---
id: "framework-dobrygowski-smb-cyber-defense"
type: "framework"
source_timestamps: ["¶8", "¶9", "¶10", "¶11", "¶12", "¶13", "¶14", "¶15"]
tags: ["smb-strategy", "cyber-hygiene", "action-plan"]
related: ["concept-relative-cybersecurity", "action-implement-mfa-passkeys", "action-inventory-systems", "action-architect-data", "action-use-llm-to-attack", "action-vet-vendors"]
speakers: ["Daniel Dobrygowski"]
steps: ["Do the basics: implement multifactor authentication (MFA) and upgrade from passwords to passkey systems.", "Take inventory: scan systems to identify all connected software/hardware, ensure firewalls are updated, and remove non-crucial connections.", "Architect your data: back everything up to defeat ransomware, inventory/tag data, and limit employee access to only necessary data sets.", "Use AI to test your defenses: employ an LLM to 'attack' the network to unearth vulnerabilities.", "Vet your vendors: evaluate vendor security responses critically, using government guidance to know what to look for.", "Follow the regulations: leverage jurisdictional cyber requirements and take advantage of government subsidies or provided software.", "Talk the talk: CEOs and senior teams must prioritize cybersecurity, mandating employee training and periodic readiness tests."]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# Dobrygowski's 7-Step SMB Cyber Defense Plan

A practical, affordable framework designed by [[entity-daniel-dobrygowski|Daniel Dobrygowski]] (author of *[[entity-technology-governance-book|Technology Governance]]*) to dramatically reduce an SMB's cyber exposure *without* enterprise-level budgets. It operationalizes the strategic posture of [[concept-relative-cybersecurity]] — every step raises the relative cost of attacking you.

**The seven steps:**

1. **Do the basics** → [[action-implement-mfa-passkeys]]. Implement multifactor authentication (MFA) everywhere and upgrade from passwords to passkey systems, which offer considerably higher security. (Rationale: [[claim-mfa-blocks-common-attacks]].)
2. **Take inventory** → [[action-inventory-systems]]. Scan systems to identify all connected software/hardware, ensure firewalls and legacy software have current security upgrades, and remove connections that are no longer crucial to reduce the attack surface.
3. **Architect your data** → [[action-architect-data]]. Back everything up to defeat ransomware ([[claim-backups-defeat-ransomware]]), inventory and tag data with software tools, and apply least-privilege access. See [[concept-data-architecture-for-security]].
4. **Use AI to test your defenses** → [[action-use-llm-to-attack]]. Employ an LLM to "attack" your own network to unearth vulnerabilities — [[concept-ai-assisted-penetration-testing]]. (Open implementation questions: [[question-llm-attack-methodology]].)
5. **Vet your vendors** → [[action-vet-vendors]]. Don't just collect vendor security forms — evaluate the responses, using government guidance to know what to look for. (Open question: [[question-government-vendor-guidance]].)
6. **Follow the regulations.** Leverage jurisdictional cyber requirements and take advantage of government subsidies or provided software. (No dedicated action note — treat as a policy-leverage step.)
7. **Talk the talk.** CEOs and senior teams must prioritize cybersecurity from the top down, mandating employee training and periodic readiness tests — cultivating a security culture, not just buying tools.

> [!tip] How to read this framework
> Steps 1–3 are foundational hygiene (highest ROI, do first). Step 4 is the AI-native twist (do with caution — see enrichment on [[concept-ai-assisted-penetration-testing]]). Steps 5–6 address supply-chain and regulatory leverage. Step 7 is the cultural multiplier that makes the other six stick.
