Cybersecurity for small businesses

Cybersecurity for small businesses, without the scare tactics

Unilab handles the practical security layer most small businesses skip: multi-factor auth, verified backup, password hygiene, phishing protection and email authentication, included in your digital operations at a fixed monthly price.

The short answer

Cybersecurity for a small business, explained

What is cybersecurity for a small business?

For a small business, cybersecurity is mostly a handful of basic habits and settings rather than an expensive product. It means turning on multi-factor auth, keeping a tested backup, using a password manager, applying updates, authenticating your email domain and helping the team spot phishing. Get those right and you have closed the gaps that catch most small businesses.

What does it cost?

The core measures are more about routine and configuration than expensive tools, so for most small businesses the real cost is time and attention. With Unilab the security basics are included in your digital operations subscription at a fixed monthly price, so there is no separate security bill. The simplest way to get a number for your own setup is a free digital health check.

The minimum measures

  • Turn on multi-factor authentication (MFA) on email, admin accounts and any tool that supports it.
  • Use a password manager and stop reusing or sharing passwords across services.
  • Set up a backup that is automatic, off-site and tested by actually restoring a file.
  • Keep operating systems, software, plugins and certificates updated, with no machine left behind.
  • Authenticate your email domain with SPF, DKIM and DMARC so it is harder to spoof in your name.
  • Give the team a short, practical briefing on phishing so a convincing email gets a second look.

The practical layer

The basics that stop most breaches

Small businesses rarely get breached by exotic hacking. They get breached through a missing backup, a reused password or an out-of-date plugin, and those are the gaps we close.

Multi-factor auth

MFA on email, admin and the tools that matter. The single biggest reduction in account-takeover risk, switched on and checked.

Verified backup

Backups that are actually tested by restoring them, not just configured and forgotten. The difference between an incident and a disaster.

Password hygiene

A password manager, no shared logins, and the obvious weak spots closed across the business.

Phishing protection

Email filtering plus short, practical training so the team recognises the messages that cause most breaches.

Email on your own domain

SPF, DKIM and DMARC set up correctly so your email is trusted and harder to spoof in your name.

Updates & patching

Software, plugins and certificates kept current. A lot of break-ins simply walk in through something that was left out of date.

Why small businesses are targets

Small does not mean safe

Attacks are automated

Much of the attack traffic online is automated and indiscriminate: bots that do not care how small you are. Being little is not protection; being unprepared is the risk.

The weakest link is one click

One reused password or one convincing email is enough. The fix is boring habits, not expensive tools.

Compliance is coming

Rules like NIS2 reach further than most expect, including suppliers. Getting the basics right now avoids a scramble later.

Need the compliance side too? See NIS2 for businesses, or check where you stand with a free digital health check.

If the worst happens

What to do if you get hacked

If you suspect a breach, the first hour matters most. Work through these steps in order, and call your IT contact early rather than late.

  1. Disconnect, do not power off

    Take the affected device off the network (unplug the cable, turn off Wi-Fi) but leave it running. Pulling the power can destroy traces that help understand what happened.

  2. Change the important passwords

    From a clean device, change the passwords on email, bank, admin and anything reused. Turn on multi-factor auth where it is missing.

  3. Tell the people who need to know

    Alert your team, your IT contact and, if money or payments are involved, your bank. Speed matters more than looking polished.

  4. Write down what you see

    Note the time, what looks wrong, any messages or ransom notes, and what you have already done. This helps whoever assists you, and any later report.

  5. Restore from a clean backup

    Once the cause is understood, rebuild from a backup you trust rather than paying or hoping. This is why a tested backup matters before anything goes wrong.

  6. Assess and report personal data

    If personal data may be exposed, a notification duty to Datatilsynet can apply. Get advice early so you handle the deadline correctly.

This is general guidance, not legal advice. A serious incident, especially one involving personal data, may carry duties under Norwegian law, so get qualified help early.

FAQ

Cybersecurity for small businesses, answered

What is cybersecurity for a small business?

In practice it is a handful of basic habits and settings, not an expensive product: multi-factor auth, tested backup, a password manager, updates that actually happen, email authentication and a team that recognises phishing. Together they close the gaps that most small businesses get caught by.

How much does cybersecurity cost for a small business?

The core measures are mostly about routine and configuration, so the cost is more about time than expensive tools. With Unilab the security basics are included in the digital operations subscription at a fixed monthly price, with no separate security bill. The best way to get a number for your setup is a free digital health check.

Do I really need this if my business is small?

Yes. A lot of attack traffic is automated and does not target you personally; it just looks for any open door. Being small is not protection; being unprepared is the risk.

Does NIS2 apply to my small business?

Probably not directly. NIS2 is not yet implemented in Norwegian law, and when it lands most small businesses will not be covered directly. The realistic impact is indirect: as a supplier to a larger customer who is covered and has to document their supply chain. See our NIS2 page for the detail.

What should I do first if I get hacked?

Disconnect the affected device from the network but leave it running, then change the important passwords from a clean device and tell the people who need to know. The step-by-step checklist above walks through the rest.

Get the security basics in place

Book a free health check. We score your current security and tell you the three things worth fixing first, in plain language.
