// blog · 2026-02-24

The 10-point small business cybersecurity checklist

Most breaches of small companies exploit the same handful of gaps. Close these ten — in this order — and you've defended against the attacks that actually happen.

Each item below has three parts: what it is, roughly what it costs, and — the part most lists skip — how to verify it's really on. Security that isn't verified degrades silently.

1. Multi-factor authentication on everything

MFA stops the single most common attack: a stolen or guessed password. Cost: usually included in Microsoft 365 and Google Workspace. Verify: pull the MFA enrollment report from your admin console. "Enabled for most people" means the attacker will find the exceptions.

2. Backups that restore, offsite and tested

Ransomware turns "we have backups" into a claim you must prove under pressure. Follow 3-2-1: three copies, two media, one offsite and disconnected from your network. Cost: tens of dollars a month per server for small environments. Verify: restore a real file and a real mailbox quarterly, and log the result — that log is your evidence. More on this in our backup & disaster recovery service.

3. Patch on a schedule

Most exploited vulnerabilities are months old. Updates on a weekly cycle, with a rapid path for critical fixes. Cost: time, or included in any managed plan. Verify: pick three machines at random and check their update history right now.

4. Managed endpoint protection (EDR)

Modern endpoint protection watches behavior — a process encrypting many files fast gets killed, not logged. Cost: a few dollars per device monthly. Verify: ask who receives the alerts and what happened to the last one. An EDR nobody watches is a smoke detector with no battery.

5. Email filtering and phishing defense

Email is the front door for most attacks. Filtering plus correctly configured SPF, DKIM and DMARC blocks the bulk of it. Cost: often included in your mail platform, properly configured. Verify: send yourself a test from a spoofing tool — or ask us to during an assessment.

6. A password manager for the team

Reused passwords make one breached website into a master key for your business. Cost: a few dollars per user monthly. Verify: browser-saved and spreadsheet passwords are gone, and the finance team's logins live in the vault.

7. Offboarding that actually happens

Ex-employee accounts are free backdoors. Access ends the day employment does — email, VPN, cloud apps, shared logins. Cost: free; it's a checklist and someone accountable for running it. Verify: list your last three leavers, then check whether their accounts still authenticate.

8. Security awareness training

Short, regular, with simulated phishing — not an annual hour of slides. The metric that matters is the click rate trending down. Cost: a few dollars per user monthly. Verify: ask for last quarter's simulation results.

9. Remove local admin rights

Malware runs with the permissions of the user who opened it. Standard users for daily work, admin credentials only when needed. Cost: free, minus a week of grumbling. Verify: check whether ordinary users can install software right now.

10. A written incident response plan

One page: who to call, what to disconnect, where backups live, who talks to clients and the insurer. Printed, because the wiki may be encrypted too. Cost: an afternoon. Verify: the people named in it know they're named in it.

A side benefit: your insurer wants this exact list

Cyber insurance applications now ask directly about most of these ten — MFA coverage, EDR, tested backups, awareness training and offboarding are standard questions, and misstating them can void a claim precisely when you need it paid. Working through this checklist doesn't just reduce the odds of an incident; it lowers premiums, keeps your answers on the application honest, and produces the verification evidence an adjuster will ask for afterwards. If you renew a cyber policy this year, do the checklist first and let the paperwork write itself.

The takeaway

None of this requires enterprise budgets — the whole list typically costs less per user than a phone plan. What it requires is verification, on a calendar, by someone accountable. That's the core of our cybersecurity service, and the free assessment will tell you which of the ten you're missing.

// questions

Frequently asked

We're too small to be a target, aren't we?

Attacks on small businesses are mostly automated — bots scan for weak credentials and unpatched systems without caring who owns them. You're not targeted; you're swept. The checklist defends against sweeps.

What order should we do these in?

The list is already ordered by impact. If you do nothing else this quarter: MFA everywhere, then a tested backup, then patching. Those three eliminate the most common disaster scenarios.

Can we do this without an IT provider?

A technically confident owner can implement most of the ten. The harder part is keeping them on — verification, patching cycles and offboarding drift within months without someone accountable. That ongoing part is what a managed plan buys.

Want your score against the checklist?

The free 45-minute assessment checks all ten points and puts the gaps in writing — yours to fix with anyone.

response within one business hour Get a free IT assessment