Most cybersecurity checklists are written for companies with IT departments. They reference tools and processes that cost six figures to implement and assume you have a security team to manage them. This checklist is different. Every item on it is realistic for a small business with 15 or fewer devices and no in-house IT staff.

We built this list from the findings of hundreds of IT audits. These aren’t theoretical best practices from a security textbook. They’re the specific gaps we found most often at small businesses, the ones that led to actual incidents. If you can check every box on this list, you’re ahead of most companies ten times your size.

A practical cybersecurity checklist for small businesses should cover five categories: endpoints, email security, passwords and authentication, backups, and network security. On the endpoint side, every machine needs a supported operating system with automatic updates enabled, third-party application patching that covers more than just the OS, endpoint detection software monitored by someone who responds to alerts, and restricted local administrator rights. Email security means configuring SPF, DKIM, and DMARC records on your domain, enabling phishing filters that scan attachments and links, and adding external email warning banners. Password hygiene requires multi-factor authentication on all accounts, unique passwords stored in a dedicated password manager, and default credentials changed on every network device. Backups should run daily to an offsite location, get verified with real restore tests at least quarterly, and retain thirty or more days of history. Network security includes current router firmware, strong Wi-Fi encryption, guest network isolation, and no exposed remote access ports.

Print this out. Go through it with whoever manages your technology. Check off what you have. Circle what you’re missing. That circled list is your to-do list.

Endpoints (Computers and Devices)

1. Every device runs a supported operating system

If any of your computers are running Windows 10 that’s reached end of life without Extended Security Updates, those machines no longer receive security patches. Unpatched operating systems are one of the easiest ways for attackers to get in. Upgrade or replace any machine running an unsupported OS.

2. Automatic updates are enabled on every machine

Windows Update, macOS software updates, and application updates should all be set to install automatically. Don’t rely on your employees to click “Update later” and then actually do it later. Automated patching closes vulnerabilities before attackers can use them.

3. Third-party applications are patched, not just the operating system

Your web browser, PDF reader, office suite, and every other application on your machines gets security updates too. Attackers target these applications as often as they target Windows itself. A patch management tool that covers more than just the OS is important. We patch over 630 applications automatically for our clients.

4. Endpoint detection and response (EDR) is installed and monitored

Traditional antivirus catches known threats. EDR catches suspicious behavior, including attacks that use legitimate Windows tools to avoid detection. EDR needs to be monitored by someone who can respond to alerts. Software that generates alerts nobody reads is not protection. It’s a false sense of security.

5. Screen lock is enabled with a short timeout

Every machine should lock its screen after five minutes of inactivity, maximum. If an employee walks away from their desk and the computer stays unlocked, anyone who walks by has full access to whatever that employee has access to. This is a one-minute settings change that prevents a real category of incidents.

6. Local administrator rights are restricted

Most employees don’t need administrator access on their work computer. Admin rights let users install any software they want, including malicious software. Running as a standard user means malware that gets downloaded can’t install itself without an admin password prompt. This single change blocks a significant percentage of malware.

Email Security

7. SPF, DKIM, and DMARC records are configured on your domain

These three DNS records prevent attackers from sending emails that look like they come from your domain. SPF specifies which mail servers are allowed to send email on your behalf. DKIM adds a digital signature to verify the email wasn’t tampered with. DMARC tells receiving servers what to do with emails that fail SPF or DKIM checks. Without all three, anyone can send an email that appears to come from you.
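One way to see what "configured" means for item 7 is to audit the records themselves. The following is an added Python example, not code from this checklist or its author: it parses SPF, DMARC and DKIM TXT records and reports the gaps a receiving server would care about (no SPF terminator, more than one SPF record, a DMARC policy of `none`, which tells receivers to deliver spoofed mail anyway, no reporting address, no DKIM key). The records are constructed samples for a placeholder domain; `example.com`, the selector names, the public key and the `weak.example` records are all assumptions made up for the demo, and `lookup_txt` stands in for a real DNS query so the script runs offline.

```python
import re

# Constructed sample TXT records for a placeholder domain (NOT real DNS data).
SAMPLE_TXT_RECORDS = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}

# A second constructed domain showing the misconfigurations seen most often.
WEAK_TXT_RECORDS = {
    "weak.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 ip4:203.0.113.5 -all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(records, name):
    """Offline stand-in for a DNS TXT query: returns the strings published at `name`."""
    return records.get(name.lower(), [])


def parse_tags(record):
    """Parse the 'k=v; k=v' tag list format shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def counts_as_lookup(term):
    """True for SPF terms that cost one of the ten allowed DNS lookups."""
    name = re.split(r"[:=/]", term.lower().lstrip("+-~?"), 1)[0]
    return name in LOOKUP_MECHANISMS


def check_spf(records, domain):
    spf = [r for r in lookup_txt(records, domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return [f"SPF: no v=spf1 record, any server can claim to send as {domain}"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers treat this as a permanent error)")
    terms = spf[0].split()
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: ends in +all, which authorizes every server on the internet")
    elif last not in ("-all", "~all"):
        findings.append("SPF: no -all or ~all terminator, unlisted senders are not rejected")
    lookups = sum(1 for t in terms if counts_as_lookup(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms, the limit is 10")
    return findings


def check_dmarc(records, domain):
    recs = [r for r in lookup_txt(records, "_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no record, receivers get no instruction for mail failing SPF/DKIM"]
    tags = parse_tags(recs[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy is '{policy or 'missing'}', spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you will never see aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct}, the policy only applies to part of the mail")
    return findings


def check_dkim(records, domain, selectors):
    """DKIM keys live under <selector>._domainkey.<domain>; selector names are provider-specific."""
    for selector in selectors:
        for record in lookup_txt(records, f"{selector}._domainkey.{domain}"):
            if parse_tags(record).get("p"):
                return []
    return ["DKIM: no public key found for any of the checked selectors"]


def audit_domain(domain, selectors=("selector1", "selector2"), records=SAMPLE_TXT_RECORDS):
    """Return the list of findings for a domain; an empty list means all three records look sound."""
    return check_spf(records, domain) + check_dmarc(records, domain) + check_dkim(records, domain, selectors)


if __name__ == "__main__":
    for name, recs in (("example.com", SAMPLE_TXT_RECORDS), ("weak.example", WEAK_TXT_RECORDS)):
        print(name, audit_domain(name, records=recs) or ["no findings"])
```

To run this against a real domain, replace `lookup_txt` with an actual TXT query and pass the selector names your mail provider publishes; the point of the checks is that a record which exists but ends in `+all`, or a DMARC record with `p=none`, passes a "do we have the record" audit while still letting anyone send as your domain.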

8. Email filtering scans attachments and links before delivery

Your email provider should scan incoming attachments for malware and check links against known phishing databases before the email hits your inbox. Microsoft 365 and Google Workspace both offer this, but the settings need to be properly configured. Default settings are often not aggressive enough for business use.

9. External email warnings are enabled

Configure your email system to add a visible banner to any email that comes from outside your organization. This simple visual cue helps employees recognize when an email claiming to be from a coworker actually came from an external address. Most email platforms support this with a simple configuration change.
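Most platforms implement the banner as a transport rule, but the logic behind it is worth seeing, because the case the banner exists for is an external address wearing an employee's display name. The block below is an added Python example, not code from this page or from any mail platform: it classifies a message as internal or external from the actual address in the `From` header (not the display name), treats an external `Reply-To` as external because replies would leave the organization, flags a display name that matches a known employee on an external address, and prepends the banner. The domain list, the employee names and the three sample messages are constructed for the demo; the `X-External-Sender` header name is an assumption, not a standard.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample configuration: the organization's own domains and a tiny staff directory.
INTERNAL_DOMAINS = {"example.com"}
EMPLOYEE_NAMES = {"dana reyes", "sam okafor"}

BANNER = ("CAUTION: This email came from outside the organization. "
          "Do not click links or open attachments unless you recognize the sender.")

# Constructed sample messages (headers, blank line, body) used to exercise the logic.
SAMPLE_MESSAGES = {
    "internal": (
        "From: Dana Reyes <dana.reyes@example.com>\nTo: sam.okafor@example.com\n"
        "Subject: Q1 invoices\n\nAttached.\n"),
    "spoofed_name": (
        "From: Dana Reyes <dana.reyes.ceo@mail.example.net>\nTo: sam.okafor@example.com\n"
        "Subject: Urgent wire\n\nPlease process today.\n"),
    "reply_to_external": (
        "From: Dana Reyes <dana.reyes@example.com>\nReply-To: accounts@payments.example.org\n"
        "To: sam.okafor@example.com\nSubject: Updated bank details\n\nSee below.\n"),
}


def address_domain(header_value):
    """Domain of the real address in a From/Reply-To header, ignoring the display name."""
    _name, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(msg):
    """Decide whether a parsed message is external and whether the display name imitates staff."""
    from_header = msg.get("From", "")
    display_name, _addr = parseaddr(from_header)
    from_domain = address_domain(from_header)
    reply_domain = address_domain(msg.get("Reply-To", ""))
    from_external = from_domain not in INTERNAL_DOMAINS
    # Design choice for this example: a Reply-To outside the organization makes the message
    # external even when From looks internal, since any reply would go to the outside address.
    external = from_external or (reply_domain != "" and reply_domain not in INTERNAL_DOMAINS)
    display_name_spoof = from_external and display_name.strip().lower() in EMPLOYEE_NAMES
    return {"external": external, "display_name_spoof": display_name_spoof}


def add_banner(raw_message):
    """Return (possibly modified message text, verdict). Only single-part text bodies get the banner."""
    msg = message_from_string(raw_message)
    verdict = classify(msg)
    if not verdict["external"]:
        return raw_message, verdict
    msg["X-External-Sender"] = "yes"  # assumed header name, used here for downstream filtering
    note = BANNER
    if verdict["display_name_spoof"]:
        note += " The sender's name matches an employee, but the address is external."
    if not msg.is_multipart():
        msg.set_payload(note + "\n\n" + msg.get_payload())
    return msg.as_string(), verdict


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        _text, verdict = add_banner(raw)
        print(f"{label:>18}: {verdict}")
```

The banner is only a cue for people; the address comparison is what makes it trustworthy, which is why the check reads the address inside the angle brackets rather than the name in front of them.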

Passwords and Authentication

10. Multi-factor authentication is enabled on every account that supports it

Multi-factor authentication is the single highest-impact security improvement any small business can make, and it is free on most platforms. MFA means logging in requires something you know, your password, plus something you have, typically your phone. If an attacker steals or guesses your password through phishing or a data breach, they still cannot get into the account without passing the second factor challenge. Microsoft has reported that MFA blocks over ninety-nine percent of automated account compromise attempts. Start with email accounts because email is the gateway to password resets on virtually every other service you use. Then enable MFA on cloud storage, banking, accounting software, and any application that stores sensitive client or business data. Setup takes about five minutes per account. No other single security control comes anywhere close to this level of protection for the amount of effort it requires.

11. Passwords are unique per account and stored in a password manager

If your employees use the same password across multiple services, one breach exposes all of them. A password manager generates and stores unique passwords for every account. The employee only needs to remember one master password. Sticky notes on monitors and spreadsheets of passwords are not acceptable alternatives.

12. Default passwords have been changed on all devices and services

Routers, printers, security cameras, and other devices often ship with default admin passwords like “admin” or “password.” Attackers know every default password for every device manufacturer. If you haven’t changed them, those devices are effectively unlocked. Walk through your office and check every device that connects to your network.

Backups

13. Critical data is backed up daily to an offsite or cloud location

Your backup should run every day, and the backup destination should be somewhere your office machines can’t directly access. If ransomware can reach your backup from a workstation, the backup will get encrypted along with everything else. Cloud backup or an offsite location with restricted access is the standard.

14. Backups are verified with an actual restore test at least quarterly

A backup that runs but has never been tested is a guess. Someone needs to take data from the backup, restore it, and confirm it opens and works. This should happen monthly or quarterly and the results should be documented. If your IT provider can’t show you a restore test report, ask why not.

15. Backup retention covers at least 30 days

If your backup only keeps the most recent copy, and your data was corrupted a week ago without anyone noticing, your backup is also corrupted. Retention means keeping multiple versions going back at least 30 days so you can recover from problems that aren’t discovered immediately.
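Items 14 and 15 are two halves of one question: can a retained copy actually be restored clean? The following added Python example (not code from this page or from any backup product) simulates that. It records a hash manifest of the data while it is known to be good, generates forty daily snapshots in which a file was silently corrupted a week before "today", prunes them to a retention window, and then looks for the newest retained snapshot that restores byte-for-byte against the manifest. With retention of one copy nothing recoverable remains; with thirty days, the last clean copy from the day before the corruption is still there. The file name, the dates and the corruption scenario are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Snapshot:
    taken: date
    files: dict  # path -> file contents (bytes); constructed sample data


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_manifest(files):
    """Record one hash per file at a moment the data is known to be good."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_restore(restored_files, manifest):
    """Compare a restored file set against the manifest; returns paths that are missing or altered."""
    bad = []
    for path, digest in manifest.items():
        data = restored_files.get(path)
        if data is None or sha256_hex(data) != digest:
            bad.append(path)
    return bad


def prune(snapshots, retention_days, today):
    """Keep only snapshots inside the retention window (retention_days=1 keeps just today's copy)."""
    return [s for s in snapshots if 0 <= (today - s.taken).days < retention_days]


def last_good_snapshot(snapshots, manifest):
    """Newest retained snapshot that restores cleanly, or None if no retained copy is usable."""
    for snap in sorted(snapshots, key=lambda s: s.taken, reverse=True):
        if not verify_restore(snap.files, manifest):
            return snap
    return None


def simulate(retention_days, today=date(2024, 3, 31), corrupted_days_ago=7, history_days=40):
    """Constructed scenario: daily snapshots, file corrupted corrupted_days_ago and nobody noticed."""
    good = {"ledger.xlsx": b"Q1 ledger rows (constructed sample content)"}
    manifest = make_manifest(good)  # taken while the data was still good
    corrupted_from = today - timedelta(days=corrupted_days_ago)
    snapshots = []
    for offset in range(history_days):
        day = today - timedelta(days=history_days - 1 - offset)
        contents = good if day < corrupted_from else {"ledger.xlsx": b"\x00\x00 corrupted"}
        snapshots.append(Snapshot(day, dict(contents)))
    retained = prune(snapshots, retention_days, today)
    good_snap = last_good_snapshot(retained, manifest)
    return {
        "retained_copies": len(retained),
        "recoverable": good_snap is not None,
        "last_good_date": good_snap.taken.isoformat() if good_snap else None,
    }


if __name__ == "__main__":
    for days in (1, 30):
        result = simulate(days)
        print(f"retention {days:>2} days: {result['retained_copies']} copies kept, "
              f"recoverable={result['recoverable']}, last good={result['last_good_date']}")
```

A real quarterly restore test is the same comparison done against real data: restore a sample into a scratch location, hash it, and keep the `verify_restore` output as the documented result the checklist asks for.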

Network Security

16. Your router firmware is current

Your office router is a computer. It runs software. That software has vulnerabilities that get patched by the manufacturer. If you’ve never updated your router’s firmware, it’s running with known security holes. Log into your router’s admin page and check for firmware updates, or ask your IT provider to do it.

17. Wi-Fi uses WPA3 or WPA2 with a strong password

If your Wi-Fi network uses WEP encryption or an older WPA version, it can be cracked in minutes with freely available tools. WPA3 is the current standard. WPA2 with AES is acceptable if your devices don’t support WPA3. The Wi-Fi password should be long and not something guessable like your business name.

18. Guest Wi-Fi is on a separate network from business devices

If customers, vendors, or visitors connect to the same Wi-Fi network as your business computers, they have network-level access to your devices. A separate guest network isolates visitor traffic from your business network. Most modern routers support this feature. It takes fifteen minutes to set up and it closes a real gap.

19. No RDP or other remote access ports are exposed to the internet

Remote Desktop Protocol on port 3389 is the second most common entry point for ransomware, right behind phishing. If any of your machines have RDP accessible from the internet, attackers will find it. Use a VPN or a secure remote access tool instead. If you’re not sure whether RDP is exposed, ask your IT provider to scan your public IP.

Physical Security

20. Server and network equipment is in a locked area

If your server, router, and switches are sitting under a desk in an open area, anyone who walks into your office can physically access them. Physical access to a machine bypasses almost every software security control. A locked closet or room with restricted access is sufficient for most small offices.

21. Decommissioned devices are properly wiped before disposal

Old computers, hard drives, USB drives, and even printers with internal storage contain your business data. Deleting files doesn’t actually remove the data. A proper wipe uses software that overwrites the drive, or the drive is physically destroyed. Dropping an old computer in the dumpster is a data breach waiting to happen. We have seen businesses get burned by this.

Policies and Awareness

22. Employees know how to report a suspicious email

It doesn’t matter how good your email filtering is. Some phishing emails will get through. When an employee spots one, they need to know what to do: don’t click anything, don’t reply, report it to whoever handles your IT. If there’s no clear reporting process, employees either ignore suspicious emails or click them out of uncertainty.

23. There is a documented plan for what to do during a security incident

If ransomware hits your office at 2 PM on a Tuesday, who do you call? What’s the phone number? What do you tell employees to do with their computers? Having a one-page incident response plan posted where people can see it turns a panic situation into a set of steps to follow. The plan doesn’t need to be complicated. It needs to exist.

How Many Did You Check Off?

If you checked 20 or more, you’re in good shape. Focus on closing the remaining gaps. If you checked 15 to 19, you have a reasonable foundation but meaningful gaps that need attention. If you checked fewer than 15, your business has significant exposure. Start with the items that are easiest to implement: MFA, automatic updates, and screen lock. Then work through the rest systematically.

The two most commonly missed items on a small business cybersecurity checklist, based on hundreds of IT audits, are backup verification and third-party application patching. Almost every small business has some form of backup software running on a schedule. Very few have ever tested a restore to confirm the backup actually produces usable, complete data when needed. Businesses that discover their backup does not work only find out during an actual emergency when they have no other recovery options available. Third-party application patching is the second largest gap. Small businesses rely on Windows automatic updates for operating system patches but let their web browser, PDF reader, office suite, and line-of-business applications fall months behind on critical security patches. Attackers actively target these applications precisely because they know the patches are not being applied at most small businesses. A vulnerability in Adobe Reader is just as exploitable as a vulnerability in Windows.

Every item on this checklist is something a managed IT service should handle for you. At Mr. Fix IT Geeks, our Foundation tier at $499 per month covers items 1 through 3, 5, 7 through 9, and 22 for up to five devices. Our Professional tier at $899 adds EDR, verified backups, vulnerability scanning, and vendor coordination. Our Complete tier at $1,399 covers every item on this list including password management and priority support. The checklist is free. Getting someone to actually implement and maintain it is what managed IT is for.

Frequently Asked Questions

How much does it cost to implement this entire checklist?

If you do it yourself, most items on this list are free or low-cost. MFA is free on most platforms. Operating system updates are free. Configuring email security records is free if you know how. The costs come from tools like EDR and cloud backup, which run $5 to $15 per device per month each, and from the labor of someone implementing and maintaining everything. For most small businesses, a managed IT service that covers the entire checklist runs $499 to $1,399 per month depending on the number of devices and features.

Which items on this list should I prioritize first?

Multi-factor authentication on all accounts (item 10) is the single highest-impact change. After that: automatic operating system updates (item 2), changing default passwords on all devices (item 12), and verifying your backups work (item 14). These four items alone close the doors attackers walk through most often.

My business only has three computers. Do I really need all of this?

The number of computers doesn’t determine your risk level. A three-computer accounting firm handling client financial data has more to lose from a breach than a twenty-computer company that doesn’t store sensitive information. Attackers don’t check your employee count. Automated attacks hit every business the same way. The checklist scales down perfectly to three devices.

How often should I review this checklist?

At least once per year. Technology changes, new threats appear, and configurations drift over time. Something that was correctly set up twelve months ago might have been changed, disabled, or become outdated. An annual review catches drift. If you work with a managed IT provider, this review should be part of your quarterly business review or annual assessment.

What’s the biggest item most small businesses miss?

Based on our audits, the most commonly missed item is backup verification. Almost every business has a backup running. Very few have ever tested a restore. The second most missed item is third-party application patching. Businesses update Windows but let their web browser, PDF reader, and other applications fall months behind on security patches. These two gaps alone account for a large share of the incidents we’ve seen.
