Small businesses are the number one target for cyber attacks in 2026 — not Fortune 500 companies. Attackers know that small businesses handle real money and real customer data, but rarely have dedicated security teams or enterprise-grade defenses. The result: 43% of all cyber attacks now target businesses with fewer than 250 employees.
The good news: you do not need a six-figure security budget to protect your business. Most attacks exploit basic vulnerabilities — weak passwords, unpatched software, untrained employees. This checklist covers every category of risk, with specific actions you can start implementing today. Work through it section by section, and you will be better protected than 90% of small businesses.
Every item below is a concrete, actionable step. Check them off as you complete them. At the bottom of this article, you will find a printable summary you can pin to your office wall or share with your team.
1. Passwords & Authentication
Compromised credentials are behind 80% of data breaches. Passwords are the first line of defense, and for most small businesses, they are embarrassingly weak. If anyone on your team is using "company123" or reusing their personal Gmail password for business accounts, you have a problem.
Password & Authentication Checklist
Use a password manager for the entire team. Tools like Bitwarden (free for individuals) or 1Password Business generate and store unique passwords for every account. No more sticky notes, no more shared spreadsheets. Use our Password Generator to create strong, randomized passwords.
Enforce minimum 16-character passwords. Length matters more than complexity. A 16-character passphrase like "correct-horse-battery-staple" is vastly stronger than "P@ssw0rd!" and easier to remember when you need it.
Enable two-factor authentication (2FA) on every account. Email, banking, cloud storage, project management, social media — everything. Use an authenticator app (Google Authenticator, Authy) or hardware keys (YubiKey), not SMS codes which can be SIM-swapped.
Eliminate password sharing. If multiple people need access to an account, use the password manager's sharing feature or set up individual accounts with role-based access. Never send passwords over Slack, email, or text.
Audit all accounts quarterly. Remove access for ex-employees and contractors immediately upon departure. Review who has admin access — the fewer people with the keys to the kingdom, the smaller the attack surface.
Use our Password Generator tool to create secure passwords instantly. Set it to 20+ characters with symbols for maximum security, then save the result in your password manager.
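The quarterly account audit described above, as an added example that is not part of the original article: it runs over a constructed account export (hypothetical field names, not any provider's schema) and flags departed users who still have access, accounts without 2FA, idle accounts, and more admins than you have decided to allow.

```python
from datetime import date

# Constructed export of company accounts (hypothetical field names, not any
# provider's real schema); last_login is an ISO date string.
ACCOUNTS = [
    {"user": "alice", "status": "employed", "roles": ["admin"], "mfa": True, "last_login": "2026-01-20"},
    {"user": "bob", "status": "left", "roles": ["staff"], "mfa": True, "last_login": "2025-10-02"},
    {"user": "carol", "status": "contractor", "roles": ["admin", "billing"], "mfa": False, "last_login": "2026-01-19"},
    {"user": "dave", "status": "employed", "roles": ["staff"], "mfa": False, "last_login": "2025-09-01"},
]


def audit_accounts(accounts, today, max_admins=2, inactive_days=90):
    """Return (user, finding) pairs for the quarterly access review.

    Checks: departed people who still have accounts, accounts without 2FA,
    accounts idle longer than inactive_days, and more admins than max_admins.
    `today` may be a date or an ISO string so the review date is reproducible.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if acct["status"] == "left":
            findings.append((acct["user"], "departed but account still active: remove access now"))
        if not acct["mfa"]:
            findings.append((acct["user"], "2FA not enabled"))
        if idle > inactive_days:
            findings.append((acct["user"], f"no login for {idle} days: disable or confirm still needed"))
    admins = [a["user"] for a in accounts if "admin" in a["roles"]]
    if len(admins) > max_admins:
        findings.append(("(all)", f"{len(admins)} admins ({', '.join(admins)}) exceeds limit of {max_admins}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, date.today()):
        print(f"{user:8} {finding}")
```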
2. Device Security
Every laptop, phone, and tablet that connects to your business data is a potential entry point. One compromised device on your network can give attackers access to everything — customer records, financial data, email accounts, and cloud storage.
Device Security Checklist
Enable automatic operating system updates. Set all devices to install security patches automatically. Most exploits target known vulnerabilities that already have patches available — the problem is businesses that delay updates for weeks or months.
Encrypt all hard drives. Enable BitLocker (Windows) or FileVault (Mac) on every company device. If a laptop is stolen, encryption ensures the thief cannot read the data on the drive.
Install reputable endpoint protection. Windows Defender is good enough for basic protection. For stronger coverage, consider Malwarebytes Business or SentinelOne. Ensure real-time scanning is enabled, not just on-demand scans.
Enable remote wipe capability. Configure Find My Device (Windows/Mac) or a mobile device management (MDM) solution so you can remotely erase a lost or stolen device. Test this capability before you actually need it.
Set automatic screen locks. Require screens to lock after 5 minutes of inactivity. Require a password or biometric to unlock. This prevents casual access when a team member steps away from their desk or leaves a laptop at a coffee shop.
3. Network Security
Your network is the highway that connects all your devices and data. If an attacker gets onto your network, they can intercept traffic, spread malware laterally, and access resources that are not directly exposed to the internet.
Network Security Checklist
Use a business-grade router with firewall. Consumer routers lack proper logging, VLAN support, and firmware update cycles. Invest in a proper firewall/router from Ubiquiti, Meraki, or pfSense. Configure it to block inbound connections by default.
Separate guest and business WiFi. Create a dedicated guest network that is isolated from your internal network. Visitors and personal devices should never be on the same network as your business systems.
Use WPA3 encryption on all WiFi networks. If your router does not support WPA3, use WPA2-Enterprise at minimum. Never use WPA or WEP — they can be cracked in minutes.
Require VPN for remote workers. Any employee working from home, a co-working space, or a hotel should connect through a business VPN before accessing company resources. This encrypts all traffic between the remote device and your network.
Change default router credentials. Factory-default usernames and passwords for routers are published online. Change them immediately to unique credentials stored in your password manager.
4. Email Security
Email is the attack vector of choice for cybercriminals. Phishing, business email compromise, and malware-laden attachments all arrive through the inbox. Your email security practices are arguably the most important section of this entire checklist.
Email Security Checklist
Set up SPF, DKIM, and DMARC records. These DNS records verify that emails sent from your domain are actually from you, preventing spoofing. Without them, attackers can send emails that appear to come from your company. Use our Hash Generator to verify file integrity when receiving attachments.
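A check of the three DNS records just described, as an added example that is not part of the original article: it inspects SPF, DMARC and DKIM TXT records for a domain and reports settings that only monitor rather than enforce. The records are constructed for the reserved documentation domain example.com (the DKIM key is a placeholder); a real check would fetch them with a DNS TXT lookup.

```python
import re

# Constructed TXT records for example.com; the DKIM public key is a placeholder.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "google._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "google._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}


def parse_tags(record):
    """Split 'tag=value; tag=value' syntax (DMARC and DKIM records) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(domain, records, dkim_selector="google"):
    """Return findings as strings; an empty list means SPF, DKIM and DMARC all enforce."""
    findings = []
    spf = records.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record, so anyone can send as your domain")
    else:
        match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)  # the final 'all' mechanism
        qualifier = match.group(1) if match else None
        if qualifier in (None, "+"):
            findings.append("SPF: record does not end in -all, so unlisted senders pass")
        elif qualifier in ("~", "?"):
            findings.append(f"SPF: '{qualifier}all' is advisory only; use -all once every sender is listed")
    dmarc = parse_tags(records.get("_dmarc." + domain, ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record, so receivers will not reject spoofed mail")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so you get no aggregate reports")
    dkim = parse_tags(records.get(f"{dkim_selector}._domainkey.{domain}", ""))
    if dkim.get("v") != "DKIM1" or not dkim.get("p"):
        findings.append(f"DKIM: selector '{dkim_selector}' publishes no usable public key")
    return findings
```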
Train all employees to recognize phishing. Conduct quarterly phishing awareness sessions. Teach the team to check sender addresses carefully, hover over links before clicking, and verify unusual requests (especially payment changes) through a second channel like a phone call.
Enable email filtering and scanning. Use your email provider's built-in threat protection (Microsoft Defender for Office 365, Google Workspace security features) or add a third-party filter like Mimecast or Proofpoint.
Establish a payment change verification process. Any request to change banking details, wire money, or redirect payments must be verified through a phone call to a known number — never through email alone. This single rule can prevent business email compromise losses.
Disable auto-forwarding rules. Attackers who compromise an email account often set up forwarding rules to silently copy emails to an external address. Regularly audit email forwarding rules across all accounts.
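The forwarding-rule audit above, as an added example that is not part of the original article: it runs over a constructed export of inbox rules (hypothetical field names, not a vendor's schema), flags any rule that copies mail to a domain the business does not own, and marks as high risk the rules that also delete the original or carry a near-empty name, since both hide the copy from the mailbox owner.

```python
# Constructed export of mailbox inbox rules, in the shape an admin might pull
# from the mail provider. Field names are hypothetical, not a vendor's schema.
INBOX_RULES = [
    {"mailbox": "alice@example.com", "name": "Receipts to billing",
     "forward_to": ["billing@example.com"], "delete_original": False},
    {"mailbox": "bob@example.com", "name": ".",
     "forward_to": ["bob.archive@mail-example.net"], "delete_original": True},
    {"mailbox": "carol@example.com", "name": "Invoices folder",
     "forward_to": [], "delete_original": False},
]

INTERNAL_DOMAINS = {"example.com"}


def is_external(address, internal_domains):
    """True when the address's domain is not one the business owns."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def audit_forwarding_rules(rules, internal_domains):
    """Return (mailbox, finding) pairs for rules that copy mail out of the company.

    Every external forward is reported for review. It is rated high risk when the
    rule also deletes the original or has a blank or one-character name, because
    either trait keeps the mailbox owner from noticing the copy.
    """
    findings = []
    for rule in rules:
        external = [a for a in rule["forward_to"] if is_external(a, internal_domains)]
        if not external:
            continue
        hidden = rule["delete_original"] or len(rule["name"].strip()) <= 1
        risk = "high" if hidden else "review"
        text = f"[{risk}] rule {rule['name']!r} forwards to {', '.join(external)}"
        if rule["delete_original"]:
            text += " and deletes the original"
        findings.append((rule["mailbox"], text))
    return findings


if __name__ == "__main__":
    for mailbox, finding in audit_forwarding_rules(INBOX_RULES, INTERNAL_DOMAINS):
        print(mailbox, finding)
```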
5. Data Protection & Backups
If ransomware encrypts your files tomorrow, can you restore from backup and be operational within hours? If a disgruntled employee deletes shared folders, can you recover them? Data protection is your safety net for when — not if — something goes wrong.
Data Protection Checklist
Follow the 3-2-1 backup rule. Maintain 3 copies of critical data, on 2 different types of media, with 1 copy stored offsite (cloud backup). Test restoring from backup at least quarterly to confirm your backups actually work.
Encrypt sensitive data at rest and in transit. Customer data, financial records, and employee information should be encrypted in storage and when transmitted. Use HTTPS for all web traffic and encrypt cloud storage.
Implement least-privilege access control. Every employee should have access only to the data and systems they need for their role — nothing more. An intern should not have the same access as the CFO. Review permissions when roles change.
Classify your data by sensitivity. Not all data needs the same protection. Identify what is public, internal, confidential, and restricted. Apply security controls proportionally — customer payment data needs stronger protection than your office lunch menu.
Securely dispose of old devices and data. Before recycling or selling old computers, use a secure data wiping tool (not just "delete files"). Physically destroy hard drives containing highly sensitive data. Shred paper documents.
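One way to make the quarterly restore test from the 3-2-1 item concrete, as an added example that is not part of the original article: record a SHA-256 manifest of the live data before the backup runs, then check a restored copy against it so that missing and truncated files are reported rather than discovered during a real outage. The files and the "restore" (a plain directory copy) are constructed in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Record the SHA-256 of every file under root, taken on the live data before backup."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored copy against the manifest; return (missing, corrupted) path lists."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        path = Path(restored_root) / rel
        if not path.is_file():
            missing.append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            corrupted.append(rel)
    return missing, corrupted


def demo():
    """Constructed scenario: a clean restore, then one with a truncated and a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp) / "live", Path(tmp) / "restored"
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2026-01.csv").write_text("id,amount\n1,250.00\n")
        (live / "customers.db").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(live)          # taken before the backup job runs
        shutil.copytree(live, restored)          # stands in for restoring from the backup
        clean = verify_restore(manifest, restored)
        (restored / "customers.db").write_bytes(b"\x00" * 512)   # simulate a truncated restore
        (restored / "invoices" / "2026-01.csv").unlink()         # simulate a file never backed up
        broken = verify_restore(manifest, restored)
        return clean, broken


if __name__ == "__main__":
    print(demo())
```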
6. Website Security
Your website is your public face, and it is constantly scanned by automated bots looking for vulnerabilities. A compromised website can be used to steal customer data, distribute malware to visitors, or damage your brand reputation beyond repair.
Website Security Checklist
Enforce HTTPS everywhere with a valid SSL certificate. There is no excuse for running HTTP in 2026. Free SSL certificates are available through Let's Encrypt and Cloudflare. Ensure all pages redirect from HTTP to HTTPS.
Keep your CMS, plugins, and themes updated. WordPress plugins are one of the most common entry points for website hacks. Enable automatic updates for minor versions and check for major updates weekly.
Publish a privacy policy. Beyond being a legal requirement in most jurisdictions, a privacy policy signals to customers that you take data protection seriously. Use our Privacy Policy Generator to create one in minutes.
Use a web application firewall (WAF). Cloudflare's free tier includes basic WAF protection. For e-commerce or sites handling sensitive data, consider Cloudflare Pro or Sucuri for more comprehensive protection against SQL injection, XSS, and DDoS attacks.
Remove unused plugins, themes, and user accounts. Every piece of unused software is a potential vulnerability. Delete anything you are not actively using. Audit admin accounts and remove those belonging to former developers or agencies.
Use our Privacy Policy Generator to create a compliant privacy policy for your website in under two minutes. It covers GDPR, CCPA, and standard data collection disclosures.
7. Employee Training
Technology alone cannot protect your business. Humans are the weakest link in any security system — and also the strongest defense when properly trained. A single employee clicking a phishing link can bypass every firewall, antivirus, and encryption tool you have deployed.
Employee Training Checklist
Conduct security onboarding for every new hire. Before a new employee gets account access, walk them through your security policies: password requirements, 2FA setup, phishing awareness, data handling rules, and who to contact if they suspect an incident.
Run quarterly phishing simulations. Use a service like KnowBe4 or GoPhish (free) to send simulated phishing emails. Track who clicks, and provide additional training to those who fall for the simulation. Do not punish — educate.
Create a clear acceptable use policy. Document what employees can and cannot do with company devices. Cover personal use, software installation, public WiFi, USB drives, and cloud storage. Make it specific and concise — nobody reads a 40-page policy document.
Establish a "see something, say something" culture. Employees should feel safe reporting suspicious emails, accidental clicks, or potential security issues without fear of punishment. Fast reporting limits the damage of any incident. Designate a specific person or channel for security reports.
8. Incident Response Plan
When (not if) a security incident occurs, the difference between a minor disruption and a business-ending catastrophe is how fast and effectively you respond. Having a plan before you need it means you can act immediately instead of panicking.
Incident Response Checklist
Write a one-page incident response plan. It does not need to be complex. Document: (1) who to call first, (2) how to contain the threat, (3) how to communicate with affected parties, (4) how to restore from backup. Print copies — if your network is down, you cannot access a cloud document.
Designate an incident response lead. One person should own the security response process. For small businesses, this is usually the owner or a senior employee with the most technical knowledge. They make decisions during an incident.
Maintain an emergency contact list. Include: IT support, internet service provider, hosting provider, cyber insurance carrier, legal counsel, and local law enforcement cyber unit. Store this list in a physical location, not just digitally.
Know your breach notification requirements. Most states and countries require notifying affected individuals and regulators within 72 hours of discovering a data breach. Know your jurisdiction's requirements before an incident occurs.
Conduct a tabletop exercise annually. Gather your team and walk through a hypothetical scenario: "We just received a ransomware demand. What do we do?" Talking through it once makes the real thing far less chaotic.
Printable Checklist Summary
Here is the complete checklist in a compact format. Print this page (Ctrl+P / Cmd+P) and the article content will be hidden, leaving only this summary for your wall or binder.
Small Business Cybersecurity Checklist (2026)
ToolKit.dev — Print this page for a clean checklist
- Deploy a password manager for the entire team
- Enforce minimum 16-character passwords
- Enable 2FA on every account (use authenticator apps, not SMS)
- Eliminate password sharing — use manager sharing features
- Audit accounts and remove ex-employee access quarterly
- Enable automatic OS and software updates
- Encrypt all hard drives (BitLocker / FileVault)
- Install endpoint protection with real-time scanning
- Enable remote wipe capability on all devices
- Set automatic screen lock after 5 minutes
- Use a business-grade router with firewall
- Separate guest and business WiFi networks
- Use WPA3 encryption on all WiFi
- Require VPN for all remote workers
- Change default router credentials
- Configure SPF, DKIM, and DMARC DNS records
- Conduct quarterly phishing awareness training
- Enable email filtering and threat scanning
- Establish payment change verification via phone
- Disable and audit email auto-forwarding rules
- Follow the 3-2-1 backup rule and test restores quarterly
- Encrypt sensitive data at rest and in transit
- Implement least-privilege access control
- Classify data by sensitivity level
- Securely wipe and destroy old devices
- Enforce HTTPS with a valid SSL certificate
- Keep CMS, plugins, and themes updated
- Publish a privacy policy
- Use a web application firewall (WAF)
- Remove unused plugins, themes, and accounts
- Security onboarding for every new hire
- Quarterly phishing simulations
- Written acceptable use policy
- Blameless reporting culture for incidents
- One-page incident response plan (printed copy)
- Designated incident response lead
- Physical emergency contact list
- Know your breach notification requirements
- Annual tabletop exercise