GrowLocal
The GrowLocal Blog

Cybersecurity for Small Business: What Your IT Company Should Actually Be Doing

June 13, 2026 · 8 min read

Updated June 2026

Small businesses absorb a disproportionate share of cyberattacks (a widely cited figure puts it at 43%), not because hackers have a grudge, but because smaller companies are easier targets than enterprises. Commonly repeated industry numbers put the average breach at $120,000 and claim that 60% of businesses that suffer a major attack close within six months; the exact figures are debated, but the direction is not. The right IT company runs four specific security layers that stop most attacks before they start: MFA enforcement, endpoint detection, automated patching, and tested backups. Here is the checklist to hold your MSP accountable to.

This is based on GrowLocal's proprietary research into top-ranking managed IT / MSP websites across six U.S. metros.


Why do cybercriminals target small businesses?

Small businesses are not too small to be a target — they are targeted because they are small. Larger companies have dedicated security teams. Most small businesses do not.

Attackers use automated tools that scan millions of businesses for unpatched software, weak passwords, and misconfigured email. When they find a gap, they exploit it. The payoff — access to customer data, banking credentials, or a ransomware payout — is the same whether the victim is a 10-person accounting firm or a Fortune 500 company. If your IT setup is weaker than the businesses around you, you are next in line.


What should your IT company actually be doing about cybersecurity?

A good managed IT provider does not just fix your printer when it breaks. It maintains a security posture across your whole environment — constantly, in the background. Here are the four pillars that matter most, and what "done right" looks like for each.

Four threat categories, what your MSP should be doing about each, and how to check:

  • Credential theft
    What the threat is: stolen passwords used to access your accounts.
    What your MSP should be doing: enforce MFA on every account, including email and cloud apps.
    How to verify: ask to see MFA enrollment reports covering every user and every app.
  • Malware and ransomware
    What the threat is: software that encrypts your files or steals data.
    What your MSP should be doing: deploy EDR on every endpoint, not just antivirus.
    How to verify: ask for EDR dashboard access or a monthly endpoint health report.
  • Unpatched vulnerabilities
    What the threat is: outdated software with known security holes.
    What your MSP should be doing: automated patch management across OS, applications, and firmware.
    How to verify: ask to see patch compliance logs showing what is pending and what is applied.
  • Data loss after an attack
    What the threat is: no usable backup means no recovery.
    What your MSP should be doing: offsite, immutable backups tested with a real restore every quarter.
    How to verify: request a test restore report, not a backup log but an actual restore result.

The key word in every "How to verify" line is "verify." An MSP that says "we handle all that" but cannot show you a report or dashboard is telling you about their intentions, not their execution.
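To make "an actual restore result" concrete, here is an added example of what a test-restore check does. It is not code from the original article or from any MSP's backup product: it backs up a small constructed data set to a tar archive, restores it into an empty directory, and compares a SHA-256 hash of every restored file against the original. The file names and contents are invented for the example; the point is that a backup job reporting "success" is not the same as proving the files come back intact.

```python
"""Added example: verifying a backup with an actual restore, not a backup log.

Not code from the original article or from any MSP's tooling. A constructed
data set is backed up to a gzip tarball, restored into a fresh directory, and
every restored file is compared against a SHA-256 manifest of the original.
The tamper option shows the check failing the way a corrupted restore would.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def back_up(source: Path, archive: Path) -> dict[str, str]:
    """Write source into a gzip tarball and return the manifest to verify against later."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            # recursive=False: directories get their own entry, children are added by the loop
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    return hash_tree(source)


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing members that would escape the directory."""
    target.mkdir(parents=True, exist_ok=True)
    # The "data" extraction filter (Python 3.12, backported to 3.8.17+) rejects absolute
    # paths and ".." traversal; fall back to plain extraction where the interpreter lacks it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **opts)


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict:
    """Compare the restored tree to the manifest; ok only if every file is back and unchanged."""
    actual = hash_tree(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupted = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {
        "files_checked": len(manifest),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
        "ok": not (missing or extra or corrupted),
    }


def run_test_restore(tamper: bool = False) -> dict:
    """End-to-end drill on constructed sample data (not a real client data set).

    tamper=True overwrites one restored file afterwards to show a failing report.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "live"
        (source / "clients").mkdir(parents=True)
        (source / "clients" / "ledger.csv").write_text("id,amount\n1,250.00\n2,13.37\n")
        (source / "notes.txt").write_text("quarterly restore drill\n")

        archive = base / "backup.tar.gz"
        manifest = back_up(source, archive)

        restored = base / "restored"
        restore(archive, restored)
        if tamper:
            (restored / "notes.txt").write_text("bit rot\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for label, report in (("clean", run_test_restore()), ("tampered", run_test_restore(tamper=True))):
        print(label, "OK" if report["ok"] else "FAILED", report)
```

The report your MSP hands you should look like the output of `verify_restore`: how many files were checked, which were missing or altered, and a pass/fail verdict from a restore into a location that is not the original server.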

MFA: the single highest-return control

Multi-factor authentication stops the majority of credential-based breaches. Even if an attacker buys your password on the dark web, they cannot log in without the second factor. Not every second factor is equal, though. Basic push-based MFA can be bypassed by "MFA fatigue" attacks, where the attacker spams you with approval requests until you accidentally tap yes, and SMS codes can be intercepted or phished. Number matching (the app makes you type the digits shown on the login screen) defeats fatigue attacks, but a user can still be talked through it on a lookalike login page that relays the code in real time. Your IT company should use number-matching MFA at minimum, and phishing-resistant hardware security keys (FIDO2/WebAuthn) for admin accounts, since those only work with the genuine site.

Patching: boring, critical, and easy to skip

Attackers scan for unpatched systems. The window between a vulnerability becoming public and an exploit circulating is shrinking, sometimes to days. A good MSP automates patching, rolls updates to a pilot group or test environment first so breakage shows up there rather than across your production machines, and can tell you when each system was last patched.


What is EDR, and do I actually need it?

EDR stands for Endpoint Detection and Response. Traditional antivirus blocks files that match a known "bad" list. EDR watches for behavior — an application that suddenly starts reading thousands of files, a process that connects to an unusual server, an admin account logging in at 3 a.m. from an IP address it has never used.

The difference matters because much modern ransomware does not match any antivirus signature. It is custom-built for the campaign, or it leans on legitimate Windows tools such as PowerShell and remote-management utilities that the attacker repurposes (so-called living-off-the-land techniques). EDR is built to catch this behaviour; signature-based antivirus is not.
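The behaviours the paragraph above describes, written out as detection rules: an added example, not code from the article or from any EDR vendor. It runs two rules over constructed endpoint telemetry embedded in the block (the host, account, process names and IP addresses are invented). The first rule learns which IPs a privileged account normally signs in from and alerts on an off-hours sign-in from one it has never seen; the second alerts when a single process writes an unusual number of files inside one minute. Neither rule knows anything about the malicious binary; `svch0st.exe` is flagged for what it does, which is the point of EDR over signatures.

```python
"""Added example: behaviour-based detections of the kind EDR performs.

Not code from the original article or from any EDR product. Two rules run over
constructed telemetry (not real logs):
  1. a privileged account signing in off-hours from an IP it has never used,
  2. one process writing an abnormal number of files within a minute.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, host, kind, actor, detail)
#   kind "logon": actor = account, detail = source IP
#   kind "file":  actor = process, detail = path written
# Assumed names: host, account, process and IPs are invented for this example.
TELEMETRY = [
    ("2026-06-01T09:02:00", "FS01", "logon", "admin.jsmith", "10.0.0.25"),
    ("2026-06-02T08:55:00", "FS01", "logon", "admin.jsmith", "10.0.0.25"),
    ("2026-06-03T09:10:00", "FS01", "logon", "admin.jsmith", "10.0.0.31"),
    ("2026-06-03T09:12:00", "FS01", "file", "winword.exe", "C:\\Shares\\Q2\\budget.docx"),
    ("2026-06-10T03:04:00", "FS01", "logon", "admin.jsmith", "203.0.113.7"),
] + [
    # 60 writes in 60 seconds by a lookalike of a Windows system binary
    (f"2026-06-10T03:06:{i:02d}", "FS01", "file", "svch0st.exe", f"C:\\Shares\\Q2\\file{i}.xlsx.locked")
    for i in range(60)
]

BASELINE_END = datetime(2026, 6, 8)  # sign-ins before this teach the "normal" IPs per account
OFF_HOURS = set(range(0, 6))          # 00:00-05:59 local time
PRIVILEGED_PREFIX = "admin."          # assumed naming convention for admin accounts


def _parse(rec):
    ts, host, kind, actor, detail = rec
    return datetime.fromisoformat(ts), host, kind, actor, detail


def detect_new_ip_offhours_admin_logons(records, baseline_end=BASELINE_END) -> list[str]:
    """Alert when a privileged account signs in off-hours from an IP absent from its baseline."""
    known_ips: dict[str, set[str]] = defaultdict(set)
    alerts = []
    for ts, host, kind, actor, ip in sorted(map(_parse, records)):
        if kind != "logon":
            continue
        if ts < baseline_end:
            known_ips[actor].add(ip)  # learning period only; later IPs are never auto-trusted
            continue
        if actor.startswith(PRIVILEGED_PREFIX) and ip not in known_ips[actor] and ts.hour in OFF_HOURS:
            alerts.append(
                f"{ts.isoformat()} {host}: privileged account {actor} signed in "
                f"from never-seen IP {ip} at {ts:%H:%M}"
            )
    return alerts


def detect_mass_file_writes(records, threshold=50, window=timedelta(seconds=60)) -> list[str]:
    """Alert when one process writes more than `threshold` files inside any `window`."""
    writes: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ts, host, kind, actor, _path in map(_parse, records):
        if kind == "file":
            writes[(host, actor)].append(ts)
    alerts = []
    for (host, proc), times in writes.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append(
                f"{host}: {proc} wrote {peak} files within {int(window.total_seconds())}s "
                "(ransomware-like burst)"
            )
    return alerts


def run_detections(records=TELEMETRY) -> list[str]:
    return detect_new_ip_offhours_admin_logons(records) + detect_mass_file_writes(records)


if __name__ == "__main__":
    for alert in run_detections():
        print("ALERT", alert)
```

Real EDR adds a response step the example leaves out (isolating the host, killing the process), and tunes the thresholds per customer; a backup agent also writes thousands of files a minute, so the baseline matters as much as the rule.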

For a 10-person business: yes, you need EDR. It is not expensive through an MSP — typically bundled into their managed security service. If your current IT provider says "we use antivirus," that is not enough in 2026.


How do you know if an MSP takes cybersecurity seriously?

Before you call an MSP, look at their website. A provider that sells cybersecurity as a core service should be able to demonstrate it publicly. Here is what to look for:

  • Certifications and attestations displayed as logos: SOC 2, PCI DSS, CompTIA, and Microsoft partner designations (the old Silver/Gold tiers have been replaced by Solutions Partner designations), plus HIPAA compliance claims. One caveat: there is no official HIPAA certification, so a "HIPAA certified" badge reflects a self-assessment or a third-party review, and it is fair to ask which. Based on GrowLocal's proprietary research into top-ranking managed IT sites, the strongest MSP websites display these as a visible trust strip, not buried in a paragraph on the About page.
  • A dedicated cybersecurity service page, not just a line item under "Services." It should list what they do: EDR, email security, backup, patch management, security awareness training.
  • Industry vertical pages — healthcare, legal, CPA/finance. An MSP that handles HIPAA compliance for medical clients has cleared a meaningful bar.
  • Named testimonials with real headshots. Stock photos are a warning sign in this industry.
  • A free security assessment offer. Most credible MSPs offer one; it is how they show you your current exposure and build trust before asking you to sign a contract.

If a provider's website is a generic three-page template with no certifications, no named staff, and no specifics about what they actually do — that tells you something about how they operate internally too.

Key Takeaway: Small businesses account for a large share of cyberattacks (commonly cited as 43%), and the usual industry estimate puts the average breach at $120,000. Most successful attacks exploit one of four gaps: no MFA, no EDR, unpatched software, or untested backups. An MSP that does all four consistently, and can prove it with reports, puts most attackers back in search of easier targets.

See our full research into what top-performing IT company websites do differently


How much does small business cybersecurity cost?

Cybersecurity is not a separate line item — it should be baked into your IT contract. Based on GrowLocal's proprietary research into top-ranking managed IT / MSP sites, the going rate runs $150–$250 per user per month, covering helpdesk, monitoring, patching, EDR, and backup management.

Compared to the alternative: the average ransomware recovery without a clean backup runs five or six figures. The math is not close.

Some MSPs offer a security-only tier if you want to keep your current IT setup but add a security layer on top — ask about that option if you already have a provider you trust for day-to-day support.


What is a free security assessment, and should you get one?

A free security assessment is an MSP's version of a contractor walking through your house before giving you a quote. They look at:

  • Whether MFA is enforced across your accounts
  • What endpoint protection is running (and whether EDR is part of it)
  • Your backup setup — how often it runs and whether anyone has tested a restore
  • Patch status on your workstations and servers
  • Your email security configuration (are SPF, DKIM, and a DMARC policy in place so that mail spoofing your domain gets rejected rather than delivered?)

A legitimate MSP gives you a real findings report and tells you honestly what needs fixing — even if you do not hire them.
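Here is what the email-spoofing part of that assessment checks, as an added example that is not from the article or any MSP's assessment tool. An assessor would fetch two DNS TXT records for your domain, the SPF record at the domain itself and the DMARC record at `_dmarc.<domain>`, and grade them. Three constructed record sets are embedded so the example runs offline; the domain names are illustrative. DKIM is left out on purpose: its public keys sit under per-selector names that cannot be enumerated from DNS alone, so an assessor checks it from message headers instead.

```python
"""Added example: grading a domain's SPF and DMARC records for spoofability.

Not code from the original article or from any MSP's assessment tool. The
records below are constructed; in practice they come from DNS TXT lookups of
<domain> (SPF) and _dmarc.<domain> (DMARC).
"""
from __future__ import annotations

# Constructed sample records; the domains are illustrative, not real assessments.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example",
    },
    "open.example": {"spf": "v=spf1 +all", "dmarc": None},
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Turn 'k=v; k=v' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str | None) -> list[str]:
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no record, so any server can send as this domain"]
    findings = []
    qualifier_all = None
    lookups = 0
    for term in record.split()[1:]:
        body = term.lstrip("+-~?")
        qualifier = term[: len(term) - len(body)] or "+"   # default qualifier is pass
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            qualifier_all = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    if qualifier_all in (None, "+", "?"):
        findings.append("SPF: terminal 'all' is missing, '+all' or '?all'; spoofed mail passes or is neutral")
    elif qualifier_all == "~":
        findings.append("SPF: '~all' softfail only tags spoofed mail; fine under DMARC p=reject, weak alone")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceeds the limit of 10 (permerror, record ignored)")
    return findings


def assess_dmarc(record: str | None) -> list[str]:
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no record, so receivers enforce nothing against spoofed mail"]
    tags = parse_dmarc_tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to junk; move to p=reject once reports look clean")
    elif policy != "reject":
        findings.append(f"DMARC: missing or invalid policy tag p={policy!r}")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives the failure reports")
    subdomain_policy = tags.get("sp", policy).lower()
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"DMARC: sp={subdomain_policy} leaves subdomains spoofable")
    return findings


def assess_domain(domain: str, spf: str | None, dmarc: str | None) -> dict:
    """Combine both checks; spoofing is blocked only by a fully enforced DMARC reject policy."""
    findings = assess_spf(spf) + assess_dmarc(dmarc)
    tags = parse_dmarc_tags(dmarc) if dmarc else {}
    enforced = tags.get("p", "").lower() == "reject" and tags.get("pct", "100") == "100"
    return {"domain": domain, "spoofing_blocked": enforced, "findings": findings}


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        result = assess_domain(name, **recs)
        print(name, "blocked" if result["spoofing_blocked"] else "SPOOFABLE")
        for finding in result["findings"]:
            print("  -", finding)
```

A findings report worth having names the exact weak setting (p=none, ~all, a missing rua= address) and the target state, which is what this check produces; "your email security needs work" without those specifics is a sales pitch.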

To request one, fill out the contact form on the MSP's website with your company size and what you are trying to solve. The MSP calls you back to schedule a call or on-site visit — it is a real conversation, not automated booking.

If you are looking for an IT company that leads with security and has the website to back it up, see what a credible MSP website looks like and what it should include.


Frequently Asked Questions About Small Business Cybersecurity

What is the biggest cybersecurity risk for small businesses?

Credential theft through phishing is the most common entry point. An employee clicks a convincing fake email, enters their password, and the attacker has access to your email, cloud storage, and any connected systems. MFA blocks most of these attacks even after the password is stolen.

Do I need cybersecurity insurance?

Cyber insurance helps cover costs after a breach — legal fees, notification costs, ransomware payments in some policies. But it is not a substitute for security controls. Most policies now require evidence of MFA, EDR, and regular backups before they will cover a ransomware claim. Your MSP should help you meet those requirements.

How do I know if my business has already been breached?

Signs include: slower-than-usual computers or network, unexpected account lockouts, strange emails sent from your accounts, files you cannot open, or unexpected password reset requests. If you suspect a breach, call your IT provider immediately. Do not restart or power off machines, because that destroys the memory evidence an investigator needs; if you must contain a machine right away, unplug its network cable or turn off its Wi-Fi and leave it powered on. If you do not have an IT provider and something seems wrong, call a cybersecurity incident response firm.

What cybersecurity certifications should my IT company have?

Look for SOC 2 Type II for the provider itself, a current Microsoft partner designation, and technician-level credentials such as CompTIA Security+ or Network+. If you are in healthcare, ask how they support HIPAA compliance; there is no official HIPAA certification, so any badge reflects a self-assessment or a third-party review. Based on GrowLocal's proprietary research into the top-ranking managed IT sites in Austin, Denver, Phoenix, Charlotte, Nashville, and Tampa, the strongest providers display these publicly, visible on the homepage trust strip rather than buried in a PDF.

How often should my MSP update my software?

Critical security patches for high-severity vulnerabilities should be applied within 72 hours of release, and faster still when the vulnerability is already being exploited in the wild. Routine patches run on a monthly maintenance window. Your MSP should show you a patch compliance report on request: what is current, what is pending, and which machines have missed their window.

Can I use a website builder for my IT company's site instead of a custom agency build?

Yes. The features that convert cybersecurity clients — a dedicated security services page, credential trust strip, industry vertical pages, FAQ section, and a contact form for free assessment requests — do not require custom development. They require good structure and honest copy. See how GrowLocal builds fast, credible IT company websites without the agency price tag.


Want to build an IT company website that earns trust before a prospect picks up the phone? See the full breakdown of what IT company and MSP websites need to win clients, or browse all our local business website resources.

For a deeper look at what managed IT contracts cost and whether one is right for your business, read: Managed IT Services for Small Business: What You Get, What It Costs, and When It's Worth It.

Also see what small businesses check before hiring an IT company — the buying signals MSPs need their website to answer.

Want a website that does this for you?

We design, build, and host it. Preview free — only pay when you love it.

Get Your Free Design