Security Baselines for Business Operators

NIST-aligned identity, device, backup, and incident response controls for small businesses handling financial and employee data.

This is a minimum baseline for a small business handling financial records, payroll data, and client information. It aligns with the six NIST Cybersecurity Framework 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) at a scale appropriate for a business without a dedicated IT department. It is not a SOC 2 program. The goal is to reduce common attack paths and limit damage when an account is compromised.

Identity and access

Credential theft is the most common entry point for small business compromises. Business email compromise (BEC) and payroll diversion fraud typically start with a phished password.

Identity controls

  • Enable multi-factor authentication (MFA) on email, payroll, banking, cloud admin, and accounting software
  • Use a password manager; generate unique passwords per service; do not share credentials in chat or email
  • Separate owner admin accounts from day-to-day operator accounts
  • Remove access within 24 hours when an employee or contractor leaves; rotate shared credentials they had access to
  • Review admin user lists quarterly; remove unused accounts
  • Disable legacy (basic) authentication where your email provider allows it: IMAP, POP3, and SMTP logins that accept a bare password bypass MFA entirely, so an attacker with a phished password does not need the second factor

For businesses subject to FTC Safeguards Rule requirements (many tax preparers and financial service providers), access controls and MFA are not optional recommendations—they are regulatory expectations under 16 CFR Part 314.

Devices

Device controls

  • Enable automatic OS and browser updates on all business devices
  • Use full-disk encryption: FileVault on macOS, BitLocker on Windows
  • Require screen lock with a timeout of 5 minutes or less
  • Do not store client financial data on personal devices without equivalent controls
  • Use business-managed devices for payroll and banking where feasible
  • Maintain an inventory of devices with access to business systems

Backups and recovery

NIST CSF Recover function: maintain and test backups.

| Backup type | What to back up | Frequency |
|---|---|---|
| Accounting file | QuickBooks export, Xero backup, or desktop company file | Monthly minimum; before major changes |
| Payroll records | Provider reports, W-2 copies, quarterly reconciliations | After each payroll run and at year-end |
| Critical documents | Entity documents, contracts, insurance policies, tax returns | When created or updated |
| Cloud configuration | Admin account list, DNS records, deployment configs | Quarterly |

Adjust to your systems. A backup you cannot restore is not a backup.

Follow the 3-2-1 rule where practical: three copies, two media types, one off-site. Cloud backup is acceptable if access is controlled and the provider terms allow financial record storage.
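The restore test the table calls for, as an added example that is not part of the original page: it archives a directory, records a SHA-256 manifest beside the archive, restores the archive into a scratch directory, and refuses to call the backup good unless every file comes back byte-for-byte. The sample accounting files, the archive name, and the function names are constructed for illustration; point write_backup at your real export folder and run verify_restore against the copy that lives off-site, not the one on the same disk.

```python
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so a large company file is not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(src_dir, archive_path):
    """Archive src_dir as tar.gz and write a JSON manifest {relative path: sha256} beside it."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()  # deterministic archive order
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore the archive into a scratch directory and compare every file to the manifest.

    Returns (ok, problems). A backup only counts once this returns (True, []).
    """
    problems = []
    restored = {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # The 'data' filter (3.12+, backported to maintenance releases) rejects
                # path traversal, absolute paths and device nodes from a hostile archive.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except (OSError, EOFError, tarfile.TarError) as exc:
            return False, [f"archive unreadable: {exc}"]
        for root, _, files in os.walk(scratch):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, scratch).replace(os.sep, "/")
                restored[rel] = sha256_file(full)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in archive: {rel}")
    return not problems, problems


def make_sample_data(dir_path):
    """Constructed stand-in for an accounting export; not real business data."""
    os.makedirs(os.path.join(dir_path, "payroll"), exist_ok=True)
    samples = {
        "company-file.qbb": b"\x00\x01QBB-placeholder-bytes" * 64,
        "payroll/2024-Q1-reconciliation.csv": b"employee,gross,net\ne101,5000.00,3900.00\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(dir_path, rel), "wb") as f:
            f.write(data)


def run_demo():
    """Back up the sample data, verify a clean restore, then show two ways a restore fails."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "accounting")
        os.makedirs(src)
        make_sample_data(src)
        archive = os.path.join(work, "accounting-backup.tar.gz")
        manifest = write_backup(src, archive)
        clean_ok, _ = verify_restore(archive, manifest)
        tampered = dict(manifest)
        tampered["company-file.qbb"] = "0" * 64  # simulate a corrupted or swapped file
        _, tamper_problems = verify_restore(archive, tampered)
        _, missing_problems = verify_restore(os.path.join(work, "never-written.tar.gz"), manifest)
    return clean_ok, tamper_problems, missing_problems


if __name__ == "__main__":
    print(run_demo())
```

Keep the manifest with the off-site copy and compare against it on a schedule; a silent bit-rot or a half-finished upload shows up as a hash mismatch or a missing file long before the day you need the restore.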

Application hygiene for operators who build software

If you maintain a website, internal tools, or client portals:

  • Rotate API keys and secrets when staff changes or on a fixed schedule (quarterly for high-privilege keys)
  • Do not commit secrets to version control; use environment variables or a secrets manager
  • Keep dependencies updated; run npm audit or equivalent monthly; patch critical CVEs within 72 hours
  • Use HTTPS everywhere; set Secure, HttpOnly, and SameSite flags on authenticated session cookies
  • Log authentication failures and admin actions; retain logs for at least 90 days
  • Principle of least privilege on cloud accounts (AWS IAM, Vercel, Netlify, etc.)

For Astro or static sites with no server-side auth, the attack surface is smaller—but DNS, hosting accounts, and form endpoints still need protection.
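A pre-commit check for the "do not commit secrets" item above, as an added example that is not from the page or from any project it mentions. It flags well-known key formats by regex and catches unknown token formats by measuring the Shannon entropy of values assigned to names like token, secret or password, which lets placeholders such as CHANGEME through. The sample file contents, the allow-secret marker, the entropy threshold and the script name are assumptions for illustration; the AWS access key shown is the documented AWS example value, not a live credential.

```python
import math
import re
import subprocess
import sys

# Well-known credential formats (published prefixes); add the providers you actually use.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Generic "name = value" where the name suggests a secret; the value gets an entropy test
# so unknown token formats are caught while obvious placeholders are not.
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)[a-z0-9_]*\s*[=:]\s*[\"']?([A-Za-z0-9+/=_\-]{20,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per char; random 32-char tokens score about 4.5 to 5, words well under 4
ALLOW_MARKER = "allow-secret"  # comment marker that suppresses a line; reserve for documented example values

# Constructed .env contents for the demo (assumption, not a real project file).
SAMPLE_FILE = """\
# constructed example .env contents
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_TOKEN=q8Zk2vLp0XyR4mNbT7wEaJ3sH9dC6fGu
DB_PASSWORD=CHANGEME_CHANGEME_CHANGEME
-----BEGIN RSA PRIVATE KEY-----
EXAMPLE_KEY=AKIAIOSFODNN7EXAMPLE  # allow-secret: documented AWS sample value
"""


def shannon_entropy(s):
    """Bits per character of s; higher means more random-looking."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<stdin>"):
    """Return (path, line number, rule) for every suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high_entropy_" + m.group(1).lower()))
    return findings


def scan_staged():
    """Scan the staged copy of every file about to be committed (for a git pre-commit hook)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    findings = []
    for name in names:
        # ':path' is the index (staged) version, not the working-tree file.
        content = subprocess.run(
            ["git", "show", f":{name}"],
            capture_output=True, text=True, errors="replace", check=True,
        ).stdout
        findings.extend(scan_text(content, name))
    return findings


if __name__ == "__main__":
    staged = len(sys.argv) > 1 and sys.argv[1] == "--staged"
    hits = scan_staged() if staged else scan_text(SAMPLE_FILE, ".env")
    for path, lineno, rule in hits:
        print(f"{path}:{lineno}: possible secret ({rule})")
    sys.exit(1 if hits else 0)
```

Saved as, say, scan_secrets.py (assumed name) and called from .git/hooks/pre-commit with the --staged flag, a non-zero exit blocks the commit. The allow-secret marker is a deliberate escape hatch; grep for it during the quarterly key review so it does not quietly accumulate real credentials.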

Vendor review

Before adopting a tool that stores financial, payroll, or HR data:

Vendor due diligence

  • Read the security page or request a SOC 2 Type II report if available
  • Confirm data storage location (US vs. international) and encryption at rest
  • Verify export capability before you depend on the vendor
  • Understand data retention and deletion on cancellation
  • Confirm MFA and role-based access are supported
  • Review subprocessors if client data is involved

Payroll providers, accounting software, and document storage services are high-value targets. Prefer vendors with established breach notification procedures and a track record of transparent incident disclosure.

Incident response: one page

Write a single-page incident response plan and store it somewhere you can reach without your primary email:

  1. Who to contact: IT support (if any), payroll provider, bank fraud line, cyber insurance carrier
  2. Immediate actions: Freeze payroll changes, rotate compromised credentials, revoke active sessions
  3. Backup location: Where accounting and payroll backups live; who can access them
  4. Insurance: Cyber policy number and claims process
  5. Communication: Who notifies clients if their data was exposed; template for notification

Run through the plan once a year. During an incident you will not have time to figure out who has admin access to QuickBooks.

Detection without a SOC

You do not need a security operations center to catch common problems:

  • Enable login alerts on email and banking
  • Review bank transactions weekly, not monthly
  • Monitor payroll provider audit logs for direct deposit changes
  • Enable registrar lock and MFA on the domain registrar account, and alert on changes to your DNS records; whoever controls the domain can redirect both your email and your website
  • Subscribe to breach notification services (Have I Been Pwned alerts for business email domains)
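The payroll audit-log review from the list above, as an added example rather than anything from the page or a provider: it reads an audit export as JSON lines, reports every direct-deposit change, and raises the severity when a change lands right before payday or when several employees now point at one destination account, which is the signature of payroll diversion. The log lines, field names, routing numbers and next pay date are constructed; map them onto your provider's actual export format.

```python
import json
from collections import defaultdict
from datetime import date, datetime

# Constructed audit export (JSON lines). Field names are assumptions; routing and
# account values are fake. Map these onto whatever your payroll provider exports.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-05-20T09:12:03", "event": "login", "actor": "hr.admin", "ip": "203.0.113.7"}
{"ts": "2024-05-21T10:40:00", "event": "direct_deposit.update", "actor": "e101", "employee_id": "e101", "routing": "123456789", "account_last4": "4471", "ip": "198.51.100.20"}
{"ts": "2024-05-30T08:15:22", "event": "direct_deposit.update", "actor": "hr.admin", "employee_id": "e102", "routing": "987654321", "account_last4": "9930", "ip": "192.0.2.55"}
{"ts": "2024-05-30T08:17:45", "event": "direct_deposit.update", "actor": "hr.admin", "employee_id": "e103", "routing": "987654321", "account_last4": "9930", "ip": "192.0.2.55"}
{"ts": "2024-05-30T09:00:00", "event": "payroll.run", "actor": "owner", "ip": "203.0.113.7"}
"""
NEXT_PAYDAY = date(2024, 5, 31)  # assumed pay date for the sample


def parse_audit_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_deposit_changes(events, next_payday, window_days=3):
    """Report every direct-deposit change, scored for payroll-diversion indicators.

    high:   change lands within window_days before payday, or several employees now
            share one destination account (one attacker account collecting many paychecks)
    medium: changed by someone other than the employee (normal for HR, but confirm it)
    info:   routine self-service change outside the window
    """
    changes = [e for e in events if e.get("event") == "direct_deposit.update"]
    employees_by_dest = defaultdict(set)
    for e in changes:
        employees_by_dest[(e["routing"], e["account_last4"])].add(e["employee_id"])

    alerts = []
    for e in changes:
        dest = (e["routing"], e["account_last4"])
        changed_on = datetime.fromisoformat(e["ts"]).date()
        days_before = (next_payday - changed_on).days
        near_payday = 0 <= days_before <= window_days
        shared = len(employees_by_dest[dest]) > 1
        by_other = e["actor"] != e["employee_id"]
        reasons = []
        if near_payday:
            reasons.append(f"changed {days_before} day(s) before payday")
        if shared:
            others = sorted(employees_by_dest[dest] - {e["employee_id"]})
            reasons.append("same destination account as " + ", ".join(others))
        if by_other:
            reasons.append(f"changed by {e['actor']}, not the employee")
        severity = "high" if (near_payday or shared) else "medium" if by_other else "info"
        alerts.append({
            "employee_id": e["employee_id"], "ts": e["ts"], "actor": e["actor"],
            "ip": e.get("ip"), "severity": severity, "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in review_deposit_changes(parse_audit_log(SAMPLE_AUDIT_LOG), NEXT_PAYDAY):
        print(a["severity"].upper(), a["employee_id"], a["ts"], "; ".join(a["reasons"]) or "routine")
```

Run it against the export before each payroll run, not after: a high-severity line is the cue to phone the employee on a known number and confirm the new account before money moves.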

Closing perspective

Security baselines are boring until they are not. The businesses that recover quickly from credential theft are usually the ones that had MFA enabled, backups tested, and a one-page response plan in a shared drive—not the ones that planned to “get to security next quarter.”