Endpoint & Detection
A plain-English small business cybersecurity checklist — the ten controls most worth doing first, before you spend a dollar on tools you may not need yet.
If you have one week to improve your small business cybersecurity, spend it on the controls that cut real fraud, account takeover, and ransomware risk fast: MFA, tested backups, software updates, admin cleanup, and a written process for suspicious money requests. Skip the shopping trip.
That order beats chasing a tool stack first, and it is not just our opinion. The FTC's small-business cybersecurity guidance and NIST's Cybersecurity Framework 2.0 Small Business Quick-Start Guide push the same idea: understand what the business depends on, protect the essentials, and make security part of routine operations — not a once-a-year project.
Small businesses get hit because they are easier to pressure, easier to spoof, and least likely to have someone watching when something goes wrong.
The tactics that drain a Fortune 500 — phishing, invoice and wire fraud, account takeover, extortion — scale down cleanly to a ten-person shop. The difference is the blast radius: a six-figure loss is a bad quarter for a large company and an extinction event for a small one. That asymmetry is exactly why the FTC and the FBI run small-business-specific programs. This checklist is the operational version of that guidance.
Start with the accounts that hold the keys:
If a criminal gets one of these, they usually do not need malware to hurt you. They reset logins, reroute invoices, or quietly take over a mailbox. A password alone is no longer a control on accounts that can move money or reset other accounts — turn on multi-factor authentication everywhere on that list this week.
Outdated software is still one of the easiest ways into a business — boring advice because it still works.
Make a one-page list:
Then turn on auto-update everywhere you reasonably can, and put a recurring reminder on the few things that cannot update themselves.
A backup you have never tested is a theory, not a control.
At minimum, write down:
If any answer is vague, that is the gap to close this week. This is also the single fastest place to look unprepared to a cyber-insurance underwriter — our breakdown of what controls cyber insurers require in 2026 explains why, and the free Cyber Insurance Readiness Questionnaire scores your backups the way a carrier will.
Too many small businesses run on shared admin accounts, leftover contractor logins, and staff who have more access than their job needs.
This week:
Inventory and role clarity beat security maturity you have not earned yet. This is the cleanest place to apply that.
Most small-business losses do not start with ransomware. They start with someone believing an email.
Urgency, impersonation, and an unusual payment method are the recurring shape of payment fraud. If the person who pays your bills can be rushed, the business is exposed. You want one short, non-negotiable rule:
No payment-change request, bank-detail change, or urgent invoice gets approved from the first email alone. Confirm it on a known phone number, every time.
That one control stops a surprising amount of damage, and it costs nothing.
You do not need a giant annual module to make progress this week. Give the team a five-minute briefing on the patterns that actually land:
When you are ready for the operating version, our guide to a real phishing training program for small business covers what good looks like.
Remote access is convenient, and lazy remote access is dangerous.
This week, find:
If you do not know what is exposed, that is itself the finding — it means the environment needs a cleanup pass before anything else.
Do not assume the business is protected because "we have antivirus." Ask the stricter question:
Is every workstation and every server that matters actually covered, current, and monitored — by someone who will respond?
That last clause is the one that gets skipped, and it is the whole game. It is also why buyers get stuck between labels like EDR, MDR, and XDR. Our EDR vs MDR vs XDR buyer's guide is the next step when you are choosing that layer.
Every business should be able to answer, on demand:
If you do not have a real answer, write a one-page incident note this week. It does not need to be elegant; it needs to exist. For the first-day version, the first 24 hours after a ransomware scare is the practical follow-on.
Cybersecurity dies in shared ownership.
Even in a tiny business, one named person needs to own the checklist, the follow-ups, and the next review date. They do not need to be a full-time security lead — they need the authority to push basic controls through. Security is an operating responsibility, not an annual technical chore.
If this week is already a mess, do these five and stop:
That is not perfect security. It is meaningful risk reduction, and it is achievable in an afternoon.
Do not start by buying the most expensive product you can find. Do not start by writing a sixty-page policy nobody will read. And do not start by assuming your IT contractor, your MSP, or your antivirus vendor already has this handled — unless you have verified it in writing.
The right first week is about clarity and control, not cosmetics.
The best small-business cybersecurity basics are the ones that stop common failures before they get expensive: MFA, updates, tested backups, admin cleanup, payment verification, and a real reporting path for suspicious activity. Do those first, then decide whether you need a more mature detection-and-response layer, a formal compliance program, or outside help. Businesses get into trouble when they reverse that order.
If you would rather not work the list alone:
Obsidian Ridge is a CISSP-led managed cybersecurity practice. We operate the controls above end-to-end, so a small team never has to choose between doing security and doing the actual job.
Last updated
June 10, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Start with MFA on the accounts that can reset everything else, tested backups, software updates, admin-account cleanup, written payment-verification, basic staff awareness, and a one-page plan for the first hour of an incident. Those operational basics reduce a large share of common small-business risk before you buy a single tool.
Yes. Attackers use the same fraud, phishing, and account-takeover tactics against a ten-person company that they use against a large enterprise — and a loss that a big company absorbs can end a small one. The FTC and NIST both publish security guidance written specifically for small businesses for exactly that reason.
Not usually. Most of the highest-leverage first steps are operational, not purchased: turning on MFA, testing a backup restore, cleaning up admin access, and teaching people how to verify a suspicious request. Buy the detection-and-response layer after the basics are in place, not before.
No. Basic malware protection helps, but it does not stop the account takeovers, invoice fraud, and identity-layer attacks that drive most small-business losses. It does not replace MFA, backups, payment verification, or a response plan.
Protect the accounts that matter most with MFA, confirm you can actually restore a backup, tighten who has admin access, write a payment-verification rule, and brief staff on suspicious requests. That is meaningful risk reduction in five moves.
Related reading
MDR, EDR, MSSP, and SOC-as-a-service compared honestly for small business buyers — what each delivers, what each costs, and a five-question decision tree that gets to the right answer.
Read articleField-tested hardening guide for the tax software CPA firms actually use — Lacerte, Drake, CCH Axcess, UltraTax, and ATX — covering account hygiene, MFA, server isolation, audit logging, and the e-file PIN problem.
Read articleA field-tested hardening guide for Dentrix, Eaglesoft, and Open Dental — server isolation, account hygiene, backup strategy, audit logging, and the specific defaults that get practices breached.
Read article