Small Business Data Security Checklist: 10 Things to Fix This Week
Here's a stat that should keep small business owners up at night: 43% of cyberattacks target small businesses, and 60% of those businesses close within six months of being hit. The reason is simple -- most small businesses don't think they're a target, so they don't take basic precautions.
The good news? Most attacks exploit the same basic weaknesses. Fix these 10 things and you'll be ahead of the vast majority of small businesses.
1. Turn On Multi-Factor Authentication (MFA) Everywhere
This is the single most impactful thing you can do. MFA means that even if someone steals a password, they can't log in without the second factor (usually a code from your phone). Enable it on email, banking, cloud storage, your accounting software -- everything that has the option. Use an authenticator app (Google Authenticator, Authy) rather than SMS when possible.
2. Test Your Backups
Having backups isn't enough. You need to verify they actually work by restoring from them periodically. Set a calendar reminder to do a test restore every quarter. If you're using cloud backup, make sure it covers all your critical data -- not just the files you remembered to add when you set it up.
3. Run Security Awareness Training
Phishing is still the number one way attackers get in. Your team needs to know what a phishing email looks like and what to do when they get one. This doesn't have to be expensive -- services like KnowBe4 offer affordable training with simulated phishing tests. Even a 30-minute annual training session makes a measurable difference.
4. Install Endpoint Protection
Every computer and phone that connects to your business data needs antivirus and endpoint protection. Windows Defender is a solid baseline, but business-grade tools like SentinelOne or Malwarebytes for Business add layers of protection against ransomware and zero-day threats. This costs $3-7 per device per month.
5. Segment Your Network
Your guest Wi-Fi should not be on the same network as your business systems. If you have IoT devices (security cameras, smart thermostats), those should be on their own segment too. Most modern routers support VLANs or at least a separate guest network. This limits what an attacker can reach if they get into one device.
6. Review Who Has Access to What
Do a quick audit: who has admin access to your systems? Are there former employees who still have active accounts? Does every employee have access to every file share? Apply the principle of least privilege -- people should only have access to what they need for their job. Remove access the same day someone leaves.
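The audit above is easier to repeat if it is scripted. As an added example (not from the original article), here is a small Python access review run over a constructed account export; the Account fields, the sample users and the 90-day "stale" threshold are assumptions, and a real run would load the export from your identity provider or file server.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Account:
    user: str
    role: str            # "admin" or "user"
    last_login: date     # most recent successful sign-in
    employed: bool       # False once HR has processed the departure
    shares: frozenset    # file shares this account can open

def audit(accounts, today, stale_days=90):
    """Return the four lists an access review should produce."""
    # Every share seen in the export; an account holding all of them is over-provisioned.
    all_shares = set().union(*(a.shares for a in accounts))
    findings = {
        "former_employee_active": [],   # remove the same day someone leaves
        "admins": [],                   # every admin account needs a justification
        "stale": [],                    # unused for stale_days: disable or remove
        "every_share": [],              # broader than any single job needs
    }
    for a in accounts:
        if not a.employed:
            findings["former_employee_active"].append(a.user)
        if a.role == "admin":
            findings["admins"].append(a.user)
        if (today - a.last_login).days > stale_days:
            findings["stale"].append(a.user)
        if len(all_shares) > 1 and a.shares == all_shares:
            findings["every_share"].append(a.user)
    return findings

# Constructed sample export (assumed names and dates, not real data).
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice", "admin", TODAY - timedelta(days=3),   True,  frozenset({"finance", "hr"})),
    Account("bob",   "user",  TODAY - timedelta(days=200), False, frozenset({"sales"})),
    Account("carol", "user",  TODAY - timedelta(days=10),  True,  frozenset({"finance", "hr", "sales"})),
    Account("dave",  "admin", TODAY - timedelta(days=120), True,  frozenset({"finance"})),
]

if __name__ == "__main__":
    for finding, users in audit(ACCOUNTS, TODAY).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

Each list maps to an action from the checklist: disable former employees' accounts immediately, confirm every admin still needs admin, disable stale accounts, and trim share access for anyone who can read everything.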
7. Keep Software Updated
Unpatched software is one of the easiest ways attackers get in. Turn on automatic updates for operating systems, browsers, and business applications. If you have software that can't auto-update, put a monthly reminder on someone's calendar to check for updates manually.
8. Create an Incident Response Plan
If you got hit with ransomware today, would your team know what to do? Write a simple one-page plan that covers: who to call (IT support, your insurance company, legal), what to disconnect (affected machines from the network), and how to communicate (to employees, to customers if needed). Having a plan before you need it saves critical hours during an actual incident.
9. Review Your Vendors' Security
Your business is only as secure as the tools you use. For any cloud service that handles sensitive data (accounting, CRM, file storage), check that they offer MFA, encrypt data at rest, and have a SOC 2 or equivalent certification. If a vendor can't answer basic security questions, that's a red flag.
10. Encrypt Sensitive Communications
If your team shares passwords, financial information, or customer data over email, those messages are vulnerable in transit and at rest. Use encrypted messaging for sensitive information (Signal, Microsoft Teams with encryption enabled), and never send passwords in plain email. Use a password manager like 1Password or Bitwarden to share credentials securely.
What to Do Next
Print this list. Go through it one item at a time. Most of these changes take less than an hour each and cost little or nothing. The ones that require more effort (network segmentation, incident response planning) are worth scheduling for the next month.
You don't need to be perfect. You just need to not be the easiest target on the block.
Related reading: Security is just one part of getting your tech in order. If you're also looking to save time, check out our guide on AI automation for small business. And if you're bringing in outside help for any of this, here's how to choose an IT consultant.
Want a professional security assessment? Contact us -- we'll audit your current setup and give you a prioritized action plan.