Agree or disagree

SMBs deal with various types of information to perform their business, whether it's personal information, tax information, banking information, or information relating to the businesses they communicate and work with. Most often these smaller businesses do not have a good security program in place, or have none at all, due to limited resources or negligence. An attacker is not always looking for a large financial profit; at times they act out of revenge, for fun, or simply to build a botnet to attack a higher-profile target. There are several items SMBs can address, like establishing a cybersecurity plan and training all employees in information security.

Information security training: This is a very important step in reducing risk because the proper information gives employees tools to use. This will mitigate social engineering (phishing, vishing, etc.), the introduction of malware from malicious sites or email attachments, and shoulder surfing, to name a few. I worked with a dentist who privately owned three practices; no one had the proper information security training. The majority of the knowledge was common sense or given by other teammates. One example I can briefly provide deals with HIPAA: computers were often unlocked and displaying patient charts. This was very common, and yet no training was implemented. NISTIR provides various examples of where training can be obtained; the Small Business Development Center, the Federal Trade Commission, and the Small Business Administration are just some of the most prominent ones.

Installation of Anti-Virus Software (AV). This software should be installed on all hosts and updated daily so that it has the most recent signatures. Installing one AV is a good step, but having two from different vendors is often recommended to improve the chances of viruses being detected. AV will assist devices and software by scanning for, detecting, quarantining and remediating malware (worms, viruses, etc.).

Identity management. This is on a smaller scale, of course: simply using user role systems, maybe a small AD server. This will lock computers and allow only authorized people to have access to the systems, using the identity management provided by whatever software they use. This establishes simple least privilege: allow employees to access only those systems and only the specific information that they need to do their jobs (Paulsen & Toth, 2016, p. 18).

Paulsen, C., & Toth, P. (2016). Small business information security: The fundamentals. NISTIR 7621 Rev 1. Retrieved from https://doi.org/10.6028/NIST.IR.7621r1