The list you keep meaning to finish
You are the IT lead, which at your company means you are also the help desk, the procurement team, and the person who remembers the Wi-Fi password for the conference room nobody uses. Somewhere in your notes is a security to-do list. You started it after a vendor demo, or after a customer asked a question you could not answer cleanly, or after reading one too many breach headlines on a Sunday.
The list is not the problem. The list is full of reasonable items: turn on multi-factor authentication everywhere, fix the leavers who still have access, get someone to read the alerts. The problem is that every item competes with a ticket that is on fire right now, and the fire always wins. So the list sits there, half done, quietly aging.
Here is the question worth answering before you touch that list again. What is the minimum you genuinely cannot skip, the floor below which you are not protected no matter how busy the week was? Not the dream program. The floor. It turns out to be shorter than the demo suggested, mostly paid for already, and reachable without a heroic quarter.
Why a floor beats a wish list
A wish list has no edges. Every security article adds an item, every vendor adds three, and none of them tells you what you can safely leave for later. So the list grows until it is too big to start, which is the same as having no list at all.
A floor is different. A floor is the small set of controls that, if any one of them is missing, the rest barely matters. Most incidents that hit companies your size are not exotic. Verizon's annual breach research has consistently found that the majority of breaches involve a human element, such as stolen credentials, phishing, or simple error (Verizon Data Breach Investigations Report). That points you straight at the unglamorous controls, not the threat-map dashboard.
The floor gives you three things a wish list never will:
- A clear stopping point, so you know when you have done enough to be genuinely covered.
- A priority order, so the fire-fighting weeks still leave the most important things standing.
- A defensible answer when a customer or auditor asks what you do, because the answer is a short list you can point to.
You are not trying to be a 5,000-person security team. You are trying to not be the easy target. That is a much smaller job.
What the floor comes down to
Strip the noise away and the baseline is a handful of controls operated reliably. None of it is new, and most of it is already sitting in subscriptions you pay for.
Identity comes first, because identity is where the attacks land. Multi-factor authentication enforced everywhere, with no quiet exceptions for executives or service accounts. If you run Microsoft 365, Microsoft Entra ID can apply Conditional Access policies that block a sign-in from an untrusted device or a risky location (Microsoft documents Conditional Access). The capability ships with the license. Turning it on and tuning it so you do not lock out the sales team is the work.
Joiners and leavers handled the same way every time. New people get the access their role needs on day one. People who leave lose it the day they leave, not the Friday someone remembers. The leaver who keeps access for three months is a classic finding, and it is entirely preventable.
Your cloud has a watcher. If you run on AWS, Amazon GuardDuty is a threat detection service that monitors the account for suspicious activity (AWS documents GuardDuty). Again, the capability is included. What it lacks is a person who reads the findings and acts before a finding becomes an incident.
The work leaves a record. When a customer's procurement team sends a questionnaire, the answer should come from how the environment is run, not from your memory at 11 p.m. That record is also what an auditor eventually asks to see.
That is the floor. Notice what is not on it: no security operations center, no threat intelligence subscription, no platform you cannot staff.
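As an added illustration (not code from the article), the check below audits a constructed directory export for the two identity findings described above: accounts without MFA enforced, with no exception for executives or service accounts, and leavers still enabled after their leave date. The returned findings double as the record a questionnaire or auditor would ask for; the account fields and sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    name: str
    role: str
    enabled: bool
    mfa_enforced: bool
    left_on: Optional[date]  # set by HR when someone leaves; None while current


# Constructed sample export (not real data); in practice this comes from
# the identity provider's user export.
SAMPLE_ACCOUNTS = [
    Account("alice", "engineer", True, True, None),
    Account("bob-ceo", "executive", True, False, None),        # the quiet exception
    Account("svc-backup", "service", True, False, None),       # service account, no MFA
    Account("carol", "sales", True, True, date(2024, 1, 12)),  # left, still enabled
    Account("dave", "finance", False, True, date(2024, 3, 1)),  # left and disabled: fine
]


def audit_floor(accounts, today):
    """Return floor findings (MFA gaps, leavers with access) as dicts, worst first."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot sign in, so there is nothing to flag
        if not acct.mfa_enforced:
            findings.append({"account": acct.name, "role": acct.role,
                             "finding": "mfa_not_enforced"})
        if acct.left_on is not None and acct.left_on <= today:
            findings.append({"account": acct.name, "role": acct.role,
                             "finding": "leaver_still_enabled",
                             "days_since_leave": (today - acct.left_on).days})
    # Leavers who still have access outrank MFA gaps; oldest leavers first.
    findings.sort(key=lambda f: (f["finding"] != "leaver_still_enabled",
                                 -f.get("days_since_leave", 0), f["account"]))
    return findings


def run_sample():
    """Run the audit over the constructed export as of a fixed date."""
    return audit_floor(SAMPLE_ACCOUNTS, date(2024, 4, 1))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```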
The floor is an operations problem, not a shopping one
Here is the part the demos skip. Almost everything on that list is a capability you already own. The gap between you and the floor is not a purchase. It is the hours and the discipline to turn the controls on, tune them to how your company works, and keep them running when the week goes sideways.
That reframe matters because it changes what you are shopping for. You do not need another tool that produces alerts nobody reads. A control you bought but do not operate is not coverage; it is a receipt. Conditional Access does nothing until someone writes the policy and tests it. GuardDuty findings only count if a human triages them. The license is the cheap, easy part. The operating is the part that keeps falling to you, after hours, between everything else.
The floor is reachable for almost every small company, because the controls are already paid for. What is missing is rarely the technology. It is someone whose job is to run it.
So the honest version of the floor is not a budget line for software. It is a decision about who operates the basics, reliably, on a schedule, so the most important controls stay standing whether or not this was a calm week.
The floor you can reach this quarter
Go back to that half-finished list in your notes. The reason it never got done was never that the items were wrong. It was that the list had no floor, no edges, and no clear sense of what you absolutely could not skip, so it competed with every fire and lost.
The floor changes that. It is short. It is mostly capability you already pay for. Identity locked down, joiners and leavers handled the same way every time, the cloud watched by someone who reads the findings, and a record that falls out of running things properly. A small company that holds that line is in better shape than a much larger one drowning in tools it cannot operate. Getting there is not a heroic quarter or a big check. It is the basics, operated like they matter, by someone whose job that is.
So before you reopen the list, ask yourself the real question: of everything on it, which few items are the floor, and who is going to keep them standing next week?