Sorry, I wasn't trying to claim that small businesses don't need any safeguards. For example, small businesses also need backups, they need TLS certificates, lots of industry-standard stuff. What they don't necessarily need are everything required by the checklists that are thousands of items long where every box must be checked to pass SOC 2, ISO 27001, FedRAMP, etc.