Small and mid-sized businesses are not too small to be targeted; they are too small to recover. A widely repeated figure, usually attributed to the National Cyber Security Alliance, holds that 60% of small businesses close within six months of a significant cyberattack. The provenance of that number is disputed, but the underlying point is not: a firm with no incident response capability, no tested backups, and thin cash reserves has very little margin for error. The good news is that most of these attacks exploit basic security gaps that are straightforward to fix.
This checklist covers the ten most important cybersecurity controls every small business should have in place. You do not need a large IT team or a massive budget. You need the right priorities and the discipline to follow through.
1. Multi-Factor Authentication (MFA) Everywhere
Passwords alone are not enough. Even strong, unique passwords can be compromised through phishing, credential stuffing, or data breaches at third-party services. Multi-factor authentication adds a second layer — typically a code from an authenticator app or a hardware security key — that makes stolen passwords useless on their own.
Where to enable MFA:
- Email accounts (this is the single most important one)
- VPN and remote access tools
- Cloud applications (Microsoft 365, Google Workspace, etc.)
- Admin consoles for firewalls, routers, and domain registrars
- Financial and banking platforms
- Any system that stores sensitive client or employee data
Prefer authenticator apps (like Microsoft Authenticator or Authy) over SMS-based codes; SMS can be intercepted through SIM-swapping attacks. Where a service supports it, go one step further and use phishing-resistant MFA: FIDO2 hardware security keys or passkeys. One-time codes from an app are better than SMS, but an adversary-in-the-middle phishing page can relay them to the real service within the same 30-second window, and push-notification prompts should require number matching so that users cannot be worn down into approving a login they did not start.
2. Endpoint Detection and Response (EDR)
Traditional antivirus relies mainly on signatures: it recognizes known malware but is weak against new or repackaged samples. Endpoint Detection and Response (EDR) solutions monitor system behavior in real time (process trees, command lines, credential and registry access) and can flag suspicious activity even from malware nobody has seen before. EDR platforms can automatically isolate compromised devices, kill malicious processes, and alert your team before an attacker moves laterally through your network.
Every workstation, laptop, and server in your environment should have EDR installed, with tamper protection turned on so malware cannot simply stop the agent, and with someone actually reviewing the alerts. Cloud-managed EDR makes this feasible for small teams; if nobody is available to watch the console, a managed detection and response (MDR) service closes that gap.
3. Backup Strategy: The 3-2-1 Rule
Ransomware can encrypt every file your business depends on in minutes. Your backup strategy determines whether that is a minor inconvenience or a catastrophic loss. Follow the 3-2-1 rule:
- 3 copies of your data (the original plus two backups)
- 2 different media types (e.g., local disk and cloud storage)
- 1 offsite copy (physically separate from your primary location)
Critically, test your backups regularly. A backup you have never restored is a backup you cannot trust. Run a full restoration test at least quarterly to verify your data is recoverable and your process works under pressure. Two further checks matter against ransomware specifically: keep at least one copy offline or in immutable storage so that an attacker holding your domain admin credentials cannot delete or encrypt it, and give the backup system its own credentials rather than the same admin account used everywhere else.
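A restoration test does not have to be elaborate to be real. The script below, added here as an illustration and not part of the original article, builds a small constructed file share, backs it up to a tar archive, restores it into a scratch directory and compares SHA-256 hashes file by file. It then flips one byte inside the archive and runs the same check again: the damaged archive still extracts without error, because tar only checksums its headers, and only the hash comparison catches the loss. The file names and contents are invented sample data; swap in your real share and archive path to use it as a quarterly check.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a small company's file share (not real data).
SAMPLE_FILES = {
    "accounting/invoices-2024.csv": b"invoice_id,customer,amount\n1001,Acme Ltd,1250.00\n1002,Bolt Co,340.50\n",
    "hr/employee-handbook.txt": b"Company handbook v3. Report suspicious email to the security mailbox.\n",
    "sales/pipeline.txt": b"Q3 prospects: 14 open, 3 in contract.\n",
}
CORRUPTION_MARKER = b"Acme Ltd"  # byte pattern we will damage inside the archive for the failure case


def write_sample_data(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> None:
    """Uncompressed tar of every file under source, stored with paths relative to source."""
    with tarfile.open(str(archive), "w") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(source).as_posix())


def restore(archive: Path, dest: Path) -> None:
    """Extract into dest. The 'data' filter (Python 3.12+) refuses absolute paths, '..' components
    and similar tricks a tampered archive could use to write outside dest."""
    with tarfile.open(str(archive), "r") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(str(dest), filter="data")
        else:
            tar.extractall(str(dest))


def verify_restore(source: Path, archive: Path) -> dict:
    """Restore into a scratch directory and compare hashes with the live data.
    Returns {"ok": bool, "missing": [...], "changed": [...]} so the operator sees exactly what is wrong."""
    expected = manifest(source)
    with tempfile.TemporaryDirectory() as scratch:
        restore(archive, Path(scratch))
        actual = manifest(Path(scratch))
    missing = sorted(set(expected) - set(actual))
    changed = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    return {"ok": not missing and not changed, "missing": missing, "changed": changed}


def corrupt_archive(archive: Path) -> None:
    """Simulate media rot: flip one byte of file content inside the archive. tar only checksums
    its headers, so extraction still succeeds and only a hash comparison notices the damage."""
    data = bytearray(archive.read_bytes())
    idx = data.find(CORRUPTION_MARKER)
    if idx < 0:
        raise RuntimeError("marker not found; archive layout unexpected")
    data[idx] ^= 0xFF
    archive.write_bytes(bytes(data))


def run_demo() -> tuple:
    """Build the sample share, back it up, verify a clean restore, then verify again after
    corrupting the archive. Returns (healthy_ok, corrupted_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        share.mkdir()
        write_sample_data(share)
        archive = Path(tmp) / "backup.tar"
        make_backup(share, archive)
        healthy = verify_restore(share, archive)
        corrupt_archive(archive)
        damaged = verify_restore(share, archive)
        return healthy["ok"], damaged["ok"]


if __name__ == "__main__":
    print("clean restore ok, corrupted restore ok:", run_demo())
```

In production the comparison should run on a machine that is not the backup server and should use a manifest captured at backup time rather than the live share, otherwise a file encrypted by ransomware after the backup would be "verified" against its own encrypted copy.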
4. Employee Security Awareness Training
Your employees are both your greatest vulnerability and your strongest defense. Phishing and stolen credentials sit at the top of the initial access methods in nearly every annual breach report, and no technical control can fully compensate for a user who clicks a malicious link, opens an infected attachment, or approves an MFA prompt they did not initiate.
Effective security awareness training should:
- Be ongoing, not a once-a-year checkbox exercise
- Include simulated phishing campaigns to test and reinforce learning
- Cover current threats, not generic scenarios from five years ago
- Build a culture where reporting suspicious messages is encouraged, not punished
- Address specific risks for different roles (finance staff need BEC training, executives need whaling awareness)
5. Patch Management
Unpatched software is one of the most common entry points for attackers. When a vulnerability is disclosed, the clock starts ticking — attackers begin scanning for vulnerable systems within hours. Your patching process needs to keep pace.
What to patch:
- Operating systems (Windows, macOS, Linux)
- Business applications (browsers, email clients, PDF readers, Office suites)
- Network equipment firmware (firewalls, routers, switches, access points)
- Web applications and CMS platforms
- Third-party plugins and libraries
Enable automatic updates wherever possible. For systems that require manual patching, establish a regular cadence: critical patches within 48 hours, all others within 30 days. Treat any vulnerability that is being exploited in the wild (CISA's Known Exploited Vulnerabilities catalog is the simplest public list to check) or that affects an internet-facing device as critical regardless of its vendor severity rating, and keep a current software inventory, since you cannot patch what you do not know you are running.
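The cadence above is only useful if someone measures it. The following script is an added example, not the article's own material or any product's code: it takes a constructed list of scanner findings (hosts, installed and fixed versions, vendor severity, disclosure date) and reports which ones are still open, overdue, or were patched late against the 48-hour and 30-day targets. The escalation rule, treating exploited-in-the-wild or internet-facing findings as critical, is an assumption in the spirit of the text, and the version comparison only handles plain dotted numeric versions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# SLA targets from the checklist: critical within 48 hours, everything else within 30 days.
SLA_CRITICAL = timedelta(hours=48)
SLA_OTHER = timedelta(days=30)


@dataclass
class Finding:
    """One vulnerable package on one host, as a vulnerability scanner export might list it."""
    host: str
    package: str
    installed: str                 # version present on the host at scan time
    fixed_in: str                  # first version that contains the fix
    severity: str                  # vendor rating: "critical", "high", "medium" or "low"
    disclosed: datetime            # advisory publication time; the SLA clock starts here
    internet_facing: bool = False
    known_exploited: bool = False  # e.g. listed in CISA's Known Exploited Vulnerabilities catalog
    patched_at: Optional[datetime] = None  # when the fix was applied, if recorded


def version_tuple(version: str) -> tuple:
    """Plain dotted numeric versions only ("7.2.1"); vendor-specific schemes need their own parser."""
    return tuple(int(part) for part in version.split("."))


def effective_severity(f: Finding) -> str:
    """Assumed escalation rule: exploited in the wild, or high/critical on an internet-facing host,
    is handled on the critical clock whatever the vendor score says."""
    if f.known_exploited or (f.internet_facing and f.severity in ("critical", "high")):
        return "critical"
    return f.severity


def deadline(f: Finding) -> datetime:
    return f.disclosed + (SLA_CRITICAL if effective_severity(f) == "critical" else SLA_OTHER)


def sla_status(f: Finding, now: datetime) -> str:
    if version_tuple(f.installed) >= version_tuple(f.fixed_in):
        if f.patched_at is None:
            return "patched"
        return "patched on time" if f.patched_at <= deadline(f) else "patched late"
    return "overdue" if now > deadline(f) else "open"


def sla_report(findings: List[Finding], now: datetime) -> dict:
    return {(f.host, f.package): sla_status(f, now) for f in findings}


def overdue_hosts(findings: List[Finding], now: datetime) -> list:
    return sorted({f.host for f in findings if sla_status(f, now) == "overdue"})


# Constructed sample findings (hostnames, packages and dates are invented for the example).
UTC = timezone.utc
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=UTC)
SAMPLE_FINDINGS = [
    Finding("fw-edge", "edge-os", "7.2.1", "7.2.2", "high",
            datetime(2024, 6, 7, 9, 0, tzinfo=UTC), internet_facing=True),
    Finding("ws-14", "pdf-reader", "11.0.3", "11.0.4", "medium",
            datetime(2024, 5, 20, tzinfo=UTC)),
    Finding("srv-files", "file-server", "4.3.0", "4.3.0", "critical",
            datetime(2024, 5, 28, 10, 0, tzinfo=UTC), patched_at=datetime(2024, 6, 1, tzinfo=UTC)),
    Finding("ws-02", "browser", "125.0.1", "125.0.1", "high",
            datetime(2024, 6, 3, tzinfo=UTC)),
    Finding("ws-07", "office-suite", "16.0.1", "16.0.2", "medium",
            datetime(2024, 5, 1, tzinfo=UTC), known_exploited=True),
]


if __name__ == "__main__":
    for key, status in sla_report(SAMPLE_FINDINGS, NOW).items():
        print(f"{key[0]:10} {key[1]:14} {status}")
    print("overdue hosts:", overdue_hosts(SAMPLE_FINDINGS, NOW))
```

Note how the office-suite finding on ws-07 is rated "medium" by the vendor yet lands in the overdue column: once a bug is being exploited in the wild, the vendor score stops being the right clock.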
6. Network Segmentation
A flat network — where every device can communicate with every other device — means a single compromised workstation can give an attacker access to your file servers, databases, and payment systems. Network segmentation divides your network into isolated zones, limiting how far an attacker can move after gaining initial access.
At minimum, separate your guest Wi-Fi from your corporate network, isolate point-of-sale or payment systems, put IoT devices on their own VLAN, and restrict the management interfaces of firewalls, switches, and servers to an admin VLAN that ordinary workstations cannot reach. For organizations with sensitive data, consider microsegmentation that restricts access down to individual workloads.
7. Incident Response Plan
When a security incident happens — not if, when — the last thing you want is to be figuring out what to do for the first time. Even a simple incident response plan dramatically reduces response time and limits damage.
Your plan should answer these questions:
- Who do we call first? (Internal team, IT provider, legal counsel, cyber insurance carrier)
- How do we isolate a compromised system?
- What are our communication procedures for staff, clients, and regulators?
- Where are our backup restoration procedures documented?
- What are our regulatory notification obligations?
Print a copy of this plan and store it somewhere accessible even if your entire network is offline. A digital-only incident response plan that lives on a server that just got encrypted is not helpful.
8. Vendor and Third-Party Risk Management
Your security is only as strong as your weakest vendor. If a supplier has access to your systems, handles your data, or connects to your network, their security posture directly affects yours. Some of the largest data breaches in history started with a compromised vendor.
For every third party with access to your environment, ask: What data do they have access to? How do they protect it? What happens if they get breached? Require security questionnaires or SOC 2 reports from critical vendors, and review access permissions annually.
9. Data Encryption
Encryption ensures that even if data is stolen, it cannot be read without the decryption key. You need encryption in two places:
- At rest: Enable full-disk encryption on all laptops and workstations (BitLocker on Windows, FileVault on macOS) and escrow the recovery keys in your directory or device-management system; a lost recovery key turns a routine hardware failure into permanent data loss. Encrypt database storage and backup files.
- In transit: Require TLS (version 1.2 or later; SSL and TLS 1.0/1.1 are obsolete and should be disabled) for all web traffic, email transmission, and API connections. Use a VPN for remote access. Never transmit sensitive data over unencrypted channels.
Encryption is a compliance requirement under most regulatory frameworks (HIPAA, PCI DSS, state privacy laws) and provides a critical last line of defense when other controls fail.
10. Regular Security Assessments
You cannot fix what you do not know is broken. Regular security assessments — whether internal reviews, vulnerability scans, or professional penetration tests — reveal gaps before attackers find them.
The frequency depends on your risk profile, but every business should have at least an annual assessment against a recognized framework such as NIST CSF 2.0 or the CIS Controls (Implementation Group 1 is written specifically for small organizations with limited IT resources). This gives you a structured baseline, measurable progress over time, and a clear roadmap for improvement.
Start Where You Are
You do not have to do everything at once. If you have none of these controls in place, start with the top three: MFA, EDR, and backups. Those three blunt the most common attack paths, namely stolen passwords, commodity malware, and ransomware. Then work your way down the list, building a security program that grows with your business.
The cost of implementing these controls is a fraction of the cost of recovering from a breach — or of not recovering at all.
Need Help Securing Your Business?
Our team, led by a CISSP-certified principal, can assess your security posture and build a remediation roadmap.
Free Consultation