A Practical Cybersecurity Checklist for Small and Mid-Sized Businesses

You don’t need an enterprise-grade security operations center to protect your business. But you do need the basics in place — and you need them configured correctly. The majority of breaches at small and mid-sized businesses exploit fundamental gaps that are straightforward (and relatively inexpensive) to close.

This checklist is organized by priority. Start at the top and work your way down.

Tier 1: The Non-Negotiables

These should be in place at every business, regardless of size or industry. If any of these are missing, they’re your highest priority.

Multi-Factor Authentication (MFA)

What: Require a second form of verification (app-based code, hardware key, or push notification) for all logins — especially email, VPN, and admin accounts.

Why it matters: Stolen, guessed, or reused passwords are among the most common entry points for attackers. MFA stops the large majority of automated credential attacks (password spraying, credential stuffing, replay of leaked passwords), which makes it the single most impactful security measure you can implement. Its weak spot is the factor type: one-time codes and plain push prompts can be phished by a relay site or approved by a tired user, so the choice of authenticator matters, especially for admins.

Cost: Free to low cost. Most platforms (Microsoft 365, Google Workspace) include MFA at no extra charge.

Action items:

  • Enable MFA on all email accounts
  • Enable MFA on VPN and remote access
  • Enable MFA on all admin and privileged accounts
  • Use app-based authenticators (Microsoft Authenticator, Google Authenticator) rather than SMS codes, and turn on number matching for push prompts so a user cannot approve a login they did not start; for admin accounts, prefer phishing-resistant FIDO2 security keys or passkeys

Email Security

What: Advanced email filtering that catches phishing, business email compromise (BEC), and malware-laden attachments before they reach your employees’ inboxes.

Why it matters: Phishing email is consistently among the most common initial entry points in breach reports, and business email compromise, which often carries no malware at all, is among the costliest. Standard spam filters catch bulk spam but miss targeted phishing that relies on social engineering rather than a malicious attachment.

Cost: $2–$6/user/month for dedicated email security platforms.

Action items:

  • Deploy an email security gateway or cloud-based email protection
  • Enable anti-phishing policies in your email platform
  • Publish SPF, DKIM, and DMARC records for your domain. DMARC at p=none only reports; move to p=quarantine and then p=reject once the reports show your legitimate mail passes, because only an enforcing policy actually stops spoofing. Publish a deny-all SPF record (v=spf1 -all) and a p=reject DMARC record for domains you own but never send from
  • Block macros in Office documents that arrive from the internet. Current Office versions block them by default when the file carries the mark of the web; enforce that with policy so users cannot unblock the file themselves
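The SPF and DMARC items above are the ones most often published in a form that looks finished but enforces nothing. The script below is an added example, not part of this checklist and not a vendor tool: it lints SPF and DMARC record strings offline for the mistakes that leave a domain spoofable (a permissive or missing 'all' term, too many DNS lookups, p=none, a reduced pct, no reporting address, unprotected subdomains). The sample records are constructed; to check your own domain, paste in the output of dig TXT example.com and dig TXT _dmarc.example.com.

```python
"""Lint SPF and DMARC records for the mistakes that leave a domain spoofable.

Added example (not from the checklist). It works on record strings you paste
in, so it runs offline; the SAMPLES below are constructed, not real domains.
"""
from __future__ import annotations

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 permits;
# exceeding the limit makes receivers return permerror (no protection at all).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10


def lint_spf(record: str) -> list[str]:
    """Return findings for one SPF TXT record; an empty list means it passed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    lookups = 0
    all_qualifier = None  # qualifier on the 'all' term, if one is present
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed the limit of {LOOKUP_LIMIT}; record evaluates to permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result, so anyone can spoof")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' authorizes every sender; use -all (or ~all while rolling out)")
    return findings


def lint_dmarc(record: str) -> list[str]:
    """Return findings for the TXT record published at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; receivers treat the record as invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports and cannot see who is spoofing you")
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("sp=none leaves every subdomain spoofable")
    return findings


# Constructed records for demonstration; not any real domain's DNS data.
SAMPLES = {
    "good-spf": "v=spf1 include:_spf.google.com ip4:198.51.100.10 -all",
    "open-spf": "v=spf1 a mx include:_spf.google.com +all",
    "parked-domain": "v=spf1 -all",
    "good-dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "monitor-only": "v=DMARC1; p=none",
}


def lint_all(samples: dict[str, str]) -> dict[str, list[str]]:
    """Dispatch each record to the right linter by its version tag."""
    results = {}
    for label, record in samples.items():
        linter = lint_dmarc if record.lower().startswith("v=dmarc1") else lint_spf
        results[label] = linter(record)
    return results


if __name__ == "__main__":
    for label, findings in lint_all(SAMPLES).items():
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

A clean result from both linters is necessary, not sufficient: DKIM signing still has to be turned on at your mail provider, and the DMARC aggregate reports are what tell you whether every legitimate sender (CRM, invoicing, marketing tools) is covered before you move to p=reject.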

Endpoint Protection

What: Next-generation antivirus/EDR (Endpoint Detection and Response) on every device — desktops, laptops, and servers.

Why it matters: Traditional antivirus catches known malware but misses fileless attacks, living-off-the-land techniques, and zero-day exploits. Modern EDR platforms use behavioral analysis to detect threats that signature-based tools miss.

Cost: $3–$10/endpoint/month for business-grade EDR.

Action items:

  • Deploy EDR on all company-owned devices (Windows, Mac, and servers)
  • Ensure the solution includes real-time monitoring, not just scheduled scans
  • Configure automated response policies for common threats (isolate the host, kill the process), and make sure a person actually reviews the alerts; if nobody in-house can, buy the vendor's managed detection and response (MDR) tier rather than letting alerts pile up unread
  • Include mobile devices if your business handles sensitive data on phones/tablets

Backup and Recovery

What: Regular, tested backups of critical business data stored in a location that ransomware can’t reach.

Why it matters: If ransomware encrypts your data, backups are your recovery path. Without them, you’re choosing between paying the ransom (with no guarantee of recovery) and losing your data permanently.

Cost: $5–$20/server/month for cloud-based backup solutions.

Action items:

  • Back up all critical data — file servers, databases, email, and application data
  • Follow the 3-2-1 rule: 3 copies, 2 different media, 1 offsite
  • Ensure at least one backup copy is air-gapped or immutable (cannot be modified or deleted, even by an administrator account), and keep the backup system off the domain with its own credentials; ransomware crews routinely wipe every backup they can reach with the admin password they stole
  • Test restores quarterly and time them: backups you can't restore from are worthless, and a restore that takes a week is a week of downtime
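"Test restores" means more than confirming the backup job reported success. The script below is an added example, not from this checklist and not any backup product's code: it backs up a directory to a tar archive, writes a SHA-256 manifest beside it, restores the archive somewhere else, and reports every file that is missing, corrupt, or unexpected. The sample files are constructed in a temporary directory; point create_backup at a real share to use the same check on your own data, and note that the archive and manifest locations used here are assumptions.

```python
"""Restore test for a compressed tar backup: back up a directory, restore it
somewhere else, and prove every file came back byte-for-byte by comparing
against a SHA-256 manifest written at backup time.

Added example, not from the checklist. The files it backs up are constructed
in a temporary directory; point `create_backup` at a real share to use it.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    # Assumed convention: manifest lives next to the archive it describes.
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write source to archive (tar.gz) plus a manifest file next to it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, restore_dir: Path) -> dict[str, list[str]]:
    """Extract archive into restore_dir and diff it against the manifest.

    Returns the paths that are missing, that restored with different content
    (corrupt), and that appeared without being in the manifest (unexpected).
    A passing restore test is all three lists empty.
    """
    expected = json.loads(manifest_path(archive).read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and patched 3.8-3.11): refuse members that would
            # write outside restore_dir, e.g. ../../etc/passwd in a hostile archive.
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    actual = build_manifest(restore_dir)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupt": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def run_restore_test(tamper: bool = False) -> dict[str, list[str]]:
    """End-to-end demo on constructed sample data.

    With tamper=True the archive is rewritten after the manifest was taken,
    standing in for a backup that was silently corrupted or altered; the
    verify step must report the changed file rather than a clean pass.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "fileserver"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (source / "notes.txt").write_text("constructed sample file\n")
        archive = base / "fileserver.tar.gz"
        create_backup(source, archive)
        if tamper:
            (source / "notes.txt").write_text("content changed after backup\n")
            with tarfile.open(archive, "w:gz") as tar:
                tar.add(source, arcname=".")
        return verify_restore(archive, base / "restore-test")


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("tampered archive:", run_restore_test(tamper=True))
```

Store the manifest with the immutable copy, not only on the server being backed up; if ransomware can rewrite the data it can rewrite a manifest that sits next to it, and the tamper case above shows why an independent record of what the files hashed to at backup time is what turns a restore into a verified restore.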

Tier 2: Strengthen Your Defenses

Once the non-negotiables are in place, these measures significantly reduce your attack surface.

Patch Management

What: A systematic process for applying security updates to operating systems, applications, and firmware within days of release — not weeks or months.

Why it matters: Known vulnerabilities with available patches are among the most exploited attack vectors. Attackers scan for unpatched systems constantly, and exploit code is often available within days of a vulnerability disclosure.

Action items:

  • Enable automatic updates for operating systems and browsers
  • Patch critical vulnerabilities within 72 hours of release, starting with internet-facing systems and anything listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, since those are the bugs already being used in the wild
  • Include network equipment (firewalls, switches, routers) in your patching process
  • Track and update third-party applications (Adobe, Java, Zoom, etc.)

Access Control and Least Privilege

What: Ensure every user has only the access they need to do their job — nothing more. Admin rights should be limited to IT staff who actually need them.

Why it matters: When an attacker compromises a user account, they inherit that user’s permissions. If your accounting clerk has domain admin rights (it happens more than you’d think), a phishing email can give an attacker the keys to your entire network.

Action items:

  • Audit user permissions across all systems — remove unnecessary access
  • Remove local admin rights from standard user accounts
  • Implement role-based access control (RBAC) for business applications
  • Review and revoke access immediately when employees leave or change roles
  • Use separate admin accounts for IT staff (don’t browse the web with admin credentials)
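The audit items above are easy to state and tedious to do by hand across a few hundred accounts. The script below is an added example, not from this checklist and not a directory vendor's tool: it runs the checks (non-IT users in privileged groups, terminated employees still enabled, privileged accounts with a mailbox, dormant accounts) over a constructed user export. The export format, one dict per account with the fields shown, is an assumption standing in for whatever your directory or HR system produces; the group names are the built-in Active Directory ones.

```python
"""Flag the privileged-access problems a permissions audit looks for, over a
constructed user export.

Added example, not from the checklist. The export format (one dict per
account) is an assumption; the group names are Active Directory built-ins.
"""
from __future__ import annotations

PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}
STALE_DAYS = 90          # an enabled account unused this long is a dormant door
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def audit_accounts(accounts: list[dict]) -> list[dict]:
    """Return findings sorted by severity, one dict per problem found."""
    findings = []

    def flag(account: dict, severity: str, issue: str) -> None:
        findings.append({"user": account["sam"], "severity": severity, "issue": issue})

    for acct in accounts:
        privileged = sorted(PRIVILEGED_GROUPS & set(acct["groups"]))
        if acct["status"] == "terminated" and acct["enabled"]:
            flag(acct, "high", "terminated employee still has an enabled account")
        if privileged and acct["department"] != "IT":
            flag(acct, "high", f"non-IT user holds {', '.join(privileged)}")
        if privileged and acct["has_mailbox"]:
            flag(acct, "medium", "privileged account has a mailbox; daily work belongs on a separate standard account")
        if acct["enabled"] and acct["last_logon_days"] > STALE_DAYS:
            # A dormant admin account is a far bigger problem than a dormant user.
            flag(acct, "high" if privileged else "low",
                 f"no logon in {acct['last_logon_days']} days")
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["user"]))


# Constructed export for demonstration; none of these are real people or systems.
SAMPLE_EXPORT = [
    {"sam": "jsmith", "department": "Accounting", "status": "active", "enabled": True,
     "groups": ["Domain Users", "Domain Admins"], "has_mailbox": True, "last_logon_days": 1},
    {"sam": "kpatel", "department": "IT", "status": "active", "enabled": True,
     "groups": ["Domain Users"], "has_mailbox": True, "last_logon_days": 0},
    {"sam": "adm-kpatel", "department": "IT", "status": "active", "enabled": True,
     "groups": ["Domain Admins"], "has_mailbox": False, "last_logon_days": 2},
    {"sam": "bwong", "department": "Sales", "status": "terminated", "enabled": True,
     "groups": ["Domain Users"], "has_mailbox": True, "last_logon_days": 140},
    {"sam": "adm-legacy", "department": "IT", "status": "active", "enabled": True,
     "groups": ["Administrators"], "has_mailbox": False, "last_logon_days": 230},
]


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_EXPORT):
        print(f"[{finding['severity']:<6}] {finding['user']}: {finding['issue']}")
```

In the sample, kpatel and adm-kpatel are the pattern the last action item describes (a standard account with the mailbox, a separate admin account without one) and produce no findings; jsmith is the accounting clerk with domain admin. Run the same checks against a real export on a schedule, and treat any account that appears in the terminated list as a same-day fix, not a quarterly one.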

Security Awareness Training

What: Regular, ongoing training that teaches employees to recognize phishing, social engineering, and other common attack techniques.

Why it matters: Technology can catch most threats, but the ones that get through rely on human error — clicking a link, opening an attachment, sharing credentials. Trained employees are your last line of defense.

Cost: $1–$5/user/month for security awareness platforms with simulated phishing.

Action items:

  • Implement a security awareness program with monthly or quarterly training
  • Run simulated phishing campaigns to test and reinforce training
  • Track completion rates and phishing test results by department
  • Make training engaging and practical — not checkbox compliance exercises

Firewall and Network Security

What: A properly configured business-grade firewall at your network perimeter, with intrusion prevention and content filtering enabled.

Why it matters: Your firewall is the front door to your network. A consumer-grade router or a misconfigured firewall provides minimal protection against modern threats.

Action items:

  • Deploy a business-grade firewall (not a consumer router) with active security subscriptions
  • Enable intrusion prevention (IPS) and content filtering
  • Segment your network — keep guest Wi-Fi, IoT devices, and sensitive systems on separate VLANs
  • Review firewall rules quarterly and remove unnecessary open ports
  • Enable logging, ship the logs off the firewall to a collector or SIEM, and retain them for at least 90 days; an attacker who controls the device can erase local logs, and incident responders need history from before the intrusion was noticed
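A quarterly rule review is where most small-business firewalls turn out to have an "allow any" someone added during an outage and never removed. The script below is an added example, not from this checklist and not any firewall vendor's tool: it reviews a constructed rule base for any-to-any allows, management ports exposed to the internet, rules that can never match because an earlier rule already covers them, and rules with no hits in 90 days. The field names (src, dst, proto, dport, hits_90d) and first-match-wins ordering are assumptions about your firewall's export format.

```python
"""Review a firewall rule base for the problems a quarterly review should
catch: any-to-any allows, internet-exposed admin ports, rules shadowed by
an earlier rule, and rules with no hits in 90 days.

Added example, not from the checklist. The rule dicts are constructed and
their field names are an assumption about your export format; rules are
evaluated top-down, first match wins.
"""
from __future__ import annotations

import ipaddress

# Services that should never be reachable from the internet directly.
RISKY_INBOUND = {22: "SSH", 23: "Telnet", 135: "RPC", 139: "NetBIOS", 445: "SMB",
                 1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5900: "VNC"}


def net_covers(outer: str, inner: str) -> bool:
    """True if address spec `outer` contains all of `inner` ('any' is a wildcard)."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(outer, strict=False).supernet_of(
        ipaddress.ip_network(inner, strict=False))


def covers(earlier: dict, later: dict) -> bool:
    """True if every packet `later` would match is already decided by `earlier`."""
    return (net_covers(earlier["src"], later["src"])
            and net_covers(earlier["dst"], later["dst"])
            and earlier["proto"] in ("any", later["proto"])
            and earlier["dport"] in ("any", later["dport"]))


def review_rules(rules: list[dict]) -> list[dict]:
    """Return one finding dict per problem, in rule order."""
    findings = []

    def flag(rule: dict, severity: str, issue: str) -> None:
        findings.append({"rule": rule["id"], "severity": severity, "issue": issue})

    for index, rule in enumerate(rules):
        is_allow = rule["action"] == "allow"
        if is_allow and rule["src"] == "any" and rule["dst"] == "any" and rule["dport"] == "any":
            flag(rule, "critical", "allows any source to any destination on every port")
        if is_allow and rule["src"] == "any" and rule["dport"] in RISKY_INBOUND:
            flag(rule, "high", f"{RISKY_INBOUND[rule['dport']]} (tcp/{rule['dport']}) open to the internet; move it behind the VPN")
        shadow = next((r for r in rules[:index] if covers(r, rule)), None)
        if shadow is not None:
            flag(rule, "medium", f"never matches: rule {shadow['id']} ({shadow['action']}) already covers it")
        elif rule["hits_90d"] == 0:
            flag(rule, "low", "no hits in 90 days; confirm it is still needed, then remove it")
    return findings


# Constructed rule base for demonstration (RFC 5737 / private addresses only).
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "src": "any", "dst": "10.0.1.20", "proto": "tcp", "dport": 443, "hits_90d": 120000},
    {"id": 20, "action": "allow", "src": "any", "dst": "10.0.1.30", "proto": "tcp", "dport": 3389, "hits_90d": 800},
    {"id": 30, "action": "allow", "src": "203.0.113.5", "dst": "10.0.1.20", "proto": "tcp", "dport": 443, "hits_90d": 0},
    {"id": 40, "action": "allow", "src": "10.0.2.0/24", "dst": "10.0.1.40", "proto": "tcp", "dport": 5432, "hits_90d": 0},
    {"id": 50, "action": "allow", "src": "any", "dst": "any", "proto": "any", "dport": "any", "hits_90d": 300},
    {"id": 60, "action": "deny", "src": "any", "dst": "any", "proto": "any", "dport": "any", "hits_90d": 5000},
]


if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(f"[{finding['severity']:<8}] rule {finding['rule']}: {finding['issue']}")
```

Rule 60 in the sample is the instructive one: it is the default deny, and it is reported as shadowed because rule 50, the any-to-any allow above it, means it can never fire. A rule base can look like it ends in "deny everything" and still be wide open, which is why the review has to consider order and not just the list of rules.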

Tier 3: Mature Your Security Program

These measures build on the foundation above and are especially important for businesses in regulated industries or those handling sensitive data.

Vulnerability Scanning

Run regular vulnerability scans against your network and web applications to identify weaknesses before attackers do. Start with quarterly external scans and monthly internal scans, and use authenticated (credentialed) scans internally where you can: an unauthenticated scan sees only what a stranger on the network sees and misses most missing patches.

Incident Response Plan

Document what to do when (not if) a security incident occurs. Who makes decisions? Who communicates with customers? Who contacts law enforcement and your insurer? What are the first technical steps? Having this written down and rehearsed saves critical hours during an actual incident. Keep a printed copy and out-of-band contact details (personal phones, your IT provider's hotline), because the first things an incident may take away are your email and your file server.

Cyber Insurance

Evaluate cyber insurance to cover the costs of a breach: legal fees, notification costs, forensics, business interruption, and potential regulatory fines. Premiums have risen sharply, but so have breach costs. Insurers increasingly require the Tier 1 controls above (MFA, EDR, tested offline backups) before they will write or renew a policy, and an inaccurate answer on the application can void coverage, so the checklist doubles as your application homework.

Compliance Alignment

If your industry has compliance requirements (HIPAA, PCI DSS, SOC 2, CMMC), map your security controls to the relevant framework. Many of the measures above directly address common compliance requirements.

Vendor Security Assessment

Evaluate the security posture of your critical vendors and service providers. Your security is only as strong as the weakest link in your supply chain. Ask for their SOC 2 report or a completed security questionnaire, confirm they use MFA on any account that touches your systems, and grant them the least access they need: a vendor's remote-access account becomes an attacker's remote-access account the day the vendor is breached.

Where to Start

If this list feels overwhelming, here’s the shortest path to meaningful improvement:

  1. Enable MFA everywhere — this week
  2. Deploy email security — this month
  3. Ensure backups are working and tested — this month
  4. Deploy EDR on all endpoints — within 60 days
  5. Start security awareness training — within 90 days

Those five steps, properly implemented, address the majority of attack vectors used against small and mid-sized businesses.

Need Help Prioritizing?

Every business has a different starting point and different risk profile. If you’re not sure where your biggest gaps are, a security assessment can give you a clear picture of your current posture and a prioritized action plan. We help businesses implement these measures with the right tools for their size and budget — not oversized enterprise solutions that cost more than they need to.
