Most small business owners believe they're protected because they have "good IT" or "antivirus software." Most of them are wrong. The controls that actually stop cyberattacks are simpler and cheaper than most owners think — but they're rarely in place.

This checklist covers the 10 controls that matter most. Put all 10 in place and you close off the routes behind the large majority of attacks on small businesses (the rough industry estimate is around 85%, an estimate, not a guarantee), and you will be able to answer the control questions on most 2025 cyber insurance applications.

1. Multi-Factor Authentication (MFA) on Every Account

What it is: A second verification step — a code from an app, a push notification, or a hardware key — required to log in.

What to do: Enable MFA on every account that supports it. Prioritize: email, banking, cloud storage, and any remote access tools (VPN, remote desktop, your MSP's management portal). Authenticator apps (Google Authenticator, Authy, 1Password) are better than SMS, because SMS codes can be stolen by SIM-swapping your phone number. Hardware keys (YubiKey) are best for high-value accounts: a FIDO2 key is tied to the real site, so a look-alike phishing page cannot capture and replay it the way it can an app code typed in by hand.

Red flag: If any account still lets you log in with just a username and password, that's an open door. Check the quiet ones too: legacy mail protocols such as IMAP and POP, and old "basic authentication" in Microsoft 365, skip MFA entirely unless your administrator has disabled them.

Why it matters: Industry breach reports consistently put stolen or reused credentials among the most common ways attackers get in, with figures in the range of 80% of breaches. MFA would have stopped most of them.


2. Unique Passwords, Managed by a Password Manager

What it is: A password manager (1Password, Bitwarden, or NordPass) stores unique, complex passwords for every account so you don't have to remember them.

What to do: Require every employee to use the company password manager for all work accounts. No exceptions. Generate random passwords — don't let people create their own. The one password people still have to remember is the vault's master password: make it a long passphrase, protect the vault with MFA, and set up the account-recovery option before anyone needs it.

Red flag: Reused passwords. If one service gets breached and your password is exposed, every account using that same password is now compromised.


3. Automatic, Tested Backups — Stored Off-Site

What it is: Daily automated backups of all business data, stored somewhere other than your office. Tested quarterly to confirm you can actually restore.

What to do: Use a cloud backup service (Backblaze, Carbonite, or your MSP's solution). Set it to run automatically every night. Keep at least one copy that cannot be changed or deleted with the same credentials that run your day-to-day systems (an immutable or versioned copy, or an offline copy). Once per quarter, do a real restore test — not just a backup confirmation — and check that the restored files open and match the originals. Many businesses discover their backups are corrupted, incomplete, or missing a whole folder when they actually need them.

Red flag: Backups stored on the same network as your data, or reachable with the same admin password. Ransomware encrypts everything it can reach, including mapped network drives and external disks left plugged in, and modern crews delete or encrypt backups first. A cloud sync folder (OneDrive, Dropbox, Google Drive) is not a backup either: encrypted files sync up just like any other change.
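The restore test above is the step most businesses skip. As an added example (not a script from this article or from any backup vendor), here is the check an engineer would run: record a hash of every file at backup time, then after a test restore compare the restored copy against that manifest and list what is missing or changed. The directory tree below is constructed sample data so the script runs offline; in practice `source_dir` is your real data folder and `restored_dir` is the folder you restored into.

```python
"""Restore test: prove the restored copy matches what was backed up.

Added example, not from the original article. The sample tree in demo() is
constructed data; point build_manifest() at the real data folder at backup
time and verify_restore() at the real restore target afterwards.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[str(path.relative_to(root))] = digest
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restore against the manifest taken at backup time.

    Returns only the categories with problems; an empty dict means the
    restore is byte-for-byte complete. A backup job's own "success" status
    never tells you this.
    """
    restored = build_manifest(restored_root)
    problems = {"missing": [], "modified": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            problems["missing"].append(rel)       # file never came back
        elif restored[rel] != digest:
            problems["modified"].append(rel)      # came back, but corrupted/truncated
    for rel in restored:
        if rel not in manifest:
            problems["unexpected"].append(rel)    # restore contains something extra
    return {kind: paths for kind, paths in problems.items() if paths}


def demo() -> dict:
    """Constructed scenario: one file truncated and one file lost in the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "ledger.csv").write_text("2025-01-01,Invoice,1200\n")
        (src / "contracts.txt").write_text("Signed with ACME")
        manifest = build_manifest(src)           # taken at backup time

        # Simulate a bad restore: ledger truncated, contracts.txt never restored.
        (dst / "accounting").mkdir(parents=True)
        (dst / "accounting" / "ledger.csv").write_text("2025-01-01,Invoice")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

Store the manifest somewhere other than the backup itself (it is small enough to email to yourself), otherwise a corrupted backup can take its own checklist with it.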


4. Phishing Awareness Training for Every Employee

What it is: Regular training — at least annually, quarterly is better — that teaches employees to recognize and report phishing attempts.

What to do: Book a live training session for your team. Not a video. Not a quiz. A real instructor who runs your team through actual attack scenarios. Then run a phishing simulation test afterward to see who actually learned it.

Red flag: "We've done the KnowBe4 training" treated as the finish line. A completion certificate proves people clicked through a video and a quiz, not that they will stop and report a convincing lure; the video-and-quiz approach yields roughly 15% behavioral retention, live coaching 70% or more. The metric that matters is the click rate and the report rate on your next simulation, not the completion report.

Learn more: See our live training courses →


5. Incident Response Plan — Written, Not Just in Your Head

What it is: A document that tells everyone what to do in the first hour of a breach — who to call, what to shut down, how to communicate, and what NOT to do (like paying a ransom without a plan).

What to do: Write the plan. It doesn't need to be long — one page is fine. Include: who the IT contact is, what to do if you suspect ransomware (unplug the machine from the network or turn off its Wi-Fi, but do not power it off or reboot: memory, running processes, and logs are evidence that disappear on restart), who is allowed to talk to customers and the press, and how to contact your cyber insurance company. Many policies require you to notify the insurer before you hire outside help or pay anything, so put the hotline number on the page. Test it once a year with a tabletop exercise.

Free tool: Use our free IR Plan Builder → It generates a personalized incident response plan for your industry in 10 minutes.


6. Software Updates — Patch Within 72 Hours of a Release

What it is: Running the latest versions of your operating system, applications, and firmware. Most breaches exploit known vulnerabilities that had patches available for weeks or months before the breach.

What to do: Enable automatic updates wherever possible. For business-critical software, assign someone to monitor for new patches and apply them within 72 hours. Prioritize anything reachable from the internet (firewall, VPN, remote desktop gateway, web-facing apps) and anything listed in CISA's Known Exploited Vulnerabilities catalog, which is the public list of flaws attackers are already using. Your IT provider or MSP should be doing this — if they aren't, that's a problem.

Red flag: "We've been meaning to update that." The window between patch release and active exploitation is measured in days, and for internet-facing systems sometimes hours, because attackers reverse-engineer the patch to find the hole. "Meaning to update" is an open invitation.


7. Endpoint Detection and Response (EDR) on Every Device

What it is: Software that monitors your computers and alerts you when something suspicious is happening — not just when a known virus shows up, but when behavior is unusual.

What to do: Install EDR on every device — laptops, workstations, servers. SentinelOne, CrowdStrike Falcon Go, and Microsoft Defender for Business all work well for small businesses. EDR is now a standard question on cyber insurance applications, and some insurers require it. One caveat: EDR only helps if someone sees the alert. If nobody in your business or at your MSP is watching the console, buy the managed version (MDR) so a 24/7 team responds for you.


8. Email Security — Spam Filter + Domain Authentication (SPF/DKIM/DMARC)

What it is: A spam filter that catches malicious emails before they reach your inbox, plus DNS records (SPF, DKIM, DMARC) that let receiving mail servers check whether a message claiming to come from your domain was actually sent by you. With a DMARC policy of quarantine or reject, mail that fails those checks is filtered or bounced by the receiver, which makes impersonating your domain to your customers and suppliers much harder. A DMARC policy of "none" only reports; it blocks nothing.

What to do: Check if your email provider has advanced threat protection. In Microsoft 365, Business Premium includes Defender for Office 365 (Plan 1); Business Basic and Business Standard come with only the baseline Exchange Online Protection filtering unless you add Defender for Office 365 separately. Set up SPF, DKIM, and DMARC records for your domain. Publishing the records takes about an hour; getting DMARC to an enforcing policy (p=quarantine, then p=reject) takes a few weeks of reading the aggregate reports to confirm that every legitimate sender (invoicing, CRM, newsletter, and ticketing tools) passes, so that you don't bounce your own mail. Use MXToolbox to check your current email health →
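Tools like MXToolbox do this lookup for you; as an added example (not code from this article or from MXToolbox), here is what the check actually inspects, so you can read your own records. It takes the SPF and DMARC TXT records as strings and reports the weak settings a reviewer looks for: a permissive or missing "all" term, too many DNS-lookup mechanisms, a monitoring-only DMARC policy, a partial pct, no reporting address, and unprotected subdomains. The records below are constructed samples for a fictional domain; in practice you would paste in the output of `dig TXT yourdomain.com` and `dig TXT _dmarc.yourdomain.com`.

```python
"""Flag weak settings in SPF and DMARC DNS TXT records.

Added example, not from the original article. Records are passed in as
strings, so nothing is queried over the network. The sample records are
constructed for a fictional domain.
"""
import re

# Matches the 'all' term and captures its qualifier: +, -, ~, ? or none.
_ALL_RE = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)
# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
_LOOKUP_RE = re.compile(r"^(?:a|mx|ptr)(?:[:/]|$)|^(?:include|exists):|^redirect=",
                        re.IGNORECASE)


def check_spf(record: str) -> list:
    """Return a list of human-readable findings; empty means nothing weak."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    qualifier = None
    for term in terms[1:]:
        match = _ALL_RE.match(term)
        if match:
            qualifier = match.group(1) or "+"   # a bare 'all' means '+all'
    if qualifier is None:
        findings.append("no 'all' term: unlisted hosts get a neutral result, not a fail")
    elif qualifier == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif qualifier == "?":
        findings.append("'?all' is neutral: receivers will not reject spoofed mail")
    elif qualifier == "~":
        findings.append("'~all' softfail only marks spoofed mail; use '-all' once every "
                        "legitimate sender is listed")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_RE.match(t.lstrip("+-~?")))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10; "
                        "receivers treat the record as a permanent error")
    return findings


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record (the TXT record at _dmarc.<domain>)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none is monitoring only: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports, so you cannot "
                        "see who is spoofing you or which of your senders fail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


# Constructed sample records for a fictional domain (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
STRONG_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", check_spf(spf) or "ok")
        print(label, "DMARC:", check_dmarc(dmarc) or "ok")
```

The weak pair is what most small-business domains look like after a default setup: a softfail SPF and a DMARC record that was published to "tick the box" and left at p=none, which means the receiver notes the failure and delivers the spoofed mail anyway. Move to the strong pair only after the aggregate reports show your real senders passing.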


9. Least-Privilege Access — Employees Get Exactly What They Need

What it is: Every employee has access only to the systems and data they need for their job. Not more.

What to do: Conduct a quarterly access review: for each system, pull the list of accounts and compare it against who actually works here and what their job is. Include shared logins and third parties (your MSP, bookkeeper, or marketing agency) in that list. When someone leaves or changes roles, their access should be updated or revoked within 24 hours. Default to the minimum necessary access — if a new hire doesn't need QuickBooks access on day one, they shouldn't have it until they do. Keep administrator rights on separate accounts used only for admin tasks, never for reading email or browsing.
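The quarterly review described above is a reconciliation: one list of accounts from the application, one list of people from HR, and a set of rules about who should have what. As an added example (not code from this article), the script below does that reconciliation for one application and flags orphan accounts with no matching employee, accounts belonging to terminated staff, people whose role has no need for the system, admin rights outside the roles allowed to hold them, and accounts nobody has logged into for 90 days. The roster, the application export, the column names, and the 90-day threshold are constructed assumptions for the example; real exports from QuickBooks, your CRM, or Microsoft 365 carry similar columns.

```python
"""Quarterly access review: reconcile an application's user list with HR.

Added example, not from the original article. HR_ROSTER and APP_USERS are
constructed sample exports in CSV form; the column names, the role rules
and the 90-day stale threshold are assumptions chosen for the example.
"""
import csv
import io
from datetime import date

# Constructed HR roster: everyone who currently works here, with role and status.
HR_ROSTER = """\
email,role,status
alice@example.com,finance,active
bob@example.com,sales,active
carol@example.com,finance,terminated
dave@example.com,engineering,active
"""

# Constructed user export from an accounting application.
APP_USERS = """\
email,app_role,last_login
alice@example.com,admin,2025-06-20
bob@example.com,user,2024-11-02
carol@example.com,user,2025-06-01
erin@example.com,admin,2025-06-22
dave@example.com,user,2025-06-21
"""

# Rules for this application (assumptions): which job roles need it at all,
# which may hold admin rights, and how long an unused account may sit idle.
ROLES_NEEDING_ACCESS = {"finance"}
ADMIN_ROLES_ALLOWED = {"finance"}
STALE_AFTER_DAYS = 90


def review_access(roster_csv: str, users_csv: str, today: date) -> list:
    """Return (email, reason) pairs for every account that needs action."""
    roster = {row["email"].lower(): row
              for row in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for user in csv.DictReader(io.StringIO(users_csv)):
        email = user["email"].lower()
        person = roster.get(email)
        if person is None:
            findings.append((email, "no matching employee in HR roster: orphan account"))
            continue
        if person["status"] != "active":
            findings.append((email, f"employee is {person['status']} but still has access"))
            continue
        if person["role"] not in ROLES_NEEDING_ACCESS:
            findings.append((email, f"role '{person['role']}' has no need for this app"))
        if user["app_role"] == "admin" and person["role"] not in ADMIN_ROLES_ALLOWED:
            findings.append((email, "admin rights outside the allowed roles"))
        idle_days = (today - date.fromisoformat(user["last_login"])).days
        if idle_days > STALE_AFTER_DAYS:
            findings.append((email, f"no login for {idle_days} days: stale access"))
    return findings


def demo() -> list:
    """Run the review on the constructed data as of a fixed date."""
    return review_access(HR_ROSTER, APP_USERS, date(2025, 6, 30))


if __name__ == "__main__":
    for email, reason in demo():
        print(f"{email:22} {reason}")
```

Run it against each system that holds money or customer data and treat every line of output as a ticket: remove, downgrade, or document why the access stays. The orphan-account case is the one offboarding checklists miss most often, because the person was never in the application's "employees" list in the first place.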


10. Cyber Insurance — With a Known Insurer, Not Just a Policy Number

What it is: A cyber insurance policy that covers breach response costs, legal fees, and business interruption — and that comes with a breach response team (not just a claims process).

What to do: Not all cyber policies are equal. Look for a policy that includes access to a 24/7 breach response hotline, a dedicated claims adjuster, and coverage for both the breach costs and the business interruption. Download our free cyber insurance readiness checklist → It's what insurers actually want to see.


How to Use This Checklist

Work through it top to bottom. Each control you add reduces your risk significantly. The first five controls on this list — MFA, password manager, backups, phishing training, and an incident response plan — stop the vast majority of attacks targeting small businesses today.

If you're not sure where you stand, take our free 15-question Cybersecurity Scorecard. It takes 4 minutes and gives you a personalized risk rating with specific recommendations.

If you need help implementing any of these controls, book a discovery call with one of our instructors. We walk through your current setup and give you a prioritized roadmap — no obligation.