Serving Vancouver, Washington and remote U.S. businesses

Small Business Cybersecurity

Small Business Cybersecurity Checklist

A detailed cybersecurity checklist for small businesses and nonprofits that need a practical way to review essential controls and document follow-up work.

A cybersecurity checklist helps a small organization turn broad security advice into specific tasks with owners, evidence, deadlines, and recurring reviews.

How to Use This Checklist

Review each item and mark it complete, incomplete, not applicable, or requiring investigation. Record the responsible person, evidence, target completion date, and exception approval. A check mark without evidence can create a false sense of security.

Prioritize items that protect business email, administrative accounts, financial systems, customer information, employee records, backups, and critical service delivery.

1. Governance and Responsibility

  • Identify the executive or business owner responsible for cybersecurity risk.
  • Identify the technical owner for security operations.
  • Document who approves access and exceptions.
  • Document who reviews security alerts and backup failures.
  • Maintain current contact information for technology providers, insurers, legal counsel, and critical vendors.
  • Provide leadership with a recurring security status summary.

Responsibilities should name actual people or contracted roles. Phrases such as “the information-technology team” are not enough when no one knows who is expected to act.

2. Asset and Service Inventory

  • Inventory laptops, desktops, mobile devices, servers, network equipment, and removable media.
  • Inventory cloud services, websites, domains, applications, and subscriptions.
  • Identify business owners and administrators.
  • Record renewal dates and support status.
  • Identify systems that are no longer used.
  • Identify unsupported operating systems and applications.

Include services purchased outside normal procurement

Department and employee purchases can create unapproved applications, duplicate subscriptions, unmanaged data, and forgotten administrator accounts.

3. Data Inventory and Classification

  • Identify customer, employee, financial, health, legal, and confidential business information.
  • Document where each category is stored.
  • Identify who can access it.
  • Document retention and deletion requirements.
  • Review external sharing.
  • Remove unnecessary duplicate or outdated sensitive data.

4. Account Security

  • Require unique individual accounts.
  • Require multifactor authentication for important services.
  • Use phishing-resistant authentication where available.
  • Use a business password manager.
  • Remove shared passwords and shared administrator accounts.
  • Review account recovery methods.
  • Disable or remove former-employee accounts promptly.
  • Review inactive accounts.

5. Administrator Access

  • Maintain a current list of administrators.
  • Use separate administrator accounts where supported.
  • Limit local administrator rights on devices.
  • Review privileged vendor access.
  • Protect emergency or break-glass accounts.
  • Review administrator activity and alerts.
  • Complete quarterly privileged-access reviews.

6. Device Security

  • Use supported operating systems.
  • Enable automatic updates where appropriate.
  • Enable full-disk encryption.
  • Install and monitor endpoint protection.
  • Enable host firewalls.
  • Configure automatic screen locking.
  • Enroll company devices in management.
  • Prepare remote lock and wipe procedures.
  • Track assigned devices and accessories.

7. Network and Remote Access

  • Change default router and firewall credentials.
  • Update network-device firmware.
  • Separate guest wireless access from business systems.
  • Use secure remote-access methods.
  • Require multifactor authentication for remote access.
  • Remove unused remote-management tools.
  • Review firewall rules and exposed services.
  • Protect network configuration backups.

Do not expose remote desktop directly to the internet

Use an approved secure access method with multifactor authentication, restricted privileges, logging, and current software.

8. Email and Collaboration Security

  • Require multifactor authentication for email.
  • Review forwarding rules and mailbox delegation.
  • Configure anti-phishing and malware protection.
  • Review external sharing settings.
  • Protect administrator and executive accounts.
  • Provide a phishing-reporting method.
  • Review suspicious sign-in alerts.
  • Review domain and email-authentication settings.

9. Application and Software Management

  • Maintain an approved software list.
  • Remove unauthorized remote-access and file-sharing tools.
  • Patch browsers, plugins, productivity software, and business applications.
  • Review application permissions and integrations.
  • Remove unused application tokens.
  • Review software licensing and support status.
  • Document emergency update procedures.

10. Backup and Recovery

  • Identify essential data and configurations.
  • Define backup frequency and retention.
  • Maintain protected or isolated backup copies.
  • Encrypt sensitive backups.
  • Monitor backup failures.
  • Test restoration.
  • Document recovery order and expected time.
  • Keep recovery credentials protected and available.

11. Employee Training

  • Provide security orientation during onboarding.
  • Train employees to recognize phishing and fake support requests.
  • Explain payment-change verification procedures.
  • Explain unexpected multifactor authentication prompts.
  • Provide lost-device reporting instructions.
  • Review approved data-storage and file-sharing methods.
  • Repeat training and practical exercises.

12. Vendor and Third-Party Risk

  • Inventory vendors with access to systems or data.
  • Record vendor contacts and contract dates.
  • Review administrator and remote-support access.
  • Document incident-notification expectations.
  • Review backup, security, and continuity responsibilities.
  • Remove vendor access when the relationship ends.
  • Review critical providers at least annually.

13. Incident Response

  • Maintain a written incident response plan.
  • Define reporting and escalation paths.
  • Identify the incident leader and decision makers.
  • Document isolation and containment procedures.
  • Protect logs and evidence.
  • Maintain alternative communication methods.
  • Document insurance, legal, law-enforcement, and regulatory contacts when applicable.
  • Exercise the plan at least annually.

14. Business Continuity and Recovery

  • Identify critical business services.
  • Document manual workarounds.
  • Identify critical employees and vendors.
  • Prioritize system restoration.
  • Prepare customer and employee communication.
  • Verify restored systems before normal use.
  • Document lessons learned and corrective actions.

15. Physical and Environmental Security

  • Control access to offices, network rooms, and equipment storage.
  • Secure paper records and removable media.
  • Track keys, badges, and security tokens.
  • Use approved equipment-disposal methods.
  • Protect devices during travel and shipping.
  • Review visitor and contractor access.

Create a Remediation Tracker

For every incomplete item, record the finding, risk, responsible owner, planned action, due date, status, and evidence. Separate urgent exposure from longer-term improvement work.

Leadership should approve delayed items and understand the operational impact of leaving them unresolved.

Quarterly Cybersecurity Review

  • Review privileged and inactive accounts.
  • Review unsupported devices and applications.
  • Review multifactor authentication coverage.
  • Review backup failures and restoration tests.
  • Review security alerts and incidents.
  • Review vendor access.
  • Review employee and contractor departures.
  • Review high-risk remediation items.
  • Update the incident contact list.
  • Report status to leadership.

Document Evidence and Review Dates

For each completed control, record enough evidence that another authorized reviewer can understand what was checked. Evidence may include a configuration export, screenshot, device report, backup restoration result, access-review record, policy approval, support ticket, or dated meeting note.

Also record the next review date. Some controls should be checked continuously or monthly, while others may be reviewed quarterly or annually. A recurring schedule prevents the checklist from becoming a one-time project that is forgotten after the initial review.

Frequently Asked Questions

Should every checklist item be completed immediately?

Prioritize based on business importance, exposure, legal or contractual requirements, and the likelihood and impact of a failure. Document and approve exceptions.

Who should complete the checklist?

The review should include business leadership, the technical owner, system owners, and outside providers when they control important services.

How should completion be proven?

Use evidence such as configuration exports, screenshots, reports, inventories, test results, tickets, approval records, and dated procedures.

When Professional Support Helps

Professional support can perform the review, gather evidence, identify priorities, build the remediation tracker, and translate technical findings into an understandable business action plan.

Need help applying this?

Build a practical cybersecurity program.

J3 Systems Group LLC can review accounts, devices, security settings, backups, vendors, documentation, and incident readiness.

Book a Free Consultation