Security Baselines for Business Operators
NIST-aligned identity, device, backup, and incident response controls for small businesses handling financial and employee data.
This is a minimum baseline for a small business handling financial records, payroll data, and client information. It aligns with NIST Cybersecurity Framework 2.0 functions—Identify, Protect, Detect, Respond, Recover—at a scale appropriate for a business without a dedicated IT department. It is not a SOC 2 program. The goal is to reduce common attack paths and limit damage when an account is compromised.
Identity and access
Credential theft is the most common entry point for small business compromises. Business email compromise (BEC) and payroll diversion fraud typically start with a phished password.
Identity controls
- Enable multi-factor authentication (MFA) on email, payroll, banking, cloud admin, and accounting software
- Use a password manager; generate unique passwords per service; do not share credentials in chat or email
- Separate owner admin accounts from day-to-day operator accounts
- Remove access within 24 hours when an employee or contractor leaves; rotate shared credentials they had access to
- Review admin user lists quarterly; remove unused accounts
- Disable legacy authentication protocols where your email provider allows (IMAP/POP with basic username/password auth); they accept a bare password and bypass MFA
For businesses subject to FTC Safeguards Rule requirements (many tax preparers and financial service providers), access controls and MFA are not optional recommendations—they are regulatory expectations under 16 CFR Part 314.
Devices
Device controls
- Enable automatic OS and browser updates on all business devices
- Use full-disk encryption: FileVault on macOS, BitLocker on Windows
- Require screen lock with timeout of 5 minutes or less
- Do not store client financial data on personal devices without equivalent controls
- Use business-managed devices for payroll and banking where feasible
- Maintain an inventory of devices with access to business systems
Backups and recovery
NIST CSF Recover function: maintain and test backups.
| Backup type | What to back up | Frequency |
|---|---|---|
| Accounting file | QuickBooks export, Xero backup, or desktop company file | Monthly minimum; before major changes |
| Payroll records | Provider reports, W-2 copies, quarterly reconciliations | After each payroll run and at year-end |
| Critical documents | Entity documents, contracts, insurance policies, tax returns | When created or updated |
| Cloud configuration | Admin account list, DNS records, deployment configs | Quarterly |
Follow the 3-2-1 rule where practical: three copies, two media types, one off-site. Cloud backup is acceptable if access is controlled and the provider terms allow financial record storage.
Application hygiene for operators who build software
If you maintain a website, internal tools, or client portals:
- Rotate API keys and secrets when staff changes or on a fixed schedule (quarterly for high-privilege keys)
- Do not commit secrets to version control; use environment variables or a secrets manager
- Keep dependencies updated; run `npm audit` or equivalent monthly; patch critical CVEs within 72 hours
- Use HTTPS everywhere; set `Secure`, `HttpOnly`, and `SameSite` flags on authenticated session cookies
- Log authentication failures and admin actions; retain logs for at least 90 days
- Principle of least privilege on cloud accounts (AWS IAM, Vercel, Netlify, etc.)
For Astro or static sites with no server-side auth, the attack surface is smaller—but DNS, hosting accounts, and form endpoints still need protection.
Vendor review
Before adopting a tool that stores financial, payroll, or HR data:
Vendor due diligence
- Read the security page or request a SOC 2 Type II report if available
- Confirm data storage location (US vs. international) and encryption at rest
- Verify export capability before you depend on the vendor
- Understand data retention and deletion on cancellation
- Confirm MFA and role-based access are supported
- Review subprocessors if client data is involved
Payroll providers, accounting software, and document storage services are high-value targets. Prefer vendors with established breach notification procedures and a track record of transparent incident disclosure.
Incident response: one page
Write a single-page incident response plan and store it somewhere you can reach without your primary email:
- Who to contact: IT support (if any), payroll provider, bank fraud line, cyber insurance carrier
- Immediate actions: Freeze payroll changes, rotate compromised credentials, revoke active sessions
- Backup location: Where accounting and payroll backups live; who can access them
- Insurance: Cyber policy number and claims process
- Communication: Who notifies clients if their data was exposed; template for notification
Run through the plan once a year. During an incident you will not have time to figure out who has admin access to QuickBooks.
Detection without a SOC
You do not need a security operations center to catch common problems:
- Enable login alerts on email and banking
- Review bank transactions weekly, not monthly
- Monitor payroll provider audit logs for direct deposit changes
- Use DNS monitoring or registrar lock on your domain
- Subscribe to breach notification services (Have I Been Pwned alerts for business email domains)
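The payroll audit-log check above can be automated on a provider export. As an added example (not from the original page, and not tied to any specific provider's format), the detector below flags every direct deposit change and escalates any that lands within 48 hours of a password reset, MFA change or login from a new IP for the same employee, which is the sequence a payroll diversion after a phished account typically leaves behind. The event names, field layout and the sample lines are constructed assumptions; map them to what your provider actually exports.

```javascript
// Added example, not code from the original page. Event names, fields and the
// sample log are assumptions; adjust PRECURSORS and the JSON shape to your
// provider's export.
const WINDOW_MS = 48 * 3600 * 1000;
const PRECURSORS = new Set([
  "password_reset", "mfa_disabled", "mfa_device_added", "login_new_ip",
]);

// Constructed sample export (newline-delimited JSON), deliberately out of order.
const SAMPLE_LOG = [
  { ts: "2024-03-04T09:12:00Z", user: "jdoe", event: "login", ip: "203.0.113.10" },
  { ts: "2024-03-05T22:41:00Z", user: "jdoe", event: "login_new_ip", ip: "198.51.100.7" },
  { ts: "2024-03-05T22:43:00Z", user: "jdoe", event: "password_reset", ip: "198.51.100.7" },
  { ts: "2024-03-05T22:50:00Z", user: "jdoe", event: "direct_deposit_updated",
    ip: "198.51.100.7", account_last4: "4471" },
  { ts: "2024-03-06T10:05:00Z", user: "asmith", event: "direct_deposit_updated",
    ip: "203.0.113.22", account_last4: "9023" },
  { ts: "2024-02-20T08:00:00Z", user: "asmith", event: "password_reset", ip: "203.0.113.22" },
].map((e) => JSON.stringify(e)).join("\n");

// Parse NDJSON, attach an epoch millisecond timestamp, and sort by time so the
// window check below does not depend on export order.
function parseLog(text) {
  return text
    .split("\n")
    .filter(Boolean)
    .map((line) => {
      const e = JSON.parse(line);
      return { ...e, t: Date.parse(e.ts) };
    })
    .sort((a, b) => a.t - b.t);
}

// One finding per direct deposit change. "high" when a precursor event for the
// same user precedes it within WINDOW_MS, otherwise "review" (still worth a
// weekly glance, because a legitimate change and a fraudulent one look alike
// without the account-takeover context).
function findDepositChanges(text) {
  const events = parseLog(text);
  const findings = [];
  for (const e of events) {
    if (e.event !== "direct_deposit_updated") continue;
    const precursors = events.filter(
      (p) => p.user === e.user && PRECURSORS.has(p.event) &&
        p.t <= e.t && e.t - p.t <= WINDOW_MS,
    );
    findings.push({
      user: e.user,
      ts: e.ts,
      ip: e.ip,
      account_last4: e.account_last4,
      severity: precursors.length > 0 ? "high" : "review",
      precursors: precursors.map((p) => `${p.event}@${p.ts}`),
    });
  }
  return findings;
}

// Usage: run over the export and print anything that needs a human.
for (const f of findDepositChanges(SAMPLE_LOG)) {
  console.log(`[${f.severity}] ${f.user} changed direct deposit to ...${f.account_last4} at ${f.ts}` +
    (f.precursors.length ? ` after ${f.precursors.join(", ")}` : ""));
}
```

Run it against the export after every payroll cycle; a "high" finding should trigger the freeze-payroll-changes step of the one-page incident plan before the next run settles.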
Closing perspective
Security baselines are boring until they are not. The businesses that recover quickly from credential theft are usually the ones that had MFA enabled, backups tested, and a one-page response plan in a shared drive—not the ones that planned to “get to security next quarter.”