Security for SMBs without an IT department: what should you do this quarter?

No IT team, but still accountable. This pillar gives you a priority stack: do this first, then that, then the less urgent stuff. Each item links to a deeper guide.

You don't have an IT department. Yet you're responsible for company security. That sounds overwhelming — until you know where to start.

Quarter 1: the fundamentals

\n
1. MFA on everything. See rolling out MFA in M365.
\n
2. A password manager for everyone. See choosing a password manager.
\n
3. Disk encryption enabled on all laptops.
\n
4. A backup strategy you actually test. See backup strategy.
\n

Quarter 2: context

\n
1. SaaS inventory in order. See SaaS inventory.
\n
2. Offboarding process defined. See offboarding.
\n
3. Phishing training for employees. See recognising phishing.
\n
4. Incident response plan on paper. See incident response.
\n

Quarter 3: governance

\n
1. Access reviews.
\n
2. Start an ISO 27001 trajectory if customers are asking for it. See ISO 27001.
\n
3. Dismantle shadow IT. See cleaning up shadow IT.
\n

Quarter 4: maturity

\n
1. Vendor risk management. See vendor risk.
\n
2. Security awareness embedded in onboarding.
\n
3. Periodic phishing tests.
\n

What never to do?

\n
• Think you're "not interesting enough" to be targeted. 90% of attacks are opportunistic, aimed at vulnerable systems regardless of company name.
\n
• Treat security as something a virus scanner alone can handle.
\n
• Wait for "the big security overhaul" — do one thing every week.
\n

See also: access management pillar, GDPR pillar, ISO 27001 pillar.