Why every small business needs a security baseline (and what that actually means)

"We are too small to be a target." We hear it weekly. It is also the most expensive sentence in IT, because it leads directly to the choices that turn a 30-minute incident into a 30-day one.

What a baseline actually means

A security baseline is not a product. It is a documented, testable, repeatable set of controls that every system in your organization meets, regardless of who configured it or when. Without a baseline, every laptop is its own snowflake and every breach is its own surprise.

The five controls that earn their keep

  1. Multifactor authentication on every account that supports it. Phishing-resistant MFA where possible (security keys, passkeys), TOTP otherwise.
  2. Patch management with documented coverage. Operating systems, browsers, and the third-party apps your team actually uses.
  3. Tested backups, with at least one offline copy. Backups you have not restored from are not backups.
  4. EDR, not just antivirus. Modern threats require behavioral detection.
  5. Documented offboarding. When someone leaves, what happens to their accounts, devices, badge, VPN, and email forwarding?

What a baseline document looks like

Two to four pages is plenty for most organizations. It states which tools you use, what configuration each system gets, who owns each control, and how you verify that the control is actually in place.
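As an added illustration of "documented, testable, repeatable" (not code from the original post), the four per-system controls above expressed as a baseline that a script can verify against an inventory, with each control carrying its owner and its verification. The inventory records, field names, thresholds and owner names are constructed assumptions; offboarding is a process control and is not checked per system here.

```python
from datetime import date, timedelta
# Constructed sample inventory, one record per system (field names are assumptions).
INVENTORY = [
    {"system": "laptop-01", "mfa": "passkey", "patch_lag_days": 3,
     "edr": True, "last_restore_test": date(2024, 5, 2)},
    {"system": "laptop-02", "mfa": "sms", "patch_lag_days": 45,
     "edr": False, "last_restore_test": None},
    {"system": "fileserver", "mfa": "totp", "patch_lag_days": 10,
     "edr": True, "last_restore_test": date(2023, 11, 1)},
]
AS_OF = date(2024, 6, 1)  # constructed report date, so results are repeatable
# Thresholds are assumed here; a real baseline document states its own.
ACCEPTED_MFA = {"security_key", "passkey", "totp"}
MAX_PATCH_LAG_DAYS = 14
MAX_RESTORE_TEST_AGE_DAYS = 90

# Each verification returns None on pass or a short reason string on failure.
def check_mfa(rec, today):
    if rec["mfa"] not in ACCEPTED_MFA:
        return f"MFA method {rec['mfa']!r} is not accepted"
def check_patching(rec, today):
    if rec["patch_lag_days"] > MAX_PATCH_LAG_DAYS:
        return f"patches are {rec['patch_lag_days']} days behind"
def check_backups(rec, today):
    last = rec["last_restore_test"]
    if last is None:
        return "backup has never been restored"
    if today - last > timedelta(days=MAX_RESTORE_TEST_AGE_DAYS):
        return f"last restore test was {(today - last).days} days ago"
def check_edr(rec, today):
    if not rec["edr"]:
        return "no EDR agent installed"

# The baseline itself: (control, owner, verification) for each control.
BASELINE = [
    ("MFA", "IT lead", check_mfa),
    ("Patch management", "IT lead", check_patching),
    ("Tested backups", "Ops", check_backups),
    ("EDR", "Security", check_edr),
]

def evaluate(inventory, today, baseline=BASELINE):
    """Return {system: [(control, owner, reason), ...]} for failing checks only."""
    failures = {}
    for rec in inventory:
        for control, owner, check in baseline:
            reason = check(rec, today)
            if reason:
                failures.setdefault(rec["system"], []).append((control, owner, reason))
    return failures
```

Running `evaluate(INVENTORY, AS_OF)` lists every system that misses a control, with the owner to chase, which is the verification step the baseline document promises.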
