Managed IT • Commercial Security Cameras • Cybersecurity • WiFi • Northern Michigan
833-787-2487 • support@northern-pc.com
Security Planning

Small Business Cybersecurity Checklist

Small business cybersecurity is not one product. It is a set of practical layers that reduce risk and improve recovery.

Quick Answer

Start with MFA, endpoint protection, patching, email security, backups, administrator controls, and remote access review.

  • MFA is the first high-value step
  • Backups are part of security
  • Documentation and response plans matter

Small Business Security Is About Layers

Small businesses often ask what they should do first to improve cybersecurity. The answer is not one product. Good security comes from layers that reduce the chance of compromise and improve recovery when something goes wrong.

This checklist is intended for practical business planning. It is not a compliance audit, but it covers the controls most small businesses should take seriously.

1. Enable MFA

Use multi-factor authentication for Microsoft 365, administrator accounts, VPN, remote access, banking, payroll, backup systems, and other critical services. Where the service supports it, prefer an authenticator app with number matching or a hardware security key over SMS codes, which can be intercepted or socially engineered.

2. Use Endpoint Protection and EDR

Every workstation and server should have managed endpoint protection. Where practical, use EDR for better visibility into suspicious behavior.

3. Patch Systems

Keep Windows, browsers, Office, line-of-business applications, firewalls, switches, and servers updated. Attackers frequently exploit vulnerabilities for which a patch already exists, so prioritize anything reachable from the internet, such as firewalls, VPN appliances, and remote access gateways.

4. Protect Email

Email remains one of the most common attack paths. Use spam filtering, phishing protection, attachment scanning, and user training, and publish SPF, DKIM, and DMARC records so that receiving mail servers can verify messages claiming to come from your domain and reject forgeries. A DMARC policy of p=none only reports; spoofed mail is not blocked until the policy is moved to quarantine or reject.
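The SPF and DMARC settings described above are published as DNS TXT records, and the weak versions are easy to miss by eye. The script below is an added example for this page, not part of the original checklist or the provider's tooling. It takes the record text as a string, so the sample records are constructed; on a real domain you would paste in the TXT records returned by a DNS query for the domain and for _dmarc.<domain>.

```python
"""Flag weak SPF and DMARC settings in published DNS TXT records.

Added example; the domains and records below are constructed samples,
not real DNS data. Feed in the TXT record for your domain (SPF) and for
_dmarc.<domain> (DMARC) to check a real tenant.
"""
import re

# Constructed sample records (hypothetical domains).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "good.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    },
    "nodmarc.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 ~all",
        "dmarc": None,
    },
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|exists:|redirect=|ptr(?=:|$)|a(?=[:/]|$)|mx(?=[:/]|$))",
    re.IGNORECASE,
)


def spf_findings(record):
    """Return a list of problems with an SPF record; empty list means none found."""
    if record is None:
        return ["no SPF record: any server can claim to send for this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not a valid SPF record (missing v=spf1)"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # default qualifier is pass
        if qualifier == "+":
            findings.append("'+all' authorizes every sender; SPF provides no protection")
        elif qualifier == "?":
            findings.append("'?all' is neutral: unlisted senders neither pass nor fail")
        elif qualifier == "~":
            findings.append("'~all' is softfail; move to '-all' once all senders are listed")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the limit of 10; SPF will permerror")
    return findings


def dmarc_findings(record):
    """Return a list of problems with a DMARC record; empty list means none found."""
    if record is None:
        return ["no DMARC record: receivers have no policy to apply to spoofed mail"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; tighten to p=reject when reports are clean")
    elif policy != "reject":
        findings.append(f"missing or unknown policy tag p={policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


def assess_domain(domain, spf, dmarc):
    """Combine SPF and DMARC findings for one domain."""
    return {"domain": domain, "spf": spf_findings(spf), "dmarc": dmarc_findings(dmarc)}


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        result = assess_domain(name, recs["spf"], recs["dmarc"])
        print(name)
        for kind in ("spf", "dmarc"):
            for finding in result[kind] or ["ok"]:
                print(f"  {kind.upper()}: {finding}")
```

The check deliberately treats '~all' and p=none as findings rather than passes: both are normal during rollout, but many small businesses stop there and never reach '-all' and p=reject, which are the settings that actually cause forged mail to be dropped.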

5. Back Up Important Data

Backups should be automatic, monitored, and tested, with at least one copy kept offline or immutable so that ransomware that reaches the network (or an attacker who gains admin credentials) cannot encrypt or delete it. A backup that has never been restored is not a proven recovery plan; restore real files on a schedule and record how long it takes.

6. Limit Administrator Rights

Users should not have local administrator rights unless there is a real business reason. Admin accounts should be separate from daily-use accounts, protected with MFA, and never used for email or web browsing, so that a phishing click on a normal account does not hand over administrative access.

7. Secure Microsoft 365

Review MFA enforcement, legacy authentication (older protocols such as POP, IMAP, and SMTP AUTH bypass MFA and should be blocked), mailbox forwarding rules (forwarding to an external address is a common sign of a compromised mailbox), administrator roles, sharing settings, retention, and backup strategy.

8. Use DNS Filtering

DNS filtering can block known malicious domains before users connect to them. It is not perfect, but it is a useful layer.

9. Document the Network

Keep records of firewalls, switches, WiFi, servers, backups, vendors, admin accounts, internet circuits, and critical systems. Documentation speeds recovery.

10. Train Employees

Training should focus on real threats: phishing, unexpected MFA prompts the user did not initiate, requests to change payment or banking details, suspicious attachments, password reuse, and reporting quickly without fear of blame.

11. Review Remote Access

Remote access should be protected with MFA, limited to necessary users, monitored, and kept patched. Avoid exposing remote desktop (RDP) directly to the internet; it is scanned continuously for weak passwords, so place it behind a VPN or a gateway that enforces MFA.

12. Have an Incident Plan

Know who to call, how to isolate systems, where backups are, how to reach insurance, and who makes decisions during an incident. Keep a copy of the plan and key contacts somewhere reachable when the network and email are down, such as a printed copy or a personal phone.

Frequently Asked Questions

What is the first cybersecurity step for a small business?

Enable MFA on email, remote access, administrator accounts, and financial systems.

Do small businesses need EDR?

Most businesses benefit from stronger endpoint visibility, especially if they rely on Microsoft 365, shared files, or remote work.

Are backups part of cybersecurity?

Yes. Backups are essential for recovery after ransomware, deletion, hardware failure, or user error.

How often should cybersecurity be reviewed?

At least annually, and whenever the business changes systems, vendors, remote work, or compliance requirements.

Can a small business be too small to be targeted?

No. Many attacks are automated and target any exposed account, weak password, vulnerable system, or user who clicks.

Need Help Securing Your Business?

Northern Computer Services helps Northern Michigan businesses improve security with managed IT, Microsoft 365 security, endpoint protection, DNS filtering, backups, and practical cybersecurity planning.