Cybersecurity Checklist for Small Businesses

Small businesses are the primary target for cybercriminals, not because their data is more valuable, but because their defenses are typically weaker. Many small business owners assume they're too small to be targeted, but the reality is that automated attacks don't discriminate by company size. Ransomware, phishing, and credential theft hit businesses of all sizes, and the impact on a small business can be devastating.

This checklist covers the essential cybersecurity measures every small business should have in place. You don't need to implement everything at once. Prioritize based on your current gaps and work through the list systematically.

Identity and Access Management

Controlling who can access your systems, and how they authenticate, is the foundation of cybersecurity.

  • Multi-factor authentication (MFA) on all accounts: Email, cloud services, VPN, remote access, banking, everything. MFA blocks the vast majority of automated attacks and credential theft. This is non-negotiable.
  • Strong password policy: Require passwords of at least 14 characters. Better yet, deploy a password manager and require unique, complex passwords for every account.
  • Principle of least privilege: Users should only have access to the systems and data they need for their job. Admin accounts should only be used for administrative tasks, not daily work.
  • Separate admin accounts: IT administrators should have separate accounts for admin work and regular work. A compromised admin account is far more dangerous than a regular user account.
  • Offboarding process: When employees leave, disable their accounts immediately. Remove access to email, cloud services, VPN, and any shared credentials they had access to.
  • Regular access reviews: Quarterly review of who has access to what. Remove access that's no longer needed.

Email Security

Email is the primary attack vector for businesses. Most breaches start with a phishing email.

  • Business-grade email filtering: Use a service that scans for spam, phishing, malware, and impersonation attempts before emails reach inboxes. Microsoft Defender for Office 365, Proofpoint, or Barracuda are common choices.
  • SPF, DKIM, and DMARC configured: These DNS-based email authentication records let receiving mail servers detect and reject messages that spoof your domain, which is what makes the attacker's "email from your CEO" bounce instead of landing in an inbox. They also improve the deliverability of your legitimate email.
  • External email banner: Configure a warning banner on emails coming from outside your organization so employees can easily identify external messages.
  • Block auto-forwarding to external addresses: Attackers often set up inbox rules to silently forward emails to an external address after compromising an account. Block this at the organizational level.
  • Phishing simulation and training: Run regular phishing tests and provide training to employees who click. This builds awareness and creates a culture of healthy skepticism.
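Two of the items above are easy to verify rather than just assume: whether the SPF and DMARC records actually tell receivers to reject spoofed mail, and whether any mailbox has a rule forwarding to an outside domain. The following Python is an added example (not part of the original checklist); the DNS records, domain and inbox rules are constructed sample data, and a real check would pull them from your resolver and your mail tenant's rule export.

```python
# Constructed sample data for a hypothetical tenant (not real DNS lookups or a real rule export).
TXT_RECORDS = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
INTERNAL_DOMAINS = {"example.com"}
INBOX_RULES = [
    {"mailbox": "alice@example.com", "name": "Invoices", "forward_to": ["finance@example.com"]},
    {"mailbox": "bob@example.com", "name": ".", "forward_to": ["bob.mail@gmail.com"], "delete": True},
]

def spf_status(txt_records):
    """Classify the SPF record by its 'all' mechanism; only '-all' tells receivers to fail unknown senders."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: multiple SPF records"  # receivers treat this as a permanent error
    last = spf[0].split()[-1].lower()
    return {"-all": "enforcing", "~all": "softfail", "?all": "neutral",
            "+all": "allows any sender"}.get(last, "no 'all' mechanism")

def dmarc_status(txt_records):
    """Parse the DMARC record and report whether receivers are told to reject spoofed mail."""
    rec = next((r for r in txt_records if r.upper().startswith("V=DMARC1")), None)
    if rec is None:
        return "missing"
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    policy = tags.get("p", "").strip().lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid: no usable p= tag"
    notes = []
    if policy == "none":
        notes.append("monitor only, spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        notes.append("policy applied to only part of mail")
    if "rua" not in tags:
        notes.append("no aggregate reports, so failures go unseen")
    return policy + (f" ({'; '.join(notes)})" if notes else "")

def external_forwarding(rules, internal_domains):
    """Flag inbox rules that forward to a domain the organization does not own."""
    flagged = []
    for rule in rules:
        ext = [a for a in rule["forward_to"] if a.rsplit("@", 1)[-1].lower() not in internal_domains]
        if ext:
            flagged.append((rule["mailbox"], rule["name"], ext, rule.get("delete", False)))
    return flagged
```

A rule named "." that forwards externally and deletes the original, as in the sample, is the classic pattern left behind after an account compromise, so flagged rules deserve a look at who created them and when.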

Endpoint Security

Every device that connects to your network or accesses your data is a potential entry point for attackers.

  • Endpoint detection and response (EDR): Traditional antivirus isn't enough. Modern EDR solutions (like Microsoft Defender for Endpoint, SentinelOne, or CrowdStrike) use behavioral analysis to detect and respond to threats that signature-based antivirus misses.
  • Automatic updates enabled: Operating systems, browsers, and applications should update automatically. Unpatched software is one of the most common ways attackers gain access.
  • Disk encryption: Enable BitLocker (Windows) or FileVault (Mac) on all workstations and laptops. If a device is lost or stolen, encryption prevents the data from being accessed.
  • Screen lock policy: Require devices to lock after 5 minutes of inactivity, with a password or PIN needed to unlock.
  • Mobile device management (MDM): If employees access business email or files on personal phones, use an MDM solution to enforce security policies and enable remote wipe if a device is lost.
  • USB and removable media policy: Consider restricting or monitoring USB device connections, which can introduce malware or be used for data theft.

Network Security

Your network is the highway that connects all your systems. Securing it limits what attackers can do even if they get inside.

  • Business-grade firewall: Use a proper firewall (Fortinet, SonicWall, Meraki, pfSense) with active security services, not just the consumer router from your ISP. Business firewalls provide intrusion detection, content filtering, and VPN capabilities.
  • Network segmentation: Separate your network into segments: one for workstations, one for servers, one for guest Wi-Fi, one for IoT devices. This prevents an attacker who compromises one segment from easily accessing everything.
  • Secure Wi-Fi: Use WPA3 (or WPA2 at minimum) with a strong, unique password. Create a separate guest network for visitors and personal devices. Never use the same network for business operations and guest access.
  • DNS filtering: Use a DNS filtering service to block known malicious domains at the network level. If a user clicks a phishing link, the connection is blocked before it reaches the malicious server.
  • VPN for remote access: Require VPN for remote employees accessing internal resources. Don't expose servers or services directly to the internet.
  • Disable unused ports and services: If you don't need Remote Desktop Protocol (RDP) exposed to the internet, turn it off. Every open port is a potential entry point.

Backup and Recovery

When (not if) something goes wrong, your backup is your lifeline.

  • 3-2-1 backup strategy: Maintain 3 copies of your data, on 2 different types of media, with 1 copy stored off-site (or in the cloud). This protects against hardware failure, ransomware, theft, and natural disasters.
  • Cloud data backup: Back up your Microsoft 365, Google Workspace, or other cloud service data with a third-party backup solution. Cloud providers protect their infrastructure, but they don't protect your data from accidental deletion, malicious insiders, or ransomware.
  • Regular backup testing: Test your backups by actually restoring data at least quarterly. A backup that can't be restored is worthless.
  • Defined RTO and RPO: Know your Recovery Time Objective (how quickly you need to be back up) and Recovery Point Objective (how much data you can afford to lose). Design your backup strategy to meet these targets.
  • Immutable backups: Store at least one backup copy in an immutable format that cannot be modified or deleted, even by administrators. This prevents ransomware from encrypting your backups.
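The backup items above can be turned into a concrete check. The following Python is an added example (not from the original checklist) that scores a backup inventory against 3-2-1, immutability, the RPO, and the quarterly restore test; the inventory, dates and 24-hour RPO are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed backup inventory for a hypothetical small business (not real data).
NOW = datetime(2024, 6, 1, 9, 0)
RPO = timedelta(hours=24)                   # at most one day of data loss is acceptable
RESTORE_TEST_INTERVAL = timedelta(days=90)  # the checklist's quarterly restore test
COPIES = [
    {"name": "primary NAS", "media": "disk", "offsite": False, "immutable": False,
     "last_success": NOW - timedelta(hours=6)},
    {"name": "cloud object storage", "media": "cloud", "offsite": True, "immutable": True,
     "last_success": NOW - timedelta(hours=30)},
    {"name": "rotating USB drive", "media": "disk", "offsite": True, "immutable": False,
     "last_success": NOW - timedelta(days=9)},
]
LAST_RESTORE_TEST = NOW - timedelta(days=120)

def hours(td):
    return int(td.total_seconds() // 3600)

def evaluate_backups(copies, last_restore_test, now=NOW, rpo=RPO):
    """Return the gaps against the 3-2-1, immutability, RPO and restore-test items."""
    if not copies:
        return ["no backups at all"]
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} of 3 copies")
    if len({c["media"] for c in copies}) < 2:
        gaps.append("all copies on one media type (need 2)")
    if not any(c["offsite"] for c in copies):
        gaps.append("no off-site copy")
    newest = min(now - c["last_success"] for c in copies)
    if newest > rpo:
        gaps.append(f"newest backup is {hours(newest)}h old, exceeds {hours(rpo)}h RPO")
    immutable = [c for c in copies if c["immutable"]]
    if not immutable:
        gaps.append("no immutable copy, so ransomware can encrypt every backup")
    else:
        # After ransomware only the immutable copies can be trusted, so the age of the
        # newest one is the real recovery point, whatever the primary schedule says.
        age = min(now - c["last_success"] for c in immutable)
        if age > rpo:
            gaps.append(f"newest immutable copy is {hours(age)}h old, exceeds {hours(rpo)}h RPO")
    since_test = now - last_restore_test
    if since_test > RESTORE_TEST_INTERVAL:
        gaps.append(f"last restore test {since_test.days} days ago (limit {RESTORE_TEST_INTERVAL.days})")
    return gaps
```

In the sample the NAS is fresh enough, but the only copy ransomware cannot touch is 30 hours old, so the business would lose more than its stated RPO in exactly the scenario backups exist for.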

Employee Training and Policies

Your employees are both your greatest vulnerability and your first line of defense.

  • Security awareness training: Provide formal cybersecurity training at least annually, with shorter refreshers throughout the year. Cover phishing, password security, social engineering, and safe browsing habits.
  • Acceptable use policy: Document what employees can and can't do with company technology. Cover personal device use, software installation, data handling, and social media.
  • Incident reporting process: Make it easy for employees to report suspicious emails, unusual computer behavior, or potential security incidents. Create a culture where reporting is encouraged, not punished.
  • Physical security basics: Lock screens when stepping away, don't leave laptops unattended in public, secure server rooms and network equipment, properly dispose of old hard drives.

Incident Response

No defense is perfect. Having a plan for when something goes wrong is critical.

  • Documented incident response plan: A clear, written plan that outlines who does what when a security incident occurs. Include contact information for your IT provider, cyber insurance carrier, and legal counsel.
  • Cyber insurance: A cyber insurance policy can cover the costs of incident response, legal fees, notification requirements, and business interruption following a breach.
  • Regular plan reviews: Review and update your incident response plan at least annually, and after any significant IT changes or actual incidents.
  • Tabletop exercises: Walk through hypothetical scenarios with your team to test the plan and identify gaps before a real incident occurs.

Where to Start

If this checklist feels overwhelming, that's normal, and it's exactly why managed IT providers exist. You don't need to tackle everything at once. Here's a prioritized approach:

  1. Week 1: Enable MFA on all email and cloud accounts
  2. Week 2: Verify your backup strategy (or implement one)
  3. Week 3: Deploy EDR/antivirus on all endpoints
  4. Week 4: Configure email security (SPF, DKIM, DMARC, filtering)
  5. Month 2: Review and improve network security
  6. Month 3: Implement employee training and policies
  7. Ongoing: Regular reviews, updates, and testing

Every step you take moves you closer to a secure environment. Perfect security doesn't exist, but thoughtful, layered defenses dramatically reduce your risk.

Need a Cybersecurity Assessment?

AWPTech can audit your current security posture, identify gaps, and implement the protections your business needs. We work with businesses of all sizes across healthcare, legal, finance, and more.
