Small business cybersecurity advice usually sounds like this: “Implement a comprehensive security program with layered defenses, regular risk assessments, security awareness training, incident response planning, and continuous monitoring.”
Great. That’ll take six months, cost $50,000, and require expertise you don’t have.
Meanwhile, attackers are targeting your business right now. They’re not waiting for you to build the perfect security program. They’re looking for the easy vulnerabilities that most small businesses leave wide open.
Here’s the good news: you can close the most common attack paths in less than a week. These aren’t theoretical security improvements or nice-to-haves. These are the specific fixes that stop the majority of attacks targeting small businesses.
No consultants required and no massive budget. Just five concrete actions you can take this week that dramatically reduce your risk.
Fix #1: Turn On Multi-Factor Authentication Everywhere That Matters (Day 1)
Most breaches against small businesses start with a stolen or guessed password. An employee clicks a phishing link. Someone reuses a password that was leaked in another company’s breach. A weak password is guessed through brute force.
Multi-factor authentication (MFA) stops most of these attacks. Even if attackers have your password, they can’t get in without the second factor: a code from an authenticator app, an approval prompt on your phone, or a hardware security key. Codes sent by text message are better than nothing but are the weakest option, because phone numbers can be hijacked. Phishing kits that proxy the real login page can also relay a one-time code in real time, so where a service offers passkeys or security keys (FIDO2), use those for email and admin accounts.
What to do today:
Enable MFA on every system that contains important data or provides necessary access:
- Email (Microsoft 365, Google Workspace, etc.)
- Financial systems (accounting software, banking, payroll)
- Cloud storage (Dropbox, OneDrive, Google Drive)
- Admin access to any system
- Remote access (VPN, remote desktop)
- Any system with customer data
Most services make this easy. Microsoft 365, Google Workspace, and major cloud platforms have built-in MFA. Turn it on in settings, usually under “Security” or “Authentication,” and enforce it for the whole organization rather than leaving it up to each user: in Microsoft 365 that means Security defaults (or a Conditional Access policy), in Google Workspace it means enforcing 2-Step Verification.
For your team: Yes, they’ll complain that it’s inconvenient. Tell them it’s less inconvenient than explaining to customers why their data was stolen because someone guessed your password.
Time required: 2-4 hours to enable across your main systems and help employees set it up.
Cost: Usually free (built into services you’re already paying for).
What this stops: credential stuffing, password spraying, brute-force attacks, and most phishing, which are the most common ways attackers gain initial access. The exception is real-time phishing that relays one-time codes; phishing-resistant methods (passkeys, security keys) close that gap too.
Fix #2: Patch Your Three Most Critical Systems (Day 2)
You probably have dozens of systems that need updates. Trying to patch everything at once is overwhelming, so nothing gets patched.
Instead, focus on the three systems that would hurt most if compromised. These are typically:
- Your operating systems (Windows, macOS, Linux servers)
- Your web browsers and their extensions
- Your most critical business application (whatever you absolutely cannot operate without)
What to do today:
For workstations: Turn on automatic updates for Windows or macOS, especially if nobody is specifically responsible for IT. This should have been done already, but many businesses disable it because “updates break things.” They do sometimes, but breaches break things worse.
For servers: Check for available updates and schedule deployment. If you have an IT provider, ask them to prioritize patching your most critical systems this week.
For business applications: Check for updates in the software itself or on the vendor’s website. Many applications have automatic update features you can enable.
The critical mindset shift: Updates sometimes cause minor issues. Unpatched systems cause major breaches. The risk calculation isn’t even close.
Time required: 2-3 hours to enable automatic updates and manually patch critical systems.
Cost: Free (you’re already paying for the software).
What this stops: Exploitation of known vulnerabilities. Attackers love finding unpatched systems because the exploits are public, well-documented, and easy to use, often within days of the patch being released.
Fix #3: Lock Down Admin Access (Day 3)
Here’s a common scenario in small businesses: everyone has admin rights on their computers because it’s easier. Someone needs to install software? They have admin rights. Need to change a setting? Admin rights. It’s just simpler.
Until someone clicks a malicious link, and the malware runs with admin rights: it can turn off your antivirus, install itself to survive a reboot, and reach every other machine that account can log in to.
What to do today:
Remove admin rights from daily-use accounts. Employees should work from standard user accounts. When they need to install software or make system changes, they enter a separate admin account’s credentials at the elevation prompt (User Account Control on Windows, the password dialog on macOS) or call IT.
Create separate admin accounts for people who actually need them. IT staff and system administrators need admin accounts, but those should be separate from their daily-use accounts. Use the admin account only when doing admin tasks.
Audit who has access to what. Pull up your user lists for critical systems. Does the person who left three months ago still have access? Does the intern have access to financial systems? Clean it up.
The quick wins:
- Remove admin rights from employee workstations
- Delete accounts for people who no longer work there
- Change any shared passwords (see Fix #4)
- Limit who can access your most sensitive systems
Time required: 3-5 hours, depending on how messy your access controls are.
Cost: Free (this is configuration, not new tools).
What this stops: Privilege escalation, lateral movement, insider threats (accidental or intentional), and malware that needs admin rights to spread.
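The “audit who has access to what” step above is easiest to do against an export of the user list rather than by eye. The script below is an added example written for this post (it is not MainNerve’s tooling); the account export and the HR roster it reads are constructed sample data, and the column names are assumptions, so map them to whatever your identity provider or accounting system actually exports. It flags the four things the fix calls out: admin rights on daily-use accounts, accounts belonging to people who have left, accounts nobody has used in 90 days, and the generic shared logins that Fix #4 deals with.

```python
"""Access review over an exported user list (added example, constructed data)."""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed export: one row per account in a critical system.
# Real exports (Entra ID, Google Workspace, your accounting package) will
# have different column names; adjust the keys below to match.
USER_EXPORT = """\
username,display_name,role,is_admin,enabled,last_login
alice,Alice Moreno,Finance,true,true,2025-06-02
bob,Bob Chen,IT,true,true,2025-06-03
bob-admin,Bob Chen (admin),IT,true,true,2025-05-30
carol,Carol Diaz,Sales,false,true,2025-06-01
dave,Dave Kim,Sales,true,true,2024-11-15
office,Shared office login,,false,true,2025-06-03
admin,Built-in admin,,true,true,2025-06-03
intern1,Summer Intern,Intern,false,true,2025-02-20
"""

# Constructed HR roster: usernames of people who currently work here.
CURRENT_STAFF = {"alice", "bob", "carol", "intern1"}

# Accounts that are allowed to hold admin rights: IT's *separate* admin
# accounts, never anyone's daily-use login.
APPROVED_ADMINS = {"bob-admin"}

# Usernames that almost always mean a shared or generic login.
GENERIC_NAMES = {"admin", "administrator", "office", "shared", "guest", "root"}

DORMANT_AFTER = timedelta(days=90)


def review_access(export_text, current_staff, approved_admins, today):
    """Return (username, finding) pairs for every enabled account that needs action.

    Finding codes:
      shared-or-generic  replace with individual logins (Fix #4)
      departed           owner is no longer on the HR roster: disable it
      dormant            no login for 90+ days: confirm it's needed or disable
      unapproved-admin   admin rights outside the approved admin accounts
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["username"]
        is_admin = row["is_admin"].strip().lower() == "true"
        enabled = row["enabled"].strip().lower() == "true"
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()

        if not enabled:
            continue  # already disabled; nothing to do

        # "bob-admin" is bob's separate admin account; tie it back to the person.
        owner = name.split("-")[0]
        generic = name in GENERIC_NAMES

        if generic:
            findings.append((name, "shared-or-generic"))
        elif owner not in current_staff:
            findings.append((name, "departed"))
        if today - last_login > DORMANT_AFTER:
            findings.append((name, "dormant"))
        if is_admin and name not in approved_admins:
            findings.append((name, "unapproved-admin"))
    return findings


if __name__ == "__main__":
    # Fixed "today" so the sample data gives repeatable results.
    for user, finding in review_access(USER_EXPORT, CURRENT_STAFF, APPROVED_ADMINS, date(2025, 6, 4)):
        print(f"{user:10} {finding}")
```

Run it once per critical system and work down the list: the "departed" and "unapproved-admin" lines are the ones to fix the same day, and a "dormant" hit on an admin account is the combination attackers look for. The 90-day threshold and the generic-name list are assumptions; tighten them to fit your business.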
Fix #4: Eliminate Shared Passwords and Default Credentials (Day 4)
Walk through your office and check: how many systems are protected by passwords that multiple people know? The WiFi password is written on a whiteboard. The “admin/admin” login for the printer. The shared “office” account for your project management tool.
Every shared password is a security hole. You can’t track who accessed what. You can’t revoke access when someone leaves without resetting it for everyone. And if that password gets compromised, you can’t tell who used it or how far the compromise reaches.
What to do today:
Find your shared passwords. Walk through your systems and identify everywhere you’re using shared credentials:
- WiFi password
- Printer/copier admin login
- Shared software accounts
- Default credentials on network devices
- “Admin” accounts that multiple people use
Replace them with individual accounts. Most modern systems support multiple user accounts. Create individual logins for each person who needs access.
Change default credentials. That printer, router, or network device that still has “admin/admin” or “admin/password”? Change it today. Attackers have lists of default credentials for thousands of devices and automatically scan for them. If a device’s built-in account can’t be removed, give it a long unique password and keep its management page off the internet.
Use a password manager for the shared passwords you can’t eliminate. If you truly need shared access (like a social media account), use a business password manager like 1Password, LastPass, or Proton Pass and share the credential through a vault. At least you’ll have audit logs, can revoke access easily, and can rotate the password when someone leaves.
Time required: 3-4 hours to identify shared passwords and set up individual accounts.
Cost: $5-10 per user monthly for a business password manager (if you choose to use one).
What this stops: Unauthorized access, inability to revoke access when people leave, credential exposure through departing employees, and exploitation of default credentials.
Fix #5: Set Up Automatic Backups and Test One Restore (Day 5)
Ransomware works because businesses can’t recover their data. Attackers encrypt everything and demand payment, and companies that have no backups, or whose backups don’t work, feel they have no choice but to pay, even though paying doesn’t guarantee recovery. Working backups take away that leverage (they don’t undo data theft, which many ransomware crews also do, but they keep you in business).
What to do today:
Identify what absolutely must be backed up:
- Customer data and databases
- Financial records and accounting data
- Employee information
- Critical business documents
- Email (if not already backed up by your provider)
- Configuration settings for critical systems
Set up automatic backups using the 3-2-1 rule:
- 3 copies of your data (original plus two backups)
- 2 different types of media (local backup and cloud backup)
- 1 copy offsite (cloud storage or physical backup in another location)
Practical implementation:
- Use your cloud provider’s built-in protection (Microsoft 365 and Google Workspace have retention features), but treat it as a short-term safety net against deletion, not a substitute for a separate backup of your mailboxes and files
- Set up cloud backup services like Backblaze, Carbonite, or IDrive for workstations, and use a separate login for the backup service; ransomware encrypts every drive and share the infected account can write to
- Use external hard drives for weekly full backups stored offsite, and unplug them between backups; a backup drive that’s always connected gets encrypted along with everything else
- For servers, use backup software with cloud replication
The critical step everyone skips: Test a restore.
Having backups doesn’t matter if you can’t actually restore from them. Pick a non-critical file or folder and restore it to a different location, not over the original. Make sure you know how to do it. Then open the restored copy and confirm it’s complete and not corrupted. Time the exercise: how long a restore takes is how long you’d be down, and repeat it every quarter so it still works when the software, accounts, or staff have changed.
Time required: 4-6 hours to set up automated backups and test a restore.
Cost: $10-50 per computer monthly for cloud backup services, plus any external drives ($100-200).
What this stops: Ransomware becomes an inconvenience instead of a business-ending crisis. Accidental deletion doesn’t lose critical data. Hardware failure doesn’t destroy everything.
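A restore test is only convincing if you compare what came back with what went in. The script below is an added example written for this post, not MainNerve’s code or any backup vendor’s tool: it backs up a folder to a compressed archive, records a SHA-256 hash of every file, restores into a separate directory, and reports any file that is missing or differs. The sample data it creates is constructed; point `source_dir` at a real non-critical folder to run the drill for real. It also extracts with Python’s path-safety filter where available, since an archive containing `../` paths can otherwise write outside the restore directory.

```python
"""Backup, restore to a separate directory, and verify (added example)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source, archive):
    """Write source into a .tar.gz and a manifest file next to it; return the manifest."""
    source, archive = Path(source), Path(archive)
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_backup(archive, dest):
    """Extract the archive into dest, refusing paths that escape dest where supported."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backported 3.8.17/3.9.17/3.10.12/3.11.4
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(manifest, restored_root):
    """Return a list of problems ('<path>: missing' or '<path>: hash mismatch'); empty means OK."""
    restored_root = Path(restored_root)
    problems = []
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems.append(f"{rel}: missing")
        elif sha256_file(p) != expected:
            problems.append(f"{rel}: hash mismatch")
    return problems


def make_sample_data(root):
    """Constructed stand-in for a small business's critical folder."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "config").mkdir(parents=True, exist_ok=True)
    (root / "customers.csv").write_text("id,name\n1,Acme\n2,Globex\n")
    (root / "finance" / "ledger.bin").write_bytes(bytes(range(256)) * 8)
    (root / "config" / "app.ini").write_text("[db]\nhost=localhost\n")


def restore_drill(source_dir=None):
    """Full cycle: back up, restore elsewhere, verify. Returns (manifest, problems)."""
    with tempfile.TemporaryDirectory() as td:
        work = Path(td)
        if source_dir is None:
            source_dir = work / "data"
            make_sample_data(source_dir)
        archive = work / "backup.tar.gz"
        manifest = create_backup(source_dir, archive)
        restored = work / "restore"          # never restore over the original
        restore_backup(archive, restored)
        return manifest, verify_restore(manifest, restored)


if __name__ == "__main__":
    manifest, problems = restore_drill()
    print(f"{len(manifest)} files backed up; problems: {problems or 'none'}")
```

An empty problem list proves the archive is readable and every file came back byte-for-byte; a `hash mismatch` after a clean run points at a corrupted backup medium or a backup job that silently skips files. Keep the manifest with the backup so the check can be run at restore time, and note that this verifies integrity only; whether ransomware can reach the backup depends on the offline and separate-credential points above.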
Why These Five?
You might notice what’s not on this list: security awareness training, incident response plans, network segmentation, threat monitoring, vulnerability scanning.
Those things matter. But they’re not what you can realistically implement in a week, and they’re not what stops the most common attacks against small businesses.
These five fixes address the actual attack patterns targeting small businesses right now:
- Stolen credentials (stopped by MFA and eliminating shared passwords)
- Known vulnerabilities (stopped by patching)
- Privilege escalation (stopped by removing unnecessary admin access)
- Ransomware (survived through backups)
These aren’t comprehensive security. They’re the high-impact basics that most small businesses skip because they seem too simple to matter or too hard to implement.
They matter, and you can implement them this week.
The Bottom Line
Cybersecurity for small businesses doesn’t have to be complicated or expensive. Most attacks succeed not because of sophisticated techniques, but because basic protections are missing.
Multi-factor authentication stops stolen passwords. Patching stops exploitation of known vulnerabilities. Limited admin access contains the damage when something gets through. Individual accounts instead of shared passwords improve accountability and control. Backups ensure you can recover from attacks.
Five fixes in one week dramatically reduce risk.
You don’t need a comprehensive security program to start protecting your business. You need to stop procrastinating on the basics and take action this week.
The attackers aren’t waiting for you to build the perfect security program. Don’t wait to protect yourself.
MainNerve: Find What You’re Still Missing
After you’ve implemented these five fixes, the next step is finding out what vulnerabilities remain in your environment.
MainNerve provides penetration testing for small businesses, not enterprise-level assessments that cost tens of thousands of dollars, but right-sized testing that fits your environment and budget.
We’ll test your defenses after you’ve implemented these basics and show you what gaps remain. Real attack paths and real risks, with practical remediation guidance you can actually implement.
Ready to move beyond the basics? Contact MainNerve to discuss penetration testing that helps you understand what you’re still exposed to, so you can fix it before attackers exploit it.
Because the best time to find vulnerabilities is before they become breaches.