Small Business Cybersecurity Checklist Part 1–Bare Minimum

Small businesses and organizations are generally lagging behind their enterprise-sized counterparts when it comes to cybersecurity.  Over the next three posts we will look at the actions small business owners and managers should undertake to secure their digital assets.

A large part of the reason that small businesses are lagging in cybersecurity is that small owner-managed businesses generally focus their time, energy, and capital on the core purpose of the business:  selling more of whatever it is that the business does to create income.  Another reason is that small business owners as a group tend to be inexperienced or unversed in the more technical aspects of computer, server, and network services and functionality, much less security.

In many cases there is no IT professional on staff, and these support functions are handled by a third-party company specializing in small business IT support.  Even when those providers are well-versed in security principles, they may not be good at making a business case for budgeting more for security.  These factors make small business cybersecurity an often neglected aspect of business operations.

We are identifying the following list as cybersecurity basics, but they really are must-have items for your organization.

  • Train your employees in cybersecurity basics and close the single biggest source of security breaches.  Hire a professional cybersecurity trainer.  This will be the best money you spend.
  • Install Internet Security software on all computers and servers, and set it up in real-time protection mode or schedule daily full system scans for malware.
  • Install a hardware firewall, or turn on the firewall features on your cable or DSL modem or wireless access point.
  • Make sure your computers are using a software firewall.  This is part of the Windows operating system, and most security suites include one as well.
  • Set up and run all updates for Windows, Adobe Reader and Flash, and other software that provides regular security updates and patches.
  • Set up backups for all your important files.  This includes whatever is stored in file shares as well as the Windows Libraries on individual computers.  Verify that they are running as scheduled.
  • Control physical access to your computers, servers, and network equipment.  People to consider are not just your employees sharing each other's equipment, but also vendors, outsourced IT staff, and even the overnight cleaning crew.
  • Secure your wireless network equipment by turning on WPA2 encryption and setting up other security factors.  See my earlier post for details.
  • Set up and use individual computer accounts for each employee and each application.  Shared credentials are poor security.
  • Limit employee authority to access data, giving them access to what they need to perform their jobs, but nothing else.
  • Limit employees' ability to install programs.  Lots of popular freeware programs open security holes in the name of advertising, and some are just a disguise for malware.

You might start your cybersecurity journey by printing out this list and having a conversation with your computer support professional to see how many of these essentials are in place, and make plans to implement those that are not.
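As an added example (not part of the original post), here is a PowerShell script that checks several of the items above on a single Windows computer: the software firewall, real-time malware protection and scan age, recent patching, local Administrators membership (who can install programs), and a scheduled backup task. It assumes Windows Defender is the security product in use and uses an assumed backup task name that you would replace with the one your backup software creates.

```powershell
# Added example: audit of several checklist items on one Windows PC.
# Run from an elevated PowerShell 5.1+ prompt on Windows 10/11 or Server 2016+.
# Assumes Windows Defender; a third-party suite needs its own status query
# in place of Get-MpComputerStatus.

$findings = @()

# Software firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# Real-time malware protection, signature freshness, and recent scans.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
if ($mp.AntivirusSignatureAge -gt 3) { $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old" }
if ($mp.FullScanAge -gt 7 -and $mp.QuickScanAge -gt 1) {
    $findings += "No recent malware scan (full: $($mp.FullScanAge)d, quick: $($mp.QuickScanAge)d)"
}

# Updates: service not disabled, and some patch installed within the last 45 days.
if ((Get-Service wuauserv).StartType -eq 'Disabled') { $findings += "Windows Update service is disabled" }
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings += "No Windows patch installed in the last 45 days"
}

# Least privilege: day-to-day user accounts should not be local Administrators.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($m.Name -notlike '*\Administrator') {
        $findings += "Local Administrators contains '$($m.Name)' (can install software)"
    }
}

# Backups: look for the scheduled task your backup product created ('NightlyFileBackup' is an assumed name).
$backupTask = Get-ScheduledTask -TaskName 'NightlyFileBackup' -ErrorAction SilentlyContinue
if (-not $backupTask) {
    $findings += "No scheduled backup task named 'NightlyFileBackup' found"
} elseif (($backupTask | Get-ScheduledTaskInfo).LastTaskResult -ne 0) {
    $findings += "Last run of 'NightlyFileBackup' did not succeed"
}

if ($findings.Count -eq 0) { "All checked items are in place." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line maps back to one checklist item, so the output doubles as the agenda for the conversation with your support professional.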

For a deeper look at this issue, please check out the following link.

NIST:  Small Business Information Security: The Fundamentals


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
