A Small Business Cybersecurity Checklist Helps You Stop Avoidable Mistakes

A small business cybersecurity checklist helps you protect your business from the simple mistakes that can lead to expensive downtime, data loss, and customer trust problems. If you run a small business, you probably do not have time to become a cyber security expert. You just need clear steps that reduce risk without slowing everyone down.

In my years as a CTO and technology consultant, I have seen one pattern again and again. Cyber security works best when it is practical, understood by the team, and tied to real business outcomes. The Australian Cyber Security Centre recommends small businesses start with multi-factor authentication, software updates, and backups, which is a sensible foundation for most SMEs.

Takeaways

  • A small business cybersecurity checklist helps you reduce risk without making work harder.
  • Start with MFA, software updates, and tested backups because they address common weaknesses.
  • Staff training matters because phishing and payment scams target people, not just systems.
  • Access control protects your business by limiting who can view, change, or delete information.
  • A simple incident response plan saves time and stress when something goes wrong.

Why Cybersecurity Matters for Small Businesses

Small businesses often think cyber criminals only chase large companies. That is a risky assumption.

Attackers usually look for easy targets. A small business with weak passwords, old software, shared logins, or no tested backups can be easier to attack than a large company with dedicated security staff.

The impact can be painful. You might lose access to emails, customer records, accounting files, booking systems, online stores, or cloud documents. Even a short outage can create stress for staff and customers.

Cyber security is not just a technology issue. It is a people, process, and trust issue. That is why I always come back to people before technology. The goal is not to make your business feel locked down and awkward. The goal is to help your people work safely, serve customers, and keep the business moving.

If you want help reviewing your current risk, my Cybersecurity Advice service is designed for practical business conversations, not scare tactics.

The Small Business Cybersecurity Checklist

Here is the checklist I would use as a starting point for most SMEs.

Area                What To Check                                 Why It Matters
Accounts            Multi-factor authentication is turned on      Protects logins if passwords are stolen
Passwords           Staff use strong, unique passwords            Stops one leak becoming a bigger problem
Software            Devices and apps are updated                  Fixes known security weaknesses
Backups             Important data is backed up and tested        Helps you recover from accidents or attacks
Access              Staff only have access they need              Limits damage if an account is misused
Email               Staff can spot suspicious messages            Reduces phishing and invoice scam risk
Devices             Laptops, phones, and tablets are protected    Keeps business data safer when devices move
Cloud tools         Admin settings are reviewed                   Protects files, email, and shared systems
Payments            Banking and invoice processes are checked     Reduces fraud risk
Incident response   You know what to do if something goes wrong   Saves time during a stressful event

This is not about becoming perfect. Perfect is expensive, slow, and usually fictional. The aim is to make the common mistakes harder to exploit.

1. Turn On Multi-Factor Authentication

Multi-factor authentication, often called MFA, asks for more than a password when someone logs in. This might be a code, an authenticator app, or a prompt on a trusted device.

The ACSC describes MFA as a security measure requiring two or more proofs of identity before access is granted. It also notes that MFA is one of the most effective ways to protect accounts against unauthorised access.  

Start with your most important systems:

  • Email accounts: Email is often the front door to everything else.
  • Banking and accounting tools: Protect payments, payroll, and invoices.
  • Cloud storage: Keep customer documents and business files safer.
  • Website admin accounts: Stop attackers changing your site.
  • Social media accounts: Protect your brand and customer communication.

Avoid SMS codes where you have better options. SMS codes can be captured through SIM-swap fraud, and a code from an authenticator app can still be typed into a convincing fake login page. A security key or passkey resists both, because the browser will only use it for the genuine site. Use the strongest option each service supports, but SMS-based MFA is still far better than no MFA.

For staff, explain the reason. Do not just say, “IT said so.” Say, “This protects your account and helps keep customer data safe.” People are more likely to follow a rule when they understand who it helps.

2. Use Strong Passwords and a Password Manager

Passwords are still a weak spot for small businesses. The problem is not that people are careless. The problem is that people are busy.

If someone has to remember twenty passwords, they will reuse them. That is normal human behaviour. The fix is to stop relying on memory.

Use a password manager. It stores strong, unique passwords for each account. Your staff only need to remember one strong master password, and the password manager account itself should be protected with MFA, because it now holds the keys to everything else.

A good password habit looks like this:

  • Use a different password for every important account.
  • Use long passphrases where possible.
  • Do not share passwords by email, chat, or spreadsheet.
  • Remove shared admin accounts where you can.
  • Change passwords quickly when someone leaves the business.

Shared passwords are common in SMEs, especially for social media, booking tools, or supplier portals. They feel convenient until a staff member leaves or the password leaks.

Give people their own accounts instead. It makes access easier to manage and gives you a clearer record of who did what.

3. Keep Software and Devices Updated

Software updates are not just annoying pop-ups. They often fix security holes.

Attackers pay attention to known weaknesses. If your laptop, website, accounting system, browser, or plugin is out of date, you may be leaving a door open.

The ACSC lists software updates as one of the key starting measures for small businesses. It also recommends small businesses move toward Maturity Level One of the Essential Eight after completing basic guidance.  

Focus on:

  • Laptops and desktop computers.
  • Mobile phones and tablets.
  • Web browsers.
  • Email apps.
  • Accounting and payroll software.
  • Website platforms and plugins.
  • Point-of-sale systems.
  • Cloud apps used by staff.

Set updates to run automatically where possible. For business-critical systems, plan updates carefully. You do not want a surprise update breaking your point-of-sale system at 8:55 am on a busy Saturday. That is not security. That is chaos with a progress bar.

If you rely on older systems that no longer receive updates, treat that as a business risk. You may not need to replace everything today, but you should know what is exposed, keep those systems off the open internet and away from anything sensitive, and know what it would cost to fix.

4. Back Up Your Important Information

Backups are your safety net. They help you recover from ransomware, accidental deletion, hardware failure, staff mistakes, and cloud sync problems.

The ACSC includes backing up information as one of its three starting measures for small businesses.  

A useful backup plan answers four questions:

  • What information must we protect?
  • How often is it backed up?
  • Where are the backups stored?
  • Have we tested recovery?

That last question matters. A backup you have never tested is a hope, not a plan.

For a small business, backup priorities might include:

  • Customer records.
  • Financial data.
  • Contracts and legal documents.
  • Website files and databases.
  • Product images and marketing assets.
  • Rosters, bookings, and operational documents.
  • Email and cloud documents.

Use automated backups where possible. Keep at least one copy offline, or on storage that your everyday accounts cannot change or delete, with its own login separate from your normal admin accounts. If ransomware can reach your live files and your backup files with the same credentials, recovery becomes much harder.
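Testing recovery can be automated for the simple case. As an added example that is not part of this article, the following Python (standard library only) writes a backup together with a manifest of file hashes, then proves it by restoring into a scratch folder and checking every restored file against the manifest. The sample business folder, and the two manifest edits that simulate a backup job that skipped one file and kept a stale copy of another, are constructed for the demo.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of every file under `source` plus a manifest of SHA-256
    hashes beside it. The manifest is the evidence a restore test checks against."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            relative = file.relative_to(source).as_posix()
            manifest[relative] = sha256_file(file)
            tar.add(file, arcname=relative)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path) -> dict:
    """Restore into a scratch directory and compare every file with the manifest.
    Returns a verdict plus the files that are missing or do not match."""
    manifest = json.loads(manifest_path(archive).read_text())
    missing, corrupt = [], []
    with tempfile.TemporaryDirectory() as scratch:
        destination = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" extraction filter (Python 3.12+, also backported) refuses
            # archive entries that would write outside the destination.
            options = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(destination, **options)
        for relative, expected in manifest.items():
            restored = destination / relative
            if not restored.is_file():
                missing.append(relative)
            elif sha256_file(restored) != expected:
                corrupt.append(relative)
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def demo() -> tuple:
    """Constructed sample: a tiny business folder is backed up and verified, then
    the manifest is edited to mimic a broken backup so the failure report shows."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "business"
        (source / "customers").mkdir(parents=True)
        (source / "customers" / "list.csv").write_text("name,email\nAda,ada@example.com\n")
        (source / "invoices.txt").write_text("INV-001 paid\n")
        archive = root / "backup.tar.gz"
        create_backup(source, archive)
        healthy = verify_restore(archive)

        manifest = json.loads(manifest_path(archive).read_text())
        manifest["payroll.xlsx"] = "0" * 64   # expected, but never written to the archive
        manifest["invoices.txt"] = "f" * 64   # archive holds a different version than expected
        manifest_path(archive).write_text(json.dumps(manifest))
        broken = verify_restore(archive)
    return healthy, broken


if __name__ == "__main__":
    for label, result in zip(("healthy backup", "broken backup"), demo()):
        print(label, result)
```

Run the restore check on a schedule and treat anything other than "ok" as an incident to fix that week, not a warning to file. For cloud systems the same idea applies: export, restore into a test account or folder, and open a few records.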

For more structure, connect this with Disaster Recovery Planning and Business Continuity Planning. Backups are the technical part. Recovery planning is the business part.


5. Control Who Has Access

Access control sounds technical, but the idea is simple. People should only have access to what they need for their role.

A casual employee may need the roster system. They probably do not need payroll access. A marketing contractor may need social media access. They probably do not need full admin access to your website.

Review access regularly:

  • Who has access to email?
  • Who can approve payments?
  • Who can view customer records?
  • Who can export data?
  • Who has admin rights?
  • Which ex-staff or old suppliers still have access?

Remove access when people leave. Change shared passwords if you cannot yet move away from them. Better still, set up named accounts and remove shared access over time.

Admin accounts deserve extra care. An admin account can change settings, add users, delete data, or weaken security. Keep admin rights limited to people who genuinely need them.

This is where IT Governance can help. Governance does not need to be heavy. For an SME, it can be as simple as clear rules for who approves access, who reviews it, and how changes are recorded.

6. Train Staff to Spot Phishing and Scams

Phishing emails try to trick people into clicking links, opening files, sharing passwords, or paying fake invoices. They often look like normal business communication.

Staff training does not need to be scary. It should be practical and regular.

Teach your team to pause before acting on messages that involve:

  • Urgent payment requests.
  • Changed bank details.
  • Password reset links.
  • Unexpected attachments.
  • Gift card requests.
  • Fake delivery notices.
  • Messages claiming to be from the owner or manager.
  • Requests to keep something secret.

The best training uses examples from your business. A retail business may see fake supplier invoices. A healthcare provider may see fake patient document links. A tradie may see scam quote requests or fake job attachments. A professional services firm may see fake DocuSign or Microsoft 365 messages.

Make reporting easy. Staff should know who to ask if something feels wrong. They should not feel embarrassed. If someone reports a suspicious message, thank them. That one small action may prevent a bigger problem.

Cyber security improves when people feel safe asking questions. That is people before technology in action.

7. Protect Business Devices

Your business data moves around. It sits on laptops, phones, tablets, USB drives, and sometimes personal devices.

That creates risk, especially for mobile teams, remote workers, salespeople, field staff, consultants, and local businesses where people work from home after hours.

At a minimum:

  • Use screen locks on every device.
  • Turn on device encryption where available.
  • Keep operating systems updated.
  • Use antivirus or endpoint protection.
  • Avoid using unsupported devices.
  • Do not let staff share work devices casually.
  • Have a process for lost or stolen devices.

For phones, make sure staff use a PIN, password, fingerprint, or face unlock. Business email on an unlocked phone is a risk. If the phone is lost, someone may get access to client messages, files, and reset links.

If staff use personal devices for work, set clear rules. Personal devices can be fine for some businesses, but only if you understand the risk. You may need mobile device management, or at least basic standards for updates, screen locks, and remote wipe.

8. Secure Your Email and Cloud Tools

For most small businesses, email and cloud tools are the centre of daily work. Microsoft 365, Google Workspace, Dropbox, Xero, MYOB, Shopify, Square, HubSpot, and similar platforms hold valuable data.

The problem is not the cloud itself. The problem is poor settings, weak access, and unclear ownership.

Review these settings:

  • MFA for all users.
  • Admin accounts limited and protected.
  • External file sharing checked.
  • Old users removed.
  • Shared mailboxes reviewed.
  • Forwarding rules checked.
  • Suspicious login alerts enabled where available.
  • Recovery email and phone details kept current.
  • Backups or export options understood.

Email forwarding rules deserve special attention. If an attacker gets into an email account, they may set rules that forward invoices, password resets, or customer messages to another address. They also commonly add rules that delete replies or move them into folders nobody reads, so that a supplier querying a changed bank account never gets seen. The business may not notice straight away.
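As an added example, not from this article, here is the kind of check an IT provider might run over an export of everyone's inbox rules. The rule records, their field names, the business domain and the folder and keyword lists are all assumptions for the demo; in Microsoft 365 the raw data comes from the Exchange Online Get-InboxRule cmdlet and each mailbox's forwarding settings, and in Google Workspace from each user's Gmail filters and forwarding settings.

```python
from dataclasses import dataclass

# Assumptions for the example: the business's own domain, the folders attackers
# use to bury mail, and the words that mark the messages they want to intercept.
INTERNAL_DOMAINS = {"example.com.au"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
SENSITIVE_WORDS = {"invoice", "payment", "remittance", "bank", "password", "verify", "reset"}

# Constructed export with made-up field names; a real one comes from your admin tools.
SAMPLE_RULES = [
    {"mailbox": "sam@example.com.au", "name": "Newsletters", "enabled": True,
     "move_to_folder": "Newsletters", "subject_contains": ["newsletter"]},
    {"mailbox": "sam@example.com.au", "name": "Cover for Ali", "enabled": True,
     "forward_to": ["ali@example.com.au"]},
    {"mailbox": "accounts@example.com.au", "name": ".", "enabled": True,
     "redirect_to": ["ap-review@mail-secure-docs.example"], "delete_message": True,
     "subject_contains": ["invoice", "payment"]},
    {"mailbox": "pat@example.com.au", "name": "Home copy", "enabled": True,
     "forward_to": ["pat.smith@gmail.com"]},
]


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str
    reason: str


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rules(rules) -> list:
    """Flag the three things an attacker-made rule usually does: copy mail out
    of the business, hide particular messages from the mailbox owner, and carry
    a throwaway name. Disabled rules are skipped."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        mailbox, name = rule["mailbox"], rule.get("name", "")
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets if is_external(t)]
        if external:
            findings.append(Finding(mailbox, name, "high",
                            "sends mail outside the business to " + ", ".join(external)))
        hides = rule.get("delete_message", False) or \
            rule.get("move_to_folder", "").lower() in HIDING_FOLDERS
        hit_words = {w.lower() for w in rule.get("subject_contains", [])} & SENSITIVE_WORDS
        if hides and hit_words:
            findings.append(Finding(mailbox, name, "high",
                            "hides messages about " + ", ".join(sorted(hit_words))
                            + " from the mailbox owner"))
        elif hides:
            findings.append(Finding(mailbox, name, "medium",
                            "deletes or buries matching messages; confirm with the owner"))
        if len(name.strip()) <= 1:
            findings.append(Finding(mailbox, name, "medium",
                            f"rule name {name!r} is blank or one character, a common sign "
                            "of a rule an intruder created in a hurry"))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding.severity}] {finding.mailbox} rule {finding.rule!r}: {finding.reason}")
```

A legitimate forward to a colleague and a newsletter filter produce nothing; the accounts mailbox rule that redirects invoice mail to an outside address and deletes the original is the pattern behind most invoice fraud that starts with a compromised mailbox. Where the platform allows it, block automatic forwarding to external addresses at the tenant level so the rule cannot be created at all.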

If you use Microsoft 365 or Google Workspace, a configuration review can be very useful. You can learn more about Microsoft 365 Consulting and Google Workspace Consulting if those tools are central to your business.

9. Lock Down Payments and Invoices

Payment fraud is one of the most practical cyber risks for SMEs. It does not always involve complex hacking. Sometimes it is a convincing email at the wrong moment.

Common examples include:

  • A fake supplier asks you to change bank details.
  • An attacker sends a fake invoice from a lookalike email address.
  • A staff member receives a message pretending to be the owner.
  • A customer receives altered payment details.
  • A compromised email account is used to send real-looking payment requests.

Create simple payment rules:

  • Confirm bank detail changes by phone, using a number you already have on file, never one taken from the email requesting the change.
  • Require approval for new suppliers.
  • Use two-person approval for larger payments.
  • Separate invoice creation from payment approval where possible.
  • Watch for email addresses that look slightly wrong.
  • Keep accounting software access limited.

This is less about fancy technology and more about good habits. A five-minute phone call can stop a five-figure mistake.
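"Looks slightly wrong" can be made mechanical for the cases that fool busy eyes. The following is an added Python example, not from this article, that checks an invoice email's sender domain against a trusted supplier list for swapped look-alike characters, a supplier's name buried inside a different domain, one-character typos, and a Reply-To that points somewhere else. The supplier domains, the confusable-character table and the similarity threshold are assumptions for the demo.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumption for the example: domains this business already knows and trusts.
TRUSTED_DOMAINS = {"acmesupplies.com.au", "example.com.au"}

# Characters and pairs that pass for other characters in common fonts.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                                  "7": "t", "8": "b", "$": "s"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def domain_of(address: str) -> str:
    """Lowercase domain from 'Name <user@domain>' or 'user@domain'."""
    match = re.search(r"@([^\s>]+)", address)
    return match.group(1).lower().strip(".") if match else ""


def normalise(domain: str) -> str:
    """Fold accents and confusable characters so 'acrnesupp1ies' reads 'acmesupplies'."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    folded = folded.translate(CONFUSABLE_CHARS)
    for pair, replacement in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, replacement)
    return folded


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, reason): 'trusted', 'lookalike' or 'unknown'."""
    if domain in trusted:
        return "trusted", "domain is on the trusted list"
    labels = set(re.split(r"[.-]", domain))
    for known in trusted:
        if normalise(domain) == normalise(known):
            return "lookalike", f"characters swapped to imitate {known}"
        if known.split(".")[0] in labels:
            return "lookalike", f"uses the name of {known} inside an unrelated domain"
        # 0.85 is an assumed threshold: one or two edits in a domain this long.
        if SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return "lookalike", f"one or two characters away from {known}"
    return "unknown", "domain is not on the trusted list"


def check_invoice_email(from_header: str, reply_to: str = "") -> list:
    """Warnings a payments person should resolve by phone before paying."""
    warnings = []
    sender = domain_of(from_header)
    verdict, reason = classify_domain(sender)
    if verdict == "lookalike":
        warnings.append(f"sender domain {sender} imitates a trusted supplier: {reason}")
    elif verdict == "unknown":
        warnings.append(f"sender domain {sender} is not a known supplier")
    reply = domain_of(reply_to) if reply_to else ""
    if reply and reply != sender:
        warnings.append(f"replies go to {reply}, not to the sender's domain {sender}")
    return warnings


if __name__ == "__main__":
    # Constructed headers for the demo.
    samples = [
        ("Accounts <accounts@acmesupplies.com.au>", ""),
        ("Accounts <accounts@acrnesupplies.com.au>", ""),
        ("Billing <billing@acmesupplies-invoices.com>", ""),
        ("Accounts <accounts@acmesupplies.com.au>", "Accounts <pay@outlook.com>"),
    ]
    for sender, reply_to in samples:
        print(sender, "->", check_invoice_email(sender, reply_to) or ["no warnings"])
```

A "lookalike" or "unknown" result should trigger the phone call, not block the payment automatically; genuinely new suppliers will show up as unknown, which is exactly the point. The Reply-To check catches the case where the sender's real mailbox has been compromised and the attacker wants the conversation steered away from it.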

10. Have an Incident Response Plan

An incident response plan tells your team what to do when something goes wrong. It does not need to be huge. It just needs to be clear.

The ACSC says organisations should have a cyber security incident response plan to support effective response and recovery when controls do not prevent an incident. It also says the plan should be tested and reviewed regularly.

Your plan should cover:

  • Who makes decisions during an incident.
  • Who contacts your IT provider.
  • Who talks to staff.
  • Who talks to customers if needed.
  • Which systems matter most.
  • How backups are restored.
  • Where key passwords and recovery details are stored.
  • Who contacts banks, insurers, or legal advisers if required.

Write this down before the incident. During a cyber incident, people are stressed. That is a terrible time to work out who has the login for the domain name account.

Test the plan with a simple scenario. For example: “What would we do if our main email account was compromised?” Walk through the steps. You will quickly find gaps.

11. Review Your Website Security

Your website is often your public front door. If you run WordPress, Shopify, WooCommerce, Squarespace, Wix, or a custom web app, security should not be ignored.

For a website, check:

  • Admin accounts use MFA where possible.
  • Old users are removed.
  • Plugins, themes, and platform software are updated.
  • Backups are running.
  • Forms are protected from spam and abuse.
  • Hosting access is limited.
  • HTTPS (TLS) is enforced on every page, and the certificate is valid and set to renew automatically.
  • Website changes are logged where possible.
  • Unused plugins or extensions are removed.

For WordPress sites, plugin overload can become a risk. Every plugin adds code. Some are excellent. Some are abandoned. Some were useful once but now just sit there like a dusty box under the stairs.

If your website handles payments, memberships, bookings, or customer data, treat it as a business system, not a brochure. That means updates, backups, monitoring, and clear ownership.

For deeper review work, IT Risk Management can help connect website risk to business impact.


12. Check Supplier and Contractor Access

Small businesses often rely on suppliers, contractors, bookkeepers, marketing agencies, web developers, IT providers, and software vendors. That is normal. It can also create hidden cyber risk.

Ask:

  • Which suppliers have access to our systems?
  • Do they still need that access?
  • Are they using named accounts?
  • Do they use MFA?
  • Can they access customer data?
  • What happens if their account is compromised?
  • Who reviews supplier access?

You do not need to treat every supplier like a threat. You do need to know who can get into your systems.

If a web developer built your site three years ago, they may still have admin access. If a marketing agency managed ads last year, they may still have access to your Facebook page or Google Ads account. If a contractor helped with accounting setup, they may still have access to financial data.

Clean this up. It is usually quick and it reduces risk.
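The access questions in section 5 and the supplier questions above can be answered from a single list of accounts. As an added example that is not part of this article, the Python below takes a user export (the records, their field names, the review date and the 90-day stale threshold are constructed for the demo) and produces the findings for a quarterly review: leavers and suppliers who can still sign in, accounts nobody has used, admins without MFA, and shared logins.

```python
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 90   # assumption: a quarter without a sign-in needs a reason
REVIEW_DATE = date(2024, 7, 1)   # constructed review date

# Constructed export with made-up field names. A real one is the user list from
# your Microsoft 365 or Google Workspace admin console plus your HR leaver dates.
SAMPLE_ACCOUNTS = [
    {"email": "owner@example.com.au", "type": "staff", "is_admin": True, "mfa": True,
     "enabled": True, "last_login": date(2024, 6, 28), "access_ends": None},
    {"email": "jess@example.com.au", "type": "staff", "is_admin": False, "mfa": False,
     "enabled": True, "last_login": date(2024, 2, 1), "access_ends": None},
    {"email": "webdev@example.com.au", "type": "supplier", "is_admin": True, "mfa": False,
     "enabled": True, "last_login": date(2022, 3, 10), "access_ends": date(2022, 3, 15)},
    {"email": "social@example.com.au", "type": "shared", "is_admin": False, "mfa": False,
     "enabled": True, "last_login": date(2024, 6, 30), "access_ends": None},
    {"email": "books@example.com.au", "type": "contractor", "is_admin": False, "mfa": True,
     "enabled": True, "last_login": date(2024, 6, 20), "access_ends": None},
]


@dataclass
class Finding:
    account: str
    severity: str
    action: str


def review_accounts(accounts, today: date) -> list:
    """One pass over every enabled account, highest-risk findings first."""
    findings = []
    for account in accounts:
        if not account["enabled"]:
            continue   # already disabled: nothing left to revoke
        email = account["email"]
        ended = account.get("access_ends")
        if ended is not None and ended < today:
            findings.append(Finding(email, "high",
                            f"{account['type']} access ended {ended:%Y-%m-%d} but the "
                            "account can still sign in: disable it today"))
        idle_days = (today - account["last_login"]).days
        if idle_days >= STALE_AFTER_DAYS:
            findings.append(Finding(email, "medium",
                            f"no sign-in for {idle_days} days: confirm it is needed or disable"))
        if account["is_admin"] and not account["mfa"]:
            findings.append(Finding(email, "high",
                            "admin account without MFA: enforce MFA before anything else"))
        elif not account["mfa"]:
            findings.append(Finding(email, "medium", "MFA not enabled"))
        if account["type"] == "shared":
            findings.append(Finding(email, "medium",
                            "shared login: replace with named accounts so actions are attributable"))
    return sorted(findings, key=lambda f: (f.severity != "high", f.account))


def summarise(accounts) -> dict:
    """The three numbers worth tracking quarter to quarter."""
    enabled = [a for a in accounts if a["enabled"]]
    return {
        "enabled_accounts": len(enabled),
        "admins": sum(a["is_admin"] for a in enabled),
        "mfa_coverage": sum(a["mfa"] for a in enabled) / len(enabled) if enabled else 0.0,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_ACCOUNTS))
    for finding in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"[{finding.severity}] {finding.account}: {finding.action}")
```

The web developer account is the one from the paragraph above: a supplier whose work finished two years ago, still enabled, still an admin, no MFA. Keeping the leaver date beside the account list is what makes that finding automatic instead of something somebody has to remember.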

13. Document the Basics

A small business does not need a giant cyber security manual. It does need a few clear notes that staff can follow.

Start with short documents for:

  • Password and MFA rules.
  • New starter and leaver access.
  • Payment approval rules.
  • Backup and restore steps.
  • Lost device process.
  • Suspicious email reporting.
  • Website update process.
  • Incident response steps.

Keep each one short. One page is often enough.

Good documentation helps when key people are away. It also helps new staff understand what “safe” looks like in your business.

This is where documentation supports people. It removes guesswork. It lowers stress. It helps the team act consistently without needing to ask the owner every time.

14. Do a Quarterly Cyber Security Review

Cyber security is not a one-time job. Your business changes. Staff join and leave. Software changes. New tools appear. Suppliers change. Risks move.

Set a quarterly review. Keep it simple.

Review:

  • Staff access.
  • Admin accounts.
  • MFA coverage.
  • Backup status.
  • Software updates.
  • Website updates.
  • Supplier access.
  • Recent suspicious emails.
  • Security incidents or near misses.
  • Upcoming business changes.

This review can take less than an hour for a small business. The point is to keep risk visible.

A quarterly rhythm is much better than waiting until something breaks. It also helps you make steady improvements without overwhelming the team.

15. Prioritise the Biggest Risks First

You do not need to fix everything this week. In fact, trying to fix everything at once can create confusion.

Start with the controls that reduce the most risk:

  1. Turn on MFA for key accounts.
  2. Check backups and test recovery.
  3. Update devices, software, and websites.
  4. Remove old staff and supplier access.
  5. Train staff on phishing and payment scams.
  6. Document what to do during an incident.

That is a strong first pass.

After that, you can improve over time. Cyber security is a set of habits, not a single project with a finish line.

The ACSC’s Essential Eight is a useful guide for organisations that want a more structured baseline, and it advises a risk-based approach when implementing the controls.

Common Mistakes Small Businesses Make

Here are the mistakes I see most often.

  • Waiting for a scare before acting: Prevention is calmer and cheaper than panic.
  • Relying on one technical person: Cyber security should not live in one person’s head.
  • Sharing passwords: Convenient today, painful later.
  • Ignoring old accounts: Former staff and suppliers should not keep access forever.
  • Never testing backups: Recovery needs proof, not hope.
  • Treating staff as the problem: Staff are part of the defence when trained and supported.
  • Forgetting the website: Your website can be a business-critical system.
  • Skipping payment controls: Invoice fraud often targets process gaps, not technology gaps.

The fix is not shame. The fix is clarity.

Most SMEs are not careless. They are busy. The right checklist gives busy people a way to improve without turning cyber security into a full-time job.

Keep Cybersecurity Practical and Human

Cyber security does not need to feel mysterious. Start with the basics, explain the reasons to your team, and improve one step at a time. The best cyber security habits protect your people, your customers, and the trust your business has worked hard to earn.

If you want a calm, practical review of your current risks, you can book a free consultation and we can talk through what matters most for your business. A safer business starts with a clear small business cybersecurity checklist.

Frequently Asked Questions

What should be included in a small business cybersecurity checklist?

A small business cybersecurity checklist should cover MFA, passwords, software updates, backups, staff training, access control, device security, cloud settings, payment controls, website security, and incident response.

How often should a small business review cyber security?

A quarterly review works well for most small businesses. You should also review cyber security when staff leave, new systems are added, suppliers change, or your business starts handling more sensitive data.

Do small businesses really need multi-factor authentication?

Yes. MFA is one of the simplest ways to protect business accounts if a password is stolen. Start with email, accounting software, banking, cloud storage, and website admin accounts.

Are backups enough to protect against ransomware?

Backups help, but they are not enough by themselves. You also need MFA, updates, access control, staff awareness, and a recovery plan. Backups should also be tested so you know they actually work.

What is the first cyber security step I should take?

Start by turning on MFA for your key accounts. Then check that your important data is backed up and that your software is up to date. Those three steps give most small businesses a stronger foundation.


Want to strengthen your cybersecurity without the stress?

Good cybersecurity is about protecting your business, your people, and your reputation.

I help Australian businesses make sensible, practical improvements that reduce risk and support growth.

If you would like expert guidance on Cybersecurity, IT Governance, or Technology Strategy, get in touch.

Iain White Security Adviser

Cybersecurity isn’t just firewalls and antivirus software; it’s about creating a culture where people feel safe to work. 

Iain White learned this lesson years ago, after watching a team bounce back from a security scare by working together rather than pointing fingers.

Today he helps organisations build that kind of resilience.

Drawing on decades of experience across finance, healthcare, government and manufacturing, he creates strategies that fit the way people actually work. He has a knack for explaining complex threats in plain language and for finding solutions that enhance productivity instead of hindering it.

Iain believes that when teams understand the why behind security, they make better choices.

Through White Internet Consulting, he’s on a mission to help businesses stay secure without losing their humanity.