7 Security Actions for SMBs to Prioritize in 2025
Some New Year’s resolutions are easier to jumpstart than others. Eat healthier? Stock up on fruit. Better work-life balance? Block off the calendar. Become more cyber resilient in 2025? Big shrug.
Where should small and midsize businesses (SMBs) even start? There’s an endless deluge of cybersecurity recommendations, new threats to watch for, and technical solutions that promise to mitigate risk. But it’s not realistic or affordable to buy every tool or product that hits the market. And most SMBs don’t have the time or headcount to implement every single patch or security best practice.
That doesn’t mean SMBs are destined for “cybersecurity survival mode” forever. To help SMBs start their 2025 security journey off right, we’ve compiled 7 security actions that enable businesses to focus on long-term security strategy over last-minute fixes.
We spoke to Joe Toomey, Coalition’s Head of Security Engineering, and Amy Cohagan, Coalition Incident Response (CIR) Senior Incident Response Analyst, for real-world insights on why these security actions offer the best cybersecurity ROI for SMBs.
1. Implement access controls
Access controls manage who can get inside a business’ digital doors. The most popular unauthorized gateway to private data? Compromised credentials.
To help address the risk of compromised credentials, organizations should implement multi-factor authentication (MFA) on email, cloud storage, and other vital technologies. MFA is a process that requires two or more forms of verification to access a system, application, or account. By requiring additional authentication factors, like “something you have” (a smartphone) or “something you are” (a fingerprint) in addition to “something you know” (a password), attackers can’t achieve their goals with compromised credentials alone.
To level up in 2025, businesses should consider turning to FIDO2, which uses biometric factors or hardware keys to tie authentication with the user's device.
“FIDO2 is the gold standard when it comes to MFA,” said Toomey. “It’s not that expensive to get hardware authentication devices, especially if your organization uses MacBooks or high end Windows systems. That feature may exist in the fingerprint readers in the hardware you already own.”
2. Educate employees
Employees are the frontline defense against some of the most common cybersecurity risks, like social engineering. By promoting a culture of security with the right educational tools, SMBs can reduce the risk of successful phishing attacks at their organization. To address employee risk, security awareness training informs employees on common tactics while phishing simulations test their knowledge.
“Running phishing simulations with your employees builds their confidence when escalating a potential situation,” said Cohagan. “So, it’s really important to teach your teams what to watch for, like unexpected attachments, mismatched reply-to addresses, or requests for any type of sensitive information.”
Training programs can reduce cyber risk by 60% within one year. More than just making sure employees know where they shouldn’t click, real-life simulations also encourage them to act when they catch suspicious links or messages in the wild.
3. Protect email accounts
The majority of cyber attacks originate in the inbox. Business email accounts are a treasure trove of valuable data for threat actors, rich with private conversations, customer information, and financial details.
Spam filters can defend inboxes from low-hanging fruit, such as phishing attempts that use keywords like “urgent” and senders frequently associated with junk emails. But another risk lies with an employee or vendor being compromised — and threat actors leveraging trusted relationships to commit fraud.
“Funds transfer fraud used to be easier to recognize when you'd get an email with multicolored text and spelling errors everywhere. We all knew about the Nigerian prince,” said Toomey. “But now threat actors have gotten a lot better, and they will compromise your vendor’s account, learn your children’s names, and use that information when sending you a fraudulent invoice from their account.”
Regular monitoring and auditing of email activity can help a business detect unauthorized access early and provide valuable records in the event of an attack.
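As an added illustration (not code from Coalition or from the original article), the sketch below checks a raw message for the warning signs named above: a mismatched reply-to address, "urgent" wording, and an unexpected attachment. The keyword list, the extension list, the function names and the sample messages are assumptions constructed for this example.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

URGENCY_WORDS = ("urgent", "immediately", "overdue")   # assumed keyword list
RISKY_EXTENSIONS = (".html", ".zip", ".iso", ".exe")   # assumed extension list

def _domain(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def phishing_indicators(raw_message):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    # Replies silently routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain '{reply_dom}' differs from sender domain '{from_dom}'")
    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency wording in subject: " + ", ".join(hits))
    # iter_attachments() skips the message body and yields only attached parts.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment with risky extension: {name}")
    return findings

def build_sample(sender, subject, reply_to=None, attachment=None):
    """Construct a test message (constructed data, not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "ap@smb.example", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please see the details below.")
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

SUSPICIOUS = build_sample("Accounts <billing@vendor.example>", "URGENT: updated invoice",
                          reply_to="billing@vendor-payments.example", attachment="Invoice.HTML")
CLEAN = build_sample("Accounts <billing@vendor.example>", "Meeting notes")

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, phishing_indicators(raw))
```

A message sent from a vendor's genuinely compromised mailbox passes all three checks, which is why monitoring and auditing of account activity still matter alongside filtering.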
4. Monitor endpoints
If left unprotected, endpoints can serve as the gateway to a business’ network for bad actors. Any device that connects to a network, like a laptop, desktop, or mobile device, is an endpoint — the number of potential entry points can add up fast, even for SMBs.
Endpoint security tools, which use real-time threat detection to flag suspicious activity and respond to attacks, are a growing fixture of a comprehensive cybersecurity strategy. But they output a high frequency of alerts that require near full-time human intervention, which leaves a high margin of error if not properly monitored or implemented.
“In many cases, we’ve seen that our clients have endpoint detection and response (EDR) deployed but not configured properly, and those tools can fail. When you have a real-time team supporting your endpoint detection tools, it can reduce the impact a cyber incident has on your organization,” said Cohagan.
The solution for SMBs: Managed detection and response (MDR) provides 24/7 monitoring from security experts without requiring any additional headcount. In fact, businesses with MDR in place have a 50% faster mean time to respond.
5. Manage vulnerabilities
Known vulnerabilities (weaknesses in technology, like software or hardware) are commonly exploited by threat actors to gain unauthorized access to a business’ network.
In 2024, 22,254 vulnerabilities were disclosed by August — a 30% YoY increase from 2023. Only 0.9% were weaponized by threat actors. With the constant influx of new vulnerabilities, prioritization can feel like a shot in the dark. Where should businesses focus their attention?
“Anything that’s exposed to the public internet should get your immediate attention,” said Toomey. “Focus on your external attack surface. Patch your boundary devices, your VPN [virtual private network] server, and your firewall. That’s what an adversary will see and target first.”
If SMBs want help managing vulnerabilities, unified cyber risk management platforms, like Coalition Control®, can pinpoint the most impactful threats with ongoing monitoring and personalized alerts.
6. Back up data
Reliable backups can be the last thing standing between SMBs and a hefty ransom payment. Ransomware gangs use this to their advantage — 94% of organizations hit by ransomware in the past year said threat actors targeted their backups during an attack.
“Threat actors target backups that live within your network during ransomware incidents. Small businesses should implement cloud-based backups to protect their data if they ever get locked out or it gets erased,” said Cohagan.
One way to ensure backups aren’t all compromised at once is to follow the 3-2-1 rule: keep three copies of critical business data (one original, two copies), store the backups on two different types of devices, and keep one copy at an offsite location.
7. Prepare for an incident
As the age-old cybersecurity proverb goes: “It’s not if you experience a cyber incident, but when.” Even with the best preventive measures, no one is immune to an attack. However, when adequately prepared, a business can minimize the damage and bounce back faster from an incident.
SMBs need a blueprint of how they would handle an attack. There’s no better time than the present to start putting together an incident response plan.
“With the start of a new year, now is the perfect time to review your current security posture and your budget for tools and training. Do an assessment of where you are, confirm where your sensitive data lies, and how that would be impacted if you were to experience an incident,” said Cohagan.
Cyber resilience in 2025
Knowing which security actions to prioritize is the first step toward becoming more cyber resilient in 2025.
Brokers are a valuable resource for clients looking to improve their security posture, especially SMBs with limited in-house expertise. Help your clients jumpstart their 2025 security journey: Send the SMB Cyber Survival Guide their way.
Tackling security alone? Download our complete SMB Cyber Survival Guide or book a consultation to see how Coalition Security™ can help your business.
This article originally appeared in the January 2025 edition of the Cyber Savvy Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.