This checklist covers the 25 most impactful security measures a small business can implement — most of them free or nearly free. Print it, share it with your team, and work through it over a month.

1. Identity & Access

Deploy a password manager for every employee (Bitwarden — free) Enable MFA on all accounts that touch client data Audit who has admin access — remove anyone who doesn't need it Create a formal offboarding checklist (revoke access same day) Use a business email domain (not @gmail.com)

2. Email & Phishing

Enable SPF, DKIM, and DMARC on your email domain Train staff to recognize phishing (quarterly, 15-minute sessions) Set up email filtering (built into Google Workspace / M365) Test with simulated phishing emails once per quarter Establish a "report suspicious email" process

3. Endpoints & Devices

Enable automatic OS updates on all devices Deploy endpoint protection (Windows Defender is fine for most) Enforce full-disk encryption (BitLocker / FileVault) Disable USB autorun on all workstations Maintain an inventory of every device that touches company data

4. Backups & Recovery

Implement the 3-2-1 rule (3 copies, 2 media types, 1 offsite) Automate backups — no manual steps Test restoring from backup at least quarterly Keep at least one backup immutable (ransomware can't encrypt it) Document your recovery process

5. Network & Access Controls

Change default passwords on all routers and network gear Segment your network (guest WiFi separate from business) Use a VPN or zero-trust access for remote work Review firewall rules annually Monitor for unusual login attempts or network traffic

Score Yourself

20–25 Strong foundation

15–19 Good start, close the gaps

10–14 Significant risk

< 10 Urgent — you need help

Want help working through this list?

Book a free 30-minute assessment. We'll identify your biggest gaps and build a plan to close them.

Book a Free Assessment

The Small Business IT Security Checklist