Your email password was in a breach last month. You just don’t know it yet.
That’s not a scare tactic - it’s statistics. The Have I Been Pwned database has over 14 billion compromised credentials. Somewhere in that pile is probably an email address you’ve used, linked to a password you might still be using somewhere.
Small businesses in Fargo-Moorhead get hit every week. Not because attackers are specifically targeting them - but because when you cast a wide enough net, the businesses with gaps get caught. Here are the five gaps I see most often.
1. Weak or reused passwords
Spring2024! is not a password. Neither is your business name followed by a number. When any site you’ve ever used gets breached - and they do, constantly - those username/password combinations get tested against everything else automatically. It takes minutes. If you’ve reused a password, your other accounts are exposed.
Use a password manager. Bitwarden is free, open-source, and security-audited. It takes about an hour to roll out across a small team, and it closes the single biggest entry point into most small businesses. Every account gets a unique, random password. You remember one master password. Done.
2. Skipping software updates
Those update notifications aren’t a nuisance - they’re patching security holes that attackers already know about. The gap between “patch released” and “exploit in the wild” is sometimes measured in hours, not weeks.
Enable automatic updates for Windows, your browsers, and your main business applications. If you’re running network equipment or servers without auto-update, make sure someone owns that process and actually does it. An unpatched router sitting in your back office is a door you didn’t know you left open.
3. Backups you’ve never tested
Ransomware attackers go after your backups first. If they can delete or encrypt your backups before locking you out, you’re stuck. And here’s what most people don’t realize: a backup you’ve never tested isn’t really a backup. It’s hope.
Back up to at least two locations - one local, one cloud (Azure Backup, Backblaze, whatever fits your setup). Then actually restore something from it. Pull a real file. Confirm it works. Do this quarterly. I’ve had clients discover their backup hadn’t been running for six months - right after a ransomware hit. Don’t learn that lesson the hard way.
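A quarterly restore test like this can be scripted. The following is an added example, not part of the original article: it flags a backup folder whose newest file is too old and a restored file whose SHA-256 hash does not match the original. The 7-day limit, the file names and the sample data are assumptions constructed for illustration, and the comparison assumes the original file has not changed since the backup ran.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_of(path):
    """Hash in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def newest_backup_age_days(backup_dir):
    """Days since the newest file under backup_dir changed; None if no files."""
    mtimes = [p.stat().st_mtime for p in Path(backup_dir).rglob("*") if p.is_file()]
    return (time.time() - max(mtimes)) / 86400 if mtimes else None

def check_restore(original, restored, backup_dir, max_age_days=7):
    """Return a list of problems; an empty list means the test passed."""
    problems = []
    age = newest_backup_age_days(backup_dir)
    if age is None:
        problems.append("no backup files found")
    elif age > max_age_days:  # assumed policy: backups run at least weekly
        problems.append(f"newest backup is {age:.0f} days old")
    if not os.path.isfile(restored):
        problems.append("restored file is missing")
    elif sha256_of(restored) != sha256_of(original):
        problems.append("restored file differs from the original")
    return problems

def demo():
    """Constructed sample data: a healthy restore, then a stale backup and a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = Path(tmp, "backups")
        backups.mkdir()
        original, restored = Path(tmp, "invoices.csv"), Path(tmp, "restored.csv")
        archive = backups / "nightly.zip"  # stand-in for a real backup set
        original.write_bytes(b"id,amount\n1,100\n")
        restored.write_bytes(original.read_bytes())
        archive.write_bytes(b"constructed placeholder")
        healthy = check_restore(original, restored, backups)
        old = time.time() - 180 * 86400  # pretend the job stopped six months ago
        os.utime(archive, (old, old))
        restored.write_bytes(b"id,amount\n")  # truncated restore
        broken = check_restore(original, restored, backups)
    return healthy, broken
```

Point `check_restore` at a real file, the copy you restored from backup, and your backup folder; any message in the returned list is a reason to look at the backup job before you need it.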
4. No phishing training for your team
Phishing is how most breaches start. Not through sophisticated zero-day exploits - through an email that looked legitimate enough that someone clicked. In 2025, phishing emails have gotten convincing enough to fool experienced people. AI-generated phishing messages now mimic writing styles and reference real context pulled from LinkedIn.
Run a simulated phishing test at least once a year. KnowBe4 is the standard tool; there are also free options for very small teams. The goal isn’t to punish anyone who clicks - it’s to build the habit of pausing before acting. One hour of training can prevent a $50,000 recovery.
5. No multi-factor authentication (MFA)
MFA means that even if an attacker has your password, they still can’t get in without the second factor - a code from your phone, a push notification, a hardware key. It’s the single highest-ROI security measure you can implement.
Turn it on for everything that supports it, starting with email, Microsoft 365 or Google Workspace, banking, and remote access tools. Use an authenticator app (Microsoft Authenticator or Google Authenticator) rather than SMS codes when you can - SMS can be intercepted. Takes 15 minutes to set up per account. Do it this week.
Where to start if this feels like a lot
It is a lot. But you don’t have to do it all at once. Prioritize in this order:
- Password manager - roll out to your whole team this week
- MFA on email and Microsoft 365 / Google Workspace - also this week
- Test a backup restore - before the end of the month
- Schedule phishing training - this quarter
If you want someone to walk through your current setup and tell you exactly where the gaps are - no jargon, no pressure - reach out to DarkHorse IT. We serve the Fargo-Moorhead area and we’ll give you a straight answer.