Security doesn't start with firewalls and penetration tests. It starts with knowing what's open.
This checklist takes ten minutes. Each item is something you can verify right now, without a technical background. Some will take a minute to check. Some will take ten minutes to fix. All of them matter.
1. Can someone send emails pretending to be you? (2 minutes)
This is the one that surprises most business owners. An attacker can send an email from [email protected] to every member of your staff — and if you don't have the right DNS records, there's nothing stopping them.
How to check: Use a free DNS lookup tool to run an SPF lookup and a DMARC lookup on your domain. If either says "not found" or "no record", you have a problem.
What to do: Ask your email provider or developer to add an SPF record and a DMARC record to your DNS. Most email providers (Google Workspace, Microsoft 365) have a guide for this that takes under ten minutes to implement.
Why it matters: Email impersonation is used in invoice fraud, phishing attacks against your customers, and supplier scams. It's one of the most common attacks against small businesses — and one of the easiest to prevent.
2. Are your staff's passwords in a breach database? (2 minutes)
Billions of username/password combinations have been stolen from hacked websites and leaked online. Attackers run these against every login page they can find.
How to check: Go to haveibeenpwned.com and enter your work email address. Do the same for any staff members you're responsible for.
What to do: If any email appears in a breach, assume that password is compromised. Change it everywhere it was used and enable multi-factor authentication.
Why it matters: Credential stuffing is the most common form of account takeover. If a staff member reused a password from an old breach, an attacker already has it.
3. Does your website use HTTPS everywhere? (1 minute)
How to check: Visit your website. Look for the padlock icon in the browser address bar. Also check that http:// automatically redirects to https://.
What to do: If you don't have HTTPS, contact your hosting provider — it's usually free with Let's Encrypt. If you have HTTPS but it doesn't redirect from HTTP, add a redirect rule.
Why it matters: Without HTTPS, any data submitted through your site — including login details and contact forms — can be intercepted.
4. Is your website software up to date? (1 minute)
How to check: Log in to your CMS (WordPress, Wix, Shopify, etc.) and check for any update notifications. For WordPress: Dashboard → Updates.
What to do: Install all available updates — core, themes, and plugins.
Why it matters: The majority of WordPress hacks exploit known vulnerabilities in outdated plugins or themes. Updates take minutes; breaches take months to recover from.
5. Do you have an exposed admin panel? (1 minute)
How to check: Try visiting common admin URLs on your site: /wp-admin, /admin, /login, /administrator, /cpanel.
What to do: If any of these are accessible, ensure they require strong passwords and MFA. Consider restricting access to specific IP addresses if you always log in from the same location.
Why it matters: Exposed admin panels are targeted by automated brute-force tools constantly. A strong password plus MFA eliminates this risk almost entirely.
6. Is your domain expiry date more than 60 days away? (30 seconds)
How to check: Look up your domain in WHOIS (your registrar's website will show this). Or search "WHOIS yourcompany.com".
What to do: If your domain expires in the next 90 days, renew it now. Enable auto-renewal.
Why it matters: Domain expiry is a surprisingly common entry point. If your domain lapses, someone can register it immediately and use it for phishing, email fraud, or brand impersonation.
7. Are you running software you no longer use? (1 minute)
How to check: Log in to your CMS and check for inactive or deactivated plugins. Check your hosting control panel for any installed applications you haven't used recently.
What to do: Uninstall anything you don't actively use. A deactivated plugin can still be vulnerable.
Why it matters: Every piece of installed software is a potential attack surface. Less is safer.
8. Do you have any public S3 buckets or cloud storage? (1 minute)
How to check: If you use AWS S3, Azure Blob Storage, or Google Cloud Storage, log in to your cloud provider's console and check the access settings on each bucket/container.
What to do: Any bucket containing business or customer data should be private. Public access should only be enabled for buckets specifically intended for public file hosting (like images for your website).
Why it matters: Publicly accessible cloud storage is one of the most common causes of data breaches. Buckets containing internal documents, customer records, and backups are discovered and exposed regularly.
9. Have you googled your company recently? (1 minute)
How to check: Search for your company name and domain on Google. Look at all results — especially those you didn't create.
What to do: If you find any pages, accounts, or content that shouldn't exist under your brand, investigate and take down where possible.
Why it matters: Brand impersonation via fake websites, fake social media accounts, and fake Google Business profiles is a growing problem. Catching it early is much easier than recovering from it.
10. Run a full external security scan (2 minutes to start)
Everything above is a manual spot-check. An automated external scan runs all 57 checks in parallel, produces a full risk report, and tells you exactly what to fix in priority order.
How to do it: Enter your domain at app.kayvrn.com and click Run Scan. It's free, takes no installation, and produces a full report in under 30 minutes.
---
None of these steps require a security background. They require ten minutes and the decision to know what you're dealing with.
The businesses that get breached aren't unlucky — they're uninformed. The information is available. The tools are free. The question is whether you look before someone else does.