Cyberattacks aren’t just a “big-company problem.” In Sri Lanka, small and medium businesses (SMEs) run lean teams, rely on cloud tools, and often work from shared laptops and mobile devices. That mix is productive—and attractive to attackers. The good news: you can build strong protection with simple, affordable controls and a clear checklist.

This guide focuses on high-impact steps you can implement this week, and a practical roadmap for the next 90 days.

The 80/20 Security Plan (Focus on the basics first)

Security is a stack. Start with the controls that prevent the most common incidents: weak passwords, phishing, lost devices, unpatched software, and missing backups.

Quick Wins You Can Do in 1–3 Days

  • Turn on MFA (multi-factor authentication) everywhere (email, accounting, banking, CRM, cloud storage).
  • Use a password manager (e.g., Bitwarden/1Password) to create unique, strong passwords.
  • Enable automatic updates for Windows/macOS, browsers, and mobile apps.
  • Backups with 3-2-1 rule: 3 copies, 2 different media, 1 offsite/offline.
  • Lock screens + device encryption (BitLocker on Windows, FileVault on macOS; PIN/biometric on phones).
  • Replace default router passwords and disable WPS on Wi-Fi routers.
  • Create a 1-page incident plan: who to call, how to isolate a PC, where backups live, how to keep the business running.

Passwords & MFA: Your cheapest superpower

  • Policy: Unique passwords for every account, minimum 12 characters (passphrases encouraged).
  • Manager: Use a company-managed vault (teams feature) to share credentials safely.
  • MFA: Prefer authenticator apps (TOTP) or hardware keys over SMS when possible.
  • Access hygiene: Remove old staff accounts the same day they leave; review admin roles monthly.

Pro Tip: Make one vault per role (Sales, Finance, Ops). Apply least privilege by default.

Backup Strategy: 3-2-1 or bust

  • 3 copies of your data: production + 2 backups
  • 2 media types: local NAS/external drive and cloud
  • 1 offsite/offline: a copy not reachable from your main network (protects from ransomware)

What to back up

  • Finance (accounting, invoices), customer records, project files, key email/mailboxes, website/database.

Test restores monthly. A backup you can’t restore is just a placebo.

Email Security: Stop phishing at the front door

Human layer (simple and effective)

  • 5-minute monthly drill: show a fake invoice/urgent payment email; ask team to flag and explain why.
  • Teach “hover to preview” links and to verify bank-detail changes by calling a known number.

Technical layer (DNS & mail)

  • Publish SPF (allowed senders), DKIM (signed mail), DMARC (reject/quarantine spoofed mail).
Example DMARC record (replace domain):
Type: TXT
Host/Name: _dmarc.yourdomain.lk
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.lk; fo=1; sp=quarantine; adkim=s; aspf=s
  • Turn on attachment/link scanning and safe links features in your email suite.
  • Create a mailbox like security@yourdomain.lk for staff to forward suspicious emails.

Wi-Fi & Network: Keep guests and staff separate

  • Two networks: Staff (WPA2/WPA3) and Guest (internet-only).
  • Change default SSID, set a strong Wi-Fi password, disable WPS.
  • On routers/firewalls: block remote admin from the internet, auto-update firmware, and back up configs.
  • Consider DNS filtering (e.g., Quad9, Cloudflare) to block known malicious domains.

Device Security: Laptops, Desktops, and Phones

  • Full-disk encryption (BitLocker/FileVault) + auto-lock after 5–10 minutes.
  • Built-in endpoint protection (Windows Defender / macOS XProtect) is solid when kept updated.
  • USB policy: scan external drives; avoid unknown USB sticks.
  • BYOD rules: if staff use personal phones for work, require screen lock, OS updates, and remote wipe for work apps.

Patching & Software Hygiene

  • Automatic OS updates on PCs and phones.
  • Browser updates (Chrome/Edge/Firefox auto-update by default).
  • Remove unused software and admin tools you don’t need.
  • For servers/NAS: schedule a monthly patch window.

Data Handling: Classify, restrict, and encrypt

  • Classify: Public • Internal • Confidential (customer data, payroll).
  • Restrict: Share Confidential data only via access-controlled folders (Google Workspace / Microsoft 365).
  • Encrypt: Use encrypted sharing links; avoid sending sensitive files over WhatsApp unless zipped with a password and shared separately.

Minimal records rule: Collect only what you need; keep it only as long as necessary.

Affordable “Starter Stack” (SME-friendly)

  • Identity & Email: Google Workspace or Microsoft 365 (with MFA enforced)
  • Password Manager: Bitwarden (Teams), 1Password, or similar
  • Backups: Local NAS + cloud backup (e.g., Backblaze/Wasabi); versioning enabled
  • Endpoint: Windows Defender + automatic updates; macOS built-ins
  • DNS Filtering: Quad9 or Cloudflare for Teams (free tiers available)
  • Docs & Storage: Shared Drives/SharePoint with least-privilege access
  • Awareness: Short monthly phishing drills + a 1-page policy

Simple Policies That Actually Work

  • Acceptable Use: No unknown software, no sharing logins by chat, report suspicious emails immediately.
  • Access Control: Least privilege, quarterly review of who has access to which folders/applications.
  • Off-boarding: Disable accounts, revoke tokens, transfer documents the same day.
  • Mobile/WhatsApp: No sharing of passwords or card/bank images. Mask sensitive customer info.

Keep each policy one page, readable, and pinned in your team chat.

Incident Response: A one-page runbook

If a laptop is infected or lost:

  1. Disconnect from Wi-Fi/mobile data.
  2. Inform the response lead (name + phone).
  3. Preserve: Don’t wipe—note what happened, take photos of the screen if needed.
  4. Contain: Disable accounts/tokens from another device (email, VPN, SaaS).
  5. Recover: Reimage device; restore data from backup.
  6. Report & learn: What failed? Fix the gap (e.g., add MFA, adjust filters).

If you suspect email compromise:

  • Force password reset + revoke sessions, rotate app passwords.
  • Review mail forwarding rules; check sent items for fraud threads.

90-Day Roadmap (Lightweight & realistic)

Week 1

  • Enforce MFA on email, banking, and critical apps.
  • Deploy password manager to all staff.
  • Set up staff/guest Wi-Fi split; change router defaults.
  • Start daily automatic backups (local + cloud).

Weeks 2–4

  • Publish SPF, DKIM, and DMARC; enable DNS filtering.
  • Turn on device encryption; set auto-lock.
  • Draft 1-page policies (Acceptable Use, Off-boarding, Incident Plan).

Months 2–3

  • Run a restore test from backups.
  • Do a simulated phishing drill and a 30-minute team refresher.
  • Review access permissions; remove excess privileges.
  • Patch all routers/NAS/servers; document versions and dates.

Budgeting (ballpark, keep it lean)

  • Initial (one-time): Password manager seats, a decent NAS or external drives, spare router, labeling & documentation.
  • Monthly: Email suite seats, cloud backup storage, domain/DNS costs.
  • Training: 30–60 minutes per month of in-house awareness is often enough.

Spending a few thousand rupees per user per month on these basics is typically far cheaper than even a minor breach.

Final Word

You don’t need enterprise tools to be secure. With MFA, strong passwords, reliable backups, basic email protections, and clear habits, Sri Lankan SMEs can block the vast majority of common attacks and recover quickly from incidents.

If you’d like help auditing your current setup or implementing this 90-day plan, our team can assist with practical, budget-friendly options tailored to your business.

Contact Orikmo to get a quick security check and a prioritized action list.