Basic Cybersecurity Checklist for SMBs: The Minimum You Need
A downloadable checklist of essential security controls every SMB should have in place. No jargon, just concrete actions you can implement this quarter.
Most SMBs do not need bank-grade security. But they do need basic controls that protect them from 90% of the attacks that actually happen in the region. The good news: most are free or very low cost. The bad news: if they are not in place, you are an easy target.
This is the checklist we deliver at the end of our initial audits for SMBs. If your company has all of these covered, you are better off than most. If you are missing more than 5, there is work to do.
Identities and access
- ☐ All admin accounts use unique, strong passwords (minimum 16 characters).
- ☐ Multi-factor authentication (MFA) active on every privileged account.
- ☐ MFA active on the corporate email of every employee, not only leadership.
- ☐ There is a documented process to revoke access when someone leaves the company.
- ☐ Former employee accounts are deleted within 24 hours of their departure.
- ☐ Nobody shares admin accounts — each person has their own.
- ☐ There is a corporate password manager and everyone uses it.
Endpoints and devices
- ☐ Modern antivirus or EDR installed on every device in the company.
- ☐ Disk encryption enabled on laptops (BitLocker on Windows, FileVault on Mac).
- ☐ Automatic screen lock configured after 5–10 minutes.
- ☐ Clear policy on personal devices: if used for work, which controls apply.
- ☐ Automatic operating system updates enabled.
Email
- ☐ DKIM, SPF and DMARC correctly configured on your domain.
- ☐ Anti-phishing and anti-spam filter active on the email provider.
- ☐ Staff know who to report suspicious emails to and they do it.
- ☐ Clear procedure to verify unusual requests (transfers, credential changes) outside email.
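As an added example, not part of the original checklist, the script below shows what "correctly configured" means in practice for the SPF and DMARC items: it reads the TXT records a domain publishes and flags the weak settings an audit would call out (no record, a permissive SPF "all" qualifier, a monitor-only DMARC policy, no aggregate-report address). The records and the domain example-smb.test are constructed; DKIM is not checked because that needs the selector name, which only the mail administrator knows.

```python
# Constructed sample TXT records for a fictitious domain (not real DNS data).
# A real audit would fetch the TXT records of <domain> and of _dmarc.<domain>.
SAMPLE_RECORDS = {
    "example-smb.test": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example-smb.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-smb.test"],
}

def check_spf(txt_records: list[str]) -> list[str]:
    """Return findings for the SPF record(s) published on the domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; any server may send mail as this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: several v=spf1 records; receivers treat this as a permanent error")
    mechanisms = spf[0].split()[1:]
    terminal = mechanisms[-1].lower() if mechanisms else ""   # the final 'all' qualifier decides
    if terminal == "~all":
        findings.append("SPF: soft fail (~all); switch to -all once every legitimate sender is listed")
    elif terminal in ("+all", "all", "?all"):
        findings.append(f"SPF: '{terminal}' authorises every sender; the record is ineffective")
    elif terminal != "-all":
        findings.append("SPF: record does not end with an 'all' mechanism")
    return findings

def check_dmarc(txt_records: list[str]) -> list[str]:
    """Return findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc; spoofed mail is not policed"]
    findings = []
    # Tags are 'key=value' pairs separated by semicolons, e.g. "p=reject".
    tags = {k.strip().lower(): v.strip() for k, v in (t.split("=", 1) for t in dmarc[0].split(";") if "=" in t)}
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine or p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings

def audit_domain(domain: str, records: dict[str, list[str]]) -> list[str]:
    """Combine SPF and DMARC findings for one domain; an empty list means both items pass."""
    return check_spf(records.get(domain, [])) + check_dmarc(records.get(f"_dmarc.{domain}", []))

if __name__ == "__main__":
    for finding in audit_domain("example-smb.test", SAMPLE_RECORDS):
        print(finding)
```

Run it against your own domain by replacing the sample dictionary with the TXT records returned by your DNS resolver.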
Backups and continuity
- ☐ Automatic backups of critical systems exist.
- ☐ Backups are stored outside the primary environment (not on the same server).
- ☐ A successful restore has been tested in the last 3 months.
- ☐ There is a clear inventory of which data is critical and where it lives.
- ☐ There is a documented plan for what to do if everything is lost overnight.
Network and connectivity
- ☐ The Wi-Fi network uses WPA3 encryption or at least WPA2 with a strong password.
- ☐ There is a separate guest network with no access to internal resources.
- ☐ Administrative access to critical equipment only from the internal network or VPN.
- ☐ No services exposed to the internet unnecessarily (open RDP, admin panels).
- ☐ Router firewall configured and reviewed periodically.
Applications and software
- ☐ There is an inventory of software installed on each device.
- ☐ Critical patches are applied within 30 days of release.
- ☐ No pirated software or software from unverified sources.
- ☐ Your own web applications use correctly configured HTTPS.
- ☐ The website has uptime monitoring in place.
People and procedures
- ☐ Basic security training on onboarding and at least annually.
- ☐ There is a written policy on acceptable use of technology — and staff know it.
- ☐ There is a clear owner of security — even if part-time.
- ☐ At least one phishing simulation has been run in the last year.
- ☐ There is a clear channel to report suspicious security incidents.
Documentation and governance
- ☐ There is an up-to-date asset inventory of technology.
- ☐ There is a basic map of the network and critical systems.
- ☐ Admin passwords are documented in a secure password manager.
- ☐ There is a response plan (even a single page) for when something happens.
How to use this list
Print the list, walk through it with your IT lead (in-house or external) and check what you already have. Of the items you are missing, identify the 3–5 most critical for your context and start there.
If you are missing more than 10 items, a formal audit is worth it. Not to add more things to the list, but to understand the priority order based on your real exposure level.
The next step
At Cytlas we offer a free assessment that covers exactly this list (and more) in a 90-minute session. At the end you have clarity on where you stand and what to fix first. No obligation.