Skip to main content

IT Support

How small businesses actually get hacked — and the simple fixes

It's almost never a Hollywood hacker. It's an email, a reused password, or an update nobody installed — and the fixes are just as ordinary.

· 6 min read

When people picture getting hacked, they imagine a hooded genius and a wall of green code. The reality for a small business is far more mundane — and that's actually good news, because mundane problems have mundane fixes. Criminals don't usually pick small businesses for a dramatic heist; they pick them because the basics were left undone. Here's how it really happens, and how to shut the easy doors.

How it happensThe simple fix
A convincing email (phishing)Be suspicious of unexpected requests; never log in through an email link — go to the site directly
Reused or weak passwordsA password manager for unique passwords, plus two-factor on anything important
Updates nobody installedTurn on automatic updates for your computers, phones, and website

1. A convincing email (phishing)

This is the big one. Someone gets an email that looks like it's from your bank, Microsoft, a supplier, or even you, asking them to log in or pay an invoice. They click, they type their password into a fake page, and now someone else has it. It's not carelessness — these are designed to fool busy people having a normal day.

The fix: a moment of healthy suspicion ('was I expecting this?'), and never logging in through a link in an email — go to the site directly instead. A quick chat with your team about what these look like prevents more breaches than any expensive gadget.

2. Passwords that are reused or weak

If the same password unlocks five accounts, then one leaked password unlocks all five. Attackers count on this; when a password leaks from some unrelated website, they quietly try it everywhere else.

The fix: a password manager (so every account gets a different, strong password you don't have to remember) and turning on two-factor authentication — that text-message or app code — on anything important. Two-factor alone stops the vast majority of these attacks cold.

3. Updates nobody got around to

Those update reminders you keep dismissing often contain security patches. Skipping them leaves a known, published hole open — and attackers actively scan for exactly those holes. It's the digital equivalent of leaving a window everyone knows about unlatched.

The fix: turn on automatic updates wherever you can — for your computers, your phones, and especially your website. Most of the time, simply staying current is the entire defense.

If you'd rather not keep track of all this yourself, that's exactly the sort of thing managed IT quietly handles in the background — updates applied, two-factor set up, your team gently trained. Either way, the takeaway is hopeful: the simple stuff really does stop most of it.

Frequently asked questions

What's the single most effective thing I can do?
Turn on two-factor authentication on your important accounts — email first. It stops the large majority of account break-ins, even if a password leaks.
Are small businesses really targets?
Yes — often more than big ones. Attackers aren't picking you personally; automated tools scan for easy, unpatched, unprotected setups, and small businesses are frequently the softest target.
What is phishing, exactly?
An email or text designed to look legitimate — your bank, Microsoft, a supplier — that tricks you into entering a password or paying a fake invoice. The defense is a habit: pause on unexpected requests, and never log in through a link.
Do I need expensive security software?
Usually not to cover the basics. Most small-business breaches walk in through the four ordinary gaps above — close those first; they're cheap or free.
How do I know if an account has already been compromised?
The clearest signs are a sign-in from a place or device the person didn't use, or emails disappearing from a mailbox on their own. If you see either — or someone entered their password after clicking a suspicious link — reset that password, turn on two-factor, and have someone check the account right away.

Keep reading

Book a consult

Let's talk about what's not working

The first conversation is free and pressure-free. You talk, we listen, and by the end you'll have at least one concrete thing you can act on — whether you work with us or not.

30 minutes, via phone or video

We come prepared if you share your brief first

Flexible scheduling, including evenings and weekends

What to expect

0–5 min

Context

We learn about your business and what's not working

5–20 min

Diagnosis

We ask specific questions and share our initial read

20–30 min

Next steps

You leave with at least one concrete recommendation

“James created something that I have no doubt is the reason my practice has been at capacity for years.”

— Donovan Bigelow, LMHC