← Back to Blog
Cybersecurity

The £0 Security Checklist Every Small Business Should Do Today

9 March 2026

You don't need a security budget to fix the biggest risks. Most of the things that leave small businesses vulnerable aren't complicated problems — they're simple things that nobody's gotten around to doing. All of the items on this list are free, take less than an hour each, and make a genuine difference.

1. Turn On Multi-Factor Authentication

If you do nothing else on this list, do this. MFA (multi-factor authentication) means that even if someone steals a password, they can't log in without a second factor — usually a code from an app on your phone.

Microsoft 365 and Google Workspace both support MFA for free. Turn it on for every account, starting with anyone who has admin access.

99.9%of automated attacks blocked by MFA (Microsoft's own data)
99.9%of automated attacks blocked by MFA (Microsoft data)

There is no single security measure with a better return on effort.

2. Check Who Has Admin Access

Open your Microsoft 365 or Google Workspace admin panel and look at who has admin rights. In most small businesses, there are far more admins than there should be. Often the person who set up the account two years ago made everyone an admin because it was easier.

Every admin account is a high-value target. Reduce admin access to the absolute minimum — ideally two people. Everyone else should be a standard user. This takes five minutes and significantly reduces your attack surface.

3. Kill Shared Passwords

If your team shares passwords — whether that's a single login for social media, a shared email account password, or a sticky note on the monitor with the "company password" — stop. Every shared password is a password you can't rotate when someone leaves, can't trace when something goes wrong, and can't protect with MFA.

Set up individual accounts with unique passwords. Use a password manager if the team needs access to shared services — they can share access without sharing the actual password.

4. Check Your Email Authentication

SPF, DKIM, and DMARC are three protocols that prove your emails are really from you — and prevent attackers from sending emails that look like they're from your domain. You can check whether these are configured by searching "DMARC checker" and entering your domain.

If any of these are missing, you're leaving your domain open to spoofing. Setting them up is free — it's a DNS record change that your domain provider can help with.

5. Verify Your Backups Actually Work

"We use OneDrive" is not a backup strategy if nobody's checked whether it's actually syncing. "We have backups" means nothing if you've never tested a restore.

See our guide on how to back up business data properly for more on getting this right.

Check that your important files are actually being backed up. Then test a restore — pick a file, delete it, and recover it. If you can't, your backup isn't working.

6. Review Who Has Access to What

Open your shared drives, SharePoint sites, or Google Drive shared folders. Look at who has access. You'll almost certainly find former employees, old freelancers, or people who don't need access to the things they can see.

Remove anyone who shouldn't be there. This is especially important for sensitive folders — finance, HR, client data. Access should be based on need, not convenience.

What Comes Next

Key takeaway

None of these steps require a security product, a consultant, or a budget. They're the foundations that everything else builds on — and you've spent nothing but time.

Want to talk about this?

Book a free 15-minute call and we'll discuss how this applies to your business.

Book a Free Call

Get IT tips in your inbox

Practical advice for small businesses. No spam.