Threat profile: small business owner
As a freelancer or small business owner, you're responsible for client data, invoices, and business continuity. What are your obligations and how do you protect yourself?
As a freelancer or small business owner, you are your own IT department. You have no security team behind you. And you do have client data, invoices, contracts, and sometimes sensitive business information on your devices.
Small businesses are not attacked any less than large ones — they’re often easier targets because the security is less professional.
What are your real threats?
Ransomware
Malicious software that encrypts your files and demands payment. It hits small businesses every day. One wrongly opened attachment can make your entire administration inaccessible.
Invoice phishing (CEO fraud)
A fake email appearing to come from a client or supplier with a changed bank account number. You pay the wrong party. This costs businesses millions every year.
Account takeovers
If your accounting software, email, or cloud storage is compromised, an attacker gains access to client data and financial information.
GDPR violations
You are legally required to protect client data. Reporting a data breach to the Data Protection Authority (AP) is mandatory within 72 hours. Failing to do so can result in fines.
Business continuity
A hard drive that crashes, a laptop that gets stolen, an account that gets locked — without a backup, you lose everything.
GDPR for small business owners
If you process client data — and you almost certainly do — GDPR applies to you.
What that means:
- You may only collect data you need for your service
- You must be able to demonstrate that clients have given consent (or have another lawful basis)
- You must report data breaches to the AP within 72 hours
- Clients have the right to access their data and the right to deletion
Practical minimum:
- Don’t use free tools that use your client data for advertising (many “free” CRM tools do this)
- Store client data in the EU or with a provider covered by an adequacy decision
- Document what data you process and why (a simple spreadsheet is sufficient as a processing register)
Behaviour checklist
Account security
- Password manager with unique passwords per account
- 2FA on everything: email, accounting software, cloud storage, bank
- Separate email for business use — never your personal email for work
- Two-person verification for invoice changes: always call back when a bank account number changes
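The invoice-phishing threat above and the "always call back when a bank account number changes" rule can be turned into a small pre-payment check. This is an added example, not code from the original page: it keeps a registry of supplier IBANs you confirmed by phone, validates the IBAN checksum, and blocks any invoice whose account differs from the one on file until someone calls the supplier on a known number. Supplier names, IBANs and invoices are constructed sample data; the large-payment threshold is an assumed value.

```python
"""Pre-payment invoice check: flag changed or malformed supplier IBANs."""
from dataclasses import dataclass


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A-Z to 10-35, and the resulting number must be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not s[:2].isalpha() or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # 'A' -> '10' ... 'Z' -> '35'
    return int(digits) % 97 == 1


@dataclass
class Invoice:
    supplier: str
    iban: str
    amount_eur: float


# Constructed registry: the IBAN you verified with each supplier by phone.
KNOWN_IBANS = {
    "Acme Printing": "NL91ABNA0417164300",
    "Hosting BV": "DE89370400440532013000",
}

# Assumed threshold above which a second person must approve the payment.
LARGE_PAYMENT_EUR = 5000.0


def review_invoice(inv: Invoice, known=KNOWN_IBANS) -> str:
    """Return a decision for the person paying: 'pay', 'pay_second_approval',
    'call_back: ...' or 'reject: ...'. Nothing here pays anything itself."""
    iban = inv.iban.replace(" ", "").upper()
    if not iban_is_valid(iban):
        return "reject: IBAN fails checksum, likely a typo or tampered invoice"
    on_file = known.get(inv.supplier)
    if on_file is None:
        return "call_back: new supplier, confirm IBAN on a phone number you already have"
    if iban != on_file:
        return "call_back: IBAN differs from the one on file, confirm by phone before paying"
    if inv.amount_eur >= LARGE_PAYMENT_EUR:
        return "pay_second_approval"
    return "pay"
```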
Backup strategy (3-2-1 rule)
- 3 copies of your data
- On 2 different media
- Of which 1 is offsite (not in the same building)
In practice: local hard drive + encrypted cloud backup (Tresorit, Proton Drive, or self-hosted Nextcloud).
Device security
- Full-disk encryption on laptop and desktop
- Automatic lock after 5 minutes of inactivity
- Lock screen when leaving your office
- Wipe before disposal: securely erase drives before throwing them away
Network
- Separate wifi for visitors (guest network)
- Router firmware up to date
- No default router passwords
Client data
- Only keep client data as long as necessary
- Delete data after contract end (or set a retention period)
- Use encrypted storage for sensitive documents
Tools that help
| Problem | Tool | Cost |
|---|---|---|
| Passwords | Bitwarden Teams / KeePassXC | Free / €3/m |
| Encrypted backup | Tresorit / Proton Drive | €10–15/m |
| 2FA | Aegis (Android) / Yubico Authenticator | Free |
| VPN at the office | GL.iNet router + Mullvad | One-time €85–110 + €5/m |
| Hardware security key | YubiKey 5 NFC | ~€55 |
| Secure client communication | Signal / ProtonMail | Free |
Sector-specific risks
Healthcare / therapists / lawyers
Special categories of personal data (health, legal matters) require extra protection. Data processing agreements with every tool you use are mandatory. Consider a privacy audit.
Financial service providers
Stricter oversight on data protection. Phishing attacks target invoice flows. Two-person verification for large payments is not overkill.
Creative service providers / photographers
Client photos, contracts, work files — losing these is catastrophic. Good backups are priority number one.
Insurance
Cyber risk coverage exists as a standalone policy or add-on. It covers costs from ransomware (ransom + recovery), liability from a data breach, and business interruption.
If you process client data or are fully dependent on digital continuity: look into this.
Next step
- Security without buying anything — free basics in order
- VPN: what it does and what it doesn’t
- PGP: encrypted communication with clients
- App hardening guide
- Which network setup fits your threat profile? — network security for your business
- All security guides — overview of all security guides