June 8, 2026
Small business cybersecurity in San Diego: what actually matters under 50 employees
If you run a business in San Diego with fewer than 50 employees, you've probably been pitched "enterprise-grade" security tools that cost more than your rent. You've also probably wondered if any of it applies to you. Most of it doesn't. Here's what actually moves the needle when you're a small shop, what you can safely ignore for now, and what it should cost.
Who this is for
This post is written for owners and operators of San Diego businesses in the 5–50 employee range. Think general contractors in North County, biotech startups around Sorrento Valley and Torrey Pines, law firms downtown, marketing agencies in North Park, dental and medical practices across the county. You probably use Google Workspace or Microsoft 365, a WordPress site, maybe QuickBooks Online, maybe a CRM like HubSpot or Salesforce. You don't have a CISO. You might not even have a dedicated IT person.
If that's you, you don't need a Security Operations Center. You need the five things below, done correctly. That's it.
The five things that actually reduce your risk
If you do nothing else from this article, do these. In order. They cover the vast majority of how small businesses actually get hit.
1. Multi-factor authentication (MFA) on email and admin accounts
The single biggest risk to a small business isn't a hacker in a hoodie. It's someone phishing your bookkeeper's email password, logging into Google Workspace or Microsoft 365, watching invoice traffic for a few weeks, then inserting fake wire instructions on a real-looking thread. This is called Business Email Compromise (BEC) and it's the most common way small businesses lose real money.
MFA on every email account stops this cold in most cases. Not SMS-based MFA if you can avoid it — use an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) or a hardware key like a YubiKey for the owner and anyone with financial signing authority.
Same goes for admin panels: your WordPress wp-admin, your QuickBooks login, your domain registrar, your hosting account. If someone gets into your domain registrar, they can redirect your email and your website. Lock it down.
Cost: $0 if you use free authenticator apps. ~$50 per person for hardware keys. This is the highest-ROI thing you can do in the next 48 hours.
2. Backups you've actually tested
If ransomware hits tomorrow, do you have a clean copy of your files from yesterday? Are you sure? When was the last time someone actually restored a file from your backup to confirm it works?
For most small businesses, this looks like:
- Google Workspace or Microsoft 365: native retention is not a backup. Use a third-party backup like Afi, Spanning, or Datto SaaS Protection.
- WordPress site: a plugin like UpdraftPlus or BlogVault that pushes off-site to S3, Dropbox, or its own cloud. Not on the same server as the site.
- Local file shares or QuickBooks Desktop: cloud backup like Backblaze or Carbonite, plus a quarterly test restore.
The "tested" part is what most businesses skip. A backup you've never restored is a guess, not a backup. Pick one file each quarter and restore it. Write down the date you did it.
Cost: $5–$15 per user per month for SaaS backup, ~$10/mo for a WordPress site, ~$7/mo per computer for endpoint backup.
3. Email authentication: SPF, DKIM, and DMARC
This is the boring one nobody wants to think about, and it's why half the small businesses I look at have spam-folder problems and impersonation problems at the same time.
SPF, DKIM, and DMARC are three DNS records that tell Gmail, Outlook, and every other receiver: "These are the only servers allowed to send email as my domain." Without them, attackers can spoof your domain to your customers, and your legitimate marketing emails get flagged as spam.
A minimum SPF record for a Google Workspace shop looks like:
v=spf1 include:_spf.google.com -all
A starter DMARC record looks like:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
You start with p=none to monitor, then move to p=quarantine, then p=reject once you've confirmed your legitimate senders (Mailchimp, HubSpot, your CRM, your accountant's billing software) are all aligned. Skipping the monitoring step is how businesses accidentally block their own invoices.
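As an added example (not code from the post), here is a small Python checker for the two records above. It flags the mistakes that usually bite small shops (two SPF records, a permissive "all", a DMARC record with no reporting address) and tells you the next step in the p=none to quarantine to reject rollout. The sample records are constructed copies of the ones shown above, not anything pulled from a live domain.

```python
# Constructed sample records, mirroring the ones shown in the post
SPF_SAMPLE = "v=spf1 include:_spf.google.com -all"
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100"
DMARC_POLICIES = ("none", "quarantine", "reject")  # rollout order from the post

def spf_findings(txt_records):
    """Problems with a domain's SPF setup, given all TXT records published at its apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # two SPF records is a permanent error, zero means no policy at all
        return [f"expected exactly one SPF record, found {len(spf)}"]
    # Each term is an optional qualifier (+ - ~ ?) followed by a mechanism; missing means '+'
    terms = [(t[0], t[1:]) if t[0] in "+-~?" else ("+", t) for t in spf[0].split()[1:]]
    findings = []
    alls = [i for i, (_, m) in enumerate(terms) if m.lower() == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif terms[alls[0]][0] in "+?":
        findings.append("'+all'/'?all' lets anyone send as the domain; use -all or ~all")
    elif alls[0] != len(terms) - 1:
        findings.append("'all' is not the last mechanism; later terms are never reached")
    return findings

def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict, or None if it is not a DMARC record."""
    tags = {}
    for piece in record.split(";"):
        if "=" in piece:
            key, value = piece.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def dmarc_findings(record):
    """Problems with a DMARC record that would leave you blind or with no usable policy."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    if tags.get("p") not in DMARC_POLICIES:
        findings.append(f"missing or invalid policy p={tags.get('p')!r}")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua= mailto: address, so you get no aggregate reports to review")
    return findings

def next_dmarc_policy(record):
    """Next step in the none -> quarantine -> reject rollout, once the reports look clean."""
    policy = (parse_dmarc(record) or {}).get("p")
    if policy not in DMARC_POLICIES or policy == "reject":
        return policy
    return DMARC_POLICIES[DMARC_POLICIES.index(policy) + 1]
```

Feed it the actual TXT records you get back from your DNS provider (all of them for the apex, and the one at _dmarc.yourdomain.com) and fix anything it lists before moving the policy forward.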
This is a one-time project. A couple of hours of work, and then it just runs. Google and Yahoo started requiring this for bulk senders in 2024, so if you do any email marketing it's no longer optional.
Cost: $0 in tooling. $300–$800 one-time if you hire someone to set it up correctly.
4. Web hardening (especially if you're on WordPress)
If you have a public website — and you do — it's a target. Not because anyone is mad at you specifically, but because bots scan the entire internet looking for WordPress sites with outdated plugins, weak admin passwords, or known vulnerabilities. When they find one, they inject spam content, malware redirects, or backdoors that let them come back later.
I did an incident response engagement for a Southern California contractor whose WordPress site had been compromised by a previous developer who'd left a self-healing backdoor in place. The site was generating 115+ spam posts that were getting indexed by Google and tanking the company's reputation. Cleaning it up took removing the backdoor, the spam posts, every admin account that shouldn't have been there, and then hardening the site so it wouldn't happen again. (Case study here.)
The hardening basics for any WordPress site:
- Keep WordPress core, themes, and plugins updated. Auto-update minor versions.
- Delete plugins and themes you're not using. Don't just deactivate them.
- Force MFA on every admin account.
- Use a security plugin like Wordfence or Solid Security for a basic firewall and login throttling.
- Disable file editing inside wp-admin by adding this line to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
- Don't use "admin" as a username. Don't reuse passwords.
- Pick a host that does daily off-site backups and has a WAF (Web Application Firewall) included — Kinsta, WP Engine, and Pressable all do this.
If you're not on WordPress, similar principles apply: keep your CMS updated, enforce strong auth on the admin panel, and put Cloudflare in front of the site for free DDoS protection and a basic WAF.
5. An incident contact you can call at 9 PM on a Saturday
When something does go wrong — and statistically, eventually something will — the question is how fast you can get help. Most small businesses discover their website has been defaced for three days, or their email has been forwarding to an attacker for two weeks, because nobody was watching and they didn't know who to call.
You don't need a 24/7 SOC. You need a name, a number, and an agreement that if you text that number on a Saturday because your site is hosting porn pop-ups, someone responds within a few hours. That's it. Even an informal relationship with a security consultant who knows your environment is worth more than a $50,000/year monitoring contract you'll never read alerts from.
What you don't need yet
This is where the marketing gets aggressive. Here's what you can almost certainly skip if you're under 50 employees and not in a regulated industry:
- SIEM (Security Information and Event Management). Splunk, Sentinel, Sumo Logic. These tools collect and correlate logs from across an enterprise. You don't have an enterprise. You'll get thousands of alerts you can't action, and pay $1,500–$10,000+/month for the privilege.
- 24/7 Managed SOC. Same problem. Unless you have continuous compliance requirements or genuinely sensitive customer data at scale, paying for around-the-clock human eyes is overkill. The basics above prevent the things a SOC would catch anyway.
- CMMC compliance. Unless you're a DoD contractor or subcontractor, this doesn't apply to you. If you are DoD-adjacent (some San Diego defense contractors and aerospace suppliers around Miramar and Kearny Mesa) then yes, you need to start that conversation now. Otherwise, ignore the noise.
- Penetration testing. Useful eventually, but if you haven't done the basics, a pentest will just produce a report telling you to do the basics. Skip until you've done items 1–5 above.
- Cyber insurance without the basics first. You can buy a policy, but most modern cyber insurers won't pay out — or won't even underwrite you — without MFA, backups, and email auth in place. Do the work first, then buy the policy.
San Diego context: what's actually getting hit locally
A few patterns I've seen in San Diego specifically:
Contractors and trades: Heavy email-based billing. Big invoices. Lots of subcontractor communication. Prime target for Business Email Compromise. Wire fraud schemes against contractors are a known and ongoing problem in California. MFA on email and a strict "we verify wire changes by phone using a number we already have" policy are the two best controls.
Biotech and life sciences (Sorrento Valley, Torrey Pines): Higher-value IP. Often international collaborators. The attack profile shifts toward targeted phishing and credential theft. If you're handling research data with any partner contracts, you may already have contractual security requirements you haven't read carefully.
Professional services (law, accounting, financial advisory): Client data is the crown jewels. State bar and licensing requirements may apply. Client trust accounts are a target. Backup discipline matters here more than most, because a ransomware event that loses client files is a malpractice issue, not just an IT issue.
E-commerce and DTC brands: Site uptime and customer payment data drive the threat model. PCI scope, fraudulent order patterns, account takeover of customer accounts.
The common thread: it's almost never the dramatic nation-state attack the news talks about. It's an unpatched plugin, a phished email password, or a backup that didn't work when it was needed.
Realistic budget bands
Here's what this actually costs, so you can plan.
$0–$500/month — the basics, done yourself:
- Free MFA via authenticator apps
- $5–$15/user/month for SaaS backup
- $10/month for WordPress backup
- Cloudflare free tier in front of the site
- A few hours of your time, quarterly, for test restores and reviews
This tier covers maybe 80% of the realistic risk for most sub-20-employee shops. You can absolutely do this yourself if you're technical, or have someone walk you through it once.
$500–$2,000/month — proper posture with help:
- Everything above
- A security retainer with a consultant (a few hours a month for monitoring, patching review, advisory, and on-call IR)
- Premium WordPress security (Wordfence Premium, BlogVault, or managed hosting at the Kinsta/WP Engine level)
- Email security beyond the basics (advanced phishing protection in Microsoft 365 or Google Workspace)
- DMARC monitoring tooling (Postmark DMARC, EasyDMARC, dmarcian)
- Endpoint protection on company laptops (Bitdefender GravityZone, SentinelOne, or similar)
This tier is what I'd recommend for most 20–50 employee shops, especially professional services and anyone handling client funds or sensitive data.
Project-based: incident response and one-time hardening. When something has already happened — your site is infected, your email got compromised, an attacker is in your account — that's a fixed-scope IR engagement. Typical range: $1,500 for a clean WordPress malware case to $10,000+ for a full business email compromise investigation. Pricing depends on scope, not panic.
The honest bottom line
Small business cybersecurity is mostly five boring things done consistently. MFA. Backups. Email auth. Web hardening. Knowing who to call. Do those, and you've prevented the overwhelming majority of incidents that actually happen to businesses your size in San Diego.
The fear-marketing industry wants to sell you a SIEM. You probably need an afternoon of DNS work, a YubiKey, and a backup test.
If you want a second set of eyes on where you actually stand, I run a security retainer specifically for San Diego small businesses — monthly check-ins, patching review, DMARC monitoring, and on-call incident response when something breaks. See the security services page or send a note through the contact form and we'll talk about what makes sense for your setup. No enterprise upsell.