Published: 25 May 2026 · Roy Morken, Datafolka
Cybersecurity for small businesses: 8 things you actually need to do in 2026
Microsoft Digital Defense Report 2024 reports that approximately 7 000 password attacks are blocked every second, and that over 99 percent of the 600 million daily identity attacks are password-based. The number of human-operated ransomware incidents increased 2.75 times from the previous year. In Norway, NSM (Norway's National Security Authority) Risiko 2025 highlights that sabotage attempts and supply-chain attacks are likely, and that small businesses are often the route in to larger targets. The threat landscape is no longer theoretical for SMBs. It is a daily operational factor.
Most articles on cybersecurity for small businesses are either scare pieces or a list of 40 points that nobody has time to implement. This is something different. Here are eight measures, prioritised by how much risk they remove per kr and hour invested. The list is built from what actually dominates in Norwegian and international threat reports, not from theoretical best-practice frameworks.
For each measure you get: what it costs, how long it takes to set up, and how much risk is actually reduced. At the end we have a section on what you can safely skip — certifications, expensive SIEM systems, EDR overhead — if your business does not require it for contractual reasons.
Why small businesses ARE targets — three numbers that disprove "we are too small"
The most common objection in a security conversation with an SMB leader is some variation of "we are not interesting enough". The numbers say otherwise.
First, supply chain. NSM Risiko 2025 highlights supply-chain attacks as a key attack vector. The mechanism is simple: the attacker wants to get into a large organisation, but the front door is locked. So they go through a smaller subcontractor with weaker security and a valid connection to the main target. If you sell services to a larger customer, you are not the target — but you are the channel. This means that your security level is a certification question for larger customers, not an internal matter.
Then, automation. 7 000 password attacks per second (Microsoft Digital Defense Report 2024) are not targeted attacks against specific companies. They are mass scanners trying every known login page with leaked password combinations. If an employee's work email appears in an old database leak from LinkedIn or Dropbox, and they used the same password on their work account, you are hit without anyone having specifically targeted you. SMBs lose value here because they often do not have MFA enabled. Larger organisations do.
Finally, ransomware. SOCRadar Nordic Threat Landscape Report 2024 documented 105 ransomware incidents against Nordic organisations in 2024, with the manufacturing sector most exposed (36 percent). Norway accounted for nearly 17 percent of dark-web activity among Nordic countries. Norway is not a low-interest market — we have a highly technology-mature SMB segment with sufficient payment capacity that attackers see returns. There is no safety in hiding behind the flag.
Microsoft Digital Defense Report 2024 simultaneously states that 90 percent of all organisations have at least one exposed attack path, and 80 percent have paths leading directly to critical assets. That is the central finding behind this entire list: it is not advanced social engineering that does the most damage. It is forgotten baseline measures.
The 8 measures in prioritised order
The order is deliberate. Each measure assumes the previous ones are in place, and each measure delivers more risk reduction than the next. If you start at the top and work down, you have done the most important things first, regardless of how far you get.
1. MFA on everything that has a login
If you only do one thing from this list, do this. Microsoft's own research indicates that multi-factor authentication stops over 99 percent of account takeover attempts. NorSIS (Norwegian Centre for Information Security) survey for 2024 shows that 60 percent of Norwegians use 2FA where it is available, up from 50 percent in 2023. That means 40 percent still do not. On business accounts with access to customer data, invoicing systems, and banking, it is not optional.
In practice: enable MFA on Microsoft 365 or Google Workspace first. That covers email, calendar, and file sharing. Then accounting systems (Tripletex, Visma, Fiken), CRM, banking, payroll systems, invoicing tools, and everything with a login page that contains customer data or money.
Choose an authenticator app (Microsoft Authenticator, Google Authenticator, Authy) over SMS. SMS codes can be hijacked via SIM-swap attacks where someone takes over a phone number at the carrier. This is not theoretical — it happens in Norway, particularly targeting exposed individuals such as executives and finance managers. For administrator accounts and accounts with access to payments, skip SMS and app entirely and use a hardware key (YubiKey). The FIDO2/WebAuthn protocol is phishing-resistant in a way that no code-based MFA is.
Time: 2–4 hours to roll out to a ten-person team.
Cost: kr 0 for app-based, kr 600–900 per YubiKey if you go the hardware route.
Risk reduction: Stops >99 percent of credential-stuffing and phishing-based
account takeovers. The single biggest measure you can take.
2. Backup that has actually been tested with a restore drill
Backup that has never been tested is not backup. It is a folder with data and an assumption that it works. Assumptions die in a crisis.
Follow the 3-2-1 rule: three copies of critical data, stored on two different media, one of which is offsite. For a typical SMB this means:
- Original data on local disk or file share
- Backup 1: local NAS or external drive in the office
- Backup 2: cloud storage in a different jurisdiction (Backblaze, Wasabi, Azure Backup, OneDrive with version history)
The most important part is not the setup. It is the test. Schedule a quarterly date in the calendar and do the following: retrieve one random file from last week, retrieve one folder from last month, and retrieve one complete client archive from last quarter. Open them. Verify they are intact. If something is corrupt or missing, you find out BEFORE the crisis, not during it.
For businesses running ransomware-exposed software locally (accounting, older line-of-business systems), ensure the backup is immutable — write-protected for a period after it is taken. Otherwise, ransomware attackers can encrypt the backup along with the original.
Time: 1 day setup, 2–3 hours per quarter for the drill.
Cost: kr 100–500 per employee per month depending on data volume.
Risk reduction: The difference between an incident that takes two days and one
that takes three weeks — or that cannot be recovered from at all.
3. Patch management with 14-day windows
Microsoft Digital Defense Report 2024 shows that 1.25 million DDoS attacks were handled in the second half of 2024 — a fourfold increase from the previous year. Many of these exploit known vulnerabilities in unpatched software. Patch management is the most tedious measure on the list, but it is the quiet value worker.
Concrete setup:
- Windows PCs: enable automatic Windows Update. For a managed fleet, use Microsoft Intune or Windows Update for Business to control when updates roll out.
- Macs: enable automatic macOS updates. For a fleet, use Jamf or Mosyle.
- Browsers (Chrome, Edge, Firefox, Safari): let them update automatically. The most common attack surface is the browser.
- Office, Adobe Reader, Zoom, Teams, and other office tools: enable auto-update in each tool.
- Servers and network equipment (routers, firewalls, switches): patch within 14 days for critical CVEs.
Target: critical and high-severity vulnerabilities patched within 14 days of vendor release. Medium and low severity within 30 days. Not perfect, but practical — and noticeably better than average.
Time: 2 days initial setup of central management, then 1–2 hours per month
to check reports.
Cost: Intune is included in M365 Business Premium. Standalone Intune is
approximately kr 50 per device per month. Jamf for Mac is kr 80–150 per device per month.
Risk reduction: Removes the equivalent of unlocked doors.
4. Quarterly phishing training — not an annual course
NorSIS survey for 2024 shows that 41 percent of Norwegians are worried about being tricked into sharing sensitive information. Worry without training does not help. NorSIS also reports that 30 percent received formal digital security training in 2024 (up from 25 percent in 2023), and that 65 percent of these felt their skills improved afterwards.
The important number is what is not stated: that 70 percent received no training. That is where the main gain lies for most SMBs.
The model that actually works:
- Quarterly phishing simulations, not annual. The brain forgets in three months.
- Employees who click receive a short 10–15 minute micro-course, not a reprimand.
- Example scenarios: email pretending to be an invoice from a supplier, email with a fake sharing link from a colleague, email pretending to be a notification from Microsoft or a bank. Vary the pattern each quarter.
- Target: click rate should fall from the typical 25–35 percent in the first simulation to under 10 percent after one year.
Tools:
- KnowBe4: the market leader. kr 200–400 per employee per year. Broad library.
- Hoxhunt: Nordic alternative. More focus on continuous micro-training rather than annual campaigns.
- GoPhish: free open source. Requires some time budget for self-hosting, but zero cost per employee.
Time: 4–8 hours per quarter to build campaign and follow up on results.
Cost: kr 200–500 per employee per year for a commercial service, kr 0 for GoPhish.
Risk reduction: Directly addresses the largest attack vector against SMBs.
5. EDR or modern antivirus
Classic signature-based antivirus stops known threats. Modern attackers use living-off-the-land techniques (PowerShell, legitimate system tools used maliciously) that do not trigger signature scanners. Endpoint Detection and Response (EDR) monitors behaviour, not just files.
For SMBs:
- Microsoft Defender for Business: included in M365 Business Premium. For many SMBs this is sufficient. Enable it.
- CrowdStrike Falcon Go: market leader among SMB EDR. kr 150–250 per device per month. Strong detection, good reporting.
- SentinelOne Singularity: alternative to CrowdStrike. Similar cost.
- Sophos Intercept X: strong specifically on crypto-ransomware protection.
Recommendation: start with Defender for Business if you have M365 Business Premium. Consider CrowdStrike or SentinelOne if you handle particularly sensitive data or have explicit compliance requirements.
Time: 1–2 days setup, mostly spent defining policies.
Cost: kr 0 (included in Business Premium) to kr 300 per device per month for
premium EDR.
Risk reduction: Catches what MFA and patching do not catch.
6. Access management following least-privilege
No one gets admin rights they do not actively need. Standard user account for daily work, separate admin account for installations. This is the principle behind least privilege and there are ready-made solutions for it in Microsoft 365 and Google Workspace.
Concrete checklist:
- Every employee has one standard user account. Local admin rights on work PCs are removed.
- Admin actions are performed with a separate admin account that has MFA and is logged separately.
- Guest access always gets an expiration date — typically 30, 60, or 90 days. No permanent consultant accounts.
- When employees leave, accounts are deactivated within 24 hours. Set up an HR flow that triggers IT action automatically — in Microsoft 365 this can be done via Entra ID lifecycle workflows.
- Use role-based access control (RBAC) rather than individual permissions. Define "Marketing", "Sales", "Accounting" as roles, and assign employees to roles. Easier to maintain and easier to audit.
Time: 2–3 days to clean up initially in a business that has grown without
governance. Then 30–60 minutes per month for maintenance.
Cost: Included in M365 and Google Workspace. No additional licence.
Risk reduction: Limits blast radius when something goes wrong — a compromised
account should not have access to everything.
7. Incident response plan with a call tree
If an attack happens at 4 AM on a Sunday, who do you call? That is not a rhetorical question. It is the most important question in all of cybersecurity work, and very few SMBs have the answer ready.
An incident response plan does not need to be long. It needs to be concrete. It should cover:
- Who discovers: typically an employee who notices something odd, or an alert from EDR/Defender.
- Who is notified internally: short list with names, mobile numbers, and email. Maximum 3–5 people.
- Who isolates the machine: unplug the network cable, disconnect Wi-Fi, but do not shut down the machine (memory evidence may be lost).
- Who changes passwords: critical accounts must be changed from a clean device.
- Who contacts external help: IT provider, incident response service (Mnemonic, KPMG, PwC, Sopra Steria, various specialists), or insurer if you have cyber insurance.
- Who contacts Datatilsynet (Norwegian Data Protection Authority): if personal data may have been exposed, you have 72 hours to notify under GDPR Article 33. Identify in advance who at your organisation writes that notification.
- Who communicates with customers or media: one designated person, not ad hoc.
Write the plan as a flowchart or short table, not a 40-page rulebook. Print it out and hang a copy up — if the servers are on fire, the plan needs to be accessible without cloud access.
Test the plan once a year with a 1–2 hour tabletop exercise. Choose a realistic scenario (employee clicks on a phishing invoice, invoice payment goes to the wrong account, a random system stops responding on a Monday morning). Ask each person in the call tree what they would do. Note what does not work. Update the plan.
Time: 2–3 days to write the first version. 4 hours per year for testing.
Cost: kr 0 internally. Optional external facilitator kr 8,000–15,000.
Risk reduction: The difference between managing an incident and letting it
escalate.
8. Access logging and alerts on high-risk actions
The eighth measure is the first that is optional for the smallest SMBs — but it becomes critical quickly once you exceed 15–20 employees or handle sensitive customer data.
Enable logging and alerts on the following events:
- Login from an unusual geography (employee in Stavanger logging in from Vietnam)
- Login at impossible speed (same user from Oslo and New York within 1 hour)
- Mass download from OneDrive, SharePoint, or Google Drive
- Creation of new admin accounts or modification of existing permissions
- Disabling MFA on an account
- Changes to email forwarding rules (common pattern in compromised accounts)
- Mass deletion of files
In Microsoft 365, this is set up via Microsoft Defender for Cloud Apps and Microsoft Purview Insider Risk Management. In Google Workspace, use Alert Center and Investigation Tool. Both support alerts via email or integration with Teams/Slack.
For SMBs without dedicated security staff, an external Managed Detection and Response (MDR) service can monitor these signals 24/7 for typically kr 150–400 per employee per month. That is the right step once you reach a certain size or have explicit contractual requirements.
Time: 1 day setup if you have M365 Business Premium or Google Workspace
Enterprise.
Cost: Included in Business Premium / Workspace Enterprise. MDR service is
kr 150–400 per employee per month.
Risk reduction: Reduces detection time from months to hours.
What it costs — summary for a 10-person business
| Measure | Setup (hours) | Ongoing cost / year | Risk removed |
|---|---|---|---|
| 1. MFA | 4 | 0–9 000 kr | ★★★★★ |
| 2. Backup + restore drill | 8 | 12 000–60 000 kr | ★★★★★ |
| 3. Patch management | 16 | 6 000–18 000 kr | ★★★★ |
| 4. Phishing training | 8 | 2 000–5 000 kr | ★★★★ |
| 5. EDR / Defender | 12 | 0–36 000 kr | ★★★★ |
| 6. Access management | 16 | 0 kr | ★★★ |
| 7. Incident response plan | 16 | 4 000–15 000 kr | ★★★ |
| 8. Logging and alerts | 8 | 0–48 000 kr | ★★★ |
| Total (10 employees) | 88 | 24 000–191 000 kr | - |
For a ten-person SMB that already has M365 Business Premium and a backup solution, the ongoing cost is typically around kr 50 000–80 000 per year for all eight measures combined. That is roughly half the cost of an average ransomware incident before production losses are factored in.
What you CAN skip — common overkill for SMBs
The list above is what actually delivers results. It is equally important to know what does not. These things look good in a proposal but deliver little real security benefit for a typical SMB.
ISO 27001 certification, if your customers do not require it. Certification typically costs kr 200 000–400 000 and requires 6–12 months of preparation. It is meaningful when you sell to large enterprise customers or public sector organisations that require it as a tender condition. For a local SMB serving local customers, it rarely delivers direct return. Build the eight measures first, document as you go, and consider certification when a specific customer asks.
An in-house SIEM system (Splunk, QRadar) for under 25 employees. Security Information and Event Management systems are built for large organisations with dedicated security analysts. For SMBs, SIEM systems are typically expensive to licence and impossible to maintain internally. If you genuinely need centralised logging and analysis, buy it as a managed service, not as an in-house system.
Advanced EDR for under 10 employees with M365 Business Premium. Microsoft Defender for Business is already included in the package. The marginal gain from adding CrowdStrike or SentinelOne for a business of under ten people is small. Upgrade when you exceed 15–25 employees or handle particularly sensitive data.
An expensive annual penetration testing programme if the basics are not in place. A pentest reveals what MFA, patching, and EDR would already have removed. For a business without these baseline measures, a pentest produces a long list of findings and little room to act. Get the basics right first, and run a pentest once you have a security maturity that requires validation.
VPN for employees working from home, if you are fully SaaS. If your entire stack is M365 or Google Workspace with MFA and Conditional Access, traditional VPN adds minimal extra protection — and introduces an additional attack surface (the VPN concentrator). What actually helps is identity-based access management and Conditional Access, not network tunnels.
When do you need professional help
Most of the list can be set up by an IT-competent internal person using vendor guides. Points 1 (MFA), 2 (backup), and 4 (phishing training) are typically done without external assistance in businesses of under 20 employees. Point 3 (patching) requires a weekend with Intune or equivalent.
External help makes the most sense for:
- Initial setup of points 5–8 (EDR policy, access management, incident response plan, logging and alerts). Typically 20–40 hours of external work.
- Annual security review. 1–2 days of external assessment of the setup.
- Acute incident response. A retainer with a specialist (Mnemonic, KPMG, smaller independents) typically costs kr 5 000–15 000 per year just to have the number active, plus hourly rates for an actual incident.
- Compliance work if you need to document security work for a customer, regulatory authority, or insurer.
For a standard SMB of 10–25 employees, the typical combined budget for external security assistance is kr 40 000–100 000 per year, covering setup, ongoing advisory, and incident readiness.
Next steps — start at the top
The list is prioritised. If you only have one week to spend on cybersecurity this month, spend it on point 1 (MFA) and point 2 (backup test). Those two remove the largest share of risk for the lowest cost. Points 3–8 can be rolled out over the next 4–12 weeks in that order.
If you want a sparring partner who has done this package before for Norwegian SMBs, we can help with setup of points 5–8 and with an annual security review. Send an email to Roy.Morken@Datafolka.no , and we will schedule a call. We also offer incident response retainers if you want a number to call when something happens.
Related reading on datafolka.no: IT security services , Private AI without data leakage and IT consulting .
Sources
- NSM Risiko 2025: nsm.no/regelverk-og-hjelp/rapporter/risiko-2025
- Microsoft Digital Defense Report 2024: microsoft.com/security/security-insider
- NorSIS digital security culture survey 2024: norsis.no
- SOCRadar Nordic Threat Landscape Report 2024: socradar.io
Roy Morken, co-founder of Datafolka. This article is built on public industry sources (NSM, Microsoft, NorSIS, SOCRadar) and translated into practical language for Norwegian SMBs. No customer data or anonymised cases have been used. Last updated 25 May 2026.