
The Complete Cybersecurity Checklist for Small Businesses in 2025

A practical 25-point cybersecurity checklist covering essential protections every small business needs. Downloadable and actionable.

Leon Guy

Managing Director & Principal Engineer

January 22, 2026
5 min read

60% of small businesses close within six months of a major cyberattack. The good news? Most attacks exploit basic security gaps that are entirely preventable.

This checklist covers the essential security controls every small business should have in place. Use it to assess your current posture and identify gaps.


Access Control & Authentication

✅ 1. Unique User Accounts

Every employee has their own login credentials. No shared accounts.

Why it matters: Shared accounts make it impossible to track who did what—critical for security investigations and compliance.

✅ 2. Strong Password Policy

Minimum 12 characters, complexity requirements, no password reuse.

Why it matters: Weak passwords are the #1 entry point for attackers. "Password123" gets cracked in seconds.
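The three rules above (minimum length, complexity, no reuse) are easy to state and easy to get wrong in code. The following is an added example, not part of the original checklist: a small password-policy check that enforces all three, keeping only salted hashes of each user's previous passwords so that the reuse check never needs the old passwords in plaintext. The history size and the PBKDF2 iteration count are assumptions.

```python
# Added example (not from the original checklist): enforce minimum length,
# complexity, and no reuse. Reuse is checked against salted hashes of previous
# passwords, so old passwords are never stored in clear text.
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12
HISTORY_SIZE = 5  # assumed: remember the last five passwords per user


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-password salt (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def check_complexity(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:  # require at least three of the four character classes
        problems.append("needs at least three character classes, missing: " + ", ".join(missing))
    return problems


class PasswordHistory:
    """Per-user list of (salt, hash) pairs used to block password reuse."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []

    def was_used_before(self, password: str) -> bool:
        # Recompute the candidate with each stored salt; compare in constant time.
        return any(
            hmac.compare_digest(hash_password(password, salt), digest)
            for salt, digest in self._entries
        )

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(password, salt)))
        self._entries = self._entries[-HISTORY_SIZE:]  # keep only the most recent entries


def set_password(history: PasswordHistory, new_password: str) -> list[str]:
    """Apply the full policy; on success records the password and returns []."""
    problems = check_complexity(new_password)
    if history.was_used_before(new_password):
        problems.append("password was used recently")
    if not problems:
        history.remember(new_password)
    return problems


if __name__ == "__main__":
    h = PasswordHistory()
    print(set_password(h, "Password123"))              # rejected: too short
    print(set_password(h, "correct-horse-Battery-9"))  # accepted: []
    print(set_password(h, "correct-horse-Battery-9"))  # rejected: reuse
```

The example on the page, "Password123", fails only on length; the complexity rule is deliberately "three of four classes" rather than "all four" so that long passphrases with a single symbol are not rejected.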

✅ 3. Multi-Factor Authentication (MFA)

MFA enabled on all critical systems: email, banking, remote access, cloud services.

Why it matters: MFA stops 99.9% of automated attacks. Even if passwords are stolen, attackers can't get in.

✅ 4. Principle of Least Privilege

Employees only have access to systems and data required for their job.

Why it matters: Limits damage if an account is compromised. The receptionist doesn't need access to financial systems.

✅ 5. Prompt Access Termination

Process to disable accounts immediately when employees leave.

Why it matters: Former employees with active credentials are a significant threat vector.


Email Security

✅ 6. Email Filtering

Advanced spam and phishing filtering on all incoming email.

Why it matters: 91% of cyberattacks start with a phishing email. Filter them before employees see them.

✅ 7. DMARC/DKIM/SPF Records

Email authentication configured to prevent domain spoofing.

Why it matters: Stops attackers from sending emails that appear to come from your domain.
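Having the records published is not the same as having them enforce anything: an SPF record ending in `+all` or a DMARC record with `p=none` protects nobody. The following is an added example, not part of the original post, that checks SPF and DMARC record text for the settings that actually block spoofing. The two record pairs are constructed samples; a real check would first fetch the TXT records from DNS (at the domain for SPF, at `_dmarc.<domain>` for DMARC), which is omitted so the code runs offline. DKIM is not checked here because its record lives under a per-selector name that only the sending system knows.

```python
# Added example (not from the original checklist): evaluate SPF and DMARC
# record strings. Records below are constructed; DNS lookup is omitted.
import re

# SPF mechanisms that each cost a DNS lookup; RFC 7208 allows at most ten in total.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records for a domain that is set up correctly ...
STRONG_SPF = "v=spf1 include:_spf.example.net mx -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
# ... and for one that merely looks configured.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx +all"
WEAK_DMARC = "v=DMARC1; p=none"


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing to fix."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    # The qualifier (+ - ~ ?) in front of 'all' decides what happens to unlisted senders.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: mail from unlisted servers is not rejected")
    elif all_terms[-1].startswith("+") or all_terms[-1].lower() == "all":
        findings.append("'+all' allows any server to send as this domain")
    elif all_terms[-1].startswith("?"):
        findings.append("'?all' is neutral and provides no protection")
    elif all_terms[-1].startswith("~"):
        findings.append("'~all' softfail only; use '-all' once legitimate senders are listed")
    # Count top-level lookup mechanisms (nested includes are not expanded here).
    lookups = sum(
        1 for t in terms[1:]
        if re.split(r"[:=/]", t.lower().lstrip("+-~?"), 1)[0] in LOOKUP_MECHANISMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms at top level; SPF limits the total to 10")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means nothing to fix."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["missing or invalid 'p' tag; the record is ignored by receivers"]
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; p=reject blocks it")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: you receive no aggregate reports of spoofing attempts")
    return findings


def assess(spf: str, dmarc: str) -> dict:
    """Combine both checks; all_clear is True only when neither record needs work."""
    spf_findings = check_spf(spf)
    dmarc_findings = check_dmarc(dmarc)
    return {"spf": spf_findings, "dmarc": dmarc_findings,
            "all_clear": not spf_findings and not dmarc_findings}


if __name__ == "__main__":
    print(assess(STRONG_SPF, STRONG_DMARC))
    print(assess(WEAK_SPF, WEAK_DMARC))
```

Run against the weak pair, the check reports `+all` and `p=none`, which is exactly the state many domains are in after someone "set up SPF and DMARC" without ever moving past monitoring mode.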

✅ 8. External Email Warning

Banners on emails from outside your organization.

Why it matters: Helps employees identify potential phishing attempts from "the CEO" who's actually external.


Endpoint Protection

✅ 9. Next-Generation Antivirus

Modern endpoint protection on all devices (not just signature-based AV).

Why it matters: Traditional antivirus misses modern threats. You need behavioral detection.

✅ 10. Automatic Updates Enabled

Operating systems and applications update automatically.

Why it matters: 60% of breaches involve unpatched vulnerabilities. Patches fix known security holes.

✅ 11. Full-Disk Encryption

All laptops and portable devices encrypted.

Why it matters: Lost or stolen devices don't become data breaches if encrypted.

✅ 12. Mobile Device Management

Company data on personal devices can be remotely wiped.

Why it matters: Employees leave, phones get stolen—you need control over company data.


Network Security

✅ 13. Business-Grade Firewall

Next-generation firewall with intrusion prevention (not consumer router).

Why it matters: Your firewall is your digital front door. Consumer equipment has consumer-grade security.

✅ 14. Network Segmentation

Separate networks for operations, guests, and IoT devices.

Why it matters: If one segment is compromised, attackers can't easily move to critical systems.

✅ 15. Secure WiFi Configuration

WPA3 encryption, hidden SSID for business network, strong passwords.

Why it matters: Open or poorly secured WiFi is an easy entry point.

✅ 16. VPN for Remote Access

Secure VPN required for remote workers accessing company resources.

Why it matters: Public WiFi is dangerous. VPN encrypts all traffic.


Data Protection & Backup

✅ 17. Regular Backups

Critical data backed up at least daily.

Why it matters: Ransomware, hardware failure, human error—backups are your safety net.

✅ 18. Air-Gapped/Immutable Backups

At least one backup copy that ransomware cannot reach or encrypt.

Why it matters: Modern ransomware targets backups first. Offline copies survive.

✅ 19. Tested Recovery Process

Backups tested quarterly to verify data can actually be restored.

Why it matters: Untested backups might be corrupted or incomplete. You'll only find out when it's too late.
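A restore test is only meaningful if it compares what came back against what was backed up. The following is an added example, not from the original post, that shows items 17 and 19 as code: a backup step that records a SHA-256 manifest alongside the data, and a drill that restores into a clean directory and checks every file against that manifest, so a silently corrupted or missing file is reported now rather than discovered during an outage. Directory names and file contents are constructed for the demonstration.

```python
# Added example (not from the original checklist): back up with a hash manifest,
# then verify a restore against it. All paths and data below are constructed.
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def write_backup(source_dir: str, backup_dir: str) -> dict[str, str]:
    """Copy source_dir to backup_dir and store the manifest alongside the data."""
    manifest = build_manifest(source_dir)
    shutil.copytree(source_dir, backup_dir)
    with open(os.path.join(backup_dir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_restored(restore_dir: str, manifest: dict[str, str]) -> dict:
    """Compare a restored tree to the manifest; report missing and corrupted files."""
    missing, corrupted = [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restore_dir, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_of(path) != expected:
            corrupted.append(rel)
    return {"ok": not missing and not corrupted, "missing": missing, "corrupted": corrupted}


def run_drill() -> tuple[dict, dict]:
    """Back up a constructed data set, restore it, then damage the restore and re-check."""
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "finance"))
        with open(os.path.join(live, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2025-01-01,100\n")  # constructed sample data
        with open(os.path.join(live, "notes.txt"), "w") as f:
            f.write("quarterly drill\n")
        backup = os.path.join(work, "backup")
        write_backup(live, backup)

        # Restore into a clean directory and read the manifest back from the backup itself.
        restored = os.path.join(work, "restored")
        shutil.copytree(backup, restored)
        with open(os.path.join(restored, "MANIFEST.json")) as f:
            stored_manifest = json.load(f)
        healthy = verify_restored(restored, stored_manifest)

        # Simulate a bad restore: one file silently altered, one missing.
        with open(os.path.join(restored, "notes.txt"), "w") as f:
            f.write("truncated")
        os.remove(os.path.join(restored, "finance", "ledger.csv"))
        damaged = verify_restored(restored, stored_manifest)
        return healthy, damaged


if __name__ == "__main__":
    healthy, damaged = run_drill()
    print("clean restore:", healthy)
    print("damaged restore:", damaged)
```

For the immutable copy in item 18, the manifest should also be kept somewhere the backup job cannot rewrite; if an attacker can alter both the data and the manifest, the verification proves nothing.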

✅ 20. Data Classification

Sensitive data identified and protected with additional controls.

Why it matters: You can't protect what you don't know you have.


Security Awareness

✅ 21. Employee Security Training

All employees trained on security basics, phishing recognition, and incident reporting.

Why it matters: Your employees are your first line of defense—and often the weakest link.

✅ 22. Phishing Simulations

Regular simulated phishing tests to reinforce training.

Why it matters: Practice makes perfect. Simulations identify who needs additional training.

✅ 23. Incident Reporting Process

Clear process for employees to report suspicious activity without fear.

Why it matters: Early detection limits damage. Employees who fear punishment won't report.


Monitoring & Response

✅ 24. Security Monitoring

Systems monitored 24/7 for suspicious activity.

Why it matters: Average time to detect a breach is 277 days. Continuous monitoring catches threats faster.
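"Monitored 24/7" in practice means rules running continuously over logs. The following is an added example, not from the original post, of one such rule: a burst of failed logins from a single source, escalated to a high-severity alert if that source then logs in successfully. The log lines are constructed in an sshd-like format; the threshold and time window are assumptions to tune for your own environment.

```python
# Added example (not from the original checklist): failed-login burst detection
# over constructed log lines. Threshold and window are assumed values.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)
THRESHOLD = 5        # this many failures from one IP ...
WINDOW_SECONDS = 60  # ... within this many seconds raises an alert

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2025-03-04T10:15:01Z sshd: Failed password for admin from 203.0.113.7
2025-03-04T10:15:03Z sshd: Failed password for admin from 203.0.113.7
2025-03-04T10:15:04Z sshd: Failed password for root from 203.0.113.7
2025-03-04T10:15:05Z cron: nightly job started
2025-03-04T10:15:06Z sshd: Failed password for admin from 203.0.113.7
2025-03-04T10:15:09Z sshd: Accepted password for alice from 198.51.100.20
2025-03-04T10:15:10Z sshd: Failed password for admin from 203.0.113.7
2025-03-04T10:15:40Z sshd: Accepted password for admin from 203.0.113.7
2025-03-04T10:20:00Z sshd: Failed password for bob from 198.51.100.20
""".splitlines()


def parse(line: str) -> Optional[dict]:
    """Extract timestamp, outcome, user and source IP; None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines) -> list[dict]:
    """Return alerts for failed-login bursts and for a success following a burst."""
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    already_alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        window = recent_failures[ev["ip"]]
        # Drop failures that have aged out of the sliding window.
        while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) >= THRESHOLD and ev["ip"] not in already_alerted:
                already_alerted.add(ev["ip"])
                alerts.append({
                    "severity": "medium", "ip": ev["ip"], "user": ev["user"],
                    "reason": f"{len(window)} failed logins within {WINDOW_SECONDS}s",
                })
        elif window:
            # A success right after repeated failures from the same source is the
            # signal that most deserves a human look.
            alerts.append({
                "severity": "high", "ip": ev["ip"], "user": ev["user"],
                "reason": f"successful login after {len(window)} recent failures",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields two alerts for 203.0.113.7 (the burst, then the success at 10:15:40) and nothing for 198.51.100.20, whose single failure at 10:20 is well below the threshold. The point of the "already_alerted" set is to avoid paging on every additional failure once the burst has been reported; a production rule would also expire that suppression.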

✅ 25. Incident Response Plan

Documented plan for responding to security incidents.

Why it matters: Panic makes breaches worse. A plan ensures systematic, effective response.


How Did You Score?

20-25 checks: Strong security posture. Focus on continuous improvement.

15-19 checks: Good foundation with gaps. Prioritize missing controls.

10-14 checks: Significant risk exposure. Address critical gaps immediately.

Under 10 checks: High risk. You may already be compromised without knowing it.


Need Help Closing the Gaps?

Most small businesses don't have the internal expertise to implement enterprise-grade security. That's where we come in.

For 30 years, Layth Solutions has been protecting NYC businesses from cyber threats. We implement these controls as part of our managed IT services—so you get comprehensive security without hiring a security team.

Request a free security assessment to see where you stand and what it would take to check every box on this list.

Written by

Leon Guy

Managing Director & Principal Engineer

With extensive experience in enterprise IT, Layth Solutions delivers innovative technology solutions that help businesses thrive. Our expertise spans infrastructure, security, automation, and emerging technologies.
