A Practical Security Guide for Small Companies

Basic security checks for companies that are not primarily technical

This is an older background article. It is not a Lavenix service description.

Small companies are often attacked because they are connected to larger customers, suppliers, platforms, or public systems. The attacker may not care about the small company itself. They may care about the email account, invoice process, website, remote access, or existing business relationship that leads somewhere else.

Where the Risk Usually Starts

Review these areas first:

  • public email accounts and shared mailboxes
  • websites, forms, domains, and DNS records
  • cloud file storage and shared folders
  • invoices, payment changes, and supplier communication
  • laptops and phones used for business access
  • remote access, VPNs, admin panels, and business SaaS tools
  • social media accounts and public staff information

Minimum Controls

Start with controls that reduce common failure modes:

  • Use a password manager and unique passwords.
  • Turn on multi-factor authentication for email, banking, cloud storage, and admin accounts.
  • Keep laptops, phones, browsers, and business software updated.
  • Keep offline or separately protected backups for important files.
  • Limit who can approve payment changes or supplier-bank changes.
  • Remove access for people who no longer work with the company.
  • Keep a short list of domains, hosting providers, business-critical SaaS tools, and admin accounts.

Supplier and Customer Risk

If your company works with larger customers, treat email and document exchange as security-sensitive. Attackers often imitate suppliers, customers, finance staff, or managers.

Before changing payment details, transferring money, opening unusual files, or granting account access, verify the request through a second channel: for example, a phone number or contact you already had on file, not the contact details supplied in the request itself.

When to Ask for Help

Ask for external help when:

  • you do not know who controls a domain, mailbox, website, or cloud account
  • backups are untested
  • staff share admin accounts
  • payment changes are handled only by email
  • a customer asks security questions you cannot answer
  • you suspect an account or laptop has been compromised

Keep It Simple

The goal is not a large security program. The goal is to know what you have, reduce the easiest attack paths, and make recovery possible when something goes wrong.