Small Business Cybersecurity Checklist 2026

By Type 5 Technology Team · Published March 15, 2026 · Updated April 2026

Cybersecurity is not just for enterprises anymore. Small businesses are targeted more frequently precisely because attackers know their defenses are weaker. According to the Cybersecurity and Infrastructure Security Agency (CISA), small businesses are disproportionately affected by cyberattacks because they lack the resources and expertise that larger organizations dedicate to security.

This checklist covers the 20 most important cybersecurity measures every small business should have in place. It is based on the NIST Cybersecurity Framework and adapted for businesses with 10 to 200 employees. No measure on this list requires enterprise-level budgets — they are all achievable for small businesses.

Identity and Access Controls

1. Enable Multi-Factor Authentication (MFA) on Every Account

MFA requires a second form of verification — typically a code from an authenticator app — in addition to a password. According to Microsoft, MFA blocks over 99.9% of account compromise attacks. Enable it on email, cloud storage, VPN, banking, payroll, and every other business application that supports it. Use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS codes.

2. Enforce Strong Password Policies

Require passwords of at least 14 characters. Encourage passphrases instead of complex character combinations — "correct horse battery staple" is stronger and more memorable than "P@55w0rd!". Prohibit password reuse across accounts. Consider a business password manager to make this practical.
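As an added illustration of the policy above (this is example code written for this page, not a tool from Type 5 Technology), the checker below enforces the 14-character minimum, flags reuse across accounts, and generates a passphrase with a cryptographically secure random source. The wordlist is a constructed stand-in; a real deployment would use a published diceware list of several thousand words, and the reuse fingerprints are assumed to live in a password manager's reuse index, not in an authentication database (where a slow hash such as bcrypt or Argon2 would be required).

```python
import hashlib
import secrets

MIN_LENGTH = 14            # minimum length from the checklist
WORDS_PER_PASSPHRASE = 4   # "correct horse battery staple" style

# Constructed mini wordlist for illustration only.
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "velvet",
            "canyon", "lantern", "meadow", "pixel", "quartz", "timber"]


def fingerprint(password: str) -> str:
    """SHA-256 fingerprint used only to spot the same password on two accounts.
    Assumption: these live in a password manager's reuse index, never in the
    login database, which must use a slow, salted hash instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, used_fingerprints: set) -> list:
    """Return the policy violations for `candidate`; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if fingerprint(candidate) in used_fingerprints:
        problems.append("reused from another account")
    return problems


def generate_passphrase(words: int = WORDS_PER_PASSPHRASE) -> str:
    """Build a space-separated passphrase using the CSPRNG-backed `secrets` module."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    print(check_password("P@55w0rd!", set()))                  # fails on length
    print(check_password("correct horse battery staple", set()))  # passes
    print(generate_passphrase())
```

Four words from a 7,776-word diceware list give roughly 51 bits of entropy; the checker does not try to estimate entropy because length plus a random source is the enforceable part of the policy.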

3. Implement Least-Privilege Access

Every employee should have access only to the systems and data they need for their role — nothing more. Admin access should be limited to the people who actually need it. When an employee changes roles or leaves the company, update their access immediately. This limits the damage if any single account is compromised.

4. Separate Admin Accounts from Daily-Use Accounts

IT administrators should use a separate admin account for administrative tasks and a standard account for email and daily work. If a phishing attack compromises their daily account, the attacker does not get admin-level access to your entire environment.

5. Disable Accounts Immediately When Employees Leave

When someone leaves your company, disable their accounts the same day — email, VPN, cloud applications, everything. Former employees with active credentials are a security risk whether they intend to be or not.
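Items 3, 4 and 5 are all questions you can ask of an account inventory. The access review below is an added example for this page (not Type 5 Technology's tooling) that runs over a constructed list of employees and accounts and reports the three failure modes: a departed employee whose account is still enabled, an admin role held by someone outside the approved list, and an admin role sitting on a mailbox account that is also used for daily work. The data classes, role names and the approved-admin set are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Employee:
    name: str
    left_on: Optional[date]   # None while still employed


@dataclass
class Account:
    username: str
    owner: str                # employee the account belongs to
    enabled: bool
    roles: set                # e.g. {"user"} or {"user", "global_admin"}
    has_mailbox: bool         # a mailbox marks a daily-use account


# Constructed sample data (not from any real directory)
EMPLOYEES = [
    Employee("Alice Rivera", None),
    Employee("Bob Chen", date(2026, 3, 1)),       # left the company on 1 March
    Employee("Dana Okafor", None),
]
ACCOUNTS = [
    Account("alice", "Alice Rivera", True, {"user"}, True),
    Account("alice-admin", "Alice Rivera", True, {"user", "global_admin"}, False),
    Account("bob", "Bob Chen", True, {"user"}, True),                      # never disabled
    Account("dana", "Dana Okafor", True, {"user", "global_admin"}, True),  # admin on a mail account
]
APPROVED_ADMINS = {"Alice Rivera"}   # people who actually need admin rights


def review_access(accounts, employees, approved_admins, today):
    """Return (username, finding) pairs for every account that violates items 3 to 5."""
    departed = {e.name for e in employees if e.left_on is not None and e.left_on <= today}
    findings = []
    for acct in accounts:
        admin_roles = acct.roles - {"user"}
        if acct.enabled and acct.owner in departed:
            findings.append((acct.username, "departed employee still enabled"))
        if admin_roles and acct.owner not in approved_admins:
            findings.append((acct.username, "admin role not on the approved list"))
        if admin_roles and acct.has_mailbox:
            findings.append((acct.username, "admin role on a daily-use (mailbox) account"))
    return findings


if __name__ == "__main__":
    for username, finding in review_access(ACCOUNTS, EMPLOYEES, APPROVED_ADMINS, date(2026, 3, 15)):
        print(f"{username}: {finding}")
```

Run this against an export from your directory on a schedule; the same-day offboarding rule in item 5 becomes a check that should return nothing rather than a task someone has to remember.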

Endpoint Protection

6. Deploy Endpoint Detection and Response (EDR)

Traditional antivirus is not enough. Modern EDR solutions monitor endpoint behavior in real time, detect suspicious activity, and can automatically isolate compromised devices. Every workstation, laptop, and server in your environment should have EDR installed and monitored. This is a core part of any managed IT service.

7. Keep All Software Updated

Unpatched software is one of the most common attack vectors. Enable automatic updates for operating systems, browsers, and business applications. For critical updates (especially security patches), deploy within 48 hours of release. A managed service provider automates patch management so nothing slips through the cracks.

8. Encrypt All Devices

Enable full-disk encryption on every laptop and workstation (BitLocker for Windows, FileVault for Mac). If a device is lost or stolen, encryption prevents the thief from accessing the data on the drive. For businesses with compliance requirements (HIPAA, SOC 2), encryption is not optional — it is a requirement.

9. Manage Mobile Devices

If employees access company email or data on personal phones, implement a mobile device management (MDM) solution. MDM allows you to enforce screen locks, encrypt data on the device, and remotely wipe company data if the device is lost. Microsoft Intune integrates directly with Microsoft 365 for this purpose.

Email Security

10. Deploy Advanced Email Filtering

Enable advanced anti-phishing, anti-malware, and anti-spam filters on your email platform. Microsoft Defender for Office 365 or a third-party solution like Proofpoint or Barracuda should scan every inbound email for malicious links, attachments, and impersonation attempts. Phishing is the most common initial attack vector for BEC — see our guide on what to do when your business email gets hacked.

11. Configure DMARC, DKIM, and SPF

These email authentication protocols prevent attackers from spoofing your domain to send phishing emails that appear to come from your company. SPF specifies which servers are authorized to send email for your domain. DKIM adds a digital signature to outgoing emails. DMARC tells receiving servers what to do when an email fails SPF or DKIM checks. All three should be configured on your domain's DNS records.

12. Block Legacy Email Protocols

Legacy authentication (the basic username-and-password sign-in used by older IMAP, POP3, and SMTP clients) cannot enforce MFA, which makes it a bypass path for attackers. Disable legacy authentication in your email platform. In Microsoft 365, this is done through Conditional Access policies or Security Defaults.
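Before you block legacy authentication, check who still depends on it. The script below is an added example for this page (not Type 5 Technology's code) that runs over a constructed CSV export of sign-in events in the shape of a Microsoft 365 sign-in log and separates two things you want to know: accounts that successfully sign in with a legacy client (usually a scanner, copier or old mail client that must be migrated first) and repeated legacy-auth failures from one source (the pattern a legacy-auth block would stop). The column names and the client-app labels are assumptions modelled on the sign-in log export; adjust them to match your tenant's export.

```python
import csv
import io
from collections import Counter

# Client-app labels that indicate legacy (basic) authentication; assumed names
# modelled on the Microsoft 365 sign-in log "Client app" column.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync",
    "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

# Constructed sample export; addresses and IPs are documentation values
SAMPLE_LOG = """timestamp,user,client_app,status,ip
2026-03-10T08:01:12Z,alice@example.com,Browser,Success,203.0.113.10
2026-03-10T08:03:55Z,scanner@example.com,Authenticated SMTP,Success,203.0.113.20
2026-03-10T08:05:40Z,bob@example.com,IMAP4,Failure,198.51.100.7
2026-03-10T08:05:41Z,bob@example.com,IMAP4,Failure,198.51.100.7
2026-03-10T08:05:43Z,bob@example.com,IMAP4,Failure,198.51.100.7
2026-03-10T08:09:02Z,carol@example.com,Mobile Apps and Desktop clients,Success,203.0.113.11
2026-03-10T08:12:30Z,dave@example.com,POP3,Success,203.0.113.12
"""


def triage_legacy_auth(csv_text: str):
    """Return (successes, failures): users still signing in over legacy auth,
    and a count of failed legacy attempts per (user, source IP)."""
    successes = {}        # user -> set of legacy client apps that actually signed in
    failures = Counter()  # (user, ip) -> failed legacy-auth attempts
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row["client_app"]
        if app not in LEGACY_CLIENT_APPS:
            continue
        if row["status"] == "Success":
            successes.setdefault(row["user"], set()).add(app)
        else:
            failures[(row["user"], row["ip"])] += 1
    return successes, failures


def remediation_report(csv_text: str, failure_threshold: int = 3) -> list:
    """Turn the triage into one action line per account."""
    successes, failures = triage_legacy_auth(csv_text)
    lines = []
    for user, apps in sorted(successes.items()):
        lines.append(f"{user}: still uses {', '.join(sorted(apps))}; migrate to modern auth before blocking")
    for (user, ip), count in sorted(failures.items()):
        if count >= failure_threshold:
            lines.append(f"{user}: {count} failed legacy-auth attempts from {ip}; a legacy-auth block would stop these")
    return lines


if __name__ == "__main__":
    for line in remediation_report(SAMPLE_LOG):
        print(line)
```

The split matters in practice: the successes are the accounts that will break the day you enable the block, so they drive the migration list, while the failures are the justification for enabling it.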

Data Protection and Backup

13. Implement Automated Backup

Back up all critical data automatically — files, databases, email, cloud data. Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored off-site or in the cloud. Test your backups regularly — a backup that has not been tested is not a backup.
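Both halves of the paragraph above can be turned into checks that run on a schedule. The example below is added for this page (not Type 5 Technology's backup tooling): `check_321` evaluates an inventory of backup copies against the 3-2-1 rule, and `verify_restore` compares a manifest of SHA-256 checksums taken at backup time against files restored into a scratch directory, which is the "test your backups" step in miniature. The demo builds constructed sample files in a temporary directory and deliberately corrupts one restored file so the check has something to report; the inventory entries are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Manifest: every file under root, keyed by relative POSIX path, mapped to its checksum."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare a restore against the manifest recorded when the backup was taken."""
    restored = snapshot(restored_root)
    problems = []
    for rel_path, digest in manifest.items():
        if rel_path not in restored:
            problems.append(f"{rel_path}: missing after restore")
        elif restored[rel_path] != digest:
            problems.append(f"{rel_path}: checksum mismatch")
    return problems


def check_321(copies: list) -> list:
    """copies: dicts with 'location', 'medium' and 'offsite'; the live data counts as one copy."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data, the rule needs 3")
    if len({c["medium"] for c in copies}) < 2:
        findings.append("every copy is on the same kind of media, the rule needs 2")
    if not any(c["offsite"] for c in copies):
        findings.append("no off-site or cloud copy")
    return findings


# Constructed inventory for illustration
COMPLIANT = [
    {"location": "file server", "medium": "ssd", "offsite": False},
    {"location": "office NAS", "medium": "nas", "offsite": False},
    {"location": "cloud backup", "medium": "cloud", "offsite": True},
]
INCOMPLETE = COMPLIANT[:2]   # live data plus NAS only


def demo_restore_check() -> list:
    """Create constructed files, back them up, restore them, corrupt one, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (Path(tmp) / name for name in ("live", "backup", "restored"))
        (live / "ledger").mkdir(parents=True)
        (live / "ledger" / "q1.csv").write_text("invoice,amount\n1001,250.00\n")
        (live / "notes.txt").write_text("constructed sample file\n")
        manifest = snapshot(live)               # recorded at backup time
        shutil.copytree(live, backup)           # stands in for the backup job
        shutil.copytree(backup, restored)       # stands in for the restore test
        (restored / "notes.txt").write_text("constructed sample file, silently altered\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(check_321(COMPLIANT))     # []
    print(check_321(INCOMPLETE))    # two findings
    print(demo_restore_check())     # ['notes.txt: checksum mismatch']
```

Store the manifest with the backup but also somewhere the backup job cannot overwrite; a restore that matches a manifest produced from the already-damaged data proves nothing.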

14. Test Disaster Recovery Annually

At least once a year, conduct a full disaster recovery test. Can you actually restore your data from backup? How long does it take? What is your recovery point objective (how much data can you afford to lose) and recovery time objective (how long can you be down)? Document the results and fix any gaps.

15. Classify and Protect Sensitive Data

Identify where your most sensitive data lives — client financial information, health records, employee SSNs, intellectual property. Apply additional protections: access restrictions, encryption at rest and in transit, data loss prevention (DLP) policies, and audit logging. You cannot protect what you have not identified.

Employee Training

16. Conduct Regular Security Awareness Training

Train every employee — not just IT staff — on cybersecurity basics: recognizing phishing emails, reporting suspicious activity, safe web browsing, and password hygiene. Training should be ongoing (monthly or quarterly), not a one-time event. Include simulated phishing exercises to test whether training is working.

17. Establish Clear Reporting Procedures

Employees need to know exactly what to do when they see something suspicious — who to contact, how to report it, and that they will not be punished for reporting (even if they clicked on something they should not have). Fast reporting is critical for containing incidents early.

Network Security

18. Manage Your Firewall

Your firewall should be actively managed — not just installed and forgotten. Review firewall rules quarterly, close unused ports, enable intrusion detection and prevention features, and keep the firmware updated. A managed network includes ongoing firewall management as a core service.

19. Segment Your Network

Separate your network into segments — guest WiFi should be isolated from your internal network, IoT devices should be on their own VLAN, and sensitive systems should be in their own protected zone. If an attacker compromises one segment, segmentation prevents them from moving laterally across your entire network.

Incident Response

20. Create and Test an Incident Response Plan

Document what happens when a security incident occurs: who is responsible for containment, investigation, notification, and recovery. Include contact information for your IT provider, legal counsel, insurance carrier, and relevant regulatory bodies. Test the plan annually with a tabletop exercise. The CISA Incident Response Plan guide provides a useful template for building your plan.

Putting It All Together

This checklist is a lot to implement — especially if you are starting from scratch. Do not try to do everything at once. Prioritize in this order:

  1. Enable MFA everywhere — highest impact, lowest effort
  2. Deploy EDR on all endpoints — protects against the most common attacks
  3. Implement automated backup — your safety net for everything else
  4. Start security awareness training — your people are your first line of defense
  5. Everything else — build from there as resources allow

Or, partner with a managed service provider that implements all 20 items as part of their standard service. A good MSP builds cybersecurity into the foundation of your IT environment — not as an afterthought or add-on. See our IT support pricing guide to understand what this costs.

Type 5 Technology includes every item on this checklist in our managed IT services. If you want help assessing where your business stands on cybersecurity, call 855-TYPE5-IT for a free security assessment.
