Home/Insights/A cybersecurity checklist for small businesses (2026)

// Insights

A cybersecurity checklist for small businesses (2026)

Twelve controls, ordered by what actually stops breaches. No products to buy first, no fear-mongering, just the list we would run against any small business, including our own.

// Cybersecurity A glowing red checklist interface over a dark shield and network grid, representing a practical small business cybersecurity checklist.

Small businesses get breached for boring reasons. Not nation-state exploits: a reused password, a missed patch, an invoice email that looked real enough at 4:45 on a Friday. The numbers behind that boredom are brutal: the average breach now costs $4.45 million (IBM), 74 percent of breaches involve the human element (Verizon), and roughly 60 percent of small businesses close within six months of a serious attack.

The good news buried in those statistics: if breaches come from boring causes, boring discipline prevents most of them. This is the checklist we would run against any small business. It is the same posture, scaled down, that we run on our own three-data-center stack.

Access: who can get in

  1. Multi-factor authentication on everything that matters. Email, banking, admin panels, remote access. MFA stops the single most common attack outcome, a stolen password becoming a takeover. If you do exactly one thing from this list, do this one.
  2. A password manager, company-wide. Humans cannot remember unique strong passwords for forty systems, so without a manager they reuse, and one leaked credential unlocks everything. Roll one out and make it policy.
  3. Offboarding that actually revokes. Keep a live list of every system each person can touch. The day someone leaves, access dies. Orphaned accounts are a favorite way in, because nobody is watching them.
  4. Least privilege by default. The bookkeeper does not need domain admin. Every unnecessary permission is free blast radius for whoever compromises that account.

Systems: what you run

  1. Patching on a schedule, not a vibe. Most exploited vulnerabilities are old, with fixes published long before the breach. Set a monthly cadence for everything, and a fast lane for critical fixes on anything internet-facing.
  2. Backups on the 3-2-1 rule, with tested restores. Three copies, two types of storage, one offsite. Then actually restore something quarterly. Ransomware's entire business model is you not having this. This one control converts a company-ending event into a bad afternoon.
  3. Endpoint protection beyond free antivirus. Modern endpoint detection watches behavior, not just signatures, and catches what email filters miss. Every laptop that touches company data gets it, including the owner's.

Network: what stands in front

  1. A real firewall, configured, not just installed. Default-deny inbound, and review what is exposed to the internet. Most small businesses are shocked by what an external scan of their own network shows. We are rarely shocked, which is the problem.
  2. Edge protection for your website. A web application firewall and bot filtering in front of your site blocks the constant background attack traffic every public site receives. This is standard posture on everything we host; if your host cannot say the same, ask why. Your website is part of your attack surface, not just your marketing. Our infrastructure guide covers where hosting fits in the bigger picture.
  3. Separate the things that do not need each other. Guest Wi-Fi off the business network. Payment systems away from the break-room smart TV. Segmentation costs nothing and contains everything.

People: where 74 percent of breaches start

  1. Phishing awareness, little and often. Not an annual slideshow. Short, regular exposure to what current lures look like, plus a no-blame culture for reporting clicks fast. The half-life of security training is measured in weeks, so cadence beats ceremony.
  2. A one-page incident plan. Who gets called, what gets disconnected, where the backups are, who talks to customers. Printed. When the screens are encrypted, the wiki with your response plan is too.
Do these three first

MFA everywhere (item 1), tested backups (item 6), and the incident page (item 12). Together they neutralize the most common attack, the most damaging attack, and the chaos that multiplies both.

What attackers actually do first

It helps to know what the first hour of a typical small-business compromise looks like, because it explains why the checklist is ordered this way. The attacker rarely "hacks" anything. They log in, with a password bought from a previous breach or phished that morning. Then they read email quietly for days or weeks, learning who pays invoices and who approves them. The actual attack, a fraudulent payment request or a ransomware detonation, comes only after the reconnaissance is done.

Every early item on this list breaks a link in that exact chain. MFA breaks the login. Least privilege caps what a compromised account can see. Offboarding closes the forgotten doors. The incident page turns the eventual bad day from chaos into procedure. Security is not about predicting the exotic attack; it is about making the routine one expensive enough that the attacker moves to a softer target, of which there is never a shortage.

Compliance and cyber insurance: two forcing functions

Two outside pressures increasingly do small businesses the favor of mandating this list. If you take card payments, PCI-DSS already obligates several items on it. If you touch health data, HIPAA does the same and adds documentation requirements. And nearly every cyber insurance application now asks, in writing, about MFA, backups, endpoint protection, and training. Answer dishonestly and you have bought a policy that will not pay. Answer honestly without the controls and your premium, if you are offered one at all, prices in the gap. Running this checklist first is the cheaper order of operations, and if an audit is on your horizon, our compliance readiness work exists for exactly that.

What this list cannot do

A checklist hardens the baseline. It does not tell you which risks are actually pointed at your business, whether your industry brings compliance obligations like HIPAA or PCI-DSS, or whether that legacy system in the corner is a soft target. That is what a proper risk assessment is for: mapping your real attack surface and handing you a priority list ranked by business risk, not a generic scan dump.

One honest test of any security partner, ours included: ask them what they run on their own systems. We answer that question with specifics, because we secure clients with the same posture we depend on ourselves, watched by our own operations center around the clock. If a vendor gets vague at that question, keep shopping.

Want this checklist run against your business, properly?

Open a channel