AEAsk Erik
Computer Services
541-359-3111Book Assessment
Resources
ChecklistJuly 1, 20253 min read

Small Business Cybersecurity Checklist

A practical 30-point cybersecurity checklist for small businesses with 10–75 users. Covers MFA, backups, email security, endpoint protection, and staff training.

Use this checklist to assess your current cybersecurity posture. Items marked with ★ are highest priority if you're starting from scratch.


Identity & Access

  • ★ Multi-factor authentication (MFA) enforced for all users
  • MFA required for admin accounts (authenticator app preferred over SMS)
  • Legacy authentication protocols disabled (Basic Auth, SMTP Auth unless required)
  • Password policy requires minimum 12-character passwords
  • Unique passwords for every account (enforced via password manager)
  • Admin accounts are separate from daily-use accounts
  • Offboarding process removes all access on the same day an employee leaves

Email Security

  • ★ SPF, DKIM, and DMARC configured for your domain
  • Anti-phishing policy enabled in Microsoft 365 or Google Workspace
  • Safe Links and Safe Attachments enabled (Microsoft 365 Business Premium)
  • No email forwarding rules to external addresses
  • Staff trained to recognize phishing — tested with simulations in the past 12 months

Endpoint Protection

  • ★ Endpoint Detection & Response (EDR) software on every device
  • All operating systems current and fully patched
  • All third-party software (browsers, Adobe, etc.) current
  • Unsupported operating systems (Windows 10 after Oct 2025) removed or isolated
  • Full-disk encryption enabled on all laptops
  • USB/removable media restricted or disabled where not needed

Backups & Recovery

  • ★ Automated backups run daily at minimum
  • Backups stored offsite or in immutable cloud storage (not only local)
  • Backup restoration tested within the past 12 months
  • Recovery time objective (RTO) documented — how long can you actually be down?
  • Backup access credentials stored securely offline

Network

  • Firewall in place and managed
  • Guest Wi-Fi network separate from business network
  • Remote access uses VPN or Zero Trust — not open RDP
  • Default passwords changed on all network devices (routers, switches, cameras)

Compliance & Documentation

  • System and network inventory documented
  • Vendor and software credentials documented and secured (not in a spreadsheet on your desktop)
  • Incident response plan documented — who to call, in what order
  • HIPAA Security Risk Assessment completed if you're a covered entity
  • Cyber insurance policy in place and reviewed annually

How to Use This Checklist

Run through this with your IT provider or use it to identify your gaps. Every unchecked box is a risk. The items marked ★ are the non-negotiable baseline — if those aren't in place, start there before anything else.

Not sure where you stand? Book a free IT Assessment with Ask Erik Computer Services. We'll review your environment against this checklist and tell you honestly what needs attention — no sales pressure.

Call: 541-359-3111

Not sure how your environment measures up?

We review small business IT environments throughout Lane County — no cost, no pressure.

Book a Free Assessment 541-359-3111