Finally: The Only Cybersecurity Setup Guide Small Business Owners Actually Need
You Don’t Need to Be a Tech Genius. You Just Need to Stop Being an Easy Target.
Most small business owners think cybersecurity is someone else’s problem. It isn’t. And the moment you realize that, everything changes.
Introduction: Why Small Businesses Are Getting Crushed by Cyber Threats Right Now
Here’s a scenario that plays out hundreds of times every day across the country. A small restaurant owner gets an email that looks exactly like it came from her bank. She clicks the link, enters her credentials, and within 72 hours, $47,000 is gone from her business account. She did nothing “wrong” in the traditional sense. She was just unprepared.
That’s not a horror story pulled from a thriller novel. That’s a Tuesday in 2025.
The cybersecurity landscape has shifted dramatically in the last two years, and small businesses are bearing the brunt of it. According to a 2024 Verizon Data Breach Investigations Report, 46% of all data breaches now target small and medium-sized businesses. Nearly half. And the average cost of a single data breach for a small business runs between $120,000 and $1.24 million when you factor in downtime, legal exposure, customer notification, and reputation damage.
Think about that like this. If your physical store had a 46% chance of being robbed this year, you’d have a state-of-the-art alarm system, reinforced locks, and a security camera before the week was out. But your digital front door? Most small businesses leave it wide open, with a welcome mat and the lights on.
The “how did we get here?” story is actually pretty simple. Cybercriminals have industrialized. They now operate like SaaS companies, with subscription-based hacking tools, customer support channels, and profit-sharing models. What used to require nation-state resources now costs a bad actor about $50 a month on the dark web. At the same time, the explosive growth of remote work since 2020 created thousands of new entry points into business networks. Home Wi-Fi networks, personal devices, and cloud apps opened gaps that most small businesses never closed.
Meanwhile, the tools available to protect yourself have never been better or more affordable. This is genuinely good news. A small business owner with zero technical background can now set up enterprise-grade cybersecurity for a few hundred dollars a year. The problem isn’t access to protection. The problem is knowing where to start.
“Small businesses represent 99.9% of all U.S. businesses, yet most operate with little to no formal cybersecurity strategy. The gap between threat level and preparedness has never been wider.” — U.S. Small Business Administration, 2024 Cybersecurity Resources Overview
The World Economic Forum’s Global Cybersecurity Outlook 2025 found that cyber inequity is growing, meaning large enterprises are pulling further ahead in their defenses while smaller organizations fall further behind. That gap is exactly what cybercriminals are exploiting.
This guide closes that gap. No jargon. No $50,000 consulting fees. No assumption that you have an IT department. Just the exact cybersecurity setup a small business needs to stop being low-hanging fruit.
Section 1: Understanding the Real Cybersecurity Threats Facing Small Businesses Today
Before you buy a single tool or change a single setting, you need to know what you’re actually defending against. This is where most generic cybersecurity advice fails small business owners. It throws solutions at problems without explaining the problems first.
The threats targeting small businesses in 2025 fall into four major categories, and understanding each one helps you prioritize your defenses intelligently.
Phishing attacks are the number one entry point for breaches. These are fraudulent emails, texts, or even phone calls designed to trick your employees into giving up passwords, clicking malicious links, or transferring money. Modern phishing emails are terrifyingly convincing. AI has made it trivially easy for criminals to write perfect, grammatically flawless impersonations of your bank, your software vendors, or even your own CEO.
Ransomware is the threat that gets the headlines. A criminal gains access to your systems, encrypts all your files, and demands payment, usually in cryptocurrency, to restore access. The average ransom demand for a small business is now $116,000. Many businesses pay it. Fewer than half get all their data back even after paying.
Credential stuffing and password attacks happen when criminals take lists of usernames and passwords leaked from other data breaches and try them on your accounts. If your employee uses the same password for their Netflix account and their work email, you have a problem. These attacks are automated and run at scale. A criminal can test 100,000 password combinations overnight without breaking a sweat.
Insider threats and human error round out the picture. This doesn’t mean your employees are malicious. It means humans make mistakes. Sending a file to the wrong person, clicking a suspicious link out of curiosity, or misconfiguring a cloud storage bucket so it’s publicly accessible. These errors cause a significant portion of breaches.
Here are the four attack types and how they typically enter your business:
- Phishing enters through email, SMS, or voice calls targeting employees
- Ransomware enters through phishing links, unpatched software, or compromised remote access
- Credential attacks enter through reused or weak passwords across multiple platforms
- Human error enters through misconfigured systems, accidental sharing, or lack of training
Knowing this, your cybersecurity setup isn’t about building a single wall. It’s about creating multiple layers of protection so that when one layer fails, and at some point, one will, the others hold.
Section 2: Password Management — The Foundation of Small Business Cybersecurity
If there’s one single change that gives you the most protection for the least effort, it’s switching every person in your business to a dedicated password manager. Full stop.
Most small businesses run on a chaotic mix of shared spreadsheets with passwords, sticky notes, and employees who use “Company2024!” across fifteen different accounts. This is not a small vulnerability. It’s an open invitation.
A password manager generates unique, complex passwords for every account, stores them securely with military-grade encryption, and fills them in automatically when your team logs in. Nobody needs to remember anything except one master password. The result is that every single account your business uses gets its own unguessable, unique password. A breach at one platform doesn’t cascade into a breach everywhere else.
The top password managers for small businesses right now:
- 1Password Teams — Widely considered the gold standard for small business use. Clean interface, strong admin controls, and a business dashboard that lets you see which employees are using strong or weak passwords. Costs around $19.95 per month for up to 10 users. Saves approximately 3 to 5 hours per week in password-related friction and account recovery across a team.
- Bitwarden Business — The open-source champion. More affordable than 1Password, fully audited code, and an excellent option if you want transparency in your security tools. Starts at $3 per user per month.
- Dashlane Business — Includes a dark web monitoring feature that alerts you if any of your business credentials appear in known data breaches. Slightly pricier but the proactive monitoring adds real value.
The business case here is simple. A single account compromise can cost your business tens of thousands of dollars. A password manager costs less than a decent office coffee maker per month. The math isn’t hard.
Estimated time saved per week: 3 to 5 hours across a team of 5 to 10 people, in reduced password resets, login friction, and IT support requests.
Who benefits most: Any business with more than one employee who accesses shared accounts, client portals, software subscriptions, or banking platforms.
Section 3: Multi-Factor Authentication — The Cybersecurity Seatbelt Your Small Business Isn’t Wearing
Even the best password manager can’t save you if someone tricks an employee into revealing their master password. That’s where multi-factor authentication, or MFA, comes in. Think of MFA as a second lock on your door. Even if someone has your key, they still can’t get in without a second piece of proof.
MFA requires a user to verify their identity with at least two factors: something they know, like a password, and something they have, like a phone that generates a temporary code. Some systems also use something they are, like a fingerprint or face scan. When MFA is enabled, a stolen password alone is useless. The attacker would also need physical access to your employee’s phone or device.
Microsoft’s own security data shows that MFA blocks more than 99.9% of automated credential attacks. That statistic deserves to be read twice.
Setting up MFA across your small business:
- Start with your email platform, whether that’s Google Workspace or Microsoft 365. These are your highest-value targets.
- Enable MFA on your banking and financial platforms immediately. Most banks offer this free.
- Turn it on for every SaaS tool your business uses, project management, accounting software, CRM systems.
- Use an authenticator app rather than SMS text messages when possible. SMS codes can be intercepted through a technique called SIM swapping. Google Authenticator, Microsoft Authenticator, and Duo Security are all excellent options.
- Set a company policy that MFA is mandatory for all business accounts. Make it non-negotiable.
Duo Security deserves special mention here. It’s the enterprise-grade MFA solution that scales beautifully for small businesses. It integrates with hundreds of apps, offers a clean dashboard for managing your whole team’s authentication, and has a free tier for up to 10 users. Once you grow beyond that, paid plans start at $3 per user per month.
Estimated time saved per week: MFA doesn’t save time. It saves your business. But in terms of incident prevention, businesses with MFA enabled spend dramatically less time and money recovering from breaches. Consider it an insurance policy, not a productivity tool.
Who benefits most: Every single business with employees, contractors, or remote workers accessing company accounts from any device.
Section 4: Network Security — Locking Down Your Business Wi-Fi and Remote Access
Your business network is the highway that all your data travels on. If that highway has no guardrails and no traffic cameras, anything can drive down it. Setting up proper network security is less complicated than it sounds, and it’s not optional.
The biggest network vulnerabilities for small businesses cluster around three areas: unsecured Wi-Fi, outdated routers, and unmanaged remote access. Let’s tackle each one directly.
Your business Wi-Fi setup should follow these rules:
- Never share your main business network with customers or guests. Set up a separate guest network for any visitor Wi-Fi access. Modern routers from brands like Cisco Meraki, Eero Pro, or Netgear Orbi make this a two-minute setup.
- Change your router’s default admin username and password immediately. Hundreds of thousands of routers are compromised every year simply because owners never changed “admin/admin” after plugging them in.
- Use WPA3 encryption on your business Wi-Fi network. This is now the standard and significantly harder to crack than older WPA2 encryption.
- Enable automatic firmware updates on your router. Outdated router firmware is one of the most exploited vulnerabilities in small business networks, and most business owners don’t know their router’s firmware exists, let alone that it needs updating.
For remote access, a Virtual Private Network, or VPN, is your best friend. A business VPN creates an encrypted tunnel between your remote employees and your company network, so even if they’re working from a coffee shop on public Wi-Fi, their connection is protected. NordLayer (previously NordVPN Teams) and Perimeter81 are both excellent business VPN solutions designed specifically for small business use, with simple admin dashboards and affordable per-user pricing.
Estimated time saved per week: Network security isn’t about saving time. It’s about avoiding catastrophic downtime. The average ransomware attack keeps a small business offline for 21 days. That’s the number you want to avoid.
Who benefits most: Businesses with remote employees, customer-facing Wi-Fi, or any team members accessing company data from outside the office.
Section 5: Endpoint Protection — Cybersecurity for Every Device Your Team Uses
Every laptop, phone, and tablet that connects to your business network is an endpoint. Every endpoint is a potential entry point for an attacker. Endpoint protection, which used to be called antivirus software before the threat landscape evolved, is now a sophisticated layer of your security stack.
Modern endpoint protection does far more than scan for known viruses. It monitors behavior in real time, detects anomalies, blocks ransomware from encrypting files, and gives your business visibility into what’s happening on every device.
For small businesses, the two platforms that consistently stand out are CrowdStrike Falcon Go and Malwarebytes for Teams. CrowdStrike is used by Fortune 500 companies but has launched accessible tiers specifically for small and medium businesses. Malwarebytes is more affordable and easier to set up without IT support, making it the more practical choice for most small business owners managing their own tech.
What good endpoint protection does for your business:
- Detects and blocks malware, ransomware, and spyware in real time
- Monitors unusual behavior on devices, like an employee device suddenly trying to access files it never touches
- Provides centralized visibility so you can see the security status of every device from one dashboard
- Enforces device policies, like requiring screen lock after inactivity or blocking access from unmanaged personal devices
Estimated time saved per week: Endpoint protection doesn’t save hours. It prevents the hours, days, and weeks of work that follow a successful malware attack. But the centralized management dashboard alone typically saves business owners 1 to 2 hours per week compared to manually managing device security.
Who benefits most: Any business where employees use laptops, work from home, or connect personal devices to company accounts.
Section 6: Email Security — Stopping Phishing Before It Reaches Your Team
Email is where most cyberattacks start, and it’s where your first line of active defense needs to be. The built-in spam filters in standard email platforms like Gmail and Outlook are better than they were five years ago, but they’re not designed to stop sophisticated, targeted phishing attacks.
Dedicated email security tools sit in front of your inbox and evaluate every incoming message before it arrives. They check the sender’s reputation, scan attachments for malicious code, analyze links for known phishing patterns, and flag or quarantine anything suspicious. This happens in milliseconds and is completely invisible to your team unless something gets flagged.
Proofpoint Essentials is the small business version of the enterprise email security platform used by thousands of large corporations. It catches phishing emails, business email compromise attempts (where criminals impersonate your CEO or CFO to authorize fraudulent transfers), and malware-laced attachments with impressive accuracy. Pricing starts at around $2.95 per user per month.
Mimecast is another strong option with a particularly good reputation for business email compromise protection and email continuity, meaning you can still send and receive email even if your main server goes down.
Beyond tools, your team’s behavior matters enormously. The three most important email security habits to train into your organization:
- Never click a link in an email to log into an account. Always type the website address directly into your browser.
- Verify any email requesting a wire transfer, gift card purchase, or urgent financial action via a separate communication channel, like a phone call, before acting on it.
- Hover over any hyperlink before clicking to see the actual destination URL. If it doesn’t match what it claims to be, don’t click.
Estimated time saved per week: Email security tools reduce the mental overhead of evaluating suspicious emails, saving employees 30 to 60 minutes per week in cautious email triage. More importantly, they remove the human judgment requirement from the first line of defense.
Who benefits most: Every business with employees who have email addresses. Which is every business.
Section 7: Data Backup and Recovery — Your Cybersecurity Safety Net
Here’s the uncomfortable truth that every small business owner needs to internalize. No security system is 100% foolproof. Attackers evolve faster than defenses. Employees make mistakes. Systems have zero-day vulnerabilities that nobody knows about yet. A complete cybersecurity setup accepts this reality and builds a recovery plan for when, not if, something goes wrong.
Data backup is your last line of defense and your most underappreciated one. If a ransomware attack encrypts all your files but you have clean, recent backups stored separately, the attacker’s leverage disappears. You restore your data, you wipe the compromised system, and you’re back in business within hours instead of weeks.
The gold standard for small business backup follows the 3-2-1 rule. Three copies of your data, on two different types of storage media, with one copy stored offsite or in the cloud. This redundancy means no single event, whether that’s ransomware, a fire, a hardware failure, or theft, can destroy all your data at once.
The best backup solutions for small businesses:
- Backblaze for Business — Incredibly affordable at $9 per computer per month, automatic continuous backup, and a proven track record. The restore process is simple enough that you don’t need an IT person to execute it.
- Acronis Cyber Protect — Goes beyond basic backup by combining backup with active ransomware protection. If it detects a process trying to encrypt files, it stops the process and restores the affected files from the most recent backup automatically. This is particularly valuable for businesses that want backup and endpoint protection in one platform.
- Microsoft Azure Backup — If your business already uses Microsoft 365, Azure Backup integrates cleanly and offers enterprise-grade reliability at small business pricing.
Estimated time saved per week: Backup tools run automatically in the background and require almost no active management. The time savings come in a crisis. A business with proper backups recovers in hours. A business without them averages 21 days of downtime after a ransomware attack.
Who benefits most: Every business storing any digital data. Which, in 2025, is every business on earth.
Section 8: Employee Cybersecurity Training — Your Human Firewall
Technology can only protect you so far. According to IBM’s Cost of a Data Breach Report, human error contributes to 74% of all security breaches. That means the person clicking the link, responding to the fake invoice, or plugging in the found USB drive is your biggest risk factor, and your biggest opportunity for improvement.
Security awareness training transforms your employees from your weakest link into an active layer of defense. When your team knows what phishing emails look like, understands why MFA matters, and knows exactly who to call if they suspect something is wrong, your overall security posture improves dramatically.
KnowBe4 is the industry leader in security awareness training for small and mid-sized businesses. It runs automated simulated phishing campaigns, meaning it sends fake phishing emails to your employees to see who clicks. When someone clicks, instead of a breach, they get immediate training. Over time, click rates on real phishing attempts drop significantly. KnowBe4’s data shows organizations reduce their phishing click rates by an average of 82% after 12 months of training.
Proofpoint Security Awareness Training is another strong option with a particularly content-rich library of training modules covering everything from social engineering to safe remote work practices.
Your employee training program doesn’t need to be elaborate to be effective. The core elements every small business should implement:
- Run simulated phishing tests quarterly using a platform like KnowBe4
- Require all employees to complete a 30-minute cybersecurity basics training when they’re hired
- Send a monthly security tip via email, something brief and practical, like how to spot a fake login page
- Create a clear, written policy for reporting suspicious emails or activities, and make sure everyone knows it exists
- Run an annual review of who has access to what in your systems, and revoke access for anyone who no longer needs it
Estimated time saved per week: Training takes time upfront, but the payoff is a team that catches threats before they become incidents. The ROI here is measured in breaches avoided, not hours saved.
Who benefits most: Every business with two or more people. If you have employees, you have human risk. Training reduces it.
Comparison Table: Small Business Cybersecurity Tools at a Glance
| Tool | Category | Time/Risk Saved | Best Use Case | Starting Price |
|---|---|---|---|---|
| 1Password Teams | Password Management | 3–5 hrs/week | Teams sharing multiple account credentials | $19.95/month (10 users) |
| Bitwarden Business | Password Management | 3–5 hrs/week | Budget-conscious businesses wanting open-source security | $3/user/month |
| Duo Security | Multi-Factor Authentication | Breach prevention | Protecting all business app logins | Free up to 10 users |
| Google Authenticator | MFA App | Breach prevention | Individual employee MFA on personal devices | Free |
| NordLayer | Business VPN | Network protection | Remote teams accessing company data | $8/user/month |
| Malwarebytes for Teams | Endpoint Protection | 1–2 hrs/week | SMBs managing device security without IT staff | $6.67/device/month |
| CrowdStrike Falcon Go | Endpoint Protection | Breach prevention | Businesses wanting enterprise-grade endpoint security | $59.99/device/year |
| Proofpoint Essentials | Email Security | 30–60 min/week | Blocking phishing and business email compromise | $2.95/user/month |
| Mimecast | Email Security | 30–60 min/week | Email continuity and advanced threat protection | Custom pricing |
| Backblaze for Business | Data Backup | 21 days downtime avoided | Automatic continuous backup for all business computers | $9/computer/month |
| Acronis Cyber Protect | Backup + Endpoint | Combined protection | Businesses wanting backup and ransomware defense in one | $89/device/year |
| KnowBe4 | Security Awareness Training | 82% phishing click reduction | Training employees to recognize and report threats | Custom pricing |
Your Complete Small Business Cybersecurity Action Plan
Bookmark this section. Come back to it. Work through it systematically. This is the exact sequence a cybersecurity professional would walk you through, translated into plain language.
- Deploy a password manager for your entire team this week. Set up 1Password Teams or Bitwarden Business, invite every employee, and establish a company policy that all business accounts must use unique, manager-generated passwords. If you skip this, every other security investment you make is sitting on a cracked foundation. One reused password can undo everything else on this list.
- Enable MFA on your email platform before you do anything else tomorrow. Log into your Google Workspace or Microsoft 365 admin console and turn on mandatory MFA for all users. This single step blocks 99.9% of automated credential attacks. Skipping this is like installing a security camera but leaving the front door unlocked.
- Audit who has access to what in your business systems right now. List every platform your business uses. List who has access. Remove access for any former employees, contractors, or vendors who no longer need it. Orphaned accounts are a gift to attackers and most businesses have dozens they’ve forgotten about.
- Set up a dedicated guest Wi-Fi network separate from your main business network. Log into your router’s admin panel (typically at 192.168.1.1 or 192.168.0.1), and create a guest network. This takes about 10 minutes. Skipping it means every customer, delivery person, or visitor sharing your Wi-Fi has potential visibility into your business network traffic.
- Install endpoint protection on every business device. Deploy Malwarebytes for Teams or CrowdStrike Falcon Go on every laptop and desktop used for business purposes. WARNING: Skipping employee personal devices is a critical mistake. If your remote employee handles business data on their personal laptop without endpoint protection, that device is an unmonitored entry point into your business.
- Implement the 3-2-1 backup rule immediately using Backblaze or Acronis. Set up automatic continuous backup for every computer that stores business data. Test your restore process before you need it. A backup you’ve never tested is a backup you can’t trust. Verify your restore process quarterly.
- Add an email security tool like Proofpoint Essentials to your email platform. The setup typically takes less than an hour and requires a DNS record change, which your domain registrar can walk you through. Once it’s active, it evaluates every incoming email before it hits your team’s inbox.
- Run your first employee cybersecurity training session within the next 30 days. Use KnowBe4’s free trial to send a simulated phishing email to your team. Use the results as a conversation starter, not a punishment tool. The goal is awareness, not blame. Teams that learn together build a security culture together.
- Create a written Incident Response Plan and share it with everyone. This doesn’t need to be complicated. It needs to answer three questions: Who do you call if you think you’ve been hacked? What do you do first? Who is authorized to make decisions? A one-page document covering these three points can save you hours of panicked, uncoordinated chaos during an actual incident.
- Schedule a quarterly cybersecurity review on your calendar right now. Set a recurring reminder for the last week of every quarter. Review your access lists, test your backups, check for any software that needs updating, and review any new threats your industry is facing. Cybersecurity isn’t a one-time setup. It’s an ongoing practice. The businesses that get complacent after the initial setup are the ones who end up in the breach statistics.
Case Study: How One Mistake Nearly Ended a 12-Year-Old Family Business
This scenario is illustrative but representative of thousands of real incidents documented by cybersecurity firms and insurance companies annually.
Consider a family-owned accounting firm with 11 employees that had operated successfully for over a decade. The firm had decent antivirus software, a firewall, and a general awareness of cybersecurity as a concept. What it didn’t have was MFA on its email accounts or a formal policy about wire transfer verification.
In March 2024, a criminal spent several weeks monitoring the firm’s email traffic after compromising the owner’s email credentials through a phishing attack that occurred six months earlier. The attacker learned the names, roles, and communication patterns of key personnel. Then they sent a perfectly crafted email, appearing to come from a senior partner’s account, instructing the office manager to wire $78,000 to a new vendor account for an “urgent client payment.”
The office manager, under deadline pressure and seeing the email come from a trusted name she’d worked with for years, processed the transfer. By the time anyone realized what had happened, the money was gone. Bank fraud recovery attempts recovered less than $11,000.
The total cost wasn’t just the $67,000 net loss. It included the two weeks of operational disruption, the legal consultation fees, the client notifications required under applicable data protection regulations, and the reputational damage that led three long-term clients to take their accounts elsewhere. The total estimated impact exceeded $140,000.
The mistake: No MFA on email, no wire transfer verification policy, and no employee training on business email compromise.
The resolution: After the incident, the firm implemented Duo Security for all email and financial platform logins, deployed Proofpoint Essentials for email filtering, and established a written policy requiring phone verification for any wire transfer over $5,000.
The lesson: The attack didn’t work because the technology failed. The technology wasn’t there. Every single protective measure the firm implemented after the breach costs less than $300 per month to maintain. They were paying $140,000 a year for the privilege of not spending $300 a month.
As cybersecurity educator and author Roger Grimes often emphasizes in his work with KnowBe4, “The vast majority of cyberattacks succeed not because hackers are sophisticated but because defenders are unprepared.” The tools to prevent this exact scenario exist, they’re affordable, and they work. The only variable is whether you implement them before the attack or after.
Conclusion: The Setup That Changes Everything
Cybersecurity for small businesses isn’t about building an impenetrable fortress. It’s about making yourself enough of a difficult target that attackers move on to someone easier. Most criminals are opportunists, not specialists. The businesses that get hit are the ones that look like an easy score.
The three things that matter most are deceptively simple: make sure every account uses a unique, strong password managed by a dedicated tool, make sure every login requires a second factor of authentication, and make sure your data is backed up somewhere an attacker can’t reach it. Everything else on this list builds on those three foundations.
Here’s what’s actually at stake if you close this guide and do nothing. The average small business that suffers a significant cyberattack loses between 6% and 9% of its annual revenue in direct and indirect costs. For a business generating $500,000 a year, that’s $30,000 to $45,000 gone. Many businesses never fully recover. Not because the technology failed, but because the owners believed that cybersecurity was someone else’s problem, or a problem they’d get to eventually.
Eventually has a way of arriving when you’re least prepared for it. The setup this guide describes takes a few weekends to implement and a few hundred dollars a month to maintain. That’s the trade. A few weekends of focused effort now, or weeks of crisis management later. The choice is yours, but at least now you know exactly what to do.
Take Action Now
Primary CTA: Start with step one today. Head over to 1Password Teams or Bitwarden Business and sign up for a free trial. Get your password management foundation in place before this week is over. Every hour you wait is another hour your business accounts are running on reused, guessable passwords.
Secondary CTA: What’s the one cybersecurity area where you know your business is most vulnerable right now? Drop it in the comments below. Whether it’s employee training, backup practices, or just not knowing where to start, you’re not alone, and the answer is probably somewhere in this guide.
And if you’re building out your broader business protection strategy, check out our related post on cyber liability insurance for small businesses, where we break down exactly what policies cover, what they don’t, and how to avoid the coverage gaps that leave most small businesses exposed even when they think they’re protected.
This guide was written for informational purposes. Pricing and product features referenced reflect publicly available information as of early 2025 and are subject to change. Always verify current pricing directly with vendors before making purchasing decisions
