The Good News: The Basics Are Free
Small businesses get breached through the same handful of doors every time: reused passwords, no 2FA, over-privileged accounts, and staff falling for phishing. None of those cost money to fix. Attackers aren't running exotic hacks against your five-person company; they're replaying leaked passwords and sending fake invoices. Close the common doors and you've done more than most businesses ten times your size. Here's the zero-budget playbook, in priority order.
1. Enforce 2FA Everywhere (Free)
The single highest-impact move. Every business account (email, accounting, payment processors, social, cloud storage) should require two-factor authentication, ideally an authenticator app rather than SMS (our 2FA guide).
- Make it mandatory, not optional: one unprotected employee account is the whole company's weak point.
- Google Workspace and Microsoft 365 let admins enforce 2FA org-wide for free: turn it on.
- The owner and anyone with financial or admin access should use the strongest methods (consider a hardware key for those, a small one-time cost).
2. Use SSO to Reduce the Attack Surface (Free)
If you use Google Workspace or Microsoft 365, use "Sign in with Google/Microsoft" for other business tools where possible (our SSO explainer). One well-protected identity provider means fewer passwords floating around and one place to disable an employee's access when they leave. Offboarding becomes "disable one account" instead of hunting down twenty.
3. A Password Manager for the Team (Free or Cheap)
Shared passwords in spreadsheets and chat messages are a breach waiting to happen. A password manager with team features (Bitwarden's free and low-cost tiers are excellent, per our comparison) gives you:
- Unique strong passwords for every account (kills credential stuffing).
- Secure sharing of the accounts that genuinely must be shared, with per-person access you can revoke.
- No more "what was the WiFi/Canva/Instagram password" messages leaving credentials in chat history.
4. Least Privilege and Offboarding (Free)
- Give each person only the access they need. The intern doesn't need admin on the payment processor.
- Remove access the day someone leaves. Ex-employee accounts are a top breach vector. Keep a simple list of what each person can access so offboarding is complete.
- Separate admin from daily accounts for owners: use admin rights only when needed.
5. Train Against Phishing (Free)
Your team is the target. A fifteen-minute conversation covers most of it:
- Fake invoices and "update our payment details" emails are the top small-business scam (Business Email Compromise). Verify any payment change by phone, using a known number, never one from the email.
- Never log in through email links: go to the site directly.
- Urgency plus a money request equals a red flag. Our phishing guide is a good team read.
The scam that actually drains small businesses isn't a movie hack, it's a convincing email asking finance to pay a fake invoice or redirect a real one. Two-factor authentication plus a "verify payment changes by phone" rule blocks the bulk of real losses.
6. Back Up, and Test the Backup (Free/Cheap)
Ransomware and simple accidents both ruin unprepared businesses. Cloud services often include version history (free); use it. For critical data, keep an additional backup that isn't connected to your main systems. And actually test that you can restore, an untested backup is a hope, not a plan.
The One-Hour Starter Plan
- Enforce 2FA on your email/Workspace and payment accounts (app-based).
- Sign up for a team password manager; move shared passwords into it.
- Make a list of who can access what; remove anyone who shouldn't.
- Send the team the "verify payment changes by phone" rule in writing.
That hour addresses the breaches that actually happen to businesses your size.
Frequently Asked Questions
We're tiny. Are we really a target?
Yes, precisely because attackers assume small businesses have weak defences and real money. Most attacks are automated and opportunistic (leaked-password replays, mass phishing), not targeted, which means basic hygiene deflects them. You don't have to be secure against a nation-state, just harder than the automated sweep.
What's the most important single thing?
Enforced 2FA on business email. Email is the master key (password resets, invoice communication, the lot), and enforcing app-based 2FA on it blocks the most common and damaging attacks. If you do one thing this week, do that.
Can we do this without hiring anyone?
For the essentials here, yes. Google Workspace and Microsoft 365 admin consoles, a password manager, and a team conversation cover the high-impact items with no specialist needed. Bring in help only for anything beyond this baseline (compliance, custom systems).
How do we handle shared social media accounts?
Use the platform's proper team/business access features where they exist (so each person logs in as themselves), and where you must share a login, keep it in the password manager with 2FA enabled and revoke on offboarding. Our platform guides (Facebook, Instagram) cover the setup.
What about our website and hosting?
Those deserve the same treatment: 2FA on the CMS admin and hosting panel, unique passwords, and least-privilege user accounts. Our WordPress and hosting guides apply directly.