The small-business cybersecurity checklist that actually matters
A prioritized, no-nonsense cybersecurity checklist for small business: the high-impact basics that stop most attacks before they start.
By Shield Networks
Cybersecurity advice for small business tends to arrive in two unhelpful flavours: terrifying and vague, or technical and endless. Neither helps you decide what to do on Monday morning. The good news is that the basics, done properly, stop the large majority of the attacks that actually hit businesses your size.
This is a prioritized checklist. The items near the top deliver the most protection for the least effort and cost. You do not need to do everything at once. You do need to do these.
Why the basics beat the buzzwords
Most breaches at small and mid-sized businesses are not the work of elite hackers. They are opportunistic: a reused password, a stale account, a missing update, a convincing fake email. Attackers go for easy targets because there are so many of them. The whole goal of this list is to make your business a harder target than the one beside you.
You will notice there is nothing exotic here. That is the point. Get the fundamentals right and you have closed the doors that most attacks walk through.
The checklist, in priority order
- Turn on multi-factor authentication everywhere. This is the single highest-impact thing you can do. Even if a password is stolen, MFA usually stops the attacker cold. Start with email and any system that touches money or client data, then expand. If you do only one thing on this list, do this.
- Back up your data, and test that it restores. Backups are not the goal; restoring is. A backup nobody has ever tested is a guess. Make sure backups run automatically, that a copy lives off-site or in the cloud, and that someone actually confirms a restore works on a regular schedule.
- Run real endpoint protection (EDR). Basic antivirus is no longer enough. Modern endpoint detection and response watches for suspicious behaviour, not just known viruses, and can stop an attack as it unfolds. This belongs on every computer, not just the server.
- Keep everything patched and up to date. Outdated software is one of the most common ways in. Operating systems, applications, and network equipment all need timely updates. Automate this where you can so it does not depend on anyone remembering.
- Train your team. Your people are either your strongest layer or your weakest, and the difference is whether they know what a phishing attempt looks like. Short, regular, practical training beats a once-a-year lecture nobody recalls. Teach them to slow down and verify before clicking or paying.
- Lock down email. Email is the front door for most attacks. Spam and phishing filtering, protections against spoofing of your domain, and a clear habit of verifying any payment or banking change by phone go a long way.
- Apply least privilege. People should have access to what they need for their job, and nothing more. When someone leaves, their access leaves with them, same day. Old accounts and over-broad permissions are a gift to an attacker.
- Write down an incident plan. When something goes wrong, you do not want to be inventing a response under pressure. A simple plan covering who to call, how to isolate affected systems, and how to communicate turns a crisis into a procedure.
- Get cyber insurance, and read the conditions. Insurance does not prevent incidents, but it cushions the financial blow of a serious one. Just know that insurers increasingly require the basics above, things like MFA and tested backups, before they will pay out. The checklist and the policy reinforce each other.
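What "test that it restores" looks like in practice, as an added example that is not part of the original checklist and not Shield Networks' own tooling: the script backs up a directory, restores the archive into a scratch location, and compares the result with the source file by file. The sample directory and its contents are constructed for the demonstration; the function names, the tarball format and the CSV-free layout are assumptions, not anything the article specifies.

```shell
#!/bin/sh
# Added example (not from the original article): make a backup of a directory,
# restore it somewhere else, and prove the restore matches the source.
# A backup that has never been restored is a guess; this turns it into a check.

# make_backup SRC_DIR ARCHIVE: compressed tarball of SRC_DIR, paths stored relative.
make_backup() {
    tar -czf "$2" -C "$1" .
}

# verify_restore SRC_DIR ARCHIVE: extract ARCHIVE into a scratch directory and
# compare it file by file with SRC_DIR. Returns 0 only if every file matches;
# a truncated archive, a failed extraction, or any changed file returns 1.
verify_restore() {
    vr_src="$1"; vr_archive="$2"
    vr_scratch=$(mktemp -d) || return 1
    vr_status=1
    if tar -xzf "$vr_archive" -C "$vr_scratch" 2>/dev/null \
       && diff -r "$vr_src" "$vr_scratch" >/dev/null 2>&1; then
        vr_status=0
    fi
    rm -rf "$vr_scratch"
    return "$vr_status"
}

# Constructed sample data standing in for real business files.
sample=$(mktemp -d)
mkdir -p "$sample/invoices"
printf 'invoice 001: 1,250.00\n' > "$sample/invoices/001.txt"
printf 'name,email\nAcme,billing@example.com\n' > "$sample/clients.csv"
archive="$sample.tar.gz"

make_backup "$sample" "$archive"
if verify_restore "$sample" "$archive"; then
    echo "restore verified: $archive matches $sample"
else
    echo "RESTORE FAILED for $archive"
fi
rm -rf "$sample" "$archive"
```

Run on a schedule, the useful part is the non-zero exit: a restore that silently drifts from the source (files changed after the last backup) or an archive that was cut short both fail the check, which is exactly the situation a once-a-year "the backup job says green" glance misses.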
How to actually work through this
If your list of gaps feels long, do not try to fix everything in a week. Sequence it:
- This month: MFA on email and financial systems, confirm backups are running and test one restore.
- This quarter: EDR on every device, automate patching, run your first round of staff training.
- Ongoing: tighten access as roles change, review email protections, write and then keep refreshing your incident plan.
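The "tighten access as roles change" step above, and the least-privilege item in the checklist, come down to a review somebody actually runs. As an added example that is not part of the original article and not Shield Networks' own tooling, the script below reads an account export and flags enabled accounts that belong to people who have left, or that nobody has signed into for longer than a chosen number of days. The CSV column layout and the sample rows are constructed for the demonstration; a real directory or SaaS admin console will export something similar but not identical.

```shell
#!/bin/sh
# Added example (not from the original article): review an account export for
# access that should already be gone. The CSV layout below is an assumption;
# replace it with whatever your directory or SaaS admin console exports.
#   username,account_status,days_since_login,employment_status

# stale_accounts CSV [MAX_IDLE_DAYS]: print one line per finding. An enabled
# account for someone who has left is always a finding; an enabled account
# unused for more than MAX_IDLE_DAYS (default 90) is too. Disabled accounts
# are ignored, since their access has already been removed.
stale_accounts() {
    awk -F, -v max="${2:-90}" '
        NR == 1 { next }                                   # skip header row
        $2 != "enabled" { next }                           # already disabled
        $4 == "departed" { print $1 ": departed but still enabled"; next }
        $3 + 0 > max + 0 { print $1 ": no login for " $3 " days"; next }
    ' "$1"
}

# stale_account_count CSV [MAX_IDLE_DAYS]: number of findings, handy for a
# scheduled job that alerts whenever the result is not zero.
stale_account_count() {
    stale_accounts "$1" "$2" | wc -l | tr -d ' '
}

# write_sample_csv PATH: constructed sample export used by the demo below.
write_sample_csv() {
    cat > "$1" <<'EOF'
username,account_status,days_since_login,employment_status
alice,enabled,3,active
bob,enabled,120,active
carol,enabled,15,departed
dave,disabled,400,departed
erin,enabled,45,active
EOF
}

sample=$(mktemp)
write_sample_csv "$sample"
echo "findings with the default 90-day limit:"
stale_accounts "$sample"
echo "total: $(stale_account_count "$sample")"
rm -f "$sample"
```

Two findings come out of the sample: bob's account has not been used in 120 days, and carol has left but is still enabled. The idle threshold is deliberately a parameter, because the right number differs between a finance system and a shared printer portal; the departed-but-enabled rule is not, since that one is never acceptable.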
Steady progress beats a heroic burst followed by neglect. Security is a habit, not a project with an end date.
Where small businesses get stuck
The most common failure we see is not a lack of tools. It is a lack of follow-through: MFA enabled on some accounts but not others, backups that quietly stopped running months ago, training that happened once. Security degrades when nobody is watching it. That is exactly the kind of ongoing attention a managed provider is built to give.
The second common trap is assuming you are too small to be a target. Attackers do not check your revenue first. Automated attacks scan for weaknesses across thousands of businesses at once, and a smaller business with weaker defences is often the easier win.
A practical next step
If you want to know where you actually stand, our quick security assessment is a low-effort way to find your gaps before someone else does. You can also see how we handle the fundamentals on our cybersecurity and backup and disaster recovery pages. When you would like a plain-English read on your setup, book a free call and we will walk through it with you.
Want this handled for you?
We help Western Canadian businesses turn IT and AI from a worry into an advantage. Book a free, no-pressure call.