What Every SME Leader Needs to Know About Cybersecurity

Bozidar Spirovski - Interview

In my first year running Music Nonstop Today, an online music magazine, I was wearing many hats at once in our compact team of 4 at the beginning: product owner, project manager, editor, and founder. Our small startup operated at a fast pace during its initial digital business period, delivering new features, building the online magazine structure from multiple perspectives, writing content, and making strategic investments before we started generating revenue. The website disappeared from view during one afternoon. The domain system was compromised when an attacker took control of it to sell the domain name. I was lucky that when that happened, I was writing an article on the WordPress instance, the magazine’s CMS, so I saw what happened and had a chance to react promptly. The loss of the initial ~€20K investment became apparent when I discovered that a basic security mistake could cause the entire amount to disappear. The experience taught me to handle security risk assessment differently for businesses that depend on software as their main operational tool. The system started requiring passwords that needed to be at least 15 characters long, and all systems enforced 2FA as their standard security measure.

My twenty years of experience working with businesses to build and sustain their software infrastructure have proven that SMEs and especially startups face cybersecurity failures because they lack fundamental security measures, instead of dealing with complex technological problems. And that’s understandable because, in most cases, startups and small teams focus more on functional aspects than on non-functional ones, which include the security perspective.

Bozidar Spirovski - cybersecurity specialist

That’s why this interview with Bozidar Spirovski, Chief Information Security Officer at Blue Dot and Sourcico and founder of BeyondMachines, is worth your time. Bozidar talks in terms of practical implementation rather than academic concepts. He emphasizes discipline, leadership behaviour and basic controls, which work best for small and medium-sized organizations. The interview gives digital business owners without technical backgrounds concise guidance on the security practices they need to understand before security incidents become operational problems.


Vasil Buraliev: What are the first three actions every SME should take today to protect themselves against the most common cyber threats?

It’s about consistency and discipline, not about high tech. Think of cybersecurity essentials as basic hygiene. We all wash our hands, brush our teeth, try to eat healthy, and exercise. None of those things are advanced, but they help a lot if we are disciplined.
Same with the essential cybersecurity controls.

1. The absolute first action is to activate MFA on EVERYTHING. It reduces your attack surface immensely, since even if your password is compromised, the MFA code will stop most attacks.

2. Be very conscious of social engineering. Most incidents are caused by someone being persuaded to click a link, open a file, pay an invoice, or respond to a fake message from their boss. Always be wary of unexpected messages. Ask yourself – should I be getting this? Especially if it implies urgency of any kind or something too good to be true. Never open attached files, respond to such messages, click on links, or call numbers in such messages. Instead, verify independently, through a well-known channel. Be mindful that social engineering can also arrive as a phone call, or a message on any instant messaging platform. The same rules apply – do not engage, verify independently.

3. Patch your browsers and systems, and install adblockers. Your next layer of protection is the devices you are using. Hackers start exploiting vulnerabilities in operating systems, browsers and office packages within hours of public reporting, sometimes even earlier. So accept the inconvenience of waiting for an update, and patch. Especially your browser: it is your window into the internet, and it will be touching servers which may be malicious. For extra protection, install multiple adblocker tools; they are very good at blocking a lot of malicious content. I recommend uBlock Origin and Privacy Badger. For Chrome, which hates uBlock Origin, use uBlock Origin Lite. And add Privacy Badger.

Bozidar Spirovski

VB: How can a small or medium-sized business build a culture of cybersecurity without a large budget?

It’s all about communication and examples. Much like our attention being focused on what we see in the news cycle, an organization should communicate issues and trends, especially any phishing attempts that have targeted the organization. A monthly or even bi-weekly example is very valuable, especially if you frame it “close to home”: how would such an incident affect people as individuals?
Ask them, “how would you feel if you clicked on this and someone took your Instagram password”?

BS

VB: As ransomware and phishing attacks evolve, what basic protections should every company have in place by default in 2026?

I think I already covered this one, so a very quick recap – do not trust messages and files. Check and double/triple verify independently. Nothing is as urgent as they try to frame it, nobody wants to give you the secret to infinite money, and you are not that pretty for that gorgeous person to want to talk to you.

BS

VB: What’s your advice for CEOs or COOs who don’t come from a tech background but want to ensure their company is secure?

Be just as disciplined as you expect your people to be. “Do as I say, don’t do as I do” doesn’t work. If you start ignoring the rules that should apply to the entire organization, it’s a clear signal that the rules are suggestions. Also, embrace a no-blame culture. Encourage everyone to speak out when they see an incident or when they make a mistake. The faster, the better. Thank them privately, don’t name them publicly, but definitely share and apply the lessons learned. An organization that shares its issues and learns from them grows, and its people help each other. If the organization fears reprisals, nobody will speak out, and a lot of incidents will simply be reported too late.

BS

VB: Many SMEs outsource IT. What should leaders look for when choosing a security-minded MSP or IT partner?

MSPs and IT partners come in all shapes and sizes. Look for people who can connect to your internal teams and will establish good communication over the longer term. At the end of the day, the technology will change, but you need a partner that can and does talk to you regularly. That way the partner hears your challenges and is able to be proactive, which is always better than just opening tickets. Avoid ticket pushers. Also check whether your contact person and team are replaced with an AI chatbot. That’s a sure way not to get anything more than a basic response to your issues.

BS

About Vasil Buraliev

Consultant for project management and software development with a background in bespoke software development and 22+ years of professional experience in designing software systems and managing IT projects, mainly for the public sector. Seeking to use analytic and management skills as a consultant in large-scale IT projects.