Small businesses are under siege. According to the Verizon Data Breach Investigations Report, 43% of cyberattacks target small businesses, yet only 14% are prepared to defend themselves. The average cost of a data breach for a small company can exceed $150,000, enough to put many out of business permanently. But here is the good news: you do not need a massive IT budget to dramatically reduce your risk. Most of the steps that matter most are either free or low-cost, and you can start implementing them today.
This checklist is organized by impact. The first three items alone will stop the vast majority of common attacks. Work through them in order, and by the time you finish, your business will be significantly harder to compromise than most companies your size. For each step, we explain what it is, why it matters, how to do it yourself, and when it makes sense to bring in professional help.
Your Small Business Cybersecurity Checklist
1. Enable Multi-Factor Authentication (MFA) Everywhere
What it is: Multi-factor authentication requires a second form of verification beyond your password, such as a code from an authenticator app, a push notification, or a physical security key. Even if an attacker steals your password, they cannot access your account without that second factor.
Why it matters: Microsoft reports that MFA blocks over 99.9% of automated account compromise attacks. It is the single most effective security measure you can implement, and it is free on nearly every major platform. Without MFA, a stolen or guessed password is all it takes to hand over your email, banking, and cloud data to an attacker. For a deeper comparison of authentication methods, see our guide on 2FA vs. MFA.
How to do it (DIY): Start with your email accounts, because email is the master key to resetting every other password. Enable MFA in Microsoft 365, Google Workspace, or whatever email platform you use. Then move on to banking, cloud storage, accounting software, and social media accounts. Use an authenticator app like Microsoft Authenticator or Google Authenticator rather than SMS codes, which can be intercepted.
When to get help: If you have more than 10 employees or use multiple cloud services, an IT provider can enforce MFA through conditional access policies, ensuring no one can opt out or skip enrollment. They can also set up phishing-resistant methods like hardware security keys for high-risk accounts.
2. Use a Password Manager
What it is: A password manager generates, stores, and auto-fills strong, unique passwords for every account your business uses. Your team only needs to remember one master password. The manager handles the rest, eliminating the need to reuse passwords or write them on sticky notes.
Why it matters: Password reuse is one of the top reasons breaches succeed. When one service gets hacked, attackers try those same credentials on every other platform. A password manager ensures every account has a unique, complex password, so a breach at one service does not cascade into a breach at all of them. It also gives you visibility into password health across your organization.
How to do it (DIY): Choose a business-grade password manager like Bitwarden (which has a free tier), 1Password, or Keeper. Set it up for your team with a shared vault for company accounts and individual vaults for personal credentials. Require everyone to install the browser extension and mobile app. Run a password health audit to identify and replace any weak or reused passwords immediately.
When to get help: If you need to enforce usage across your entire organization, integrate the password manager with your identity provider, or set up automated onboarding and offboarding workflows, a managed IT provider can configure this as part of a broader identity management strategy.
3. Keep Software Updated Automatically
What it is: Software updates and patches fix known security vulnerabilities in operating systems, applications, and firmware. Automatic updates ensure these patches are applied as soon as they are available, closing the window of time attackers have to exploit known flaws.
Why it matters: The majority of successful cyberattacks exploit vulnerabilities that already have patches available. The problem is that small businesses often delay updates because they are busy, worried about disruption, or simply forget. Every day a patch goes unapplied is a day your systems remain vulnerable to known attacks. Automated patching removes the human bottleneck.
How to do it (DIY): Enable automatic updates on all Windows and Mac computers through the operating system settings. Turn on auto-updates for browsers like Chrome, Firefox, and Edge. Enable automatic updates in Microsoft 365, Google Workspace, and any other cloud applications. For your router and firewall, check the manufacturer's website for firmware updates at least monthly, and enable auto-update if available.
When to get help: If your business relies on specialized software that could break with updates, or if you have servers and network equipment that need coordinated patching, a managed IT provider can handle patch management with testing and rollback capabilities. They can also ensure nothing falls through the cracks with centralized patch reporting.
4. Set Up Automated Backups
What it is: Automated backups create regular copies of your critical business data and store them in a separate, secure location. This ensures you can recover your files, databases, and systems if they are destroyed by ransomware, hardware failure, accidental deletion, or any other disaster.
Why it matters: Ransomware attacks on small businesses have surged, and the attackers' leverage disappears entirely if you have clean, recent backups. Beyond ransomware, hardware fails, employees accidentally delete files, and natural disasters happen. Without backups, a single event can erase years of business data. The 3-2-1 rule is the gold standard: three copies of your data, on two different types of media, with one copy stored offsite.
How to do it (DIY): If you use Microsoft 365 or Google Workspace, your documents are already in the cloud, but that is not a true backup, because a deleted or ransomware-encrypted file syncs to the cloud copy just as a good one does. Use a dedicated backup service like Backblaze, Carbonite, or the built-in backup features of your cloud platform. Set backups to run daily at minimum. Test your backups by actually restoring a file at least once per quarter to confirm they work. For more hands-on guidance, check out our DIY cybersecurity resources.
When to get help: If you have servers, databases, or compliance requirements that mandate specific retention periods, a managed backup solution with monitoring, testing, and guaranteed recovery times is worth the investment. A provider can also set up immutable backups that ransomware cannot encrypt or delete.
5. Train Employees on Phishing
What it is: Phishing training teaches your employees to recognize and report fraudulent emails, text messages, and phone calls designed to steal credentials, install malware, or trick people into transferring money. It combines education with simulated phishing exercises to build real-world awareness.
Why it matters: Phishing is the number one method attackers use to gain initial access to small businesses. No matter how strong your technical defenses are, one employee clicking the wrong link can bypass all of them. Account compromise through phishing remains the most common attack vector, and AI-powered phishing emails are becoming increasingly difficult to distinguish from legitimate messages. Training turns your employees from your biggest vulnerability into your first line of defense.
How to do it (DIY): Start with a team meeting covering the basics: check sender addresses carefully, hover over links before clicking, never enter credentials from an email link, and report suspicious messages. Use free resources from the Cybersecurity and Infrastructure Security Agency (CISA) or the National Cyber Security Alliance. Send periodic test phishing emails using free tools to see who clicks and use the results as teachable moments rather than punishment.
When to get help: If you want ongoing, automated phishing simulations with detailed reporting, or if your industry has compliance requirements for security awareness training, a managed security provider can run a complete program with tracking, reporting, and targeted follow-up training for employees who need extra help.
6. Implement Endpoint Protection
What it is: Endpoint protection goes beyond traditional antivirus to provide advanced threat detection on every device that connects to your business network, including laptops, desktops, tablets, and smartphones. Modern endpoint protection uses behavioral analysis and machine learning to detect threats that signature-based antivirus misses.
Why it matters: Traditional antivirus only catches known malware. Modern attacks use fileless techniques, living-off-the-land tactics, and zero-day exploits that bypass legacy antivirus entirely. Endpoint Detection and Response (EDR) tools watch for suspicious behavior patterns, like a program trying to encrypt all your files, and can automatically isolate a compromised device before the damage spreads.
How to do it (DIY): At minimum, ensure Windows Defender is enabled and up to date on all Windows machines, as it has become a capable basic protection tool. For better protection, consider Microsoft Defender for Business or a solution like SentinelOne or CrowdStrike, which offer small business plans. Make sure every device that accesses company data, including personal phones and home computers, has some form of protection installed.
When to get help: If you want 24/7 monitoring of endpoint alerts, someone to investigate suspicious activity, and the ability to remotely isolate compromised devices, you need a managed detection and response (MDR) service. This is where the gap between DIY and professional security becomes most significant.
7. Secure Your Email
What it is: Email security involves configuring your email platform to filter out spam, phishing, and malware before it reaches employee inboxes. It also includes the email authentication records SPF, DKIM, and DMARC, which let receiving mail servers recognize and reject messages that forge your domain.
Why it matters: Email is the primary attack vector for small businesses. Over 90% of cyberattacks begin with an email. Beyond phishing, business email compromise (BEC) attacks trick employees into wiring money or sharing sensitive data by impersonating executives or vendors. Proper email security stops most of these threats before anyone even sees them, and email authentication prevents attackers from spoofing your company's domain to scam your customers and partners.
How to do it (DIY): If you use Microsoft 365 or Google Workspace, enable the built-in advanced threat protection features. Configure SPF, DKIM, and DMARC records in your domain's DNS settings; your email provider's documentation will walk you through this. Enable external email banners that warn employees when a message comes from outside the organization. Block automatic forwarding rules to external addresses, a common technique attackers use to silently siphon data.
When to get help: DMARC configuration can be tricky, and a misconfiguration can cause legitimate emails to be rejected. If you send email from multiple platforms such as marketing tools, CRM systems, and support desks, a professional can ensure all your sending sources are properly authenticated without breaking email delivery.
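As an added example (not from the original checklist), here is a small Python script that checks SPF and DMARC record text for the mistakes that most often leave a domain spoofable or break delivery. The domain names and records are constructed; in practice you would look up the TXT records for your own domain and pass them in.

```python
"""Added example, not from the original checklist: an offline checker for the
SPF and DMARC TXT records of step 7.  Domain names and records are constructed."""
import re

# Constructed sample TXT records, keyed by the DNS name they would be published at.
SAMPLE_TXT = {
    "example-shop.test": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example-shop.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-shop.test"],
    "weak-shop.test": ["v=spf1 ip4:203.0.113.10 +all"],
    "_dmarc.weak-shop.test": [],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def check_spf(records):
    """Return human-readable findings for a domain's SPF TXT records."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send as you"]
    findings = []
    if len(spf) > 1:
        findings.append("more than one SPF record: receivers treat this as a permerror")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1].startswith("+") or all_terms[-1].lower() == "all":
        findings.append("'+all' authorises every host on the internet to send as you")
    elif all_terms[-1].startswith("?"):
        findings.append("'?all' gives unlisted senders no verdict at all")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(records):
    """Return findings for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF and DKIM failures are never acted on"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: the whole record is ignored")
    elif policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return findings


def audit_domain(domain, txt=SAMPLE_TXT):
    """Combine both checks for one domain; an empty list means no findings."""
    return {"spf": check_spf(txt.get(domain, [])),
            "dmarc": check_dmarc(txt.get("_dmarc." + domain, []))}
```

Calling audit_domain("weak-shop.test") returns the two findings that matter most: a +all SPF record and no DMARC record at all. It does not verify DKIM, which requires checking the selector records your provider publishes.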
8. Control Access With Least Privilege
What it is: The principle of least privilege means giving each employee access only to the systems, data, and tools they need to do their specific job, and nothing more. When someone changes roles or leaves the company, their access is immediately adjusted or revoked.
Why it matters: When everyone has admin access to everything, a single compromised account can access your entire business. Least privilege limits the blast radius of any breach. If an attacker compromises a marketing employee's account, they should not be able to access financial records, HR data, or IT systems. It also protects against insider threats and accidental data exposure.
How to do it (DIY): Audit who has access to what. Remove admin privileges from accounts that do not need them. Create separate user groups for different departments or roles with appropriate access levels. Use shared drives with folder-level permissions rather than giving everyone access to everything. Review access quarterly and revoke it for anyone who has left or changed roles. Ensure no one is using shared accounts, as every user should have their own login for accountability.
When to get help: If you want to implement role-based access control across multiple systems, integrate with an identity provider for single sign-on, or set up automated provisioning and deprovisioning tied to your HR system, professional help ensures nothing is overlooked and the setup scales as your business grows.
9. Monitor for Threats
What it is: Threat monitoring means continuously watching your systems, network, and accounts for signs of suspicious activity. This includes tracking failed login attempts, unusual file access, new device connections, changes to security settings, and other indicators of compromise. For a more detailed look, read our guide on stopping account hacks.
Why it matters: The average time to detect a breach is 204 days. During that time, attackers are moving through your systems, stealing data, and setting up persistence so they can come back even after you think you have cleaned up. Monitoring shrinks that detection window from months to hours or even minutes, dramatically reducing the damage an attacker can cause.
How to do it (DIY): Enable audit logging in Microsoft 365 or Google Workspace. Set up alerts for failed login attempts, logins from unusual locations, and changes to admin settings. Review your security dashboard weekly at minimum. Check for new mail forwarding rules, unfamiliar devices, and accounts with disabled MFA. Most cloud platforms provide basic security dashboards and alerts at no additional cost; you just need to turn them on.
When to get help: DIY monitoring only works during business hours, and most attacks happen after hours and on weekends. If you want 24/7 coverage with trained analysts who can triage alerts and respond immediately, a Security Operations Center (SOC) or managed detection and response service is the answer. This is the most significant gap between DIY security and professional security management.
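As an added example (not part of the original checklist), two of the alerts recommended above, repeated failed logins and new forwarding rules to outside addresses, written as simple detection logic in Python over a handful of constructed audit-log records. The record layout and the company domain are assumptions, not any vendor's real log format.

```python
"""Added example, not from the original checklist: detection logic for two
step-9 signals (failed-login bursts, forwarding rules to outside addresses)
over constructed audit-log records.  Layout and company domain are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

COMPANY_DOMAIN = "example-shop.test"   # assumed: your own mail domain
FAIL_THRESHOLD = 5                     # failed logins per account ...
WINDOW = timedelta(minutes=10)         # ... inside this window raise an alert

# Constructed sample events: (timestamp, account, action, detail).
SAMPLE_EVENTS = [
    ("2024-05-01T02:14:05", "pat@example-shop.test", "UserLoginFailed", "198.51.100.7"),
    ("2024-05-01T02:14:09", "pat@example-shop.test", "UserLoginFailed", "198.51.100.7"),
    ("2024-05-01T02:14:12", "pat@example-shop.test", "UserLoginFailed", "198.51.100.7"),
    ("2024-05-01T02:14:20", "pat@example-shop.test", "UserLoginFailed", "198.51.100.7"),
    ("2024-05-01T02:14:31", "pat@example-shop.test", "UserLoginFailed", "198.51.100.7"),
    ("2024-05-01T02:15:02", "pat@example-shop.test", "UserLoggedIn", "198.51.100.7"),
    ("2024-05-01T02:16:40", "pat@example-shop.test", "New-InboxRule", "forward=finance@example-shop.test"),
    ("2024-05-01T02:16:58", "pat@example-shop.test", "New-InboxRule", "forward=archive@freemail.test"),
    ("2024-05-01T09:00:00", "sam@example-shop.test", "UserLoginFailed", "203.0.113.5"),
    ("2024-05-01T09:00:30", "sam@example-shop.test", "UserLoggedIn", "203.0.113.5"),
]

def parse(events):
    """Turn the ISO timestamps into datetime objects, keeping the other fields."""
    return [(datetime.fromisoformat(ts), acct, action, detail)
            for ts, acct, action, detail in events]

def failed_login_bursts(events):
    """Accounts with FAIL_THRESHOLD or more failed logins inside any WINDOW."""
    fails = defaultdict(list)
    for ts, acct, action, _ in events:
        if action == "UserLoginFailed":
            fails[acct].append(ts)
    flagged = []
    for acct, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                flagged.append(acct)
                break
    return sorted(flagged)

def external_forwarding_rules(events):
    """(account, target) for every new inbox rule that forwards outside the company."""
    hits = []
    for _, acct, action, detail in events:
        if action == "New-InboxRule" and detail.startswith("forward="):
            target = detail.split("=", 1)[1]
            if not target.lower().endswith("@" + COMPANY_DOMAIN):
                hits.append((acct, target))
    return hits

def weekly_review(events=SAMPLE_EVENTS):
    """Both checks together, in the shape of the report you would read weekly."""
    parsed = parse(events)
    return {"login_bursts": failed_login_bursts(parsed),
            "external_forwarding": external_forwarding_rules(parsed)}
```

On the sample data only pat's account is flagged, for both a burst of failures followed by a success and a rule forwarding mail to an outside domain; sam's single failed attempt and internal forwarding rules produce no alert.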
10. Have an Incident Response Plan
What it is: An incident response plan is a documented, step-by-step playbook that tells your team exactly what to do when a security incident occurs. It covers who to contact, how to contain the damage, how to communicate with affected parties, and how to recover operations.
Why it matters: When a breach happens, panic leads to mistakes. Employees delete evidence, shut down the wrong systems, or wait too long to respond. An incident response plan eliminates the guesswork and ensures everyone knows their role. Companies with tested incident response plans reduce the average cost of a breach by over $2 million compared to those without one. It is not a matter of if you will face an incident, but when.
How to do it (DIY): Create a simple one-page document that answers: Who do we call first? How do we isolate a compromised system? Who communicates with customers and partners? Where are our backups, and how do we restore from them? What is our insurance carrier's claims process? Include contact numbers for your IT provider, cyber insurance carrier, and legal counsel. Store printed copies in a known location, because if your systems are compromised you may not be able to access a digital version. Run through the plan with your team at least once per year.
When to get help: A managed security provider can create a comprehensive incident response plan tailored to your specific business, run tabletop exercises to test it, and serve as your on-call response team when an actual incident occurs. If your business handles regulated data like healthcare, financial, or legal information, professional incident response planning is not optional.
If You Can Only Do Three Things...
If you are overwhelmed by this list, start with these three steps. They will stop the vast majority of common attacks and take less than an afternoon to implement:
- Enable MFA on all accounts -- This single step blocks over 99% of automated credential attacks. Start with email, then expand to every other service. It is free on almost every platform.
- Deploy a password manager -- Eliminate password reuse across your organization. Bitwarden offers a free tier that works for small teams. Every account gets a unique, strong password without anyone needing to memorize them.
- Set up automated backups -- If ransomware or hardware failure strikes, backups are your lifeline. Ensure they run automatically, are stored in a separate location, and test them regularly to confirm they actually work.
These three actions alone will put your business ahead of the majority of small companies in terms of security posture. Once they are in place, work through the rest of the checklist at your own pace.
Free Tools to Get Started
You do not need a big budget to make meaningful progress. Here are free and low-cost tools that cover the essentials:
- Bitwarden (Free tier) -- Open-source password manager with individual and small team plans at no cost. Includes browser extensions, mobile apps, and a password health report.
- Microsoft Authenticator / Google Authenticator (Free) -- Authenticator apps for MFA. Both support time-based one-time passwords and push notifications. Choose whichever matches your email platform.
- Windows Defender (Built into Windows) -- Endpoint protection that comes pre-installed on every Windows PC. Keep it enabled and updated for a solid baseline of protection against malware and ransomware.
- Backblaze (Starting at $7/month) -- Affordable, automated cloud backup for individual computers. Set it and forget it, with unlimited storage and easy restores.
- Have I Been Pwned (Free) -- Check if your business email addresses or domains have appeared in known data breaches. Set up free notifications for future breaches involving your domain.
- Cloudflare (Free tier) -- DNS filtering and basic website protection. Their free plan includes DDoS protection and DNS security for your website.
- CISA Cybersecurity Resources (Free) -- The Cybersecurity and Infrastructure Security Agency provides free training materials, assessment tools, and best practice guides specifically designed for small businesses.
- MXToolbox (Free) -- Check your email authentication records (SPF, DKIM, DMARC) to ensure your domain is properly configured and not being spoofed by attackers.
When to Bring in Professional Help
DIY cybersecurity can take you far, and our DIY cybersecurity guide covers what you can handle on your own. But there are clear signs that it is time to move beyond self-managed security:
- You have more than 20 employees -- The complexity of managing access, devices, and policies grows exponentially. What worked for a five-person team becomes unmanageable.
- You handle regulated data -- Healthcare (HIPAA), financial services, legal, and government contracting all have compliance requirements that demand professional security oversight and documentation.
- You have experienced a breach or close call -- If you have already been hit, or if a phishing email almost succeeded, it is time to get proactive rather than reactive.
- No one is watching after hours -- Attackers work nights and weekends. If no one is monitoring your systems outside of business hours, threats can go undetected for days.
- You are spending too much time on IT -- If the business owner or a non-IT employee is spending hours each week managing security, that time has a cost. A managed security provider often costs less than the productivity you are losing.
- You cannot answer basic security questions -- If you do not know how many failed login attempts happened this week, which accounts lack MFA, or when your last backup was tested, you lack the visibility needed to protect your business.
- Your cyber insurance requires it -- Many insurers now require specific security controls and documentation. A managed provider can ensure you meet these requirements and help with claims if an incident occurs.
Professional managed security is not just about tools. It is about having trained people who monitor, investigate, and respond to threats around the clock, so you can focus on running your business.
The Bottom Line
Cybersecurity does not have to be overwhelming or expensive. The ten steps in this checklist, implemented in order, will dramatically reduce your risk of a successful cyberattack. Start with the big three: MFA, a password manager, and automated backups. Then work through the rest at a pace that makes sense for your business.
The most dangerous mindset is believing your business is too small to be a target. Attackers use automated tools that scan the internet indiscriminately, and they specifically look for businesses without basic protections in place. Being small does not make you invisible. It makes you easy.
Whether you tackle this checklist yourself or bring in professional help, the important thing is to start. Every step you complete makes your business harder to breach and more resilient if something does get through. Print this checklist, assign owners to each step, and set a deadline. Your future self will thank you.