
The 11-Point IT Security Checklist for Small Businesses

Data hacking trends are making IT security for small business more critical.

Large data breaches at corporations make headlines just about every month. But small businesses have become the favorite target of hackers. We created this security checklist for small businesses like yours to fight back.

Use these security best practices to enhance your business’s resilience against cyber threats and productivity-killing IT issues.

Did you hear about Hennepin County’s email system being hacked (or any large data breach, really) and thought:

“That’s a huge organization. My business is too small for hackers to bother with.”

Trust me, hackers welcome that kind of thinking.

According to Verizon’s 2023 Data Breach Investigations Report, 55% of small organizations experienced a data breach in 2022. It’s easy to see why: most small businesses don’t have the security resources or expertise of large organizations, so they’re more vulnerable.

Here’s more from the Verizon report that is significant for small business owners:

[Figure: findings from the Verizon report that are significant for small business owners; image not reproduced here.]

Over the years of working with our small business clients, Teal has put together the following cybersecurity checklist.

Some of this may seem overly technical. Whether in-house IT staff or an outside IT security specialist helps you, the following issues should be addressed at least once per year.

Protect Your Small Business with These IT Security Best Practices

1. Scan network firewall and update security subscriptions.

Basically, a firewall is a set of rules that dictates which types of traffic are allowed into and out of your network.

  • Check the rules for exposures such as Remote Desktop Protocol (RDP) traffic allowed to certain servers or internal computers, and unencrypted traffic allowed to internal web servers or phone systems.
  • Keep your firewall’s security subscriptions up to date so it can inspect inbound and outbound traffic and block known-bad traffic.

2. Review user accounts and security groups.

Hackers gain access to networks through inactive accounts, which they often find by searching LinkedIn or other social networks for people who have recently left organizations.

  • Check all user accounts and disable any that are no longer active.
  • Review your “security groups” — groups of users who have the same permissions and access to network resources — and make any necessary changes.
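As an added example (not from the original article), this PowerShell lists Active Directory user accounts with no logon in 90 days, exports them for review, and disables them with -WhatIf so nothing changes until you remove that switch. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine; the 90-day window and the CSV path are assumptions.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and an account allowed to disable users; the 90-day window
# and the report path are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90
$ReportPath   = '.\stale-accounts.csv'

# Enabled user accounts with no logon inside the window. LastLogonDate comes
# from a replicated attribute that can lag by up to about 14 days, so treat
# the result as a review list, not a verdict.
$Stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, Name, LastLogonDate, DistinguishedName

# Review first: service accounts and staff on long leave are common false positives.
$Stale | Sort-Object LastLogonDate | Format-Table SamAccountName, Name, LastLogonDate -AutoSize
$Stale | Export-Csv -Path $ReportPath -NoTypeInformation

# Disable rather than delete, so group memberships and mailboxes can still be
# reviewed. -WhatIf only reports; remove it once the list has been checked.
foreach ($acct in $Stale) {
    Disable-ADAccount -Identity $acct.SamAccountName -WhatIf
    Set-ADUser -Identity $acct.SamAccountName `
        -Description ('Disabled {0:yyyy-MM-dd}: no logon in {1}+ days' -f (Get-Date), $InactiveDays) -WhatIf
}
```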

3. Run domain name system (DNS) lookup.

DNS is something like the web’s phone book, storing the mapping between domain names and IP addresses.

  • Run a DNS lookup on your domain and make sure it has an SPF record. SPF tells receiving mail servers which servers are allowed to send email for your domain, which guards against spam and phishing emails that use “spoofing” to mislead the recipient about where the email came from.
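As an added example that is not from the original article, this PowerShell function pulls a domain’s SPF record with Resolve-DnsName and flags the common mistakes (no record, more than one record, a soft-fail or pass-all ending, too many DNS-lookup terms). It assumes Windows 8 / Server 2012 or later for Resolve-DnsName; “example.com” is a placeholder for your own domain.

```powershell
# Added example, not from the original article. Assumes Resolve-DnsName
# (Windows 8+/Server 2012+); 'example.com' is a placeholder domain.
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Domain)

    # SPF is published as a TXT record; ignore unrelated TXT entries (site-verification tokens etc.)
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' }
    $spf = @($txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -match '^v=spf1\b' })

    $result = [ordered]@{ Domain = $Domain; Record = $null; Status = 'FAIL'; Notes = @() }

    if ($spf.Count -eq 0) {
        $result.Notes += 'No SPF record: receivers cannot tell spoofed mail from yours.'
    } elseif ($spf.Count -gt 1) {
        $result.Notes += 'More than one SPF record: receivers treat this as a permanent error (RFC 7208).'
    } else {
        $result.Record = $spf[0]
        $terms = $spf[0] -split '\s+'
        $all = $terms | Where-Object { $_ -match '^[-~+?]?all$' } | Select-Object -Last 1
        switch -Regex ($all) {
            '^-all$'   { $result.Status = 'OK';   $result.Notes += 'Hard fail (-all): unlisted senders are rejected.' }
            '^~all$'   { $result.Status = 'WARN'; $result.Notes += 'Soft fail (~all): spoofed mail is marked, not rejected.' }
            '^\+?all$' { $result.Notes += 'Pass-all (+all): any sender is allowed, which is worse than no record.' }
            default    { $result.Status = 'WARN'; $result.Notes += 'No "all" term: unlisted senders get a neutral result.' }
        }
        # Each include:, a, mx, ptr, exists: and redirect= term costs a DNS lookup;
        # more than 10 makes receivers return a permanent error.
        $lookups = @($terms | Where-Object { $_ -match '^[-~+?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)' }).Count
        if ($lookups -gt 10) { $result.Status = 'FAIL'; $result.Notes += "$lookups DNS-lookup terms exceed the limit of 10." }
    }
    [pscustomobject]$result
}

Test-SpfRecord -Domain 'example.com' | Format-List
```

If the record passes, pair it with DKIM and a DMARC policy so receivers know what to do with mail that fails the check.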

4. Activate group policy lockout.

A “brute-force” login is an attack in which a hacker tries many user ID and password combinations to get onto your network. Certain tools let attackers try those combinations in quick succession.

  • Activate the setting that locks out accounts after a certain number of failed attempts within a certain period.

5. Enable two-factor authentication (2FA) wherever possible.

2FA adds a second layer of security to passwords, to make it more difficult for attackers to gain access to a network or a device. For example, in addition to entering a password on a laptop, a user is required to enter a code that’s texted to the user’s cellphone, or provided by an app.  

  • Make sure you’re protecting your email account with 2FA – Office 365 and Gmail support this. 
  • Audit your online accounts and turn on 2FA for any that support it. (Twofactorauth.org will show you those that do.) 

6. Review/replace vulnerable legacy software and hardware.

Older software and hardware are more vulnerable to security breaches than newer equipment. A typical example is an old desktop PC running Windows XP and an outdated version of Adobe software, kept solely to drive a printer.

  • Review any older software and hardware that is still connected to your network, and apply security patches and other updates if they haven’t installed automatically.
  • Replace anything that’s no longer supported by the manufacturer.

7. Activate Windows 10 BitLocker.

Encrypting your users’ PC hard drives protects their contents if a machine is stolen or lost. It also helps you fully erase data from hardware that you’re getting rid of.

  • Turn on Windows 10 BitLocker (a free feature of Windows 10 Pro), which requires an admin account. 
  • Make sure your BitLocker Recovery Keys are backed up!
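As an added example that is not from the original article, this PowerShell turns on BitLocker for the system drive with a TPM protector, adds a recovery password, backs that password up, and verifies the result. It assumes an elevated session on Windows 10 Pro or Enterprise and that “C:” is the OS drive.

```powershell
# Added example, not from the original article. Run as administrator on
# Windows 10 Pro/Enterprise; 'C:' is assumed to be the OS drive.
$Drive = 'C:'

# Add the recovery password first: it is what unlocks the drive if the TPM is
# cleared, the motherboard is replaced, or the disk moves to another machine.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# The TPM unlocks the drive at boot without a user prompt.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# Back the recovery password up somewhere that survives the loss of this PC.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    # Active Directory domain (needs the "Store BitLocker recovery information in AD DS" policy)
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId
} else {
    # Azure AD / Entra ID joined device
    BackupToAAD-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId
}

# The 48-digit value itself is $rp.RecoveryPassword; print it only when you
# are recording it in an offline, access-controlled location.

# Verify: protection on, encryption running or complete, and both protectors present.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```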

8. Check your data backup.

This may be the most critical security measure, because if everything else fails, you’ll be able to scrub your network and devices and restore your data. Use the 3-2-1 backup rule (three copies of your data, on two different kinds of media, with one copy off site) to prevent extensive downtime.

You should be able to answer “yes” to these questions:  

  • Is your backup an automatic process? 
  • Have you performed a restore recently? 
  • Is the backup data encrypted? 
  • Does your backup copy data off site every day? 

9. Install business-grade endpoint security software.

Every desktop, laptop, and mobile device your employees use to connect to your network is an “endpoint” — and a potential security risk.  

  • If you haven’t already, install a business-grade endpoint security product, not just an antivirus program, to protect all your systems.
  • In addition to endpoint security software installed on your network, each remote device must have corresponding software installed and updated regularly.

10. Conduct security awareness training and testing.

Keeping your business’s network and data secure is as much about people as it is about controls, settings and processes.  

  • Schedule regular security training for managers and employees. It’s smart to train new hires, but too often that’s the last security training they receive (until it’s too late). 
  • Test the training. For example, consider a training/testing program such as KnowBe4’s simulated phishing program.

11. Establish and enforce password policy.

Password habits die hard, so weak passwords remain a primary security risk. Hackers know all the tricks for creating easily memorized passwords, like using a row or column of keys on a keyboard. And they have software that finds these passwords in no time.  

  • Review your network users’ passwords, and if they’re weak or short, reset them. 
  • Use your operating system’s password enforcement settings to prevent users from creating weak passwords. 
  • Require passwords to be reset periodically, but not too often (annually is generally fine). Users who must come up with a new password every couple of months, for example, might try to keep passwords mostly the same by changing one or two characters. Or they might store their passwords somewhere off your network, probably on a less secure device or in a private email account.
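One block serves items 4 and 11, as an added example that is not from the original article: it sets the domain’s lockout threshold and password rules with the ActiveDirectory module, then reads the effective policy back and lists currently locked-out accounts. “contoso.local” and the specific thresholds are assumptions; pick values that match your own policy.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module and Domain Admin rights; the domain name and thresholds are assumptions.
Import-Module ActiveDirectory
$Domain = 'contoso.local'

$Policy = @{
    Identity                    = $Domain
    # Item 4: lockout
    LockoutThreshold            = 10                          # failed attempts before lockout
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)  # window in which failures are counted
    LockoutDuration             = (New-TimeSpan -Minutes 15)  # auto-unlock; 0 would require an admin
    # Item 11: password rules
    MinPasswordLength           = 14                          # length beats forced rotation
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24                          # blocks "change one character and reuse"
    MaxPasswordAge              = (New-TimeSpan -Days 365)    # annual reset, as item 11 suggests
    MinPasswordAge              = (New-TimeSpan -Days 1)      # stops cycling straight back to the old one
    ReversibleEncryptionEnabled = $false                      # never store recoverable passwords
}
Set-ADDefaultDomainPasswordPolicy @Policy

# Read the effective policy back to confirm it applied.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration,
        MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge

# Accounts currently locked out: a cluster of these is an early sign of a brute-force attempt.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

On a stand-alone PC without a domain, the same settings live in Local Security Policy (secpol.msc) under Account Policies.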

How to Use This IT Security Checklist: Next Steps

Tech people. We do love checklists, don’t we? But in this case, I’m not expecting you to go through this list and check off each item as you knock it down, badda bing, badda boom. Here’s what you can do with this information.

If you know what you’re doing, get these actions on a calendar now.

If you or an internal IT staffer has the ability and administrative access to take care of these items, or some of them, put a due date on your calendar now for each item you plan to address.

Hire an outside firm to handle what you can’t.

If you don’t have the knowledge or resources to address any of this, consider getting a professional IT security audit. You can use the checklist as a guide to see whether the auditors address each of these areas. Or if you already have an IT support firm in place, hand off this IT security checklist and let ’em at it.

Stay vigilant.

Perhaps the most important to-do for the checklist is to update it regularly. Computer technology and fraud threats change rapidly — your IT security program needs to evolve with them. Your small business doesn’t have to be a pushover for cyber criminals. They’re just like many other kinds of thieves: If you put some basic protections in place, they’ll move on to easier targets.
