
February 6, 2026
Fixing Security Configuration Gaps
A practical, budget-conscious guide for businesses without a dedicated IT security team

Who this guide is for
This guide is written for small business owners, office managers, or whoever looks after IT in your organisation, with little to no dedicated cybersecurity budget. Every recommendation here is either free or low-cost, and prioritised by impact so you can start making improvements today.
The Problem in Plain Terms
Most small businesses assume that cyberattacks are aimed at large corporations. That assumption is wrong — and costly. Attackers increasingly target smaller organisations precisely because they tend to have weaker defences. The good news is that one of the most common attack vectors, security configuration gaps, is also one of the most fixable.
Security configuration gaps are not exotic technical failures. They are mundane oversights: a website missing basic protective settings, an email domain that anyone can impersonate, an old encryption protocol left enabled because nobody thought to disable it. These gaps cost attackers very little to exploit. They cost you very little to close — if you know where to look.
Step 1: Understand What You Are Protecting
Before making any changes, take 30 minutes to list your digital assets. You cannot protect what you cannot see. Your list should include:
- Your website domain(s): the main address customers use to find you, plus any other domains you own.
- Your business email domain: the @yourbusiness.com address your staff sends from.
- Any web-facing systems: booking tools, online shops, client portals, or payment systems.
- Cloud services: Google Workspace, Microsoft 365, Dropbox, accounting software, and so on.
This list becomes the scope for everything that follows. If an asset is not on the list, it will not get checked.
Step 2: Check Your Website’s Security Headers (Free, 30 Minutes)
HTTP security headers are invisible instructions your website sends to visitors’ browsers, telling them how to handle your content safely. Missing headers are one of the most common configuration gaps, and one of the easiest to fix.
How to check
Go to securityheaders.com and enter your website address. The tool is free and takes about ten seconds to run. It will give you a grade from A+ to F and show you exactly which headers are missing.
What to look for
- Content-Security-Policy (CSP): Tells browsers which scripts are allowed to run on your site. Missing this makes it easier for attackers to inject malicious code.
- X-Frame-Options: Prevents your website from being loaded inside another site’s frame, blocking a common trick used in phishing.
- Strict-Transport-Security (HSTS): Forces browsers to always use the secure (HTTPS) version of your site.
- X-Content-Type-Options: Stops browsers from guessing what type of file they are handling, reducing the risk of certain injection attacks.
How to fix it
If your website is hosted on a managed platform (WordPress, Squarespace, Wix, Shopify), search your platform’s help centre for “security headers” — most have built-in options or free plugins. If you have a developer or technical contact, share your securityheaders.com report with them; adding these headers is typically a 30-minute task.
Cost & effort
Free to check. Free or minimal developer time to fix. Impact: high. If your site scores below a C, this is your first priority.
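As an added illustration (not part of the original guide), the script below does the same check securityheaders.com does for the four headers listed above, so you can run it against your own site from the command line and keep the output with your asset list. The `SAMPLE_HEADERS` response and the letter scale in `grade()` are constructed for this example and are not the scoring used by securityheaders.com.

```python
import urllib.request

# The four headers this guide asks you to look for, with why each matters.
REQUIRED_HEADERS = {
    "content-security-policy": "restricts which scripts may run on the page",
    "x-frame-options": "blocks other sites from framing yours (clickjacking)",
    "strict-transport-security": "forces browsers to use HTTPS on later visits",
    "x-content-type-options": "stops browsers guessing (sniffing) file types",
}


def audit_security_headers(headers):
    """Return {header_name: True/False} for each header the guide checks.

    `headers` is any mapping of response header names to values. Names are
    compared case-insensitively because HTTP header names are not case-sensitive.
    """
    lowered = {name.lower() for name in headers}
    return {name: name in lowered for name in REQUIRED_HEADERS}


def grade(results):
    """Constructed A-F scale for this example: A = all four present, F = none."""
    present = sum(1 for ok in results.values() if ok)
    return {4: "A", 3: "B", 2: "C", 1: "D", 0: "F"}[present]


def fetch_headers(url):
    """Fetch only the response headers of a site you own (HEAD request).

    Use the https:// address: Strict-Transport-Security is only sent over HTTPS,
    so checking the http:// version will always report it as missing.
    """
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return dict(response.headers.items())


def report(headers):
    """Human-readable summary in the spirit of the securityheaders.com report."""
    results = audit_security_headers(headers)
    lines = [f"Grade: {grade(results)}"]
    for name, ok in results.items():
        status = "present" if ok else "MISSING"
        lines.append(f"  {status:8} {name}  ({REQUIRED_HEADERS[name]})")
    return "\n".join(lines)


# Constructed sample: a typical site that has HSTS but nothing else.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Server": "nginx",
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(report(fetch_headers(sys.argv[1])))  # e.g. https://yourbusiness.com
    else:
        print(report(SAMPLE_HEADERS))
```

Run it with your own address as the only argument; with no argument it reports on the constructed sample, which scores D because only HSTS is set. Presence alone is what this check verifies; whether the Content-Security-Policy value is actually strict is a separate question for your developer.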
Step 3: Protect Your Email Domain Against Impersonation (Free, 1-2 Hours)
Email impersonation is one of the most common ways attackers target small businesses and their customers. If your email domain is not properly configured, anyone can send emails that appear to come from your business address. This is used to run phishing attacks, commit fraud, and damage your reputation.
Three technical standards protect against this. All three are free to implement:
- SPF (Sender Policy Framework)
SPF tells the world which mail servers are allowed to send email on your domain’s behalf. Without it, any server can claim to be you.
How to check: Go to mxtoolbox.com/spf.aspx and enter your domain. If SPF is missing or misconfigured, the tool will tell you.
- DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to outgoing emails, allowing receiving mail servers to verify they were genuinely sent by you and not altered in transit.
How to check: Your email provider (Google Workspace, Microsoft 365, or others) will have a DKIM setup guide in their help centre. Most modern providers enable it by default, but it is worth confirming.
- DMARC (Domain-based Message Authentication)
DMARC is the policy layer that tells receiving mail servers what to do when an email fails the SPF or DKIM checks — quarantine it, reject it, or let it through. Without DMARC enforcement, the SPF and DKIM checks exist but have no teeth.
How to check: Go to mxtoolbox.com/dmarc.aspx. Many businesses have no DMARC record at all, or have one set to ‘none’ (monitoring only), which provides no real protection.
How to fix: Start with a DMARC policy of ‘p=none’ to monitor without blocking, then move to ‘p=quarantine’ and eventually ‘p=reject’ once you have confirmed your legitimate email is passing checks. Guides for setting up DMARC with Google Workspace and Microsoft 365 are freely available in each provider’s documentation.
Cost & effort
Free. Requires access to your domain’s DNS settings (usually via your domain registrar or web host). Estimated time: 1-2 hours, including reading the relevant guide for your provider. Impact: very high — this directly prevents domain impersonation.
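The following is an added example, not part of the original guide, showing what the mxtoolbox.com checks above are actually reading. It parses an SPF record and a DMARC record and reports whether they give you real protection: whether SPF ends in `-all` (fail) rather than the weak `+all` or no `all` at all, whether it stays under the 10 DNS-lookup limit that makes SPF silently error, and whether DMARC is at `p=none` (monitoring only) or actually enforced. The record strings in `SAMPLE_RECORDS` are constructed for this example.

```python
def parse_spf(record):
    """Classify an SPF TXT record. Returns a dict of findings."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "reason": "record does not start with v=spf1"}

    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        bare = term.lower().lstrip("+-~?")
        if bare == "all":
            # A missing qualifier means '+' (pass) per the SPF specification.
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
            continue
        # Mechanisms/modifiers that cost a DNS lookup; more than 10 total
        # makes receivers return permerror, i.e. your SPF stops working.
        name = bare.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1

    verdicts = {
        "-": "fail: mail from unlisted servers is rejected (strongest setting)",
        "~": "softfail: mail from unlisted servers is flagged but often delivered",
        "?": "neutral: says nothing about unlisted servers (no protection)",
        "+": "pass: ANY server may send as you (no protection)",
        None: "no 'all' term: unlisted servers are treated as neutral (no protection)",
    }
    return {
        "valid": True,
        "all": all_qualifier,
        "lookups": lookups,
        "too_many_lookups": lookups > 10,
        "verdict": verdicts[all_qualifier],
    }


def parse_dmarc(record):
    """Classify a DMARC TXT record (the one published at _dmarc.yourdomain)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {"valid": False, "reason": "record does not start with v=DMARC1"}
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return {"valid": False, "reason": "p= tag is required and must be none, quarantine or reject"}

    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    enforced = policy in ("quarantine", "reject") and pct == 100
    if policy == "none":
        next_step = "move to p=quarantine once your legitimate mail passes checks"
    elif pct < 100:
        next_step = f"raise pct from {pct} to 100 so the policy applies to all mail"
    elif policy == "quarantine":
        next_step = "move to p=reject once quarantine has caused no problems"
    else:
        next_step = "fully enforced; keep reading the aggregate (rua) reports"
    return {
        "valid": True,
        "policy": policy,
        "pct": pct,
        "enforced": enforced,
        "reporting": "rua" in tags,  # rua= is where aggregate reports are sent
        "next_step": next_step,
    }


# Constructed sample records for a fictional domain, not real DNS data.
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbusiness.example",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name.upper(), parse_spf(record) if name == "spf" else parse_dmarc(record))
```

To feed it your own records, look them up with `nslookup -type=TXT yourbusiness.com` and `nslookup -type=TXT _dmarc.yourbusiness.com` and paste the quoted strings in. The sample DMARC record above is valid but reports `enforced: False`, which is exactly the "set to 'none'" situation the guide warns about.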
Step 4: Check Your SSL Certificate and HTTPS Configuration (Free, 20 Minutes)
Your website should use HTTPS — the padlock in the browser address bar. But having HTTPS is not enough on its own. The underlying configuration can still be weak if old, insecure encryption settings are left enabled.
How to check
Go to ssllabs.com/ssltest and enter your domain. This free tool performs a comprehensive check of your HTTPS configuration and grades it from A+ to F. It will flag specific issues including:
- Whether your certificate is valid and not close to expiry
- Whether old protocols like TLS 1.0 and TLS 1.1 are still enabled (they should not be)
- Whether weak cipher suites are being offered to visitors
- Whether your certificate chain is correctly configured
What to do with the results
If you score below a B, share the report with your web host or developer. Most hosting providers now offer control panel options to disable old TLS versions with a single click — this is no longer a specialist task.
If your certificate is expiring soon, renew it immediately. Many hosting providers now offer free certificates through Let’s Encrypt, and renewal can often be automated so it never expires.
Cost & effort
Free to check. Fixes are usually free through your existing host. Estimated time: 20 minutes to check, plus any time needed to contact your host. Impact: high — old protocols are actively exploited.
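As an added example (not code from the guide), the script below performs two of the checks ssllabs.com makes, against a host you own: it tries a handshake pinned to each TLS version to see which the server still accepts, and it reads the certificate's expiry date, which is also the monthly habit recommended later in this guide. `assess_tls()` turns the raw results into the findings a report would flag; the version sets and day counts it is tested with are constructed. One caveat to keep in mind: a modern Python/OpenSSL build may itself refuse to speak TLS 1.0 or 1.1, in which case this probe reports "not accepted" even though the server would allow it. That is why an outside scanner such as ssllabs.com remains the authoritative check.

```python
import socket
import ssl
import time

# Protocol versions to probe, oldest first. TLS 1.0 and 1.1 should be off.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def server_accepts(host, version, port=443):
    """True if one handshake pinned to exactly `version` succeeds."""
    ctx = ssl.create_default_context()
    # Certificate validity is checked separately in days_until_expiry();
    # here we only want to know whether the server will talk this version.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # ValueError: this client build does not support the version at all.
        return False


def days_until_expiry(host, port=443):
    """Days left on the certificate presented by host (negative = expired)."""
    ctx = ssl.create_default_context()  # full verification, as a browser does
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires_at - time.time()) // 86400)


def assess_tls(accepted_versions, days_left):
    """Turn probe results into the findings this guide tells you to act on.

    accepted_versions: set of version names the server negotiated.
    days_left: days until the certificate expires (negative if already expired).
    """
    findings = []
    for legacy in ("TLSv1", "TLSv1.1"):
        if legacy in accepted_versions:
            findings.append(f"{legacy} still enabled: ask your host to disable it")
    if not accepted_versions & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no modern TLS version accepted: current browsers will refuse to connect")
    if days_left < 0:
        findings.append("certificate has expired: renew immediately")
    elif days_left < 30:
        findings.append(f"certificate expires in {days_left} days: renew now or automate renewal")
    return findings


def check_host(host):
    """Probe a host you own and return the list of findings (empty = all good)."""
    accepted = {name for name, version in VERSIONS.items() if server_accepts(host, version)}
    return assess_tls(accepted, days_until_expiry(host))


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 2:
        sys.exit("usage: python tls_check.py yourbusiness.com")
    findings = check_host(sys.argv[1])
    print("\n".join(findings) if findings else "No issues found")
```

Run it monthly with your own domain as the argument; an empty result means only TLS 1.2/1.3 were accepted and the certificate has more than 30 days left. The 30-day threshold is a constructed choice for this example, picked because Let's Encrypt certificates are issued for 90 days and renewal is normally automated well before that.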
Step 5: Lock Down Your Domain Registrar Account (Free, 30 Minutes)
Your domain name is the foundation of your online presence. If an attacker gains access to your domain registrar account, they can redirect your website and email to their own servers — one of the most damaging attacks a small business can face.
Enable domain locking
Most registrars offer a ‘domain lock’ or ‘transfer lock’ setting. When enabled, this prevents your domain from being transferred away without explicit authorisation. Check your registrar’s control panel and make sure this is switched on.
Enable two-factor authentication (2FA) on your registrar account
This is the single most impactful account security measure you can take. With 2FA enabled, an attacker who obtains your password cannot access your account without also having your phone or authentication app. Every major registrar supports this — enable it today if you have not already.
Review who has access
Check how many people have login access to your domain registrar account. Remove anyone who no longer needs it. If a former employee or contractor had access, change the password immediately.
Cost & effort
Free. Takes 30 minutes. Impact: critical — domain hijacking can take your entire online presence offline and redirect your customers to fraudulent sites.
Step 6: Audit Your Cloud Service Accounts (Free, 1 Hour)
Most small businesses use cloud services for email, file storage, accounting, and communication. Each of these is a potential entry point if not properly configured.
The core checklist for each service
- 2FA enabled: Turn on two-factor authentication for every cloud service your business uses, especially email, file storage, and finance tools. This single step prevents the majority of account takeover attacks.
- Review active users: Remove accounts for staff who have left. Dormant accounts are a common way attackers gain entry.
- Review third-party app permissions: In Google Workspace or Microsoft 365, check which third-party apps have been granted access to your accounts. Remove anything unfamiliar or no longer in use.
- Check admin accounts: Limit the number of accounts with administrator-level access. Administrators should not use their admin accounts for day-to-day work.
Free tools to help
Both Google Workspace and Microsoft 365 have built-in security dashboards at no extra cost. Google’s Security Checkup (myaccount.google.com/security) and Microsoft’s Secure Score (found in the Microsoft 365 admin centre) will walk you through the most important settings for your account.
Cost & effort
Free — you already pay for these services. Estimated time: 1 hour across your main services. Impact: high — account takeover is one of the most common causes of data breaches in small businesses.
Summary: What Everything Costs
The table below summarises every action in this guide, along with its approximate cost and effort level.
| Action | Cost | Effort |
|---|---|---|
| Check website security headers (securityheaders.com) | Free | 30 min |
| Fix missing security headers (via host/developer) | Free – £50 | 1-2 hrs |
| Set up SPF for email | Free | 30 min |
| Set up DKIM for email | Free | 30 min |
| Set up DMARC for email | Free | 1-2 hrs |
| Test HTTPS/TLS configuration (ssllabs.com) | Free | 20 min |
| Renew/fix SSL certificate | Free (Let’s Encrypt) | 30 min |
| Enable domain lock at registrar | Free | 5 min |
| Enable 2FA on registrar account | Free | 10 min |
| Enable 2FA on all cloud services | Free | 30 min |
| Audit user accounts and permissions | Free | 1 hr |
Building Good Habits: Ongoing Maintenance
Security is not a one-time fix. The following habits, each requiring minimal time, will keep your configuration secure as your business evolves.
- Monthly (10 minutes): Check that your SSL certificate has not expired and review any security alerts from your cloud providers.
- Quarterly (30 minutes): Re-run the securityheaders.com and ssllabs.com checks. Review who has access to your key accounts and remove anyone who no longer needs it.
- When staff leave: Immediately disable or remove their accounts from all business systems, change shared passwords, and review any credentials they had access to.
- When you change web hosting or platforms: Re-check your security headers and HTTPS configuration — these settings often reset during migrations.
When to Get Professional Help
This guide covers the most impactful, self-service steps available to small businesses. Some situations call for professional support:
- Your ssllabs.com or securityheaders.com scores remain low after attempting fixes, and you cannot identify why
- You handle sensitive customer data such as payment details, medical records, or personal information in volume
- You are subject to regulatory requirements such as PCI DSS (for card payments) or are working toward Cyber Essentials certification
- You have experienced a suspected breach or noticed unusual account activity
In the UK, the National Cyber Security Centre (NCSC) offers free guidance and resources specifically aimed at small businesses at ncsc.gov.uk/section/small-organisations. Many local enterprise partnerships and Chambers of Commerce also offer subsidised cybersecurity advice.
The most dangerous assumption is that you are too small to be a target.
Most of the fixes in this guide are free and take less than an hour. The cost of a breach is far higher than the time it takes to prevent one.


