Cybersecurity Checklist for Small Businesses (2026)

Want This Done For You?

BadgerLayer provides managed cybersecurity services for small businesses in Wisconsin and Chicago. We handle the monitoring, the patches, the training, so you don't have to.

• ✓Use a password manager (Bitwarden, 1Password, or similar) across the organization
• ✓Every account has a unique password. No shared or reused passwords
• ✓Enable multi-factor authentication (MFA) on all email accounts
• ✓Enable MFA on all financial accounts, payroll, and banking
• ✓Enable MFA on remote access tools, VPNs, and cloud services
• ✓Admin accounts use separate credentials from daily-use accounts
• ✓Default passwords changed on all routers, switches, and network devices

MFA alone blocks over 99% of automated account compromise attacks. It's the single highest-impact item on this list.

• ✓Critical business data backed up daily (automated, not manual)
• ✓Backups stored offsite or in cloud storage (not just on the same machine)
• ✓Backup restoration tested at least once per quarter. A backup you've never restored is untested
• ✓At least one backup copy is kept offline or air-gapped. Ransomware can't encrypt what it can't reach
• ✓Backup retention policy defined: how long are backups kept?
• ✓Employee files and cloud data (Microsoft 365, Google Workspace) included in backup scope

60% of small businesses that experience significant data loss close within 6 months. Backups are cheap. Recovery without them is not.

• ✓All employees trained to recognize phishing emails before they start
• ✓Security training refreshed at least annually. Threats change
• ✓Employees know exactly who to contact when they spot something suspicious
• ✓A clear policy exists: never wire money or share credentials based on email alone
• ✓Phishing simulation run at least once per year to test real-world awareness
• ✓Remote and hybrid workers included in all training, not just in-office staff

Phishing causes the majority of small business breaches. Training costs almost nothing compared to what a successful phish costs.

• ✓Business Wi-Fi and guest Wi-Fi are on separate networks. Never share them
• ✓Wi-Fi uses WPA3 or WPA2 encryption. WEP is completely insecure
• ✓Firewall enabled and configured on the perimeter router
• ✓Remote Desktop Protocol (RDP) not exposed directly to the internet
• ✓VPN required for remote employees accessing internal systems
• ✓Network devices (routers, switches, access points) on current firmware
• ✓Unused network ports disabled on managed switches

• ✓Antivirus or EDR (endpoint detection and response) installed on every device
• ✓All company devices enrolled in centralized management (MDM/RMM)
• ✓Automatic screen lock enabled after 5–10 minutes of inactivity on all devices
• ✓Full disk encryption enabled (BitLocker on Windows, FileVault on Mac)
• ✓Personal devices accessing company data subject to a bring-your-own-device (BYOD) policy
• ✓Terminated employees' device access revoked immediately upon departure

• ✓Operating system updates applied within 30 days of release, ideally automated
• ✓Third-party software (browsers, Office, Adobe, etc.) kept current
• ✓No unsupported software in use. Windows 10 reached end of life in October 2025
• ✓Software inventory maintained. You can't patch what you don't know exists
• ✓Unused software and browser extensions removed
• ✓Firmware on routers, printers, and network devices updated regularly

Unpatched software is consistently one of the top attack vectors. Most ransomware exploits vulnerabilities that had patches available months before the attack.

• ✓Principle of least privilege applied: employees only access what they need
• ✓Administrator privileges not used for day-to-day tasks
• ✓Access review conducted when employees change roles or departments
• ✓Offboarding checklist includes immediate revocation of all system access
• ✓Shared accounts eliminated. Every user has their own login
• ✓Vendor and contractor access time-limited and revoked when work is complete

• ✓A basic incident response plan exists and is documented, not just stored in someone's head
• ✓Key contacts identified: IT support, cyber insurance, legal counsel
• ✓Employees know who to call if they suspect a breach or ransomware infection
• ✓Cyber liability insurance policy in place and reviewed annually
• ✓Critical system restore procedures documented and tested
• ✓Wisconsin businesses aware of state data breach notification requirements

An incident response plan doesn't need to be a 50-page document. A one-page reference that answers 'who do we call and what do we do first' is enough to significantly reduce chaos during an actual incident.

Need a Hand With Any of This?

BadgerLayer provides managed cybersecurity services for small businesses in Wisconsin and the Chicago area: monitoring, endpoint protection, training, and more.

What should be on a small business cybersecurity checklist?

At minimum: strong passwords with MFA, automated offsite backups, employee phishing training, network segmentation, endpoint protection on all devices, current software patches, least-privilege access controls, and a basic incident response plan. Work through each category and you'll be significantly better protected than most small businesses.

What are the most important cybersecurity tips for employees?

The most impactful habits: treat unexpected emails with skepticism, use a unique password for every account, enable MFA on everything, lock your screen when you step away, report suspicious emails rather than just deleting them, and never plug in unknown USB drives.

What is the biggest cybersecurity risk for small businesses?

Phishing. The majority of small business breaches start with a deceptive email that tricks an employee into handing over credentials or clicking a malicious link. Employee training and email filtering are the most effective defenses.

How often should a small business review its cybersecurity?

Quarterly at minimum: checking backups, reviewing access, and confirming patches are current. A full vulnerability assessment once a year. Employee security training refreshed annually, with phishing simulations more frequently.

Do small businesses really need managed cybersecurity services?

Not every small business needs a fully managed security provider, but most benefit from one. If you don't have dedicated IT staff monitoring your systems, a managed cybersecurity service provides 24/7 threat detection that would otherwise be impossible to maintain internally.

Want a Free Security Assessment?

BadgerLayer serves small businesses throughout Wisconsin and the Chicago area. We'll review your current setup and tell you exactly where you stand. No sales pressure.