A Cybersecurity Checklist for Small Businesses

2020 has been especially tough on small businesses, which had to adapt quickly to survive. Many didn’t make it. Among those that did, there was a clear shift in business practices toward doing everything online.

That includes communicating with customers, selling their products or services, and running the business. It also includes a whole slew of cybersecurity risks that these businesses may have never had to deal with before. However, don’t be intimidated. There is a light at the end of the tunnel, and it’s called being proactive. 

Take this handy checklist and apply all of the tips listed here to ensure that the company’s systems and digital assets are kept safe. Some of these tips mention tools that cost money (they provide a valuable service after all), but they’re completely worth it. 

Thankfully, Cyber Monday is just around the corner, and that usually means great deals. Be on the lookout for any good Cyber Monday subscription deals for tools and services that will undoubtedly be competing for more customers this year. 

Small Business Cybersecurity Checklist

1. Do a Risk Assessment

Every business is different, and while some common areas should always be covered, special security measures may be necessary. Usually, a cybersecurity consultant can effectively identify all of the security vulnerabilities a business has. It can also be done by IT and management working in tandem, but they might miss things an expert would know to focus on.

A cybersecurity risk assessment should always include the following:

  • The most common, most critical, and most relevant threats a business is likely to encounter;
  • Vulnerabilities within the company that attackers will be able to take advantage of;
  • How to fix vulnerable points and improve security.

2. Have Multiple Layers of Protection in Place

As with any other kind of security, the only way to keep attackers out is to make it too hard for them to get in. It starts at the device level, by securing devices with PINs or passwords and encrypting drives where necessary. Next is the software level, which includes account password security, anti-virus software and firewalls, and end-to-end encryption.

3. Limit Access to Information

There’s no need to provide every employee with access to every account or file. Give each employee their own login and only provide access privilege to the information they need. Make sure to revoke those privileges and change account passwords when an employee is no longer working for the company.

4. Track Where Data Goes

Employees can share files over group messaging apps, email, or even USB drives. Vendors can be granted access and then pass the data they receive or gather on to other third parties. See how quickly things can spiral out of control, to the point where management doesn’t know whose hands the data has been through?

Management has to create a system that allows them to be aware of where data is being sent or stored at all times. This requires a combination of policy and software.

5. Secure Networks With a VPN

This fits in with the point made about multiple layers of protection but warrants a special mention, mainly because most people have had to shift to remote work lately. Virtual private networks have therefore become an essential tool, as they add another layer of protection to network traffic via encryption.

VPN services use strong encryption protocols to ensure that the data being sent and received over a network is secure. This means that attackers cannot read the contents of the traffic, even if they gain access to the network it passes over.

6. Ensure a Cybersecurity Policy is in Place and Complied With

Does the business have a solid cybersecurity policy (also called acceptable use policy) document in place? Is it up to date and compliant with recent laws around data protection? Have employees been given a refresher course on how to protect the data and devices they work with? Studies have shown that employees forget most of the awareness training they’ve done within a few months. 

If the company doesn’t have any measures in place, then it’s time to get a cybersecurity policy drawn up ASAP. An acceptable use policy should include:

  • Rules stipulating how the business’s digital assets and data may be accessed and used, as well as who is allowed to access this data;
  • What employees, contractors, and vendors who are allowed access to data can do with it;
  • What measures should be taken to protect data, company systems and networks, and devices;
  • What constitutes safe online behavior and procedures that should be followed to keep devices and accounts safe;
  • What someone should do in case of a security incident or when they suspect someone intends harm to them or the company.
This quick guide covers the basics of what every small business should know about cybersecurity. Follow the checklist to ensure that the necessary security measures are in place, but don’t stop there. Every business has a unique setup and will require additional steps to ensure a comprehensive digital security system is in place.

Anzhela Sychyk

Anzhela is a seasoned business journalist with a keen eye for spotting industry trends and a knack for explaining complex financial concepts in a clear and accessible way. With over 15 years of experience covering the world of finance and economics, Anzhela has established herself as a respected authority on all things business.