
Cybersecurity advice for small businesses usually falls into two camps: vague platitudes ("be careful online!") or enterprise-grade solutions that cost six figures. Neither is helpful when you're running a 20-person company and need to know what actually matters.

This checklist is different. These are 15 specific, actionable items ranked roughly by impact. Some take five minutes. Some take an afternoon. All of them meaningfully reduce your risk.

Tier 1: Do These Today (Highest Impact)

1. Enable multi-factor authentication on everything

MFA is the single most effective security measure you can implement. Enable it on email, banking, cloud storage, and any system that supports it. Use an authenticator app (Microsoft Authenticator or Google Authenticator) rather than SMS codes when possible, since SIM-swapping attacks can intercept text messages.

Time required: 15 minutes per service. Start with email and banking.

2. Audit who has access to what

Pull up your Microsoft 365 or Google Workspace admin panel and review every user account. Look for former employees who still have access, shared accounts with generic passwords, and admin privileges granted to people who don't need them. The principle of least privilege says everyone should have exactly the access they need for their job and nothing more.

Time required: 1-2 hours depending on company size.
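As an added example (not part of the original article), a small Python script that applies the three questions above to a user export: which enabled accounts have not signed in recently, which are shared logins, and which hold admin roles. The CSV layout and the sample accounts are constructed assumptions; map the column names to whatever your admin console actually exports.

```python
"""Triage an M365 / Google Workspace user export for the three things item 2 asks about."""
import csv
import io
from datetime import date

# Constructed sample export (not real data). The column names are assumptions;
# map them to whatever your admin console's CSV export actually produces.
SAMPLE_EXPORT = """\
user,display_name,enabled,last_sign_in,roles,shared_account
alice@example.test,Alice Ng,true,2024-05-28,Global Administrator,false
bob@example.test,Bob Ruiz,true,2023-11-02,,false
frontdesk@example.test,Front Desk,true,2024-05-30,,true
carol@example.test,Carol Diaz,true,2024-05-29,,false
dave@example.test,Dave Kim,true,2024-05-27,Exchange Administrator,false
erin@example.test,Erin Shah,false,2022-01-15,Global Administrator,false
"""

STALE_AFTER_DAYS = 90  # assumption: no sign-in for 90 days is worth a question


def audit_users(csv_text, today, stale_after_days=STALE_AFTER_DAYS):
    """Return {'stale': [...], 'shared': [...], 'admin': [...]} for enabled accounts only."""
    findings = {"stale": [], "shared": [], "admin": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"].strip()
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing left to revoke
        last = row["last_sign_in"].strip()
        # A never-used or long-idle account is a likely ex-employee or forgotten service login.
        if not last or (today - date.fromisoformat(last)).days > stale_after_days:
            findings["stale"].append(user)
        # Shared logins cannot be tied to one person and usually have a passed-around password.
        if row["shared_account"].strip().lower() == "true":
            findings["shared"].append(user)
        # Every admin role should be justified by the job, per least privilege.
        if row["roles"].strip():
            findings["admin"].append(user)
    return findings


def run_sample():
    """Run the audit against the constructed export as of a fixed date."""
    return audit_users(SAMPLE_EXPORT, date(2024, 6, 1))


if __name__ == "__main__":
    for category, users in run_sample().items():
        print(f"{category}: {', '.join(users) or 'none'}")
```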

3. Verify your backups actually work

Having backups isn't enough. When was the last time you actually tested restoring from a backup? Pick a non-critical file, delete it from your production environment, and restore it from backup. Time how long it takes. If you can't do it, or it takes hours, your backup strategy needs work. Read our guide on why backups aren't enough for the full picture.

Time required: 30 minutes for the test itself.
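An added example, not from the original article: a Python restore drill that records the file's fingerprint, deletes the production copy, restores it from the backup location, and checks both the elapsed time and that the content actually matches. It assumes the restore is a file copy from a backup directory and uses a constructed sample file; the stale-backup case shows the failure a "we have backups" answer hides.

```python
"""Timed restore drill for item 3: lose a file, restore it, prove it came back intact."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def restore_drill(production_file, backup_file, max_seconds=60.0):
    """Delete production_file, copy it back from backup_file, verify and time the restore.

    Returns a dict; 'intact' is False when the backup exists but is stale or corrupt.
    Assumption: the restore step is a plain file copy from the backup location.
    """
    production_file, backup_file = Path(production_file), Path(backup_file)
    expected = sha256_of(production_file)      # fingerprint taken before the simulated loss
    production_file.unlink()
    start = time.perf_counter()
    shutil.copy2(backup_file, production_file)
    elapsed = time.perf_counter() - start
    intact = production_file.exists() and sha256_of(production_file) == expected
    return {"intact": intact, "seconds": elapsed, "within_rto": intact and elapsed <= max_seconds}


def run_sample_drill(backup_is_stale=False):
    """Drill on a constructed invoice file; optionally simulate a backup that missed the last edit."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp, "prod", "invoice.txt")
        backup = Path(tmp, "backup", "invoice.txt")
        prod.parent.mkdir()
        backup.parent.mkdir()
        prod.write_text("constructed invoice, version 1\n")
        shutil.copy2(prod, backup)             # the nightly backup job ran here
        if backup_is_stale:
            prod.write_text("constructed invoice, version 2\n")  # edited after the backup
        return restore_drill(prod, backup)


if __name__ == "__main__":
    print("good backup:", run_sample_drill())
    print("stale backup:", run_sample_drill(backup_is_stale=True))
```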

4. Update everything

Unpatched software is one of the most common attack vectors. Set all operating systems to auto-update. Update your router firmware (most people never do this). Update your firewall. Update your browser. If you're running any software that's no longer receiving security updates, it needs to be replaced.

Time required: 1-3 hours across all devices.

Tier 2: Do These This Week

5. Implement a password policy

The current best practice from NIST (the people who set federal cybersecurity standards) is: long passphrases over complex passwords, no mandatory rotation schedules (which cause people to use predictable patterns), and mandatory use of a password manager. Deploy a business password manager like 1Password Business, Bitwarden, or Keeper. The cost is typically $3-8 per user per month.
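Added example (not from the article): the two approaches side by side in Python. legacy_policy is the composition rule to retire; nist_style_policy screens on length and a blocklist only, with no expiry. The blocklist, the company words and the 12-character minimum are assumptions.

```python
"""Item 5 side by side: a legacy 'complexity' rule versus a NIST SP 800-63B style check."""
import re

# Constructed blocklist. Use a real breached-password list in production
# (for example, the k-anonymity range API from Have I Been Pwned).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123456"}
CONTEXT_WORDS = {"rivermountain", "acme"}   # company and product names to reject (assumed)


def legacy_policy(pw):
    """The composition rule this article argues against: 8+ chars with upper, lower, digit, symbol."""
    return all([len(pw) >= 8,
                re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])


def nist_style_policy(pw, username="", min_len=12, max_len=64):
    """Length plus blocklist screening only: no composition rules and no expiry.

    min_len=12 is a policy choice (an assumption here), above the 8-character floor
    in SP 800-63B; max_len=64 keeps long passphrases from a password manager usable.
    Returns (accepted, reason).
    """
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    normalized = pw.lower().replace(" ", "")
    if normalized in COMMON_PASSWORDS:
        return False, "appears on the common/breached password list"
    if any(word in normalized for word in CONTEXT_WORDS):
        return False, "contains a company-specific word"
    if username and username.split("@")[0].lower() in normalized:
        return False, "contains the username"
    if len(set(pw)) <= 2:
        return False, "repetitive characters"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "RiverMountain2024!", "correct horse battery staple"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate)}, "
              f"nist={nist_style_policy(candidate)}")
```

The passphrase fails the legacy rule for lacking an uppercase letter and a digit while passing the NIST-style check; the short "complex" password does the reverse.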

6. Set up email filtering and anti-phishing

If you're on Microsoft 365 or Google Workspace, configure the built-in anti-phishing policies. Enable impersonation protection, which flags emails that appear to come from executives or trusted vendors but don't. Turn on Safe Links and Safe Attachments if you're on Microsoft. On Google, enable the enhanced pre-delivery message scanning.

7. Encrypt laptops and mobile devices

Every company laptop should have full-disk encryption enabled. On Windows, this is BitLocker (requires Windows Pro). On Mac, it's FileVault. Both are free and built into the operating system. If a laptop is lost or stolen, encryption means the data is unreadable without the password.

8. Create an offboarding checklist

When someone leaves your company, you need a documented process: disable their email account (don't delete it immediately; you may need access to their mail), revoke access to all cloud services, collect company devices, change any shared passwords they knew, and remove them from VPN access. This should happen the same day, not "when we get around to it."

Tier 3: Do These This Month

9. Run a phishing simulation

Services like KnowBe4, Proofpoint, or even Microsoft's built-in Attack Simulator let you send fake phishing emails to your own employees to see who clicks. This isn't about shaming anyone. It's about identifying where training is needed. Typical first-time click rates are 20-30%. After regular training, they drop to under 5%.

10. Secure your Wi-Fi properly

Your business Wi-Fi should use WPA3 (or WPA2 at minimum) with a strong passphrase. Create a separate guest network for visitors and personal devices. Never let your point-of-sale system, security cameras, or business-critical devices share the same network as guest traffic.

11. Review your cyber insurance

If you don't have cyber insurance, get quotes. If you do have it, actually read the policy. Many cyber insurance policies have exclusions that void coverage if you weren't following basic security practices (like MFA or regular backups). Know what your policy requires.

12. Document your critical systems

Could someone else in your organization restore operations if your main IT person were unavailable? Create a document (stored securely) that lists every critical system, the vendor contact, the login process, and what to do if it goes down. This is your "hit by a bus" plan.

Tier 4: Do These This Quarter

13. Implement DNS filtering

DNS filtering (services like Cisco Umbrella, DNSFilter, or even the free Cloudflare Gateway) blocks access to known malicious websites before they even load. It takes about 20 minutes to set up and operates silently in the background, catching threats that get past other defenses.

14. Set up security awareness training

A one-time "don't click bad links" email isn't training. Implement quarterly security awareness sessions that cover real-world examples of attacks targeting businesses like yours. Keep sessions short (15-20 minutes). Make them interactive. Test comprehension afterward.

15. Get a professional security assessment

Even if you've completed items 1-14, there are likely gaps you can't see from the inside. A professional security assessment identifies vulnerabilities in your network, your policies, and your human processes that a checklist can't catch. This is especially important if you handle sensitive customer data, healthcare records, or financial information.

Cybersecurity isn't a product you buy. It's a posture you maintain. The businesses that get breached aren't the ones that did nothing. They're the ones that did something once and then stopped paying attention.

Want help working through this list?

River Mountain Systems offers free cybersecurity assessments for small businesses. We'll identify your biggest gaps and help you prioritize what to fix first.
