Playbook: Your First 90 Days of Cybersecurity (For Businesses With No IT Team)

If you have no IT team and a long to-do list, “improve cybersecurity” feels impossibly vague. So here’s a concrete 90-day plan in three 30-day sprints. Do them in order; each one buys down the most risk for the least effort.

Days 1 to 30: Lock the front doors

  • Turn on multi-factor authentication (MFA) for email, banking, and admin accounts.
  • Get every team member a password manager.
  • Turn on automatic updates on every device.

Days 31 to 60: Make a bad day survivable

  • Set up automatic backups with at least one copy that’s offline or immutable.
  • Write a one-page “who do I call” incident sheet.
  • Test that you can actually restore a file from backup.

Days 61 to 90: Reduce the attack surface

  • Inventory your SaaS tools and revoke unused access.
  • Remove admin rights from day-to-day user accounts.
  • Run a 30-minute phishing refresher with the team.

Ninety days, no IT team, no big budget, and you’ll have closed the gaps behind the majority of small-business breaches. Want to know which step matters most for your business? Start with an assessment.