A plain-language guide for business owners and their IT person

If you run a small or mid-sized business in Maine, cybersecurity probably isn’t your favorite topic. It’s complex, it’s expensive-sounding, and it’s easy to assume the big attacks happen to big companies. But the data tells a different story — and so do the businesses right here in New England that have faced ransomware, email fraud, and data breaches in recent years.
This guide won’t overwhelm you. It’s designed to help you and whoever handles your IT get oriented, take stock of where you stand, and start building a defensible posture — one practical step at a time.
Why SMBs Are a Target (Not an Exception)
Cybercriminals don’t just go after enterprises. They automate attacks at scale and look for the path of least resistance. Small businesses are attractive precisely because they often have weaker defenses, valuable data (customer records, payment info, employee data), and limited resources to respond when something goes wrong.
According to CISA (the Cybersecurity and Infrastructure Security Agency), small and medium businesses are increasingly in the crosshairs — and a single incident can be enough to permanently damage operations, customer trust, or both.
Start Here: The Five Things That Matter Most
You don’t need a Security Operations Center (SOC) on day one. You need a foundation. CISA’s #StopRansomware guidance and their Cybersecurity Performance Goals are built around exactly this idea — prioritize the controls that reduce the most risk first.
Here’s how that translates to plain English for your business:
1. Protect Your Email — It’s the #1 Attack Vector
Most breaches start with a phishing email. Business Email Compromise (BEC) — where an attacker impersonates your CEO, a vendor, or a bank — costs U.S. businesses billions every year. Basic spam filtering isn’t enough anymore.
What to do: Deploy AI-driven email security that can detect impersonation, malicious links, and account takeover attempts. CISA recommends enabling multi-factor authentication (MFA) on all email accounts as a baseline — it’s free to implement and stops the majority of credential-based attacks. See CISA’s guidance on phishing.
2. Know What’s on Your Network
You can’t protect what you don’t know exists. A surprising number of SMBs have devices — old workstations, personal phones, unmanaged switches, forgotten IoT devices — connected to their network with no visibility or controls.
What to do: Do a basic asset inventory. Your IT person should be able to enumerate connected devices. If you’re running a mix of wired and wireless, make sure your access points support network segmentation so guest traffic, IoT, and business systems aren’t sharing the same lane. CISA’s Known Exploited Vulnerabilities catalog is a useful reference for prioritizing patching once you know what you have.
3. Patch Everything — On a Schedule
Unpatched software is one of the most common entry points attackers exploit. This includes your operating systems, applications, routers, firewalls, and wireless access points. “We’ll get to it” is how breaches happen.
What to do: Set a recurring patching schedule — monthly at minimum, weekly for critical systems. Your IT person should be subscribed to vendor security bulletins. CISA maintains a free vulnerability scanning service for eligible organizations that can help identify exposure.
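To show how sections 2 and 3 fit together, here is an added example (not code from the original post or from New England Communications): a Python script that cross-references an asset inventory with a stand-in for CISA's KEV JSON feed and orders the patch work by the cadence above. The host names, vendor names, products and CVE IDs are constructed placeholders, and the simple vendor/product string match is an assumption that would need name normalisation against the real feed.

```python
"""Added example: rank patch work by matching an inventory against a KEV-style feed.
All catalog entries and inventory rows are CONSTRUCTED samples with placeholder IDs."""
import json
from datetime import date, timedelta

# Constructed stand-in for the KEV feed, using the real feed's field names.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "Edge Router",
     "dueDate": "2025-02-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Acme", "product": "Office Suite",
     "dueDate": "2025-01-20", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "WaveCo", "product": "Access Point",
     "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "vendorProject": "Other", "product": "NAS",
     "dueDate": "2025-01-12", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: the list section 2 asks your IT person to build.
INVENTORY = [
    {"host": "fw-01", "vendor": "ExampleNet", "product": "Edge Router", "critical": True},
    {"host": "ws-12", "vendor": "Acme", "product": "Office Suite", "critical": False},
    {"host": "ap-03", "vendor": "WaveCo", "product": "Access Point", "critical": True},
]

def load_kev(feed_text):
    return json.loads(feed_text)["vulnerabilities"]

def match_inventory(inventory, kev):
    """Pair each asset with KEV entries whose vendor and product match (case-insensitive)."""
    return [(a, e) for a in inventory for e in kev
            if a["vendor"].lower() == e["vendorProject"].lower()
            and a["product"].lower() == e["product"].lower()]

def _rank(asset, entry, today):
    # Critical systems first, then CVEs used in ransomware, then nearest KEV due date.
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    return (not asset["critical"], not ransomware,
            (date.fromisoformat(entry["dueDate"]) - today).days)

def patch_plan(inventory, feed_text, today_iso):
    """patch_by is the earlier of the KEV due date and the post's cadence:
    weekly for critical systems, monthly for everything else."""
    today = date.fromisoformat(today_iso)
    pairs = sorted(match_inventory(inventory, load_kev(feed_text)),
                   key=lambda ae: _rank(ae[0], ae[1], today))
    plan = []
    for asset, entry in pairs:
        due = date.fromisoformat(entry["dueDate"])
        cadence = today + timedelta(days=7 if asset["critical"] else 30)
        plan.append({"host": asset["host"], "cve": entry["cveID"],
                     "patch_by": min(due, cadence).isoformat()})
    return plan
```

Run `patch_plan(INVENTORY, KEV_SAMPLE, date.today().isoformat())` to get the ordered list; an asset that matches nothing in the feed still needs its regular patch cycle.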
4. Back Up Your Data — and Test the Restore
Ransomware works because it holds your data hostage. If you have a clean, tested backup that’s isolated from your primary network, you have leverage. Many businesses have backups — far fewer have tested them.
What to do: Follow the 3-2-1 rule — three copies of data, on two different media types, with one offsite or in immutable cloud storage. CISA’s ransomware guide specifically calls out backup integrity as a critical control. Test your restore process at least quarterly.
5. Train Your People — Regularly, Not Once
Your firewall won’t save you if an employee clicks a malicious link or hands over credentials to a convincing fake login page. Security awareness training isn’t a one-time checkbox — it needs to be ongoing, with simulated phishing tests to measure real-world readiness.
What to do: Implement a training program that includes monthly micro-lessons and regular phishing simulations. CISA offers free resources through their Shields Up program, including training materials you can use today.

WHAT COMES NEXT: BUILDING TOWARD A MATURE POSTURE
Once the basics are in place, the next layer involves:
These aren’t luxuries. Cyber insurance underwriters are increasingly requiring them. And for Maine businesses in healthcare, finance, municipal services, or the defense supply chain, regulatory frameworks like HIPAA and CMMC make them obligations.

YOU DON’T HAVE TO FIGURE THIS OUT ALONE
New England Communications works with Maine SMBs to assess where you are, close the gaps, and manage the ongoing work so your IT person isn’t drowning in alerts, and your leadership team can focus on running the business.
This post references CISA resources, which are free and publicly available at cisa.gov. New England Communications is not affiliated with CISA.
