Five Security Quick Wins That Cost Less Than a Data Breach
There's a question I hear in almost every first conversation with a business owner: “What can we do without spending a fortune?”
Fair question. Most small and medium businesses don't have a security budget in any meaningful sense. They have an IT budget, and security is whatever's left over after the laptops, the licences, and the support contract.
But the five changes below don't need a budget line. Most are free. All of them can be done in less than a day. And any one of them would have prevented real incidents I've seen in UK businesses in the past twelve months.
43% of all cyberattacks target small businesses. 60% of the ones that get hit go out of business within six months. Those numbers aren't theoretical. The maths is not complicated: the cost of doing nothing is higher than the cost of doing something.
Here are five somethings.
1. Set up DMARC, SPF, and DKIM on your email domain
Nine out of ten cyberattacks start with an email. If your domain doesn't have email authentication configured, anyone on the internet can send emails that look like they came from you. Not “similar to” you. From you. Your exact domain, your exact display name, landing in your clients' inboxes with nothing to flag it as fake.
SPF tells receiving mail servers which systems are allowed to send on your behalf. DKIM adds a cryptographic signature proving the message hasn't been tampered with in transit. DMARC ties the two together and tells the receiving server what to do when something fails: ignore it, quarantine it, or reject it outright.
Without these three records, you're relying on the recipient's spam filter to guess. That's not a security strategy. That's hope.
One UK firm I'm aware of nearly lost £20,000 to a single spoofed email that appeared to come from the CEO. The attacker had no access to any internal system. They just sent an email from the company's domain, because nobody had told the internet they couldn't.
The honest caveat.
Setting DMARC up properly isn't a five-minute job if you do it manually. SPF has a 10-lookup limit that breaks easily when your business uses a CRM, a marketing platform, and an invoicing system that all send email on your behalf. DMARC reports arrive as XML that's about as readable as a tin of alphabetti spaghetti. And if you jump straight to a “reject” policy without monitoring first, you'll block your own legitimate email.
Start with p=none to monitor. Move to quarantine once you're confident. Then reject. Tools like PowerDMARC or EasyDMARC automate the hard parts and turn the XML into something a human can actually use. With the right tooling, this is a genuine quick win. Without it, it's a week of DNS headaches.
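The 10-lookup limit above is the part that usually breaks when several SaaS senders are added. Here is an added example, not from the original post, that counts the DNS-querying terms in an SPF record the way a receiving server would (following `include:` and `redirect=` recursively) against a constructed set of TXT records that stands in for live DNS; the domains and records are invented for illustration.

```python
import re

# Constructed sample TXT records standing in for live DNS answers (not any real domain's data).
# A CRM, a marketing platform and an invoicing system have all been added over time.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.crm.example include:mail.marketing.example "
                   "include:invoicing.example mx a -all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.crm.example": "v=spf1 a mx -all",
    "mail.marketing.example": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.spf.marketing.example -all",
    "invoicing.example": "v=spf1 a mx -all",
}

# Mechanisms and modifiers that each cost one DNS query (RFC 7208 section 4.6.4).
# ip4:/ip6:/all are free; include:/redirect= also pull in everything their target costs.
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=$|[:/])|^redirect=", re.I)


def spf_lookup_count(domain, txt=SAMPLE_TXT, _seen=None):
    """Count DNS-querying terms in a domain's SPF record, following include: and redirect=."""
    _seen = set() if _seen is None else _seen
    if domain in _seen:            # an include loop would otherwise recurse forever
        return 0
    _seen.add(domain)
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0                   # missing or non-SPF TXT: nothing further to count here
    count = 0
    for term in record.split()[1:]:
        if not LOOKUP_TERMS.match(term):
            continue
        count += 1
        lower = term.lower().lstrip("+-~?")
        if lower.startswith("include:"):
            count += spf_lookup_count(term.split(":", 1)[1], txt, _seen)
        elif lower.startswith("redirect="):
            count += spf_lookup_count(term.split("=", 1)[1], txt, _seen)
    return count


def spf_within_limit(domain, txt=SAMPLE_TXT):
    """True if the record stays within the 10-lookup limit; above it receivers return permerror."""
    return spf_lookup_count(domain, txt) <= 10


if __name__ == "__main__":
    n = spf_lookup_count("example.com")
    print(f"example.com uses {n} lookups; within limit: {spf_within_limit('example.com')}")
```

In the constructed data the three vendor includes plus the record's own `a` and `mx` add up to 12 lookups, so the record fails before any IP is even checked.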
Worth doing either way. As of 2025, Microsoft requires email authentication for high-volume senders to reach Outlook and Hotmail inboxes. This isn't just security any more. It's deliverability.
2. Clean up your admin accounts
Admin accounts are the number one target for attackers. Not because they're hard to find, but because they're the keys to everything. Once an attacker has Global Admin rights in your Microsoft 365 tenant, they can disable your security tools, create new accounts, read anyone's email, and sit there quietly for as long as they like.
The problem in most small businesses isn't that admin accounts exist. It's that too many people have admin rights they don't need, and the accounts they use for admin work are the same ones they use to check their email and click links in Teams.
Microsoft's own environment was breached by the Midnight Blizzard group using a password spray against a development tenant that had no MFA. If Microsoft can get caught out by the basics, the rest of us should probably pay attention.
Every person who needs admin access should have two accounts. A standard account for daily work, email, Teams, browsing. A separate admin account used only for administrative tasks. This single change matters more than it sounds. A phished standard account can't instantly escalate into a full tenant compromise if the admin credentials live on a completely separate identity.
Beyond that: audit how many Global Admins you have. Microsoft and the CIS benchmarks recommend two to four. Most SME tenants we review have more. Cut back to the minimum. Make sure every admin account has MFA, preferably phishing-resistant MFA like a FIDO2 key rather than SMS codes. And set up two break-glass emergency accounts stored securely offline, so you don't lock yourself out of your own tenant while tightening things up.
If you have the licensing for it, Privileged Identity Management lets admin roles activate only when needed. No standing privileges. A compromised admin account that isn't currently elevated is just another standard account.
3. Test your backups (not just check they ran)
Every business I speak to has backups. Almost none of them have tested a full restore.
There's a difference between a backup job that completed successfully and a backup you can actually recover your business from. The backup log says “completed.” But can you restore your accounting system to a usable state within four hours? Have you tried? Do you know how long it takes?
Backups fail in predictable ways. The backup server sits on the same hardware as the production server, so a single failure takes out both. The backups are network-attached, so ransomware encrypts them along with everything else. The backup schedule hasn't been updated in a year and doesn't cover the new system the business now depends on. The restore process has never been tested, and the first time anyone tries it is during an active incident when the pressure is highest and the margin for error is zero.
The 3-2-1 rule still works: three copies of your data, on two different types of media, with one copy off-site. But the part people skip is the air gap. At least one backup needs to be physically disconnected from your network. A drive in a fireproof safe. An offline vault. Something ransomware cannot reach because it is not plugged in.
Then test the restore. Quarterly at minimum. Not “verify the backup completed.” Actually restore something and confirm it works. Time how long it takes. If your business loses revenue for every hour it's down, you need to know whether your recovery takes two hours or two days.
This costs nothing. You already have the backups. You're just proving they work.
4. Disable legacy authentication protocols
This one is specific to Microsoft 365, but given that M365 is in virtually every UK SME, it applies to most of you reading this.
Legacy authentication protocols — Basic Auth, POP3, IMAP, SMTP AUTH — were designed before multi-factor authentication existed. They don't support MFA. If any of them are still enabled in your tenant, an attacker with a stolen password can log in and skip MFA entirely. Your security policy says MFA is enforced. The legacy protocol doesn't care.
Password spraying attacks, where attackers try common passwords against thousands of accounts, specifically target legacy authentication endpoints because they're quieter in the logs and less likely to trigger identity protection alerts. One security researcher demonstrated on camera that an account could authenticate and send emails via SMTP even while the sign-in logs showed “MFA requirement failure.” The two systems weren't talking to each other.
The reason legacy auth is still enabled in most SME tenants is mundane: nobody turned it off. It was on by default. The business got set up, MFA got enforced through the front door, and nobody checked whether the back door was still open.
The other reason is the SMTP trap. Your office printer probably scans to email via SMTP AUTH. Your backup tool might use it. A line-of-business application from 2019 might depend on it. These are solvable problems, not reasons to leave the whole tenant exposed.
Check your Entra sign-in logs. Filter by client app. See if anything legitimate is still using legacy protocols. Then apply the pre-built Conditional Access template that Microsoft provides specifically for blocking legacy authentication. If the printer needs SMTP, create a Conditional Access exception that restricts that service account to a single known IP address. Everything else gets modern authentication or nothing.
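The log review step above can be scripted against an export of the sign-in logs. This added example (not from the original post) runs over constructed sign-in records in the JSON shape the Entra export uses, separates the legitimate single-source service account from accounts being sprayed over IMAP, and flags any source IP that hit several accounts; the set of legacy `clientAppUsed` values is a subset of the portal's legacy-auth filter and the records themselves are invented.

```python
import json
from collections import defaultdict

# Subset of the clientAppUsed values Entra sign-in logs report for legacy, non-MFA-capable protocols.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Other clients", "Outlook Anywhere (RPC over HTTP)",
}

# Constructed sign-in records (one JSON object per line), not a real tenant export.
# errorCode 0 is a successful sign-in; 50126 is an invalid username or password.
SAMPLE_LOG = """
{"createdDateTime":"2025-03-01T08:00:01Z","userPrincipalName":"scanner@example.com","clientAppUsed":"Authenticated SMTP","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-03-01T09:15:00Z","userPrincipalName":"scanner@example.com","clientAppUsed":"Authenticated SMTP","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-03-01T09:20:00Z","userPrincipalName":"alice@example.com","clientAppUsed":"Browser","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-03-01T02:10:00Z","userPrincipalName":"alice@example.com","clientAppUsed":"IMAP4","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-03-01T02:10:05Z","userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-03-01T02:10:09Z","userPrincipalName":"carol@example.com","clientAppUsed":"IMAP4","ipAddress":"198.51.100.8","status":{"errorCode":0}}
"""


def legacy_auth_summary(log_text):
    """Group legacy-protocol sign-ins by (account, client app) with success/failure counts and source IPs."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "ips": set()})
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        app = rec.get("clientAppUsed")
        if app not in LEGACY_CLIENT_APPS:
            continue                      # modern auth: Conditional Access can enforce MFA here
        entry = summary[(rec["userPrincipalName"], app)]
        entry["ips"].add(rec["ipAddress"])
        if rec.get("status", {}).get("errorCode", 0) == 0:
            entry["success"] += 1
        else:
            entry["failure"] += 1
    return dict(summary)


def spray_sources(log_text, min_accounts=2):
    """Source IPs that tried legacy auth against several distinct accounts: the password-spray pattern."""
    accounts_by_ip = defaultdict(set)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            accounts_by_ip[rec["ipAddress"]].add(rec["userPrincipalName"])
    return {ip for ip, users in accounts_by_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    for (user, app), e in legacy_auth_summary(SAMPLE_LOG).items():
        print(f"{user:22} {app:20} ok={e['success']} fail={e['failure']} ips={sorted(e['ips'])}")
    print("spray sources:", spray_sources(SAMPLE_LOG))
```

In the constructed data the scanner account only ever succeeds from one IP, which is exactly the case for a Conditional Access exception pinned to that address, while the IMAP attempts from one IP across several accounts are the pattern to block.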
This takes less than an hour. It closes one of the most exploited gaps in M365 security.
5. Turn on DNS filtering
DNS filtering is the security equivalent of fitting a smoke alarm. It's cheap, it's simple, it protects you while you sleep, and not having one is hard to justify once you know it exists.
Every time someone in your business visits a website, clicks a link in an email, or opens an application that phones home, a DNS lookup happens first. DNS filtering intercepts that lookup and checks the destination against a database of known-malicious domains. If the site is flagged, the connection gets blocked before the page even loads. The malware never downloads. The phishing form never appears.
It's a safety net for the inevitable moment when someone clicks something they shouldn't. Awareness training helps. Policies help. But people are people, and DNS filtering catches the ones that get through.
Cloudflare's 1.1.1.1 for Families and Quad9 are both free — genuinely free, not free-trial free. They block known malicious domains at the DNS level and require nothing more than changing your network's DNS server settings. If you have a firewall from Fortinet, Palo Alto, or even an open-source pfSense box, DNS filtering is probably already built in and just needs switching on.
Once configured at the network level, it covers every device on that network. You don't need to install software on individual laptops or touch each device separately. Change the DNS settings once and everything behind that network is covered.
The running total
| Quick win | Effort | Cost | What it prevents |
|---|---|---|---|
| Email authentication | Half a day (with tooling) | Free to £50/month | Domain spoofing, phishing via your brand, deliverability failure |
| Admin account cleanup | A few hours | Free (within M365 licence) | Full tenant compromise after a single phished account |
| Backup restore test | Half a day, quarterly | Free | Discovering your backups don't work during a live incident |
| Disable legacy auth | Under an hour | Free | MFA bypass via SMTP, POP3, IMAP |
| DNS filtering | 30 minutes | Free (Cloudflare/Quad9) | Phishing clicks, malware downloads, command-and-control callbacks |
None of these require a procurement process or new hardware. You don't need a consultant either, although having someone who's done it before does make it faster.
The average cost of a data breach for a small business comfortably exceeds what most SMEs spend on IT in a year. These five changes won't make you bulletproof. Nothing will. But they close the gaps that attackers actually use, and they cost less than a bad afternoon.
If you're not sure where you stand on any of these, start with your email domain. Run a DMARC check. See what comes back. That ten-minute exercise will tell you more about your current exposure than any sales pitch.
Bluestone Cyber helps UK businesses close the gaps that actually get exploited. If you want a second pair of eyes on your Microsoft 365 tenant, your email authentication, or your backup strategy, get in touch. We'll tell you where you stand and what to fix first.