Why you need a checklist
Cybersecurity for small businesses is not about buying expensive tools. It is about consistently doing the basics right. Most breaches happen because of a missed patch, a reused password, or an employee who clicked a link they should not have. A checklist turns abstract security advice into concrete actions you can verify and track.
This checklist is organized by category. Each item is something a small business can implement without a dedicated IT security team. If you complete even half of these items, you will be ahead of the majority of businesses your size.
Email security
Email is the primary attack vector for small businesses: more breaches start with a phishing message or a compromised mailbox than by any other method.
Configure SPF on your domain
SPF (Sender Policy Framework) is a DNS TXT record that lists the servers authorized to send email for your domain. Without it, anyone can send email that appears to come from your company. Your IT provider or domain registrar can add the record in minutes. Two details matter: once every legitimate sender is listed, end the record with -all (hard fail) rather than ~all or +all, and keep it under the limit of ten DNS lookups, or receiving servers will treat the record as an error. SPF on its own only checks the envelope sender, not the From: address a recipient sees, which is why it needs DKIM and DMARC alongside it.
Configure DKIM on your domain
DKIM (DomainKeys Identified Mail) signs each outgoing message with a private key held by your mail provider; the matching public key is published in DNS, so receiving servers can verify that the message came from your domain's mail system and was not altered in transit. Google Workspace and Microsoft 365 both support it: you generate the key in the admin console, publish the DNS record it gives you, and turn signing on. Choose 2048-bit keys where your DNS provider accepts a record that long.
Configure DMARC on your domain
DMARC ties SPF and DKIM together: it requires that the domain in the visible From: header line up with the domain that passed SPF or DKIM, and it tells receiving servers what to do when that check fails: deliver it, quarantine it, or reject it outright. Start with a monitoring policy (p=none) plus a rua= reporting address so you receive aggregate reports showing which sources are sending as your domain, then move to quarantine and finally reject once you are confident your legitimate email is properly authenticated.
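The three DNS records above are easy to publish and easy to get subtly wrong. The following script is an added example, not part of the original checklist: it takes SPF, DKIM and DMARC record strings and flags the weaknesses that make them ineffective (a permissive +all or ~all, too many SPF lookups, a revoked DKIM key, a DMARC policy stuck at p=none, no reporting address, or a partial pct=). The record strings at the bottom are constructed for illustration; the function and constant names are this example's own.

```python
"""Check SPF, DKIM and DMARC TXT records for the weaknesses that defeat them.

Added example, not part of the original checklist. The record strings at the
bottom are constructed; for a real domain, fetch them with
`dig +short TXT example.com`, `dig +short TXT <selector>._domainkey.example.com`
and `dig +short TXT _dmarc.example.com`, then pass the strings in.
"""

MAX_SPF_LOOKUPS = 10  # RFC 7208: more than ten DNS-querying terms is a permerror


def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM and DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for an SPF record (empty means no issue found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    lookups = 0
    has_redirect = False
    for term in terms[1:]:
        t = term.lower().lstrip("+-~?")           # strip the qualifier
        mechanism = t.split(":")[0].split("/")[0]  # 'a:host', 'mx/24' -> 'a', 'mx'
        if t.startswith("redirect="):
            has_redirect = True
        if t.startswith(("include:", "exists:", "redirect=")) or mechanism in ("a", "mx", "ptr"):
            lookups += 1                            # each of these costs a DNS query
        if mechanism == "ptr":
            findings.append("'ptr' is deprecated and slow; use ip4/ip6 or include instead")
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of "
                        f"{MAX_SPF_LOOKUPS}; receivers will return permerror")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorizes every host on the internet to send as your domain")
    elif last == "?all":
        findings.append("'?all' is neutral and gives receivers no signal")
    elif last == "~all":
        findings.append("'~all' only soft-fails spoofed mail; move to '-all' "
                        "once every legitimate sender is listed")
    elif last != "-all" and not has_redirect:
        findings.append("record does not end with an 'all' mechanism")
    return findings


def check_dkim(record):
    """Return findings for a DKIM public-key record."""
    tags = parse_tags(record)
    findings = []
    if "v" in tags and tags["v"].upper() != "DKIM1":
        findings.append("unexpected version tag; expected v=DKIM1")
    if not tags.get("p"):
        findings.append("empty 'p=' tag: the key is revoked and signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("'t=y' testing flag set; receivers may ignore failures")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p=' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua=' address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


# Constructed records for illustration (the DKIM key is a shortened placeholder).
SAMPLE_RECORDS = {
    "spf weak":      "v=spf1 include:_spf.google.com ptr ~all",
    "spf good":      "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all",
    "dkim revoked":  "v=DKIM1; k=rsa; p=",
    "dkim ok":       "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "dmarc monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "dmarc enforce": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
}


def audit(records):
    """Run the matching check for each named record; return {name: findings}."""
    checkers = {"spf": check_spf, "dkim": check_dkim, "dmarc": check_dmarc}
    return {name: checkers[name.split()[0]](rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RECORDS).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against your own records after every change to a mail provider or marketing tool: the most common regression is a new include: that pushes the SPF record over the ten-lookup limit, which silently turns SPF off for the whole domain.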
Enable spam and phishing filters
Make sure your email provider's built-in phishing and malware filters are enabled and set to their recommended levels. These catch the majority of mass phishing campaigns before they reach employee inboxes.
Train employees to recognize phishing
Classroom-style training has limited effectiveness. Run realistic phishing simulations that send test emails mimicking real attacks. Track who clicks and provide targeted follow-up training. Do this quarterly at minimum.
Access control
Controlling who can access what — and how they prove their identity — is one of the highest-impact areas of security.
Enable multi-factor authentication everywhere
MFA should be enabled on every account that supports it. Email, cloud storage, accounting software, CRM, remote access tools, social media accounts — all of it. SMS-based MFA is better than nothing, authenticator apps are stronger, and hardware security keys or passkeys (FIDO2) are the only option that holds up against a phishing page that relays the one-time code in real time. Start with email, administrator, and finance accounts.
Use a password manager
Require employees to use a business password manager. This eliminates password reuse, makes strong unique passwords practical, and gives you visibility into password hygiene across the organization. Most password managers cost between $3 and $8 per user per month.
Apply the principle of least privilege
Every employee should have access only to the systems and data they need for their role. The receptionist does not need access to the accounting system. The marketing intern does not need admin rights on the file server. Review access permissions quarterly and revoke access immediately when employees leave.
Disable former employee accounts immediately
When someone leaves the organization, their accounts should be disabled within hours, not days. This includes email, VPN, cloud services, and any shared accounts they had access to. Former employee accounts are a common entry point for attackers.
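The two items above (least privilege and offboarding) come down to one recurring question: does the list of enabled accounts and admin rights still match the list of people and roles? The script below is an added example, not part of the original checklist, of the quarterly access review as a cross-check between two exports. The CSV data is constructed to stand in for what you would pull from your identity provider (users, enabled flag, roles, last login) and from HR (current staff and leavers); APPROVED_ADMINS is an assumed allowlist. It flags leavers whose accounts are still enabled, admin rights held outside the allowlist, and enabled accounts that belong to no one in the roster.

```python
"""Quarterly access review: cross-check account exports against the HR roster.

Added example, not part of the original checklist. The CSV exports below are
constructed stand-ins for an identity-provider user export and an HR roster;
APPROVED_ADMINS is an assumed allowlist of sanctioned administrators.
"""
import csv
import io

HR_ROSTER_CSV = """\
email,name,status,end_date
alice@example.com,Alice Ng,active,
bob@example.com,Bob Ruiz,left,2024-03-15
carol@example.com,Carol Smith,active,
"""

ACCOUNT_EXPORT_CSV = """\
email,enabled,roles,last_login
alice@example.com,true,admin;user,2024-06-01
bob@example.com,true,user,2024-03-20
carol@example.com,true,admin;user,2024-05-28
shared-reception@example.com,true,user,2024-06-02
dave@example.com,false,user,2023-12-01
"""

APPROVED_ADMINS = {"alice@example.com"}  # assumption: the only sanctioned admin


def load_csv(text):
    """Parse CSV text into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(roster_csv, accounts_csv, approved_admins):
    """Return sorted (category, email, detail) findings for enabled accounts."""
    roster = {row["email"].lower(): row for row in load_csv(roster_csv)}
    findings = []
    for acct in load_csv(accounts_csv):
        email = acct["email"].lower()
        if acct["enabled"].strip().lower() != "true":
            continue                      # disabled accounts are not an exposure
        roles = {r.strip().lower() for r in acct["roles"].split(";") if r.strip()}
        person = roster.get(email)
        if person is None:
            findings.append(("orphan", email,
                             "enabled account with no owner in the HR roster"))
        elif person["status"].lower() != "active":
            detail = f"still enabled; left {person['end_date']}"
            if acct["last_login"] > person["end_date"]:   # ISO dates sort as strings
                detail += f", last login {acct['last_login']} is after the end date"
            findings.append(("leaver", email, detail))
        if "admin" in roles and email not in approved_admins:
            findings.append(("excess-admin", email,
                             "admin role held outside the approved admin list"))
    return sorted(findings)


if __name__ == "__main__":
    for category, email, detail in review_access(
            HR_ROSTER_CSV, ACCOUNT_EXPORT_CSV, APPROVED_ADMINS):
        print(f"{category:<13} {email:<30} {detail}")
```

The "leaver" case that also shows a login after the end date is the one to treat as an incident rather than a housekeeping item: someone used that account after the person had left.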
Require screen locks
All company devices should lock automatically after five minutes of inactivity. This is a simple policy setting that prevents unauthorized access to unattended devices.
Network protection
Your network is the perimeter that separates your internal systems from the internet. Even basic network hygiene makes a significant difference.
Use a business-grade firewall
Consumer-grade routers do not provide adequate protection for a business. A business-grade firewall with intrusion detection, content filtering, and VPN support costs between $200 and $1,000 and is worth every dollar.
Separate your Wi-Fi networks
Guest Wi-Fi should be on a completely separate network from your business systems. Clients, vendors, and visitors should never be on the same network as your file servers, printers, and workstations. Most modern routers and access points support this with a few configuration changes.
Use a VPN for remote access
If employees access company resources remotely, they should connect through a VPN, and the VPN itself should require MFA. Never expose internal services like Remote Desktop Protocol directly to the internet: RDP listening on port 3389 is one of the most commonly exploited entry points for ransomware. Check from outside your network, or with a port scan of your public IP address, that nothing is reachable that you did not intend to publish.
Disable unused network services
Review what services are running on your network and disable anything that is not actively needed. Open ports and unnecessary services expand your attack surface for no benefit.
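Reviewing running services is more useful when it is a repeatable check than a one-off look. The script below is an added example, not part of the original checklist: it parses the output of `ss -ltn` (the Linux listening-socket listing) and reports every service bound to all interfaces, singling out remote-access and database ports such as RDP, SMB and VNC that should only ever be reachable from the local host or over the VPN. The sample output is constructed; the port table and function names are this example's own. When run directly on a Linux host it calls `ss` itself and falls back to the sample if the command is unavailable.

```python
"""Flag network services listening on all interfaces, from `ss -ltn` output.

Added example, not part of the original checklist. Run `ss -ltn` on each Linux
server (netstat -an on Windows shows the same information) and feed the output
to audit_listeners(); SAMPLE_SS_OUTPUT is constructed to show each case.
"""
import subprocess

# Ports that should never be reachable from outside a VPN or the local host.
HIGH_RISK_PORTS = {
    21: "FTP", 23: "Telnet", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
    3389: "RDP", 5432: "PostgreSQL", 5900: "VNC", 6379: "Redis",
    9200: "Elasticsearch", 27017: "MongoDB",
}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}


def parse_ss(output):
    """Yield (address, port) for each LISTEN line of `ss -ltn` output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # header line or not a listener
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield addr, int(port)


def audit_listeners(output):
    """Return sorted (severity, port, service, address) findings.

    'high'   : a well-known remote-access or database port is bound to every
               interface;
    'review' : anything else that is not loopback-only and needs a reason to exist;
    loopback-only listeners are ignored.
    """
    findings = []
    for addr, port in parse_ss(output):
        if addr in LOOPBACK_ADDRS:
            continue
        service = HIGH_RISK_PORTS.get(port)
        if addr in WILDCARD_ADDRS and service:
            findings.append(("high", port, service, addr))
        else:
            findings.append(("review", port, service or "unknown", addr))
    return sorted(findings)


# Constructed sample of `ss -ltn` output (addresses from documentation ranges).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     [::]:3389            [::]:*
LISTEN  0       50      *:445                *:*
LISTEN  0       128     192.0.2.10:8080      0.0.0.0:*
"""


if __name__ == "__main__":
    try:
        output = subprocess.run(["ss", "-ltn"], capture_output=True,
                                text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT          # no `ss` here: show the sample instead
    for severity, port, service, addr in audit_listeners(output):
        print(f"[{severity:<6}] {service:<14} port {port:<5} bound to {addr}")
```

A listener on the host is only half the picture: also confirm at the firewall which of these ports are actually forwarded from the internet. The PostgreSQL entry bound to 127.0.0.1 in the sample is how a database should look; the RDP and SMB entries bound to every interface are what the checklist item above is telling you to close or move behind the VPN.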
Software and patch management
Unpatched software with known vulnerabilities is one of the easiest things for attackers to exploit, and one of the easiest things for you to fix.
Enable automatic updates
Turn on automatic updates for operating systems, web browsers, and productivity software. The inconvenience of an occasional restart is insignificant compared to the risk of running software with known security flaws.
Patch critical vulnerabilities within 48 hours
When a critical vulnerability is announced — especially one that is being actively exploited — prioritize patching it immediately. Attackers begin scanning for vulnerable systems within hours of a public disclosure.
Replace end-of-life software
Software that is no longer receiving security updates is a liability. If you are running versions of Windows, server operating systems, or business applications that have reached end-of-life, plan your migration now. Every day you run unsupported software is a day you are exposed to every vulnerability discovered from this point forward, with no patch ever coming.
Inventory your software
You cannot patch what you do not know about. Maintain a list of every application, operating system, and firmware version running in your environment. Review it quarterly and remove anything that is no longer needed.
Data backup and protection
Backups are your last line of defense against ransomware, hardware failure, accidental deletion, and natural disasters.
Follow the 3-2-1 backup rule
Keep three copies of important data, on two different types of storage, with one copy stored offsite. For example: your live data on your server, a local backup on an external drive, and a cloud backup with a service like Backblaze, Wasabi, or your cloud provider's backup tool.
Keep at least one backup offline or immutable
If ransomware encrypts your network, it will encrypt or delete any backup it can reach, including an external drive that stays plugged in and a cloud share mapped as a network drive. At least one backup should be either physically disconnected (air-gapped) or stored in an immutable format (for example, cloud object storage with object lock) that cannot be modified or deleted for a set retention period. Give the backup service its own credentials and MFA, separate from your everyday administrator accounts, so a stolen admin password cannot be used to wipe it.
Encrypt sensitive data at rest
Client files, financial records, employee personal information, and any data subject to regulatory requirements should be encrypted when stored. Modern operating systems make full-disk encryption straightforward: BitLocker on Windows, FileVault on macOS. Full-disk encryption protects the data on a lost or stolen device; it does nothing against malware running on a machine that is already unlocked, so it complements access control and backups rather than replacing them.
Test your backups quarterly
A backup that has never been tested is not a backup. Every quarter, pick a selection of files and perform an actual restore to verify the backup is complete, not corrupted, and can be recovered within an acceptable timeframe.
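A restore test is only meaningful if you can tell whether what came back matches what went in. The script below is an added example, not part of the original checklist: at backup time it records a SHA-256 digest for every file (a manifest), and at test time it restores to a scratch location and compares, reporting files that are missing, altered or unexpected. The demo builds a small constructed tree in a temporary directory and stands in for the backup and restore steps with plain directory copies, so it runs anywhere; for a real quarterly test, point build_manifest() at the live data and verify_restore() at what your backup tool restored. Function names are this example's own.

```python
"""Test a backup by restoring it and comparing file hashes against a manifest.

Added example, not part of the original checklist. The sample tree is
constructed in a temporary directory; the "backup" and "restore" steps are
plain directory copies standing in for your backup tool.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest; return sorted problem strings."""
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"changed: {rel}")
    problems += [f"unexpected: {rel}" for rel in restored.keys() - manifest.keys()]
    return sorted(problems)


def demo():
    """Constructed run: back up, restore and verify; then damage the backup and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "acme.txt").write_text("contract 2024\n")
        (live / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")

        # Record the manifest at backup time and keep it with the backup set.
        manifest_file = tmp / "manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(live), indent=2))

        backup = tmp / "backup"
        shutil.copytree(live, backup)              # stands in for the backup job

        saved = json.loads(manifest_file.read_text())
        shutil.copytree(backup, tmp / "restore1")  # stands in for a test restore
        clean = verify_restore(saved, tmp / "restore1")

        # A silently corrupted file and a lost file, as a failing disk or
        # ransomware reaching the backup would produce.
        (backup / "ledger.csv").write_text("date,amount\n2024-01-01,1000\n")
        (backup / "clients" / "acme.txt").unlink()
        shutil.copytree(backup, tmp / "restore2")
        damaged = verify_restore(saved, tmp / "restore2")
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean or "all files verified")
    print("damaged restore:", damaged)
```

Store the manifest with the backup set but also keep a copy somewhere the backup job cannot write to; a manifest that ransomware can rewrite alongside the files proves nothing. Time the restore as well as checking it, since the recovery window you can promise clients is the restore time, not the backup time.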
Security policies
Policies document how your organization handles security. They do not need to be long or written by a lawyer, but they do need to exist and employees need to know about them.
Create an acceptable use policy
Define what employees can and cannot do with company devices and accounts. Cover personal use of company equipment, approved software, social media, and handling of sensitive data. Keep it short and readable.
Create an incident response plan
Document what happens when a security incident occurs. Who is responsible for what? Who do you call? What systems do you disconnect first? How do you communicate with clients? Having this written down before an incident saves critical time during one.
Establish a data retention policy
Define how long you keep different types of data and how you dispose of it when the retention period expires. This reduces your exposure in a breach — data you no longer have cannot be stolen.
Require employees to acknowledge policies
Policies are only effective if employees have read and acknowledged them. Have each employee sign or digitally acknowledge your security policies annually. This also creates documentation that can be important for regulatory compliance and insurance claims.
Review and update policies annually
Security threats evolve and your policies should evolve with them. Schedule an annual review of all security policies to ensure they reflect your current technology environment, workforce, and regulatory requirements.
Where to start
If this list feels overwhelming, focus on three things first: enable multi-factor authentication on all email accounts, configure DMARC on your domain, and verify that you have a working, tested backup that is not connected to your network. These three actions alone will significantly reduce your risk.
Then work through the rest of the list at a pace that is sustainable for your organization. Security is not a one-time project — it is an ongoing practice.
Not sure where your gaps are? Run a free security assessment to get a clear picture of your email security, exposed services, and vulnerability status in minutes.