02 June 2026
A few years ago I sat down with the owners of a small business that had grown steadily over the previous decade. They had good staff, loyal customers and healthy revenue. Like many business owners, they worried about cybersecurity because they had heard the stories about ransomware, online fraud, privacy breaches and so on. They wanted to know whether they had missed anything important.
The conversation started where most conversations about small business cybersecurity start, namely software. They asked about email security, backups, password managers and cyber insurance. Sensible topics, worth discussing, but not the place to start. So I asked them: if you were to lose something tomorrow morning, what would hurt the business most? The room went quiet.
One owner suggested client information. Another thought email would cause the biggest problem. Someone else argued that the accounting system would be impossible to operate without. Nobody gave a wrong answer, but nobody agreed either. What struck me was not the disagreement but that the leadership team had never actually had this conversation.
Businesses need a shared knowledge of the information domain and its associated risks
These were intelligent people who knew their business inside out. They could tell you which clients generated the most revenue and which projects carried the most risk. Yet they had never stopped to identify the information and systems that mattered most to the organisation.
We spent the next hour drawing diagrams on a whiteboard. We mapped clients, systems, suppliers, documents and workflows. As we worked through the exercise, a pattern emerged. The business did not face a technology problem. The business faced a visibility problem.
The owners discovered that they depended heavily on a handful of systems. They discovered that several people had access to information that no longer related to their roles. They discovered that one supplier had become far more important to the business than anyone had realised. Most importantly, they discovered that if certain information disappeared, operations would slow dramatically within a day.
Nobody installed software during that meeting, changed a password or purchased a new security product. But the owners left with a shared understanding of what actually mattered and why. I think it was time well spent.
Too much security is also a problem
This experience captures something that people often miss about small business cybersecurity. Actually, scratch that: people miss this about cybersecurity in general, even in large corporate systems and in government. Nobody asks which information needs the most protection. The result is that money is spent double locking everything, producing a system that is too strong where it does not matter and too weak where it counts. The critical first step is knowing what matters.
When organisations skip that first step, they often spend money in the wrong places. They buy tools, they lock things down, they gum up their production with unnecessary directives from ‘the security people’. Meanwhile, they never build a clear picture of the assets that create value, the people who depend on them and the consequences of losing them.
Good cybersecurity for small businesses starts with understanding the business itself.
What information would seriously damage the organisation if it disappeared?
Which systems support day-to-day operations?
Which suppliers could stop the business from functioning?
Who has access to critical information?
How would the business recover if something went wrong?
These are business questions before they are technology questions.
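The whiteboard exercise, as an added illustration that is not part of this article: a constructed inventory of assets, the workflows that rest on them, who can reach them and which supplier each sits on, with four checks that surface the same kinds of finding the owners reached in the meeting. Every name, revenue share and restore time is invented for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    supplier: str | None = None        # external party the asset rests on, if any
    hours_to_restore: float = 0.0      # assumed time to rebuild or recover it
    accessed_by: set[str] = field(default_factory=set)


@dataclass
class Workflow:
    name: str
    revenue_share: float               # fraction of revenue that stops with this workflow
    depends_on: tuple[str, ...]        # assets it cannot run without


# Constructed inventory: names, suppliers and figures are invented.
ASSETS = {
    "client_records": Asset("client_records", "CRM Co", 72, {"ana", "ben", "cleo"}),
    "email": Asset("email", "MailHost", 8, {"ana", "ben", "cleo", "dan"}),
    "accounting": Asset("accounting", "LedgerSaaS", 48, {"ben", "dan"}),
    "job_schedule": Asset("job_schedule", "CRM Co", 24, {"ana", "cleo"}),
    "file_share": Asset("file_share", None, 4, {"ana", "ben", "cleo", "dan"}),
}
WORKFLOWS = [
    Workflow("quote_and_invoice", 0.40, ("client_records", "accounting", "email")),
    Workflow("deliver_jobs", 0.50, ("job_schedule", "client_records", "file_share")),
    Workflow("payroll", 0.10, ("accounting",)),
]
# What each person's role actually requires (constructed).
ROLE_NEEDS = {
    "ana": {"client_records", "email", "job_schedule", "file_share"},
    "ben": {"accounting", "email", "file_share"},
    "cleo": {"client_records", "email", "job_schedule", "file_share"},
    "dan": {"accounting", "email"},
}


def impact_by_asset(workflows):
    """Share of revenue that halts if an asset is lost: the sum over workflows that need it."""
    impact = defaultdict(float)
    for wf in workflows:
        for dep in wf.depends_on:
            impact[dep] += wf.revenue_share
    return dict(sorted(impact.items(), key=lambda kv: kv[1], reverse=True))


def impact_by_supplier(assets, workflows):
    """Revenue exposed to each supplier, counting a workflow once per supplier it touches."""
    exposure = defaultdict(float)
    for wf in workflows:
        suppliers = {assets[d].supplier for d in wf.depends_on if assets[d].supplier}
        for s in suppliers:
            exposure[s] += wf.revenue_share
    return dict(sorted(exposure.items(), key=lambda kv: kv[1], reverse=True))


def excess_access(assets, role_needs):
    """People who can reach assets their role does not require."""
    held = defaultdict(set)
    for a in assets.values():
        for person in a.accessed_by:
            held[person].add(a.name)
    excess = {p: held[p] - role_needs.get(p, set()) for p in held}
    return {p: names for p, names in excess.items() if names}


def still_down_after(assets, workflows, horizon_hours):
    """Workflows not yet running `horizon_hours` after a total loss,
    taking the slowest dependency as the restore time."""
    return [wf.name for wf in workflows
            if max(assets[d].hours_to_restore for d in wf.depends_on) > horizon_hours]


if __name__ == "__main__":
    print("revenue at risk per asset:", impact_by_asset(WORKFLOWS))
    print("revenue at risk per supplier:", impact_by_supplier(ASSETS, WORKFLOWS))
    print("access beyond role:", excess_access(ASSETS, ROLE_NEEDS))
    print("still down after one day:", still_down_after(ASSETS, WORKFLOWS, 24))
```

On this invented data the checks reproduce the pattern from the meeting: one asset and one supplier sit under most of the revenue, two people hold access their roles no longer justify, and every workflow is still down a day after a loss because the slowest dependency takes three days to restore.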
Over the years I have noticed that organisations with strong small business cybersecurity rarely obsess over technology. They understand their dependencies, which information matters and where risk sits within the organisation. As a result, they make better decisions about security, recovery and investment.
Technology still plays an important role. Firewalls, backups, multi-factor authentication and monitoring all have their place. But those controls work best when they protect something the business genuinely values.
Before you spend money on another security product, try a simple exercise. Gather the people who know your business best and ask a single question:
“What would hurt the most if we lost it tomorrow?”
You may learn more about your risks in an hour than you would from months of worrying about the latest cybersecurity headline.