Profile: small business owner
This is not a base profile but a context profile. If you work as a freelancer or in a small organisation, you are responsible for client data, invoices and business continuity.
Who this guide is for
This profile is for freelancers and small-business owners who are responsible for client data, invoices, contracts, cloud tools, and business continuity without a mature internal IT team.
As a freelancer or small-business owner you are often your own IT department, or you work in a team without a mature security structure. Either way, client data, invoices, contracts and sometimes sensitive business information live on your devices.
Small businesses are not attacked any less than large ones — they are often easier targets because the security is less professional.
Use this profile on top of your base profile.
In most cases this is not a separate threat level, but a business context layer on top of your normal situation.
- For most freelancers, the normal baseline is the practical starting point.
- If you are already privacy-conscious and want to harden business tooling, combine it with Profile: privacy conscious.
- If you work in healthcare, law or IT, this profile sits on top of your professional profile instead of replacing it.
The core issue here is: business continuity, client trust and legal responsibility.
The main question is not which tool sounds most privacy-friendly. The main question is: which choices keep your business running, protect client data, and remain workable when you have no IT team?
When this is overkill
If you do not handle client data, business accounts, or continuity risk beyond your own personal setup, this profile is probably not the right layer yet. It matters when one laptop, inbox, or cloud account failure can harm both you and the people relying on your business.
What are your real threats?
Ransomware: malicious software that encrypts your files and demands payment. It hits small businesses every day, and one wrongly opened attachment can make your entire administration inaccessible, including any backup drive that is plugged in at the time.
Invoice fraud (CEO fraud): a fake email that appears to come from a client, a supplier or your own director, asking you to pay an invoice to a changed bank account number. You pay the wrong party, and the money is usually gone before anyone notices. This costs businesses millions every year.
Account takeovers: if your accounting software, email or cloud storage is compromised, an attacker gains access to client data and financial information. A taken-over mailbox is also the starting point for invoice fraud against your own clients.
GDPR violations: you are legally required to protect client data. A data breach that poses a risk to the people affected must be reported to the Data Protection Authority (AP) within 72 hours of discovering it. Failing to do so can result in fines.
Business continuity: a hard drive that crashes, a laptop that gets stolen, an account that gets locked. Without a backup, you lose everything.
What you gain, and what it costs
If you apply this profile seriously, you typically gain:
- less chance that a single mistake takes down your administration, client contact or invoicing
- clearer separation between convenient tools and defensible business choices
- less risk of GDPR problems from careless data storage or account management
- more peace of mind because your critical systems and recovery path are clearly defined
But it costs something:
- more discipline around backups, account management and access control
- sometimes extra costs for reliable storage, 2FA or hardware
- less room to pick free or quick tools that don’t match your actual risk
For this profile that is usually a reasonable trade. Cheap improvisation tends to be more expensive once something goes wrong.
GDPR for freelancers and small organisations
If you process client data — and you almost certainly do — GDPR applies to you.
What that means:
- You may only collect data you need for your service
- You must be able to demonstrate a lawful basis for processing; for client work that is usually the contract itself rather than consent, and consent applies only where you actually ask for it (a newsletter, for example)
- You must report a data breach to the AP within 72 hours of discovering it, unless it is unlikely to pose a risk to the people involved; document the decision either way
- Clients have the right to access their data and the right to deletion
Practical minimum:
- Don’t use free tools that use your client data for advertising (many “free” CRM tools do this)
- Store client data in the EU, with a provider in a country covered by an adequacy decision, or under another GDPR transfer safeguard such as standard contractual clauses
- Document what data you process and why (a simple spreadsheet is sufficient as a processing register)
If there are three business basics to remember, let them be these: use separate business accounts, maintain a recoverable backup, and know where your client data ends up — legally and practically.
Behaviour checklist
Account security
- Which password manager should you choose? — choose your route first, then use unique passwords per account
- 2FA on everything: email, accounting software, cloud storage, bank — 2FA guide →
- Separate email for business use — never your personal email for work
- Two-person verification for invoice changes: when a supplier's bank account number changes, always call back on the phone number you already have on file, never on a number taken from the email itself, before paying
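The callback rule above is the control that matters; the script below, an added example that is not part of this guide, shows the cheap automatic checks that should precede it: does the Reply-To go somewhere other than the sender, does the IBAN pass its checksum, and does it match the one on file. The supplier register, the .example domains, the phone number and both mails are constructed (the two IBANs are well-known sample values that pass the ISO 13616 check).

```python
"""Screen an incoming invoice e-mail against your supplier register.

Added example, not from the original guide. It assumes you keep, per supplier,
the sending domain, the IBAN on file and a phone number obtained independently.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed supplier register; in practice this lives in your accounting
# tool or a spreadsheet. Domains use the reserved .example TLD.
SUPPLIER_REGISTER = {
    "Acme Hosting": {
        "domain": "acme-hosting.example",
        "iban": "NL91ABNA0417164300",       # well-known sample IBAN
        "phone_on_file": "+31 20 000 0000",  # constructed
    },
}

# Country code, two check digits, then 11-30 alphanumerics, optionally grouped
# by single spaces. Plain spaces only, so a match cannot run onto the next line.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters by 10..35, and the number must leave remainder 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def screen_invoice_email(raw: str, supplier: str) -> list:
    """Return the red flags found in one single-part text mail. An empty list
    means nothing stood out, not that the mail is genuine."""
    known = SUPPLIER_REGISTER[supplier]
    msg = message_from_string(raw)
    flags = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if from_domain != known["domain"]:
        flags.append(f"sender domain {from_domain!r} is not the registered "
                     f"{known['domain']!r} (look-alike?)")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To points at {reply_domain!r}, not the sender domain")
    body = msg.get_payload()  # str for a non-multipart message
    for m in IBAN_RE.finditer(body):
        iban = m.group(0).replace(" ", "")
        if not iban_valid(iban):
            flags.append(f"IBAN {iban} fails its checksum (typo or fabricated)")
        elif iban != known["iban"]:
            flags.append(f"IBAN {iban} differs from the one on file; confirm by "
                         f"calling {known['phone_on_file']} (the number you already "
                         f"have, never one taken from this mail) before paying")
    return flags


# Constructed test mails. The second is the classic pattern: a genuine-looking
# sender, a Reply-To on a look-alike domain, and "new bank details".
CLEAN_MAIL = """\
From: Accounts <billing@acme-hosting.example>
Subject: Invoice 2024-117
Content-Type: text/plain; charset=utf-8

Please pay 1200 EUR to IBAN NL91 ABNA 0417 1643 00 within 30 days.
"""

SUSPICIOUS_MAIL = """\
From: Accounts <billing@acme-hosting.example>
Reply-To: billing@acme-hosting-invoices.example
Subject: Updated bank details for invoice 2024-118
Content-Type: text/plain; charset=utf-8

Dear customer,
Please note our new bank account for all future payments:
IBAN DE89 3704 0044 0532 0130 00
Kind regards
"""

if __name__ == "__main__":
    for name, mail in (("clean", CLEAN_MAIL), ("suspicious", SUSPICIOUS_MAIL)):
        print(name, screen_invoice_email(mail, "Acme Hosting") or ["no flags"])
```

Run it and the suspicious mail produces two flags, the clean one none. The register is the important part: an IBAN that validates is not an IBAN that is yours to pay, and a mail that passes every check still gets the phone call when it changes bank details.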
Backup strategy (3-2-1 rule)
- 3 copies of your data
- On 2 different media
- Of which 1 is offsite (not in the same building)
In practice: local hard drive + encrypted cloud backup. Start with the backup implementation guide and then choose between Proton Drive or a self-hosted Nextcloud setup. Simplest starting point without technical knowledge: Proton Drive (€4/month, 200 GB, end-to-end encrypted). Two caveats the 3-2-1 rule assumes: a cloud folder that only syncs your files is not a backup unless it keeps earlier versions, because ransomware-encrypted files sync just as readily as clean ones; and a backup you have never restored from is a hope, not a backup, so test-restore a few files at least once.
For most small organisations this is also the right order:
- start with a simple backup you will actually use
- only then decide whether you want more control via a technical solution like Nextcloud
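A backup that silently overwrites the previous copy, or that has never been restored, fails exactly when ransomware hits. The script below is an added example (not from this guide, and not the backup implementation guide's, Proton's or Nextcloud's own code) of the two habits the 3-2-1 rule assumes: keep several dated versions and test a restore. It uses only the Python standard library; the client files, the timestamps and the simulated ransomware run are constructed, and encryption of the archives is assumed to come from the destination (an end-to-end encrypted drive) or a separate tool such as gpg.

```python
# Versioned backup with a restore test. Added example, not part of the guide.
# Keeps several dated archives (so a ransomware-encrypted run cannot overwrite
# your only good copy), writes a SHA-256 manifest next to each, and proves a
# backup restores by extracting it and re-hashing every file.
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest_of(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file below root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))

def make_backup(source: Path, dest: Path, keep: int = 3,
                stamp: Optional[str] = None) -> Path:
    """Write dest/backup-<stamp>.tar.gz plus its manifest, then prune so only
    the newest `keep` archives remain. `stamp` is overridable for the demo."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest / f"backup-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest_of(source), indent=1))
    versions = sorted(dest.glob("backup-*.tar.gz"))  # stamps sort by date
    for old in (versions[:-keep] if keep > 0 else []):
        old.unlink()
        manifest_path(old).unlink(missing_ok=True)
    return archive

def restore(archive: Path, target: Path) -> None:
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        # The 'data' filter (Python 3.12, backported to patch releases) refuses
        # path traversal and special files; older interpreters lack it.
        opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(target), **opts)

def verify_backup(archive: Path) -> list:
    """Restore into scratch space and compare with the manifest. Returns the
    problems found; an empty list means every file came back intact."""
    expected = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as tmp:
        restore(archive, Path(tmp))
        actual = manifest_of(Path(tmp))
    problems = [f"missing after restore: {r}" for r in expected if r not in actual]
    problems += [f"hash mismatch after restore: {r}" for r in expected
                 if r in actual and actual[r] != expected[r]]
    problems += [f"unexpected file in archive: {r}" for r in actual if r not in expected]
    return problems

def run_demo() -> dict:
    """Back up a constructed client folder, simulate ransomware, back up again
    and show that the older version still restores. Returns what was observed."""
    with tempfile.TemporaryDirectory() as d:
        src, dest = Path(d) / "work", Path(d) / "backups"
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "acme.txt").write_text("invoice 2024-118: 1200 EUR\n")
        (src / "contracts.md").write_text("# contracts\n")
        first = make_backup(src, dest, keep=3, stamp="20240101T000000Z")
        first_ok = verify_backup(first) == []
        for p in src.rglob("*"):                  # "ransomware": trash every file
            if p.is_file():
                p.write_bytes(b"\x00encrypted\x00")
        second = make_backup(src, dest, keep=3, stamp="20240102T000000Z")
        second_ok = verify_backup(second) == []   # garbage backs up just fine
        restore(first, Path(d) / "restore")       # the older version saves you
        restored_text = (Path(d) / "restore" / "clients" / "acme.txt").read_text()
        m = json.loads(manifest_path(second).read_text())
        m["contracts.md"] = "0" * 64              # a corrupted manifest is caught
        manifest_path(second).write_text(json.dumps(m))
        tampered = verify_backup(second)
        make_backup(src, dest, keep=3, stamp="20240103T000000Z")
        make_backup(src, dest, keep=3, stamp="20240104T000000Z")
        remaining = sorted(p.name for p in dest.glob("backup-*.tar.gz"))
    return {"first_ok": first_ok, "second_ok": second_ok, "restored_text": restored_text,
            "tampered": tampered, "remaining": remaining}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Point make_backup at your working folder and an external or synced destination from a scheduled job, and run verify_backup on the newest archive now and then. Note what the demo shows: the backup taken after the simulated infection verifies perfectly, because it faithfully captured encrypted garbage. Only the older version, which pruning must not have discarded yet, gets your files back.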
Device security
- Full-disk encryption on laptop and desktop
- Automatic lock after 5 minutes of inactivity
- Lock screen when leaving your office
- Wipe before disposal: securely erase or physically destroy drives before throwing them away. A drive that was fully encrypted from the start can be retired by destroying its key, which is the simplest argument for enabling full-disk encryption on day one
Network
- Separate wifi for visitors (guest network)
- Router firmware up to date
- No default router passwords
Client data
- Only keep client data as long as necessary, and know which parts you are obliged to keep longer (invoices and bookkeeping typically have a statutory retention period that outlives the contract)
- Delete project files and contact data after contract end, or set a retention period per data category and act on it
- Use encrypted storage for sensitive documents
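Turning the processing register from the GDPR section and the retention rules above into something you can actually run: the script below is an added example, not part of the guide. It assumes the register is the spreadsheet the guide suggests, exported as CSV with the columns shown; the clients, locations and retention periods are constructed (the 2555-day line stands in for a multi-year bookkeeping obligation; check the figure that applies to you).

```python
# Retention and completeness check driven by a processing register.
# Added example, not from the guide; register contents are constructed.
import csv
import io
from datetime import date, timedelta

REGISTER_CSV = """\
client,data_category,purpose,lawful_basis,location,contract_end,retention_days
Acme BV,project files,build website,contract,encrypted cloud drive (EU),2023-11-30,90
Acme BV,invoices,bookkeeping,legal obligation,accounting SaaS (EU),2023-11-30,2555
Jansen,intake form (health),therapy notes,consent,laptop (full-disk encrypted),,1825
Bakker,contact details,newsletter,,newsletter SaaS (US),2024-01-15,30
"""


def load_register(text: str) -> list:
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def register_gaps(rows) -> list:
    """Rows you could not defend to the AP: no lawful basis or no known location."""
    gaps = []
    for r in rows:
        for field in ("lawful_basis", "location"):
            if not r[field].strip():
                gaps.append(f"{r['client']} / {r['data_category']}: no {field}")
    return gaps


def retention_actions(rows, today: str) -> list:
    """Decide per row: 'active' (no end date yet), 'keep' (inside the retention
    window) or 'delete' (window has passed). Dates are ISO strings."""
    now = date.fromisoformat(today)
    actions = []
    for r in rows:
        item = {"client": r["client"], "category": r["data_category"]}
        if not r["contract_end"]:
            item.update(status="active", delete_after=None)
        else:
            end = date.fromisoformat(r["contract_end"])
            due = end + timedelta(days=int(r["retention_days"]))
            item.update(status="delete" if now > due else "keep",
                        delete_after=due.isoformat())
        actions.append(item)
    return actions


def todo_list(text: str, today: str) -> list:
    """Human-readable lines for a quarterly review."""
    rows = load_register(text)
    lines = [f"FIX: {g}" for g in register_gaps(rows)]
    for a in retention_actions(rows, today):
        if a["status"] == "delete":
            lines.append(f"DELETE: {a['client']} / {a['category']} "
                         f"(retention ended {a['delete_after']})")
    return lines


if __name__ == "__main__":
    for line in todo_list(REGISTER_CSV, date.today().isoformat()):
        print(line)
```

The two checks are deliberately boring: a row with no lawful basis or no known storage location is something you cannot explain to the AP, and a row whose retention window has passed is data you are holding without a reason. Running this quarterly is cheaper than discovering the gap while writing a breach notification.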
Tools that help
| Problem | Tool | Cost |
|---|---|---|
| Passwords | Which password manager should you choose? | Free / ~€4/month |
| Encrypted backup | Backup implementation guide | €4/month for 200 GB, or a technical alternative |
| 2FA | Two-factor authentication guide | Free |
| VPN at the office | VPN comparison | One-time €85–110 + €5/month |
| Hardware security key | YubiKey 5 NFC | ~€60 |
| Secure client communication | Signal setup guide / Choosing secure email without overkill | Free |
Don’t treat this table as a day-one shopping list. For most freelancers, passwords, 2FA and backup matter more than a router VPN or hardware key right away.
Sector-specific risks
Healthcare / therapists / lawyers: special categories of personal data (health, legal matters) require extra protection. Data processing agreements with every tool you use are mandatory (see data processing agreement explained). Consider a privacy audit.
Financial service providers: stricter oversight on data protection. Phishing attacks target invoice flows. Two-person verification for large payments is not overkill.
Creative service providers / photographers: client photos, contracts, work files. Losing these is catastrophic, so good backups are priority number one.
Insurance
Cyber risk coverage exists as a standalone policy or add-on. It covers costs from ransomware (ransom + recovery), liability from a data breach, and business interruption.
If you process client data or are fully dependent on digital continuity: look into this.
Don’t treat insurance as a replacement for basic security. It is a financial safety net, not a substitute for good account hygiene or a working backup, and many insurers make exactly those basics (2FA, backups, patching) a condition of cover or a question on the application form, so read the policy conditions before relying on it.
How to use this profile
Use this profile as the business layer on top of your base profile:
- Which accounts and tools are business-critical?
- Where is your biggest continuity risk: email, invoicing, client files or backup?
- Which data are you legally or contractually not allowed to leak?
If that is not clear yet, start there. Extra tooling only matters once you know what absolutely must keep working.
Next step
Start here
- Security without buying anything — if your basic account and device discipline is still loose
- Backup implementation guide — if continuity is your biggest immediate risk
- Which network setup fits your profile? — after that, if your network is the next logical layer
Also relevant
- PGP: encrypted communication with clients — only if you have a concrete reason and counterpart for it
- VPN: what it does and what it doesn’t — to avoid overestimating what a VPN solves for business use
- App hardening guide — once the basics are in place and you want to go further
- The normal baseline — practical starting point for most freelancers
- Profile: privacy conscious — if you also want to work more privacy-consciously
Reviews and further reading
- Bitwarden review — team management available
- YubiKey vs Nitrokey review — hardware authentication
- Choosing secure email without overkill — decide when business email, a portal, or a provider switch makes sense
- Proton Drive review — encrypted file storage
- Nextcloud review — self-hosted alternative (technical)