
The 5 Free Things Any Small Business Can Do This Week to Improve Their Security Grade

You don't need a big IT budget to raise your grade. These five zero-cost actions — each taking less than an hour — address the most common scoring failures we see among small businesses under 50 employees.

Zero Cost  |  Under 1 hr each  |  Up to +30 pts

Marcus Webb, Senior Security Analyst
Jan 14, 2026  |  4 min read

The Good News for Small Businesses

In our analysis of 500+ security assessments, we found that the average small business (under 50 employees) could recover 15–30 points on their security grade by fixing just these five issues — all of which are free to address. The most common reason small businesses have poor grades isn't lack of effort; it's that no one told them what to fix.

Whether your business is a law firm, dental practice, retail shop, or consulting agency — a weak cybersecurity rating can cost you clients, raise your insurance premiums, and expose you to avoidable breaches. Here are five things you can fix this week, for free.

1. Set Up DMARC on Your Domain

~30 minutes  |  Up to +18 points

Email authentication is the single largest scoring factor — and the most commonly missing. If your domain doesn't have a DMARC record, attackers can send phishing emails that look exactly like they came from you. That harms your customers and tanks your score.

How to do it (free):
  1. Go to your domain registrar (GoDaddy, Namecheap, etc.) and open your DNS editor.
  2. Add a new TXT record on _dmarc.yourdomain.com
  3. Set the value to: v=DMARC1; p=quarantine; rua=mailto:[email protected]
  4. Save and wait 24 hours for DNS propagation.

Start with p=quarantine rather than p=reject until you've confirmed all your legitimate email is authenticated.

Free tools: MXToolbox DMARC Check, Google Postmaster Tools

2. Check & Renew Your SSL Certificate

~15 minutes  |  Up to +8 points

An expired or missing HTTPS certificate is immediately visible to rating platforms and sends a strong negative signal. Visitors also see browser warnings that destroy trust. The good news: SSL certificates are free via Let's Encrypt, and most web hosts renew them automatically.

How to check right now (free):
  1. Visit https://www.ssllabs.com/ssltest/ and enter your domain.
  2. Look for your expiration date and grade. Anything below A is a problem.
  3. If expired: log into your web host's control panel and renew (usually one click). Most hosts use Let's Encrypt for free.
  4. Enable auto-renewal so this never lapses again.
Free tools: SSL Labs, Let's Encrypt, your hosting control panel
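
To keep watching the expiration date after auto-renewal is enabled, here is an added example (not code from this article or from SSL Labs) that reads a site's certificate and reports how close it is to expiring. The 30-day threshold and the sample `notAfter` value are assumptions.

```python
# Added example: classify a certificate by the days left before it expires.
import socket
import ssl
import time

RENEW_BELOW_DAYS = 30  # assumption: alert threshold, tune to your renewal schedule

def days_left(not_after, now=None):
    """Whole days until expiry, from a certificate 'notAfter' string (GMT)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify(not_after, now=None):
    """Map the remaining lifetime to 'expired', 'renew now' or 'ok'."""
    days = days_left(not_after, now)
    if days < 0:
        return "expired"
    return "renew now" if days < RENEW_BELOW_DAYS else "ok"

def check_host(host, port=443, timeout=5):
    """Fetch the live certificate and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed or wrong-name certificates fail the handshake.
        return f"invalid: {exc.verify_message}"

# Constructed notAfter value in the format getpeercert() returns.
SAMPLE_NOT_AFTER = "Mar 15 12:00:00 2026 GMT"

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, check_host(host))
```

Run it with your domain as the argument, for example from a weekly scheduled task.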

3. Scan for Dark Web Credential Leaks

~20 minutes  |  Up to +6 points

If any of your employees' work email addresses and passwords have appeared in data breaches, those credentials are likely for sale on criminal forums. Rating platforms detect this and it directly hurts your score — and makes you a target for credential stuffing attacks.

Steps to take right now:
  1. Go to haveibeenpwned.com and check every employee email address.
  2. For business domains, use the free domain-level search to see all affected accounts at once.
  3. Force a password reset for every account that has been compromised — today.
  4. Enable multi-factor authentication (MFA) on all accounts — especially email, banking, and cloud storage.
Free tools: HaveIBeenPwned.com, Google Workspace breach alerts, Microsoft 365 leaked credentials

4. Update All Software & Enable Auto-Updates

~45 minutes  |  Up to +5 points

Outdated software with known vulnerabilities (CVEs) running on your website, servers, or office computers is visible to security scanners — and directly reduces your score. This is especially common with WordPress plugins, outdated CMS versions, and unpatched Windows machines.

Where to focus:
WordPress: Update core, all plugins, and all themes. Delete any inactive plugins — they're still a vulnerability even when disabled.
Windows: Run Windows Update and enable automatic updates. Apply any pending "critical" or "important" patches immediately.
Web server: If you manage your own hosting, ensure Apache, Nginx, and PHP are on their latest stable versions.
Free tools: WPScan (WordPress), Windows Update, Wordfence (free tier)

5. Remove Exposed Admin Panels & Open Ports

~20 minutes  |  Up to +4 points

If your website's admin login page is publicly accessible at a predictable URL (like /wp-admin or /admin), it's being scanned by automated bots right now. Hiding or restricting admin access is a quick win that improves both your score and your real-world security.

Quick actions:
  1. Change your WordPress or CMS admin URL to something non-standard (free plugins like WPS Hide Login do this).
  2. Add IP allowlisting to your admin panel — only your office IP and home IP should access it.
  3. Use shodan.io (free account) to search your IP address and see what ports are visible to the public internet.
  4. Ask your hosting provider to close any open ports you don't actively use.
Free tools: Shodan.io, WPS Hide Login, Cloudflare (free tier firewall rules)
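
To confirm the allowlist from step 2 is actually enforced, here is an added example (not code from this article or from any of the tools above) that scans web server access-log lines for admin-page requests coming from addresses outside the allowlist. The allowlisted networks, the admin paths, the combined log format and the sample lines are all assumptions, using documentation IP ranges.

```python
# Added example: audit an access log for admin-page requests from outside the allowlist.
import ipaddress
import re

# Assumptions: allowlisted networks and admin paths; adjust to your site.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/28")]
ADMIN_PATHS = ("/wp-admin", "/wp-login.php", "/admin")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_admin_path(path):
    """True when the request path (query string ignored) is an admin page."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PATHS)

def outside_hits(lines):
    """Return (ip, path, status) for admin requests from non-allowlisted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_admin_path(m["path"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        if not any(ip in net for net in ALLOWLIST):
            hits.append((str(ip), m["path"], int(m["status"])))
    return hits

def still_reachable(lines):
    """Hits the server answered with anything other than 403/404."""
    return [h for h in outside_hits(lines) if h[2] not in (403, 404)]

# Constructed log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Jan/2026:09:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Jan/2026:09:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3312',
    '192.0.2.77 - - [14/Jan/2026:09:02:40 +0000] "GET /wp-admin/ HTTP/1.1" 403 153',
    '192.0.2.44 - - [14/Jan/2026:09:03:02 +0000] "GET /blog/admin-tips HTTP/1.1" 200 900',
    '198.51.100.5 - - [14/Jan/2026:09:04:10 +0000] "GET /admin HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in still_reachable(SAMPLE_LOG):
        print("admin page reachable from outside the allowlist:", hit)
```

Any line it prints means an outside address received the admin page rather than a 403 or 404, so the restriction is not in effect for that path.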

Your Potential Score Impact This Week

  1. Set up DMARC  |  +up to 18 pts
  2. Fix SSL certificate  |  +up to 8 pts
  3. Clear dark web credential leaks  |  +up to 6 pts
  4. Update software & enable auto-updates  |  +up to 5 pts
  5. Restrict admin access & close open ports  |  +up to 4 pts

Total potential improvement  |  +up to 41 pts

What to Do After These 5 Wins

These five actions address the low-hanging fruit. But if you're still below a B grade after completing them — or if you need to meet a specific compliance standard (HIPAA, PCI-DSS, SOC 2) — our team can provide a full technical assessment and guided remediation roadmap tailored to your business size and budget.

Free Assessment: See every issue affecting your grade in 48 hours
Remediation Roadmap: Prioritized fix list built around your budget
Guided Support: Our team handles the technical fixes for you
