Strategy - July 3, 2026 - 9 min read
The 7-Day Lockdown: The AI-Era Security Checklist for Business Owners
Now that hacking a business costs $50 and a machine does it, becoming "hard" stopped being optional. This is a working document: map your business against the five lockdown layers, find your gaps, and connect them into one system.
Todd & Naty Ross - Co-founders, Hub365
Most businesses don't have a "we don't know tech" problem. They have an open-doors problem nobody reviewed. Two-factor not turned on, a misconfigured domain, an ex-employee who still has access. None of that is sophisticated - and it's exactly where an automated attack walks in.
This is a working document. Map your business against the five layers. Time to map: 30-45 minutes. Result: a blueprint of the five layers that make you hard to attack, and a plan to connect them into one system.
01 - Layer 1 - Access (the doors)
Nothing matters if you leave the door open. This layer stops 90% of automated attacks, and nearly all of it is free.
What the Access layer needs
- Two-factor (2FA) on everything. Email, banking, CRM, social, hosting. It's the single measure that, alone, stops most automated attempts.
- Unique passwords in a manager. No reuse. A manager (1Password, Bitwarden) generates and stores a different one per site.
- Access review. Who gets into what. "Least access possible": each person only what they need.
- Immediate offboarding. When an employee or vendor leaves, access is cut the same day.
The access rule: 2FA is not optional and not "for later." It's the difference between a failed attempt and a breach. If you do one thing from this guide this week, turn on two-factor for your email and banking.
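The access review and same-day offboarding items above are a list-comparison exercise: the people who should have access versus the accounts each system actually has. The script below is an added example, not Hub365's tooling; the roster and the three account exports are constructed sample data standing in for what you would download from each admin console. It flags accounts belonging to nobody on the roster (the ex-employee or ex-vendor who still gets in, and the ownerless mailboxes Layer 2 mentions), accounts without 2FA, and every admin or owner role so each can be questioned.

```python
"""Access review: compare who should have access with the accounts each system
actually has. All data below is constructed for this example; in practice you
export it from each system's admin console (users, roles, 2FA status)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str       # which system the account lives in
    email: str        # identity of the account holder
    role: str         # role as the system reports it
    two_factor: bool  # whether 2FA is enforced on this account


# Constructed roster: everyone who currently works with the business.
ACTIVE_PEOPLE = {"owner@example.com", "ana@example.com", "luis@example.com"}

# Constructed exports from three systems.
ACCOUNTS = [
    Account("email", "owner@example.com", "admin", True),
    Account("email", "ana@example.com", "user", True),
    Account("email", "luis@example.com", "user", False),
    Account("email", "former@example.com", "user", True),          # left last month
    Account("crm", "owner@example.com", "admin", True),
    Account("crm", "ana@example.com", "admin", True),
    Account("crm", "agency@vendor-example.com", "admin", False),   # contract ended
    Account("hosting", "owner@example.com", "owner", False),
]


def review_access(accounts, active_people):
    """Return findings as lists of (system, email): accounts that belong to
    nobody on the roster, accounts without 2FA, and every admin/owner role."""
    findings = {"orphaned": [], "no_2fa": [], "admins": []}
    for acct in accounts:
        if acct.email not in active_people:
            findings["orphaned"].append((acct.system, acct.email))
        if not acct.two_factor:
            findings["no_2fa"].append((acct.system, acct.email))
        if acct.role in ("admin", "owner"):
            findings["admins"].append((acct.system, acct.email))
    return findings


def offboarding_plan(accounts, leaver):
    """Every system where the leaver still has an account: the same-day cut list."""
    return sorted({a.system for a in accounts if a.email == leaver})


if __name__ == "__main__":
    findings = review_access(ACCOUNTS, ACTIVE_PEOPLE)
    for kind, hits in findings.items():
        print(f"{kind}:")
        for system, email in hits:
            print(f"  {system:8} {email}")
    print("cut today for former@example.com:", offboarding_plan(ACCOUNTS, "former@example.com"))
```

Run it once a quarter against fresh exports; the "admins" list is deliberately not filtered, because whether a given admin role is still needed is a judgment only the owner can make.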
02 - Layer 2 - Domain and email (your identity)
A misconfigured domain lets people spoof your email, scam your customers in your name, and send your legitimate emails to spam - all silently.
What the Domain layer needs
- SPF, DKIM, and DMARC configured. The three records that tell the world which emails are really yours.
- Spoofing monitoring. Alerts if someone tries to send as you.
- Certificate and HTTPS current. Your site with the lock, no "not secure" warnings.
- No orphaned mailboxes. Old, ownerless inboxes are forgotten doors.
Why this is urgent: With AI generating perfect phishing emails at scale, a domain without DMARC is a gift to attackers: they can email your customers from your brand. Setting up the three records takes an afternoon and closes that vector completely. (We break it down in Domain compliance: the 4 silent problems.)
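"Configured" is not the same as "configured well": an SPF record ending in +all, a DKIM selector with an empty key, or a DMARC policy of p=none all exist in DNS and still leave the door open. The checker below is an added example, not Hub365's tooling; it grades the three records the way a receiving mail server reads them. The record strings are constructed (the DKIM key is a truncated placeholder); for a real domain you would fetch them with dig (dig TXT example.com, dig TXT selector._domainkey.example.com, dig TXT _dmarc.example.com) and pass them in.

```python
"""Grade SPF, DKIM and DMARC TXT records. The records below are constructed for
this example; fetch real ones with dig and pass them to grade_domain()."""
import re

# SPF terms that cost a DNS lookup; the limit is 10 per evaluation (RFC 7208).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(:|$)|mx(:|$)|ptr|exists:|redirect=)")


def _tags(record):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(record):
    """Return (ok, notes). ok means unlisted senders fail and lookups fit the limit."""
    if not record.startswith("v=spf1"):
        return False, ["not an SPF record: must start with v=spf1"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    notes = []
    if all_term is None:
        notes.append("no 'all' term: senders you did not list are neither passed nor failed")
    elif all_term in ("all", "+all"):
        notes.append("'+all' lets every server on the internet send as this domain")
    elif all_term == "?all":
        notes.append("'?all' is neutral: receivers learn nothing about unlisted senders")
    elif all_term == "~all":
        notes.append("'~all' is a soft fail; '-all' tells receivers to reject outright")
    if lookups > 10:
        notes.append(f"{lookups} lookup terms: over the limit of 10, receivers return permerror")
    return all_term in ("-all", "~all") and lookups <= 10, notes


def check_dkim(record):
    """Return (ok, notes) for a selector record. An empty p= means the key is revoked."""
    tags = _tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, ["unexpected v= tag: not a DKIM1 record"]
    if not tags.get("p"):
        return False, ["empty or missing p= tag: no public key, signatures cannot verify"]
    return True, []


def check_dmarc(record):
    """Return (ok, notes). ok means an enforcing policy applied to 100% of mail."""
    if not record.startswith("v=DMARC1"):
        return False, ["not a DMARC record: must start with v=DMARC1"]
    tags = _tags(record)
    policy = tags.get("p")
    if policy is None:
        return False, ["missing required p= tag"]
    notes = []
    if policy == "none":
        notes.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        notes.append("p=quarantine sends failing mail to spam; p=reject blocks it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        notes.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports, so spoofing attempts stay invisible")
    return policy in ("quarantine", "reject") and pct == 100, notes


def grade_domain(spf, dkim, dmarc):
    """Run all three checks; returns {name: (ok, notes)}."""
    return {"spf": check_spf(spf), "dkim": check_dkim(dkim), "dmarc": check_dmarc(dmarc)}


# Constructed records: a domain set up once and forgotten vs a locked-down one.
FORGOTTEN = {
    "spf": "v=spf1 include:_spf.example-mail.net +all",
    "dkim": "v=DKIM1; k=rsa; p=",
    "dmarc": "v=DMARC1; p=none",
}
LOCKED_DOWN = {
    "spf": "v=spf1 include:_spf.example-mail.net -all",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB...",  # placeholder key
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for name, records in (("forgotten", FORGOTTEN), ("locked-down", LOCKED_DOWN)):
        print(f"== {name} ==")
        for check, (ok, notes) in grade_domain(**records).items():
            print(f"{check:6} {'OK ' if ok else 'FIX'} {'; '.join(notes)}")
```

The rua= check is what gives you the "spoofing monitoring" item: aggregate reports are how you find out that someone tried to send as you.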
03 - Layer 3 - Data (what you protect)
Your customer data is your asset and your legal responsibility. If it leaks, you lose trust and can face fines.
What the Data layer needs
- Inventory of where it lives. CRM, spreadsheets, email, apps. You can't protect what you don't know you have.
- Automatic backups. Regular, tested copies - ones that actually restore, not just exist.
- Encryption at rest and in transit. Info travels and is stored protected.
- Minimum necessary. Don't keep data you don't use; every extra data point is extra risk.
The backup test: A backup you never tried to restore isn't a backup, it's a hope. Once a quarter, restore a copy and confirm it works. The day you actually need it is not the day to discover it was broken.
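The quarterly restore test can be scripted so it is not skipped. The script below is an added example, not Hub365's tooling: at backup time it records a SHA-256 manifest of every file, and the test restores the archive into a fresh directory and compares every file against that manifest, so a silently skipped or corrupted file shows up as a named problem rather than a green light. The data directory, the tar archive format and the "job that dropped a file" scenario are constructed for the demo.

```python
"""Backup restore test: record a hash manifest at backup time, then prove the
archive restores to exactly those bytes. Sample data is constructed below."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, archive_path):
    """Archive source_dir and return the manifest to keep beside the archive."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return file_hashes(source_dir)


def restore_test(archive_path, expected):
    """Restore into a scratch directory and compare with the manifest.
    Returns (passed, problems); an empty problems list is the only pass."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # Python 3.12+ safe extraction
            except TypeError:
                tar.extractall(restore_dir)                 # older interpreters
        actual = file_hashes(restore_dir)
    problems = []
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing after restore: {name}")
        elif actual[name] != digest:
            problems.append(f"content changed: {name}")
    for name in actual:
        if name not in expected:
            problems.append(f"unexpected file: {name}")
    return not problems, problems


def run_demo():
    """Constructed scenario: one good backup, and one where the backup job
    silently dropped a file before archiving. Returns (good_ok, bad_ok, problems)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "customers").mkdir(parents=True)
        (src / "customers" / "list.csv").write_text("name,email\nAna,ana@example.com\n")
        (src / "invoices.txt").write_text("INV-1 paid\n")
        manifest = make_backup(src, work / "good.tar.gz")
        good_ok, _ = restore_test(work / "good.tar.gz", manifest)
        # Simulate the job losing a file: the manifest still expects it.
        (src / "invoices.txt").unlink()
        make_backup(src, work / "bad.tar.gz")
        bad_ok, problems = restore_test(work / "bad.tar.gz", manifest)
    return good_ok, bad_ok, problems


if __name__ == "__main__":
    good_ok, bad_ok, problems = run_demo()
    print("good backup restores cleanly:", good_ok)
    print("broken backup restores cleanly:", bad_ok, problems)
```

Keep the manifest somewhere other than inside the archive it describes; if both live on the same disk, the day that disk dies you lose the proof along with the data.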
04 - Layer 4 - AI with judgment (the new tools)
The same leap that brings superpowers brings risk. Wiring AI into your systems without control opens new doors - sometimes with permissions you didn't realize you granted.
What the AI layer needs
- Scoped permissions. Each AI tool or agent with the minimum access, not "full access just in case."
- Review what you connect. Before wiring an AI app to your email or CRM, know what it can read and do.
- No sensitive data in public tools. Don't paste customer info into AI chats without retention control.
- A human in the loop. For important actions (send, delete, pay), human approval. The LLM proposes, the person confirms.
The Fable 5 lesson: Anthropic built its public model (Fable 5) just as powerful as the restricted one (Mythos), but put a control layer on top that reroutes anything dangerous. Security wasn't in the model's power, it was in the architecture on top. In your business it's the same: the tool doesn't save you, the control system around it does.
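"Scoped permissions" and "a human in the loop" can be one small control layer that sits between whatever the model proposes and the systems it is wired to. The code below is an added example, not any vendor's API and not Hub365's: the action names, the scope, the approver callback and the proposals are all constructed. A proposal is first checked against the explicitly granted scope; if it survives, the high-impact actions the page names (send, delete, pay) still wait for a person, and every decision is logged so the review in Layer 5 has something to read.

```python
"""Control layer for an AI assistant's tool calls: scope check, then human
approval for high-impact actions. Everything here is constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, List

# Actions the page singles out as needing a person to confirm.
HIGH_IMPACT = {"send", "delete", "pay"}


@dataclass(frozen=True)
class Proposal:
    action: str    # e.g. "read", "send", "delete", "pay"
    resource: str  # e.g. "crm:contacts", "email:outbox"
    detail: str    # human-readable description shown to the approver


@dataclass(frozen=True)
class Scope:
    """The minimum the assistant needs, granted explicitly, nothing 'just in case'."""
    actions: frozenset
    resources: frozenset

    def permits(self, proposal):
        return proposal.action in self.actions and proposal.resource in self.resources


@dataclass
class Gate:
    scope: Scope
    approver: Callable[[Proposal], bool]  # the human; returns True to approve
    log: List[tuple] = field(default_factory=list)

    def execute(self, proposal, tool):
        """Run tool(proposal) only if it is in scope and, for high-impact
        actions, a person approved it. Every outcome is logged."""
        if not self.scope.permits(proposal):
            self.log.append(("denied-out-of-scope", proposal))
            return "denied: outside granted scope"
        if proposal.action in HIGH_IMPACT:
            if not self.approver(proposal):
                self.log.append(("rejected-by-human", proposal))
                return "rejected: human did not approve"
            self.log.append(("approved-by-human", proposal))
        else:
            self.log.append(("auto-allowed", proposal))
        return tool(proposal)


def run_demo():
    """Constructed scenario: an assistant allowed to read the CRM and send mail."""
    scope = Scope(actions=frozenset({"read", "send"}),
                  resources=frozenset({"crm:contacts", "email:outbox"}))
    # Stand-in for the person at the keyboard: approves exactly one proposal.
    approved_by_person = {"Send follow-up to Ana"}
    gate = Gate(scope, approver=lambda p: p.detail in approved_by_person)
    fake_tool = lambda p: f"executed {p.action} on {p.resource}"
    proposals = [
        Proposal("read", "crm:contacts", "Look up Ana's record"),
        Proposal("send", "email:outbox", "Send follow-up to Ana"),
        Proposal("send", "email:outbox", "Send bulk mail to all 2,000 contacts"),
        Proposal("delete", "crm:contacts", "Delete 40 stale contacts"),  # never granted
        Proposal("pay", "bank:transfers", "Pay refund to a new account"),  # never granted
    ]
    results = [gate.execute(p, fake_tool) for p in proposals]
    return results, [entry[0] for entry in gate.log]


if __name__ == "__main__":
    for result, decision in zip(*run_demo()):
        print(f"{decision:20} -> {result}")
```

The point of the scope check coming first is that a "delete" the assistant was never granted is refused before anyone is even asked; the approver only ever sees proposals that were in scope to begin with.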
05 - Layer 5 - Monitoring and response (the watchman)
Locking down isn't an event, it's a habit. You need to see what's happening and know what to do when something does.
What the Monitoring layer needs
- Alerts for odd activity. Logins from new places, permission changes, strange spikes.
- A simple response plan. Who does what in the first 2 hours of an incident. Written, not improvised.
- Periodic review. Your site and forms reviewed each quarter - now automatable with AI.
- Emergency contact. Know who to call before you need to.
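The three kinds of "odd activity" listed above (logins from new places, permission changes, strange spikes) can be caught with a few lines run over the audit log most SaaS admin consoles let you export. The script below is an added example, not Hub365's tooling: the JSON log lines are constructed, the playbook text is illustrative, and a real deployment would persist the per-user "known countries" baseline between runs instead of learning it from the first login in the batch. Each alert carries a next step, which is the "written, not improvised" part of the response plan.

```python
"""Three detections over a login/permission event stream, each alert paired
with a next step. The log lines below are constructed for this example."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
{"ts": "2026-07-01T09:02:11", "type": "login", "user": "ana@example.com", "ip": "203.0.113.10", "country": "AR", "ok": true}
{"ts": "2026-07-01T13:40:05", "type": "login", "user": "ana@example.com", "ip": "203.0.113.10", "country": "AR", "ok": true}
{"ts": "2026-07-02T03:15:42", "type": "login", "user": "ana@example.com", "ip": "198.51.100.7", "country": "RO", "ok": true}
{"ts": "2026-07-02T03:20:00", "type": "login", "user": "luis@example.com", "ip": "192.0.2.5", "country": "US", "ok": false}
{"ts": "2026-07-02T03:20:30", "type": "login", "user": "luis@example.com", "ip": "192.0.2.5", "country": "US", "ok": false}
{"ts": "2026-07-02T03:21:00", "type": "login", "user": "luis@example.com", "ip": "192.0.2.5", "country": "US", "ok": false}
{"ts": "2026-07-02T03:21:30", "type": "login", "user": "luis@example.com", "ip": "192.0.2.5", "country": "US", "ok": false}
{"ts": "2026-07-02T03:22:00", "type": "login", "user": "luis@example.com", "ip": "192.0.2.5", "country": "US", "ok": false}
{"ts": "2026-07-02T03:22:30", "type": "login", "user": "luis@example.com", "ip": "192.0.2.5", "country": "US", "ok": false}
{"ts": "2026-07-02T03:25:00", "type": "role_change", "actor": "ana@example.com", "target": "former@example.com", "new_role": "admin"}
"""

# Illustrative first-two-hours steps, one per alert type.
PLAYBOOK = {
    "new_location": "Confirm with the user by phone; if they deny it, revoke sessions and reset the password.",
    "failed_login_burst": "Check 2FA is enforced on the account and block the source IP at the provider.",
    "admin_granted": "Verify with the actor; if unplanned, remove the role and rotate credentials.",
}


def parse(text):
    """Parse JSON lines into events ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return alerts: first login from a new country per user, a burst of failed
    logins inside the window, and any grant of the admin role."""
    alerts = []
    known_countries = defaultdict(set)
    failures = defaultdict(deque)
    for e in events:
        if e["type"] == "login":
            user = e["user"]
            if e["ok"]:
                if known_countries[user] and e["country"] not in known_countries[user]:
                    alerts.append({"type": "new_location", "user": user,
                                   "country": e["country"], "ip": e["ip"], "ts": e["ts"]})
                known_countries[user].add(e["country"])
            else:
                q = failures[user]
                q.append(e["ts"])
                while q and e["ts"] - q[0] > window:
                    q.popleft()
                if len(q) >= fail_threshold:
                    alerts.append({"type": "failed_login_burst", "user": user,
                                   "count": len(q), "ip": e["ip"], "ts": e["ts"]})
                    q.clear()  # fire once per burst
        elif e["type"] == "role_change" and e["new_role"] == "admin":
            alerts.append({"type": "admin_granted", "actor": e["actor"],
                           "target": e["target"], "ts": e["ts"]})
    for alert in alerts:
        alert["next_step"] = PLAYBOOK[alert["type"]]
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert["ts"].isoformat(), alert["type"], "->", alert["next_step"])
```

The "admin granted to a former employee" alert is the one that ties Layer 5 back to Layer 1: the watchman is only useful if the access review it triggers actually happens.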
Naty: The client who messaged us scared didn't need a bunker. He needed 2FA, the domain in order, and to know who touches his data.
Todd: And whoever does those three things is already ahead of 80% of businesses their size. Fear is optional; preparation isn't.
06 - Connect the five
Having the five layers isn't the goal. Connecting them is. Five loose security tools that don't talk leave gaps at every seam.
Five loose pieces:
- Five different dashboards and logins
- Manual reviews nobody does
- Alerts that arrive late or never
- Nobody owns the whole
One connected system:
- One place that sees everything
- Automatic review and monitoring
- Real-time alerts with an action plan
- One provider accountable for the whole
A platform vs. glued-together pieces: When access, domain, data, AI, and monitoring live in one connected system, an intrusion attempt is seen and stopped before it becomes a breach. The cost of security isn't five subscriptions - it's the work of keeping them connected and watched.
Lockdown Scorecard
Score your business honestly. This is a diagnostic, not a test.
Score your lockdown - 5 yes/no questions
- Do you have 2FA active on email, banking, CRM, and social, with unique passwords?
- Does your domain have SPF, DKIM, and DMARC configured?
- Do you know exactly where your customer data lives and have tested backups?
- Do your connected AI tools have scoped permissions and human review?
- Do you have odd-activity alerts and a written response plan?
Your score:
- 0-1 - Open doors. Start TODAY with access (Layer 1) and domain (Layer 2).
- 2-3 - You have pieces, but disconnected. Connecting and monitoring is the next win.
- 4-5 - A hard-to-attack business. Now automate monitoring and review quarterly.
Your First 7 Days
Day 1: Turn on 2FA for email, banking, CRM, and social. Install a password manager.
Days 2-3: Configure SPF, DKIM, and DMARC on your domain. Review who has access and cut what's extra.
Days 4-5: Inventory where your data lives and confirm backups actually restore.
Days 6-7: Review your AI tools' permissions and turn on odd-activity alerts.
Ongoing: Quarterly review of site, forms, and access. Re-score the scorecard every 90 days.
Frequently Asked Questions
Q: What's the first thing I should do today? A: Turn on two-factor (2FA) for email, banking, CRM, and social, and switch to unique passwords with a manager. It's free or nearly so, and it stops the vast majority of automated attacks.
Q: Is my small business really a target? A: Yes. AI attacks got cheap (one cost under $50) and automated, so you're chosen by how easy you are, not by size. A small business with open doors beats a well-secured large one as a target.
Q: What's a "misconfigured" domain and why does it matter? A: It's a domain without SPF, DKIM, and DMARC records. Without them, anyone can send emails pretending to be you and scam your customers in your name - plus your legitimate emails land in spam.
Q: Do I need to hire a cybersecurity team? A: No. You need to close the obvious doors, order who accesses what, and work with someone who connects it all into one system (website + CRM + AI + monitoring) instead of selling you loose pieces.
Q: Does using AI make me more or less secure? A: Both, depending how you use it. Uncontrolled, it opens new doors. With scoped permissions, human review, and monitoring, AI becomes your best watchman. The key is the control architecture, not the tool.
Q: How often should I review all this? A: Re-score the scorecard every 90 days and run an access and site/forms review each quarter. Security is a habit, not a one-time event.
Audit my exposure free
Want us to review where you're exposed and what to close first? Send LOCKDOWN on WhatsApp - EN - ES: BLINDAJE - or book a free strategy call.