The Small-Business Threat Model: Three Scenarios and One Shopping List
Stop buying enterprise security tools for a ten-person firm. Focus on the three risks that actually destroy small businesses.
You Are Not Lockheed Martin
I see it constantly. A boutique law firm with six partners is paying for a “Threat Intelligence Platform.” They have dashboards showing global cyberwarfare maps. They feel important.
Strictly speaking, they are burning money.
Security is not about buying the most expensive tool. It is about matching the defense to the threat. If you build a bunker to protect against a nuclear strike, but you leave the window open during a rainstorm, you will still get wet. And water damage is far more likely than nuclear war.
For the SMB (Small and Medium Business), we ignore the movie-plot scenarios. We focus on the three boring, devastating realities.
The Risk: The Triad of Disaster.
- The Subpoena (The Legal Attack): A regulator or opposing counsel demands your data. If your vendor holds the keys, you must comply instantly. You lose privilege. You lose leverage.
- The Insider (The Emotional Attack): An employee feels slighted. They decide to leave. Before they go, they download the entire client database to a personal drive. Or they delete a critical project folder.
- The Lost Device (The Physical Attack): A partner leaves an iPad in a taxi. The iPad contains unencrypted client contracts. This is a reportable breach. It destroys reputation.
The Defense: The Shopping List.
We do not buy “Cybersecurity Suites.” We buy specific controls for these specific problems.
- For the Subpoena: We buy Zero-Knowledge Storage. We choose vendors who cannot decrypt our files. When the subpoena arrives, we can honestly say, “We have the data, but we are the only ones with the keys.” This forces the dispute into a different legal arena.
- For the Insider: We buy a central Identity Provider (IdP). We need a single dashboard where we can click one button—“Revoke”—and the employee loses access to email, files, and chat instantly, because every application trusts the IdP for sign-in instead of holding its own credentials. No shared passwords. No loose ends.
- For the Lost Device: We enable Mobile Device Management (MDM). This sounds complex, but for an SMB, it is simple. It allows us to send a “Remote Wipe” command to the lost iPad. Ideally, we also enforce Full Disk Encryption on every laptop.
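The zero-knowledge point in the Subpoena item is easier to see in code than in prose. The following is an added illustration, not code from the original post or from any storage vendor: the client encrypts every file with AES-GCM under a key that only the firm holds, uploads the opaque blob, and the vendor side (a `VendorStore` stand-in constructed here) can list names and sizes but cannot produce a single byte of plaintext. The file name is bound as associated data so a blob cannot be quietly served under a different name. The document text and names are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is what the storage vendor actually receives and keeps: ciphertext plus
// the nonce, and the file name used as associated data. No key material.
type Blob struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output; the 16-byte authentication tag is appended
}

// NewClientKey generates the 256-bit key the firm holds on its own devices.
// The vendor never sees it, so a demand served on the vendor yields ciphertext only.
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the client before upload. The file name is bound as
// associated data so a blob cannot be silently swapped under another name.
func Seal(key []byte, name string, plaintext []byte) (Blob, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(name))
	return Blob{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the client after download. Any change to the ciphertext,
// nonce or name fails authentication and yields no plaintext at all.
func Open(key []byte, b Blob) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Name))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key or tampered blob")
	}
	return pt, nil
}

// VendorStore stands in for the provider's bucket (a constructed stand-in, not
// any real vendor API). It holds blobs and can report names and sizes only.
type VendorStore struct{ blobs map[string]Blob }

func NewVendorStore() *VendorStore                  { return &VendorStore{blobs: map[string]Blob{}} }
func (v *VendorStore) Put(b Blob)                   { v.blobs[b.Name] = b }
func (v *VendorStore) Get(name string) (Blob, bool) { b, ok := v.blobs[name]; return b, ok }

// Inventory is everything the vendor can hand over: file names and ciphertext sizes.
func (v *VendorStore) Inventory() map[string]int {
	out := map[string]int{}
	for n, b := range v.blobs {
		out[n] = len(b.Ciphertext)
	}
	return out
}

func main() {
	key, _ := NewClientKey()
	store := NewVendorStore()
	// Constructed sample document; not a real client file.
	doc := []byte("Engagement letter: Acme v. Example, retainer terms ...")
	blob, _ := Seal(key, "acme-engagement.txt", doc)
	store.Put(blob)

	fmt.Println("vendor inventory:", store.Inventory())
	got, _ := store.Get("acme-engagement.txt")
	pt, err := Open(key, got)
	fmt.Printf("client decrypt: %q err=%v\n", pt, err)

	// The vendor, or anyone compelling the vendor, has no key: decryption fails closed.
	otherKey, _ := NewClientKey()
	_, err = Open(otherKey, got)
	fmt.Println("decrypt without the firm's key:", err)
}
```

The practical consequence is the one the post states: the vendor can confirm that a file named `acme-engagement.txt` exists and how large it is, and nothing more. The cost is that key custody moves to the firm, so losing the key means losing the files; pair this with an offline key backup in the same way you would back up the documents themselves.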
This architecture is quiet. It does not beep. It does not have a “War Room” dashboard. But it addresses 95% of the actual liability you face.
The Machine rewards precision. Buy what you need. Secure what you have. Ignore the noise.
FAQs
Do I need an intrusion detection system?
Likely not. You are not hosting infrastructure; you are using SaaS. You need a way to revoke access, not a way to watch network packets.
Is antivirus enough?
No. Antivirus catches old threats. It does not stop a legal demand or an employee copying a client list to a USB drive.
What is the most cost-effective security tool?
Full Disk Encryption. It is usually free, built into the OS, and saves you from liability when a device is stolen.