May 2026

The $0 Cybersecurity Checklist Every Small Business Should Follow

The most dangerous belief in small business cybersecurity is that meaningful protection requires an enterprise budget. It doesn't. Most successful attacks against small businesses exploit basic, preventable weaknesses: a reused password with no second factor, a system missing a patch that has been available for months, a backup the attacker could reach and encrypt. Closing those gaps costs little or nothing. This checklist covers the foundational controls that shut down the most common attack paths.

Identity and Access

  • Enable multi-factor authentication (MFA) on everything. Email accounts, especially, because a mailbox is where the password resets for every other service land. Microsoft 365 and Google Workspace both include MFA at no extra cost. A stolen password alone is not enough to sign in to an account protected by MFA, which stops the bulk of account takeover attempts. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or redirected through SIM swapping, and be aware that attackers do try to phish one-time codes and to send repeated push prompts until someone approves one.
  • Use a password manager. Reused passwords across services mean one breach compromises many accounts. A password manager (1Password, Bitwarden) makes unique, strong passwords practical for your entire team, and because it matches credentials to the site's domain it won't autofill them into a look-alike phishing page. Bitwarden has a free tier for individuals and low-cost team plans. The manager's own master password must be long, unique and protected by MFA, since it now guards everything else.
  • Audit who has admin access. List every account with administrator privileges across your systems: Microsoft 365 or Google Workspace admins, local administrators on laptops, the admin login on your router and firewall, and owner roles in your accounting and payroll software. Remove access for anyone who doesn't need it, and give staff who do need it a separate admin account used only for administrative work, not for email and browsing. Former employees are a common and overlooked risk: their accounts should be disabled the day they leave, and any shared passwords they knew should be changed.
  • Apply the principle of least privilege. Users should have access only to what they need to do their jobs. Limiting scope limits the blast radius of a compromised account.

Devices and Software

  • Keep everything patched and updated. Enable automatic updates on operating systems and software where possible, and don't forget the devices nobody logs into day to day: routers, firewalls, VPN appliances, network storage and printers. Most successful attacks exploit known vulnerabilities for which patches already exist. This is non-negotiable.
  • Enable disk encryption. Windows (BitLocker) and macOS (FileVault) both include full-disk encryption at no cost. If a laptop is lost or stolen, an encrypted drive is unreadable without the key. Turn this on, and make sure the recovery key is stored somewhere you control (your Microsoft account or Entra ID tenant for BitLocker, your Apple account or device management tool for FileVault, or printed and locked away), because a forgotten password with no recovery key means the data is gone for good. Encryption protects a powered-off or locked device; it does nothing against malware running while the user is signed in.
  • Use endpoint protection. Microsoft Defender Antivirus (built into Windows, formerly Windows Defender) is significantly better than it used to be and is free; confirm it is actually running, since installing a third-party antivirus turns it off. For businesses with compliance requirements or higher risk profiles, commercial EDR solutions add detection and response capability beyond what signature-based antivirus offers.
  • Don't use personal devices for work without a policy. Personal devices accessing business systems are a significant risk vector because you can't see whether they are patched, encrypted or already infected. If you allow BYOD (bring your own device), set minimum requirements: current operating system updates, a screen lock, disk encryption, and MFA on every work account used from the device.

Backups

  • Follow the 3-2-1 rule. Three copies of your data, on two different media types, with one copy off-site. For most small businesses this means a working copy, a cloud backup, and an immutable or offline backup that ransomware can't reach and encrypt. File sync services such as OneDrive or Dropbox are not a backup on their own: a deleted or encrypted file syncs everywhere within seconds, although their version history can help with recovery.
  • Test your backups. A backup you've never tested is a backup you don't have. At least twice a year, restore a sample of files (and ideally one whole system) to confirm the backups are complete and readable, and time the restore so you know how long recovery would really take.
  • Isolate backup systems. Ransomware actively searches for and encrypts or deletes backup destinations it can reach over the network, and attackers who gain admin credentials will also try to log in to the backup console and wipe it. Ensure at least one backup copy is not accessible from your primary environment, and give the backup software its own credentials with MFA rather than a shared domain admin login.
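As an added example, not from the original article, the Python script below shows one concrete way to make a restore test objective rather than "the files seem to be there": record a SHA-256 manifest of the data at backup time, then compare the restored copy against it and report anything missing, altered or unexpected. The file names, contents and the simulated restore faults are constructed for the demonstration.

```python
"""Verify a restore against a hash manifest recorded at backup time."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files never load whole into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256.

    Store this alongside the backup: it gives the restore test something to be
    checked against, which a backup tool's own "success" message is not.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest: files missing, files whose
    contents differ, and files present that were never in the backup."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files are backed up, then the restore loses
    one file and truncates another, the kind of fault only a real test catches."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        restored = Path(tmp, "restored")
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("date,amount\n2026-05-01,100\n")
        (source / "contracts.txt").write_text("signed copy")
        (source / "notes.md").write_text("# notes")
        manifest = build_manifest(source)                   # taken at backup time
        shutil.copytree(source, restored)                   # stands in for the restore
        (restored / "notes.md").unlink()                    # simulate a lost file
        (restored / "contracts.txt").write_text("signed")   # simulate truncation
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or 'none'}")
```

In a real test, run `build_manifest` against the live data before the backup job, keep the manifest with the off-site copy, and run `verify_restore` against the directory the backup software restored into. An empty `missing` and `changed` list is the evidence that the backup is actually restorable.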

Email Security

  • Enable spam and phishing filtering. Microsoft 365 and Google Workspace both include meaningful phishing protection. Make sure it's enabled and configured. Consider additional filtering for higher-risk environments.
  • Configure SPF, DKIM, and DMARC. These are DNS TXT records that let receiving mail servers check which systems are allowed to send as your domain (SPF), verify a cryptographic signature on each message (DKIM), and apply your policy to mail that fails both checks (DMARC). They don't stop an attacker from attempting to spoof your domain, but with DMARC set to p=reject the forged message is discarded before it reaches the recipient's inbox. Publishing the records costs nothing; your IT provider or domain registrar can help with the configuration. Start DMARC at p=none to collect reports, confirm every legitimate sender (including newsletter, invoicing and ticketing services) passes, then move to quarantine and finally reject.
  • Train your team to recognize phishing. Phishing remains the top initial access vector for attacks against small businesses. Regular, brief training, even just reviewing real-world examples together, meaningfully reduces susceptibility. Make reporting easy and blame-free: the employee who clicked and told you within minutes is your best detection.
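As an added example, not part of the original checklist, the Python script below inspects the three record types for the settings that leave a domain spoofable: an SPF record ending in +all or ?all, or needing more than the ten DNS lookups RFC 7208 allows; a DKIM selector with an empty key or the t=y testing flag; and a DMARC record stuck at p=none, applied to only a fraction of mail, or requesting no reports. The sample records are constructed for a hypothetical Microsoft 365 tenant at example.com (the include: host is Microsoft's published SPF include) and the DKIM public key is a placeholder. The script takes record text as input so it runs offline; for your own domain you would paste in the TXT records returned by a DNS lookup of the domain, `<selector>._domainkey.<domain>` and `_dmarc.<domain>`.

```python
"""Flag weak SPF, DKIM and DMARC settings in DNS TXT record text."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    record: str    # "SPF", "DKIM" or "DMARC"
    severity: str  # "high", "medium" or "ok"
    message: str


def _tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' DKIM or DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _costs_lookup(term: str) -> bool:
    """True for SPF terms that trigger a DNS lookup; RFC 7208 caps these at 10."""
    name = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
    return name in {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(spf: str | None) -> list[Finding]:
    if not spf:
        return [Finding("SPF", "high", "no SPF record: any host may send as this domain")]
    terms = spf.split()
    if terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "record does not start with v=spf1; receivers ignore it")]
    findings = []
    # The qualifier on 'all' decides the fate of mail from hosts not listed before it.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "medium", "no 'all' term; unlisted senders get a neutral result"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        verdicts = {
            "+": ("high", "'+all' authorises every host on the internet"),
            "?": ("medium", "'?all' is neutral; spoofed mail is not penalised"),
            "~": ("ok", "'~all' softfails; move to '-all' once every sender is listed"),
            "-": ("ok", "'-all' rejects unlisted senders"),
        }
        findings.append(Finding("SPF", *verdicts[qualifier]))
    lookups = sum(_costs_lookup(t.lower().lstrip("+-~?")) for t in terms[1:])
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} DNS lookups; over 10, receivers return permerror"))
    return findings


def check_dkim(dkim: str | None) -> list[Finding]:
    if not dkim:
        return [Finding("DKIM", "high", "no key at the selector; receivers cannot verify signatures")]
    tags = _tags(dkim)
    if not tags.get("p"):
        return [Finding("DKIM", "high", "empty p= tag means the key is revoked; signatures will fail")]
    if "y" in tags.get("t", "").split(":"):
        return [Finding("DKIM", "medium", "t=y testing flag set; receivers treat signatures as unverified")]
    return [Finding("DKIM", "ok", "selector publishes a signing key")]


def check_dmarc(dmarc: str | None) -> list[Finding]:
    if not dmarc:
        return [Finding("DMARC", "high", "no DMARC record: receivers apply no policy to SPF/DKIM failures")]
    tags = _tags(dmarc)
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "high", "record does not start with v=DMARC1; receivers ignore it")]
    policies = {
        "none": ("medium", "p=none only monitors; spoofed mail is still delivered"),
        "quarantine": ("ok", "p=quarantine sends failures to spam; move to p=reject when reports are clean"),
        "reject": ("ok", "p=reject discards spoofed mail"),
    }
    policy = tags.get("p", "").lower()
    if policy not in policies:
        return [Finding("DMARC", "high", f"missing or invalid p= tag ({policy!r}); record is ignored")]
    findings = [Finding("DMARC", *policies[policy])]
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append(Finding("DMARC", "high", f"invalid pct={tags['pct']!r}"))
    elif pct < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct}: policy applies to only part of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "medium", "no rua= address; you get no reports of who is spoofing the domain"))
    return findings


def evaluate(records: dict[str, str | None]) -> list[Finding]:
    """Run all three checks; keys are 'spf', 'dkim' and 'dmarc'."""
    return check_spf(records.get("spf")) + check_dkim(records.get("dkim")) + check_dmarc(records.get("dmarc"))


# Constructed sample records for a hypothetical Microsoft 365 tenant at example.com.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ?all",
    "dkim": "v=DKIM1; k=rsa; p=",             # key revoked, so nothing is signed
    "dmarc": "v=DMARC1; p=none; pct=50",       # monitor only, no reports requested
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 40,   # placeholder, not a real key
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for f in evaluate(records):
            print(f"  [{f.severity:^6}] {f.record}: {f.message}")
```

Every record in the weak set comes back flagged; the hardened set is the target state. The script does not fetch DNS itself, and it does not replace the monitoring period described above: go to p=reject only after the aggregate reports show all legitimate senders passing.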

Incident Preparedness

  • Know who to call. Have a short list of contacts ready before something happens: your IT provider, your cyber insurance carrier's incident response line, and (if applicable) legal counsel familiar with data breach notification requirements. Keep the list somewhere other than your email and file server, since those may be exactly what is compromised or encrypted.
  • Document your critical systems. A simple inventory of your key systems, accounts, and recovery procedures dramatically speeds up response after an incident.

Start Today

You don't need to implement everything on this list simultaneously. Pick the items you haven't done yet and rank them by how quickly and cheaply you can get them done. MFA and patching should be first — they have the highest impact per hour of effort.

If you'd like an honest assessment of where your business currently stands against this checklist — and what your real risk exposure looks like — a cybersecurity assessment is a practical starting point.

Ready to take the next step?

Have questions about what you read, or want to explore how this applies to your business? We'd love to hear from you.