Small Business Cybersecurity on a Shoestring: Practical Steps That Actually Work

You don’t need a six-figure budget or a full-time security team to protect your small business. Most cyber incidents hit the same weak spots—email accounts, unpatched devices, weak passwords, and missing backups. The good news: a handful of low-cost, high-impact moves can cut your risk dramatically. Think of this as a practical playbook you can start today, with tools you likely already have and free services that punch well above their weight.

Start with a one-hour risk snapshot

Spend 60 minutes listing your “crown jewels”—the data and systems that would truly hurt if lost or leaked: customer records, invoicing, your website, payroll, and email. Note where they live (laptops, Google Workspace, Microsoft 365, QuickBooks, your web host) and who has access. Then name the top threats: account takeover via phishing, ransomware, and payment fraud. This quick inventory tells you where to focus first and helps you avoid buying tools you don’t need.

Lock accounts and devices first

Attackers usually start with your identity (email logins) or your endpoints (laptops and phones). Strengthen these and you remove the easiest paths into your business.

Strong authentication everywhere

Turn on multi-factor authentication (MFA) for email, banking, payroll, and any admin panels. Prefer an authenticator app (Microsoft Authenticator, Google Authenticator, or the built-in phone prompts) over SMS codes, which can be intercepted through SIM swapping; if you use approve/deny prompts, enable number matching so staff can't be worn down into approving a login they didn't start. In Microsoft 365, enable Security Defaults; in Google Workspace, enforce 2-Step Verification. Both are included at no extra cost. Eliminate shared logins and give every person a unique account so you can revoke one person's access quickly if something goes wrong.

Upgrade when ready

If you handle sensitive payments or vendor portals, consider buying a couple of hardware security keys (FIDO2/WebAuthn) for owners and admins. They are a one-time purchase, and because the key only answers the genuine site it was registered with, a look-alike login page cannot harvest a usable code from it. That is what makes them phishing-resistant in a way that app codes are not.

Patch and device baseline

Enable automatic updates for operating systems, browsers, and major apps. Update routers and printers quarterly. Turn on full-disk encryption (BitLocker on Windows, FileVault on macOS) and require a screen lock after a few minutes of inactivity. For mobile devices, enable remote-wipe (Find My for Apple, Find My Device for Android). Use the built-in antivirus you already own (Microsoft Defender on Windows is excellent) and avoid sideloading untrusted software.

Password hygiene on a budget

Adopt a password manager so every site gets a unique, long password. Bitwarden offers a generous free tier and low-cost business plans; other reputable options work too. Require at least 12 characters (a longer passphrase is better still), use the manager's reports to find reused or breached passwords, and keep admin accounts separate from the accounts used for daily email and browsing. Apply the minimum necessary privileges: most staff don't need administrator rights on their laptops, and a phishing payload that runs as a standard user does far less damage.

Shield your network and email for pennies

A few configuration tweaks and free services can block common attacks before they reach users.

DNS filtering and safer Wi‑Fi

Use free DNS filtering to block known malicious domains (Cloudflare Gateway's free tier or Quad9). On your Wi‑Fi, create a separate guest network for visitors and smart devices so a compromised TV or thermostat can't reach your laptops, change the router's default admin password, disable WPS and UPnP, and turn off remote administration from the internet. Use WPA2 at a minimum (WPA3 if available). These steps cost nothing and block many malware downloads and command-and-control callbacks before they ever connect.

Email protections that stop fraud

Publish SPF and DKIM, then publish a DMARC record starting at "none" with a reporting (rua) address so you receive aggregate reports; after a couple of weeks of reviewing them, move to "quarantine" and then "reject". Most domain registrars and email platforms provide wizards to help. Train staff to verify any change of bank details or any gift card request with a callback to a number you already have on file, never one taken from the email itself. Add an easy way to report suspicious emails (a shared "report phishing" mailbox or your provider's add-in) so potential attacks are surfaced fast.

Backups and recovery that actually work

Backups aren’t about storage—they’re about a fast, clean recovery when you need it most.

3‑2‑1 made simple

Keep three copies of critical data, on two different types of storage, with one offline or offsite. Automate daily, versioned backups for laptops to an external drive that's unplugged once the backup finishes, plus a low-cost cloud option (Backblaze, or OneDrive or Google Drive with version history turned on). A plain sync folder is not a backup on its own: ransomware-encrypted files sync just like any other change, and it is the version history that lets you roll back. Test restoring a file every month and check that it opens. If you live in SaaS (Microsoft 365 or Google Workspace), ensure versioning is on and consider a low-cost third-party backup for email and Drive if your retention needs are longer.
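A monthly restore test is only meaningful if you compare what comes back with what went in. The script below is an added example, not code from the original article: it records a SHA-256 manifest of the source folder at backup time, then restores a random sample of files from the backup copy into a scratch folder and checks each against the manifest, so a silently damaged or missing file is caught before you need it. The folders, files and the "backup job" (a plain copy) are constructed in a temporary directory so it runs offline; point build_manifest() at your real source folder and restore_test() at your backup drive or cloud copy.

```python
"""Monthly restore test: pull a sample of files back out of the backup copy and
check them against the manifest recorded when the backup was taken.

Added example, not part of the original article. The folders and files are
constructed in a temporary directory so the script runs offline; point
build_manifest() at your real source folder at backup time and restore_test()
at the backup drive or cloud copy each month.
"""
import hashlib
import os
import random
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256; store this with the backup."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def restore_test(backup_root, manifest, sample_size=3, seed=None):
    """Restore a random sample of files from backup_root into a scratch folder and
    compare each with the manifest. Returns (restored_ok, failed) lists of paths."""
    rng = random.Random(seed)
    chosen = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    ok, failed = [], []
    with tempfile.TemporaryDirectory() as scratch:
        for rel in chosen:
            src = os.path.join(backup_root, rel)
            if not os.path.exists(src):
                failed.append(rel)  # missing from the backup entirely
                continue
            dst = os.path.join(scratch, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # the actual restore step
            (ok if sha256_file(dst) == manifest[rel] else failed).append(rel)
    return ok, failed


def demo():
    """Constructed scenario: back up a folder, then corrupt one backed-up file.
    Returns the (ok, failed) result before and after the corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source")
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(source, "invoices"))
        for i in range(5):
            with open(os.path.join(source, "invoices", f"inv-{i}.txt"), "w") as f:
                f.write(f"invoice {i}\n" * 100)
        manifest = build_manifest(source)   # taken at backup time
        shutil.copytree(source, backup)     # stands in for your backup job
        clean = restore_test(backup, manifest, sample_size=5, seed=1)
        # Simulate silent damage to one backed-up file (bit rot, a partial sync, ransomware).
        with open(os.path.join(backup, "invoices", "inv-2.txt"), "a") as f:
            f.write("tampered\n")
        damaged = restore_test(backup, manifest, sample_size=5, seed=1)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup  :", len(clean[0]), "ok,", clean[1], "failed")
    print("damaged backup:", len(damaged[0]), "ok,", damaged[1], "failed")
```

Keep the manifest with the backup, not only on the laptop being backed up: if ransomware encrypts the source, the manifest from the last good backup is what tells you which copy is still clean.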

Visibility and response without a SOC

You don’t need a security operations center to catch the obvious signals and react quickly.

Simple logging and alerts

Turn on sign-in alerts for new locations and for admin changes (new admin role assignments, new users, changed MFA settings) in Microsoft 365 or Google Workspace, and send notifications to a shared mailbox that owners actually monitor. Keep at least 90 days of logs (the built-in audit logs are fine). In your bank and accounting tools, enable transaction alerts so unusual payments get immediate attention.
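If your provider's built-in alerts are too coarse, the same signals can be pulled from an audit-log export with a few lines of code. The script below is an added example, not code from the original article: it reads constructed sign-in and admin-change events, flags the first successful sign-in from a country a user has never used, flags two successful sign-ins from different countries too close together to be the same traveller, and flags any admin role change. The event fields are a simplified, hypothetical schema rather than the exact export format of Microsoft 365 or Google Workspace, so map your provider's fields onto them; the events and the known-country baseline are constructed for this example.

```python
"""Flag the sign-in signals this section suggests watching, over constructed audit events.

Added example, not part of the original article. The event fields are a
simplified, hypothetical schema; map the fields from your Microsoft 365 or
Google Workspace audit export onto them. Events and the known-country baseline
are constructed for this example.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit events, one JSON object per line.
SAMPLE_LOG = """
{"ts": "2024-05-06T08:02:11Z", "user": "alice@example.com", "event": "signin", "result": "success", "country": "US", "ip": "203.0.113.10"}
{"ts": "2024-05-06T08:40:00Z", "user": "bob@example.com", "event": "signin", "result": "success", "country": "US", "ip": "203.0.113.22"}
{"ts": "2024-05-06T09:15:42Z", "user": "alice@example.com", "event": "signin", "result": "success", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-05-06T09:16:05Z", "user": "alice@example.com", "event": "role_change", "detail": "Global Administrator added to alice@example.com", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-05-06T10:00:00Z", "user": "bob@example.com", "event": "signin", "result": "failure", "country": "US", "ip": "203.0.113.22"}
"""

# Countries each user has signed in from before (seed this from a month of history).
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}

# Two successful sign-ins from different countries closer together than this
# cannot both be the same person travelling; treat it as account takeover.
MIN_TRAVEL_GAP = timedelta(hours=2)


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known=KNOWN_COUNTRIES):
    """Return a list of (severity, user, reason) alerts in event order."""
    alerts = []
    seen = {user: set(countries) for user, countries in known.items()}  # copy; never mutate the baseline
    last_signin = {}
    for e in events:
        user = e["user"]
        if e["event"] == "signin":
            if e.get("result") != "success":
                continue  # failures alone are noisy; the success that follows is what matters
            country = e["country"]
            if country not in seen.setdefault(user, set()):
                alerts.append(("medium", user, f"first sign-in from {country} ({e['ip']})"))
                seen[user].add(country)
            prev = last_signin.get(user)
            if prev and prev["country"] != country and e["ts"] - prev["ts"] < MIN_TRAVEL_GAP:
                gap = e["ts"] - prev["ts"]
                alerts.append(("high", user, f"{prev['country']} then {country} {gap} apart: impossible travel"))
            last_signin[user] = e
        elif e["event"] == "role_change":
            alerts.append(("high", user, f"admin role change: {e['detail']}"))
    return alerts


if __name__ == "__main__":
    for severity, user, reason in detect(parse_events(SAMPLE_LOG)):
        print(f"[{severity.upper():6}] {user}: {reason}")
```

On the sample data this raises three alerts, all for alice: a medium alert for the first sign-in from NG, a high alert for US-then-NG sign-ins an hour apart, and a high alert for the admin role added from that session. The role change is the one to act on first, because by then the attacker already holds the account and is cementing access.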

A one‑page incident plan

Write a single page that lists: who you call (IT helper, bank, lawyer, cyber insurer if you have one), how to isolate a device (pull the network cable or disable Wi‑Fi), where backups live, and who can reset passwords. Keep printed copies. Run a 20‑minute table-top drill each quarter so everyone knows their role. Preparation reduces panic—and mistakes—when minutes matter.

A realistic 30/60/90‑day roadmap

Next 30 days: turn on MFA everywhere, enforce screen locks and encryption, enable auto-updates, set up DNS filtering, and publish SPF/DKIM/DMARC at “none” to start monitoring. Document your one-page incident plan and test a file restore. Next 60 days: move DMARC to “quarantine,” roll out a password manager to staff, separate admin and user accounts, and segment Wi‑Fi. Next 90 days: shift DMARC to “reject,” add hardware keys for owners/admins, and rehearse your incident drill with a realistic phishing scenario.

What this really costs

Many essentials are free: MFA, encryption, built-in antivirus, DNS filtering, and email authentication. Expect modest spend for a password manager (often a few dollars per user per month) and cloud backup for laptops. Compared to the cost of a single wire-fraud incident or week-long outage, these are some of the highest ROI investments you can make.

Security is a habit, not a product. Start with the controls that remove the easiest wins for attackers, automate what you can, and practice your response like a fire drill. Small, steady improvements compound—protecting your customers, your cash flow, and your reputation without breaking the budget.