The 30-Day Challenge
Getting cyber insurance doesn't need to be a six-month project. With focused effort, most small businesses can go from completely unprepared to insurance-ready in 30 days.
This guide provides a week-by-week action plan. Each week builds on the previous one, and by the end of the month, you'll have the security controls, documentation, and evidence that insurers require.
No IT department needed. No six-figure security budget. Just a systematic approach and commitment to follow through.
Before You Start: The Baseline Assessment
Before diving into improvements, spend 15 minutes understanding where you stand. Answer these questions honestly:
- Do you use multi-factor authentication on all systems? (Email, VPN, cloud apps)
- Do you have endpoint protection beyond basic antivirus?
- Are your data backups automated, encrypted, and tested?
- Do you have written security policies?
- Have your employees completed security awareness training?
- Do you have a documented incident response plan?
- Are your systems regularly patched and updated?
- Is your network segmented (at minimum, guest Wi-Fi separated from business)?
If you answered "no" to more than two of these, you're likely in the 41% of businesses that would be denied cyber insurance. That's okay — we're going to fix it.
CoverReady's free readiness assessment provides a detailed score and personalized roadmap. It takes three minutes and gives you a clear starting point.
Week 1: Foundation — MFA and Access Control
Week 1 focuses on the two most critical controls: multi-factor authentication and access management. These are the controls most likely to determine whether your application is approved or denied.
Day 1-2: Email MFA
For Microsoft 365:
- 1Open the Microsoft 365 admin center
- 2Navigate to Users → Active Users → Multi-factor authentication
- 3Select all users and click Enable
- 4Choose "Enforced" (not just "Enabled") to require MFA at next login
- 5Have employees set up the Microsoft Authenticator app
For Google Workspace:
- 1Open Google Admin console
- 2Go to Security → Authentication → 2-Step Verification
- 3Select "Enforcement" → "Turn on"
- 4Allow authenticator apps and security keys
Day 3: VPN and Remote Access MFA
If you use a VPN or remote desktop:
- Check if your VPN solution supports MFA natively (most modern ones do)
- If not, implement Duo or a similar MFA overlay
- Test that MFA is required for every remote connection
Day 4: Cloud Application MFA
Enable MFA on every cloud application your team uses:
- CRM (Salesforce, HubSpot)
- Accounting (QuickBooks, Xero)
- Project management (Asana, Monday)
- File storage (Dropbox, Box)
- Communication (Slack, Teams)
- Any industry-specific software
Day 5: Admin and Privileged Account Review
- List all accounts with administrative privileges
- Remove admin access from anyone who doesn't need it
- Ensure all admin accounts have the strongest MFA method available
- Disable or remove any unused accounts
- Document your MFA deployment with screenshots
Week 1 deliverable: MFA enabled on all systems, admin account audit complete, documentation screenshots saved.
Week 2: Defense — EDR and Backups
Week 2 strengthens your technical defenses with endpoint protection and reliable backups.
Day 8-9: Deploy EDR
Traditional antivirus isn't sufficient for insurance purposes. Deploy an EDR solution:
Recommended options for small businesses:
- Microsoft Defender for Business ($3/user/month) — excellent value
- SentinelOne ($5-$8/user/month) — strong automation
- CrowdStrike Falcon Go ($5/user/month) — industry leader
Steps:
- 1Sign up for your chosen EDR platform
- 2Deploy agents to all workstations, laptops, and servers
- 3Confirm all devices appear in the management console
- 4Enable real-time protection and automated response
- 5Screenshot the dashboard showing all devices protected
Day 10-11: Backup Strategy
Implement the 3-2-1 backup rule:
- 3 copies of critical data
- 2 different storage types
- 1 copy offsite or offline
For most small businesses:
- 1Primary data (on your server/in cloud)
- 2Local backup (external drive or NAS, encrypted)
- 3Cloud backup (Backblaze, Veeam, Carbonite)
Configure automated daily backups. Ensure at least one backup is immutable (can't be modified or deleted for a set retention period).
Day 12: Backup Testing
This is the step most businesses skip — and it's the one insurers care about most.
- 1Select a subset of critical files
- 2Restore them to a separate location
- 3Verify the restored files are intact and usable
- 4Document the test with date, files restored, and results
- 5Schedule quarterly backup tests going forward
Week 2 deliverable: EDR deployed on all devices, 3-2-1 backup strategy implemented, first backup test completed and documented.
Week 3: Governance — Policies and Training
Week 3 builds the organizational framework that demonstrates security maturity to insurers.
Day 15-17: Create Security Policies
Draft these five essential policies:
- 1Acceptable Use Policy — how employees may use company technology
- 2Password and Authentication Policy — credential standards and MFA requirements
- 3Incident Response Plan — what to do when a security incident occurs
- 4Data Handling Policy — how to classify and protect sensitive information
- 5BYOD Policy — rules for personal devices used for work
For each policy:
- Customize a template for your specific business
- Have leadership review and approve
- Save with a revision date
CoverReady generates all five policies customized to your industry, size, and regulatory requirements. What might take a week of research takes about an hour with the right tools.
Day 18-19: Launch Security Training
Start a security awareness training program:
- 1Select a training platform or content source
- 2Assign initial training modules (phishing recognition, password security, data handling)
- 3Send training invitations to all employees
- 4Set a completion deadline (end of Week 4)
- 5Configure a phishing simulation for Month 2
Training doesn't need to be lengthy. Effective programs use short, focused modules (5-15 minutes each) delivered regularly rather than annual hour-long sessions.
Day 19: Policy Distribution
- Email all five policies to every employee
- Include an acknowledgment form (digital or paper)
- Collect signed acknowledgments
- Store acknowledgments as evidence
Week 3 deliverable: Five security policies created and distributed, employee acknowledgments collected, security training launched.
Week 4: Documentation and Application
Week 4 brings everything together. You'll compile your evidence, verify your readiness, and prepare your insurance application.
Day 22-23: Evidence Collection
Gather documentation for every control you've implemented:
MFA Evidence:
- Admin console screenshots showing MFA enforcement
- List of all users with MFA enabled
- MFA policy configuration settings
EDR Evidence:
- Dashboard showing all endpoints with active agents
- Protection policy configuration
- Recent scan or detection reports
Backup Evidence:
- Backup schedule configuration
- Most recent backup completion logs
- Backup test restoration report from Day 12
Policy Evidence:
- All five policy documents with revision dates
- Employee acknowledgment forms
- Policy approval records
Training Evidence:
- Training module assignments
- Completion reports (even partial — training is in progress)
- Phishing simulation plans
Day 24: Readiness Verification
Run through a complete self-assessment:
- Verify MFA is active on all systems (try logging in without it — it should be blocked)
- Confirm EDR agents are reporting on all devices
- Verify today's backup completed successfully
- Confirm all employees have received policies
- Check training completion rates
CoverReady's readiness dashboard provides a real-time score based on your implemented controls and documentation. Aim for 80+ before applying.
Day 25-26: Insurance Application
With your evidence package ready, it's time to apply:
- 1Choose a broker — ideally one specializing in cyber insurance for small businesses
- 2Complete the application honestly — every answer should be accurate as of today
- 3Attach your evidence package — this differentiates your application
- 4Request quotes from multiple carriers — at least three
- 5Review coverage carefully — understand limits, sublimits, exclusions, and deductibles
Day 27-30: Follow-Up
- Respond promptly to any insurer questions
- Provide additional evidence if requested
- Compare quotes on coverage (not just price)
- Select a policy and bind coverage
After Day 30: Maintaining Readiness
Getting insured is the beginning, not the end. To maintain favorable coverage:
- Monthly: Verify MFA is enforced, EDR is active, backups are running
- Quarterly: Test backup restoration, review and update policies, conduct phishing simulations
- Annually: Complete a formal risk assessment, renew security training, review and update incident response plan
CoverReady's compliance calendar automates these reminders and tracks completion, so you're never scrambling before renewal.
The Investment Summary
Here's what 30 days of preparation typically costs for a 20-person business:
| Control | Monthly Cost | Annual Cost |
|---|---|---|
| MFA (built into existing platforms) | $0 | $0 |
| EDR (Microsoft Defender for Business) | $60 | $720 |
| Cloud backup | $50-$150 | $600-$1,800 |
| Training platform | $40-$100 | $480-$1,200 |
| Time invested | ~20 hours | — |
Total annual cost: $1,800-$3,720
Compare this to the average cost of an uninsured cyber incident for a small business: $150,000+. Or the cost of a denied insurance claim: potentially the entire business.
Thirty days. Less than $4,000. That's the distance between vulnerable and insured. Start today.