Serving Orange County, CA - Based in Irvine  ·  (949) 274-8774

Is Your Business Secure? A 10-Point IT Security Checklist (No Jargon)


Let's be honest: when was the last time you actually checked this stuff?

Most small and midsize businesses don't need a 200-page security framework. You just need a clear, practical way to see whether the basics are covered.

This 10-point checklist walks you through the fundamentals. For each item you'll see:

  • What to check
  • Why it matters
  • How bad it is if you ignore it

Grab a pen, give yourself a score, and you'll know exactly where you stand.


1. Multi-Factor Authentication (MFA) on Email & Critical Systems

What to check

  • Is MFA turned on for all users on your email platform (Microsoft 365, Google Workspace, etc.)?
  • Is MFA required for admins and for remote access (VPN, remote desktop, etc.)?

Why it matters

Most successful account takeovers start with a stolen or guessed password. MFA makes a stolen password much less useful by requiring a second factor (an app code, push notification, hardware key, etc.).

Risk if missing: High


2. Email Forwarding Rules & Mailbox Rules

What to check

  • For key staff (leadership, finance, HR, IT), review mailbox rules:
    • Any rules that forward email outside the company?
    • Any rules that auto-delete or move emails about security, billing, or finance?
  • In the admin center, look for tenant-level forwarding rules.

Why it matters

When attackers get into a mailbox, they usually don't start blasting spam. They set up quiet rules that keep a copy of everything or hide certain messages. That's a classic move in business email compromise.

Risk if missing: High
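One way to turn this check into a repeatable review, as an added example (not part of the original checklist): a small Python script that reads exported mailbox rules and flags the two patterns above. The input is a constructed list of dicts whose keys mimic Exchange Online's Get-InboxRule properties (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, and so on); the company domain, the watch words and the sample rules are all assumptions.

```python
"""Flag mailbox rules of the two kinds item 2 describes: forwarding outside the company
and hiding security/billing/finance mail. Added example: the input is a constructed
list of dicts whose keys mimic Exchange Online's Get-InboxRule properties, not a real export."""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own mail domains
WATCH_WORDS = ("security", "password", "mfa", "invoice", "payment", "wire", "billing", "finance")

# Constructed sample, shaped like `Get-InboxRule | ConvertTo-Json` output.
SAMPLE_RULES = [
    {"Mailbox": "cfo@example.com", "Name": "..", "Enabled": True,
     "ForwardTo": ["archive.mail@gmail.example"], "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["invoice", "wire transfer"]},
    {"Mailbox": "cfo@example.com", "Name": "Newsletters", "Enabled": True,
     "MoveToFolder": "Newsletters", "FromAddressContainsWords": ["news@vendor.example"]},
    {"Mailbox": "hr@example.com", "Name": "Keep IT in loop", "Enabled": True,
     "RedirectTo": ["it@example.com"]},
]

def domain_of(address):
    """Lowercase domain part of 'user@domain' (the whole string if there is no @)."""
    return address.rsplit("@", 1)[-1].lower()

def audit_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return human-readable findings for one rule; an empty list means it looks benign."""
    findings = []
    # 1. Any forward/redirect target whose domain is not one of ours.
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets += rule.get(key) or []
    external = [t for t in targets if domain_of(t) not in internal_domains]
    if external:
        findings.append("forwards outside the company to " + ", ".join(external))
    # 2. Rules that delete, file away or mark-as-read mail about sensitive topics.
    words = []
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords", "FromAddressContainsWords"):
        words += [w.lower() for w in rule.get(key) or []]
    watched = [w for w in words if any(k in w for k in WATCH_WORDS)]
    if watched and (rule.get("DeleteMessage") or rule.get("MoveToFolder") or rule.get("MarkAsRead")):
        action = "deletes" if rule.get("DeleteMessage") else "hides (moves/marks read)"
        findings.append(f"{action} mail matching {watched}")
    # 3. A name that is blank or only dots is a common sign a rule was meant to go unnoticed.
    if not rule.get("Name", "").strip(". "):
        findings.append("rule name is blank or just punctuation")
    return findings

def audit(rules):
    """Map (mailbox, rule name) -> findings for every rule that has at least one."""
    return {(r["Mailbox"], r["Name"]): f for r in rules if (f := audit_rule(r))}
```

Run `audit(SAMPLE_RULES)` and only the CFO's ".." rule is reported, with all three findings; the newsletter filter and the internal redirect pass.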


3. Admin Accounts & Privileged Access

What to check

  • Do you have named admin accounts (like jane.admin@) instead of shared generic ones (admin@, it@)?
  • Are admin roles in Microsoft 365 / Google / other systems limited to people who truly need them?
  • Is MFA required for all admin accounts?
  • Do admins use separate accounts for daily work vs. admin work?

Why it matters

Compromising an admin account is like getting a master key. Tightening who has those keys and how they're protected drastically reduces the damage a single breach can cause.

Risk if missing: High


4. Verified, Tested Backups

What to check

  • Are critical systems (file servers, key apps, cloud data like Microsoft 365 or Google) backed up regularly?
  • Are backups stored offsite or in a separate environment from the primary system?
  • Have you tested a restore in the last 6–9 months? (Not just "backup completed": an actual test restore.)

Why it matters

Backups are your safety net against ransomware, accidental deletion, and hardware failures. A backup you've never tested is basically a box labeled "maybe".

Risk if missing: High


5. Patch Status for Servers, Workstations, and Apps

What to check

  • Are Windows, macOS, and server operating systems set for regular security updates?
  • Do you patch common third-party apps (browsers, Java, Adobe Reader, Zoom, etc.)?
  • Do you have central visibility into patch status, or is it "whenever users click update"?

Why it matters

Many attacks use known vulnerabilities that have already been fixed, provided you install the updates. Unpatched systems are the low-hanging fruit of cybersecurity.

Risk if missing: High


6. DNS Filtering

What to check

  • Are you using a DNS filtering service (such as Cisco Umbrella, Cloudflare, NextDNS, etc.)?
  • Are requests to known malicious or newly registered domains blocked?
  • Is DNS filtering applied across all locations and remote users?

Why it matters

DNS filtering can stop many attacks at the click stage. Even if someone falls for a phishing email, the malicious site often never loads.

Risk if missing: Medium–High


7. Endpoint Protection (AV/EDR)

What to check

  • Do all workstations and servers have modern endpoint protection installed and active (not expired)?
  • Is it managed centrally, so someone can see status and alerts?
  • Does someone actually review detections and alerts?

Why it matters

Modern endpoint tools can spot malware, ransomware behavior, and suspicious activity, but only if they're installed, updated, and watched.

Risk if missing: High


8. Password Policy & Password Managers

What to check

  • Do you enforce reasonable password policies (length, lockouts, limits on reuse)?
  • Do staff use a password manager instead of reusing the same password everywhere?
  • Do you have a rule against sending passwords over email or chat?

Why it matters

Weak or reused passwords are still one of the biggest problems in small and midsize environments. Strong passwords + MFA + password managers remove a lot of the risk.

Risk if missing: Medium–High


9. Email Authentication: SPF, DKIM, DMARC

What to check

  • Does your domain have a valid SPF record listing your legitimate mail senders?
  • Is DKIM signing enabled for outgoing email (especially in Microsoft 365/Google Workspace)?
  • Is DMARC configured with at least a monitoring (p=none) policy and a reporting address you review?

Why it matters

SPF, DKIM, and DMARC make it harder for attackers to spoof your domain and send convincing fake emails from you. They also help your legitimate emails land where they should.

Risk if missing: Medium (can be High depending on your industry)
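To make the three questions above concrete, here is an added example (not from the original checklist) that checks an SPF record and a DMARC record the way a receiving mail server reads them. The records are constructed strings using typical Microsoft 365 and Google includes, not live DNS answers; the same functions can be run on whatever `dig TXT yourdomain.com` and `dig TXT _dmarc.yourdomain.com` return.

```python
"""Check SPF and DMARC TXT records for item 9. Added example: the records below are
constructed (using typical Microsoft 365 / Google includes), not live DNS answers."""

SAMPLES = {
    "spf_good": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all",
    "spf_open": "v=spf1 ip4:203.0.113.10 a mx +all",
    "spf_no_all": "v=spf1 include:spf.protection.outlook.com",
    "dmarc_monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100",
    "dmarc_no_reports": "v=DMARC1; p=reject",
}

def mechanism_name(term):
    """Drop the qualifier (+ - ~ ?) and any argument: 'include:x' -> 'include', '~all' -> 'all'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name

def check_spf(record):
    """Return (ok, notes) for one SPF record; ok means it is well formed and not open."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, ["not an SPF record (must start with v=spf1)"]
    notes = []
    last = terms[-1] if len(terms) > 1 else ""
    qualifier = last[0] if last[:1] in ("+", "-", "~", "?") else "+"  # SPF default is +
    # A redirect= modifier delegates the decision to another domain's record; check that one too.
    if mechanism_name(last) not in ("all", "redirect"):
        notes.append("no 'all' term at the end, so unlisted senders are not rejected")
    elif mechanism_name(last) == "all" and qualifier in "+?":
        notes.append(f"ends with {qualifier}all: unlisted senders pass or are treated as neutral")
    return not notes, notes

def check_dmarc(record):
    """Return (ok, notes); ok means at least p=none plus a rua= address, as item 9 asks."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return False, ["not a DMARC record (must start with v=DMARC1)"]
    policy, rua, notes = tags.get("p", "").lower(), tags.get("rua", ""), []
    if policy not in ("none", "quarantine", "reject"):
        notes.append("missing or invalid p= policy")
    elif policy == "none":
        notes.append("p=none is monitoring only; tighten to quarantine/reject once reports look clean")
    if not rua.startswith("mailto:"):
        notes.append("no rua= address, so nobody receives the aggregate reports")
    return policy in ("none", "quarantine", "reject") and rua.startswith("mailto:"), notes
```

DKIM is not checked here because it needs the selector name your mail platform uses; the admin console for Microsoft 365 or Google Workspace shows whether signing is enabled.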


10. Incident Response Plan (Written Down, Not Just in Someone's Head)

What to check

  • Do you have a simple, documented plan for what to do if an account is compromised, a device is lost, or ransomware is suspected?
  • Does the plan clearly state who to contact, what systems to isolate, and where critical vendor details live?
  • Have you walked through the plan with leadership at least once?

Why it matters

The middle of an incident is the worst possible time to figure this out from scratch. A simple, tested plan dramatically improves your response and reduces panic.

Risk if missing: Medium–High


Score Yourself

For each of the 10 items, give yourself:

  • 2 points: In place, documented, and working well
  • 1 point: Partially in place, needs improvement
  • 0 points: Not in place / unknown

Add up your total out of 20.

  • 17–20 points: Solid foundation
  • 12–16 points: Needs targeted improvements
  • 0–11 points: High risk

What to Do With Your Score

  1. Circle any High-risk items where you scored 0 or 1.
  2. Build a simple 90-day plan to tackle those first.
  3. Repeat this checklist at least once a year, or after big IT changes.

You don't have to fix everything overnight. But doing nothing isn't a strategy.
