Stop Getting Hacked. A Checklist for Chicago Small Businesses.

There's almost no actual hacking involved in most breaches. It's your people. Here's the 10-item checklist to fix that before somebody else does.

Darius J Davis · May 27, 2026

Let me be real with you.

Most "hacking" isn't hacking. It's not some guy in a hoodie breaking through your firewall with movie-style code scrolling across his screen. That's Hollywood.

In reality, 88% of data breaches start with a person. Your receptionist clicked a link. Your office manager reused their Netflix password for the company email. Your accountant opened an attachment from what looked like a client.

That's it. That's the breach.

The scary part isn't the technology. The scary part is that nobody told your team what to look for.

Here's the thing that frustrates me.

Your chef should be making incredible food. Your doctor should be seeing patients. Your attorney should be practicing law. None of these people went to school to become IT security experts.

But right now, they're the ones standing between your business and a breach. And they don't even know it.

The security industry has spent decades building solutions for Fortune 500 companies and completely ignoring the small businesses that actually run this country. And then when a 12-person law firm gets hit with ransomware, everyone acts surprised.

I'm not surprised. I'm tired of it.

The checklist.

Here are 10 things your business needs. This isn't complicated. Most of it is free or cheap. There's no reason not to have all 10 done by the end of the month.

1. Multi-factor authentication on every single account.

Email. Banking. Cloud storage. Payroll. QuickBooks. All of it.

This one thing stops 99% of stolen password attacks. Your phone buzzes, you approve the login, done.

If you don't have this turned on everywhere, stop reading this and go do it right now. I'll wait.

2. Email authentication. SPF, DKIM, DMARC.

I know those sound like alphabet soup. Here's what they do: they stop criminals from sending emails that look like they came from you.

Without these configured, somebody can send your client a fake invoice from "your" email address and there's nothing stopping it.

We check this for free. Takes 2 minutes.
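
What a check like that looks at, as an added example (not the author's tooling): the script below grades the SPF and DMARC TXT records a domain publishes, which you can fetch with `dig +short TXT yourdomain.com` and `dig +short TXT _dmarc.yourdomain.com`. The function names and sample records are assumptions made up for illustration, and DKIM is left out because checking it requires knowing your mail provider's selector name.

```python
# Added example; the SAMPLE_* strings are constructed, not real DNS answers.
SAMPLE_ROOT_TXT = ["v=spf1 include:_spf.mailhost.example ~all"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; pct=50"]


def check_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF missing: receivers cannot tell which servers may send as you"]
    if len(spf) > 1:
        return ["SPF published more than once: receivers treat that as an error"]
    terms = spf[0].lower().split()[1:]
    final = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not final:
        if any(t.startswith("redirect=") for t in terms):
            return ["SPF uses redirect=: audit the record it points to"]
        return ["SPF has no 'all' term: unlisted senders get a neutral result"]
    weak = {
        "+all": "SPF ends in +all: every server on the internet passes",
        "?all": "SPF ends in ?all: unlisted senders get a neutral result",
        "~all": "SPF ends in ~all: softfail only, blocking is left to DMARC",
    }
    hit = weak.get("+all" if final[0] == "all" else final[0])
    return [hit] if hit else []  # "-all" (hard fail) produces no finding


def check_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["DMARC missing or duplicated: no policy is applied to spoofed mail"]
    pairs = (part.partition("=") for part in dmarc[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if v}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or 'unset'}: failing mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports reach you")
    return findings


def audit_domain(root_txt, dmarc_txt):
    """Combine both checks; an empty list means nothing was flagged."""
    return check_spf(root_txt) + check_dmarc(dmarc_txt)
```

Calling `audit_domain(SAMPLE_ROOT_TXT, SAMPLE_DMARC_TXT)` flags the softfail SPF ending, the monitor-only DMARC policy, the partial `pct`, and the missing report address.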

3. Real endpoint protection on every device.

Not the free antivirus that came installed on your Dell from Best Buy. A real managed solution that watches for suspicious behavior, not just known viruses.

The threats have evolved. Your protection needs to evolve too.

4. Backups that you've actually tested.

Everybody says they have backups. Cool.

When's the last time you tried to restore from one?

If the answer is "never" or "I don't know," then you don't have backups. You have a false sense of security. Test your backups once a month. Time how long it takes to get back up and running. That number matters.

5. A password manager.

If anybody at your company is using the same password for their work email and their Instagram, you've got a problem. It's not a matter of if that password leaks. It's when.

Password managers cost like $4 a month per person. That's cheaper than one hour of breach response.

6. Phishing training. Not a PowerPoint. Real training.

This is the big one. This is where I get on my soapbox.

Social engineering is how 89% of security incidents start. Somebody gets tricked. A convincing email, a fake login page, a phone call pretending to be from IT support.

Your people need to see what these attacks actually look like. Not in a training video from 2019. In their actual inbox, in a controlled simulation, where they learn by experience.

We run these for our clients. First round results are always humbling. But by the third round, people start catching things they never would have noticed before. That's the whole point.

7. An incident response plan.

Ransomware hits at 2am on a Saturday. What do you do?

  • Who do you call first?
  • What do you unplug?
  • Who contacts your clients?
  • Who calls the insurance company?

If those answers aren't written down somewhere your team can find them, you don't have a plan. You have panic.

Write it down. Put it in a shared drive. Print a copy and tape it inside the server closet door. I'm serious.

8. Clean up old access.

That IT guy who left 18 months ago? His login still works.

The marketing agency you fired last year? Still has admin access to your website.

Your old bookkeeper? Still in QuickBooks.

Go through every system and ask: who has access, and should they? Do this once a year at minimum. Takes an afternoon. One of the easiest wins in security.
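
One way to run that review, as an added example rather than anything from the original post: export the user list from each system, then compare it against who actually works for you today. The roster, vendor list, account rows, field layout and 90-day threshold below are all constructed assumptions.

```python
# Added example; roster, vendors and account exports are constructed sample data.
from datetime import date

CURRENT_STAFF = {"maria@firm.example", "devon@firm.example"}
APPROVED_VENDORS = {"support@newagency.example"}
ACCOUNTS = [  # (system, login, role, last_login) as exported from each system
    ("website", "maria@firm.example", "editor", date(2026, 5, 20)),
    ("website", "team@oldagency.example", "admin", date(2025, 3, 2)),
    ("email", "formerit@firm.example", "admin", date(2024, 11, 15)),
    ("quickbooks", "oldbooks@firm.example", "user", date(2025, 1, 9)),
    ("quickbooks", "Devon@Firm.example", "admin", date(2025, 12, 1)),
    ("website", "support@newagency.example", "admin", date(2026, 5, 1)),
]


def review_access(accounts, staff, vendors, today, stale_days=90):
    """Return (system, login, reason) rows to disable or question, admins first."""
    rows = []
    for system, login, role, last_login in accounts:
        who = login.strip().lower()  # exports differ in letter case
        idle = (today - last_login).days
        if who not in staff and who not in vendors:
            reason = "no current owner"  # departed staff or a dropped vendor
        elif idle > stale_days:
            reason = f"unused for {idle} days"  # valid owner, dormant access
        else:
            continue
        # False sorts before True, so admin accounts come first in the report.
        rows.append((role != "admin", system, who, reason))
    return [(system, who, reason) for _, system, who, reason in sorted(rows)]
```

Run against the sample data with `today=date(2026, 5, 27)`, it lists the former IT login, a dormant admin seat in QuickBooks, and the old agency's website admin ahead of the old bookkeeper's regular account.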

9. Cyber insurance.

It's affordable now. Seriously. Small business cyber policies are not expensive and they cover the things that will actually bankrupt you: breach notification, legal fees, business interruption, regulatory fines.

Call your insurance broker this week. Not next month. This week.

10. Know your compliance requirements.

  • Healthcare? HIPAA.
  • Credit cards? PCI-DSS.
  • Schools? FERPA.

These aren't just regulations to check a box on. They're frameworks that force you to get the basics right. If you're in a regulated industry and you're not sure where you stand, that alone is worth a conversation.

Where do you stand?

Count how many of those 10 you can honestly check off.

10/10: Respect. You're ahead of almost every small business I walk into.

7-9: Good foundation, but the gaps are exactly where attacks get in.

Under 7: You're not alone. Most businesses are right there with you. But you need to move on this before somebody else moves on you.

We do a free 30-minute security assessment for any small business in Chicago. No pitch, no pressure, no "let me talk to my manager" nonsense. Just a straight conversation about where you are and what to fix first.

(773) 417-9994 or southsidechisolutions.com
