The Ultimate Small Business IT Security Checklist

Cybersecurity can feel overwhelming, but most breaches exploit the same handful of basics. Get these right and you're already ahead of the majority of businesses. Here's a practical checklist you can work through.

Accounts and access

• Multi-factor authentication (MFA) enabled on email, cloud apps and remote access.
• Strong, unique passwords - ideally via a password manager.
• Least-privilege access - staff only have what they need.
• Admin accounts are separate from everyday accounts.
• Leavers' accounts are disabled promptly when staff depart.

Devices and software

• Automatic updates enabled across operating systems and apps - see patch management.
• Endpoint protection installed on every device - more on endpoint protection vs antivirus.
• Disk encryption (BitLocker / FileVault) on laptops.
• No unsupported software still in use (e.g. end-of-life systems).

Email and the human layer

• Email filtering to block spam and malicious messages.
• Staff trained to spot phishing.
• Payment-change verification process in place to stop fraud.

Network

• Business-grade firewall in place and configured.
• Secure, separate Wi-Fi for guests.
• Remote access secured with MFA and VPN where needed - see remote working security.

Data and recovery

• Backups following the 3-2-1 rule.
• Backups tested regularly - an untested backup is just a hope.
• A disaster recovery plan documented - see business continuity planning.

Policies and compliance

• Acceptable use and security policies written and shared.
• GDPR obligations understood - see GDPR and IT.
• Consider Cyber Essentials certification - see our guide.

The bottom line

You don't have to do everything at once - work top to bottom and you'll close the biggest gaps first. If you'd like a hand auditing your setup against this list, request a callback and we'll review it with you, or explore our IT support service.