Owner-Led SMB Security Case Study

A representative 12-person business moves from unclear security ownership to a practical baseline and 90-day improvement roadmap.

Representative scenario: this composite case is designed for planning conversations. It avoids regulated-industry promises and focuses on practical security operations for a smaller business.

Business profile

Company: 12-person professional services business.
Environment: cloud email, laptops, file sharing, line-of-business SaaS, outsourced bookkeeping, and a small remote team.
Constraint: no internal security owner; the business owner and office manager split IT/security decisions.
Trigger: cyber-insurance renewal and a customer security questionnaire due within 60 days.

Starting point

Area	Observed condition	Risk
Identity	MFA enabled for some users, not admins or every app.	Account takeover could spread quickly.
Devices	Mixed personal and company laptops; no complete inventory.	Unknown patch and endpoint protection coverage.
Backups	Cloud backup assumed, but no restore evidence.	Recovery may fail when needed.
Email	SPF configured; DKIM/DMARC incomplete.	Higher spoofing and phishing exposure.
Response	No incident contact tree or first-24-hour plan.	Delayed decisions during account compromise or ransomware.

What changed in the first 30 days

Named the business owner as decision owner and the office manager as evidence coordinator.
Built a device and account inventory from available systems.
Closed obvious MFA gaps for email, admin accounts, and finance tools.
Captured endpoint protection and backup status in a shared evidence folder.
Documented four simple incident paths: suspicious email, account compromise, lost device, and ransomware concern.

90-day roadmap

Window	Focus	Outcome
Days 1–30	Visibility and urgent gaps	Inventory, MFA coverage, evidence folder, incident contacts.
Days 31–60	Resilience	Backup restore test, endpoint health review, risky mailbox rule review.
Days 61–90	Operating rhythm	Monthly owner report, exception register, quarterly access review schedule.

Practical result: the business moved from “we think this is covered” to a visible evidence packet and a short roadmap the owner could actually govern.

Evidence packet produced

MFA coverage export and exception list.
Device inventory with endpoint protection status.
Backup report and restore-test note.
Email-domain authentication status and remediation steps.
Incident contact tree and first-response checklist.
90-day roadmap with owners, target dates, and status.

Lessons for similar SMBs

Ownership matters before tools. Someone must own decisions, exceptions, and follow-through.
Evidence beats memory. Screenshots, exports, and short notes prevent last-minute scrambling.
Roadmaps should be small enough to execute. A 90-day plan with five visible items is better than a giant framework spreadsheet nobody maintains.
Compliance can come later. A practical security baseline makes future regulated work easier, but it does not require starting with a regulated program.