Minimum Viable Audit for Solopreneurs: Quick checks that massively reduce risk
Published Apr 11, 2026 by Editorial Team

Most solopreneurs do not need an annual compliance exercise. They need a repeatable 30- to 45-minute review of the systems that can actually break the business: primary email, domain and DNS, website admin, payment tools, cloud storage, and any vendor or contractor with privileged access.
That is the right scale for a minimum viable audit. NIST's small business guidance frames cybersecurity as a continuous process and recommends basics like multi-factor authentication, strong passwords, and backups that are both protected and tested. CISA's Cyber Essentials makes a similar point for small organizations: start with access control, backups, and timely updates before you worry about more elaborate controls. (NIST: Cybersecurity Basics, CISA: Cyber Essentials)
The practical takeaway is simple: if you are a team of one, audit the few things that can lock you out, leak customer information, or stop sales. Do that consistently, and you will reduce a surprising amount of risk.
What Belongs in a Minimum Viable Audit
Your audit should focus on the systems with outsized blast radius:
- the email account that resets every other password
- the domain registrar and DNS provider that keep your site and email reachable
- the payment processor, ecommerce admin, or invoicing system that handles revenue
- the website or CMS accounts that can publish code, content, or redirects
- the cloud storage, accounting, and file-sharing tools that hold business records
- the contractors, plugins, integrations, and vendors connected to any of the above
If one of those systems fails or gets hijacked, you do not have a minor tech problem. You have an operating problem.
1. Review Who Can Lock You Out or Move Money
CISA recommends maintaining inventories of user accounts, vendors, and business partners on your network, using MFA for all users starting with privileged access, and granting permissions based on need-to-know and least privilege. FTC guidance says the same thing in plainer business terms: not everyone needs unrestricted access, and vendors should only get the data or systems access they actually need. (CISA: Cyber Essentials, FTC: Start with Security)
For a solopreneur, this first check is usually the biggest win:
- open your registrar, DNS, email, payment processor, website admin, cloud storage, and accounting tools
- list every admin, owner, collaborator, integration, and API key
- remove old contractors, former employees, test accounts, and duplicate logins
- replace shared credentials with individual accounts wherever possible
- make sure the recovery email and phone number on each critical account still belong to you
This sounds basic because it is basic. It is also where many preventable incidents start.
2. Enforce MFA on the Accounts That Matter Most
NIST's small business MFA guidance is blunt: passwords alone are not effective for securing your most sensitive assets, and enabling MFA on all accounts that offer it is essential. CISA goes further by noting that phishing-resistant MFA is the standard organizations should aim for, while also emphasizing that any MFA is better than none. (NIST: Multi-Factor Authentication, CISA: More than a Password)
In a minimum viable audit, do not spread your attention evenly across every login. Start with:
- primary email
- domain registrar and DNS
- payment processor
- website hosting and CMS admin
- password manager
- banking and accounting tools
If passkeys, security keys, or other phishing-resistant options are available on those accounts, use them there first. If they are not, enable app-based MFA rather than leaving the account on password-only access.
3. Confirm You Can Restore, Not Just Back Up
NIST advises small businesses to back up data regularly and to establish measures to protect and test those backups. CISA similarly recommends regular automated backups, protections for backup copies, and disaster recovery planning that is tested often. (NIST: Cybersecurity Basics, CISA: Cyber Essentials)
This is where many "responsible" businesses fool themselves. They have backups in theory, but they have never restored one under pressure.
Your audit should answer three questions:
- what exactly is being backed up
- where those backups live
- whether you have successfully restored a critical file, database, or site recently
For a solo business, a single restore test is often enough to expose reality. Restore one important file. Export one important system. Confirm the backup is recent, readable, and usable without heroic effort. If you cannot restore quickly, your backup is closer to a hope than a control.
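A restore test is easy to describe and easy to skip, so here is one as an added example (not code from the original article): it builds a small constructed "site" in a temporary directory, archives it with a per-file SHA-256 manifest, then performs the three checks the section asks for by restoring into a scratch directory and reporting age, readability and integrity. The `max_age_days` limit, the manifest layout and the sample files are assumptions for the demo.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dest: Path) -> Path:
    """Archive src into dest/backup.tar.gz and write a manifest of per-file hashes beside it."""
    archive = dest / "backup.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                tar.add(path, arcname=rel)
                manifest[rel] = sha256_file(path)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def restore_test(archive: Path, manifest_path: Path, max_age_days: int = 7,
                 now: Optional[float] = None) -> dict:
    """Restore the archive into a scratch directory and check recency, readability and integrity."""
    now = time.time() if now is None else now
    findings = []
    age_days = (now - archive.stat().st_mtime) / 86400
    if age_days > max_age_days:
        findings.append(f"backup is {age_days:.0f} days old (limit {max_age_days})")
    expected = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the "data" extraction filter where this Python provides it (3.12+ and
                # security backports); it rejects members that would write outside restore_dir.
                opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_dir, **opts)
        except (tarfile.TarError, OSError) as exc:
            return {"ok": False, "findings": [f"archive unreadable: {exc}"], "files_checked": 0}
        for rel, digest in expected.items():
            restored = restore_dir / rel
            if not restored.is_file():
                findings.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                findings.append(f"checksum mismatch: {rel}")
    return {"ok": not findings, "findings": findings, "files_checked": len(expected)}


def demo() -> dict:
    """Build a constructed two-file 'site', back it up, then run three restore tests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "site"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'sample');\n")
        (src / "config.yml").write_text("site: example\n")
        out = root / "backups"
        out.mkdir()
        archive = make_backup(src, out)
        manifest = out / "manifest.json"
        results = {"fresh": restore_test(archive, manifest)}
        # The same archive judged 30 days later: still readable, but no longer recent enough.
        results["stale"] = restore_test(archive, manifest, now=time.time() + 30 * 86400)
        # A manifest whose stored hash no longer matches the archive stands in for silent corruption.
        bad = json.loads(manifest.read_text())
        bad["config.yml"] = "0" * 64
        bad_manifest = out / "manifest_bad.json"
        bad_manifest.write_text(json.dumps(bad))
        results["corrupt"] = restore_test(archive, bad_manifest)
        return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "OK" if result["ok"] else "FAIL", result["findings"])
```

The point of restoring into a scratch directory rather than over the live copy is that the test stays safe to run on any day; a hosted backup tool can replace `make_backup`, as long as something independent of it still records what the backup was supposed to contain.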
4. Patch the Small Stack Attackers Actually Hit
CISA recommends enabling automatic updates whenever possible, removing unsupported software, and replacing systems that no longer receive security support. It also maintains the Known Exploited Vulnerabilities Catalog as a living list of flaws that have already been exploited in the wild and recommends organizations prioritize remediation of those issues. (CISA: Cyber Essentials, CISA: Known Exploited Vulnerabilities)
For solopreneurs, this usually means looking at a much smaller attack surface than you think:
- CMS core
- plugins, extensions, themes, and form builders
- hosting control panels
- ecommerce or booking add-ons
- automation tools and embedded scripts
A useful audit habit is to prune before you patch. Delete unused plugins. Remove abandoned integrations. Replace anything unsupported. Then turn on automatic updates for the parts of the stack that are stable enough to update safely without manual intervention.
5. Audit Vendors and Contractors Like They Are Part of Your Stack
FTC guidance warns that service providers should not be treated as a security blind spot. Businesses are expected to set security expectations, put them in writing, and verify that providers handling sensitive information are following through. (FTC: Start with Security, FTC: Make sure your service providers implement reasonable security measures)
This matters for solopreneurs because "my contractor handled that" is often how risk disappears from view.
During your audit:
- list the vendors and freelancers that can access customer data, analytics, ads, billing, hosting, or site administration
- confirm which accounts they still use and whether that access is still necessary
- revoke stale invites, OAuth connections, and API keys
- note where security expectations live, even if that is just a short written standard in the contract or statement of work
If a provider has broad access and no clear expectations, you have outsourced work but kept the risk.
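The access review in section 1 and the vendor review in this section are the same exercise run over different rows of one inventory, so one added example (not code from the original article) serves both: every admin, collaborator, integration, API key and shared login is written down as a `Grant`, then reconciled against who is still on the roster, which vendors are still engaged, how recently each grant was used, and whether each account's recovery contact sits on a domain you control. The inventory, the 90-day inactivity threshold and all names and domains are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """One entry from a system's admin, collaborator, integration or API-key list."""
    system: str
    principal: str             # person, vendor, integration or API-key label
    kind: str                  # "person", "contractor", "integration", "api_key" or "shared"
    role: str                  # "owner", "admin", "editor", "read", ...
    last_used: Optional[date]  # None when the platform shows no sign-in or API use at all


Finding = Tuple[str, str, str]  # (system, principal, what to do)


def review_access(grants: List[Grant], current_people: Set[str], active_vendors: Set[str],
                  recovery_contacts: Dict[str, str], owned_domains: Set[str],
                  today: date, stale_after_days: int = 90) -> List[Finding]:
    """Flag grants to remove, replace or justify, plus recovery contacts you do not control."""
    findings: List[Finding] = []
    for g in grants:
        if g.kind == "shared":
            findings.append((g.system, g.principal, "shared credential: replace with individual accounts"))
            continue
        if g.kind == "person" and g.principal not in current_people:
            findings.append((g.system, g.principal, "person no longer on the roster: remove"))
            continue
        if g.kind == "contractor" and g.principal not in active_vendors:
            findings.append((g.system, g.principal, "contractor no longer engaged: revoke"))
            continue
        # Integrations and API keys have no roster; inactivity is the only signal for them.
        if g.last_used is None or (today - g.last_used).days > stale_after_days:
            findings.append((g.system, g.principal,
                             f"unused for over {stale_after_days} days: revoke or justify"))
    for system, contact in recovery_contacts.items():
        domain = contact.rsplit("@", 1)[-1].lower()
        if domain not in owned_domains:
            findings.append((system, contact, "recovery contact is not on a domain you control"))
    return findings


# Constructed inventory for a one-person business; names, dates and domains are made up.
TODAY = date(2026, 4, 11)
SAMPLE_GRANTS = [
    Grant("email", "owner@example.com", "person", "owner", date(2026, 4, 10)),
    Grant("registrar", "owner@example.com", "person", "owner", date(2026, 2, 5)),
    Grant("registrar", "old-dev@freelance.example", "contractor", "admin", date(2025, 6, 1)),
    Grant("cms", "shared-admin", "shared", "admin", date(2026, 4, 1)),
    Grant("cms", "seo-agency", "contractor", "editor", date(2026, 3, 20)),
    Grant("cms", "zap-sync", "integration", "editor", None),
    Grant("payments", "owner@example.com", "person", "owner", date(2026, 4, 9)),
    Grant("payments", "reporting-key-2023", "api_key", "read", date(2025, 2, 14)),
]
CURRENT_PEOPLE = {"owner@example.com"}
ACTIVE_VENDORS = {"seo-agency"}
OWNED_DOMAINS = {"example.com", "example.net"}
RECOVERY_CONTACTS = {
    "email": "backup@example.net",
    "registrar": "owner@example.com",
    "cms": "webdev@oldagency.example",   # left over from a past redesign
}


def run_sample() -> List[Finding]:
    return review_access(SAMPLE_GRANTS, CURRENT_PEOPLE, ACTIVE_VENDORS,
                         RECOVERY_CONTACTS, OWNED_DOMAINS, TODAY)


if __name__ == "__main__":
    for system, principal, action in run_sample():
        print(f"{system:10} {principal:30} {action}")
```

Filling in `SAMPLE_GRANTS` by hand from each admin page is the actual audit work; the script only makes the stale, shared and unowned entries impossible to overlook once they are listed.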
6. Delete Data and Access You No Longer Need
FTC's security guidance starts with a deceptively strong idea: do not collect or retain sensitive information without a legitimate business need. That principle applies to solopreneurs as much as larger companies. The easiest data to secure is the data you never kept, and the easiest account to defend is the account you already removed. (FTC: Start with Security)
Minimum viable audit questions:
- do you still need those old customer exports in a local downloads folder
- are there dormant admin accounts from past redesigns or launches
- are old integrations still pulling data into tools you no longer use
- are you keeping personal information longer than your workflow requires
Solopreneurs tend to accumulate risk by convenience. Old CSVs, old plugins, old collaborators, and old automations all become part of the exposure surface unless someone removes them on purpose.
A 12-Point Audit You Can Run in Under an Hour
Use a simple tracker like this:
System | Owner | Admins Reviewed | MFA On | Backups Verified | Vendors Reviewed | Last Checked
--- | --- | --- | --- | --- | --- | ---
Email | | | | | |
Registrar / DNS | | | | | |
Website / CMS | | | | | |
Payment Processor | | | | | |
Cloud Storage | | | | | |
Accounting / Invoicing | | | | | |
Then run this checklist:
- critical account owners and recovery methods confirmed
- all privileged users reviewed
- stale users and contractor access removed
- MFA enabled on high-impact accounts
- one restore test completed
- backup location and recency confirmed
- unsupported software identified
- unused plugins or integrations removed
- auto updates checked
- high-risk vendors and contractors reviewed
- stale exports or unnecessary sensitive files deleted
- next review date scheduled
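Once the tracker above is filled in, the "next review date" item follows from it. As an added example (not from the original article), this script reads a tracker in the page's column layout, lists the controls still marked "no" for each system, decides which rows are overdue against a review interval, and orders the result so the most urgent system comes first. The filled-in rows and the 90-day interval are constructed assumptions.

```python
import csv
from datetime import date, timedelta
from io import StringIO
from typing import List

# Constructed example of a filled-in tracker in the page's column layout; not the author's data.
TRACKER = """\
System | Owner | Admins Reviewed | MFA On | Backups Verified | Vendors Reviewed | Last Checked
Email | me | yes | yes | no | yes | 2026-03-30
Registrar / DNS | me | yes | yes | n/a | no | 2025-12-01
Website / CMS | me | no | yes | no | no | 2026-01-15
Payment Processor | me | yes | yes | n/a | yes | 2026-04-01
Cloud Storage | me | yes | no | yes | n/a |
Accounting / Invoicing | me | yes | yes | yes | yes | 2026-04-05
"""

# Columns that represent a control; "no" means an open item, "n/a" means not applicable.
CONTROL_COLUMNS = ["Admins Reviewed", "MFA On", "Backups Verified", "Vendors Reviewed"]


def parse_tracker(text: str) -> List[dict]:
    """Turn the pipe-separated tracker into one dict per system, keyed by column name."""
    rows = [[cell.strip() for cell in row]
            for row in csv.reader(StringIO(text), delimiter="|")]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body if any(row)]


def audit_status(text: str, today: date, review_every_days: int = 90) -> List[dict]:
    """Return one status record per system, most urgent first."""
    report = []
    for row in parse_tracker(text):
        open_items = [col for col in CONTROL_COLUMNS if row.get(col, "").lower() == "no"]
        last = date.fromisoformat(row["Last Checked"]) if row["Last Checked"] else None
        # A row that has never been checked counts as overdue, not as "no problem recorded".
        overdue = last is None or (today - last).days > review_every_days
        next_due = (last + timedelta(days=review_every_days)) if last else today
        report.append({
            "system": row["System"],
            "open": open_items,
            "last_checked": last,
            "overdue": overdue,
            "next_due": next_due,
        })
    # Overdue rows first, then the rows with the most open items; ties keep tracker order.
    report.sort(key=lambda r: (not r["overdue"], -len(r["open"])))
    return report


if __name__ == "__main__":
    for entry in audit_status(TRACKER, date(2026, 4, 11)):
        flag = "OVERDUE" if entry["overdue"] else "ok"
        print(f"{entry['system']:24} {flag:8} next {entry['next_due']}  open: {entry['open']}")
```

Keeping the tracker as plain text next to the business records means the check itself needs no extra tooling, and the sort order turns a table of yes/no cells into the short list of what to fix before the next review.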
The Real Goal
A minimum viable audit is not about looking sophisticated. It is about catching the boring failures that cause disproportionate damage in small businesses: the forgotten contractor account, the expired recovery email, the plugin nobody patched, the backup nobody tested, the customer export sitting in the wrong folder.
That is why this kind of audit works. It is small enough to repeat, concrete enough to finish, and focused enough to reduce real operational risk instead of creating paperwork. For a solopreneur, that is the right standard.