43%
Of cyberattacks target small businesses (Verizon DBIR 2025)
60%
Of small businesses that suffer a significant breach close within six months
$15K
Approximate annual cost of an effective minimum viable security program for 50 employees
80%
Of SMB breaches prevented by five controls: MFA, patching, backup, email security, and endpoint protection

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Small business security guidance usually takes one of two forms: a checklist of 150 controls designed for enterprises, or generic advice about 'taking security seriously.' Neither helps the IT manager at a 50-person company who has half a day per week for security and a $15K annual budget.

This guide covers what actually matters at this size, in the order that matters, at the realistic cost of implementation. The goal is not perfect security: it is reducing the probability of the specific breach scenarios that hit companies this size and sector.

The Breach Scenarios That Actually Hit Companies Your Size

Before buying tools, understand what you are defending against. The Verizon DBIR consistently shows that small business breaches cluster into five patterns:

  1. Phishing delivering ransomware or credential theft: a malicious email gets clicked, and either ransomware runs or a Microsoft 365 credential is stolen and used to access company data.

  2. Credential stuffing via RDP: internet-exposed RDP gets credential-sprayed until an account is compromised, then ransomware is deployed manually.

  3. Compromised cloud credentials: an API key, AWS access key, or Microsoft 365 admin credential gets exposed in a repository or phishing attack and is used to access or exfiltrate data.

  4. Supply chain software compromise: a tool the company uses (accounting software, project management, CRM) is compromised at the vendor level, affecting all customers.

  5. Insider data theft: a departing employee takes customer lists, proprietary information, or other data via personal cloud storage or email forwarding.

Note what is not on this list: nation-state attackers, zero-day exploits, and sophisticated APT techniques. These patterns represent over 80% of actual SMB incidents. Your security program should address these five scenarios before anything else.

Domain 1: Identity and Access Management (Implement First)

What it prevents: Credential compromise leading to unauthorized access, business email compromise, and account takeover.

The minimum:

1. Enable MFA on everything. Every cloud service that offers MFA should have it enabled. Priority order: email (Microsoft 365 or Google Workspace), cloud infrastructure (AWS, Azure, GCP), administrative tools, banking and financial services, payroll. Use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS: SMS MFA can be bypassed by SIM swapping.

Cost: Included in most cloud service subscriptions. No additional cost if you are on Microsoft 365 Business Basic or higher.

2. Enforce a password manager. When employees cannot reuse passwords, a single breach does not cascade. Bitwarden (free for personal use, $3/user/month for business) or 1Password ($4/user/month) are the right tools for this size.

Cost: $3-5 per user per month = $150-250/month for 50 employees.

3. Configure Microsoft 365 Conditional Access or Google BeyondCorp. Block legacy authentication, require MFA for all users, and restrict admin access. If you followed the Azure Conditional Access guide previously, you have this covered.

4. Off-board employees the same day they leave. Create a documented checklist: disable the user account, revoke all active sessions, remove from distribution lists, transfer ownership of files, remove from any external services the employee accessed. A former employee whose account is still active 30 days after departure is a data exfiltration or access risk.

Priority: Do items 1 and 4 this week. Items 2 and 3 within the first month.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Domain 2: Endpoint Protection (Implement Second)

What it prevents: Ransomware execution on endpoints, malware delivery via phishing, and credential theft from endpoint memory.

The minimum:

1. Deploy endpoint protection with EDR capabilities. For 50 employees on Windows, the right choices at this size:

  • Microsoft Defender for Business ($3/user/month): included in Microsoft 365 Business Premium. Full EDR, automatic investigation, and integration with the Microsoft 365 security center. The right choice if you are already a Microsoft 365 customer.
  • Malwarebytes Teams (~$4/user/month): simpler interface, easier for non-security IT staff to manage, good detection rates.
  • Sophos Intercept X Essentials (~$4/user/month): strong ransomware-specific detection.

All three include anti-ransomware rollback capability: when ransomware behavior is detected, the tool attempts to roll back encrypted files.

2. Keep endpoints patched. Unpatched endpoints with known CVEs are the second-most common initial access vector after phishing. For Windows:

  • Enable Windows Update with automatic installation for security updates
  • Use Microsoft Intune (included in Microsoft 365 Business Premium) for patch status reporting
  • Review patch status monthly: any machine 30+ days behind on patches needs manual attention

3. Harden RDP per the guide we published earlier. Enable NLA, restrict source IPs, enable account lockout. This eliminates the credential-spray-via-RDP breach pattern entirely.

Cost: Microsoft 365 Business Premium includes Defender for Business and Intune at $22/user/month total. If you are already paying $12/user/month for Microsoft 365 Business Standard, the upgrade is $10/user/month = $500/month for 50 users.

Domain 3: Email Security (Implement Third)

What it prevents: Phishing delivering ransomware, business email compromise (BEC), and domain impersonation.

The minimum:

1. Configure DMARC, DKIM, and SPF for your domain. These DNS records prevent attackers from sending email that appears to come from your domain: stopping both outbound impersonation (attackers claiming to be you) and improving your deliverability.

  • SPF: Specify which mail servers are authorized to send email for your domain
  • DKIM: Add a cryptographic signature to outbound emails
  • DMARC: Tell receiving servers what to do with emails that fail SPF/DKIM (reject, quarantine, or monitor)

Setting up DMARC in p=monitor mode first, then moving to p=quarantine and eventually p=reject after confirming all legitimate mail sources pass SPF/DKIM.

Cost: Free. These are DNS record configurations.

2. Enable Microsoft Defender for Office 365 or Google Workspace advanced protection. For Microsoft 365, Defender for Office 365 Plan 1 (included in Business Premium) provides:

  • Safe Links: URLs in emails are rewritten and checked at click time against threat intelligence
  • Safe Attachments: email attachments are detonated in a sandbox before delivery
  • Anti-phishing policies: impersonation detection for your domain and common executive names

For Google Workspace, enable Enhanced pre-delivery message scanning and attachment sandboxing in the Admin console under Apps > Gmail > Safety.

3. Train employees on phishing: once, briefly, with simulated tests. Generic security awareness training is ineffective. A targeted 15-minute phishing-specific training plus quarterly simulated phishing tests (KnowBe4, Proofpoint Security Awareness, or Microsoft Attack Simulator: the last is free with Microsoft 365) is significantly more effective. Focus on: how to identify sender address spoofing, why they should never enter credentials via an email link, and who to report suspicious emails to.

Domain 4: Backup and Recovery (Implement Fourth)

What it prevents: Ransomware encrypting all data with no recovery path, and accidental or malicious deletion.

The minimum:

1. Follow the 3-2-1 backup rule. Three copies of data, on two different media types, with one copy offsite (or in a different cloud region). For a 50-person company:

  • Production data is in Microsoft 365, Google Workspace, or on file servers
  • Daily backup to an offsite or air-gapped destination (Backblaze B2, AWS S3 Glacier, Azure Cool Storage)
  • Weekly backup snapshot retained for 90 days

2. Backup Microsoft 365 data: Microsoft does not do this for you. Microsoft's backup policy is point-in-time 90-day recycle bin for most data types, with no ransomware recovery guarantee. Dedicated Microsoft 365 backup tools: Veeam Backup for Microsoft 365 (free for up to 10 users, $4/user/month above that), Acronis Cyber Backup, or Dropsuite.

3. Test your backups quarterly. A backup you have never restored from is theoretical. Run a quarterly restoration test: pick a random file, a random mailbox, and a random SharePoint document and restore them from the backup. Document that the test occurred and the restore was successful.

4. Separate backup credentials from production credentials. Your backup system's admin account should have a different password than your production admin account, MFA enabled, and no overlap with any production system credentials. An attacker who compromises your production admin account should not automatically be able to delete your backups.

Domain 5: Basic Detection and Response (Implement Fifth)

What it prevents: Long dwell time for successful breaches, and inability to understand what happened after an incident.

The minimum:

1. Enable logging everywhere that allows it. Microsoft 365 Unified Audit Log (enable in the Security and Compliance Center), Azure Active Directory sign-in logs (enable in Entra ID), and Windows event logs on all servers. Set retention to 90 days minimum.

2. Set up basic alerting for the highest-priority events. In Microsoft 365 Defender, configure email alerts for:

  • Multiple failed sign-in attempts (brute force indicator)
  • Admin account added (privilege escalation indicator)
  • Mail forwarding rule created (BEC exfiltration indicator)
  • User added to admin role (privilege escalation indicator)

Microsoft 365 Defender includes built-in alert policies for all of these: enable them in the Security and Compliance Center > Alert policies.

3. Know your IR contact before you need them. Your cyber insurance policy includes an IR hotline. Find the number, save it in your phone, and verify it is current. If you do not have cyber insurance: purchase it. For a 50-person company with standard risk, cyber insurance runs $2,000-8,000 per year depending on industry and coverage. The cost of a single ransomware incident typically exceeds $50,000 for recovery: insurance is the highest-ROI security investment at this size after the technical controls above.

4. Document what 'normal' looks like. Write down: which email server you use, which DNS provider, the IP ranges of your office and VPN, the names of all admin accounts, and the location of all critical data. This documentation: a one-page network/identity inventory: halves the time it takes an IR firm to begin responding to an incident.

The bottom line

A minimum viable security program for 50 employees requires five domains implemented in priority order: identity (MFA + password manager + offboarding), endpoint protection (EDR + patching + RDP hardening), email security (DMARC/DKIM/SPF + advanced filtering + phishing training), backup (3-2-1 rule with tested restores), and basic detection (logging + Microsoft 365 alerts + IR contact). The total cost is approximately $15,000 per year. This program prevents 80% of the breach scenarios that hit organizations this size. Implement in order: do not skip to Domain 5 before Domain 1 is complete.

Frequently asked questions

What security controls should a 50-person company prioritize?

Implement in this order: MFA on all cloud services and an employee offboarding checklist (Domain 1), then EDR endpoint protection and RDP hardening (Domain 2), then email authentication (DMARC/DKIM/SPF) and phishing filtering (Domain 3), then 3-2-1 backups with quarterly restore tests (Domain 4), then basic logging and alerting (Domain 5).

How much does a basic security program cost for a small business?

Approximately $10,000-15,000 per year for 50 employees. The largest components are Microsoft 365 Business Premium at $22/user/month (includes EDR, email security, and Conditional Access), password manager at $3-5/user/month, Microsoft 365 backup at $4/user/month, and cyber insurance at $2,000-8,000/year depending on industry.

Should a 50-person company hire a full-time security person or use a managed security service?

For most organizations under 100 employees, a managed security service provider (MSSP) or managed detection and response (MDR) provider delivers more capability per dollar than a single full-time security hire. A mid-tier MDR service costs $25,000-75,000/year and provides 24/7 detection, response support, and threat intelligence. A junior security engineer costs $85,000-120,000/year in salary alone, lacks the tooling, and cannot provide 24/7 coverage. Hire your first full-time security person when you reach 150-200 employees or when compliance requirements demand an internal owner.

What is the single most impactful security control for a small business?

MFA (multi-factor authentication) on all cloud accounts is consistently the highest-impact control for small organizations. The 2024 Verizon Data Breach Investigations Report found that stolen credentials are the top attack vector for small businesses, and MFA blocks the vast majority of credential-based attacks including phishing, credential stuffing, and password spray. Enforce MFA organization-wide in Microsoft 365 or Google Workspace using Conditional Access policies or Google Context-Aware Access before any other security investment.

What is cyber insurance and does a small business need it?

Cyber insurance covers breach response costs (forensic investigation, legal notification, regulatory fines), ransomware extortion payments (insurers provide negotiation support), and business interruption losses. For most 50-person companies handling customer data, cyber insurance is worth carrying: premiums are $2,000-8,000/year for $1M in coverage. Underwriters now require MFA, EDR, and offsite backups as minimum controls before issuing a policy. Getting your security controls in place first reduces premiums and avoids claim denials.

What are the most impactful security controls a 50-person company can implement for under $10,000 per year?

The highest-ROI controls at this budget level, roughly ordered by impact: Entra ID P1 or Google Workspace Business Plus includes MFA enforcement and Conditional Access for around $6-12 per user per month ($3,600-7,200/year for 50 users) -- MFA alone eliminates 99% of account compromise attacks per Microsoft's data. Email security (Microsoft Defender for Office 365 Plan 1 or Proofpoint Essentials) adds phishing simulation and safe links/attachments for around $2-3 per user per month. DNS filtering (Cisco Umbrella, Cloudflare Gateway, or DNSFilter) blocks known malware and phishing domains at the DNS layer for $2-5 per user per month. Endpoint protection with EDR (Microsoft Defender for Business is included in Microsoft 365 Business Premium at around $22/user/month; standalone EDR like Huntress runs $8-10/user/month) -- if budget is tight, Huntress on Windows servers at minimum is the priority target. Password manager for the organization (1Password Teams or Bitwarden Business runs $3-5/user/month) eliminates password reuse across the organization. Total for all five: roughly $6,000-12,000/year for 50 users, within budget. Prioritize in the order listed: MFA first, email security second, DNS filtering third, EDR fourth, password manager fifth.

Sources & references

  1. CISA: Small and Medium Business Cybersecurity Resources
  2. NIST Cybersecurity Framework Small Business Guide
  3. Verizon DBIR 2025: Small Business Breach Patterns

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.