Most small business cybersecurity guides are vague. This one isn’t. This is a concrete, actionable checklist of 50 specific things your business must have in place to achieve a defensible security posture. Work through it systematically. Check off what’s done. Address what isn’t.

Section 1: Identity and Access (10 Items)

1. Every employee has a unique username and password for every business system — no shared accounts.
2. Multi-factor authentication is enabled on all business email accounts.
3. Multi-factor authentication is enabled on all cloud storage and productivity tools.
4. Multi-factor authentication is enabled on all financial and banking accounts.
5. A business password manager is deployed and all employees use it.
6. All employee passwords are 16+ characters and unique per account.
7. An employee offboarding checklist exists and includes immediate credential revocation.
8. Access to sensitive systems is limited to only employees who need it for their role.
9. Admin accounts are separate from daily-use accounts.
10. All default passwords on routers, switches, and network equipment have been changed.

Section 2: Network Security (10 Items)

11. A business-grade firewall is in place and actively managed.
12. The firewall default inbound policy is DENY ALL.
13. Port 3389 (RDP) is not exposed to the public internet.
14. Guest WiFi is separate from corporate WiFi.
15. IoT devices are on an isolated network segment.
16. Router firmware is current.
17. WiFi networks use WPA3 or WPA2-AES.
18. WiFi passwords are 20+ characters and changed at least annually.
19. Network activity logs are enabled and retained for at least 90 days.
20. No unauthorized devices appear on the network device list.
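Item 20 is only checkable if the device list is actually compared against something. The script below is an added example, not part of the original checklist: it reconciles a DHCP lease export against an approved asset inventory keyed by MAC address and reports anything not on the list. The lease text and inventory are constructed samples; in practice the lease table comes from the router or DHCP server and the inventory from the asset register. The three MAC spellings in the sample (colon, dash, Cisco dotted) are there because different devices export them differently, and a naive string comparison would miss matches.

```python
"""Reconcile devices seen on the network against the approved asset list
(checklist item 20). Added example, not part of the original checklist.
Inputs are constructed samples in the shape of a DHCP lease export and a
simple asset inventory keyed by MAC address."""
import re
from dataclasses import dataclass

# Constructed DHCP lease export: "ip mac hostname" per line.
SAMPLE_LEASES = """\
192.168.10.20 AA:BB:CC:00:01:01 fin-laptop-01
192.168.10.21 aa-bb-cc-00-01-02 ops-desktop-03
192.168.10.22 AABB.CC00.0103 printer-lobby
192.168.10.40 DE:AD:BE:EF:00:01 android-7f3a
192.168.10.41 DE:AD:BE:EF:00:02 esp_4c1a
"""

# Constructed approved asset inventory, keyed by MAC address.
SAMPLE_INVENTORY = {
    "AA:BB:CC:00:01:01": "Finance laptop (J. Doe)",
    "AA:BB:CC:00:01:02": "Ops desktop 03",
    "AA:BB:CC:00:01:03": "Lobby printer",
}


def normalize_mac(raw: str) -> str:
    """Canonicalise MAC spellings (colons, dashes, Cisco dotted) to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Device:
    ip: str
    mac: str
    hostname: str


def parse_leases(text: str) -> list[Device]:
    """Parse the 'ip mac hostname' lease export, skipping blanks and comments."""
    devices = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, mac, hostname = line.split()[:3]
        devices.append(Device(ip, normalize_mac(mac), hostname))
    return devices


def find_unauthorized(devices: list[Device], inventory: dict) -> list[Device]:
    """Return devices whose (normalised) MAC is absent from the approved inventory."""
    approved = {normalize_mac(m) for m in inventory}
    return [d for d in devices if d.mac not in approved]


if __name__ == "__main__":
    for d in find_unauthorized(parse_leases(SAMPLE_LEASES), SAMPLE_INVENTORY):
        print(f"UNAUTHORIZED {d.ip} {d.mac} {d.hostname}")
```

Run against the samples, the two `DE:AD:BE:EF` devices are flagged and the printer matches despite its dotted spelling. MAC reconciliation is a baseline check, not an access control: it finds forgotten or unmanaged devices, but a device presenting an approved MAC passes. Where the budget allows, 802.1X or a NAC product is the stronger control behind item 20.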

Section 3: Email Security (8 Items)

21. SPF record is configured and published for your business domain.
22. DKIM is configured and verified for your email provider.
23. DMARC policy is set (ideally p=reject; minimum p=quarantine).
24. Email spam filtering is active for all accounts.
25. Employees have received phishing awareness training in the past 12 months.
26. A process exists for employees to report suspicious emails.
27. External email warning banners are configured.
28. Email retention and archiving are configured per your legal requirements.
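Items 21 and 23 can be verified mechanically from the published DNS TXT records. The following is an added example, not part of the original checklist: it parses an SPF record and a DMARC record and maps them onto the checklist's own thresholds (a meaningful SPF `all` qualifier; DMARC `p=reject` ideal, `p=quarantine` minimum). The two record strings are constructed samples; for your own domain, fetch them with `dig TXT example.com` and `dig TXT _dmarc.example.com` and pass the results in.

```python
"""Evaluate published SPF and DMARC TXT records against checklist items 21 and 23.
Added example, not part of the original checklist. The record strings below are
constructed samples."""
import re

# Constructed sample records (not any real domain's data).
SAMPLE_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"


def parse_spf(record: str) -> dict:
    """Return the SPF mechanisms and the 'all' qualifier (-, ~, ?, +)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"mechanisms": [], "all": None}
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            result["all"] = m.group(1) or "+"  # bare 'all' means '+all'
        else:
            result["mechanisms"].append(term)
    return result


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Map the two records onto checklist items 21 and 23 and return findings."""
    findings = {}
    spf = parse_spf(spf_record)
    findings["spf_published"] = True
    # '+all' (or no 'all' term) authorises every sender and is no control at
    # all; '~all' is soft fail, '-all' is hard fail.
    findings["spf_all_qualifier"] = spf["all"]
    findings["spf_meaningful"] = spf["all"] in ("-", "~")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none").lower()
    findings["dmarc_policy"] = policy
    # Item 23: p=reject ideal, p=quarantine minimum; p=none is monitor-only.
    findings["dmarc_meets_minimum"] = policy in ("quarantine", "reject")
    findings["dmarc_ideal"] = policy == "reject"
    # pct below 100 applies the policy to only a sample of failing mail.
    findings["dmarc_full_coverage"] = dmarc.get("pct", "100") == "100"
    # rua= is where aggregate reports go; without it you get no visibility.
    findings["dmarc_reporting"] = "rua" in dmarc
    return findings


if __name__ == "__main__":
    for key, value in assess(SAMPLE_SPF, SAMPLE_DMARC).items():
        print(f"{key}: {value}")
```

With the sample records the result is "meets minimum, not ideal": the domain quarantines rather than rejects. DKIM (item 22) is not covered here because verifying it means checking the selector record your provider publishes and confirming signatures on real outbound mail, which depends on the provider.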

Section 4: Endpoint Security (8 Items)

29. All company laptops and desktops have current OS patches applied.
30. Antivirus or EDR software is active and updated on all company devices.
31. Full-disk encryption is enabled on all company laptops (BitLocker for Windows, FileVault for Mac).
32. Screen lock with PIN or biometric is required on all mobile devices used for business.
33. Mobile Device Management (MDM) covers all company-issued and BYOD devices.
34. No end-of-life devices are on the network.
35. USB/removable media access is restricted or monitored on company devices.
36. Employees are prohibited from installing unauthorized software on company devices.

Section 5: Data Protection and Incident Response (14 Items)

37. Business data is backed up at minimum daily.
38. Backups are stored in at least two locations.
39. Backup restoration has been tested successfully in the past 6 months.
40. Customer PII is identified, documented, and subject to access controls.
41. Sensitive data is not stored in email inboxes, personal cloud accounts, or chat tools.
42. Data retention and deletion policies are documented and followed.
43. A list of all third-party vendors with system access or data access exists.
44. All vendors with access to customer data have signed data processing agreements.
45. Vendor accounts are reviewed quarterly and unnecessary access is revoked.
46. You receive security notifications from critical vendors.
47. A written incident response plan exists and is accessible offline.
48. All employees know who to contact if they suspect a security incident.
49. A business continuity plan exists covering how to operate if key systems are unavailable.
50. Cyber liability insurance is in place.

Scoring Your Checklist

45–50 checked: Strong security posture — focus on professional assessment to find deeper vulnerabilities.
35–44 checked: Moderate risk — prioritize unchecked items in Sections 1–3 first.
25–34 checked: Significant exposure — create a 90-day remediation plan immediately.
Under 25 checked: High risk — engage professional cybersecurity support now.

Get a professional SMB Security Health Check that evaluates your attack surface, cloud security, remote work risks, and ransomware readiness — delivered in 48 hours for $17.