This is the final post in our fifteen-part Fundamentals of Cyber Security series. Everything in the series has been building towards this: a practical, comprehensive checklist that any small business can use to assess their current position and identify the gaps that need addressing.
The checklist is organised across ten categories. For each item, ask: is this in place, fully and verifiably? Not "we have something that does this" — that's the answer that leads to backups that don't work and MFA that was enabled on one system but not the one that was breached. But "yes, this is in place, we've verified it, and we have evidence."
This checklist also maps to the Cyber Essentials scheme. Items marked [CE] are required or closely related to Cyber Essentials certification.
1. Backups
Backups are first because a working backup is the control that determines whether a catastrophic incident is recoverable or not.
- ☐ We keep at least three copies of all critical business data, on two different types of storage, with one copy off-site (the 3-2-1 rule)
- ☐ At least one copy is offline or otherwise unreachable from the production network: it cannot be modified or deleted using the credentials an attacker would obtain on our systems
- ☐ At least one copy is immutable or air-gapped, so ransomware that reaches the backup system cannot encrypt or delete it
- ☐ Email is backed up separately from the file system (Microsoft 365 / Google Workspace retention is not a backup)
- ☐ Line-of-business application data (CRM, practice management, accounting) is explicitly included in backups
- ☐ Staff laptops are backed up — not just the file server
- ☐ We have tested a restore from backup in the last three months
- ☐ We have run a full recovery test (restoring everything to a clean system) in the last 12 months
- ☐ Backup data is encrypted at rest, and the encryption key or passphrase is held somewhere we can reach when our primary systems are unavailable (a restore we cannot decrypt is not a restore)
- ☐ We know our Recovery Point Objective (how much data we can afford to lose) and our backup frequency meets it
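"Tested a restore" should mean the restored files were compared against what was backed up, not that the backup job reported success. The following is an added illustration written for this checklist, not a tool from the series: it records a SHA-256 manifest of a source directory, checks a restored copy against it, and tests backup age against an RPO. The sample files and timestamps are constructed so it runs offline; point `build_manifest` and `verify_restore` at real directories to use it for evidence.

```python
"""Added example: verify a restore byte-for-byte and check backup freshness
against a Recovery Point Objective. Illustrative code for this checklist,
not from the series; the sample data is constructed."""
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest.
    Take this at backup time and keep it with the backup's paperwork."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored directory against the manifest taken at backup time.
    Reports files that did not come back, files whose content differs, and
    files that appeared from nowhere."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    unexpected = sorted(p for p in restored if p not in manifest)
    return {"missing": missing, "corrupted": corrupted, "unexpected": unexpected}


def backup_meets_rpo(last_backup_iso: str, now_iso: str, rpo_hours: float) -> bool:
    """True if the newest successful backup is no older than the RPO.
    Timestamps are ISO 8601 strings, e.g. '2024-06-01T02:00:00'."""
    last = datetime.fromisoformat(last_backup_iso)
    now = datetime.fromisoformat(now_iso)
    return timedelta(0) <= now - last <= timedelta(hours=rpo_hours)


def demo() -> dict[str, list[str]]:
    """Constructed sample: back up three files, then simulate a restore in which
    one file is missing and one has silently changed."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        (source / "accounts").mkdir(parents=True)
        (source / "invoices.csv").write_text("inv-1001,250.00\n")
        (source / "accounts" / "ledger.txt").write_text("opening balance 1000\n")
        (source / "notes.txt").write_text("call supplier\n")
        manifest = build_manifest(source)

        (restored / "accounts").mkdir(parents=True)
        (restored / "invoices.csv").write_text("inv-1001,250.00\n")  # intact
        (restored / "accounts" / "ledger.txt").write_text("opening balance 999\n")  # changed
        # notes.txt is deliberately not restored
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
    print(backup_meets_rpo("2024-06-01T02:00:00", "2024-06-01T22:00:00", rpo_hours=24))
```

The manifest approach scales to the full recovery test too: build it once over the live data, and the restore test becomes a report you can attach to the checklist rather than a feeling that "it worked".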
2. Passwords and Authentication
- ☐ We use a business password manager and all staff have adopted it [CE adjacent]
- ☐ All staff accounts use unique passwords — no reuse across accounts
- ☐ MFA is enabled on all email accounts [CE]
- ☐ MFA is enabled on all cloud services and SaaS applications [CE]
- ☐ MFA is enabled on VPN and remote access [CE]
- ☐ Administrator accounts have MFA and are separate from standard user accounts [CE]
- ☐ Default passwords have been changed on all devices and services — routers, switches, printers, software
- ☐ Shared accounts have been eliminated or minimised, with credentials managed in a shared vault
3. Patching and Updates
- ☐ All operating systems are current and supported — no end-of-life OS in use [CE]
- ☐ Automatic updates are enabled on all operating systems where possible [CE]
- ☐ All applications are kept current — browsers, Office, PDF readers, and business applications [CE]
- ☐ Router and network equipment firmware is current [CE]
- ☐ We have a process for applying critical and high-severity security patches within 14 days of release [CE]
- ☐ Mobile devices used for work are on current, supported OS versions
- ☐ We know when each piece of software in use reaches end of life and have a plan for it
4. Network and Firewall
- ☐ We have a properly configured boundary firewall [CE]
- ☐ Remote administration is disabled on the router unless specifically required
- ☐ Wi-Fi uses WPA3, or WPA2 with AES/CCMP; WEP and TKIP are not in use anywhere [CE adjacent]
- ☐ A separate guest Wi-Fi network exists for visitors and non-business devices
- ☐ RDP is not exposed directly to the internet; remote desktop access goes through a VPN or a remote-access gateway that enforces MFA, and Network Level Authentication is enabled on the hosts themselves
- ☐ We use DNS filtering to block connections to known-malicious domains
- ☐ IoT and operational technology devices are on a separate network segment where present
5. Email Security
- ☐ SPF is published for our domain, lists every service that sends mail as us, and ends in -all (or ~all), never +all
- ☐ DKIM signing is configured for every service that sends mail as our domain, including third-party platforms (invoicing, marketing, helpdesk)
- ☐ DMARC is published with p=quarantine or p=reject (at minimum p=quarantine with pct=100), and aggregate reports (rua=) go to a mailbox someone actually reviews
- ☐ Email platform anti-phishing and anti-spoofing policies are configured (not just default settings)
- ☐ Mailbox forwarding rules are reviewed periodically for unauthorised rules
- ☐ Staff have been trained on phishing recognition in the last 12 months
- ☐ We have run a simulated phishing exercise in the last 12 months
6. Devices and Endpoints
- ☐ All devices used for work have endpoint security software installed and active [CE]
- ☐ Full-disk encryption is enabled on all laptops (BitLocker / FileVault), and recovery keys are escrowed centrally rather than kept on the device
- ☐ Mobile devices used for work have screen lock, encryption, and remote wipe enabled
- ☐ Personal devices used for work meet a documented minimum security standard (BYOD policy)
- ☐ We have a process for remotely wiping lost or stolen devices
7. User Access Control
- ☐ Staff have the minimum access necessary for their role (least privilege) [CE]
- ☐ Standard user accounts are used for day-to-day work — admin accounts are separate [CE]
- ☐ We have a joiners / movers / leavers process that keeps access current
- ☐ Leavers have all accounts disabled on or before their last day
- ☐ We have an inventory of all accounts and what access they have
8. Physical Security
- ☐ Servers and networking equipment are in a physically secured location
- ☐ Staff habitually lock screens when leaving their desks
- ☐ Auto screen-lock is configured on all computers (maximum 5 minute idle period)
- ☐ We have a visitor sign-in process and visitors are not left unattended near business systems
- ☐ We have a clean desk policy and it is followed
- ☐ Sensitive documents and storage media are securely disposed of (cross-cut shredding / drive wiping)
9. Policies and Governance
- ☐ We have a documented cyber security policy that staff have read and acknowledged
- ☐ We have an acceptable use policy covering devices, email, and internet use
- ☐ Staff know who to contact and what to do if they suspect a security incident
- ☐ We have documented our incident response process
- ☐ We hold Cyber Essentials certification (or have a plan to achieve it)
- ☐ We have cyber liability insurance that is adequate for our risk profile
10. Monitoring and Awareness
- ☐ We have visibility into what is happening on our network and endpoints: logs from endpoints, the identity provider and the email platform are collected and retained, and alerts reach someone who will act on them
- ☐ We receive regular threat intelligence relevant to our sector
- ☐ Staff receive security awareness training at least annually
- ☐ We review our security posture at least annually against current threats
- ☐ We have a process for staying informed about vulnerabilities relevant to our technology stack
What to Do With Your Results
Count your unchecked items. If you have fewer than five, you are in a strong position and the remaining gaps are your focus. If you have between five and twenty, you have meaningful gaps in your fundamentals — prioritise them using the risk-based approach from the previous post: address the gaps that correspond to your most likely threats and most valuable assets first. If you have more than twenty, the fundamentals are not yet in place and the priority is to build from the most critical controls outward: backups, MFA, patching, and access control as the absolute foundation.
This checklist is the end of the fundamentals series — but it's the beginning of the work. Security is not a project that finishes; it is a discipline that becomes embedded in how the organisation operates. The businesses that get this right are not the ones that did a security project three years ago. They are the ones that maintain their controls, review them regularly, and adapt them as the threat landscape evolves.
The goal is not to be impenetrable. The goal is to be resilient — able to detect threats early, respond effectively, and recover quickly. That is achievable for any organisation that takes it seriously.
Further Reading
Where Fundamentals End, Continuous Monitoring Begins
The controls in this checklist are the foundation. Once they're in place, continuous 24/7 monitoring by a named analyst — detecting the threats that bypass your controls, responding before they cause serious damage — is the next level. That is what SOC in a Box provides. From order to live monitoring in five working days, with Cyber Essentials certification included.
Book your scoping call