From the team
Cybersecurity basics every High Country business should know
Why this matters here
Small businesses from West Jefferson to Boone — and shops along the North Carolina Blue Ridge Parkway corridor — get targeted because attackers assume there’s no dedicated IT. They’re often right.
We’re not talking about Hollywood hackers. It’s automated scans, phishing kits, and “your package failed delivery” emails that land in a busy inbox on a Friday. A typical pattern: a real estate or title office with a dozen staff, M365 in the cloud, and a part-time bookkeeper who’s sharp at closings but has never seen a BEC (business email compromise) thread. Someone spoofs the owner’s email, changes wiring instructions, and suddenly you’re on the phone with the bank asking where Friday’s deposit went.
You don’t need fear. You need a short list you can actually maintain.
Five basics to put in place
1. Identity & MFA
Default stack for most clients: Microsoft 365 with multi-factor authentication on every licensed user — email, Teams, SharePoint, and admin roles. Passwords alone aren’t enough; stolen credentials are sold by the million.
Also: separate admin accounts (no daily email in Global Admin), and conditional access where licensing allows (block legacy auth, require MFA from new locations).
2. Backups you’ve actually restored
“Backup runs” is not a strategy. Good looks like:
- Workloads identified (files, M365 if needed, line-of-business DB).
- Backups off-network or immutable — ransomware hunts connected drives.
- Quarterly restore test documented — “we restored these files in X minutes.”
We’re flexible on vendor; we’re inflexible on proof.
3. Patching cadence
- Windows endpoints and servers: monthly maintenance window minimum; critical CVEs faster when exploit code is public.
- Line-of-business apps: inventory who owns updates (vendor vs you). We see QuickBooks, dental imaging, and vertical tools fall behind because “the vendor has to do it.” Put dates on the calendar anyway.
Patching without monitoring is half a job — managed IT includes RMM so failed patches don’t sit silent for weeks.
4. Email security
Phishing is still the front door. At minimum:
- Filtering on Microsoft 365 (Defender for Office 365 or equivalent tier).
- SPF, DKIM, DMARC on your domain so spoofing is harder.
- Phishing simulations twice a year — short, practical, no shaming. People learn what your inbox attacks look like.
Read more context in why small businesses are the real target.
5. Incident plan on one page
When something smells wrong, nobody should be googling “what do we do.” One page:
| Step | Action |
|---|---|
| 1 | Stop the bleed — disconnect affected PC from network; don’t power off if ransomware is suspected (preserve memory if counsel advises). |
| 2 | Call your IT partner — NRT: contact during business hours; after-hours per your agreement. |
| 3 | Preserve evidence — headers from suspicious email, screenshots, who clicked what. |
| 4 | Notify leadership & counsel — especially if PHI, financial, or client data may be involved. |
| 5 | Communicate carefully — no social posts; one voice for staff and clients. |
Keep printed copies. The internet might be the thing that’s down.
What we do beyond the checklist
For clients on cybersecurity engagements we add EDR, dark web monitoring for domain credentials, policy templates, and restore drills — scaled to your risk, not a 200-page binder.
Need help prioritizing?
Contact NRT for a consult. We’ll walk your setup and tell you what to fix first based on risk and budget — not a scare slide deck.