The 10-Point Cybersecurity Checklist for Small Businesses
Prevvi Team
Small businesses get breached by boring things. Not nation-state exploits aimed at you personally: an unpatched firewall, a reused password, a convincing invoice email. That’s good news, because boring attacks have boring, affordable defenses. Here are the ten controls that matter, ordered by what the actual 2026 breach data says, with sources for every number.
One number up front, because “we’re too small to be a target” is still the most expensive sentence in business: in the Verizon 2026 Data Breach Investigations Report, about 96% of ransomware victims were small and mid-sized businesses. Attackers don’t pick targets; their scanners do.
The checklist
1. Patch on a schedule, not a mood
This is now the top of the list, and that’s not our opinion. The Verizon 2026 DBIR found exploitation of vulnerabilities is the most common way attackers first get in, at 31% of breaches. Meanwhile Google’s M-Trends 2026 research found the mean time-to-exploit has dropped to an estimated negative seven days: exploitation routinely starts before a patch even ships. Most companies are losing this race; Verizon found only 26% of critical vulnerabilities were fully remediated in 2025. Operating systems, browsers, and especially firewalls and VPN appliances need updates applied automatically and verified, with a report someone actually reads.
2. Multi-factor authentication, everywhere
Credential abuse shows up in 39% of breaches, more than any other single technique across the attack chain (Verizon DBIR 2026), and Microsoft’s research shows MFA can block more than 99.2% of account compromise attacks. Turn it on for email, banking, VPN, and every admin account. CISA’s guidance is blunt: phishing-resistant MFA (authenticator apps and hardware keys) is the gold standard, and SMS codes “should only be used as a last resort.” Most platforms include MFA free. Zero excuses on this one.
3. Endpoint detection and response (EDR)
Traditional antivirus matches known bad files. EDR watches for attacker behavior (credential dumping, lateral movement, encryption sprees) and can isolate a machine automatically at 3 a.m. In 2026 this is table stakes, and it’s a standard component of any serious managed cybersecurity service.
4. Backups you have actually restored
Ransomware’s business model depends on your backups failing. Veeam’s ransomware research found attackers targeted backup repositories in 93% or more of attacks. The defense is the 3-2-1 rule documented in US-CERT’s data backup guidance: three copies, two media types, one offsite (and today, immutable). It works: in Sophos’ State of Ransomware 2026 survey, 66% of victims with encrypted data recovered via backups, up 12 points in a year. Then test a restore quarterly and time it. The metric that matters isn’t “do we have backups,” it’s “how many hours to working systems.”
5. Email security beyond the spam filter
Email is still the front door for extortion: Sophos found malicious email (26%) and phishing (24%) together started about half of ransomware incidents. Layer advanced filtering, link and attachment scanning, and publish SPF, DKIM, and DMARC records so criminals can’t spoof your own domain at your customers. Those three records are a one-time setup a provider handles in an afternoon.
6. A password manager for the whole team
People reuse passwords because remembering ninety unique ones is impossible. A business password manager makes the secure path the lazy path. Pair it with MFA and you’ve closed most of the credential attack surface that 39% figure describes.
7. Least privilege and no shared admin accounts
Day-to-day work should happen in standard accounts; admin rights live in separate, monitored accounts used only when needed. When someone’s “temporary” admin access becomes permanent furniture, malware they click runs with their privileges. Keep the blast radius small.
8. Security awareness training that isn’t a checkbox
The human element was present in 62% of breaches (Verizon DBIR 2026). Short, regular, and specific beats an annual hour of compliance video. Simulated phishing with instant feedback changes behavior; shame doesn’t. Your team is a sensor network if you train them to report instead of delete-and-pretend.
9. An offboarding process that runs the same day
Departed employees’ accounts are a classic quiet breach. Access ends the hour employment does: email, VPN, cloud apps, and any shared credentials they knew (which the password manager from point 6 just made rotatable in minutes). This matters doubly for regulated industries, where orphaned accounts are also audit findings.
10. A one-page incident response plan
When something happens, the cost is set by your first hour, and the stakes are real: IBM’s Cost of a Data Breach Report 2025 put the average US breach at a record $10.22 million (the global average is $4.44 million; small-business incidents are smaller but proportionally just as painful). Write down: who to call (internally and your IT provider), what to disconnect, how to communicate if email is compromised, and where the cyber-insurance policy lives. The FTC’s small business cybersecurity guidance is a solid free reference for shaping this.
If you can only do three this quarter
Do patching (1), MFA (2), and backups (4). Those three map directly onto the top documented attack paths: vulnerability exploitation (31% of initial access), credential abuse (39% of breaches overall), and ransomware extortion (48% of all breaches and climbing, per DBIR 2026). Everything else on the list makes you harder to hit; these three make you survivable.
One more blind spot: your vendors
The DBIR 2026 also found third-party involvement in 48% of breaches, and 55% among small businesses specifically. Your bookkeeper’s remote access tool and your website contractor’s admin login are part of your attack surface. Ask every vendor with access to your systems which of the ten controls above they run. (Yes, including your IT provider; here’s how we think about that responsibility.)
Where a provider fits
Every control above can be bought and configured individually, but the operational half (monitoring the EDR alerts, reading the patch reports, running the restore tests, chasing the DMARC failures) is where DIY security quietly dies. That ongoing operation is the actual product of managed cybersecurity, and it’s included in a proper managed IT agreement rather than bolted on. Our pricing guide shows what that coverage costs.
Want to know which of the ten you’re missing? Book a free assessment and we’ll walk your environment against this exact list, no scare tactics included.
Sources
- Verizon, 2026 Data Breach Investigations Report
- Microsoft, Mandatory multifactor authentication documentation (99.2% figure)
- CISA, Implementing Phishing-Resistant MFA fact sheet
- CISA, Turn On MFA (Secure Our World)
- Google Cloud / Mandiant, M-Trends 2026
- Sophos, State of Ransomware 2026
- Veeam, 2023 Ransomware Trends research announcement
- US-CERT / CISA, Data Backup Options (the 3-2-1 rule)
- IBM, Cost of a Data Breach Report 2025
- FTC, Cybersecurity for Small Business
Frequently asked questions
Start with ten controls: multi-factor authentication, scheduled patching, endpoint detection and response, tested backups following the 3-2-1 rule, email security with SPF, DKIM, and DMARC, a password manager, least-privilege access, security awareness training, same-day offboarding, and a one-page incident response plan. These target the attack paths documented in real breach data.
Very. Microsoft research shows MFA can block more than 99.2% of account compromise attacks. CISA calls phishing-resistant MFA (app-based or hardware keys) the gold standard and says SMS codes should only be a last resort.
Keep three copies of your data, on two different types of media, with one copy offsite. The rule comes from US-CERT guidance and it matters because attackers target backups in the vast majority of ransomware attacks; an offsite, immutable copy is what keeps a bad week from becoming a closed business.
Yes, disproportionately. In the Verizon 2026 Data Breach Investigations Report, about 96% of ransomware victims were small and mid-sized businesses. Attackers automate their scanning, so a 15-person company with an unpatched firewall is exactly as findable as a Fortune 500.
Faster than most companies do. Google's M-Trends 2026 research found exploitation now routinely begins before a patch is even released, and Verizon found only 26% of critical vulnerabilities were fully remediated in 2025. Automated patching within days, not months, is the defensible standard.
Want this handled for you?
Talk to a real engineer about your environment: no sales script, just straight answers.
