Small Business Cybersecurity Checklist
A practical 30-point cybersecurity checklist for small businesses with 10–75 users. Covers MFA, backups, email security, endpoint protection, and staff training.
Use this checklist to assess your current cybersecurity posture. Items marked with ★ are highest priority if you're starting from scratch.
Identity & Access
- ★ Multi-factor authentication (MFA) enforced for all users
- MFA required for admin accounts (authenticator app preferred over SMS)
- Legacy authentication protocols disabled (Basic Auth, SMTP Auth unless required)
- Password policy requires minimum 12-character passwords
- Unique passwords for every account (enforced via password manager)
- Admin accounts are separate from daily-use accounts
- Offboarding process removes all access on the same day an employee leaves
Email Security
- ★ SPF, DKIM, and DMARC configured for your domain
- Anti-phishing policy enabled in Microsoft 365 or Google Workspace
- Safe Links and Safe Attachments enabled (Microsoft 365 Business Premium)
- No email forwarding rules to external addresses
- Staff trained to recognize phishing — tested with simulations in the past 12 months
Endpoint Protection
- ★ Endpoint Detection & Response (EDR) software on every device
- All operating systems current and fully patched
- All third-party software (browsers, Adobe, etc.) current
- Unsupported operating systems (Windows 10 after Oct 2025) removed or isolated
- Full-disk encryption enabled on all laptops
- USB/removable media restricted or disabled where not needed
Backups & Recovery
- ★ Automated backups run daily at minimum
- Backups stored offsite or in immutable cloud storage (not only local)
- Backup restoration tested within the past 12 months
- Recovery time objective (RTO) documented — how long can you actually be down?
- Backup access credentials stored securely offline
Network
- Firewall in place and managed
- Guest Wi-Fi network separate from business network
- Remote access uses VPN or Zero Trust — not open RDP
- Default passwords changed on all network devices (routers, switches, cameras)
Compliance & Documentation
- System and network inventory documented
- Vendor and software credentials documented and secured (not in a spreadsheet on your desktop)
- Incident response plan documented — who to call, in what order
- HIPAA Security Risk Assessment completed if you're a covered entity
- Cyber insurance policy in place and reviewed annually
How to Use This Checklist
Run through this with your IT provider or use it to identify your gaps. Every unchecked box is a risk. The items marked ★ are the non-negotiable baseline — if those aren't in place, start there before anything else.
Not sure where you stand? Book a free IT Assessment with Ask Erik Computer Services. We'll review your environment against this checklist and tell you honestly what needs attention — no sales pressure.
Call: 541-359-3111
Not sure how your environment measures up?
We review small business IT environments throughout Lane County — no cost, no pressure.