The Raven Group
Operations

Vendor onboarding is your real security perimeter

January 11, 2026 · 3 min read

There's a slightly uncomfortable truth about small-business security: most of your real risk surface isn't external attackers trying to break in. It's the vendors you've already granted access to. Your accountant has your bank credentials. Your contractor agency has your shared drive. Your marketing automation tool has your customer database. Each of these vendors has their own security posture (good or bad), their own employees (some of whom will leave), and their own incident history (which you're rarely informed about).

Vendor onboarding done seriously is the single highest-leverage security move most small businesses can make, and almost nobody does it. The questions to ask before granting access to a new vendor are short and useful. Where do they store your data, and is it encrypted at rest? Who at the vendor has access to it? How do they handle their own employees leaving — do they revoke access immediately? Have they had a security incident in the last 24 months, and if so, what changed? Are they SOC 2 or ISO 27001 audited, and can you see the report?

None of these questions requires you to be a security expert. They require you to ask. The answers separate the vendors who've thought about security from the ones who haven't, and the second group is much larger than people expect. The act of asking the questions also has a useful secondary effect: it builds a paper trail. When something goes wrong later — and it will, somewhere in your vendor chain — you'll be able to say which vendors you had verified and which ones you hadn't, and that distinction matters for insurance and for accountability.

The closing move is a quarterly vendor access review. Once a quarter, you list every vendor that has access to a system, every credential or API key they hold, and you confirm — to the actual person at the vendor — that the people on their side who have those credentials are still the right people. This takes an hour. It catches the third-party contractor who hasn't been at your vendor's company for eight months but whose token is still active in your system. That contractor isn't a hostile actor. They just exist somewhere, on a laptop, with a credential nobody remembered to revoke.
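The quarterly review above is easier to run consistently if the vendor access list is kept as a structured register rather than a memory exercise. The following is an added example, not code from The Raven Group or this post: it keeps one record per vendor credential (identifier only, never the secret), builds the per-vendor list you send to each vendor contact for confirmation, and flags credentials that were never confirmed, whose last confirmation is older than the review window, or that have sat unused for longer than the idle threshold. The vendors, holders, identifiers and dates in the register are constructed, and the 90-day thresholds are assumptions you would tune to your own review cadence.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class VendorCredential:
    vendor: str                     # vendor organisation
    system: str                     # which of your systems the credential reaches
    credential_id: str              # token / API key / account identifier (never the secret itself)
    holder: str                     # person or service account on the vendor side
    last_used: Optional[date]       # from your own access logs; None if nothing recorded
    last_confirmed: Optional[date]  # when the vendor last confirmed the holder is still right

# Constructed sample register; vendors, holders, identifiers and dates are invented.
SAMPLE_REGISTER = [
    VendorCredential("Accountancy LLP", "online banking", "bank-token-01",
                     "j.smith", date(2026, 1, 9), date(2025, 10, 15)),
    VendorCredential("Contractor Agency", "shared drive", "drive-api-key-07",
                     "contractor-a", date(2025, 5, 2), date(2025, 4, 1)),
    VendorCredential("Marketing Automation Co", "customer database", "crm-sync-key",
                     "svc-sync", date(2026, 1, 10), None),
]

# Assumed date on which this quarter's review is run.
REVIEW_DATE = date(2026, 1, 11)

def review_packet(register):
    """Group credentials by vendor: the list each vendor contact is asked to confirm."""
    packet = {}
    for cred in register:
        packet.setdefault(cred.vendor, []).append(
            (cred.system, cred.credential_id, cred.holder))
    return packet

def review_vendor_access(register, today, review_days=90, idle_days=90):
    """Return (credential_id, reason, days) for every credential that needs action.

    UNCONFIRMED        - the vendor has never confirmed who holds it
    STALE_CONFIRMATION - last confirmation is older than review_days
    NO_USAGE_RECORD    - nothing in your logs shows it being used
    IDLE               - unused for more than idle_days (revoke unless justified)
    """
    findings = []
    for cred in register:
        if cred.last_confirmed is None:
            findings.append((cred.credential_id, "UNCONFIRMED", None))
        elif (age := (today - cred.last_confirmed).days) > review_days:
            findings.append((cred.credential_id, "STALE_CONFIRMATION", age))
        if cred.last_used is None:
            findings.append((cred.credential_id, "NO_USAGE_RECORD", None))
        elif (idle := (today - cred.last_used).days) > idle_days:
            findings.append((cred.credential_id, "IDLE", idle))
    return findings

if __name__ == "__main__":
    for vendor, creds in review_packet(SAMPLE_REGISTER).items():
        print(f"{vendor}: confirm {len(creds)} credential(s) -> {creds}")
    for cred_id, reason, days in review_vendor_access(SAMPLE_REGISTER, REVIEW_DATE):
        suffix = f" ({days} days)" if days is not None else ""
        print(f"ACTION {cred_id}: {reason}{suffix}")
```

Run on the sample register, the accountancy token passes (confirmed 88 days ago, used this week), the marketing sync key is flagged because nobody at the vendor has ever confirmed its holder, and the contractor agency key is flagged twice: its confirmation is 285 days old and it has not been used in 254 days, which is the eight-months-gone contractor from the paragraph above, surfaced by data rather than by someone happening to remember.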
