Checklist · 8 min read · Updated May 2026

Small business cybersecurity checklist for 2026.

This list isn't about scaring you into buying things. It's the 12 things we actually configure for every small business client during onboarding, in priority order. If you've got 6 of these, you're ahead of most SMBs. If you've got 10+, you're better off than a lot of mid-market companies.

Quick filter: if you store credit cards, health records, legal documents, or financial data, treat items 1–8 as non-negotiable. Items 9 onward are "you should, when you can."

The 12 essentials

  1. Multi-factor authentication on every business account. Email, banking, payroll, point-of-sale admin, every SaaS tool with admin access. The single highest-impact security control. Use an authenticator app (Microsoft, Google, or 1Password) — SMS is better than nothing, but app-based is meaningfully stronger, and where a service offers passkeys or a hardware security key, use those: they can't be phished, because the credential is bound to the real site.
  2. A real password manager rolled out to your team. 1Password Business, Bitwarden Teams, Dashlane Business. Pick one, enforce its use, kill the spreadsheet of passwords. The point isn't password complexity — it's eliminating reuse.
  3. Automated cloud backups for every device that holds business data. Not "we have OneDrive." Actual versioned backup with a 30-day retention window so you can recover from ransomware that took a few days to discover. The backup copy must not be deletable with the same login a workstation or synced drive uses; ransomware encrypts or wipes everything it can reach, so keep at least one copy that is immutable or offline. Test the restore process at least once a year.
  4. Endpoint protection on every laptop and workstation. Windows Defender for Business or a similar endpoint security tool. Configured to actually update and to report to a central console, so a machine whose agent is out of date or switched off gets noticed, not just installed and forgotten.
  5. A separate guest Wi-Fi network. Customers, vendors, the kid working part-time — none of them need to be on the same network as your POS, your file server, or your office printer. Trivial to set up; massively reduces blast radius.
  6. An offboarding checklist for departing employees. Disable accounts, sign out active sessions and revoke MFA registrations, change any shared passwords they knew, recover devices, and set up mailbox forwarding or transfer ownership. Most "small business breach" stories start with an old account that nobody disabled.
  7. Phishing training for the whole team — once. Not a quarterly subscription, not a fear-based drip campaign. Once. A 30-minute "here's what these emails look like and what to do when you see one" session, with a simple internal protocol: when in doubt, forward to the owner.
  8. Encryption on company laptops. BitLocker on Windows (it requires Windows Pro or Business; Home only gets the more limited "device encryption" on some hardware), FileVault on macOS. Both are built in at no extra cost. Store the recovery keys somewhere you control (Microsoft 365/Intune, Apple Business Manager, or the password manager), because a lost key means a lost disk. The difference between "lost laptop" and "data breach" is whether it was encrypted.
  9. Domain DNS records configured for email (SPF, DKIM, DMARC). SPF lists which servers may send mail as your domain, DKIM signs the mail so receivers can verify it wasn't altered, and DMARC tells receivers what to do with mail that fails both and where to send reports. Together they stop bad actors from spoofing your domain to phish your customers, and they improve your own email deliverability. It's mostly set-and-forget, with two caveats: add every new sending service (newsletter tool, invoicing app) to SPF when you adopt it, and start DMARC at p=none with a reporting address, then move to quarantine and finally reject once the reports show only legitimate senders.
  10. Admin accounts separated from daily-use accounts. The owner shouldn't be using a global-admin Microsoft 365 account to read email. Daily account = limited permissions. Admin tasks = a separate, MFA-protected account.
  11. A documented incident-response basics page. One page. Who to call, what to do if you click a phishing link, where the backups are, who has admin access. Stick it on the office bulletin board. The point is that if something goes wrong at 9pm Saturday, the on-shift manager doesn't have to figure it out from scratch.
  12. Vendor and SaaS audit, once a year. List every tool you pay for. Cancel the ones you don't use. For each one that touches customer data, confirm MFA is enforced and admin access is locked down. This takes two hours and saves a startling amount of money.
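A quick way to check item 9 without guessing: the script below is an added example, not part of the original checklist or any vendor's tooling. It takes the SPF, DMARC and DKIM TXT records as strings (the sample records in it are constructed for the example; fetch your own with `dig TXT yourdomain.com`, `dig TXT _dmarc.yourdomain.com` and `dig TXT <selector>._domainkey.yourdomain.com`) and flags the weak settings that make the records pointless: a neutral or open SPF, a DMARC policy stuck on monitoring, no reporting address, a DKIM key in testing mode.

```python
"""Offline sanity checks for a domain's SPF, DMARC and DKIM TXT records.

Added example (not the checklist author's code). Paste in the record strings
you get back from `dig TXT`; nothing here touches the network.
"""
import re
from typing import Optional


def parse_spf(txt: str) -> dict:
    """Summarise an SPF record: the 'all' qualifier and how many DNS lookups it costs."""
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return {"valid": False, "reason": "record does not start with v=spf1"}
    mechanisms = parts[1:]
    all_qual = None
    for m in mechanisms:
        if m.lower().lstrip("+-~?") == "all":
            all_qual = m[0] if m[0] in "+-~?" else "+"   # no qualifier means '+'
    # include:, a, mx, ptr, exists: and redirect= each cost a DNS lookup; RFC 7208 caps that at 10
    lookup_re = re.compile(r"^[+\-~?]?(include:|a\b|a:|mx\b|mx:|ptr\b|ptr:|exists:|redirect=)", re.I)
    lookups = sum(1 for m in mechanisms if lookup_re.match(m))
    return {"valid": True, "all": all_qual, "lookups": lookups, "mechanisms": mechanisms}


def spf_findings(txt: str) -> list:
    info = parse_spf(txt)
    if not info["valid"]:
        return [info["reason"]]
    out = []
    if info["all"] is None:
        out.append("no 'all' mechanism: record does not say what happens to unlisted senders")
    elif info["all"] == "+":
        out.append("'+all' authorises every host on the internet to send as you")
    elif info["all"] == "?":
        out.append("'?all' is neutral; use '~all' (softfail) or '-all' (fail)")
    if info["lookups"] > 10:
        out.append(f"{info['lookups']} lookup mechanisms; receivers stop at 10 and return permerror")
    return out


def parse_tags(txt: str) -> dict:
    """Parse a 'k=v; k=v' tag list as used by DMARC and DKIM records."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_findings(txt: Optional[str]) -> list:
    if not txt:
        return ["no DMARC record: receivers will not enforce SPF/DKIM alignment for your domain"]
    tags = parse_tags(txt)
    out = []
    if tags.get("v", "").upper() != "DMARC1":
        out.append("record does not start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        out.append("missing or invalid p= tag")
    elif policy == "none":
        out.append("p=none only monitors; move to quarantine, then reject, once reports look clean")
    if "rua" not in tags:
        out.append("no rua= address: you will never see the reports that show who is sending as you")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        out.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return out


def dkim_findings(txt: Optional[str]) -> list:
    if not txt:
        return ["no DKIM record at that selector: outgoing mail is not being signed"]
    tags = parse_tags(txt)
    out = []
    if not tags.get("p"):
        out.append("empty p= tag: the key has been revoked, so signatures will not verify")
    if "y" in tags.get("t", "").lower().split(":"):
        out.append("t=y: key is in testing mode, receivers are told to ignore failures")
    return out


# Constructed sample records for the example; not any real domain's records.
SAMPLE_SPF_WEAK = "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ?all"
SAMPLE_SPF_OK = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"
SAMPLE_DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
SAMPLE_DKIM_OK = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleKey"


def audit(spf: str, dmarc: Optional[str], dkim: Optional[str]) -> dict:
    """Run all three checks; an empty list under a key means that record passed."""
    return {"spf": spf_findings(spf), "dmarc": dmarc_findings(dmarc), "dkim": dkim_findings(dkim)}


if __name__ == "__main__":
    for label, recs in (("weak", (SAMPLE_SPF_WEAK, SAMPLE_DMARC_WEAK, None)),
                        ("ok", (SAMPLE_SPF_OK, SAMPLE_DMARC_OK, SAMPLE_DKIM_OK))):
        print(label, audit(*recs))
```

Run it against the two sample sets and the "weak" set produces exactly the findings a cheap spoofing attack relies on: a neutral `?all`, a DMARC policy of `p=none` with no reporting address, and no DKIM key at all. Once your real records come back with empty lists under all three keys, item 9 is done until the next time you add a sending service.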

What's not on this list (and why)

You'll notice we didn't include "buy a SOC service" or "deploy a SIEM" or "schedule quarterly penetration testing." Those are real controls, but they're not where small businesses get value first. Items 1–12 above close off the entry points behind the large majority of real-world small-business breaches: stolen or reused passwords, unpatched or unprotected machines, spoofed email, and forgotten accounts. Anything beyond that has diminishing returns until those are in place.

If you're in healthcare, legal, or financial services with specific compliance requirements, the calculus changes — talk to a specialist. For everyone else: get the 12 above in place and you're doing more than most.

The order of operations

If you do nothing else this week, do MFA (#1) and a password manager (#2). Those two cover the entry vectors for the vast majority of small-business breaches. Then add backup (#3) within the month. Then work down the list at whatever pace makes sense.

Or hand the list to us and we'll knock it out as part of a one-time setup engagement.

→ Free download

Get the cybersecurity checklist as a printable PDF.

12 essentials, in priority order. Drop your email and we'll send the link.

Want us to knock this list out for you?

Book a 15-min call →