Cybercriminals target small businesses because they can
Forty-three percent of cyberattacks target small businesses. The reason is not sophistication — it is opportunity. Small companies have valuable data, weaker defenses, and fewer resources to recover. This checklist covers the 12 actions that give you the most protection for the least effort.
The 12-step checklist
1. Enable multi-factor authentication everywhere
Start with email, then financial accounts, then everything else. MFA blocks 99% of automated credential attacks.
2. Inventory every device that touches your network
You cannot protect what you do not know exists. List every laptop, phone, server, IoT device, and vendor-connected system. Update quarterly.
3. Patch software within 48 hours of critical updates
The average exploit appears 15 days after a patch is released. Automate OS updates. Subscribe to vulnerability alerts for critical business software.
4. Implement least-privilege access
Every employee should have the minimum access needed to do their job — nothing more. Review permissions every quarter. Revoke access the day someone leaves.
5. Back up data using the 3-2-1 rule
Three copies of your data, on two different media types, with one copy offsite or in the cloud. Test restores monthly.
6. Segment your network
Guest WiFi should never touch your internal network. IoT devices should live on their own VLAN. If one device gets compromised, segmenting limits the blast radius.
7. Deploy endpoint protection on all devices
Modern EDR (Endpoint Detection and Response) beats traditional antivirus. It watches for behavior patterns, not just known signatures.
8. Encrypt sensitive data at rest and in transit
Full-disk encryption on laptops. HTTPS everywhere. Encrypted backups. If a device gets stolen, encryption makes the data useless to attackers.
9. Train employees to spot phishing
Run simulated phishing campaigns quarterly. Share the results anonymized. Turn your team from the weakest link into a human firewall.
10. Create and test an incident response plan
Who gets called first? Who communicates with customers? Who handles forensics? Write it down. Practice it.
11. Vet your vendors’ security
Your security is only as strong as your weakest vendor. Ask for SOC 2 reports. Include security requirements in contracts.
12. Get a third-party security assessment
An external assessment costs $3,000–$15,000 depending on scope and delivers a prioritized list of vulnerabilities with remediation steps. Cheaper than a breach.
Start this week
Steps 1, 2, and 3 take less than a day combined and give you 80% of the protection for 20% of the effort. Schedule them now.