Practical Steps to Protect Your Business Right Now

Robert White October 21, 2024
cybersecurity ohio small-business
Cybersecurity Awareness Month: 7 Things Every Ohio Business Should Do Today

October is Cybersecurity Awareness Month, and if you are a business owner in Ohio or Northern Kentucky, there is no better time to take an honest look at your security posture. The threats are not abstract. In 2024, the City of Columbus suffered a data breach that exposed the personal information of approximately half a million residents — names, Social Security numbers, bank account details, and more. If a city government with dedicated IT resources can be compromised, small and mid-sized businesses from Newport, Kentucky to downtown Columbus need to take their defenses seriously.

Here are seven things you can do today — not next quarter, not next year — to meaningfully improve your cybersecurity.

1. Enable Multi-Factor Authentication Everywhere

Key Stat: Microsoft estimates that MFA blocks over 99.9 percent of account compromise attacks. There is no legitimate reason to leave it disabled on any business-critical system.

If you do only one thing from this list, make it this. Multi-factor authentication (MFA) stops the vast majority of credential-based attacks. Enable it on every system that supports it: email, cloud applications, VPN access, banking portals, and administrative consoles. Microsoft estimates that MFA blocks over 99.9 percent of account compromise attacks. There is no legitimate reason to leave it disabled on any business-critical system in 2024.

2. Review Who Has Admin Access

Admin accounts are the keys to your kingdom. When was the last time you audited who has administrative privileges in your environment? Former employees, former contractors, and current staff who changed roles months ago may still have elevated access they no longer need. Review admin access across your Microsoft 365 tenant, your network infrastructure, your line-of-business applications, and any cloud platforms you use. Remove what is no longer necessary. The principle of least privilege is not just a best practice — it is a requirement for limiting the blast radius of any breach.
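The MFA and admin-access reviews above both come down to the same exercise: pull a list of who holds privileged roles and check each account against a few conditions. The script below is an added example, not code from the original article or from Wallace & White. It assumes an access export in the CSV shape shown (user, roles separated by semicolons, whether the account is enabled, whether MFA is registered, last sign-in date), such as you could assemble from a Microsoft 365 admin center or any other console, plus an HR list of departed staff. The sample rows and the departed list are constructed, not real data.

```python
"""Review privileged accounts from an access export (added example).

Flags the conditions the article warns about: admin accounts without MFA,
departed or disabled users who still hold roles, and privileged accounts
that have not signed in within the stale window.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: not real users or tenant data.
SAMPLE_EXPORT = """\
user,roles,account_enabled,mfa_registered,last_sign_in
alice@example.com,Global Administrator,true,true,2024-10-18
bob@example.com,Exchange Administrator,true,false,2024-10-15
carol@example.com,,true,false,2024-10-20
dave@example.com,User Administrator,false,true,2024-03-02
erin@example.com,Global Administrator,true,true,2024-05-30
"""

# Constructed HR roster of people who have left the company.
DEPARTED = {"erin@example.com"}

# Assumption: an admin who has not signed in for 90 days probably no longer
# needs the role. Adjust to your own policy.
STALE_AFTER = timedelta(days=90)


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["roles"] = [r.strip() for r in row["roles"].split(";") if r.strip()]
        row["account_enabled"] = row["account_enabled"].strip().lower() == "true"
        row["mfa_registered"] = row["mfa_registered"].strip().lower() == "true"
        last = row["last_sign_in"].strip()
        row["last_sign_in"] = date.fromisoformat(last) if last else None
        rows.append(row)
    return rows


def review_privileged_access(rows, departed, today, stale_after=STALE_AFTER):
    """Return (user, finding) tuples for every privileged account that needs attention."""
    findings = []
    for row in rows:
        if not row["roles"]:
            continue  # no admin role: out of scope for this review
        user = row["user"]
        if user in departed:
            findings.append((user, "departed user still holds admin role"))
        if not row["account_enabled"]:
            findings.append((user, "disabled account still holds admin role"))
        if not row["mfa_registered"]:
            findings.append((user, "admin account without MFA"))
        last = row["last_sign_in"]
        if last is None or today - last > stale_after:
            findings.append((user, "admin account inactive for more than %d days" % stale_after.days))
    return findings


if __name__ == "__main__":
    review_date = date(2024, 10, 21)
    for user, finding in review_privileged_access(parse_export(SAMPLE_EXPORT), DEPARTED, review_date):
        print(f"{user}: {finding}")
```

Run against the sample, the review flags bob (admin without MFA), dave (disabled but still privileged, and inactive since March) and erin (departed but still a Global Administrator, and stale); alice passes and carol is skipped because she holds no role. Every finding is a candidate for removal or for an MFA enforcement conversation, which is exactly the cleanup the article asks for.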

3. Test Your Backups — Actually Restore Something

Having backups is not the same as having working backups. Many businesses discover their backup failures at the worst possible moment: during a ransomware attack or hardware failure. This month, pick a critical system or data set and perform a test restore. Verify that the data is complete, current, and usable. Check your backup retention policies and confirm that backups are stored in a location that is isolated from your production environment. If a ransomware attack encrypts your network, your backups need to survive independently.

4. Run a Phishing Simulation

Your employees are your first line of defense and your most common point of failure. Phishing remains the number one attack vector for businesses of every size. Run a phishing simulation to see how your team responds. Platforms like KnowBe4 and Microsoft Attack Simulator make this straightforward. The goal is not to shame anyone — it is to identify who needs additional training and to build a culture where employees feel comfortable reporting suspicious emails without fear of embarrassment.

5. Update Your Incident Response Plan

If you do not have an incident response plan, create one. If you do have one, review it now. Does it reflect your current infrastructure? Does it include the right contact information for your IT provider, your cyber insurance carrier, and legal counsel? Does your team know where to find it and what to do in the first thirty minutes of an incident? An incident response plan that lives in a dusty binder or a forgotten SharePoint folder is not going to help you when an attacker is actively in your environment. Print it out. Walk through it with your team. Make sure it works.

6. Check Your Cyber Insurance Policy

Cyber insurance has changed dramatically in the past two years. Carriers have tightened their requirements, and many policies now mandate specific security controls — MFA, endpoint detection and response, regular patching, and encrypted backups — as conditions of coverage. Review your policy carefully. Understand what is covered, what is excluded, and what security requirements you must meet to keep your coverage valid. If you file a claim and your carrier discovers you were not meeting the policy requirements, your claim may be denied when you need it most.

7. Schedule a Security Assessment

You cannot fix what you cannot see. A professional security assessment identifies vulnerabilities, misconfigurations, and gaps in your defenses that internal teams often overlook. This includes external vulnerability scanning, internal network assessment, review of access controls, and evaluation of your security policies and procedures. For businesses in regulated industries, a security assessment also helps demonstrate due diligence to auditors and regulators.

Take Action Now

Cybersecurity Awareness Month is a useful reminder, but security is not a once-a-year exercise. The Columbus breach demonstrated that organizations of all sizes are targets, and the consequences of a breach extend far beyond the immediate financial impact. Lost customer trust, regulatory penalties, and operational disruption can linger for years. The seven steps outlined here are not expensive or complicated, but they are effective. Start today, and build on this foundation throughout the year. If you need help prioritizing or executing any of these steps, reach out to a qualified security partner who understands the challenges facing businesses in our region.

Key Takeaways

  • Enable multi-factor authentication on every business-critical system -- it blocks over 99.9% of account compromise attacks.
  • Test your backups by actually restoring data, and ensure backups are isolated from your production environment to survive ransomware.
  • Review your cyber insurance policy carefully -- carriers now mandate specific security controls as conditions of coverage.

Need help with cybersecurity?

Wallace & White provides expert cybersecurity assessments and security services for businesses across Southwest Ohio.
