Serving Orange County, CA - Based in Irvine  ·  (949) 274-8774

The Small Business Cybersecurity Checklist (That Actually Matters)

Every cybersecurity vendor wants to sell you their 47-page compliance framework. Meanwhile, most small businesses get breached because of the basics: weak passwords, unpatched systems, and employees who click things they shouldn't.

Here are the 10 things that actually matter - ranked by how much damage they prevent.

1. Multi-Factor Authentication (MFA) - Everywhere

Impact: Critical. Microsoft's own telemetry puts it at more than 99% of automated account-compromise attempts blocked once MFA is on. If your team can log into email, VPN, or cloud apps with just a password, you're one phishing email away from a breach. One caveat: SMS codes and plain "approve" push prompts can still be phished by adversary-in-the-middle kits or worn down by repeated prompts, so use an authenticator app with number matching, and hardware keys (FIDO2) for admin accounts.

Enable MFA on: Microsoft 365, Google Workspace, banking, VPN, remote desktop, and any admin panel. Then check that no legacy protocol (IMAP, POP, SMTP AUTH, "basic authentication") is still accepting a bare password around it - attackers go straight for the door that doesn't ask for a second factor.

2. Patch Management on Autopilot

Impact: Critical. Most ransomware intrusions start with a known vulnerability for which a patch already exists. The problem? Nobody applied it.

Set up automated patching for operating systems AND third-party software (Chrome, Acrobat, Java, Zoom). Nightly deployment windows mean patches apply without disrupting the workday; stage them to a small pilot group first so a bad update doesn't take down everyone at once, and treat anything on CISA's Known Exploited Vulnerabilities list as a same-week job, not a next-cycle one.

3. Email Security Beyond Spam Filtering

Impact: High. Basic spam filtering catches the obvious stuff. Modern phishing - impersonating your CEO, your bank, or a vendor - requires:

  • SPF, DKIM, and DMARC - stops attackers from spoofing your domain, but only once DMARC is at p=quarantine or p=reject; a record at p=none just reports the spoofing while the mail is delivered anyway
  • Advanced threat protection - scans links and attachments in real time, and rewrites links so they're checked again at click time, not just at delivery
  • Impersonation detection - catches "CEO fraud" and business email compromise (BEC), where the message carries no malware at all, just a convincing request to change payment details

Not sure if your email is protected? Run a free scan - it checks your SPF and DMARC in seconds.
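To show what such a scan actually looks at, here is an added example (not the scanner behind the link above, and not code from this page's author) that grades SPF and DMARC TXT records the way a checker does. The records are constructed sample strings embedded in the script; in practice you would pull them with "dig txt example.com" and "dig txt _dmarc.example.com" and pass them to grade(). The function names and the letter scale are this example's own.

```python
"""Grade a domain's SPF and DMARC records the way a domain checker does.

Added example with constructed sample records; not the scanner behind the page's link.
Assumes you already fetched the TXT records (e.g. with dig) and pass them as strings.
"""

# Mechanisms and modifiers that each cost one DNS lookup under RFC 7208's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return {'all': qualifier, 'lookups': n, 'mechanisms': [...]} or None if not SPF."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    spf = {"all": None, "lookups": 0, "mechanisms": []}
    for term in txt.split()[1:]:
        qualifier = "+"                       # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            spf["all"] = qualifier
        else:
            spf["mechanisms"].append((qualifier, term))
        if name in LOOKUP_TERMS:               # counts only this record's own lookups,
            spf["lookups"] += 1                # not those hidden inside nested includes
    return spf


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record as a dict, or None if not DMARC."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade(spf_txt, dmarc_txt):
    """Return a list of 'FAIL: ...' / 'WARN: ...' findings; empty means both records are sound."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("FAIL: no SPF record; any server may send mail as this domain")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("FAIL: SPF has no 'all', or uses '+all'/'?all', so it permits every sender")
        elif spf["all"] == "~":
            findings.append("WARN: SPF ends in '~all' (softfail); only DMARC enforcement turns that into a rejection")
        if spf["lookups"] > 10:
            findings.append(f"FAIL: SPF needs {spf['lookups']} DNS lookups, over the limit of 10, so receivers return permerror")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("FAIL: no DMARC record; spoofed mail is not rejected and you get no reports")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("WARN: DMARC p=none only monitors; spoofed mail is still delivered")
        try:
            pct = int(dmarc.get("pct", "100"))
        except ValueError:
            pct = 100                          # malformed pct: receivers fall back to 100
        if policy != "none" and pct < 100:
            findings.append(f"WARN: DMARC pct={pct}; only that share of failing mail is enforced")
        if "rua" not in dmarc:
            findings.append("WARN: no rua= address, so you will never see aggregate reports")
    return findings


def overall(findings):
    """Collapse findings to a letter: F on any FAIL, C on warnings only, A when clean."""
    if any(f.startswith("FAIL") for f in findings):
        return "F"
    return "C" if findings else "A"


if __name__ == "__main__":
    # Constructed sample records for a fictional domain; not real DNS data.
    samples = {
        "example.com (typical)": ("v=spf1 include:_spf.google.com ~all",
                                  "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
        "example.com (hardened)": ("v=spf1 include:_spf.google.com -all",
                                   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
        "example.com (no records)": (None, None),
    }
    for label, (spf_txt, dmarc_txt) in samples.items():
        result = grade(spf_txt, dmarc_txt)
        print(f"{label}: grade {overall(result)}")
        for line in result:
            print("  " + line)
```

The "typical" sample is what most small businesses have: a Google or Microsoft SPF include with softfail and a DMARC record someone set to p=none and forgot. Neither is wrong as a starting point, but nothing gets rejected until the policy moves to quarantine or reject, and the lookup counter only covers the top-level record, so a real checker also walks each include.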

4. DNS-Layer Security

Impact: High. DNS filtering blocks malicious domains at the resolver, before any connection is made. Employee clicks a bad link? The lookup fails, the browser never reaches the site, and the malware never downloads. It only covers traffic that actually resolves through the filter, so block outbound DNS (port 53 and DNS-over-HTTPS) to anything except your filtering resolver, and remember it does nothing against an attacker who points the victim at a raw IP address.

Solutions like Cisco Umbrella or Cloudflare Gateway add this layer with zero client software on the office network (point your DHCP DNS setting at them); laptops that leave the building need the vendor's roaming client to stay covered.

5. Endpoint Detection & Response (EDR)

Impact: High. Traditional antivirus looks for known threats. EDR watches behavior. If a program starts encrypting files or calling a command-and-control server, EDR catches it - even if it's never been seen before.

This is the difference between "we found the virus" and "we stopped the attack in progress" - provided someone is actually watching the alerts. For a small business that usually means a managed detection and response (MDR) service rather than a console nobody opens.
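As an added illustration of the "watches behavior" point (example code written for this page, not any EDR vendor's detection logic), here is the kind of rule an EDR runs over process and file telemetry: it flags a process that renames many files to one new extension within a few seconds, and separately flags commands that delete Volume Shadow Copies, which ransomware does before encrypting so there is nothing to roll back to. The event records are constructed sample telemetry; the field names, thresholds and function names are this example's own.

```python
"""Behavioral detections of the kind an EDR runs, over constructed sample telemetry.

Added example, not any vendor's detection logic. Event records are dicts with the
example's own field names: ts (seconds), pid, image, op ('rename' | 'write' | 'exec'),
plus src/dst for renames and cmdline for process starts.
"""
import ntpath                      # the sample paths are Windows-style
from collections import defaultdict, deque

WINDOW_S = 10.0                    # sliding window length in seconds
THRESHOLD = 20                     # renames to the same new extension inside the window

# Command lines that destroy Volume Shadow Copies or the Windows backup catalog.
SHADOW_COPY_MARKERS = ("vssadmin delete shadows", "vssadmin.exe delete shadows",
                       "wmic shadowcopy delete", "wbadmin delete catalog")


def _ext(path):
    return ntpath.splitext(path)[1].lower()


def detect_mass_rename(events, window_s=WINDOW_S, threshold=THRESHOLD):
    """Alert once per (pid, new extension) when a process renames >= threshold files,
    each to an extension it did not have before, within window_s seconds."""
    recent = defaultdict(deque)    # (pid, new_ext) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "rename":
            continue
        new_ext = _ext(ev["dst"])
        if new_ext == _ext(ev["src"]):
            continue               # same extension before and after: an ordinary save
        key = (ev["pid"], new_ext)
        window = recent[key]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > window_s:
            window.popleft()       # drop renames that fell out of the window
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"pid": ev["pid"], "image": ev["image"], "new_ext": new_ext,
                           "count": len(window), "first_ts": window[0], "last_ts": ev["ts"]})
    return alerts


def detect_shadow_copy_deletion(events):
    """Flag process starts whose command line deletes shadow copies or the backup catalog."""
    return [{"pid": ev["pid"], "image": ev["image"], "cmdline": ev["cmdline"]}
            for ev in events
            if ev["op"] == "exec"
            and any(m in ev["cmdline"].lower() for m in SHADOW_COPY_MARKERS)]


def correlate(events):
    """Pids that both killed shadow copies and mass-renamed files: treat as active ransomware."""
    renamers = {a["pid"] for a in detect_mass_rename(events)}
    deleters = {d["pid"] for d in detect_shadow_copy_deletion(events)}
    return sorted(renamers & deleters)


def _sample_events():
    """Constructed telemetry: one benign Word save (temp file renamed to .docx), then a
    process that wipes shadow copies and renames 30 spreadsheets to .locked in six seconds."""
    ev = [dict(ts=0.5, pid=412, image="winword.exe", op="rename",
               src=r"C:\Users\amy\Documents\~WRD0001.tmp",
               dst=r"C:\Users\amy\Documents\q3-report.docx"),
          dict(ts=1.0, pid=9901, image="updater.exe", op="exec",
               cmdline="vssadmin.exe delete shadows /all /quiet")]
    for i in range(30):
        ev.append(dict(ts=2.0 + 0.2 * i, pid=9901, image="updater.exe", op="rename",
                       src=rf"C:\Shares\finance\inv{i:03d}.xlsx",
                       dst=rf"C:\Shares\finance\inv{i:03d}.xlsx.locked"))
    return ev


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print("mass rename:", alert)
    for hit in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print("shadow copy deletion:", hit)
    print("likely ransomware pids:", correlate(SAMPLE_EVENTS))
```

The single Word save in the sample also changes an extension (.tmp to .docx), which is why the rule counts renames per new extension and per process over a short window instead of reacting to any one rename; that is what keeps legitimate office software from tripping it. Real EDR agents add many more signals (entropy of written data, parent process, signer of the binary), but the shape of the rule is the same.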

6. Backup & Disaster Recovery (Tested)

Impact: High. Having backups isn't enough. You need:

  • Backups that run daily (minimum)
  • Off-site or cloud copies (not just on the same server), with at least one copy that is immutable or offline - ransomware crews delete every backup they can reach with the credentials they've stolen
  • Regular restore tests - if you haven't tested a restore in the last 90 days, your backup is a hope, not a plan. Time the test, too: how long a full restore actually takes is your real recovery time

7. Security Awareness Training

Impact: Medium-High. Your employees are your biggest vulnerability AND your first line of defense. Monthly phishing simulations and 5-minute security lessons measurably cut click rates; the number to watch is how many people report the phish, because one early report gets the message pulled from everyone else's inbox.

The goal isn't to make everyone a security expert. It's to make them pause for 3 seconds before clicking.

8. Least-Privilege Access

Impact: Medium. Does the receptionist need admin access to the file server? Does the intern need access to financial data? Probably not.

Principle of least privilege: everyone gets only the access they need for their job. Nothing more. Split admin accounts from daily-use accounts as well: nobody should read email or browse the web with an account that can also push a change to every machine.

9. Firewall & Network Segmentation

Impact: Medium. A properly configured firewall with IDS/IPS (intrusion detection/prevention) watches for suspicious traffic. Network segmentation ensures that if one device is compromised, the attacker can't move laterally to everything else. At minimum, put guest Wi-Fi, printers, cameras and other IoT gear on their own VLAN with no route to the file server, and block inbound RDP from the internet outright.

10. Security Headers & Website Hardening

Impact: Low-Medium. If you have a website (you do), security headers like HSTS (forces HTTPS on every visit), Content-Security-Policy (limits what an injected script can do) and X-Frame-Options (stops your pages being framed for clickjacking) prevent common web attacks. Most small business sites have zero security headers configured, even though they are a few lines in the web server config and cost nothing to add.
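The following is an added example, written for this page rather than taken from its author or the scanner behind the link below, of how a site checker grades those headers. It takes the response headers as a dict (what you get from "curl -sI https://example.com", parsed), and runs on two constructed header sets: a typical untouched install and a hardened one. The check names, the letter scale and the sample values are this example's own.

```python
"""Grade HTTP response security headers the way a site checker does.

Added example with constructed header sets; not the scanner behind this page's link.
Assumes you already have the response headers (e.g. from 'curl -sI https://example.com')
as a dict; header names are matched case-insensitively.
"""
import re

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age most checkers and the preload list expect


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}; quotes are stripped."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    return directives


def grade_headers(headers):
    """Return {'grade': 'A'|'C'|'F', 'findings': [...]} for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("FAIL: no Strict-Transport-Security; a visitor's first request can be downgraded to HTTP")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(f"WARN: HSTS max-age={max_age} is under one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("WARN: HSTS lacks includeSubDomains, so subdomains stay downgradable")

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else {}
    if not csp:
        findings.append("FAIL: no Content-Security-Policy; an injected script runs with no restrictions")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))
        if not scripts:
            findings.append("WARN: CSP sets neither script-src nor default-src, so scripts are unrestricted")
        elif "unsafe-inline" in scripts or "*" in scripts:
            findings.append("WARN: CSP allows 'unsafe-inline' or '*' for scripts, which defeats its XSS protection")

    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("FAIL: no X-Frame-Options or frame-ancestors; the site can be framed for clickjacking")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("WARN: no X-Content-Type-Options: nosniff; browsers may sniff uploads into scripts")
    if "referrer-policy" not in h:
        findings.append("WARN: no Referrer-Policy; full URLs leak to third-party sites")
    for name in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(name, "")):
            findings.append(f"WARN: {name} header reveals a version ({h[name]}); attackers match it to known bugs")

    if any(f.startswith("FAIL") for f in findings):
        grade = "F"
    else:
        grade = "C" if findings else "A"
    return {"grade": grade, "findings": findings}


# Constructed header sets for a fictional site, before and after hardening.
TYPICAL_SMB_SITE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}
HARDENED_SITE = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Type": "text/html; charset=UTF-8",
}

if __name__ == "__main__":
    for label, hdrs in (("typical", TYPICAL_SMB_SITE), ("hardened", HARDENED_SITE)):
        result = grade_headers(hdrs)
        print(f"{label}: grade {result['grade']}")
        for line in result["findings"]:
            print("  " + line)
```

One caution when copying the hardened set: a CSP that only allows 'self' for scripts will break any page that relies on inline script tags or third-party widgets, so roll it out as Content-Security-Policy-Report-Only first, fix what the reports show, and only then switch to the enforcing header. HSTS is the opposite kind of risk: once a long max-age is cached in browsers you cannot easily go back to plain HTTP, so make sure every subdomain serves valid TLS before adding includeSubDomains.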

The Uncomfortable Truth

43% of cyberattacks target small businesses. The average cost of a data breach for a small business is over $120,000. And most small businesses that suffer a major breach don't recover.

The good news: items 1 through 6 on this list block the vast majority of attacks. You don't need to be Fort Knox - you just need to not be the easiest target on the block.

How does your business measure up?

Get an instant security grade for your domain - free, no strings attached.

Run Free Security Check →