The SMB Cybersecurity Checklist: 12 Things to Do Before You Get Hacked


You don't need a $2M security budget to protect your business. You don't need a SOC, a CISO, or a team of analysts. You need to do 12 specific things — and most of them are free. The businesses that get hit aren't always the ones that couldn't afford to protect themselves. They're often the ones that simply hadn't gotten around to doing the basics.

This checklist comes directly from what our IT Center Cybersecurity team finds during security assessments on new clients. We walk in, run the checklist, and see the same gaps repeated across industry after industry. The good news: every one of these items is fixable. The bad news: you need to fix them before an attacker finds them, not after.

Print this out. Check them off. Call us if you get stuck.

How to use this list: Go through each item with your IT team or IT provider. For any item that can't be immediately confirmed as complete — assume it's not done and treat it as a priority. A "we think it's set up" is not a pass.

The 12-Point Checklist

1. Enable MFA on Everything (Free)

Multi-factor authentication is the single highest-ROI security control available to a small business. Enable it on Microsoft 365, Google Workspace, your VPN, your bank, your cloud platforms, your password manager, and every admin account you own. Microsoft's own data shows that MFA blocks over 99.9% of automated account compromise attacks. Two caveats: not all second factors are equal, and MFA only helps where it is actually enforced. Prefer an authenticator app with number matching, or a FIDO2 security key for admin accounts, over SMS codes (defeated by SIM swapping) and plain push approvals (worn down by "MFA fatigue" prompt bombing). Then make sure nothing bypasses it: block legacy authentication protocols such as IMAP, POP and SMTP AUTH in Microsoft 365, because basic authentication never prompts for a second factor, and look for accounts that were excluded from the MFA policy "temporarily" and never put back. There is no excuse for any business account that handles email, money, or client data to be running without MFA in 2025.

2. Audit Admin Accounts — Remove What Shouldn't Exist (Free)

Pull a list of every admin-level account across your systems: Active Directory (Domain Admins, Enterprise Admins, local Administrators), Microsoft 365 (Global Administrator and the other privileged roles), your firewall, your servers, and your line-of-business applications. Every single one, including service accounts and shared logins, not just people. Now ask: does that person still work here? Do they still need admin access, or would a standard account plus a separate admin account used only when needed do the job? Do you know who created that account and why? Former employees with lingering admin access are one of the most common breach vectors we find. Insider threats, even unintentional ones from orphaned credentials, account for nearly 20% of incidents. Audit quarterly, minimum, and keep the results: the next audit starts by comparing against the last one.
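
The audit above is a join between two lists: the accounts that hold admin rights and the people who currently work here. The script below is an added example written for this article, not a tool the page or our team ships. It assumes you have exported the admin accounts (from `Get-ADGroupMember` on your privileged groups, the Microsoft 365 role assignments, or the firewall's user list) into the simple record layout shown, and that HR can give you a roster of current staff; both datasets here are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample export of every account holding an admin role. In practice
# you would build this from Get-ADGroupMember on your privileged AD groups and
# from the Microsoft 365 role assignments; the field names here are assumptions.
ADMIN_ACCOUNTS = [
    {"name": "jsmith",      "roles": ["Domain Admins"],        "last_logon": "2025-05-20", "owner": "Jane Smith"},
    {"name": "bjones",      "roles": ["Global Administrator"], "last_logon": "2024-11-02", "owner": "Bob Jones"},
    {"name": "svc_backup",  "roles": ["Domain Admins"],        "last_logon": "2025-05-21", "owner": ""},
    {"name": "tmp_vendor1", "roles": ["Domain Admins"],        "last_logon": "2023-08-14", "owner": "unknown"},
    {"name": "breakglass",  "roles": ["Global Administrator"], "last_logon": "2024-01-10", "owner": "IT Manager"},
    {"name": "helpdesk",    "roles": [],                       "last_logon": "2025-05-22", "owner": "Help Desk"},
]

# Constructed HR roster of people currently employed (the "does that person
# still work here?" question) and a documented exception list: accounts that
# are allowed to sit unused, such as a sealed break-glass admin.
CURRENT_STAFF = {"Jane Smith", "IT Manager", "Help Desk"}
DOCUMENTED_EXCEPTIONS = {"breakglass"}


def audit_admins(accounts, staff, exceptions, today, stale_days=90):
    """Return (account name, finding) pairs for admin accounts that fail the
    item-2 questions: unknown or departed owner, or no logon in stale_days."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=stale_days)
    findings = []
    for acct in accounts:
        # only privileged accounts matter here; documented exceptions are skipped
        if not acct["roles"] or acct["name"] in exceptions:
            continue
        owner = acct["owner"].strip()
        if not owner or owner.lower() == "unknown":
            findings.append((acct["name"], "no documented owner: find out who created it and why"))
        elif owner not in staff:
            findings.append((acct["name"], f"owner '{owner}' is no longer on staff: disable now"))
        last = datetime.strptime(acct["last_logon"], "%Y-%m-%d")
        if last < cutoff:
            findings.append((acct["name"], f"no logon since {acct['last_logon']}: admin rights are not being used"))
    return findings


def accounts_to_disable(findings):
    """Names of every account with at least one finding, for the ticket."""
    return sorted({name for name, _ in findings})


if __name__ == "__main__":
    for name, why in audit_admins(ADMIN_ACCOUNTS, CURRENT_STAFF, DOCUMENTED_EXCEPTIONS, "2025-05-22"):
        print(f"{name:12} {why}")
```

The break-glass account is the one deliberate exception: it should never log on in normal operation, so it would always show as stale. Put it on the exception list, but keep the exception list short and review it in the same quarterly audit.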

3. Patch Everything on a Schedule — Not "When We Get to It" (Low Cost)

Establish a formal patch schedule: critical patches within 14 days of release, standard patches within 30, and anything on CISA's Known Exploited Vulnerabilities list, or anything your vendor flags as exploited in the wild, as fast as you can test and deploy it. This applies to Windows, macOS, Linux, server operating systems, network firmware (firewalls, VPN appliances, switches, access points), and third-party applications such as browsers, PDF readers and remote-access tools. Internet-facing firewalls and VPN appliances deserve special attention: they are patched far less often than workstations and are routinely exploited within days of a disclosure. Unpatched vulnerabilities are responsible for a massive proportion of successful attacks because attackers know that most businesses patch slowly. Use an RMM tool or ask your MSP to automate this, and verify the result: a patch that is "deployed" but waiting on a reboot is not installed. Manual patching is too slow and too inconsistent.

4. Test Your Backups — Actually Restore Something (Free)

Backups that have never been tested are not real backups. They are hope. Perform a restore test quarterly: pick a non-production server or workstation, restore from backup, and verify the data is complete and the system is functional. Restore something meaningful, a database or a mailbox, not just a handful of files. Confirm your backup coverage: what's included, what's not (Microsoft 365 mail and SharePoint are usually not covered by a server backup), and how far back you can recover. The specific questions to answer: How old is the oldest backup you can restore from? How long does a full restore take (your recovery time objective)? What's the maximum data loss you'd accept in a disaster (your recovery point objective)? And can ransomware running with admin rights on your network reach and delete the backups? At least one copy should be offline or immutable, protected by credentials that are not the same domain admin credentials the attacker has just stolen. If you don't know the answers, your backup is not protecting you the way you think.

5. Enable Email Security Beyond the Defaults (Low Cost)

Default email security in Microsoft 365 and Google Workspace is a starting point, not an endpoint. Publish SPF, DKIM, and DMARC records for your domain. Together, these three email authentication standards let receiving mail servers verify that a message claiming to come from your domain really was sent by your systems, and reject or quarantine messages that forge it. Two details that are easy to get wrong: a DMARC record with p=none only generates reports and blocks nothing, so plan to move to p=quarantine and then p=reject once the reports show all your legitimate senders are authenticated; and SPF allows at most 10 DNS lookups, which a long list of include: entries for SaaS senders can exceed, silently breaking authentication. These records stop exact spoofing of your domain, not lookalike domains; your filtering and your people still have to catch those. Configure your spam filtering to quarantine suspicious messages rather than delivering them to a junk folder users never check. Consider a third-party email security layer (Microsoft Defender for Office 365 Plan 2, Proofpoint, or similar) for any business handling sensitive client data. Email is the number-one attack vector; the defenses need to match.
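
Most of the mistakes we find in SPF and DMARC are visible in the raw TXT record itself. The checker below is an added example for this article, not a tool from the page; it parses record strings the way a receiving server would and flags the weak settings described above (a missing or permissive all term, more than 10 SPF lookups, DMARC p=none or a partial pct, a missing reporting address, and an empty DKIM key). The records are constructed samples for a hypothetical domain, example-smb.test; pull your own with dig or nslookup and feed them in.

```python
# Constructed DNS TXT records for a hypothetical domain (example-smb.test).
# In practice you would pull the real ones with:
#   dig +short TXT example-smb.test
#   dig +short TXT _dmarc.example-smb.test
#   dig +short TXT selector1._domainkey.example-smb.test
SAMPLE_RECORDS = {
    "spf_good":      "v=spf1 include:spf.protection.outlook.com -all",
    "spf_softfail":  "v=spf1 include:spf.protection.outlook.com include:_spf.google.com a mx ~all",
    "spf_open":      "v=spf1 include:spf.protection.outlook.com +all",
    "spf_toomany":   "v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " -all",
    "dmarc_none":    "v=DMARC1; p=none; rua=mailto:dmarc@example-smb.test",
    "dmarc_partial": "v=DMARC1; p=quarantine; pct=25",
    "dmarc_good":    "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-smb.test",
    "dkim_revoked":  "v=DKIM1; k=rsa; p=",
    "dkim_good":     "v=DKIM1; k=rsa; p=EXAMPLEPUBLICKEYDATA",  # placeholder, not a real key
}


def _tags(record):
    """Parse 'k=v; k=v' records (DMARC and DKIM share this syntax)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def _is_lookup(term):
    # mechanisms that cost a DNS query under the RFC 7208 limit of 10 per evaluation
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx", "ptr") or t.startswith(("a:", "mx:", "ptr:", "include:", "exists:", "redirect="))


def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of a fail")
    elif all_term in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as your domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral: receivers will not fail forged mail")
    lookups = sum(1 for t in terms[1:] if _is_lookup(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10: receivers return permerror")
    return findings


def check_dmarc(record):
    tags = _tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only reports; forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy tag p={policy!r}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see the aggregate reports")
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def check_dkim(record):
    tags = _tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return ["not a DKIM record"]
    if not tags.get("p"):
        return ["empty p= tag: the key is revoked, so every signature will fail"]
    return []


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        check = {"spf": check_spf, "dma": check_dmarc, "dki": check_dkim}[name[:3]]
        print(name, check(rec) or "ok")
```

Softfail (~all) is left alone on purpose: once DMARC is at p=quarantine or p=reject, a softfail still counts as an SPF failure for DMARC, so it is an acceptable stepping stone. DKIM is only sanity-checked here; whether your outbound mail is actually signed shows up in the DMARC aggregate reports, which is another reason the rua= address matters.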

6. Disable RDP on the Public Internet (Free)

Remote Desktop Protocol exposed directly to the internet is one of the most scanned-for services in the world. Automated tools run by criminal organizations sweep the entire internet constantly looking for open RDP listeners (typically TCP port 3389, and moving it to another port does not hide it from a scanner). If they find yours, they run brute-force and credential-stuffing attacks against it until they get in, and any unpatched RDP vulnerability gives them an even faster route. The fix is simple: disable direct RDP access from the public internet entirely, at the firewall, not by changing the port or relying on account lockout. Remote access should go through a VPN or a Zero Trust access solution, with MFA enforced. While you are in the firewall, review the NAT and port-forwarding rules for anything else that shouldn't be exposed (SMB on 445, database ports, device management interfaces). If your current setup requires RDP exposed to the internet to work, that is an emergency to fix today.
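
Until the exposure is closed, the brute-force traffic is visible in the Windows Security log as a stream of failed logons (Event ID 4625) from one source address, often with a different username on every attempt. The detector below is an added example written for this article, not code from the page or from any product; it runs a sliding window per source IP over constructed sample events and raises three kinds of alert: a brute-force volume alert, a password-spray alert (many distinct usernames from one IP), and the one that matters most, a successful logon (4624) from an address that just failed repeatedly. The flattened event layout is an assumption for the example; real events come from Get-WinEvent or your SIEM.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events flattened to
# "timestamp|event_id|logon_type|username|source_ip". The layout is an
# assumption for this example. 4625 = failed logon, 4624 = successful logon.
# RDP attempts carry logon type 10 (RemoteInteractive), or type 3 when
# Network Level Authentication rejects the credentials before the session.
SAMPLE_EVENTS = """\
2025-05-22T02:00:01|4625|10|Administrator|203.0.113.45
2025-05-22T02:00:04|4625|10|admin|203.0.113.45
2025-05-22T02:00:07|4625|10|jsmith|203.0.113.45
2025-05-22T02:00:10|4625|10|backup|203.0.113.45
2025-05-22T02:00:13|4625|10|scanner|203.0.113.45
2025-05-22T02:00:16|4625|10|Administrator|203.0.113.45
2025-05-22T02:00:19|4625|10|admin|203.0.113.45
2025-05-22T02:00:22|4625|10|root|203.0.113.45
2025-05-22T02:00:25|4625|10|test|203.0.113.45
2025-05-22T02:00:28|4625|10|guest|203.0.113.45
2025-05-22T02:00:31|4625|10|Administrator|203.0.113.45
2025-05-22T02:00:34|4625|10|admin|203.0.113.45
2025-05-22T02:00:40|4624|10|jsmith|203.0.113.45
2025-05-22T08:15:02|4625|10|mlee|198.51.100.7
2025-05-22T08:15:20|4625|10|mlee|198.51.100.7
2025-05-22T08:15:41|4624|10|mlee|198.51.100.7
"""


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "type": int(logon_type), "user": user.lower(), "ip": ip})
    return events


def detect_rdp_attacks(events, threshold=10, window_minutes=5, spray_users=5, min_failures=3):
    """Sliding-window detection per source IP. Returns (kind, ip, detail) tuples:
    'bruteforce'             >= threshold failures inside the window
    'spray'                  >= spray_users distinct usernames inside the window
    'success_after_failures' a 4624 from an IP with >= min_failures recent failures
    min_failures keeps an ordinary user who mistyped twice from raising an alert."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> deque of (ts, user) for failures in the window
    fired = set()                # (kind, ip) pairs already alerted, to avoid repeats
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()          # drop failures that have aged out of the window
        if ev["id"] == 4625 and ev["type"] in (3, 10):
            q.append((ev["ts"], ev["user"]))
            users = {u for _, u in q}
            if len(q) >= threshold and ("bruteforce", ev["ip"]) not in fired:
                fired.add(("bruteforce", ev["ip"]))
                alerts.append(("bruteforce", ev["ip"], f"{len(q)} failed logons in {window_minutes} min"))
            if len(users) >= spray_users and ("spray", ev["ip"]) not in fired:
                fired.add(("spray", ev["ip"]))
                alerts.append(("spray", ev["ip"], f"{len(users)} distinct usernames tried"))
        elif ev["id"] == 4624 and len(q) >= min_failures:
            alerts.append(("success_after_failures", ev["ip"],
                           f"{ev['user']} logged on after {len(q)} failures"))
    return alerts


def attacker_ips(alerts):
    """Source addresses worth blocking at the firewall while the exposure is closed."""
    return sorted({ip for _, ip, _ in alerts})


if __name__ == "__main__":
    for kind, ip, detail in detect_rdp_attacks(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:24} {ip:16} {detail}")
```

The 198.51.100.7 entries are there to show the false-positive side: two failures followed by a success is a user with a typo, not an intrusion, and the min_failures threshold keeps it quiet. Treat a success_after_failures alert as an incident, not a notification: that account is compromised until proven otherwise.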

7. Segment Your Guest WiFi from Your Business Network (Low Cost)

If your guest WiFi and your business network share the same broadcast domain, meaning a guest device on your WiFi can reach your servers and workstations, you have a lateral movement risk. A compromised guest device (a client's laptop with malware, an IoT device, someone's personal phone) can become a launching point for attacks against your internal systems. Configure your router or access points to put guest WiFi on a separate VLAN with no access to internal resources. A VLAN by itself is not isolation: if your firewall or core switch routes between VLANs, you also need a rule that denies guest-to-internal traffic, and most access points can enable client isolation so guest devices cannot see each other either. Test it the simple way: join the guest network and try to reach a server by IP address. Printers, cameras and smart TVs, which are rarely patched, deserve the same treatment on their own VLAN. This is a basic network hygiene requirement that many small businesses overlook.

8. Install EDR, Not Just Antivirus (Moderate Cost)

Traditional antivirus works by matching files against a database of known malware signatures. Modern ransomware and advanced persistent threats are engineered to bypass signature-based detection; they're often deployed as living-off-the-land attacks that use legitimate Windows tools (PowerShell, WMI, PsExec, scheduled tasks) so that no recognisable malicious file ever touches disk. Endpoint Detection and Response (EDR) tools (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, or equivalent) monitor behavior in real time and can detect and stop attacks that look nothing like known malware. Two conditions make it actually work: deploy it to every endpoint, servers included, with tamper protection on so the attacker cannot simply uninstall it; and make sure a human sees the alerts. EDR that fires at 2 AM into a console nobody watches is not much better than antivirus, which is why most SMBs pair it with a managed detection and response (MDR) service. If you still have "just antivirus" on your endpoints, you have a significant gap.

9. Create an Incident Response Plan — Even a 1-Pager (Free)

When a ransomware attack hits at 2 AM, the people who need to respond should not be making decisions for the first time about who to call, who has authority to take systems offline, whether to contact the FBI, or how to reach clients. Write down the answers in advance. Your incident response plan doesn't need to be 50 pages. It needs: a list of who to call first (IT, legal, cyber insurance), who has authority to isolate systems, your cyber insurance policy number and the carrier's claims hotline (many policies require you to notify them, or to use their approved firms, before you engage anyone, or the cost may not be covered), contact info for your incident response firm, and a communication template for clients and staff. Keep printed copies and a copy on a phone: a plan stored only on the file server is unreachable once that server is encrypted. A 1-page document that everyone knows exists is vastly better than nothing.

10. Train Your Employees on Phishing — Once a Year Minimum (Low Cost)

Security awareness training is not a checkbox to complete during onboarding and never revisit. Attackers update their phishing techniques constantly; the emails that fooled people in 2022 look nothing like what's being sent in 2025. Deliver formal training at least once a year, and run simulated phishing campaigns at least quarterly, using a platform like KnowBe4, Proofpoint Security Awareness, or Microsoft's built-in Attack simulation training (included with Defender for Office 365 Plan 2). Track click rates, but pay at least as much attention to report rates: a company where 5% click and most staff report the message to IT within minutes is far safer than one where 3% click and nobody reports. Give people a one-click "report phishing" button and make sure the reports go somewhere that is actually triaged. Use the results to target additional training, not to punish, but to reinforce. The goal is to make skepticism of suspicious emails a reflex, not a conscious decision. You're building muscle memory against the most common attack vector in existence.

11. Monitor the Dark Web for Your Domain and Credentials (Moderate Cost)

Every week, massive data breaches are discovered and credential dumps, lists of usernames and passwords stolen from compromised services, appear on dark web forums. If your employees reuse passwords, their compromised credentials from a breach at some unrelated service could be the key attackers use to access your systems. Dark web monitoring services (SpyCloud, Recorded Future, or included in many security platforms) continuously scan criminal forums for your domain and email addresses. When a match is found, you're alerted and can force a password reset before the credential is weaponized. Treat this as early warning, not as the fix: monitoring is reactive and only covers the dumps your vendor has managed to obtain. The controls that remove the underlying risk are a company password manager so every account gets a unique password, MFA (item 1) so a leaked password alone is not enough, and checking passwords against known-breach lists at the moment they are set, which Have I Been Pwned's Pwned Passwords service lets you do without ever sending the password itself. In security, early warning is everything, but it works best behind controls that make the warning less urgent.
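
The "without ever sending the password" part is worth seeing, because it is the reason a breached-password check is safe to run from a password-change script or a help desk tool. The Pwned Passwords range API uses k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters, gets back every known suffix for that prefix, and does the match locally. The code below is an added example for this article, not code from the page or from Have I Been Pwned. The endpoint URL and headers are the service's documented ones; the range response used here is constructed so the example runs offline (the suffix for "password" is its real SHA-1 tail, but the counts and other suffixes are made up).

```python
import hashlib
from urllib.request import Request, urlopen


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """Return how often the password appears in known breach dumps (0 = not seen).
    fetch_range(prefix) must return the 'SUFFIX:COUNT' lines for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to .../range/5BAA6 so the example runs
# offline. The suffix on the second line is the real SHA-1 tail of "password";
# the counts and the other two suffixes are made up. The live service returns
# several hundred lines per prefix.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def offline_fetch(prefix):
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix):
    """Query the real Pwned Passwords range endpoint (needs network access).
    The service requires a User-Agent; Add-Padding makes every response a similar
    size so an observer cannot infer the prefix from the response length."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "smb-checklist-example", "Add-Padding": "true"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def screen_passwords(passwords, fetch_range=offline_fetch):
    """Map each candidate password to its breach count, e.g. to reject it at set time."""
    return {p: breach_count(p, fetch_range) for p in passwords}


if __name__ == "__main__":
    for pw, n in screen_passwords(["password", "Spring2025!"]).items():
        print(f"{pw!r}: {'seen %d times, reject' % n if n else 'not in sample data'}")
```

Swap offline_fetch for live_fetch to run it for real. Padded entries come back with a count of 0, which the matching loop already treats as "not seen". Note that this checks passwords, not your domain: it complements the domain monitoring described above rather than replacing it.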

12. Get a Penetration Test — If You've Never Been Tested, You're Already Exposed (Moderate Cost)

A penetration test is a controlled, authorized attempt by security professionals to break into your systems, to find what an attacker would find before an attacker does. For most SMBs, a basic external pen test ($3,000–$8,000) will reveal external attack surface issues that no internal checklist will catch. Internal tests, phishing simulations, and social engineering exercises reveal additional layers. Know what you are buying: an automated vulnerability scan with a report attached is not a penetration test, so ask the vendor whether a human will try to exploit and chain what the scanner finds. Agree on scope and rules of engagement in writing, including what is off limits and who to call if a test causes an outage, and budget for a retest after you remediate so you can prove the findings are closed. If your business has never been penetration tested, you are operating on the assumption that your defenses work, but that assumption has never been validated by anyone trying to defeat them. The pen test report becomes your prioritized remediation roadmap.

Where Most Businesses Stand Right Now

When our IT Center Cybersecurity team runs through this checklist with a new client, the median score is 4 out of 12. That's not a criticism — it's a reality. Items 1, 3, and 6 are consistently the most likely to be partially or fully incomplete. Item 4 (backup testing) is almost universally untested despite backups technically being in place. Item 12 (penetration testing) is almost universally skipped.

Four out of twelve means eight open doors. For an attacker with automated tools and patient persistence, eight open doors is more than enough.

The goal isn't perfection on day one. The goal is a prioritized plan: what do we fix this week, what do we fix this month, what do we put on the roadmap for the quarter. Cybersecurity is a continuous process — you don't complete it and move on. But you have to start somewhere, and starting with this list is starting in the right place.

Let IT Center Cybersecurity Run Through This Checklist With You

Free, no commitment, no pressure. Our security team will go through all 12 items with you, show you where you stand, and give you a clear picture of what to prioritize. One call is all it takes to know where your real risks are.
