Small Business Cybersecurity Checklist
A practical guide for small business owners who want to protect their data, their customers, and their reputation without needing a dedicated security team.
General Security
Passwords and Password Management
Checklist:
- [ ] Set a minimum password length in the 16-24 character range
- [ ] Require a mix of uppercase letters, lowercase letters, numbers, and symbols
- [ ] Block dictionary words, personal information, and reused passwords
- [ ] Encourage passphrases instead of random characters (e.g., “W0wThaTcatb0xsmell5gro55” is easier to remember than “8SFNRYCJQNX674%0”)
- [ ] Use a password deny list instead of forcing regular password changes (this aligns with current NIST SP 800-63B guidance)
- [ ] Change passwords immediately if a breach is suspected (check haveibeenpwned.com)
- [ ] Evaluate a password manager (Bitwarden, 1Password, or Keeper are solid options for small businesses in 2025)
- [ ] Make sure your password manager supports strong encryption and MFA
- [ ] Train employees on how to use the password manager
Practical notes for small businesses:
NIST no longer recommends forcing password changes on a schedule. People tend to pick predictable patterns when forced to change passwords (“Password1!” becomes “Password2!”). Instead, use a deny list of known compromised passwords and only require a change when there’s evidence of a breach.
Free password managers exist, but paid options ($3-5/user/month) typically offer better team management features and are worth the investment.
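The following is an added example, not part of the original checklist, showing how the password rules above can be enforced in code: minimum length, character mix, a deny list of known-compromised passwords, a check for personal information, a reuse check, and a local match against a Have I Been Pwned style k-anonymity "range" response. The deny list and the range response body are constructed samples; the only real value is the SHA-1 prefix of the word "password".

```python
import hashlib
import re

# Constructed deny list. In practice this is built from a breach corpus such as the
# downloadable Have I Been Pwned list (assumption: you keep a local copy of it).
DENY_LIST = {"password1!", "password2!", "welcome123", "letmein", "qwerty123456789"}

# Constructed sample of a Have I Been Pwned "range" response for SHA-1 prefix 5BAA6.
# Real responses are 'HASH-SUFFIX:COUNT' lines; the counts and other suffixes here are made up.
RANGE_SAMPLE = """0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
011053FD0102E94D6AE2F8B83D76FAF94F6:2"""

def password_fingerprint(password):
    """SHA-256 hex digest used to remember previous passwords without storing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def pwned_range_match(password, range_body):
    """Return the breach count for a password from a range response, or 0 if absent.

    The range API takes only the first 5 hex characters of SHA-1(password), so the
    password and its full hash never leave the machine; the caller fetches the body
    for that prefix and this function compares the remaining 35 characters locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    suffix = digest[5:]
    for line in range_body.splitlines():
        hit, _, count = line.strip().partition(":")
        if hit == suffix:
            return int(count)
    return 0

def evaluate_password(candidate, personal_info, previous_fingerprints,
                      deny_list=DENY_LIST, min_length=16):
    """Return the list of policy failures for a candidate (empty list means acceptable)."""
    failures = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, candidate) for p in classes):
        failures.append("needs uppercase, lowercase, a digit and a symbol")
    if lowered in deny_list:
        failures.append("appears on the compromised-password deny list")
    for item in personal_info:  # company name, employee name, etc.
        if len(item) >= 3 and item.lower() in lowered:
            failures.append(f"contains personal information ({item})")
    if password_fingerprint(candidate) in previous_fingerprints:
        failures.append("reuses a previous password")
    return failures
```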
Multi-Factor Authentication (MFA)
Checklist:
- [ ] Identify all applications that support MFA
- [ ] Enable MFA for all accounts, prioritizing financial platforms, customer databases, and email
- [ ] Use authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) or hardware security keys (YubiKey) instead of SMS when possible
- [ ] Train employees on MFA setup and troubleshooting
Why SMS isn’t ideal: SMS codes can be intercepted through SIM-swapping attacks. Authenticator apps or hardware keys are stronger options. That said, SMS-based MFA is still far better than no MFA at all.
Getting employee buy-in: MFA adds a few seconds to each login. Frame it as protecting the business and their jobs. Keep troubleshooting guides handy for the first few weeks after rollout.
Software Updates
Checklist:
- [ ] Enable automatic updates for operating systems, applications, and firmware
- [ ] Schedule manual checks for software that doesn’t auto-update
- [ ] Apply security patches and critical updates as soon as they’re available
- [ ] Test major updates on a single system before deploying business-wide (especially for point-of-sale or line-of-business applications)
Watch out for: Automatic updates occasionally break things. A retail store’s POS system going down after an update costs real money. For critical business software, test updates on one machine first, then roll out to the rest.
Data Backups
Checklist:
- [ ] Identify your most critical data (financial records, customer information, contracts)
- [ ] Choose a backup method that fits your data volume and budget
- [ ] Set a backup schedule (daily for critical data, weekly for less important files)
- [ ] Test restoring from backups at least quarterly
- [ ] Store backups securely offsite (cloud storage with encryption, or a physical drive at a different location)
Follow the 3-2-1-1-0 rule:
- 3 copies of your data
- 2 different storage types (e.g., cloud + external drive)
- 1 copy offsite
- 1 copy offline (disconnected from your network)
- 0 errors verified through regular restore testing
Cloud storage is convenient but check your provider’s encryption and data privacy practices. Local storage gives faster restore times. Most small businesses benefit from using both.
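The restore test that gives the "0 errors" in the 3-2-1-1-0 rule means comparing restored content against a record taken at backup time, not just checking that files exist. This is an added example, not from the original checklist: it builds a SHA-256 manifest of a constructed set of sample files, restores a copy, and reports a truncated and a missing file.

```python
import hashlib
import os
import shutil
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def verify_restore(manifest, restored_root):
    """Return a sorted list of problems; an empty list is the '0 errors' the rule asks for."""
    problems = []
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)

def restore_drill():
    """Constructed drill: back up sample files, restore them, then damage the restored copy."""
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "finance"))
        with open(os.path.join(live, "finance", "ledger.csv"), "w") as fh:
            fh.write("date,amount\n2025-01-02,100.00\n")
        with open(os.path.join(live, "contracts.txt"), "w") as fh:
            fh.write("constructed sample contract text\n")
        manifest = build_manifest(live)  # taken at backup time and stored with the backup
        backup = shutil.copytree(live, os.path.join(work, "backup"))
        restored = shutil.copytree(backup, os.path.join(work, "restored"))
        clean = verify_restore(manifest, restored)
        # Simulate silent damage to the restored copy: one file truncated, one gone.
        with open(os.path.join(restored, "finance", "ledger.csv"), "w") as fh:
            fh.write("date,amount\n")
        os.remove(os.path.join(restored, "contracts.txt"))
        return clean, verify_restore(manifest, restored)
```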
Employee Training
Checklist:
- [ ] Train employees to recognize phishing emails and suspicious attachments
- [ ] Cover social engineering tactics (pretexting, baiting, tailgating)
- [ ] Teach safe browsing habits (avoid suspicious websites and downloads)
- [ ] Reinforce password security practices
- [ ] Establish clear reporting procedures for suspicious activity
- [ ] Run training sessions at least quarterly to address new threats
- [ ] Conduct phishing simulations, but don’t overdo them (alert fatigue is real)
On phishing simulations: Run them 2-4 times per year. More than that and employees start ignoring all warnings. When someone fails a simulation, treat it as a learning opportunity, not a punishment.
Reporting culture matters: Employees won’t report suspicious emails if they’re afraid of being blamed. Make reporting easy and blame-free. If someone receives a suspicious email and isn’t sure about it, they can forward it to ForwardToSafety.com for safe verification.
Network Security
Secure Wi-Fi
Checklist:
- [ ] Set a strong, unique password for your Wi-Fi network
- [ ] Use WPA3 encryption (or WPA2 if your router doesn’t support WPA3)
- [ ] Create a separate guest network with limited access for visitors
- [ ] Never use public Wi-Fi for sensitive business transactions
- [ ] Use a VPN when working remotely or on any untrusted network
Guest network tip: If customers or visitors need Wi-Fi, a separate guest network keeps them off your business network entirely. Most modern routers support this with a few clicks in the admin panel.
Firewalls
Checklist:
- [ ] Install firewalls on all network gateways (routers, network entry points)
- [ ] Configure rules to allow only authorized traffic and block everything else
- [ ] Review and update firewall rules quarterly or whenever your network changes
- [ ] Consider a managed firewall service if you lack in-house IT expertise
Finding the balance: Firewall rules that are too strict will block legitimate business traffic (payment processing, email delivery). Rules that are too loose leave gaps. Start with a deny-all default and add exceptions for traffic you know is safe.
Data Encryption
Checklist:
- [ ] Identify all sensitive data (financial records, customer PII, health records)
- [ ] Encrypt data at rest (stored on drives) and data in transit (being transmitted)
- [ ] Use established encryption standards (AES-256 for data at rest, TLS 1.3 for data in transit)
- [ ] Establish secure key management procedures
- [ ] Test encryption regularly to confirm it’s working
Practical tip: Most modern operating systems offer built-in disk encryption (BitLocker on Windows, FileVault on macOS). Turn it on for every company device. For data in transit, make sure your website and internal tools use HTTPS.
Third-Party Vendor Management
Vendor Risk Assessment
Checklist:
- [ ] List all third-party vendors with access to your data or systems
- [ ] Send a security questionnaire covering their data security, access controls, and incident response procedures
- [ ] Review responses carefully, focusing on areas critical to your data
- [ ] Follow up with calls or meetings to clarify concerns
- [ ] Set up ongoing monitoring of vendor security posture (or at minimum, annual reviews)
Vendor Contract Security Clauses
Checklist:
- [ ] Include data security obligations (confidentiality, access control, incident reporting)
- [ ] Specify compliance standards the vendor must meet (HIPAA, PCI DSS, SOC 2, etc.)
- [ ] Require immediate notification of any data breach affecting your data
- [ ] Reserve audit rights to verify the vendor’s security practices
- [ ] Define liability for breaches caused by vendor negligence
Reality check: Vendor contracts often come pre-written in the vendor’s favor. Push back on weak security language. If you can’t afford a lawyer specializing in data security, at minimum make sure breach notification and liability clauses are clearly defined.
Incident Response
Building Your Plan
Checklist:
- [ ] Identify key personnel for incident response (IT, legal, communications)
- [ ] Define response stages: detection, containment, eradication, recovery
- [ ] Establish data breach notification procedures (know your state’s breach notification laws)
- [ ] Create a communication plan for internal teams, customers, and media
- [ ] Document everything and review the plan at least annually
Testing Your Plan
Checklist:
- [ ] Schedule simulations at least twice a year (phishing attacks, ransomware scenarios, data breach scenarios)
- [ ] Evaluate how your team executes each response stage
- [ ] Identify gaps and weaknesses
- [ ] Update the plan based on test results
- [ ] Hold debriefing sessions after each simulation
Small business reality: You probably don’t have a dedicated incident response team. That’s okay. Assign roles to existing staff, keep the plan simple, and practice it. A basic plan that people actually follow beats an elaborate plan sitting in a drawer.
Cybersecurity Insurance
Checklist:
- [ ] Assess your business’s vulnerability and potential financial impact from a cyberattack
- [ ] Compare coverage options (data breach response, business interruption, cyber extortion, legal fees)
- [ ] Determine appropriate coverage limits based on your risk assessment
- [ ] Choose a deductible that balances affordability with adequate protection
- [ ] Research the provider’s financial stability and claims track record
What to know in 2025/2026: Cyber insurance premiums have stabilized after sharp increases in 2022-2023, but insurers are now requiring stronger security controls before issuing policies. Many require MFA, regular backups, and endpoint protection as minimum requirements. Having these controls in place before shopping for insurance will get you better rates.
Staying Informed
Checklist:
- [ ] Follow trusted sources: CISA.gov, NIST.gov, KrebsOnSecurity.com
- [ ] Subscribe to CISA alerts and your software vendors’ security bulletins
- [ ] Set aside time monthly to review security updates and adjust your strategy
- [ ] Share relevant threat information with employees
Avoid information overload: You don’t need to read every cybersecurity blog. Pick 2-3 trusted sources, subscribe to their alerts, and review them monthly. CISA’s alerts alone will keep you informed about the threats that actually matter to small businesses.
Bottom Line
Cybersecurity is ongoing work, not a one-time project. Start with the basics (strong passwords, MFA, backups, and employee training), then build from there. You don’t need to do everything at once, but you do need to start.
If you receive a suspicious email or aren’t sure whether a message is legitimate, forward it to ForwardToSafety.com for safe verification before clicking any links or opening attachments.