Russell Mickler Russell Mickler

What “Due Care” Means for Small Business Owners — And Why Ignoring It Can Cost You Everything

Is your small business safe from a data breach? Many owners assume outsourcing their IT abdicates their legal responsibilities. In reality, cybersecurity is a management obligation tied to "due care." Learn a simple 5-step framework to actively oversee your technology, satisfy legal standards, and protect your business from devastating liabilities.

Most small business owners treat cybersecurity, data protection, and IT compliance as technical headaches. They hand off the keys to an internal "tech person" or an outside vendor and assume the responsibility is off their plate.

Whew! The Easy Button. That Was Easy.

In reality, cybersecurity is fundamentally a management obligation governed by a critical legal and operational concept: due care.

Understanding "Due Care" in Plain English

In the business world, due care is the legal standard that dictates leadership must take reasonable, prudent steps to protect company assets, customer data, and operational systems. Think of it as the business equivalent of wearing a seatbelt or maintaining the brakes on a delivery truck. It is the baseline level of care required to avoid allegations of negligence.

If your business suffers a data breach, courts, insurance companies, and regulatory bodies will not ask if your security was impenetrable. Instead, they will evaluate whether management actively exercised due care before and after the incident.

They’ll ask, did management manage their IT infrastructure?

If you cannot prove that you took reasonable steps to secure your environment, your cyber insurance claim could be denied, regulatory fines can skyrocket, and your business could face devastating legal liabilities.

The 5-Step Due Care Framework for Leadership

Exercising due care does not require an enterprise-level budget or a flawless, un-hackable infrastructure. It requires consistent, documented managerial oversight.

You can fulfill your management obligations by executing this simple five-step framework:

  1. Identify Risks: Regularly assess where your sensitive data lives (e.g., customer credit cards, employee tax records, proprietary workflows) and pinpoint potential vulnerabilities.

  2. Establish Expectations: Define clear security behaviors for your team. This includes implementing strong password requirements, mandating multi-factor authentication (MFA), and outlining acceptable technology use policies.

  3. Implement Controls: Put basic safeguards in place. Ensure you deploy reliable data backups, manage vendor access strictly, keep software updated, and provide ongoing security awareness training to your staff.

  4. Verify Performance: Do not assume everything is working just because nobody is complaining. Conduct routine reviews of your security posture, test your data restoration capabilities, and audit user permissions.

  5. Document Oversight: If it isn't documented, it didn't happen. Maintain written records of your security policies, employee training logs, vendor agreements, and management reviews. This documentation serves as your legal shield if a breach occurs.

Assumptions

In the context of due care obligations, assumption is a small business owner's greatest vulnerability. Many leaders fall into the trap of assuming that because they have outsourced their IT to a third-party vendor or an internal tech person, their management responsibilities are fully covered. Or, internally, they just assume everything is being managed appropriately and everything us hunky-dorey.

However, under the legal standard of due care, outsourced operations do not mean abdicated responsibility. Courts and insurance providers evaluate whether management actively monitored, verified, and documented their security safeguards—not just whether they hired help. Relying on the assumption that "everything is fine because no one is complaining" creates a dangerous gap in oversight that can invalidate cyber insurance claims and leave a business legally exposed if a breach occurs.

The Bottom Line

Due care is not optional. Managing is a core responsibility of running a modern company. When you actively supervise your IT strategy and clearly communicate expectations, your operational risk decreases, technology costs stabilize, and organizational accountability becomes clear.

Ultimately, outsourced IT does not mean abdicated responsibility. Stay in control of your technology to protect your business, your clients, and your bottom line.

If you’ve got questions, I’ve got answers.

R

Read More
Russell Mickler Russell Mickler

Defending Against Social Engineering Attacks

Is your small business safe from social engineering? Cybercriminals frequently bypass complex firewalls by targeting your employees instead. To protect your business from costly manipulation tactics, implement this practical, four-step playbook designed to help your team recognize the signs, protect critical data, verify unusual requests, and report threats immediately.

Small business owners and managers are highly sought-after targets. You’ve got access to your company’s most valuable assets: financial accounts, proprietary data, and employee information. Cybercriminals know this, and instead of hacking your firewall — which is technically difficult — they often try to "hack" your people through social engineering.

Protecting your business requires a practical, structured approach to spot and stop these manipulative tactics. Use this four-step playbook to train your team and secure your operations.

Step 1: Recognize the Signs

Social engineering relies on deception, but attackers almost always leave clues. Train your team to look out for:

  • Urgency: Demands for immediate action or threats of severe consequences (e.g., "Pay this invoice now or your service will be terminated").

  • High-Value Requests: Sudden solicitations for sensitive credentials, employee tax forms, or wire transfers.

  • Odd Anomalies: Unexpected or out-of-character emails from known vendors, clients, or even executive leadership.

Step 2: Protect Personal & Business Information

Attackers research your company online to make their scams look authentic. Implement a strict "need-to-know" culture. Employees should never share financial data or passwords over email or phone. Additionally, caution your staff about oversharing operational details on social media, as bad actors use these details to craft highly targeted phishing lures.

Step 3: Verify Before Trusting

Never take a high-stakes digital communication at face value. If an email looks suspicious — or requests an unusual financial transaction — verify the sender’s identity using an alternative, trusted channel. Call the client or vendor using a phone number you already have on file, not the number listed in the suspicious email. Check carefully for misspellings, slightly altered domain names, or incorrect logos.

Step 4: Report and Alert

If an employee spots a threat, train them to act immediately. Establish a clear internal protocol: gather all information about the incident, report it to your IT support team right away, and alert colleagues so they don't fall for the same scam.

Don’t have an IT support team? I’m just a click away.

R

Read More
Russell Mickler Russell Mickler

Fingerprinting — the Ghost in the Machine

Think your "Incognito" mode is keeping your business research private? Think again. Learn about browser fingerprinting—the forensic tracking method that identifies your business devices even without cookies. Discover practical steps to harden Chrome, Edge, and Safari to protect your competitive intelligence and data privacy.

As a small business owner, you likely value discretion.

Whether you’re researching a competitor, scouting new locations, or looking into sensitive financial tools, you might rely on "Incognito" or "Private" browsing modes to keep your activities under wraps.

However, as Android Police recently highlighted, there is a much more persistent tracking method at play, and today we’re going to explore a concept called Browser Fingerprinting.

What is Fingerprinting?

Unlike traditional cookies which are like digital ID cards stored on your computer, fingerprinting is more like a forensic analysis. When you visit a website, your browser shares a wealth of technical data to help the site load correctly. This includes your screen resolution, installed fonts, battery level, time zone, and even the specific version of your operating system.

When combined, these unique data points create a "fingerprint" so specific that it can identify you with staggering accuracy, even if you’ve cleared your cookies or are using a private window.

How to Protect Your Business

Standard private browsing won’t stop a fingerprint. To fight back, you can harden the tools you already use:

  • Tighten Edge & Safari Settings: In Edge, set Tracking Prevention to "Strict" in your Privacy settings. In Safari, ensure "Hide IP address from trackers" is enabled to break the primary link trackers use to build your profile.

  • Standardize Your Hardware: One of the best ways to hide is in plain sight. If everyone in your office uses the same laptop model and OS version, you share a nearly identical fingerprint, making it much harder for scripts to pick out an individual user.

  • The "Incognito" Rule: In all three browsers, continue using Incognito/Private mode. While it doesn't stop fingerprinting, it prevents the combination of your fingerprint with your long-term browsing history.

  • Enable "Shields Up" in Edge: Go to Settings > Privacy, search, and services. Set your "Tracking prevention" to Strict. This blocks a majority of fingerprinting scripts by default.

  • Leverage Safari’s Intelligence: Safari automatically uses Intelligent Tracking Prevention (ITP). To go further, ensure "Hide IP address from trackers" is enabled in your Privacy settings; this prevents trackers from using your IP as a key part of your fingerprint.

  • Chrome’s Privacy Sandbox: Chrome is moving away from cookies toward a "Privacy Sandbox." While controversial, you can go to Settings > Privacy and security > Ad privacy and turn off these features to prevent Chrome from sharing your "interests" with sites, which is a form of profiling.

Why It’s a Business Risk

For a business owner, fingerprinting isn't just about targeted ads; it’s about data silhouettes.

  • Competitive Intelligence: If you are researching a niche market, fingerprinting allows data brokers to link those searches back to your specific device and location.

  • Security & Profiling: Constant tracking builds a profile of your business habits, which can be sold to third parties, potentially affecting anything from the software prices you’re quoted to the insurance risk profiles generated for your company.

How to Protect Your Business

Standard private browsing won’t stop a fingerprint. To fight back, consider these steps:

  • Use Privacy-First Browsers: Browsers like Brave or Firefox have built-in "anti-fingerprinting" protections that randomize the data your browser sends out.

  • Limit Extensions: Every browser extension you add makes your "fingerprint" more unique. Keep your business machines lean.

  • VPNs are Only Half the Battle: A VPN hides your IP address, but the fingerprint of your actual device remains the same.

In the digital age, being "invisible" takes more than a single click. It requires understanding that your hardware speaks even when you aren't.

Pro-Tip: want to audit your own business devices? You can see what your browser is leaking by visiting a tool like Cover Your Tracks.

Got questions? I’ve got answers.

R

Read More