Cyber Hygiene Checklist for Small Businesses
Cyber hygiene is the daily routine that keeps your business safe online. It’s not about stopping headline-grabbing attacks – it’s about the basic practices that prevent most incidents from happening in the first place.
Think of it like locking your doors and windows. It won’t stop a determined attacker, but it eliminates the easy opportunities that most criminals rely on.
Why This Matters
A lot of small businesses are missing basic protections:
- No encryption – Customer names, addresses, and payment info stored in plain text. If someone gets access to your files, or walks off with a laptop or backup drive, they can read everything immediately. Encryption at rest protects data on a lost or stolen device; it does nothing against someone who logs in with a valid account, which is why it has to be paired with the access controls further down.
- No multi-factor authentication (MFA) – Accounts protected by nothing but a password. One stolen or guessed password and an attacker is in.
- Outdated security tools – Old software with known vulnerabilities, or free tools that don’t catch modern threats.
These gaps are how most breaches actually happen. Not through sophisticated zero-day exploits, but through basic weaknesses that could have been fixed in an afternoon.
Common Threats That Exploit Poor Hygiene
Phishing emails – Fake messages designed to trick employees into clicking malicious links or opening infected attachments. Without training, people miss the warning signs: slightly off email addresses, spelling errors, and artificial urgency.
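The "slightly off email address" is the sign people miss most often, and it is also the one a script can catch. The following is an added example, not code from the original checklist: it takes a From: header, pulls out the sender's domain, and flags it as a lookalike when it is within a couple of edits of one of the business's own domains, uses common character swaps (0 for o, rn for m), or wraps the real name inside a longer one. The TRUSTED_DOMAINS set and the sample headers are constructed values.

```python
"""Flag sender domains that imitate one of our own domains.

Added example, not part of the original checklist. TRUSTED_DOMAINS and the
From: headers used to exercise it are constructed values for illustration.
"""
from email.utils import parseaddr

# Domains the business legitimately sends from (constructed example values).
TRUSTED_DOMAINS = {"example-shop.com", "example-shop.co.uk"}

# Characters attackers swap in because they look alike in many fonts.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain: str) -> str:
    """Lower-case and fold common look-alike substitutions (0 -> o, rn -> m, vv -> w)."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header value such as 'Name <user@host>' ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    # Exact match or a subdomain of one of our domains is genuinely ours.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    folded = normalize(domain)
    label = folded.split(".", 1)[0]          # name before the first dot
    for good in trusted:
        good_folded = normalize(good)
        good_label = good_folded.split(".", 1)[0]
        if folded == good_folded or edit_distance(folded, good_folded) <= 2:
            return "lookalike"               # examp1e-shop.com, exarnple-shop.com, example-shop.co
        if folded.startswith(good_folded + "."):
            return "lookalike"               # example-shop.com.evil.com
        if good_label in label and label != good_label:
            return "lookalike"               # example-shop-billing.com
    return "external"
```

A check like this belongs in a mail rule or a quick triage script for the person who handles reported emails; it complements, rather than replaces, the sender-authentication checks your mail provider performs. The edit-distance threshold of 2 suits domain names of this length and will need lowering for very short names.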
Weak passwords – Using the same password across multiple accounts, or passwords that are easy to guess. A password manager solves this by generating and storing strong, unique passwords for every account.
Outdated software – Unpatched software has known security holes that attackers scan for automatically. Keeping everything updated closes these holes.
Uncontrolled USB drives – Unknown USB drives can deliver malware as soon as they're plugged in, either as infected files someone opens or as a device that pretends to be a keyboard and types commands on its own. Set a clear policy: no personal or unknown USB devices on company machines.
Unsecured Wi-Fi – Public Wi-Fi usually has no link-layer encryption, so anyone on the same network can see which servers you connect to and read any traffic the application itself doesn't encrypt. HTTPS protects most web traffic, but a VPN covers everything, including DNS lookups and older apps. Use a VPN for any business activity on public networks.
Lost or stolen devices – A laptop or phone with company data is a security incident waiting to happen if it’s not encrypted and password-protected.
The Checklist
Data Protection
- [ ] All business data is encrypted, both at rest (disks, phones, backups) and in transit (HTTPS, VPN)
- [ ] Personal USB drives are prohibited on company systems
- [ ] Sensitive files are stored in approved, access-controlled locations
Access Control
- [ ] Every account uses a strong, unique password (use a password manager)
- [ ] MFA is enabled on all accounts that support it
- [ ] Access permissions follow least-privilege (people only access what they need)
- [ ] Former employees have access revoked immediately upon departure
Employee Training
- [ ] All staff complete cybersecurity awareness training at least quarterly
- [ ] Employees can identify common phishing tactics
- [ ] There’s a clear process for reporting suspicious emails or activity
Software and Updates
- [ ] All operating systems and applications are set to update automatically, including phones, routers and firewalls
- [ ] End-of-life software has been replaced (no more Windows 10 after October 2025)
- [ ] Antivirus/endpoint protection is installed and current on every device
Network Security
- [ ] Business Wi-Fi uses WPA3 encryption with a strong password (WPA2 with AES at minimum for devices that can't do WPA3; never WEP or an open network)
- [ ] Guest Wi-Fi is on a separate network from business systems
- [ ] VPN is required for any remote access to company resources
- [ ] Public Wi-Fi is off-limits for business activities without a VPN
Device Security
- [ ] All devices require a password or biometric to unlock
- [ ] Full-disk encryption is enabled on all laptops and desktops
- [ ] Remote wipe capability is set up for mobile devices
- [ ] There’s a procedure for reporting lost or stolen devices
Backups
- [ ] Critical data is backed up at least daily
- [ ] Backups are stored in a separate location (cloud or offsite), with at least one copy offline or write-protected so ransomware on the network can't encrypt or delete it
- [ ] Backup restoration is tested at least quarterly
- [ ] Backups are encrypted
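"Backup restoration is tested" means more than confirming the job ran: you restore the data somewhere and check it matches what was backed up. The following drill is an added example, not code from the original checklist. It archives a folder, records a SHA-256 manifest at backup time, restores into a scratch directory and reports any file that is missing, altered or unexpected; it also refuses archive entries that would escape the restore directory. The sample files and paths are constructed in a temporary directory so it runs offline, and archive encryption is left to the backup tool rather than shown here.

```python
"""Backup-and-restore drill: archive a folder, record a SHA-256 manifest, restore
into a scratch directory and prove every file came back byte-for-byte.

Added example, not part of the original checklist. Sample data and paths are
constructed in a temporary directory; encryption of the archive is not shown.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files don't need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write src into a gzip tarball and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def safe_extract(archive: Path, dest: Path) -> None:
    """Extract, refusing members that would land outside dest or that are links."""
    dest.mkdir(parents=True, exist_ok=True)
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing member outside restore dir: {member.name}")
            if member.issym() or member.islnk():
                raise ValueError(f"refusing link member: {member.name}")
        try:
            tar.extractall(dest, filter="data")   # Python 3.12+: built-in safety filter
        except TypeError:                          # older interpreter without filter=
            tar.extractall(dest)


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> list:
    """Restore into dest and return the problems found; an empty list is a pass."""
    safe_extract(archive, dest)
    restored = build_manifest(dest)
    problems = [f"missing: {rel}" for rel in manifest if rel not in restored]
    problems += [f"corrupt: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return sorted(problems)


def run_drill(tamper: bool = False) -> list:
    """End-to-end drill on constructed data. tamper=True proves the check can fail."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp, "live"), Path(tmp, "restore")
        (src / "customers").mkdir(parents=True)
        (src / "customers" / "list.csv").write_text("id,name\n1,Ada\n2,Grace\n")
        (src / "invoices.txt").write_text("INV-001 paid\n")
        archive = Path(tmp, "backup.tar.gz")
        manifest = make_backup(src, archive)
        if tamper:
            manifest["invoices.txt"] = "0" * 64   # pretend the backup recorded other bytes
        return restore_and_verify(archive, manifest, dest)


def traversal_is_rejected() -> bool:
    """Build an archive with a '../' member and confirm safe_extract refuses it."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp, "evil.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            info = tarfile.TarInfo("../escape.txt")
            info.size = 0
            tar.addfile(info)
        try:
            safe_extract(archive, Path(tmp, "restore"))
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    problems = run_drill()
    print("restore drill:", "PASS" if not problems else problems)
```

Keep a copy of the manifest somewhere other than inside the backup itself; a manifest that lives only in the archive cannot tell you that the archive was silently truncated or deleted. Run the drill against the real backup, restoring to a spare machine or scratch folder, on the quarterly schedule the checklist sets.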
Taking Action
If you went through that checklist and found gaps, here’s how to prioritize:
- Enable MFA everywhere – This single step blocks the majority of account takeover attacks. Start with email, banking, and any system containing customer data. Prefer an authenticator app or a hardware security key over SMS codes where the service allows it.
- Deploy a password manager – Roll out a business password manager (1Password, Bitwarden, or similar) and require its use for all company accounts.
- Update everything – Set all systems to auto-update. Replace anything that's no longer receiving security patches.
- Start training – Even a monthly 15-minute awareness session makes a measurable difference. Free resources are available from CISA (cisa.gov/cybersecurity-training) and the SBA.
- Get help if needed – A managed security provider can handle the technical pieces if you don't have dedicated IT staff. Many offer packages specifically designed for small businesses.
These are straightforward fixes. None of them require a big budget or specialized expertise. What they do require is making them a priority and following through.