The Small Business
Cybersecurity Checklist
A step-by-step guide to protecting your business from cyber threats
Why Cybersecurity Matters for Your Business
Cybercriminals don't just target large corporations — small businesses are often the easiest targets because they tend to have fewer protections in place. The good news? Most breaches are preventable with basic security practices.
This interactive checklist covers the 30 most important security measures across 6 key areas. Check off each item as you implement it, and watch your security score improve in real time. Your progress saves automatically so you can come back anytime.
Security Checklist
Risk: Weak passwords are the #1 way hackers break in.
Over 80% of data breaches involve compromised credentials. Using a unique, complex password for each account means that if one service is breached, your other accounts remain safe. Aim for 12+ characters mixing letters, numbers, and symbols.
Audit all business accounts and update passwords to be at least 12 characters. Use a passphrase approach: combine 4+ random words (e.g., "correct-horse-battery-staple"). A password manager makes this easy to manage.
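As an added illustration of the passphrase approach above (this is example code, not part of the original checklist), the script below draws words with Python's CSPRNG, checks the two rules from the item (12+ characters, 4+ words), and shows why the size of the wordlist matters: four words from a constructed 28-word sample list carry far less entropy than four words from a full 7776-word list. The sample wordlist and the 7776 figure for a diceware-style list are assumptions for the demo, not values from the page.

```python
import math
import secrets

# Constructed sample wordlist for the demo. A real generator should load a
# large published list (e.g. a 7776-word diceware-style list) from a file.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "basket", "canyon",
    "dolphin", "ember", "falcon", "garnet", "harbor", "island", "jigsaw",
    "kettle", "lantern", "meadow", "nugget", "orbit", "pepper", "quartz",
    "ripple", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]
DICEWARE_LIST_SIZE = 7776  # 6^5 entries, one per five dice rolls (assumed size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly (with replacement)
    from a list of `wordlist_size` words: each word adds log2(size) bits."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int = 4, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Draw words with the `secrets` CSPRNG; never use the `random` module
    for anything security-sensitive."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def meets_policy(passphrase: str, min_length: int = 12, min_words: int = 4, sep: str = "-") -> bool:
    """Check the two rules from the checklist item: 12+ characters, 4+ words."""
    words = [w for w in passphrase.split(sep) if w]
    return len(passphrase) >= min_length and len(words) >= min_words


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "meets policy:", meets_policy(phrase))
    print(f"4 words from {len(SAMPLE_WORDLIST)} words: "
          f"{passphrase_entropy_bits(4, len(SAMPLE_WORDLIST)):.1f} bits")
    print(f"4 words from {DICEWARE_LIST_SIZE} words: "
          f"{passphrase_entropy_bits(4, DICEWARE_LIST_SIZE):.1f} bits")
    print("words needed for 50 bits from the small list:",
          words_needed(50, len(SAMPLE_WORDLIST)))
```

The entropy figures are what make the "4+ random words" rule work: the words must be chosen at random from a large list, not picked by hand, and a small list needs many more words to reach the same strength.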
Risk: Without a password manager, people reuse passwords — one breach compromises everything.
Humans can't memorize dozens of unique, complex passwords. A password manager stores and auto-fills them securely, making strong passwords effortless for your whole team.
Choose a reputable password manager like 1Password, Bitwarden, or Dashlane. Set up a business account, invite team members, and migrate existing passwords. Most offer free trials and business plans under $5/user/month.
Risk: Without 2FA, a stolen password gives full access to your accounts.
2FA adds a second layer of verification (like a code sent to your phone) beyond just a password. It blocks 99.9% of automated attacks even if your password is compromised.
Enable 2FA on email, banking, cloud storage, and social media accounts first. Use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS when possible. Keep backup codes in a secure location.
Risk: Default passwords are publicly known — attackers try them first.
Manufacturers use the same default credentials across thousands of devices. Attackers use automated tools that try these defaults constantly. Changing them is one of the simplest yet most impactful security steps.
Log into your router admin panel (usually 192.168.1.1), printers, security cameras, and any IoT devices. Change default usernames and passwords. Document the new credentials in your password manager.
Risk: Shared passwords via text or paper can be intercepted or found by anyone.
Sharing passwords insecurely (text, email, sticky notes) creates multiple exposure points. Password managers let you share access without revealing the actual password, and you can revoke access instantly.
Use your password manager's sharing feature to grant access to shared accounts. Create shared vaults for team credentials. Establish a policy that passwords must never be sent via email, text, or written on paper.
Risk: Ransomware or hardware failure could destroy all your business data permanently.
Ransomware attacks encrypt your files and demand payment. Without backups, you may lose everything or be forced to pay. Automatic backups ensure you always have a recent copy of your data.
Set up automatic backups using a cloud service (OneDrive, Google Drive, Backblaze) or a local external drive with scheduling software. Ensure critical folders are included in the backup scope.
Risk: Infrequent backups mean you could lose weeks of work.
The gap between your last backup and a data loss event determines how much work you lose. Weekly backups limit this gap, and daily backups are even better for critical data.
Configure your backup solution to run automatically on a weekly schedule (or daily for critical files). Verify the schedule is active by checking backup logs regularly.
Risk: Backups that can't be restored are worthless when disaster strikes.
Many businesses discover their backups are corrupted or incomplete only when they need them most. Regular restoration testing gives you confidence that your backups actually work.
Once a quarter, pick a few files from your backup and restore them to a test location. Verify they open correctly. Document the process so anyone on your team can perform a restore.
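To make the quarterly restore drill repeatable, the added example below (not part of the original checklist) records a SHA-256 manifest of the files being backed up and later compares a restored copy against it, reporting files that are missing or whose contents changed. The directory layout and file contents are constructed inside a temporary folder for the demo; in practice you would store the manifest next to the backup and point the verifier at the folder you restored to.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    findings = {"missing": [], "changed": [], "ok": []}
    for rel, expected in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            findings["missing"].append(rel)
        elif hashlib.sha256(candidate.read_bytes()).hexdigest() != expected:
            findings["changed"].append(rel)
        else:
            findings["ok"].append(rel)
    return findings


def restore_drill() -> dict:
    """Constructed end-to-end drill: build a small source tree, record its
    manifest, then simulate a restore where one file is truncated and one is
    missing, so the verifier has something to catch."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "accounts").mkdir(parents=True)
        (source / "invoices.csv").write_text("id,amount\n1,100\n")
        (source / "accounts" / "clients.txt").write_text("Acme Ltd\n")
        (source / "accounts" / "notes.txt").write_text("renew contract in March\n")
        manifest = build_manifest(source)

        restored = Path(tmp) / "restored"
        (restored / "accounts").mkdir(parents=True)
        (restored / "invoices.csv").write_text("id,amount\n1,100\n")
        (restored / "accounts" / "clients.txt").write_text("Acme Ltd (trunc")  # corrupted copy
        # accounts/notes.txt is deliberately never restored
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in restore_drill().items():
        print(f"{status}: {files}")
```

A drill that only opens a few files catches gross failures; hashing catches silent corruption too, and the manifest doubles as documentation of what the backup was supposed to contain.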
Risk: A single storage location is a single point of failure.
The 3-2-1 backup rule recommends 3 copies of data on 2 different media with 1 offsite. At minimum, having data in 2 locations (e.g., local + cloud) protects against fire, theft, or hardware failure.
Combine local backups (external hard drive) with cloud backups (OneDrive, Google Drive, Backblaze). Ensure at least one copy is offsite or in the cloud so a physical disaster doesn't destroy everything.
Risk: Without a plan, panic and confusion make a bad situation worse.
A written plan ensures everyone knows what to do when something goes wrong. Even a one-page document covering key contacts, steps, and backup locations dramatically improves your response time.
Create a simple document covering: who to contact, where backups are stored, how to restore systems, and critical vendor contacts. Store copies both digitally and as a physical printout. Review and update it quarterly.
Risk: Spam is the primary delivery mechanism for malware and phishing.
Over 90% of cyberattacks start with a phishing email. Spam filters catch the majority of malicious messages before they reach your team's inboxes, dramatically reducing risk exposure.
Check your email provider's security settings. Most services (Microsoft 365, Google Workspace) have built-in spam filtering. Ensure it's set to at least "standard" protection. Consider upgrading to advanced threat protection.
Risk: One click on a phishing link can compromise your entire network.
Phishing emails are increasingly sophisticated, mimicking trusted brands and colleagues. Training your team to spot red flags (urgency, misspelled URLs, unexpected attachments) is your best human defense.
Hold a brief (30-minute) phishing awareness training. Teach the team to check sender addresses, hover over links before clicking, and be suspicious of urgent requests. Share examples of real phishing attempts.
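The three red flags named above (urgent wording, mismatched sender details, links whose visible text differs from where they point) can also be checked mechanically. The added example below is not part of the original checklist: it parses a constructed phishing-style message using only the Python standard library and lists the flags a trained reader would spot. The sample message, its example domains and the list of urgency words are all constructed for the demo.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (example/.test domains only) for the demo.
SAMPLE_EMAIL = """\
From: "Acme Billing" <billing@acme-corp.test>
Reply-To: accounts@acme-corp-secure.test
To: owner@smallbiz-example.test
Subject: URGENT: invoice overdue
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended today.</p>
<p>Pay now at <a href="http://198.51.100.7/pay">https://portal.acme-corp.test/invoice</a></p>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "final notice")  # assumed list


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname from a URL or bare domain, lower-cased."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def domain_of_address(header_value) -> str:
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def red_flags(raw_message: str) -> list:
    msg = email.message_from_string(raw_message)
    flags = []

    # Sender check: a Reply-To on a different domain than From is a classic tell.
    from_domain = domain_of_address(msg.get("From"))
    reply_domain = domain_of_address(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Urgency check on the subject line.
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append(f"subject uses pressure language: {msg.get('Subject')!r}")

    # Link check: visible text that looks like a URL but points elsewhere.
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != host_of(href):
            flags.append(f"link text shows {shown} but points to {host_of(href)}")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_EMAIL):
        print("-", flag)
```

This is a teaching aid for the training session, not a spam filter: it shows the team exactly what "hover over the link" and "check the sender" reveal, on a message they can see in full.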
Risk: Without a process, employees may ignore threats or handle them incorrectly.
A clear reporting process ensures suspicious emails are flagged quickly, allowing you to warn the entire team and prevent others from falling for the same attack.
Designate one person or email address (e.g., security@yourdomain.com) where employees can forward suspicious messages. Create a simple rule: "When in doubt, forward and don't click."
Risk: Free email domains lack business-grade security and look unprofessional.
A professional domain gives you control over email security settings, allows you to enforce policies across all users, and gives customers confidence they're communicating with a legitimate business.
Register your business domain and set up email through Microsoft 365 or Google Workspace. Both offer business plans starting around $6/user/month with advanced security features included.
Risk: Without these, attackers can send emails that appear to come from your domain.
SPF, DKIM, and DMARC are email authentication protocols that prevent attackers from spoofing your domain. Without them, criminals can send convincing fake emails that appear to come from your business.
These are DNS records configured through your domain registrar. Your email provider's documentation will have specific values to add. If this seems technical, ask your IT person or contact Simplissit for help.
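Once the records are published, it is worth checking that they actually enforce something. The added example below (not part of the original checklist) applies the common sanity checks to SPF and DMARC TXT records: SPF must end with `-all` or `~all` rather than `+all`, must stay under the 10-DNS-lookup limit from RFC 7208, and should not use the deprecated `ptr` mechanism; DMARC should use `p=quarantine` or `p=reject` rather than `p=none`, include an `rua=` reporting address, and apply to 100% of mail. The two record sets are constructed for the demo; real records can be fetched with `dig TXT yourdomain.example` and `dig TXT _dmarc.yourdomain.example`.

```python
# Constructed sample records (example/.test domains only) for the demo.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.mailprovider.test +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "strong": {
        "spf": "v=spf1 include:_spf.mailprovider.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.test; pct=100",
    },
}

# Terms that each cost a DNS lookup; RFC 7208 caps an evaluation at 10,
# beyond which receivers return permerror and your SPF stops working.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no terminal 'all' mechanism: unlisted senders are not rejected")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier in "+?":
            issues.append(f"'{last}' lets any server send as your domain; use -all (or ~all)")
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append("'ptr' is deprecated and unreliable; remove it")
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10; SPF will fail with permerror")
    return issues


def parse_dmarc_tags(record: str) -> dict:
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag: receivers will ignore the record")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: you will never see aggregate reports")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of your mail")
    return issues


def check_domain_records(spf: str, dmarc: str) -> dict:
    """Run both checks; an empty list under each key means the record passes."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    for label, records in SAMPLE_RECORDS.items():
        print(label, check_domain_records(records["spf"], records["dmarc"]))
```

A common rollout path is to publish DMARC with `p=none` first, read the aggregate reports for a few weeks to find legitimate senders that are not yet covered by SPF or DKIM, and then move to `p=quarantine` and finally `p=reject`; the checker flags `p=none` so the monitoring stage is not forgotten about.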
Risk: Weak encryption lets attackers intercept all network traffic.
WEP encryption can be cracked in minutes. WPA2 and WPA3 provide strong encryption that makes it extremely difficult for attackers to eavesdrop on your network traffic or gain unauthorized access.
Log into your router admin panel and check the wireless security settings. Select WPA3 if available, otherwise WPA2-AES. If your router only supports WEP, it's time for a replacement.
Risk: Guests on your main network can access shared files and devices.
A guest network isolates visitor devices from your business systems. Even if a guest's device is infected, it can't spread to your network or access your files and printers.
Most modern routers support guest networks. Enable it through your router settings, give it a different name and password, and ensure "guest isolation" is turned on to prevent guests from seeing each other.
Risk: Outdated firmware contains known vulnerabilities that attackers exploit.
Router manufacturers regularly release firmware updates that patch security vulnerabilities. An unpatched router is an open door for attackers to enter your network.
Log into your router's admin panel, find the firmware update section, and check for available updates. Enable automatic updates if supported. Set a calendar reminder to check quarterly.
Risk: Default router passwords are publicly listed online.
Websites like routerpasswords.com list default credentials for every router model. If you haven't changed yours, anyone can take control of your router and redirect traffic or spy on your network.
Access your router admin panel (typically at 192.168.1.1 or 192.168.0.1), navigate to the administration section, and change both the admin username and password. Store the new credentials in your password manager.
Risk: Public Wi-Fi is easily intercepted — your data travels in the open.
Public Wi-Fi networks at coffee shops, hotels, and airports are notoriously insecure. A VPN encrypts your connection, making it unreadable to anyone else on the same network.
Subscribe to a reputable VPN service (NordVPN, ExpressVPN, or a business-grade option). Install it on all devices. Create a policy: VPN must be on before connecting to any non-office Wi-Fi.
Risk: Unpatched systems are the easiest targets for automated attacks.
Software updates patch known security vulnerabilities. Attackers actively scan for unpatched systems using automated tools. Enabling auto-updates ensures you're protected as soon as patches are released.
On Windows: Settings → Update & Security → Turn on automatic updates. On Mac: System Preferences → Software Update → Enable automatic updates. Do the same for phones, tablets, and any other devices.
Risk: Without antivirus, malware can operate undetected on your systems.
Antivirus software detects and blocks malicious programs before they can damage your systems or steal data. Modern solutions also protect against ransomware, spyware, and zero-day threats.
Windows Defender (built into Windows) provides solid baseline protection. For additional coverage, consider solutions like Malwarebytes, Bitdefender, or a managed security service. Ensure real-time protection is enabled.
Risk: Unused software often goes unpatched, creating hidden entry points.
Every installed program is a potential attack surface. Software you don't use tends to go un-updated, accumulating vulnerabilities. Removing it reduces your attack surface with zero impact on productivity.
Review installed programs on each computer (Settings → Apps on Windows). Remove anything unused, outdated, or unrecognized. Pay special attention to old browser plugins and Java/Flash installations.
Risk: An unlocked device is an open door to all your business data.
If someone walks away from their computer, an auto-lock prevents unauthorized access. A 5-minute timeout balances security with convenience. Use PIN, password, fingerprint, or facial recognition.
On Windows: Settings → Accounts → Sign-in options. On phones: Settings → Security → Screen lock. Set the timeout to 5 minutes or less. Enable Windows Hello or Touch ID/Face ID for quick unlocking.
Risk: A lost laptop with business data is a breach waiting to happen.
Remote wipe lets you erase all data from a lost or stolen device before someone can access it. Combined with device encryption, this ensures your business data stays protected even if the hardware is gone.
Enable Find My Device on Windows (Settings → Update & Security → Find My Device). On phones, use Find My iPhone or Google Find My Device. For business devices, consider a Mobile Device Management (MDM) solution.
Risk: Human error is the #1 cause of security breaches.
Even the best technical defenses fail if employees click phishing links, use weak passwords, or share credentials. Security awareness training is the highest ROI security investment you can make.
Hold a brief annual (or quarterly) training covering phishing, passwords, and safe browsing. Use free resources from CISA (cisa.gov). Make it engaging — use real examples and quizzes, not just a lecture.
Risk: Delayed incident response gives attackers more time to cause damage.
When something suspicious happens, every minute counts. If employees don't know who to tell or what to do, the incident response is delayed, giving attackers more time to steal data or cause damage.
Create a simple incident response card: "If you see something suspicious, immediately (1) disconnect from the network, (2) don't click anything else, (3) call [designated person]." Post it visibly and include it in onboarding.
Risk: Over-permissioned accounts amplify damage from any compromise.
The "principle of least privilege" means giving people only the access they need for their job. If an account is compromised, the damage is limited to what that account can access.
Audit who has access to what. Remove admin rights from users who don't need them. Use separate admin accounts for IT tasks. Review access quarterly and when roles change.
Risk: Former employees with active accounts are a major security vulnerability.
Former employees who still have access — whether intentionally malicious or not — represent a significant risk. Accounts should be deactivated on or before their last day, and shared passwords should be changed.
Create an offboarding checklist: disable email, revoke cloud access, change shared passwords, collect devices, remove from password manager vaults. Do this the same day as departure.
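The quarterly access review and the same-day offboarding check above both come down to comparing a user export against two short lists: who is approved to hold admin rights, and who has left or is about to leave. The added example below (not part of the original checklist) runs that comparison over a constructed sample export, flagging enabled admin accounts that are not on the approved list, enabled accounts whose last day has passed, and departures in the next two weeks so the offboarding checklist can be scheduled. The account records, the approved-admin list and the 14-day window are assumptions for the demo; in practice the records come from your identity provider or directory admin console.

```python
from datetime import date, timedelta

# Constructed sample user export for the demo.
ACCOUNTS = [
    {"user": "dana", "role": "admin", "enabled": True,  "status": "active", "last_day": None},
    {"user": "sam",  "role": "admin", "enabled": True,  "status": "active", "last_day": None},
    {"user": "lee",  "role": "user",  "enabled": True,  "status": "active", "last_day": None},
    {"user": "pat",  "role": "user",  "enabled": True,  "status": "left",   "last_day": date(2024, 3, 29)},
    {"user": "alex", "role": "admin", "enabled": False, "status": "left",   "last_day": date(2024, 1, 12)},
    {"user": "jo",   "role": "user",  "enabled": True,  "status": "left",   "last_day": date(2024, 4, 15)},
]
# The short list of people whose job actually requires admin rights (assumed).
APPROVED_ADMINS = {"dana"}


def find_overprivileged(accounts, approved_admins) -> list:
    """Enabled admin accounts not on the approved list: candidates for demotion
    to a normal user account (with a separate admin account if really needed)."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["role"] == "admin" and a["user"] not in approved_admins)


def find_stale_departures(accounts, today: date) -> list:
    """Enabled accounts belonging to people whose last day has already passed."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["status"] == "left"
                  and a["last_day"] is not None and a["last_day"] <= today)


def find_upcoming_departures(accounts, today: date, within_days: int = 14) -> list:
    """Enabled accounts with a last day inside the next `within_days`: schedule
    the offboarding checklist now so nothing is left active on departure day."""
    horizon = today + timedelta(days=within_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["status"] == "left"
                  and a["last_day"] is not None and today < a["last_day"] <= horizon)


def audit_report(accounts, approved_admins, today: date) -> dict:
    """One dictionary of findings suitable for the quarterly review record."""
    return {
        "overprivileged": find_overprivileged(accounts, approved_admins),
        "stale_departures": find_stale_departures(accounts, today),
        "upcoming_departures": find_upcoming_departures(accounts, today),
    }


if __name__ == "__main__":
    for finding, users in audit_report(ACCOUNTS, APPROVED_ADMINS, date(2024, 4, 1)).items():
        print(f"{finding}: {users}")
```

Note that the disabled admin account (`alex`) is not reported: the point of the review is to find access that still works, and a disabled account is the desired end state for a departure.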
Risk: Physical access to devices bypasses most digital protections.
Someone who can physically access your devices can install malware, copy data, or photograph screens. Physical security is an often-overlooked layer that supports all your digital protections.
Lock server rooms and network equipment areas. Use privacy screens on monitors visible to visitors. Implement a clean desk policy. Don't leave laptops unattended in common areas. Use cable locks for desktop equipment.
Need Help Checking Off These Items?
Simplissit's Technology Health Check can assess your security posture and create a personalized action plan to get you protected — fast.
Get Your Free Consultation
No commitment required. We'll review your results and suggest next steps.