TickYouOff

Small Business Cybersecurity Checklist

Hard 18 items · 2 hours
testuser Published 4 weeks ago

A practical checklist to help small businesses secure networks, endpoints, and data. Ideal for small IT teams, managed service providers, and business owners who want a prioritized, actionable roadmap to reduce cyber risk.

  1. Identify and map critical assets — List systems that store or process sensitive data and their owners.
  2. Create and maintain an asset inventory — Record hostnames, OS, location, owner, and criticality in one place.
  3. Configure firewall rules and network segmentation — Use a default-deny approach and separate trust zones.
  4. Block unused inbound ports — Close ports at the firewall; allow only required services.
  5. Segment networks to separate users and servers — Use VLANs or subnets to limit lateral movement and risk.
  6. Enable automatic OS and application patching — Apply critical patches automatically, or in a scheduled window with a fixed deadline; cover browsers, office suites, and network devices as well as the OS.
  7. Deploy endpoint detection and response (EDR) on all endpoints — Ensure EDR is centrally managed and alerts are triaged promptly.
  8. Enforce multi-factor authentication (MFA) for all accounts — Require MFA for admin and user logins; prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) over SMS codes and push approvals, which can be phished or prompt-bombed.
  9. Apply least privilege: review and remove unnecessary admin rights — Audit privileges quarterly, adjust roles to the minimum required, and give administrators a separate admin account so daily-use accounts are not privileged.
  10. Secure remote access: enforce VPN and disable direct admin RDP — Never expose RDP or other admin protocols to the internet; reach them through a VPN with MFA or a jump host, and restrict source IPs where possible.
  11. Implement automated encrypted backups for critical data — Store backups offsite, encrypt in transit and at rest, and keep at least one copy offline or immutable so ransomware that reaches the network cannot encrypt or delete it.
  12. Verify backups by performing scheduled restore tests — Test restores quarterly, verify the restored files (not just that the job finished), and measure restore time against the documented recovery time objective (RTO).
  13. Implement email protections: SPF, DKIM, DMARC, and inbound filtering — Publish SPF and DKIM, start DMARC at p=none to collect reports, then move to quarantine and reject; enable anti-spam, attachment sandboxing, and URL rewriting.
  14. Configure centralized logging and alerting; retain logs at least 90 days — Collect firewall, EDR, authentication, and server logs into a central store or SIEM, keep clocks synchronized (NTP) so events correlate, and define who responds to alerts.
  15. Create an incident response plan and offline contact list — Document roles, escalation paths, and recovery steps; keep offline copy.
  16. Run a tabletop incident response exercise annually — Simulate ransomware or data breach scenarios with stakeholders.
  17. Train staff on phishing and secure data handling — Provide regular training and clear steps to report suspicious activity.
  18. Run phishing simulations and remediate users with failures — Track repeat offenders and provide targeted coaching.
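For item 13, publishing the records is only half the job; the records also need to be checked for settings that look protective but are not (an SPF record ending in +all, a DKIM key still in testing mode, a DMARC policy left at p=none). The linter below is an added example written for this page, not code from the checklist author or from any product. The sample records are constructed for the example and use reserved example domains; the DKIM p= value is a truncated placeholder, not a real key.

```python
"""Lint SPF, DKIM and DMARC TXT records for weak settings (added example)."""
from __future__ import annotations

import re

SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mech_name(term: str) -> str:
    """'-include:_spf.example.net' -> 'include'; 'ip4:203.0.113.0/24' -> 'ip4'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def lint_spf(record: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    alls = [t for t in terms if _mech_name(t) == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    elif alls[-1][0] not in "-~":  # 'all', '+all' or '?all'
        findings.append(f"'{alls[-1]}' lets any host send as this domain; use -all or ~all")
    lookups = sum(1 for t in terms if _mech_name(t) in SPF_LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if any(_mech_name(t) == "ptr" for t in terms):
        findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
    return findings


def _tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k2=v2' style DKIM/DMARC record into a dict with lowercased keys."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def lint_dkim(record: str) -> list[str]:
    tags = _tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional in DKIM key records
        return ["unknown DKIM version tag"]
    findings = []
    if not tags.get("p"):
        findings.append("empty p= tag: key is revoked, signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag: verifiers may treat failures as unsigned mail")
    if tags.get("k", "rsa").lower() not in ("rsa", "ed25519"):
        findings.append(f"unsupported key type k={tags['k']}")
    return findings


def lint_dmarc(record: str) -> list[str]:
    tags = _tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine, then reject, once reports are clean")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be delivered")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} enforces the policy on only part of the mail stream")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def lint_domain(spf: str, dkim: str, dmarc: str) -> dict[str, list[str]]:
    """Lint the three records of one domain; findings are keyed by record type."""
    return {"spf": lint_spf(spf), "dkim": lint_dkim(dkim), "dmarc": lint_dmarc(dmarc)}


# Constructed sample records: a weak "before" set and a hardened "after" set.
WEAK = dict(
    spf="v=spf1 include:_spf.example.net a mx ptr +all",
    dkim="v=DKIM1; k=rsa; t=y; p=",
    dmarc="v=DMARC1; p=none",
)
HARDENED = dict(
    spf="v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
    dkim="v=DKIM1; k=rsa; p=MIIBIjANBg...",  # truncated placeholder, not a real key
    dmarc="v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
)

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_domain(**recs))
```

To check a live domain, fetch the TXT records for the apex, `selector._domainkey.<domain>` and `_dmarc.<domain>` with your resolver of choice and pass the strings to `lint_domain`; the checks themselves need no network access.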
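Item 14 asks for alerting, not just collection. Here is one detection a small team can run over the logs it already has: a sliding-window count of SSH password failures per source address, escalated if the same address then logs in successfully. This is an added example written for this page, not code from the checklist author or from any SIEM product; the log lines are constructed in OpenSSH's syslog format using reserved documentation addresses, and the threshold and window are assumptions to tune for your environment.

```python
"""Detect SSH password guessing in sshd log lines (added example)."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure and success lines as OpenSSH writes them to auth.log / journald (syslog format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def _parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so window arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines: list[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """One 'medium' alert per source IP reaching `threshold` failures inside `window`,
    plus a 'high' alert if that IP later authenticates successfully."""
    failures: dict[str, deque[datetime]] = defaultdict(deque)
    alerted: set[str] = set()
    alerts: list[dict] = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, t = m["ip"], _parse_ts(m["ts"])
            q = failures[ip]
            q.append(t)
            while q and t - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"severity": "medium", "rule": "ssh_bruteforce",
                               "ip": ip, "count": len(q), "at": t})
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in alerted:  # guessing followed by a login: likely compromise
            alerts.append({"severity": "high", "rule": "ssh_bruteforce_success",
                           "ip": m["ip"], "user": m["user"], "at": _parse_ts(m["ts"])})
    return alerts


# Constructed sample log: one fast guessing run that succeeds, one stray failure,
# and one slow trickle that never reaches the threshold inside the window.
SAMPLE_LOG = """\
Mar 04 09:12:01 fs01 sshd[2214]: Failed password for invalid user admin from 198.51.100.7 port 51012 ssh2
Mar 04 09:12:04 fs01 sshd[2214]: Failed password for invalid user admin from 198.51.100.7 port 51013 ssh2
Mar 04 09:12:09 fs01 sshd[2219]: Failed password for root from 198.51.100.7 port 51020 ssh2
Mar 04 09:12:15 fs01 sshd[2221]: Failed password for backup from 198.51.100.7 port 51031 ssh2
Mar 04 09:13:40 fs01 sshd[2230]: Failed password for backup from 203.0.113.5 port 40022 ssh2
Mar 04 09:13:52 fs01 sshd[2233]: Failed password for backup from 198.51.100.7 port 51044 ssh2
Mar 04 09:14:03 fs01 sshd[2235]: Accepted password for backup from 198.51.100.7 port 51050 ssh2
Mar 04 09:20:00 fs01 sshd[2301]: Failed password for root from 192.0.2.9 port 3333 ssh2
Mar 04 09:40:00 fs01 sshd[2310]: Failed password for root from 192.0.2.9 port 3334 ssh2
Mar 04 10:00:00 fs01 sshd[2320]: Failed password for root from 192.0.2.9 port 3335 ssh2
Mar 04 10:20:00 fs01 sshd[2330]: Failed password for root from 192.0.2.9 port 3336 ssh2
Mar 04 10:40:00 fs01 sshd[2340]: Failed password for root from 192.0.2.9 port 3337 ssh2
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The slow trickle from 192.0.2.9 is deliberate: a fixed count without a time window would eventually fire on it, while a window that is too short misses it entirely, which is why the threshold and window are parameters rather than constants. The "high" escalation is the alert worth paging on; a failure burst alone is background noise on any internet-facing host.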
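Items 11 and 12 together: a backup job that reports "success" proves only that the job ran, so the restore test should compare what comes out of the archive with what went in. The script below is an added example written for this page, not code from the checklist author or from any backup product. It uses a tar.gz archive and a SHA-256 manifest as stand-ins for whatever backup tool is in use; the three sample files are constructed fixtures, and encryption and offsite copying are left to that tool.

```python
"""Backup, restore into scratch space, and verify every file (added example)."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def _safe_members(tar: tarfile.TarFile, dest: Path):
    """Yield only regular files and directories that land inside `dest`."""
    base = dest.resolve()
    for m in tar.getmembers():
        if not (m.isfile() or m.isdir()):
            continue  # skip symlinks, devices and other special entries
        if not (dest / m.name).resolve().is_relative_to(base):
            raise ValueError(f"archive member escapes destination: {m.name}")
        yield m


def restore_test(archive: Path, expected: dict[str, str]) -> dict:
    """Restore into a scratch directory and compare against `expected`.
    The returned restore_seconds is the number to hold against the RTO."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, members=_safe_members(tar, dest))
        actual = manifest(dest)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not missing and not corrupted, "files": len(expected),
            "missing": missing, "corrupted": corrupted,
            "restore_seconds": round(time.monotonic() - start, 3)}


def demo() -> tuple[dict, dict]:
    """Constructed fixture: three small files standing in for critical data."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "payroll").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        (src / "payroll" / "2024-03.csv").write_text("emp,amount\n7,1000\n")
        (src / "notes.txt").write_text("restore test fixture\n")
        archive = Path(work) / "data.tar.gz"
        expected = make_backup(src, archive)
        good = restore_test(archive, expected)
        # Change a source file after the backup: a fresh manifest no longer matches
        # the archive, and the test must say so instead of passing silently.
        (src / "payroll" / "2024-03.csv").write_text("emp,amount\n7,9999\n")
        drifted = restore_test(archive, manifest(src))
    return good, drifted


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Two details matter beyond the hash comparison. Extraction goes through `_safe_members`, which refuses archive entries that would land outside the scratch directory, because a restore is the moment an attacker-modified archive gets to write to disk. And `restore_seconds` is measured on the real restore path, which is the only way to find out whether the documented RTO is achievable before an incident forces the question.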