Most cyber attacks targeting small businesses succeed not because of sophisticated techniques, but because basic protections were absent. The good news is that the most impactful defences are also the most accessible. This checklist covers ten actions that address the majority of real-world threats — none of which require a dedicated IT team to implement.

1. Enable Multi-Factor Authentication on All Accounts

Multi-factor authentication (MFA) requires a second form of verification, typically a code from an authenticator app or a tap on a hardware security key, in addition to a password. If an attacker obtains your password through a breach or phishing, it is no longer enough on its own. Enable MFA on email, cloud storage, accounting software, banking, and any other system that holds sensitive data; most services support it for free. Where you have a choice of method, prefer an authenticator app, a hardware key or passkeys over SMS codes, which can be intercepted through SIM-swap fraud. Tell staff that an MFA prompt they did not trigger means their password is already in someone else's hands: it should be reported, never approved.

2. Use a Password Manager

Reused and weak passwords are among the most common root causes of account compromise: a password leaked from one site is tried against every other service its owner uses. A password manager generates a strong, unique password for every account and stores them in an encrypted vault. You remember one master password; the manager handles everything else. Bitwarden is free and open source; 1Password and Dashlane are popular paid options with strong team management features. Roll one out across your whole business, not just for one or two staff, protect the vault itself with MFA, and make the master password long and used nowhere else.

3. Keep Software and Devices Updated

Software updates fix security vulnerabilities, the flaws in code that attackers exploit to gain access, and a large share of real-world intrusions use vulnerabilities for which a patch has existed for months. Enable automatic updates on all operating systems, browsers, and business applications. Pay particular attention to internet-facing systems, such as your website's content management platform, VPN software, and remote access tools, because attackers scan for unpatched versions of these continuously; Cyber Essentials expects high and critical security updates to be applied within 14 days of release. Retire software that no longer receives updates, since its vulnerabilities will never be fixed. A patch applied today closes a door that attackers would otherwise walk through tomorrow.

4. Back Up Your Data — and Test the Backup

A reliable backup removes an attacker's primary leverage in a ransomware attack and protects against accidental deletion, hardware failure, and theft. Follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored off-site. Make sure at least one copy is offline or cannot be altered from your network (an unplugged drive, or cloud storage with versioning or immutability enabled), because ransomware routinely encrypts or deletes any backup it can reach with the credentials it has stolen. Critically, test your backups regularly. An untested backup is an assumption: schedule a restoration test at least quarterly so you know recovery is possible, that the restored files are complete and readable, and how long it takes.
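
The following is an added example, not code from the original checklist, showing one piece of a restore test: recording a checksum manifest of the live data when the backup is taken and checking the restored copy against it. Everything here is constructed (the files, the "backup job", and the two silent failures it plants) and runs in a temporary directory, so it can be tried offline; in practice the manifest is kept with the backup and the comparison is run against data restored from the actual backup medium.

```python
"""Added example: check that a backup copy still holds what the live data held.

Illustrative code, not part of the original checklist. It builds a small
constructed 'live' data set and a 'backup' copy in temporary directories, records
a SHA-256 manifest of the live data, then checks the backup against it. One file
in the backup is deliberately truncated and one never copied, so the check has
something to catch.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare a backup tree against a manifest taken from the live data.

    Returns the relative paths that are missing from the backup, differ in
    content, or exist in the backup without appearing in the manifest.
    """
    backup = build_manifest(backup_root)
    missing = [p for p in manifest if p not in backup]
    corrupted = [p for p in manifest if p in backup and backup[p] != manifest[p]]
    unexpected = [p for p in backup if p not in manifest]
    return {"missing": missing, "corrupted": corrupted, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a backup job that silently lost and damaged files."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger-2024.csv").write_text("date,amount\n2024-01-05,120.00\n")
        (live / "invoices.txt").write_text("INV-001 paid\nINV-002 outstanding\n")
        (live / "staff.txt").write_text("alice,bob,carol\n")

        manifest = build_manifest(live)   # recorded when the backup is taken
        shutil.copytree(live, backup)     # stands in for the real backup job

        # Simulated silent failures: one file truncated, one never copied.
        (backup / "invoices.txt").write_text("INV-001 paid\n")
        (backup / "staff.txt").unlink()

        return verify_backup(manifest, backup)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

A backup tool's own "job completed" message is not the same as this check: the job above would have reported success, and only the comparison against the manifest shows that one file is missing and another has lost its second line.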

5. Train Your Staff — Even Once a Year Makes a Difference

The majority of successful attacks involve a human element: a phishing email clicked, a password reused, a USB drive picked up and plugged in. Security awareness training does not need to be extensive to be effective. An annual session covering how to recognise phishing, safe password habits, how to report suspicious activity, and data handling basics significantly reduces the probability of a costly mistake. Make reporting quick and blame-free: a member of staff who clicked a link and says so within minutes has given you the chance to contain the incident, whereas one who stays quiet for fear of blame has not. Consider supplementing with simulated phishing tests to measure and reinforce learning.

6. Use Email Filtering and Treat Unexpected Messages with Suspicion

Email is the primary delivery mechanism for phishing, malware, and business email compromise. A good email security solution, and most business email platforms include basic filtering, catches a large proportion of malicious messages before they reach an inbox. Supplement the technology with process: verify any unexpected payment request, change of supplier bank details, or request involving sensitive data by phone, using a number you already hold rather than one given in the email, even when the message appears to come from a known contact. Attackers routinely impersonate suppliers, executives, and HMRC, either by forging your own domain or by registering one that differs from it by a single character. Publish SPF, DKIM and DMARC records for your domain so that receiving mail servers can reject messages that forge your address and your customers and suppliers are not the ones deceived in your name.
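
As an added example that is not part of the original checklist, the script below applies the header checks behind the advice above to four constructed messages: a lookalike-domain payment request, a forged message from the business's own domain that failed DMARC at the receiving server, and two genuine messages for comparison. The domain `example.co.uk`, the executive names and the `Authentication-Results` lines are all assumptions made for the example; a real filter would use the business's own domain and staff list.

```python
"""Added example: flag the header patterns behind most business email compromise.

Illustrative code, not from the original checklist. The messages below are
constructed samples; 'example.co.uk' stands in for the business's own domain and
EXECUTIVES for the names worth impersonating. The checks are simple header
heuristics of the kind a mail filter applies before a person sees the message.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

OUR_DOMAIN = "example.co.uk"                      # assumption: the business's domain
EXECUTIVES = {"jane smith", "managing director"}  # assumption: names worth impersonating


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(candidate: str, ours: str) -> bool:
    """True when candidate is one edit (substitution, insertion, deletion) from ours."""
    if candidate == ours or abs(len(candidate) - len(ours)) > 1:
        return False
    if len(candidate) == len(ours):
        return sum(a != b for a, b in zip(candidate, ours)) == 1
    longer, shorter = (candidate, ours) if len(candidate) > len(ours) else (ours, candidate)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def suspicious_headers(msg: Message) -> list[str]:
    """Return human-readable reasons this message deserves a second look."""
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display-name spoofing: a senior name on an address outside our domain.
    if from_name.strip().lower() in EXECUTIVES and from_domain != OUR_DOMAIN:
        reasons.append(f"display name '{from_name}' but sender domain is {from_domain}")

    # 2. Lookalike domain: close to ours but not ours (one character changed).
    if from_domain != OUR_DOMAIN and is_lookalike(from_domain, OUR_DOMAIN):
        reasons.append(f"sender domain {from_domain} resembles {OUR_DOMAIN}")

    # 3. Reply-To pointing somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append(f"replies go to {domain_of(reply_addr)}, not {from_domain}")

    # 4. Our own mail server already recorded that the sender failed DMARC.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        reasons.append("DMARC failed at our mail server")
    return reasons


# Constructed sample messages (headers only matter here; bodies are filler).
SAMPLES = {
    "lookalike_payment_request": (
        "From: Jane Smith <jane.smith@examp1e.co.uk>\n"
        "Reply-To: jane.smith.ceo@freemail-example.com\n"
        "To: accounts@example.co.uk\n"
        "Authentication-Results: mx.example.co.uk; spf=pass; dkim=none; dmarc=none\n"
        "Subject: Urgent supplier payment today\n\n"
        "Please process the attached invoice before 3pm.\n"
    ),
    "spoofed_own_domain": (
        "From: Jane Smith <jane.smith@example.co.uk>\n"
        "Reply-To: payments@freemail-example.com\n"
        "To: accounts@example.co.uk\n"
        "Authentication-Results: mx.example.co.uk; spf=fail; dkim=none; dmarc=fail\n"
        "Subject: Change of bank details\n\n"
        "Our account details have changed, see attached.\n"
    ),
    "genuine_internal": (
        "From: Jane Smith <jane.smith@example.co.uk>\n"
        "To: accounts@example.co.uk\n"
        "Authentication-Results: mx.example.co.uk; spf=pass; dkim=pass; dmarc=pass\n"
        "Subject: Q3 figures\n\n"
        "Figures attached for review.\n"
    ),
    "genuine_supplier": (
        "From: Sales <sales@acme-stationery.example>\n"
        "To: office@example.co.uk\n"
        "Authentication-Results: mx.example.co.uk; spf=pass; dkim=pass; dmarc=pass\n"
        "Subject: Order confirmation\n\n"
        "Thanks for your order.\n"
    ),
}


def triage(raw: str) -> list[str]:
    return suspicious_headers(message_from_string(raw))


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        flags = triage(raw)
        print(f"{label}: {'HOLD: ' + '; '.join(flags) if flags else 'no header flags'}")
```

Two points the samples make: the lookalike domain passes SPF because the attacker controls it, so sender authentication alone does not catch it and the display-name and Reply-To checks have to; and the forged message from the business's own domain is only caught as `dmarc=fail` because the domain publishes a DMARC record, which is why the paragraph above asks you to publish one.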

7. Limit Who Has Access to What

Not every member of staff needs access to every system and every file. Implementing the principle of least privilege, giving each person only the access their role requires, means that a compromised account causes limited rather than total damage. Review access rights whenever someone joins, changes role or leaves, and on a fixed schedule in between, since permissions accumulate and are rarely removed by accident. Remove access promptly when staff leave or change roles, including accounts held by contractors and suppliers. Use individual named accounts rather than shared logins, so that activity can be traced to a person and access revoked without affecting others. Keep administrator rights on a separate account used only for administration: email and web browsing should never happen from an account that can install software or change settings for everyone.
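
The following is an added example, not code from the original checklist, of the reconciliation an access review boils down to: a constructed HR roster, a constructed export of accounts with the systems each can reach, and a constructed per-role baseline of what each role should have. The script reports leavers whose accounts are still enabled, accounts HR does not recognise, access beyond the role baseline, shared logins that cannot be tied to a person, and accounts nobody has used for a quarter. The 90-day staleness threshold and the review date are assumptions made for the example.

```python
"""Added example: a joiners/movers/leavers reconciliation for an access review.

Illustrative code, not from the original checklist. The HR roster, the account
export and the per-role access baseline are all constructed; real exports will
look different, but the questions are the ones a quarterly access review exists
to answer.
"""
from datetime import date

REVIEW_DATE = date(2024, 10, 1)   # constructed review date
STALE_DAYS = 90                   # assumption: unused for a quarter counts as stale

# Constructed HR roster: person -> (role, employment status).
HR = {
    "alice": ("finance", "active"),
    "bob": ("sales", "active"),
    "carol": ("finance", "left"),
    "dan": ("director", "active"),
}

# Constructed baseline: which systems each role should be able to reach.
ROLE_BASELINE = {
    "finance": {"email", "accounting", "shared-drive"},
    "sales": {"email", "crm", "shared-drive"},
    "director": {"email", "accounting", "crm", "shared-drive"},
}

# Constructed account export: username -> (owner or None if shared, systems, last login).
ACCOUNTS = {
    "alice": ("alice", {"email", "accounting", "shared-drive"}, date(2024, 9, 30)),
    "bob": ("bob", {"email", "crm", "shared-drive", "accounting"}, date(2024, 9, 29)),
    "carol": ("carol", {"email", "accounting", "shared-drive"}, date(2024, 6, 12)),
    "dan": ("dan", {"email", "accounting", "crm", "shared-drive"}, date(2024, 9, 30)),
    "reception": (None, {"email", "shared-drive"}, date(2024, 9, 30)),
    "old-contractor": ("erin", {"shared-drive"}, date(2024, 3, 1)),
}


def access_review(hr, baseline, accounts, today=REVIEW_DATE, stale_days=STALE_DAYS):
    """Return the findings an access review should surface, keyed by category."""
    findings = {
        "leavers_still_enabled": [],
        "unknown_to_hr": [],
        "excess_access": {},
        "shared_logins": [],
        "stale": [],
    }
    for username, (owner, systems, last_login) in accounts.items():
        if owner is None:
            findings["shared_logins"].append(username)    # cannot be audited per person
        elif owner not in hr:
            findings["unknown_to_hr"].append(username)    # nobody in HR owns this account
        else:
            role, status = hr[owner]
            if status == "left":
                findings["leavers_still_enabled"].append(username)
            extra = systems - baseline.get(role, set())   # more than the role needs
            if extra:
                findings["excess_access"][username] = sorted(extra)
        if (today - last_login).days > stale_days:
            findings["stale"].append(username)            # unused: disable, then delete
    return findings


if __name__ == "__main__":
    for category, items in access_review(HR, ROLE_BASELINE, ACCOUNTS).items():
        print(f"{category}: {items or 'none'}")
```

In the constructed data, the leaver and the contractor account are also the stale ones, which is typical: an account nobody has used for months is usually an account nobody remembers, and it is exactly the kind attackers look for because no one notices when it starts logging in again.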

8. Have an Incident Response Plan — Even a Simple One

When a security incident occurs, the decisions made in the first hour often determine whether it becomes a minor disruption or a serious breach. A simple incident response plan does not need to be lengthy. It should cover: who is responsible for managing a security incident; who to call (IT provider, legal, insurer, and your bank if money has moved); when to notify the ICO (a personal data breach must be reported within 72 hours of becoming aware of it, unless it is unlikely to put the people affected at risk, so record the time you first noticed); how to preserve evidence; and how to contain affected systems. As a rule, disconnect a compromised machine from the network rather than powering it off, because switching it off destroys evidence held in memory that an investigator may need. Keep a printed copy of the plan with out-of-band contact details, since a plan that only lives on the systems that have just been encrypted is no plan at all. Writing this down before an incident means the right actions happen quickly under pressure.

9. Apply for Cyber Essentials Certification

Cyber Essentials is a UK government-backed certification scheme covering five foundational security controls: firewalls, secure configuration, security update management, user access control, and malware protection. Achieving it demonstrates a basic but meaningful security posture, and it is required for suppliers bidding on certain UK government contracts, particularly those involving personal data or ICT services. The self-assessed Cyber Essentials certification is priced by organisation size and typically costs around £300–£500 plus VAT for a small business; the certificate is valid for twelve months. Cyber Essentials Plus adds an independent technical audit of the same controls, costs more, and carries greater credibility. Both are a worthwhile investment, and working through the self-assessment questionnaire is itself a useful inventory of your gaps.

10. Work with a Professional — a One-Off Review Is More Affordable Than You Think

Cyber security professionals are not only for large organisations. A one-off security review or risk assessment from a reputable provider gives you an objective view of where your business is exposed and what to prioritise. Many small businesses discover that their actual risk profile is quite different from what they assumed — and that targeted improvements are more cost-effective than broad, unfocused spending. A professional can also help you navigate insurance requirements, compliance obligations, and certification programmes.

Cyber security does not need to be overwhelming. These ten steps address the most common attack vectors and are within reach of any business, regardless of size or technical knowledge. The cost of implementing them is a fraction of the cost of recovering from a breach.

DreamThieves offers a free initial consultation for UK small businesses — no obligation, no jargon, just a practical conversation about your current security and what would make the biggest difference. Book at www.dreamthieves.uk.
DreamThieves Team

A specialist from the DreamThieves cyber security team.