
Small business cyber checklist

10 min read | Updated February 2026

The 60-minute security review any business can complete today.

You do not need a security team to assess your basic cyber hygiene. This checklist covers the essentials that every small business should have in place, and you can work through the entire thing in about an hour. It is designed to be practical, honest, and useful regardless of whether you have an IT team of one or twenty.

Be honest as you go through each item. The goal is not to tick every box. It is to identify where your business might be exposed, so you can prioritise the gaps that matter most. A half-completed checklist with genuine answers is worth far more than a perfect score built on assumptions.

Grab the person who manages your technology, whether that is a dedicated IT lead, an office manager who handles the systems, or a director who wears multiple hats. Work through each section together. Write down every item you cannot confidently confirm. That list becomes your starting point for improvement.

Accounts and access (15 minutes)

Identity is the new perimeter. In a world where most business applications live in the cloud, controlling who can log in and what they can access is the single most important security control you have. This section covers the fundamentals of account security that protect your business from the most common attack vectors.

MFA is enabled on Microsoft 365 or Google Workspace

All users, not just admins. No exceptions granted for convenience. If someone can log in without a second factor, that account is a target. Attackers know that most credential theft starts with the accounts that lack MFA, and they will find them before you do.

MFA is enabled on your accounting software

Xero, QuickBooks, Sage, or whichever platform holds your financial data. This is where the money lives, and it is the first place an attacker will look after compromising a credential. Financial fraud through business email compromise is the most costly cyber incident for SMEs in the UK.

You know exactly who has admin access

Can you produce a list, right now, of every person with administrator rights to your systems? If the answer involves checking with someone or searching through settings, that is a gap. Untracked admin accounts are one of the most exploited weaknesses in small business environments.

Former staff accounts are disabled

Check for anyone who has left in the past twelve months. Dormant accounts with active credentials are a common entry point. If an ex-employee can still log into your systems today, you have an open door that nobody is watching.

No shared passwords or logins

There should be no shared login for the office account, the social media accounts, or any other system. Every person should have their own credentials. Shared accounts make it impossible to audit who did what, and they create a single point of compromise that affects everyone.
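The "who has admin access" and "former staff accounts are disabled" items above can be answered from a script rather than from memory. This is an added example, not part of the checklist, written for Microsoft 365 with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, that your account can read directory and sign-in data, and that the tenant has the Entra ID P1 licence that sign-in activity reporting requires. The 90-day dormancy threshold is a constructed value.

```powershell
# Added example (not the checklist author's code): list every member of every
# active Microsoft 365 admin role, then every enabled account that has not
# signed in for 90 days. Read-only; nothing is changed in the tenant.
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All" -NoWelcome

# 1. Admin access: Get-MgDirectoryRole returns the roles activated in the
#    tenant (Global Administrator, Exchange Administrator, ...). Members come
#    back as generic directory objects, so the UPN lives in AdditionalProperties.
$admins = foreach ($role in Get-MgDirectoryRole) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $m.AdditionalProperties['userPrincipalName']
            Type   = $m.AdditionalProperties['@odata.type']   # user, group or servicePrincipal
        }
    }
}
"== Admin role membership =="
$admins | Sort-Object Role, Member | Format-Table -AutoSize

# 2. Dormant accounts: enabled users whose last sign-in is older than the
#    cut-off, or who have never signed in at all (leavers and forgotten
#    service accounts both show up here). Threshold is a constructed value.
$cutoff = (Get-Date).AddDays(-90)
$users = Get-MgUser -All -Filter "accountEnabled eq true" `
    -Property "displayName,userPrincipalName,accountEnabled,signInActivity"
$dormant = $users | Where-Object {
    $last = $_.SignInActivity.LastSignInDateTime
    (-not $last) -or ($last -lt $cutoff)
} | Select-Object DisplayName, UserPrincipalName,
    @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }
"== Enabled accounts with no sign-in since $($cutoff.ToShortDateString()) =="
$dormant | Sort-Object LastSignIn | Format-Table -AutoSize
```

Compare the admin list with what you believed it to be; any name you cannot explain is exactly the gap the checklist item is asking about.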

Email and phishing protection (10 minutes)

Email is the front door for the vast majority of cyber attacks. Phishing, business email compromise, and malware delivery all start in the inbox. These checks cover the technical controls and human processes that reduce your exposure to email-based threats.

Spam and malware filtering is active

At minimum, the built-in filtering from Microsoft or Google should be turned on and properly configured. Better still is a dedicated email security layer that catches the threats native filtering misses. Email remains the primary delivery mechanism for malware, phishing, and business email compromise.

Staff can recognise a phishing attempt

Has your team received any awareness training in the past year? Not a one-off slide deck, but genuine, practical guidance on identifying suspicious emails, links, and requests. The majority of successful attacks begin with a person clicking something they should not have. Training does not eliminate the risk, but it significantly reduces it.

Bank detail changes are verified by phone

If someone emails requesting a change to payment details, whether a supplier, a client, or what appears to be a colleague, do you have a documented process to verify by phone before acting? Invoice redirection fraud costs UK businesses millions each year, and the scams are increasingly convincing.

External email warnings are enabled

Emails arriving from outside your organisation should be flagged with a visible banner. This is a simple configuration change in Microsoft 365 or Google Workspace that gives staff an immediate visual cue when a message did not originate internally. It is one of the easiest security improvements you can make.

“Security is not about perfection. It is about knowing where your gaps are, understanding which ones matter most, and closing them before someone else finds them.”

Devices and updates (15 minutes)

Every device that connects to your business systems is an entry point. Laptops, desktops, phones, and tablets all need to be running current software with active protection. Unpatched, unmanaged, or unknown devices are among the most common ways attackers gain a foothold in small business environments.

All computers run supported operating systems

Windows 10 or 11, macOS Ventura or later. No machines running Windows 7 or 8 should be connected to your network. Unsupported operating systems do not receive security patches, which means every known vulnerability remains permanently exploitable. This is non-negotiable.

Automatic updates are enabled

Windows Update and macOS Software Update should be configured to install automatically. Delaying patches because they are inconvenient is a false economy. The window between a vulnerability being disclosed and attackers exploiting it has shrunk to days. Manual patching simply cannot keep pace.

Anti-malware protection is installed and active

Windows Defender at minimum, or a third-party endpoint protection solution, on every device. Not just installed but actively running, regularly updated, and centrally monitored. A protection tool that nobody is watching provides a false sense of security rather than genuine defence.

Laptop encryption is enabled

BitLocker on Windows, FileVault on Mac. If a laptop is lost or stolen, encryption is the difference between losing a piece of hardware and losing all the data on it. Without encryption, anyone who finds that device can access everything stored locally, including cached credentials and offline files.

You have a list of all company devices

A basic asset inventory, even a spreadsheet, that records every device used for work. You cannot protect what you do not know about. Shadow devices, such as personal laptops used for work email or old phones with company apps still installed, are among the most common blind spots in small business security.
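The five device items in this section can be checked on a Windows machine in one go. The script below is an added example, not part of the checklist: it reads the state of the operating system, Windows Update, Defender and BitLocker, records who holds local administrator rights, and writes one inventory row you can paste into your device list. It assumes an elevated PowerShell session on Windows 10 or 11 Pro/Enterprise (Get-BitLockerVolume is not present on Home editions); the seven-day signature threshold is my own choice, not the page's.

```powershell
# Added example (not the checklist author's code): read-only device hygiene
# check for the "Devices and updates" section, plus an inventory row.
$os   = Get-CimInstance Win32_OperatingSystem
$bios = Get-CimInstance Win32_BIOS
$checks = [ordered]@{}

# Supported OS: the checklist asks for Windows 10 or 11
$checks['Supported OS'] = [bool]($os.Caption -match 'Windows 1[01]')

# Automatic updates: NotificationLevel 4 = download and install on schedule
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$checks['Automatic updates'] = ($au.NotificationLevel -eq 4)

# Anti-malware: Defender enabled, real-time protection on, signatures recent
# (Get-MpComputerStatus errors if a third-party product has replaced Defender)
$mp = Get-MpComputerStatus
$checks['Defender active']  = [bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
$checks['Signatures fresh'] = ($mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-7))

# Encryption: the operating system volume must report BitLocker protection On
$osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
$checks['BitLocker on'] = ($osVol.ProtectionStatus -eq 'On')

# Admin access: who is in the local Administrators group on this machine
$admins = (Get-LocalGroupMember -Group 'Administrators').Name -join '; '

# One inventory row per device, suitable for collecting into a spreadsheet
$row = [pscustomobject]@{
    Device      = $env:COMPUTERNAME
    Serial      = $bios.SerialNumber
    OS          = $os.Caption
    CurrentUser = "$env:USERDOMAIN\$env:USERNAME"
    LocalAdmins = $admins
    AllPassed   = -not ($checks.Values -contains $false)
}

$checks.GetEnumerator() | ForEach-Object { "{0,-20} {1}" -f $_.Key, $_.Value }
$row | Format-List
$row | Export-Csv -Path "$env:COMPUTERNAME-inventory.csv" -NoTypeInformation
```

Run it on each machine and merge the CSV files; a device that never produces a row is a device missing from your inventory.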

Backups and recovery (10 minutes)

Backups are your last line of defence. When everything else fails, when ransomware encrypts your files, when a system crashes beyond repair, when someone accidentally deletes critical data, your ability to recover depends entirely on the quality of your backup strategy. These four checks determine whether your safety net is real or imaginary.

Critical data is being backed up

Company files, email archives, accounting data, CRM records, and any other information your business would struggle to operate without. If a system failed tomorrow, would you lose data? If you are not certain, that uncertainty is itself the answer.

Backups are stored separately from primary systems

Cloud backup or offsite storage, not just a copy on the same server or the same network. Ransomware attacks specifically target backup locations that are accessible from the compromised environment. If your backups live alongside your production data, they will be encrypted along with everything else.

Backups have been tested with a real restore

Have you actually restored something from backup in the past six months? A backup that has never been tested is not a backup. It is a hope. The only way to know your recovery process works is to run through it before you need it under pressure.

You know your recovery time

If everything was lost today, how many hours or days until your business is fully operational again? If you do not know the answer, you cannot plan for the impact. Recovery time is a business decision, not just a technical one, and it should be understood at board level.

Quick wins (10 minutes)

These are the items that take minimal effort but have an outsized impact on your overall security posture. They are often overlooked because they seem too simple to matter. In practice, they are among the most effective controls a small business can implement, and each one can be addressed in minutes.

Router admin password has been changed from default

The default password printed on your router is public information. If it has never been changed, anyone who knows the make and model of your device can access your network configuration. This takes thirty seconds to fix and eliminates one of the most basic network vulnerabilities.

Guest WiFi is separated from the business network

Visitors, contractors, and personal devices should connect to a separate network segment that cannot reach your internal systems, file shares, or printers. Most modern routers support guest networks. If yours does not, it is time for an upgrade.

Someone is responsible for IT security

It does not need to be a dedicated role or a qualified professional. But someone in your organisation should be named as the person who keeps an eye on security, stays informed about threats, and acts as the point of contact when something needs attention. Without ownership, security becomes nobody's job.

Staff know who to report suspicious activity to

There should be a clear, known reporting line for security concerns. If someone receives a suspicious email, notices unexpected behaviour on their machine, or clicks a link they should not have, they need to know exactly who to tell and feel safe doing so without blame.

22 items across five categories covering the essentials of small business security

60 min to complete. Designed to fit into a single meeting with your IT lead

80% of common cyber attacks are preventable with basic security controls in place

How did you score?

Count every item you can confidently confirm. Be honest with yourself. A gap you acknowledge is a gap you can fix. A gap you ignore is a vulnerability you are choosing to accept.

18 to 22: Strong foundation

You have the basics well covered. Focus on any remaining gaps and consider formalising your security practices with regular reviews. This is the standard most small businesses should be working towards.

12 to 17: Gaps to address

Some fundamentals are in place, but notable weaknesses remain. Prioritise the missing items by risk and tackle the highest-impact changes first. A structured improvement plan will help you close these gaps efficiently.

Under 12: Significant exposure

Your business has meaningful security gaps that leave you vulnerable to common attacks. Consider getting professional help to assess your risks and build a practical remediation plan. The sooner you start, the better.

“Keep this checklist and revisit it quarterly. Security is not a one-time project. It is an ongoing practice that improves every time you come back to it with fresh eyes.”

What to do next

If you scored well, your focus should be on maintaining what you have and formalising your security practices so they do not depend on any single person remembering to do the right thing. Document your processes, schedule regular reviews, and keep your team informed about the threats that are most relevant to your industry.

If you identified significant gaps, resist the temptation to tackle everything at once. Prioritise by impact. MFA on critical systems, encryption on laptops, and tested backups will address the most dangerous exposures first. From there, work through the remaining items methodically, one per week if needed.

If you want a more comprehensive assessment, or if the gaps you found are beyond what you can address internally, professional help can turn this checklist into a structured improvement plan with clear timelines, accountability, and measurable progress.

Want a deeper assessment?

This checklist covers the basics. For a comprehensive security review that goes beyond surface-level checks, our team can assess your environment in detail, identify the risks specific to your business, and build a practical improvement plan you can actually follow through on.

Book a call to talk through your results. We will give you an honest view of where you stand and what the most effective next steps would be for your organisation.