Security for Small Teams: How to Protect 10 People Without a Dedicated IT Department
TL;DR
- Small teams are increasingly targeted because they hold valuable data but lack dedicated security staff. The BACS reports a sharp rise in attacks on Swiss SMEs.
- Three layers cover the threats that actually hit SMEs: credential hygiene (password manager + 2FA), network security (VPN + firewall), and endpoint protection.
- You don’t need a security team. You need one person who owns the topic, a documented policy, and the right tools.
Your company has grown past the founding stage. You have 10, maybe 20 people. There’s real customer data, real revenue, and real compliance obligations. But there’s no CISO, no IT security team, and the “security policy” is whatever the first engineer set up three years ago.
This is the most dangerous phase for a growing company. You’re big enough to be a worthwhile target, but small enough that nobody owns security full-time. The BACS (Switzerland’s Federal Office for Cybersecurity) has flagged this gap repeatedly: Swiss SMEs are increasingly targeted by ransomware operators, phishing campaigns, and credential stuffing attacks because they combine valuable data with minimal defenses.
The three-layer framework
Enterprise security frameworks (NIST, ISO 27001) are comprehensive but overwhelming for a small team. Here’s a simplified model that covers the threats that actually hit SMEs:
- Layer 1: Credential hygiene (prevents unauthorized access)
- Layer 2: Network security (protects data in transit)
- Layer 3: Endpoint protection (defends individual devices)
Each layer has specific tools and policies. Together, they address phishing, ransomware, credential stuffing, malware, and network interception: the attack vectors that account for the vast majority of SME incidents.
Layer 1: Credential hygiene
The single most effective security investment for any team.
Business password manager
Deploy a password manager to every team member. This is the one tool that addresses the widest range of threats:
- Eliminates password reuse (the #1 enabler of credential stuffing)
- Makes phishing sites easier to spot: auto-fill only offers a credential on the exact domain it was saved for, so a lookalike domain gets nothing filled in
- Enables instant credential revocation when someone leaves
- Provides audit logs for compliance
Recommendation: 1Password Business or Bitwarden Organization. Both support shared vaults, admin controls, and compliance reporting.
Policy: Every team member uses the password manager for all work accounts. No exceptions. Browser-saved passwords are disabled via policy.
Mandatory 2FA
2FA is the safety net when passwords fail. A leaked password without 2FA is an open door. A leaked password with 2FA still needs the second factor, which stops credential stuffing and bulk phishing outright. One caveat: a TOTP code can be relayed by a real-time phishing proxy that sits between the user and the genuine login page, whereas a FIDO2 hardware key is bound to the site's origin and cannot be replayed to a lookalike domain. That is why the accounts that matter most get hardware keys.
Policy: 2FA required on all business accounts. TOTP apps as the minimum; hardware keys (YubiKey or any FIDO2 key) for admin accounts and infrastructure access.
Access reviews
Maintain a list of who has access to what. Review it quarterly. Revoke access for departed employees on their last day. This sounds basic, but orphaned accounts are one of the most common entry points in SME breaches.
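The access review above is easiest to keep honest when the inventory is a file you can check mechanically. The script below is an added example, not code from the original article: it assumes you can export (or maintain by hand) a CSV with the columns shown, and the roster, systems and accounts in it are constructed. It flags orphaned and unowned accounts, accounts with no second factor, admin accounts that only have TOTP, and accounts nobody has reviewed within the quarterly window.

```python
"""Quarterly access review over an exported access inventory.

Added example, not code from the original article. Assumes a CSV with the
columns shown in the constructed sample below; roster and accounts are made up.
"""
import csv
import io
from datetime import date, timedelta

REVIEW_DAYS = 90  # quarterly review cadence from the policy above

# Constructed roster of current staff: work e-mail -> role.
ROSTER = {
    "anna@example.ch": "engineer",
    "ben@example.ch": "office manager",
    "chloe@example.ch": "cto",
}

# Constructed inventory. "mfa" is the strongest second factor enrolled on
# that account: hardware_key, totp or none. "dave" has left the company.
ACCESS_INVENTORY = """\
system,account,owner,role,mfa,last_reviewed
github,anna,anna@example.ch,admin,hardware_key,2024-01-15
github,dave,dave@example.ch,member,totp,2023-10-01
aws,chloe,chloe@example.ch,admin,totp,2024-02-20
aws,deploy-bot,,admin,none,2023-06-30
crm,ben,ben@example.ch,member,totp,2024-03-01
"""


def review_access(inventory_csv: str, roster: dict, today: str) -> list:
    """Return one finding per policy violation found in the inventory.

    Findings are dicts with keys system, account, issue. Issues:
      orphaned                    owner is not on the current roster
      unowned                     no owner recorded (typical for service accounts)
      no_mfa                      no second factor at all
      admin_without_hardware_key  admin role protected only by TOTP
      review_overdue              last review older than REVIEW_DAYS (or never)
    """
    cutoff = date.fromisoformat(today) - timedelta(days=REVIEW_DAYS)
    findings = []

    def flag(row, issue):
        findings.append({"system": row["system"], "account": row["account"], "issue": issue})

    for row in csv.DictReader(io.StringIO(inventory_csv)):
        owner = row["owner"].strip()
        if not owner:
            flag(row, "unowned")
        elif owner not in roster:
            flag(row, "orphaned")

        if row["mfa"] == "none":
            flag(row, "no_mfa")
        elif row["role"] == "admin" and row["mfa"] != "hardware_key":
            flag(row, "admin_without_hardware_key")

        reviewed = row["last_reviewed"].strip()
        if not reviewed or date.fromisoformat(reviewed) < cutoff:
            flag(row, "review_overdue")

    return findings


if __name__ == "__main__":
    for f in review_access(ACCESS_INVENTORY, ROSTER, date.today().isoformat()):
        print(f"{f['system']:<8} {f['account']:<12} {f['issue']}")
```

Run it at the start of each quarter and treat every line of output as a ticket; an empty run is the evidence for your access-review record. The service account with no owner is the case people miss: give every non-human account a named human owner, or it is nobody's job to rotate or revoke it.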
Layer 2: Network security
VPN
A VPN encrypts traffic between a team device and the VPN gateway, so nothing on the local network (a hotel or coworking Wi-Fi, a compromised home router) can read or tamper with it. It complements the TLS your services already use rather than replacing it, and it does nothing against phishing or a compromised device. It is especially worthwhile for:
- Remote workers on home networks or coworking spaces
- Employees traveling or working from client sites
- Any device connecting over public Wi-Fi
Recommendation: NordVPN Teams or Proton VPN for Business. Both offer centralized admin, Swiss servers, and per-user management.
Policy: VPN auto-connects on any network outside the office. Most business VPN apps enforce this centrally.
Firewall configuration
Your office firewall (usually built into the router) should be configured, not just left at defaults:
- Block unnecessary inbound ports
- Enable logging for unusual traffic patterns
- Segment guest Wi-Fi from the business network
- If you have servers or NAS devices, put them on a separate network segment
For remote-first teams, the “firewall” is effectively the VPN + each device’s host-based firewall (Windows Firewall, macOS Firewall). Ensure both are enabled.
Layer 3: Endpoint protection
Modern antivirus / EDR
Every work device needs endpoint protection. Modern solutions go far beyond traditional virus scanning:
- Behavioral detection catches unknown malware and ransomware
- Centralized dashboards show the security status of all team devices
- Automated isolation can quarantine a compromised device before it spreads
- Patch management features flag outdated software across the fleet
Recommendation: Norton Small Business, Avast Business, or Bitdefender GravityZone. All offer per-device pricing and centralized management.
Device encryption
Encryption on every work device (FileVault, BitLocker). If a laptop is lost or stolen, encryption is the difference between “we lost a device” and “we have a reportable data breach under the nDSG.”
Policy: Encryption must be enabled before a device accesses company data. Verify compliance centrally if your endpoint tool supports it.
Patch management
Unpatched software is the other door attackers walk through. Patch management for a small team means:
- Enable automatic OS updates on all devices
- Use a tool that flags outdated applications (many endpoint protection products include this)
- Prioritize patches for internet-facing software (browsers, email clients, VPN clients)
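The encryption, host-firewall, endpoint-agent and patch checks above all reduce to the same question: which devices are out of compliance right now? The script below is an added example, not code from the original article. It assumes your endpoint tool or MDM can export per-device status as JSON with the fields shown; the devices and the minimum OS versions are constructed placeholders (set MIN_OS_VERSION from your vendor's current patch level, not from this listing). It also models the "encryption before access" rule by returning the set of devices that must be blocked.

```python
"""Endpoint compliance check over a fleet export.

Added example, not from the original article. Assumes a JSON export with the
fields shown; devices and MIN_OS_VERSION values are constructed placeholders.
"""
import json
from datetime import date, timedelta

STALE_DAYS = 14  # a device that has not checked in for this long cannot be verified

# Placeholder baselines for this example, not real release numbers.
MIN_OS_VERSION = {"macos": "14.4", "windows": "10.0.19045"}

# Constructed fleet export.
FLEET_EXPORT = """[
  {"hostname": "mbp-anna",   "os": "macos",   "os_version": "14.4.1",
   "disk_encrypted": true,  "firewall_enabled": true,  "edr_agent": true,  "last_seen": "2024-03-30"},
  {"hostname": "mbp-ben",    "os": "macos",   "os_version": "13.6",
   "disk_encrypted": false, "firewall_enabled": true,  "edr_agent": true,  "last_seen": "2024-03-31"},
  {"hostname": "win-chloe",  "os": "windows", "os_version": "10.0.19044",
   "disk_encrypted": true,  "firewall_enabled": false, "edr_agent": false, "last_seen": "2024-03-29"},
  {"hostname": "old-loaner", "os": "windows", "os_version": "10.0.19045",
   "disk_encrypted": true,  "firewall_enabled": true,  "edr_agent": true,  "last_seen": "2024-02-01"}
]"""


def version_tuple(v: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def check_fleet(export_json: str, today: str) -> list:
    """Return (hostname, issue) pairs for every control that is not in place."""
    cutoff = date.fromisoformat(today) - timedelta(days=STALE_DAYS)
    findings = []
    for dev in json.loads(export_json):
        host = dev["hostname"]
        if date.fromisoformat(dev["last_seen"]) < cutoff:
            findings.append((host, "stale_device"))
            continue  # status is too old to trust; chase the device instead
        if not dev["disk_encrypted"]:
            findings.append((host, "encryption_disabled"))
        if not dev["firewall_enabled"]:
            findings.append((host, "firewall_disabled"))
        if not dev["edr_agent"]:
            findings.append((host, "edr_missing"))
        minimum = MIN_OS_VERSION.get(dev["os"])
        if minimum and version_tuple(dev["os_version"]) < version_tuple(minimum):
            findings.append((host, "os_outdated"))
    return findings


def must_block(findings: list) -> set:
    """Devices that may not touch company data until fixed (encryption policy above)."""
    return {host for host, issue in findings if issue == "encryption_disabled"}


if __name__ == "__main__":
    results = check_fleet(FLEET_EXPORT, date.today().isoformat())
    for host, issue in results:
        print(f"{host:<12} {issue}")
    print("block until fixed:", sorted(must_block(results)))
```

The stale-device case matters more than it looks: a laptop that stopped reporting two months ago is either in a drawer or in someone else's hands, and either way its status in the dashboard is fiction. Version strings are compared as integer tuples because "10.0.9" sorts after "10.0.19045" as text.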
Backups: Your ransomware insurance
Backups are not optional. Ransomware targeting Swiss SMEs is increasing; commonly cited averages put downtime after an incident at around three weeks, and without working backups the only remaining options are paying or rebuilding from scratch.
- 3-2-1 rule: Three copies, two storage types, one offsite/offline
- Immutable backups: At least one copy that ransomware cannot encrypt (offline drive, immutable cloud storage)
- Test quarterly: A backup you’ve never restored is a backup you hope works
- Encrypt backup media: An unencrypted backup drive is a data breach waiting to happen
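The four rules above can be checked against a description of your backup copies. The script below is an added example, not code from the original article; the two plans in it are constructed. WEAK_PLAN is the typical starting point (a NAS plus a USB drive that stays plugged in) and FIXED_PLAN is the same data with an immutable cloud copy and a rotated offline drive added.

```python
"""Check a backup plan against the 3-2-1 rule, immutability, encryption and restore testing.

Added example, not from the original article. The plans below are constructed;
describe your own copies in the same shape and run check_backups on them.
"""
from datetime import date, timedelta

RESTORE_TEST_DAYS = 90  # quarterly restore test, per the policy above

# A plan is a list of copies. "offline" means physically disconnected between
# backup runs; "immutable" means the provider enforces write-once retention.
WEAK_PLAN = [
    {"name": "office-nas", "medium": "local_disk", "offsite": False,
     "offline": False, "immutable": False, "encrypted": True, "last_restore_test": None},
    {"name": "external-usb", "medium": "usb", "offsite": False,
     "offline": False, "immutable": False, "encrypted": False, "last_restore_test": None},
]

FIXED_PLAN = [
    {"name": "office-nas", "medium": "local_disk", "offsite": False,
     "offline": False, "immutable": False, "encrypted": True, "last_restore_test": "2024-03-15"},
    {"name": "cloud-bucket", "medium": "cloud", "offsite": True,
     "offline": False, "immutable": True, "encrypted": True, "last_restore_test": "2024-03-15"},
    {"name": "rotated-usb", "medium": "usb", "offsite": True,
     "offline": True, "immutable": False, "encrypted": True, "last_restore_test": None},
]


def check_backups(plan: list, today: str) -> list:
    """Return a sorted list of rule violations; an empty list means the plan passes."""
    issues = []
    if len(plan) < 3:
        issues.append("fewer_than_three_copies")
    if len({c["medium"] for c in plan}) < 2:
        issues.append("single_storage_type")
    if not any(c["offsite"] for c in plan):
        issues.append("no_offsite_copy")
    # Ransomware that reaches the network encrypts every writable copy it can see,
    # so at least one copy must be offline or write-once.
    if not any(c["offline"] or c["immutable"] for c in plan):
        issues.append("no_ransomware_safe_copy")
    issues.extend(f"unencrypted_copy:{c['name']}" for c in plan if not c["encrypted"])
    cutoff = date.fromisoformat(today) - timedelta(days=RESTORE_TEST_DAYS)
    tests = [date.fromisoformat(c["last_restore_test"]) for c in plan if c["last_restore_test"]]
    if not tests or max(tests) < cutoff:
        issues.append("restore_test_overdue")
    return sorted(issues)


if __name__ == "__main__":
    today = date.today().isoformat()
    print("weak :", check_backups(WEAK_PLAN, today) or "ok")
    print("fixed:", check_backups(FIXED_PLAN, today) or "ok")
```

Note that the USB drive in WEAK_PLAN counts as neither offline nor safe: a drive that is always mounted is just another volume for the ransomware to encrypt. The restore-test check deliberately looks at the newest test across all copies; a plan where only the NAS has ever been restored from still passes, which is why the quarterly test should rotate through the offsite copies too.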
nDSG compliance for SMEs
The nDSG applies to a 10-person company as much as to a 10,000-person enterprise. The one size-based relief is that companies with fewer than 250 employees are exempt from the formal record of processing activities unless their processing carries a high risk for the people concerned. Your obligations:
- Data processing records: Even where the formal register is not mandatory, document what personal data you process, where it is stored, and who accesses it. It is the cheapest way to show you took the law seriously, and you will need it during a breach anyway
- Technical measures: The three-layer framework above is the core of the "appropriate technical and organizational measures" the law requires; write it down so you can show it
- Breach notification: Notify the EDÖB as soon as possible when a breach is likely to result in a high risk to the affected persons, and inform those persons where that is needed for their protection or the EDÖB asks for it. A lost laptop whose disk was encrypted and whose keys are unrecoverable generally does not meet that bar; an unencrypted one does
- Employee awareness: Your team should understand phishing, social engineering, and your reporting procedures
- Data processing agreements: With every cloud provider, SaaS tool, and IT vendor that accesses your data
For FINMA-regulated businesses (financial services, insurance), add mandatory penetration testing, formal incident response plans, and documented business continuity procedures.
Who owns security?
You don’t need a full-time security hire. You need one person (often the CTO, office manager, or a tech-savvy team lead) who:
- Owns the security tools and their configuration
- Conducts quarterly access reviews
- Runs occasional phishing simulations (even simple ones like sending a test phishing email)
- Keeps the data processing records current
- Is the first contact when someone reports a suspicious email or incident
Give them 2-4 hours per month and the authority to enforce policies. That’s enough for a small team.
What this costs
| Tool | Cost (10 users) | Layer |
|---|---|---|
| 1Password Business | ~CHF 80/mo | Credential hygiene |
| NordVPN Teams | ~CHF 50/mo | Network security |
| Norton Small Business | ~CHF 40/mo | Endpoint protection |
| Cloud backup | ~CHF 30/mo | Backup |
| YubiKeys (admin accounts) | ~CHF 250 one-time | Credential hygiene |
Total: ~CHF 200/month + CHF 250 one-time. For context, the average cost of a ransomware incident for a Swiss SME (downtime + recovery + regulatory) runs into six figures. This is the insurance premium.
Implementation roadmap
Week 1:
- Deploy password manager to all team members
- Enable 2FA on all business accounts
- Verify device encryption on all work devices
Week 2:
- Roll out VPN with auto-connect policy
- Install endpoint protection on all devices
- Configure office firewall (or review existing config)
Week 3:
- Set up backup infrastructure (cloud + offline)
- Create data processing records for nDSG
- Document access control list
Week 4:
- Run a test phishing email
- Test a backup restore
- Assign security ownership to one team member
One month. No disruption to daily work. A security posture that covers the baseline Swiss regulators expect and protects against the threats that actually target SMEs.