Small Business Cybersecurity Checklist: 10 Controls That Actually Matter
A small business cybersecurity checklist focused on the controls that block most real attacks: MFA, patching, tested backups, endpoint protection, access removal, and employee training. Each item explained in plain language with cost context.
A small business cybersecurity checklist should cover six controls at minimum: multi-factor authentication, automatic patching, tested backups, prompt removal of access for departed employees, endpoint protection, and phishing training. Between them, these six close off the attack paths behind the large majority of real small-business breaches: a stolen password, an unpatched system, ransomware with no recoverable backup, a forgotten account, malware on a workstation, and a convincing email. Everything else matters too, but starting here is the right call.
This article covers those six plus four more, with plain-language explanations and honest cost context. If you want the deeper picture of why cybersecurity matters for small businesses specifically, the complete cybersecurity guide for small businesses is the right starting point.
What should be on a small business cybersecurity checklist?
Here is the checklist. The first six items each get their own section below; the remaining four are covered in the cost and prioritization sections at the end.
- Multi-factor authentication on email and remote access
- Automatic patching for operating systems and software
- Tested backups stored off your primary network
- Immediate access removal when employees leave
- Endpoint protection with active monitoring
- Phishing awareness training for all staff
- Email filtering for spam and malicious attachments
- Strong password policy with a password manager
- Basic network segmentation
- An incident response plan
What are the most important controls?
1. Multi-Factor Authentication
MFA is the single highest-leverage control available to a small business. Passwords are stolen constantly through phishing, data breaches, and credential stuffing; with MFA enforced, a stolen password on its own is no longer enough to log in. It is not absolute: phishing kits that proxy the real login page can capture a one-time code along with the password, and attackers send repeated push prompts hoping a tired user taps Approve. Phishing-resistant methods (FIDO2 security keys or passkeys) defeat both, and number matching on push prompts blunts the second.
Implement MFA on: business email, remote access tools (VPN, Remote Desktop), cloud services (Microsoft 365, Google Workspace, QuickBooks Online, your CRM), and any admin accounts. Enforce it for every user rather than leaving it optional, and disable legacy email protocols that skip MFA entirely (basic authentication for IMAP, POP, and SMTP), or the control can simply be bypassed. In order of strength: security keys or passkeys, then authenticator apps (Google Authenticator, Microsoft Authenticator), then SMS codes, which can be intercepted through SIM swapping. SMS MFA is still significantly better than no MFA at all.
Most MFA for cloud services is included in existing subscriptions. Standalone authenticator apps are free. This is one of the cheapest items on the checklist and one of the most effective.
2. Automatic Patching
Software vulnerabilities are the other main way in: an attacker who cannot phish a user can exploit a flaw in software that faces the internet or that opens a malicious document. Microsoft, Apple, and software vendors release patches that fix these vulnerabilities on a regular schedule. The catch: patches only protect you once they are installed, and for many updates that also means the device has rebooted.
Turn on automatic updates for Windows or macOS. Enable auto-update for browsers, Office, Adobe products, and any other software your team uses regularly. Configure update schedules to run during off-hours so work is not interrupted, and do not let machines sit for weeks with a pending reboot. Give first priority to anything reachable from the internet (firewall and VPN appliances, Remote Desktop gateways, mail servers, web-facing line-of-business apps), because those are what attackers scan for. For businesses with managed IT, patch management is one of the core services: your provider should have a report showing patch compliance across every device, including which devices are still waiting on a reboot.
Unpatched systems are not a theoretical risk. Attackers actively scan for known vulnerabilities in outdated software and exploit them within days, sometimes hours, of a patch being released, because they know most organizations are slow to update.
3. Tested Backups
Backups are how you recover. But a backup that has never been tested is not a backup — it is an assumption.
The 3-2-1 rule is the standard: three copies of your data, on two different media types, with one copy stored off-site (or in cloud storage that is not connected to your primary systems). For a small business, that typically means local backup to an external drive plus cloud backup to a service like Backblaze or your IT provider’s managed backup platform. One detail matters more than the media: ransomware operators look for backups they can reach and delete or encrypt them before touching anything else, so the off-site copy must not be accessible with the same credentials that run your day-to-day systems. Use a separate backup account protected by MFA, and turn on immutability or retention locking where the service offers it, so that even an attacker holding your admin credentials cannot erase the copy.
The “tested” part matters as much as the “stored” part. Run a quarterly restore test. Pick a handful of files, restore them from backup, confirm they open correctly and match the originals, and note how long the restore took, because that is your real recovery time. At least once a year, restore a whole system (a server or a representative laptop) rather than only individual files. If you have never tested your backups and ransomware hits on a Tuesday afternoon, you will find out whether they work under the worst possible conditions.
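As an added example (not code from the article or from any backup product), here is what a scripted version of the quarterly restore test looks like: pick a reproducible sample of files from the live data, compare each against the copy restored from backup by SHA-256, and report anything missing or altered. The directory layout and the sample files are constructed for the demo; in real use, point `verify_restore` at your own source and restore paths.

```python
"""Quarterly restore test: sample files from the live data set, compare them
against the copies restored from backup, and report what did not come back
intact. Added example, not from the original article. The directory layout
and the sample data below are constructed for the demo."""
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sample_files(root: Path, count: int, seed: int) -> list[str]:
    """Pick a reproducible random sample of relative paths under root.
    A fixed seed lets the same sample be re-checked after a fix."""
    all_files = sorted(p.relative_to(root).as_posix()
                       for p in root.rglob("*") if p.is_file())
    rng = random.Random(seed)
    return sorted(rng.sample(all_files, min(count, len(all_files))))


def verify_restore(source_root: Path, restore_root: Path, sample: list[str]) -> dict:
    """Compare each sampled file in the restore against the live copy.
    Returns three lists: intact, mismatched (content differs) and missing."""
    report = {"intact": [], "mismatched": [], "missing": []}
    for rel in sample:
        live, restored = source_root / rel, restore_root / rel
        if not restored.is_file():
            report["missing"].append(rel)
        elif sha256_file(live) != sha256_file(restored):
            report["mismatched"].append(rel)
        else:
            report["intact"].append(rel)
    return report


def restore_passed(report: dict) -> bool:
    """A restore test passes only when nothing is missing or altered."""
    return not report["mismatched"] and not report["missing"]


def build_demo(base: Path) -> tuple[Path, Path]:
    """Constructed data: a 'live' tree and a 'restored' tree in which one
    file came back corrupted and one did not come back at all."""
    live, restored = base / "live", base / "restored"
    for i in range(10):
        for root in (live, restored):
            p = root / "finance" / f"invoice_{i:02d}.txt"
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(f"invoice {i}\n")
    (restored / "finance" / "invoice_03.txt").write_text("TRUNCATED")
    (restored / "finance" / "invoice_07.txt").unlink()
    return live, restored


def run_demo() -> dict:
    """Run the restore check over the constructed trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = build_demo(Path(tmp))
        sample = sample_files(live, count=10, seed=2024)  # all 10 files, for a stable demo
        return verify_restore(live, restored, sample)


if __name__ == "__main__":
    rep = run_demo()
    print("PASS" if restore_passed(rep) else "FAIL", rep)
```

Comparing against live data will flag files edited since the backup ran; for a cleaner check, hash the files at backup time and keep that manifest alongside the backup, or restore to a point-in-time snapshot and compare against that. A failing `restore_passed` is exactly the result you want to discover in a quarterly test rather than during an incident.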
4. Access Removal for Departed Employees
This one is consistently underestimated. When an employee leaves, voluntarily or not, their accounts need to be disabled the same day, ideally before they walk out the door. That means their email login, their VPN access, their cloud service accounts, their access to shared drives, and any system credentials they held. Disabling the account is not always enough on its own: signed-in sessions and app tokens can keep working until they are revoked, so revoke sessions and registered MFA devices in the same step, and rotate any shared secrets the person knew (the Wi-Fi password, shared mailbox passwords, service account credentials).
It is not just about malicious ex-employees, though that happens. Inactive accounts are a target because nobody is watching them. An attacker who compromises a dormant account for someone who left two years ago can operate undetected for a long time, and the same goes for accounts that were created and never used. Review the account list periodically for anything enabled that has not signed in for months.
Build an offboarding checklist that includes account revocation as a required step. Include it in your HR process, not just your IT process: IT needs to know when someone is leaving so they can act on the right day.
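Added example, not from the article: a small audit over a directory export that flags the three account states this section is about, enabled accounts for people HR has marked terminated, enabled accounts with no sign-in for 90 days, and accounts created weeks ago that were never used. The CSV columns, the thresholds and every row are constructed assumptions; map the column names to whatever Microsoft 365, Google Workspace or your directory actually exports.

```python
"""Dormant and departed-account audit over a directory export.
Added example, not part of the original article: the CSV layout, the
thresholds and every row below are constructed assumptions."""
import csv
import io
from datetime import date, datetime

DORMANT_DAYS = 90      # assumption: 90 days without a sign-in counts as dormant
NEVER_USED_DAYS = 30   # assumption: created 30+ days ago and never used is suspicious

# Constructed export. Real exports differ mainly in column names.
EXPORT_CSV = """\
user,enabled,created,last_sign_in,hr_status,termination_date
alice@example.com,true,2021-03-01,2024-05-30,active,
bob@example.com,true,2019-07-15,2024-01-10,terminated,2024-01-12
carol@example.com,false,2020-01-20,2023-11-02,terminated,2023-11-03
dave@example.com,true,2022-06-01,2023-12-01,active,
erin@example.com,true,2024-03-15,,active,
svc-scanner@example.com,true,2018-01-01,2024-05-29,active,
"""


def parse_date(text: str):
    """ISO date, or None for an empty field (never signed in / not terminated)."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def audit_accounts(export_csv: str, today: date) -> list:
    """Return (user, finding, days) tuples for every enabled account that
    should not be enabled, or that nobody appears to be using."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to flag
        user = row["user"]
        created = parse_date(row["created"])
        last = parse_date(row["last_sign_in"])
        terminated = parse_date(row["termination_date"])

        # Offboarding gap: HR says gone, the directory says still enabled.
        if row["hr_status"] == "terminated":
            open_for = (today - terminated).days if terminated else None
            findings.append((user, "terminated_but_enabled", open_for))
            continue
        # Never used: typical of an account created for a hire who never started.
        if last is None:
            age = (today - created).days
            if age >= NEVER_USED_DAYS:
                findings.append((user, "never_signed_in", age))
            continue
        # Dormant: enabled, but nobody has logged in for a long time.
        idle = (today - last).days
        if idle >= DORMANT_DAYS:
            findings.append((user, "dormant", idle))
    return sorted(findings)


def run_demo() -> list:
    """Audit the constructed export as of a fixed date so results are stable."""
    return audit_accounts(EXPORT_CSV, date(2024, 6, 1))


if __name__ == "__main__":
    for user, finding, days in run_demo():
        print(f"{finding:24} {user:28} {days} days")
```

Run it against a fresh export monthly and treat every finding as a ticket. The `terminated_but_enabled` case is the one the offboarding checklist exists to prevent, and its day count is how long that gap has been open; `dormant` and `never_signed_in` are the accounts nobody is watching.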
5. Endpoint Protection
Antivirus is not enough anymore. Modern endpoint protection goes beyond scanning for known malware. An Endpoint Protection Platform (EPP) blocks known-bad files and behaviors on the device; Endpoint Detection and Response (EDR) records what processes do, flags anomalies, and lets a responder isolate a compromised device from the network before damage spreads. Most current products bundle both.
Microsoft Defender for Business (included in Microsoft 365 Business Premium) is a legitimate endpoint protection solution for small businesses. Third-party options like CrowdStrike Falcon Go, SentinelOne Singularity, or Bitdefender GravityZone cover similar ground. The specific product matters less than the fact that you have one deployed on every device, servers and laptops that leave the office included, and that someone is watching the alerts.
Alerts with nobody watching them are decoration. If you do not have the internal capacity to respond to endpoint alerts, this is a strong argument for managed IT services — the monitoring value is the point.
6. Phishing Training
Phishing is one of the most common entry points for ransomware and the usual start of business email compromise fraud. Attackers send convincing emails that look like they come from your bank, your CEO, a vendor, or a cloud service, asking you to click a link, open an attachment, or enter credentials.
Training reduces click rates. It does not eliminate them (humans make mistakes), but it meaningfully reduces the odds, and it teaches people to report a suspicious message quickly, which gives IT a chance to act before a click turns into a breach. Simulated phishing tests (where your IT provider or a service like KnowBe4 sends fake phishing emails to see who clicks) are more effective than one-time awareness sessions. When someone clicks a test phishing email, they get immediate training instead of a breach.
Quarterly training plus regular simulated tests is a reasonable cadence for most small businesses. This is not expensive — KnowBe4 and similar platforms run around $20 to $30 per user per year.
How much does this cost to implement?
Here is an honest cost breakdown for a 20-person company implementing the full checklist. Numbers are approximate and vary by vendor and whether you self-manage or use a managed IT provider. Network segmentation and the incident response plan are not priced separately: they are mostly planning time, usually done with your IT provider rather than bought as a product.
| Control | Approximate Annual Cost |
|---|---|
| MFA (included in M365/Google Workspace) | $0–$120 |
| Patch management (managed IT) | Included in provider fee |
| Backup (cloud + local) | $600–$1,200 |
| Endpoint protection (Defender for Business) | $1,200–$2,400 |
| Email filtering (Defender, Proofpoint, Mimecast) | $600–$1,800 |
| Password manager (1Password, Bitwarden Teams) | $400–$800 |
| Phishing training (KnowBe4, Proofpoint SAT) | $400–$600 |
| Managed IT for monitoring and patching | $3,000–$12,000 |
Total for a 20-person shop implementing the full checklist: roughly $6,000 to $19,000 per year, depending on whether you self-manage tools or pay a managed IT provider for monitoring. The wide range reflects real variation in provider pricing and tool choices.
Where should a small business start?
If you have nothing in place today, start here and only here: turn on MFA for email, and confirm your backups are running and have been tested. Both can be started in a single day (MFA for a handful of users is a same-day job; a full rollout takes a little longer), and they protect against the two most damaging outcomes: account takeover and ransomware recovery failure.
Everything else on this checklist is important. But if you try to do all ten items at once and do none of them well, you are in a worse position than if you do two things correctly and add more over time.
After MFA and backups are solid, add endpoint protection and phishing training. Then address access management, patch management, and email filtering. The last items — network segmentation and an incident response plan — require more planning and usually benefit from professional support.
If you are not sure where your gaps are, a structured assessment is a faster path to clarity than working through this list manually. Helix Stax provides cybersecurity compliance assessments for small businesses in Hampton Roads — if you want to know exactly where you stand before deciding what to prioritize, that is a reasonable starting point.
No pressure to do anything. The checklist is free. Use it.