Phase 05: Operate

By SearchFundMarket Editorial Team

Published April 22, 2025

Cybersecurity for Acquired Businesses: A CEO’s Priority List

When you acquire a small or mid-sized business, you inherit its cybersecurity posture, or, more often, the absence of one. Most SMEs targeted by search funds have invested little to nothing in information security. Passwords are shared, backups are untested, software is unpatched, and no one has thought about what happens when, not if, a breach occurs. As the new CEO, cybersecurity is your responsibility, and the consequences of neglecting it range from operational disruption to regulatory fines to complete business failure. The good news is that protecting an SME does not require an enterprise-grade budget. It requires a disciplined, prioritized approach that starts on day one.

Why SMEs are prime cybersecurity targets

There is a persistent myth that cybercriminals only go after large corporations. The reality is exactly the opposite. According to Verizon’s Data Breach Investigations Report, over 40% of cyberattacks target small businesses. The reason is straightforward: SMEs hold valuable data (customer records, payment information, employee Social Security numbers, bank account details) but lack the security infrastructure to protect it. They are soft targets.

  • Ransomware gangs operate at scale. Automated tools scan millions of IP addresses looking for unpatched systems and weak credentials. They do not care whether the target is a Fortune 500 company or a 30-person HVAC business. If the door is unlocked, they walk in.
  • Supply chain attacks are rising. Attackers increasingly target smaller companies as entry points into larger ones. If your acquired business is a vendor or subcontractor to larger enterprises, a breach at your company can cascade upstream, destroying relationships and triggering liability.
  • Business email compromise (BEC) is the top threat. BEC attacks, in which criminals impersonate executives or vendors to trick employees into wiring money or sharing credentials, cost businesses over $2.7 billion annually. SMEs without email security controls or employee training are especially vulnerable.
  • Post-acquisition is a high-risk period. Ownership transitions create confusion about who is responsible for IT systems, passwords, and access controls. Former employees or contractors may retain access. New integrations between systems create attack surface. Attackers know this.

The first 30 days: your cybersecurity checklist

During your first 100 days as CEO, cybersecurity should be addressed in the first 30. The items below are not aspirational; they are urgent. A single ransomware attack during the transition period can cripple a business you have not yet had time to understand.

1. Conduct a technology and access audit

Before you can secure the business, you need to know what you are protecting. Your post-acquisition technology audit should include a full inventory of every system, application, device, and cloud service the business uses. Document who has access to each system and at what privilege level. Identify any former employees, contractors, or the previous owner’s family members who still have active credentials. Revoke access immediately for anyone who no longer needs it.
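As an added illustration of the access audit described above (example code, not from the article), the script below reconciles per-system user exports against the HR roster and groups the results by action: accounts to revoke, privileged accounts without MFA, and dormant accounts. The roster, the exports, their column names and the audit date are all constructed for the example.

```python
"""Post-acquisition access audit (added example, not from the article).

Reconciles account exports from each business system against the HR
roster. Sample data below is constructed; column names are assumptions
about what an HR export and a system's user export would contain.
"""
import csv
import io
from datetime import date

# Constructed HR roster: status is "active" or "terminated".
ROSTER_CSV = """email,name,status
ceo@example.com,New CEO,active
ops.lead@example.com,Ops Lead,active
bookkeeper@example.com,Bookkeeper,active
old.tech@example.com,Former Technician,terminated
"""

# Constructed user exports from three systems, one row per account.
ACCOUNTS_CSV = """system,email,role,mfa_enabled,last_login
Email,ceo@example.com,admin,yes,2025-04-20
Email,ops.lead@example.com,user,yes,2025-04-21
Email,old.tech@example.com,user,no,2025-01-10
Email,previous.owner@example.com,admin,no,2024-11-02
Accounting,bookkeeper@example.com,admin,no,2025-04-19
Accounting,ops.lead@example.com,user,yes,2024-12-01
Accounting,itconsultant@contractor.example,admin,yes,2024-09-30
Banking,ceo@example.com,admin,yes,2025-04-18
Banking,shared-finance@example.com,user,no,2025-04-15
"""

AUDIT_DATE = date(2025, 4, 22)  # day the audit is run (constructed)
STALE_DAYS = 90                  # dormant threshold for active staff


def load_roster(text):
    """Map lowercase email -> employment status."""
    return {row["email"].lower(): row["status"]
            for row in csv.DictReader(io.StringIO(text))}


def load_accounts(text):
    """One dict per account row, straight from the system export."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_access(roster, accounts, today):
    """Return findings grouped by the action the CEO should take.

    revoke:       holder is terminated or not on the roster at all
                  (previous owner, contractor, shared mailbox); disable
                  unless a named owner can justify it in writing.
    enforce_mfa:  privileged account of active staff without MFA.
    review_stale: active staff account unused for more than STALE_DAYS.
    """
    findings = {"revoke": [], "enforce_mfa": [], "review_stale": []}
    for acct in accounts:
        email = acct["email"].lower()
        key = f"{acct['system']}:{email}"
        if roster.get(email) != "active":
            findings["revoke"].append(key)
            continue  # no point checking MFA on an account being removed
        if acct["role"] == "admin" and acct["mfa_enabled"].lower() != "yes":
            findings["enforce_mfa"].append(key)
        last_login = date.fromisoformat(acct["last_login"])
        if (today - last_login).days > STALE_DAYS:
            findings["review_stale"].append(key)
    return findings


def run_audit():
    """Run the audit on the constructed data."""
    return audit_access(load_roster(ROSTER_CSV),
                        load_accounts(ACCOUNTS_CSV), AUDIT_DATE)


if __name__ == "__main__":
    for action, keys in run_audit().items():
        print(f"{action} ({len(keys)}):")
        for k in keys:
            print(f"  {k}")
```

Rerunning the same reconciliation after each system's revocations gives a simple way to confirm that the first-30-days cleanup actually took effect.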

2. Enforce multi-factor authentication (MFA)

MFA is the single most impactful security control you can deploy. Enable it on every business-critical account: email, banking, CRM, ERP, cloud storage, accounting software, and any system containing customer or financial data. Use authenticator apps (Microsoft Authenticator, Google Authenticator) or hardware keys (YubiKey) rather than SMS-based codes, which are vulnerable to SIM-swapping attacks. MFA alone blocks over 99% of automated credential attacks.

3. Reset and enforce password policies

In most acquired SMEs, you will find passwords written on sticky notes, shared across teams, reused across systems, and unchanged for years. Implement a password policy immediately: minimum 14 characters, unique per account, managed through a business password manager such as 1Password Business ($7.99 per user per month) or Dashlane Business ($8 per user per month). Force a password reset across all critical systems during the first week.

4. Verify backup integrity

Do not assume backups exist or work. Verify that critical data (financial records, customer databases, operational systems, email archives) is being backed up automatically, encrypted, and stored offsite or in the cloud. Then test a restore. A backup that has never been tested is not a backup; it is a hope. Implement the 3-2-1 rule: three copies of your data, on two different types of media, with one copy offsite. Solutions like Veeam, Datto, or cloud-native backups (AWS Backup, Azure Backup) cost $200-$1,000 per month for a typical SME.

5. Deploy endpoint protection

Every company device (laptops, desktops, servers, and mobile devices used for business) needs managed endpoint protection. This goes beyond traditional antivirus: modern endpoint detection and response (EDR) tools monitor for suspicious behavior, contain threats automatically, and provide forensic data after incidents. CrowdStrike Falcon Go, SentinelOne, and Microsoft Defender for Business are all suitable for SMEs, costing $5-$12 per endpoint per month. Deploy within the first two weeks and ensure every device is enrolled.

Cyber insurance: a non-negotiable

Cyber insurance is not a substitute for security controls, but it is an essential backstop. A standalone cyber insurance policy covers incident response costs, forensic investigation, legal fees, notification expenses, business interruption losses, and ransom payments (though paying ransoms is controversial and increasingly discouraged). For most SMEs, premiums range from $1,000 to $7,500 per year depending on industry, revenue, and security posture.

  • Apply before you need it. Insurers increasingly require MFA, endpoint protection, and backup verification before issuing policies. Completing the first-30-days checklist above makes you insurable and lowers your premiums.
  • Understand the exclusions. Read the policy carefully. Common exclusions include acts of war (which insurers have used to deny claims for state-sponsored attacks), failure to patch known vulnerabilities, and pre-existing breaches discovered after policy inception.
  • Use the insurer’s resources. Many cyber insurance carriers provide free or discounted security tools, incident response hotlines, and tabletop exercise facilitation. These resources alone can be worth the premium.
  • Factor it into your acquisition budget. If the target business had no cyber insurance, the cost of a new policy should be included in your post-close operating budget alongside other infrastructure investments.

Employee training: your strongest, or weakest, link

Technology can block many attacks, but employees remain the primary attack vector. Phishing emails, social engineering calls, and credential theft all exploit human behavior. A security-aware workforce is your best defense; an untrained one is your biggest vulnerability.

  • Launch security awareness training immediately. Platforms like KnowBe4, Proofpoint Security Awareness, or Ninjio provide automated training modules, simulated phishing campaigns, and compliance tracking. Costs range from $15-$25 per user per year. Deploy within the first 60 days.
  • Run simulated phishing exercises quarterly. These tests identify employees who are most susceptible and provide targeted coaching. Track click rates over time; you should see them decline from a typical baseline of 20-30% to under 5% within six months.
  • Establish clear reporting procedures. Employees should know exactly what to do when they receive a suspicious email, notice unusual system behavior, or accidentally click a malicious link. Make reporting easy (a dedicated email address or Slack channel) and reward it. Never punish employees for reporting potential incidents.
  • Tailor training to roles. The finance team needs specific training on BEC and wire fraud. Employees with administrative access need elevated awareness about privilege escalation. Customer-facing staff need training on social engineering. One-size-fits-all training misses the highest-risk scenarios.

Vendor and third-party risk management

Your security is only as strong as your weakest vendor. Most SMEs share data with dozens of third parties (accounting firms, payroll processors, IT consultants, cloud service providers, payment processors) and rarely assess those vendors’ security posture.

  • Inventory all third-party access. Document every vendor, contractor, and service provider that has access to your systems or data. Include their access level, what data they can reach, and whether their access is monitored.
  • Assess critical vendors. For vendors handling sensitive data (payroll, payments, customer PII), request their SOC 2 report or security questionnaire responses. If a critical vendor cannot demonstrate basic security controls, that is a risk you need to manage, whether through contractual requirements, additional monitoring, or replacing the vendor.
  • Review contracts for security clauses. Ensure vendor agreements include data protection requirements, breach notification obligations, and indemnification provisions. Many legacy vendor contracts at acquired SMEs contain no security language whatsoever.
  • Limit vendor access. Apply the principle of least privilege: vendors should have access only to the specific systems and data they need, for only as long as they need it. Disable vendor accounts when engagements end.

Incident response planning

An incident response plan is not something you create during a crisis; it is something you create so you can function during one. Without a plan, a ransomware attack at 2 a.m. on a Friday becomes a week of chaos, bad decisions, and preventable damage.

  1. Define roles and responsibilities. Who leads the response? Who communicates with customers? Who contacts the insurer? Who handles law enforcement? In an SME, these roles often fall to just two or three people; make sure they know it before an incident occurs.
  2. Document escalation procedures. Create a clear escalation path: what constitutes a potential incident, who gets notified first, and at what point external resources (legal counsel, forensic investigators, the cyber insurer’s hotline) are engaged.
  3. Maintain an emergency contact list. Keep a printed (not just digital) list of critical contacts: your IT provider or MSP, cyber insurance carrier, legal counsel, law enforcement cyber unit, and key internal stakeholders. If your systems are encrypted by ransomware, you will not be able to look up these contacts on your computer.
  4. Run tabletop exercises annually. Walk through a realistic scenario (a ransomware attack, a BEC wire fraud, or a data breach) with your leadership team. Identify gaps in the plan and fix them. Many cyber insurance carriers will facilitate these exercises at no additional cost.
  5. Establish communication templates. Pre-draft notification letters for customers, employees, and regulators. During a live incident, you will not have time to wordsmith a breach notification from scratch while simultaneously trying to contain the attack.

Compliance requirements: HIPAA, PCI-DSS, and GDPR

Depending on your industry and geography, your acquired business may be subject to specific cybersecurity and data protection regulations. Non-compliance creates legal liability, regulatory fines, and reputational damage. Understanding your obligations is part of the first-100-days assessment.

  • HIPAA (healthcare). If the business handles protected health information (PHI), which is common in healthcare services, dental practices, home health, and medical billing, you must comply with HIPAA’s Security Rule. This includes encryption of PHI at rest and in transit, access controls, audit logging, workforce training, and a documented risk assessment. Penalties for non-compliance range from $100 to $50,000 per violation, with annual maximums of $1.5 million per category.
  • PCI-DSS (payment card data). Any business that accepts credit card payments must comply with the Payment Card Industry Data Security Standard. For most SMEs, this means completing an annual Self-Assessment Questionnaire (SAQ), maintaining a secure network, protecting cardholder data, implementing access controls, and conducting quarterly vulnerability scans. Non-compliance can result in fines of $5,000-$100,000 per month from payment processors.
  • GDPR (European data). If the business collects or processes personal data of EU residents, even if the business is based outside Europe, GDPR applies. Key requirements include lawful basis for data processing, data minimization, breach notification within 72 hours, and the right to erasure. Fines can reach 4% of annual global revenue or €20 million, whichever is higher.
  • State privacy laws. In the US, an increasing number of states have enacted privacy legislation (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, and others). If the business serves customers in these states, compliance obligations may apply.
  • Industry-specific regulations. Financial services (GLBA, SOX), government contractors (CMMC/NIST 800-171), and education (FERPA) each have their own cybersecurity requirements. Identify applicable regulations during your technology audit.

Budgeting for cybersecurity

A common question from new search fund CEOs is: how much should I spend on cybersecurity? The answer depends on business size, industry, regulatory requirements, and current maturity, but here are practical guidelines.

  • Benchmark: plan to allocate 3-7% of your IT budget to security, or roughly $500-$2,000 per employee per year for a typical SME. For businesses in regulated industries (healthcare, financial services), budget toward the higher end.
  • Year one costs for a 30-person company. A realistic first-year cybersecurity budget includes: password manager ($2,400/year), endpoint protection ($3,600/year), backup solution ($6,000/year), security awareness training ($600/year), cyber insurance ($3,000-$5,000/year), and MSP security services or consultant time ($12,000-$24,000/year). Total: approximately $28,000-$42,000, or roughly $1,000-$1,400 per employee.
  • Integrate with broader technology spending. Your cybersecurity budget should not exist in isolation. It is a component of your overall digital transformation investment. Many security improvements (moving to cloud platforms, implementing modern ERP systems, upgrading email infrastructure) deliver both operational and security benefits simultaneously.
  • Frame it as risk management, not cost. When presenting cybersecurity spending to your board and investors, frame it in terms of risk reduction. The average cost of a data breach for an SME exceeds $120,000, and that figure does not include reputational damage, customer attrition, or the management time consumed by incident response. A $30,000 annual investment in prevention is cheap insurance.

MSP vs. in-house security: the right model for SMEs

Most search fund acquisitions involve businesses with fewer than 100 employees, which means a full-time Chief Information Security Officer (CISO) or even a dedicated IT security person is not economically justified. You have two primary options.

Managed Security Service Provider (MSP/MSSP)

  • What they provide: 24/7 monitoring, endpoint management, patch management, firewall administration, email security, backup management, vulnerability scanning, and incident response support.
  • Cost: $100-$250 per endpoint per month for a full managed security stack, or $1,000-$3,000 per month for a 20-30 person company with basic coverage.
  • Best for: businesses under 50 employees without internal IT staff. The MSP model provides professional-grade security at a fraction of the cost of hiring even one full-time security professional.
  • Selecting a provider: look for SOC 2 Type II certification, experience with your industry, transparent pricing, defined SLAs for response times, and references from businesses of similar size. Avoid providers that lock you into proprietary tools or long-term contracts.

In-house IT with fractional CISO

  • What this looks like: a full-time IT manager or systems administrator who handles day-to-day technology operations, supplemented by a fractional CISO who provides strategic security leadership for 8-16 hours per month.
  • Cost: the IT manager costs $60,000-$90,000 per year in salary and benefits; a fractional CISO costs $3,000-$8,000 per month depending on scope and seniority.
  • Best for: businesses with 50-150 employees, regulated industries requiring deeper compliance expertise, or companies executing a major ERP implementation that demands ongoing technical oversight.

Board reporting on cyber risk

As CEO of a search fund portfolio company, you report to a board that expects visibility into material risks, and cyber risk is now firmly in that category. Integrate cybersecurity into your regular board reporting alongside financial performance, operational metrics, and strategic initiatives. Your KPI dashboard should include security metrics.

  • Report quarterly at minimum. Include a cybersecurity summary in every board package: current risk posture, incidents (if any), key metrics (phishing simulation results, patch compliance rates, backup success rates), and planned improvements.
  • Use a maturity framework. Frameworks like NIST Cybersecurity Framework (CSF) or CIS Controls provide a structured way to assess and communicate your security maturity. Start by scoring your current state, define a target state, and report progress at each board meeting.
  • Quantify risk in business terms. Do not present cybersecurity as a technical issue. Present it as a business risk: potential financial impact, probability of occurrence, and cost of mitigation. Boards understand risk-reward tradeoffs; they do not understand firewall configurations.
  • Disclose material incidents promptly. If a security incident occurs that could affect business operations, financial results, or customer relationships, notify the board immediately; do not wait for the next scheduled meeting. Transparency builds trust; surprises destroy it.

A phased roadmap for the first year

Cybersecurity is not a one-time project. It is an ongoing program that matures over time. Here is a realistic phased approach for a newly acquired SME.

Days 1-30: Foundation

  1. Complete technology and access audit.
  2. Enable MFA on all critical accounts.
  3. Enforce password policy and deploy password manager.
  4. Verify and test backup integrity.
  5. Deploy endpoint protection on all devices.
  6. Revoke access for former employees and unneeded accounts.
  7. Apply for cyber insurance.

Days 30-90: Hardening

  1. Launch employee security awareness training.
  2. Conduct first simulated phishing exercise.
  3. Engage MSP or fractional CISO for ongoing support.
  4. Implement email security (SPF, DKIM, DMARC).
  5. Review and update vendor contracts with security clauses.
  6. Begin compliance gap assessment for applicable regulations.

Days 90-180: Maturation

  1. Develop and test incident response plan.
  2. Conduct first tabletop exercise with leadership team.
  3. Implement network segmentation for critical systems.
  4. Deploy vulnerability scanning on a regular cadence.
  5. Begin board-level cybersecurity reporting.

Days 180-365: Optimization

  1. Achieve compliance with applicable regulatory requirements.
  2. Implement security monitoring and log aggregation.
  3. Establish vendor risk management program.
  4. Refine security budget based on first-year learnings.
  5. Integrate security metrics into the broader KPI dashboard.

Cybersecurity in an acquired SME is not about achieving perfection; it is about systematically reducing risk to a level that protects the business, satisfies regulators, and gives your board confidence. The companies that treat cybersecurity as a strategic priority rather than a back-office cost center are the ones that avoid the headline-making breaches that destroy value overnight. Start with the fundamentals, build discipline into the process, and invest consistently. Your future self, and your investors, will thank you.

Frequently asked questions

How much should an acquired SME spend on cybersecurity annually?

According to Gartner’s IT spending benchmarks, SMEs should allocate 3-7% of their IT budget to security, which translates to roughly $500-$2,000 per employee per year. For a typical 30-person company acquired through a search fund, a realistic first-year cybersecurity budget includes: password manager ($2,400/year), endpoint protection ($3,600/year), backup solution ($6,000/year), security awareness training ($600/year), cyber insurance ($3,000-$5,000/year), and MSP security services ($12,000-$24,000/year), totaling approximately $28,000-$42,000, or roughly $1,000-$1,400 per employee. When presenting this to your board, frame it as risk management: the average cost of a data breach for an SME exceeds $120,000, making the annual prevention investment compelling.

What is the single most impactful cybersecurity control I can deploy immediately?

Multi-factor authentication (MFA). According to Microsoft’s security research, MFA blocks over 99.9% of automated credential-stuffing attacks, making it the highest-impact, lowest-cost security control available. Enable MFA on every business-critical account within the first week of ownership: email, banking, CRM, ERP, cloud storage, and accounting software. Use authenticator apps (Microsoft Authenticator, Google Authenticator) or hardware keys (YubiKey) rather than SMS-based codes, which are vulnerable to SIM-swapping attacks. MFA is free or included with most business software platforms, making it the rare security control that costs nothing to deploy and prevents the majority of common attacks.

Does my acquired business need cyber insurance?

Yes. According to the Insurance Information Institute, standalone cyber insurance is a non-negotiable for any business handling customer data, financial information, or regulated data (HIPAA, PCI-DSS, GDPR). Many general commercial liability policies explicitly exclude cyber incidents, leaving the business fully exposed. Standalone cyber policies cost $1,000-$7,500 per year for most SMEs and cover incident response costs, forensic investigation, legal fees, notification expenses, business interruption losses, and potentially ransom payments. Insurers increasingly require MFA, endpoint protection, and verified backups before issuing policies; completing the first-30-days technology audit checklist makes your business insurable and lowers premiums. Apply within the first 30 days of ownership.

Sources

  • Verizon — Data Breach Investigations Report (DBIR), 2024. Thorough analysis of cyberattack patterns, SME vulnerability data, and threat actor methodologies across 10,000+ incidents.
  • Gartner — IT Key Metrics Data: Security Spending Benchmarks, 2024. Industry-standard IT and cybersecurity spending benchmarks by company size, industry, and maturity level.
  • Microsoft Security — Cyber Signals: MFA Effectiveness Data, 2024. Research demonstrating multi-factor authentication’s effectiveness at blocking automated credential attacks.

Frequently Asked Questions

What cybersecurity steps should you take immediately after an acquisition?

Day 1-7: Change all admin passwords, enable MFA on email and critical systems, verify backup integrity. Day 7-30: Conduct a vulnerability scan, review firewall rules, audit user access permissions (especially departing employees), and purchase cyber insurance if not already in place. These basics prevent 80%+ of common attacks.

How much should an SME spend on cybersecurity?

Budget 5-10% of total IT spend for cybersecurity, or $15K-$50K/year for a $5M-$20M revenue business. This covers: endpoint protection ($5-$15/device/month), cyber insurance ($2K-$10K/year), employee training ($1K-$5K/year), and managed security services ($1K-$5K/month). The cost of a breach averages $120K-$200K for SMEs; prevention is dramatically cheaper.

Sources & References

  1. Verizon - Data Breach Investigations Report (2024)
  2. CISA - Cybersecurity Best Practices for Small Businesses (2024)
  3. Stanford GSB - 2024 Search Fund Study: Selected Observations (2024)
  4. Harvard Business Review - What Great Managers Do (2024)

Disclaimer

This article is educational content about search funds and Entrepreneurship Through Acquisition (ETA). It does not constitute financial, legal, tax, or investment advice. Always consult qualified professional advisors before making investment or acquisition decisions.

SearchFundMarket Editorial Team

Our editorial team combines academic research from Stanford GSB, INSEAD, IESE, and HEC with practitioner insights to produce the most thorough ETA knowledge base in Europe.
