Most small business cybersecurity checklists are either too vague to be useful ("use strong passwords") or too exhaustive to be practical (200 NIST controls translated into corporate jargon). Neither helps a 15-person company with limited time and no security team.
This checklist is different. It's 25 controls, grouped into four tiers, ordered by impact. Start at Tier 1 and work down. If your business is in Tier 1 territory, fixing those five items will block roughly 80% of the attacks that actually hit small businesses today.
How to Use This Checklist
Print it. Hand it to whoever handles your IT (internal staff, an MSP, or the founder who's been doing it on the side). Tick boxes. Track progress monthly.
The goal is not perfection — it's defensible. If you can show that you have working controls across each tier, you're ahead of 90% of SMBs and most cyber insurance underwriters will be willing to write you a policy.
Tier 1 — Stop the Bleeding (Week 1)
If you do nothing else, do these. They block 80% of common attacks.
- Turn on multi-factor authentication (MFA) for email, banking, and all admin accounts
- Deploy a modern endpoint security tool (EDR — not just antivirus) on every device
- Enable automatic OS and browser updates on all computers and servers
- Enforce a unique, strong password for every account (use a password manager)
- Confirm you have working backups of email and business-critical data
Tier 2 — Build the Walls (Month 1)
Layered defences that catch what slips past Tier 1.
- Filter inbound email for phishing, malware, and impersonation attempts
- Restrict administrator privileges — most staff don't need admin rights
- Lock down remote access (VPN with MFA, no exposed RDP)
- Implement DNS-level web filtering to block malicious sites
- Enable login alerts and impossible-travel detection on M365 or Google Workspace
- Encrypt laptops and mobile devices (BitLocker, FileVault, MDM)
- Document an incident response plan — even a one-page summary is better than nothing
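The impossible-travel item above is the one Tier 2 control whose logic is worth seeing spelled out: the platform compares each sign-in with the user's previous one and flags a pair that would have required travelling faster than any aircraft. The script below is an added illustration of that rule, written for this checklist and not taken from Microsoft or Google; the sign-in records, field names and IP addresses are constructed, and real M365 or Workspace exports use their own schemas and supply the geolocation from their own IP lookup.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events. The field names are invented for this example
# and do not match the real M365 or Google Workspace export schemas.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00Z", "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278},   # London
    {"user": "alice@example.com", "time": "2024-05-01T09:30:00Z", "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060},  # New York, 90 min later
    {"user": "bob@example.com",   "time": "2024-05-01T08:00:00Z", "ip": "203.0.113.20", "lat": 51.5074, "lon": -0.1278},   # London
    {"user": "bob@example.com",   "time": "2024-05-01T17:00:00Z", "ip": "203.0.113.21", "lat": 53.4808, "lon": -2.2426},   # Manchester, 9 h later
]

# Airliner cruising speed is roughly 900 km/h; a faster implied speed between two
# sign-ins means the same credential was used from two places at once.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_time(stamp):
    """Parse the constructed ISO-8601 UTC timestamps used in SAMPLE_SIGNINS."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive sign-in pair whose implied speed exceeds max_kmh."""
    alerts = []
    last_seen = {}  # user -> that user's previous sign-in, in time order
    for event in sorted(events, key=lambda e: (e["user"], parse_time(e["time"]))):
        prev = last_seen.get(event["user"])
        if prev is not None:
            distance_km = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            hours = (parse_time(event["time"]) - parse_time(prev["time"])).total_seconds() / 3600.0
            if hours == 0:
                # Simultaneous sign-ins: impossible unless the distance is also zero
                # (same location, e.g. a token refresh a second after the login).
                speed_kmh = math.inf if distance_km > 0 else 0.0
            else:
                speed_kmh = distance_km / hours
            if speed_kmh > max_kmh:
                alerts.append({
                    "user": event["user"],
                    "from_ip": prev["ip"],
                    "to_ip": event["ip"],
                    "distance_km": round(distance_km),
                    "hours": round(hours, 2),
                    "speed_kmh": speed_kmh if speed_kmh == math.inf else round(speed_kmh),
                })
        last_seen[event["user"]] = event
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"ALERT {alert['user']}: {alert['distance_km']} km in {alert['hours']} h "
              f"({alert['speed_kmh']} km/h) from {alert['from_ip']} to {alert['to_ip']}")
```

On the constructed data, Alice's London-to-New York pair (about 5,570 km in 90 minutes) is flagged and Bob's London-to-Manchester commute is not. When you turn the real detection on, expect some false positives from VPN exit nodes and mobile carriers that geolocate far from the user; the threshold and the exceptions are what you tune, not the rule itself.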
Tier 3 — Train the People (Month 2)
Tools fail when people click. Training closes the human gap.
- Roll out monthly security awareness training (15-min modules)
- Run quarterly phishing simulations — measure click-through rate
- Create a clear policy for reporting suspicious emails and incidents
- Train executives separately on whaling and CEO-fraud tactics
- Cover safe remote work practices (home Wi-Fi, public networks, BYOD)
Tier 4 — Prove and Improve (Month 3 onwards)
Move from reactive to managed. Measure, monitor, and refine.
- Stand up 24/7 monitoring (in-house SOC, outsourced MDR, or both)
- Run quarterly vulnerability scans on external and internal systems
- Test your backups by performing a full restore — at least twice a year
- Maintain an asset inventory (devices, users, SaaS apps)
- Review user access quarterly — remove ex-employees and dormant accounts
- Map your security controls to a framework (CIS Controls v8 is a great SMB starting point)
- Consider cyber insurance — but make sure you can meet the renewal requirements
- Schedule an annual third-party security assessment
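"Test your backups by performing a full restore" means more than watching the backup job report success: restore into a clean location and check that every file came back byte for byte. The script below is an added example written for this checklist (not a vendor tool and not part of the original page) of what such a restore drill checks. It backs up a small constructed data tree to a tar archive, restores it somewhere fresh, compares SHA-256 hashes of the two trees, and then shows that a silently corrupted restored file is reported. The sample files and directory names are constructed; point `restore_drill` at your own data and a scratch directory to run it for real.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path) -> None:
    """Stand-in for the real backup job: a compressed tar of the source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore(archive: Path, target: Path) -> None:
    """Restore into a fresh directory, never over the live data."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Reject path-traversal and other hostile members (Python 3.12+,
            # also backported to later patch releases of 3.8 through 3.11).
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def compare(expected: dict, restored: dict) -> list:
    """List files that are missing, changed, or unexpected after the restore."""
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def restore_drill(source: Path, work: Path) -> dict:
    """Back up source, restore into work/restored, and compare the two trees."""
    work.mkdir(parents=True, exist_ok=True)
    expected = manifest(source)
    backup(source, work / "backup.tar.gz")
    restore(work / "backup.tar.gz", work / "restored")
    problems = compare(expected, manifest(work / "restored"))
    return {"files_checked": len(expected), "problems": problems, "passed": not problems}


def demo_drill() -> dict:
    """Run the drill on a constructed sample tree, then show a corrupted restore being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"  # constructed "business-critical" data
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "invoices-2024.csv").write_text("id,amount\n1,100\n")
        (src / "contracts.txt").write_text("signed\n")

        clean = restore_drill(src, tmp / "drill_ok")

        # Failure mode: the restore "succeeds" but one file comes back empty.
        corrupt_work = tmp / "drill_bad"
        restore_drill(src, corrupt_work)
        (corrupt_work / "restored" / "contracts.txt").write_text("")
        corrupt_problems = compare(manifest(src), manifest(corrupt_work / "restored"))

        return {"clean": clean, "corrupt_problems": corrupt_problems}


if __name__ == "__main__":
    result = demo_drill()
    print("clean drill:", result["clean"])
    print("corrupted restore reported:", result["corrupt_problems"])
```

Record the `files_checked` count and the (hopefully empty) problem list each time you run the drill; that log is the evidence an insurer or assessor will ask for when they want proof the backups actually restore.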
What This Checklist Doesn't Cover
This list covers the controls that block commodity threats — the attacks every SMB faces. It does not cover industry-specific compliance (HIPAA, PCI-DSS, SOC 2, ISO 27001) or advanced threats targeting specific businesses.
If your business handles patient data, payment card data, or you sell into enterprise customers who require security attestations, you'll need more than this. That's where a vCISO engagement can help bridge the gap.
The Bottom Line
Cybersecurity for small business is not about doing everything. It's about doing the right things in the right order. The companies that get breached are rarely the ones who tried and failed — they're the ones who never tried at all.
Pick a tier. Start ticking boxes. Come back next month.