Jan 20 2026

What’s the Minimum Viable Cybersecurity Setup for an SMB With Limited Cash Flow?

With artificial intelligence increasing the sophistication of threats, small businesses must invest in cybersecurity.

Small to medium-sized businesses and startups often lack the right resources to properly implement a robust cybersecurity strategy, especially with new risks created by artificial intelligence (AI). This could be due to the lack of IT expertise, budget, time, or the knowledge and leadership needed to bring all of those together, says Anupam Upadhyaya, senior vice president of product management for Prisma SASE at Palo Alto Networks.

However, there is a certain level of security SMBs and startups need to have to protect their data, their reputations and their business. SMB technology leaders should have a minimum viable cybersecurity setup in place, which includes a focus on devices, identity, browsers and visibility.


Why Cybersecurity Matters for Small Businesses

“Cybersecurity matters for small businesses because a single breach can be an existential, company-ending event. Attackers don’t care how big you are; they go after the organizations with the weakest defenses,” says Daniel Bernard, chief business officer at CrowdStrike. “And today, small businesses are operating in the same digital environment as the world’s largest enterprises. They rely on cloud apps, they store sensitive customer data and they increasingly have remote teams. That all expands their attack surface.”

Small businesses often face more risk than larger enterprises if they are the victims of a successful attack. Large enterprises are more likely to have the resources to bounce back, while small businesses and startups might not be able to weather the storm.

The Cost of a Breach

Upadhyaya points out that the average cost of a breach for a small business is often reported to be at least $120,000, which could lead to bankruptcy for some SMBs.

“What we see at CrowdStrike is that adversaries are bringing enterprise-level tradecraft to SMBs. So, the real question isn’t, ‘Am I too small to be a target?’ It’s, ‘Can my business afford the downtime, data loss and reputational hit from an attack?’ For most small businesses, cybersecurity is about serving customers and keeping the business running. It’s that simple,” adds Bernard.

Cybersecurity is already a top priority for SMBs, according to Upadhyaya: “There’s a report that says almost 57% of SMBs put cybersecurity as their No. 1 business priority.”

Upadhyaya says that SMB leaders should care about cybersecurity because the cost of a breach is high, AI is making security more topical than ever, and many small businesses and startups aren’t currently in a good position to address cybersecurity as the landscape rapidly evolves.


The Most Common Cyberthreats Small Businesses Face

“The biggest threats hitting small businesses right now are identity-driven attacks and ransomware. Attackers aren’t breaking in; supercharged with AI, they’re logging in with stolen credentials and moving across cloud and SaaS apps as if they belong there,” Bernard explains. “And once they’re in, ransomware actors move fast because they know most SMBs don’t have the teams or tools to spot them early.”

Identity-based intrusions and ransomware are accelerating, according to CrowdStrike’s 2025 State of SMB Cybersecurity Survey. At the same time, most SMBs are still relying on legacy defenses and haven’t adopted AI-powered security, says Bernard.

“That widening gap between the sophistication of the attacks and the tools SMBs have in place is exactly why adversaries view small businesses as high-value, low-friction targets,” he says.


Upadhyaya says that as workflows shift to browsers, so does the source of attacks: “These attacks will be in the form of phishing, malware, business email compromise, credential theft and sensitive data leakage.”

Protecting data in the browser is complicated because the browser itself is vulnerable, he says, noting that a lot of malware gets reassembled in the browser.

“There are extensions that start as benign, productive extensions but morph into malicious extensions, and this is where the new attack vectors are coming in,” he says.

AI has also lowered the barrier to entry for attackers by increasing the number of attack vectors and making it easier to compromise SMBs’ networks. Bad actors can use generative AI to create localized and context-aware phishing emails at a larger scale than seen before, says Upadhyaya.

“These email campaigns are so sophisticated that they could monitor your LinkedIn to find a new employee and then email the CEO with some specific information about that employee to create an attack,” he explains. “There’s much more context behind these attacks, which makes it very difficult to figure out if the attack is real or not.”

Another major challenge is that some SMBs are sitting on legacy antivirus and endpoint security products, which are completely ineffective in this new landscape, according to Upadhyaya.


Following are some threats that SMB leaders must protect against.

Phishing Attacks

Phishing emails are one of the top ways bad actors try to infiltrate a business. These emails typically impersonate someone in the company in an attempt to either take short-term gains in the form of gift cards, for example, or long-term gains in the form of gathering user credentials to launch a larger attack.

AI is making it even easier for phishing emails to slip by security tools and end users. Generative AI can be used to write emails that sound like they’re written by a native speaker. AI can even be used to gather information about a target so the emails sound more personal and real. With this in mind, SMBs should focus on security training in addition to other security controls implemented to stop phishing attacks.

Ransomware and Malware

According to the FBI, “Ransomware is a type of malicious software — or malware — that prevents you from accessing your computer files, systems or networks and demands you pay a ransom for their return. Ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.”

A user can accidentally download ransomware or malware by opening an email attachment, following an unknown link, visiting a website or clicking on an ad.

Ransomware attacks are highly lucrative for cybercriminals. They can hold certain data or access for ransom, and even after being paid a large sum of money to release control of a business’s systems, they could still release data on the black market, endangering an SMB’s reputation and overall business.

DDoS Attacks

A distributed denial of service attack, or DDoS attack, targets websites and servers, according to Microsoft. The goal of such an attack is to exhaust an application’s resources by flooding a site with false traffic. This can result in reduced website functionality or even a website crash. These types of attacks especially focus on businesses in the gaming, e-commerce and telecommunications industries, according to Microsoft.

Man-in-the-Middle (MITM) Attacks

In a man-in-the-middle attack, a bad actor intercepts a communication pathway between two devices or services, capturing the traffic and forwarding it so that the communication continues. With this style of attack, a bad actor could alter security information and intercept traffic. Many businesses don’t notice that they’ve been compromised until it’s too late.

Drive-By Downloads

According to McAfee, now Trellix, a drive-by download occurs when a user visits a web page. The user doesn’t need to click on anything or accept any software. Instead, malicious code downloads in the background while the user is on the web page. This type of attack exploits the vulnerabilities present in a browser, app or operating system. The initial code downloaded is often small and is intended to connect the device with another so it can download the rest of the malicious code without the user’s knowledge.

Software Vulnerability Exploitation

The Log4j vulnerability is a memorable example of software vulnerability exploitation. Cyberattackers can discover a vulnerability that exists within a specific piece of software and exploit that vulnerability across users to launch an attack on a larger scale. It’s important that when these vulnerabilities become known, SMBs take the necessary steps to patch them and protect themselves from a costly cyberattack.


Creating a Cybersecurity Plan and Strategy

Small businesses should keep their strategy focused on impact, not complexity. Bernard recommends that SMBs start by understanding the devices, applications and identities their business depends on, because a business can’t protect what it can’t see.

“Then, prioritize identity protection. Today, most attacks begin with compromised credentials, so you need the ability to detect suspicious logins and account misuse in real time,” he says. “From there, prioritize technology that does the heavy lifting for you. Most SMBs don’t have dedicated security teams, so the tools you choose need to be simple to deploy, easy to manage and effective the moment they’re turned on. That’s why solutions such as CrowdStrike Falcon Go resonate so strongly. They deliver the same AI-powered protection we provide to the largest enterprises but in a way that’s accessible and intuitive for smaller teams. A good SMB security strategy is one that’s built around stopping breaches, not managing tools.”

Focus On the Foundation

To create a robust cybersecurity strategy, Upadhyaya suggests, SMBs should start by assessing their current approach. He says it’s crucial for SMBs to consider which Software as a Service apps are key to the business, where important data is stored and how employees access systems. Are they using company-issued devices or their own?

“What’s the first thing you need to secure? It’s a browser, because that’s when the interactions are happening, whether you’re using an unmanaged device, a phone or accessing SaaS applications,” he explains. “You’ve got to make sure you start by securing the place where you interact with these things. And that’s a browser.”

Upadhyaya recommends that SMBs have a three-part plan. The first part is securing the browser and production layer, where the most common threats reside. The second part is about employee training and awareness, which should include an overview of how AI should be used and what data it should interact with as well as a deep dive into email and identity security.

Once the business has foundational capabilities in place such as a secure browser, identity protection, data security, and endpoint detection and response, then the business can focus on building advanced capabilities depending on its needs.


How Much To Budget for Cybersecurity

“SMBs are the backbone of our economy, but they don’t have gigantic revenue,” says Upadhyaya. “It’s different to say, ‘Allocate X% of your budget or even your IT budget to security.’ First, you have to understand the potential cost of a breach. Depending on your segment, there is data out there,” he says. “You’ve got to understand what a breach could cost, including the financial and reputational damage.”

Invest In Proactive Security

Upadhyaya adds that the sooner an SMB detects a problem, the lower the cost will be, meaning that prioritizing investment in proactive security is important.

“If you let the problem happen, then reactive security becomes that much harder,” he says. “This is what SMBs have to contend with when they start thinking about budgeting. Make sure you understand the crucial cost of a breach and make sure you’re putting the right tools in proactive security to make sure that you don’t get encumbered.”

Find Security Solutions Built With SMBs in Mind

He also points out that the responsibility for effective cybersecurity doesn’t fall on SMBs alone.

“Some of that is also on the industry to provide more cost-effective yet highly effective security solutions for SMBs,” he explains. “We cannot push down the enterprise stack to SMBs and ask them to adopt it. It’s too complex, too costly and too specialized. Democratizing cybersecurity is a bit of a cliche, but we believe at Palo Alto that it’s our mission to go and deliver that.”

Bernard suggests an alternative way of thinking about cybersecurity.

“Cybersecurity should be viewed the same way you view business insurance: It protects your ability to operate. A breach today costs far more than the preventative investment — not just financially, but in lost productivity and customer trust,” he says. “The good news is that enterprise-grade protection is now accessible at SMB-friendly price points. And our partnership with Nord Security makes it even more attainable by bringing CrowdStrike’s AI-native protection together with Nord’s secure access and credential management. SMBs can buy and deploy powerful security through platforms they already use and trust, without complexity or a long onboarding cycle. It’s less about how much you spend and more about choosing the right security foundation from day one.”


Step-by-Step Implementation Priorities

Upadhyaya points out that it’s crucial that SMBs try to stop breaches as close to the user as possible. That means focusing on where your users interact with sensitive data and SaaS applications. This creates more visibility into an SMB’s network as well.

Bernard advises small businesses to focus on three things: “Secure the devices your business runs on, protect your identities, and make sure you have visibility into how your people and applications are connecting and operating. You don’t need a 20-step checklist; you need a strong foundation that closes the most common paths attackers use.”

He describes identity as an SMB’s “front door,” since it’s where most attacks begin. The endpoints are where attackers do damage, so modern protection there is essential, he explains. “And because so much of SMB work happens in the cloud, increasingly with AI agents and AI-powered software, securing access to SaaS apps and cloud environments has to be part of the plan. When those pieces are in place, SMBs dramatically reduce the likelihood of a breach.”
