Small Business Security Is About Layers
Small businesses often ask what they should do first to improve cybersecurity. The answer is not one product. Good security comes from layers that reduce the chance of compromise and improve recovery when something goes wrong.
This checklist is intended for practical business planning. It is not a compliance audit, but it covers the controls most small businesses should take seriously.
1. Enable MFA
Use multi-factor authentication for Microsoft 365, administrator accounts, VPN, remote access, banking, payroll, backup systems, and other critical services.
2. Use Endpoint Protection and EDR
Every workstation and server should have managed endpoint protection. Where practical, use EDR for better visibility into suspicious behavior.
3. Patch Systems
Keep Windows, browsers, Office, line-of-business applications, firewalls, switches, and servers updated. Attackers frequently use known vulnerabilities.
4. Protect Email
Email remains one of the most common attack paths. Use spam filtering, phishing protection, attachment scanning, SPF, DKIM, DMARC, and user training.
5. Back Up Important Data
Backups should be automatic, monitored, protected from ransomware, and tested. A backup that has never been restored is not a proven recovery plan.
6. Limit Administrator Rights
Users should not have local administrator rights unless there is a real business reason. Admin accounts should be separate and protected.
7. Secure Microsoft 365
Review MFA, legacy authentication, mailbox forwarding, administrator roles, sharing settings, retention, and backup strategy.
8. Use DNS Filtering
DNS filtering can block known malicious domains before users connect to them. It is not perfect, but it is a useful layer.
9. Document the Network
Keep records of firewalls, switches, WiFi, servers, backups, vendors, admin accounts, internet circuits, and critical systems. Documentation speeds recovery.
10. Train Employees
Training should focus on real threats: phishing, MFA prompts, payment changes, suspicious attachments, password reuse, and reporting quickly.
11. Review Remote Access
Remote access should be protected with MFA, limited to necessary users, monitored, and kept patched. Avoid exposing remote desktop directly to the internet.
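To make the "do not expose remote desktop directly to the internet" advice checkable, here is an added example (not from the checklist, and not in any vendor's rule syntax) that reads a simple text export of allow/deny rules and flags allow rules that open a remote-access port (RDP, SSH, VNC, WinRM, Telnet) to any source, or to a specific external range. The rule set and the five-field line format are constructed for the example; a real firewall export would need its own parser in place of `parse_rules`.

```python
"""Flag firewall rules that expose remote-access services to the internet.

Added example for the remote-access checklist item. The rule lines below are
constructed samples in a made-up 'action proto port source destination' format.
"""
import ipaddress

# Ports whose exposure to the internet this check reports on.
REMOTE_ACCESS_PORTS = {
    22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC", 5985: "WinRM", 5986: "WinRM-HTTPS",
}

# RFC 1918 ranges; sources inside these are treated as internal.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_RULES = """
# action proto port source destination   (constructed sample rule set)
allow tcp 3389 0.0.0.0/0 10.0.0.5
allow tcp 443 0.0.0.0/0 10.0.0.10
allow tcp 3389 10.0.0.0/8 10.0.0.5
allow tcp 22 203.0.113.0/24 10.0.0.20
allow udp 1194 0.0.0.0/0 10.0.0.2
deny tcp 3389 0.0.0.0/0 10.0.0.5
"""


def parse_rules(text):
    """Parse the five-field sample format into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, port, source, destination = line.split()
        rules.append({
            "action": action.lower(),
            "proto": proto.lower(),
            "port": int(port),
            "source": ipaddress.ip_network(source, strict=False),
            "destination": destination,
        })
    return rules


def classify_source(net):
    """'any' for the whole internet, 'internal' for RFC 1918, else 'external-restricted'."""
    if net.prefixlen == 0:
        return "any"
    if any(r.version == net.version and net.subnet_of(r) for r in RFC1918):
        return "internal"
    return "external-restricted"


def audit_rules(text):
    """Return findings for allow rules that open a remote-access port to outside sources."""
    findings = []
    for rule in parse_rules(text):
        if rule["action"] != "allow" or rule["port"] not in REMOTE_ACCESS_PORTS:
            continue
        exposure = classify_source(rule["source"])
        if exposure == "internal":
            continue
        findings.append({
            "service": REMOTE_ACCESS_PORTS[rule["port"]],
            "port": rule["port"],
            "destination": rule["destination"],
            "source": str(rule["source"]),
            # Any-source exposure is the case the checklist warns about; a fixed
            # external range is better but still warrants MFA or a VPN in front.
            "severity": "high" if exposure == "any" else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['severity'].upper():6} {f['service']}/{f['port']} on {f['destination']} "
              f"reachable from {f['source']}")
```

Deny rules are ignored rather than evaluated in order, so the result is a list of candidates for review rather than a statement about what the firewall actually permits; the VPN rule on UDP 1194 is not flagged because putting remote access behind a VPN is the recommended pattern.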
12. Have an Incident Plan
Know who to call, how to isolate systems, where backups are, how to reach insurance, and who makes decisions during an incident.
Frequently Asked Questions
What is the first cybersecurity step for a small business?
Enable MFA on email, remote access, administrator accounts, and financial systems.
Do small businesses need EDR?
Most businesses benefit from stronger endpoint visibility, especially if they rely on Microsoft 365, shared files, or remote work.
Are backups part of cybersecurity?
Yes. Backups are essential for recovery after ransomware, deletion, hardware failure, or user error.
How often should cybersecurity be reviewed?
At least annually, and whenever the business changes systems, vendors, remote work, or compliance requirements.
Can a small business be too small to be targeted?
No. Many attacks are automated and target any exposed account, weak password, vulnerable system, or user who clicks.