Article · Security

Cybersecurity for SMBs: A Practical Checklist

Small businesses are the prime target for modern cyber attacks, not large corporations. A concrete guide to what you need in place — without spending a fortune.

Inovix Team · December 28, 2025 · 9 min

The myth that cyber attacks only hit large corporations is exactly that — a myth. Figures from national security agencies show 6 out of 10 Norwegian SMBs were hit by a targeted attack in 2025, and the average breach cost was around 870,000 NOK. Enough to put a mid-sized business out of operation.

Why SMBs are the preferred target

Attackers have done the maths: a large corporation has a security department, SOC, and crisis plan. An SMB has one IT person (maybe) and an accountant who says no to extra budget. The cost/return ratio for the attacker is better with SMBs, particularly for ransomware.

The most common pattern we see: phishing email to the finance department, compromised account, access to Microsoft 365 / Google Workspace, and then either data theft or ransomware with bitcoin demand.

Checklist: minimum you need in place

1. Two-factor authentication on everything

This is the simplest measure with the biggest effect. Microsoft has estimated 2FA stops 99.9 % of account compromise. Use it on email, accounting systems, CRM, banking, and any service with sensitive data.

Use an authenticator app (Microsoft Authenticator, Google Authenticator, Authy) — not SMS, which can be SIM-swapped. For admin accounts: hardware security keys (YubiKey) are the gold standard.

2. Password management — not in a spreadsheet

Most SMB breaches start with a reused or weak password. Roll out a password manager (1Password, Bitwarden) for the whole company, and require unique 20+ character passwords for all services.

3. Backup that can't be encrypted

Ransomware encrypts everything it can reach — including network backups. The 3-2-1 rule still holds: 3 copies, 2 different media, 1 offsite. That offsite copy must be offline or immutable (S3 Object Lock, Backblaze B2 immutable). If ransomware can reach the backup, you have no backup.

4. Endpoint protection, not "antivirus"

Traditional antivirus isn't enough against modern threats. Use EDR (Endpoint Detection & Response) — Microsoft Defender for Business, CrowdStrike Falcon Go, or SentinelOne. These also detect behaviour, not just known files.

5. Updated software

Patch everything. Operating system, browsers, plug-ins, router firmware, NAS, anything connected to the network. Most ransomware outbreaks exploit vulnerabilities for which a patch was released months ago.

6. Email security

Enable SPF, DKIM, and DMARC on your domain — these let receiving mail servers recognise and reject mail that falsely claims to come from your domain. Also enable anti-phishing policies in Microsoft 365 / Google Workspace (they're off by default in many tenants).
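Publishing SPF and DMARC records is only half the job; a record with `?all` or `p=none` is technically "enabled" but tells receiving servers to deliver spoofed mail anyway. The following is an added example (not code from the article or from Inovix) that parses SPF and DMARC record strings and flags the weak settings a practitioner should look for. The record strings are constructed for illustration; the `example.com` addresses and the `Finding` / `check_spf` / `check_dmarc` names are this example's own, and in practice you would feed it the TXT records fetched for your domain and for `_dmarc.<domain>`.

```python
"""Sanity-check SPF and DMARC records the way a receiving mail server reads them.

Added example, not part of the original article. Parsing follows the SPF
(RFC 7208) and DMARC (RFC 7489) record syntax; the sample records below are
constructed and do not belong to any real domain.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    level: str    # "ok", "warn" or "fail"
    message: str


# Mechanisms that cost a DNS lookup; RFC 7208 limits a record to 10 of them.
_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def check_spf(record: str) -> list[Finding]:
    """Return findings for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("fail", "not an SPF record (must start with v=spf1)")]
    mechanisms = [t.lower() for t in terms[1:]]
    findings: list[Finding] = []

    lookups = [m for m in mechanisms
               if m.split(":")[0].lstrip("+-~?") in _LOOKUP_MECHANISMS
               or m.startswith("redirect=")]
    if len(lookups) > 10:
        findings.append(Finding("fail", f"{len(lookups)} DNS-lookup terms; the limit is 10 (permerror)"))

    # The final "all" mechanism decides what happens to senders not listed above.
    last = mechanisms[-1] if mechanisms else ""
    if last in ("+all", "all"):
        findings.append(Finding("fail", "'+all' allows anyone to send as your domain"))
    elif last == "?all":
        findings.append(Finding("warn", "'?all' is neutral: spoofed mail is not marked as failing"))
    elif last == "~all":
        findings.append(Finding("ok", "softfail '~all' (acceptable once DMARC enforces a policy)"))
    elif last == "-all":
        findings.append(Finding("ok", "hardfail '-all'"))
    elif any(m.startswith("redirect=") for m in mechanisms):
        findings.append(Finding("ok", "policy delegated via redirect="))
    else:
        findings.append(Finding("warn", "no 'all' mechanism: unlisted senders are treated as neutral"))

    if any(m.lstrip("+-~?").startswith("ptr") for m in mechanisms):
        findings.append(Finding("warn", "'ptr' is deprecated and slow to evaluate; remove it"))
    return findings


def check_dmarc(record: str) -> list[Finding]:
    """Return findings for one DMARC TXT record (published at _dmarc.<domain>)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return [Finding("fail", "not a DMARC record (must start with v=DMARC1)")]
    findings: list[Finding] = []

    policy = tags.get("p")
    if policy is None:
        findings.append(Finding("fail", "missing required 'p=' tag"))
    elif policy == "none":
        findings.append(Finding("warn", "p=none only monitors; spoofed mail is still delivered"))
    elif policy in ("quarantine", "reject"):
        findings.append(Finding("ok", f"p={policy}"))
    else:
        findings.append(Finding("fail", f"unknown policy p={policy}"))

    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(Finding("warn", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("warn", "no rua= address: you receive no aggregate reports of who spoofs you"))
    return findings


def worst_level(findings: list[Finding]) -> str:
    """Collapse a list of findings to the most severe level present."""
    order = {"ok": 0, "warn": 1, "fail": 2}
    return max(findings, key=lambda f: order[f.level]).level


# Constructed sample records: a "ticked the box" setup beside a hardened one.
SAMPLE_RECORDS = {
    "weak": ("v=spf1 include:spf.protection.outlook.com ?all",
             "v=DMARC1; p=none"),
    "hardened": ("v=spf1 include:spf.protection.outlook.com -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(f"== {name} ==")
        for f in check_spf(spf) + check_dmarc(dmarc):
            print(f"  [{f.level}] {f.message}")
```

Run it as a script to see the two sample setups side by side: the "weak" pair comes back with warnings (neutral SPF, monitoring-only DMARC, no reporting address), the "hardened" pair is all ok. Moving from `p=none` to `p=quarantine` and then `p=reject` is the usual rollout order, after the aggregate reports sent to the `rua=` address confirm that all legitimate senders pass.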

Training: the weakest link

All the technology in the world doesn't help if employees click on phishing links. Concretely:

  • Run monthly (brief) phishing simulations — 5-minute training afterwards for those who click
  • Build a culture where "I'm unsure" is always the right answer — better to call than click
  • Have a concrete procedure for "someone is asking me to transfer money quickly" (CEO fraud)

What you don't need (yet)

For a typical SMB with 5–50 employees, you do not need:

  • A dedicated SOC (Security Operations Center)
  • A full-time CISO
  • Zero-trust architecture with micro-segmentation
  • Quarterly penetration testing

These are overkill for most SMBs and cost more than they return. Focus on the foundation first.

When something goes wrong: an incident plan

When (not if) something happens, you need to know what to do in the first 60 minutes:

  1. Isolate — physically disconnect the infected machine from the network
  2. Assess scope — what does the attacker have access to? Which accounts are compromised?
  3. Contact national CERT if it's ransomware or a major data breach
  4. Reset passwords for all affected accounts, including service accounts
  5. Restore from a clean backup — never pay the ransom, particularly if you have backups
  6. Report to police — it's free and gives you documentation for insurance

Write this plan down, rehearse it once a year. It's the difference between 4 hours of downtime and 4 weeks of downtime.

Our recommendation

Cybersecurity for SMBs in 2026 doesn't need to be complex. 80 % of attacks can be stopped with 6 simple measures: 2FA, password manager, EDR, updated systems, immutable backup, and employee training.

The investment is typically 30,000 – 80,000 NOK in the first year for a business with 10–30 employees. Compared to 870,000 NOK average damage, it's good ROI.

If you want a review of where you stand, we do a 20-minute security assessment for free. We tell you where you're vulnerable — no sales pitch.
