands at roughly:

Component and monthly cost (25 users):

  • M365 Business Premium (includes Defender, Conditional Access, Intune): $550-$625
  • Managed EDR (SentinelOne or similar): $200-$425
  • Backup (cloud-first, monitored): $300-$650
  • DNS filtering: $60-$125
  • Security awareness training: $50-$125
  • Email advanced threat protection (if needed beyond M365 BP): $75-$250
  • Patching + RMM tooling (often inside MSP fee): $0-$200
  • Total managed-IT cybersecurity: ~$1,200-$2,400/mo, or $48-$96/user/mo

Add MSP labor on top if you're not running this yourself. For a fully-managed cybersecurity-included MSP relationship, expect $130-$180 per user per month total, all-in.

/ 05 Who actually runs all this

You have three realistic options for who operates your security stack:

Internal IT person + tools

Buy the tools, hire someone (or assign existing IT staff). Works if your IT person has security expertise (rare) and the time (also rare). 24/7 coverage is impossible with one person; security incidents happen at 3 AM.

MSP with cybersecurity included

Most modern MSPs include a baseline security stack in their managed services. Verify what's included. Many cheaper MSPs include only basic antivirus and call it "cybersecurity." Real cybersecurity-included MSPs deploy managed EDR, do patch verification, monitor SIEM-level logs, and have a 24/7 SOC behind them.

MSSP (Managed Security Services Provider)

A specialized security firm, separate from your IT provider. Has its own 24/7 SOC, threat hunters, incident responders. Costs more than an MSP-included security layer but offers deeper expertise. Common for regulated or high-risk environments.

For most Tennessee SMBs under 100 users, a properly equipped MSP is the right answer. For 100-500 users in regulated industries, hybrid (MSP for IT + MSSP for security) becomes appealing. Over 500 users or high-regulation, consider building internal SecOps.

Frequently asked questions

How much should an SMB spend on cybersecurity?

Typical Tennessee SMB cybersecurity spend lands at 5-12% of total IT budget, or roughly $45-$95 per user per month for a properly managed security stack (EDR + email security + DNS filtering + identity management + monitoring + training). Practices in regulated industries (healthcare, defense, financial) typically push 15-25% of IT spend.

What's the difference between antivirus and EDR?

Antivirus looks for known bad files (signature-based). EDR (Endpoint Detection & Response) looks for bad behavior: processes acting suspiciously, lateral movement, privilege escalation, data exfiltration patterns. Modern threats routinely evade signature-based AV; EDR catches them. SentinelOne, CrowdStrike, Huntress, Microsoft Defender for Business are all EDR-class tools. If your provider says "antivirus," ask which product; if it's not in the EDR category, that's a gap.

Is cyber insurance worth it?

For most SMBs, yes, but read the fine print. Insurers now require specific controls (MFA on email/VPN/admin accounts, EDR, tested backups, employee training, patched systems) as conditions of coverage. Many SMBs have policies that would deny claims because they don't actually meet the conditions. Common premium for a 25-50 person business: $2,500-$10,000 annually depending on industry and revenue. The application questionnaire is itself a useful security gap-analysis.

What's the most common way SMBs get breached?

In Tennessee specifically, the top vectors over the last 24 months have been: 1) Compromised M365 / Google Workspace accounts via phishing (often leading to wire fraud, the "I need you to update bank info" email scam, executed from inside a real account), 2) Ransomware via RDP exposed to the internet with weak passwords, 3) Third-party vendor compromise (your bookkeeper or your MSP gets hit, attackers pivot to you), 4) Lost/stolen unencrypted laptops. MFA + EDR + endpoint encryption prevents the first three for most cases.

Do I need a zero-trust architecture?

"Zero trust" is a useful design philosophy for security but it's often marketed as a product you buy. For SMBs under 200 users, you do not need a forklift "zero trust" rollout. You do need the components: MFA, conditional access, least-privilege identity management, network segmentation between trusted and untrusted assets, EDR on every endpoint. Implement those properly and you have most of what "zero trust" actually means.

Want a real cybersecurity gap analysis?

We'll review what you have, what you're missing, and what's worth fixing first. No tool-pushing, just an honest gap report.

Talk to us 615-274-9555