2023 Small Business Cybersecurity Checklist

November 9, 2022

Why do SMBs need a cybersecurity plan?

In a world where cybercrime never sleeps, organizations need an “always on” cybersecurity plan. And for small-to-medium businesses (SMBs), the need is even greater because cybercriminals have significantly increased their focus on smaller organizations in recent years. Between 2021 and 2022, there was nearly a 200% increase in incidents targeting organizations with fewer than 1,000 employees.[1]

The good news for SMBs is that establishing a strong security posture is within reach. Our cybersecurity checklist will help you uncover any risk areas and identify opportunities for improving the security of your operations.

Most Common Cyber Threats to SMBs

Before diving into the checklist, it’s important to understand what you’re trying to keep at bay in the first place. The cyber threat landscape is vast, so it’s probably no surprise that SMBs need to safeguard against the same attacks, and many of the same attack “flavors,” that also threaten larger organizations. For SMBs in particular, some of the most common cybersecurity threats of 2022 include:

Yet, unlike their larger counterparts, when an SMB is hit by ransomware, malware or a data breach, for example, the impact on the business can be much greater and far more damaging. Notably, the average cost of a data breach for small businesses is $2.98 million.[3]

Learn More

Small businesses are often easy prey for cybercriminals on the hunt for sensitive business data and customer information. With CrowdStrike, you get enterprise-level protection and support at a price you can afford – because every SMB deserves protection, regardless of headcount. View: Cybersecurity solutions for SMBs

Now, on to your cybersecurity checklist.

Small Business Cybersecurity Checklist

  1. Understand Your Environment
  2. Train Employees
  3. Implement Security Defenses
  4. Maintain Good IT Security Hygiene
  5. Prepare a Response Plan


Understand Your Environment

The end game for cybercriminals is to gain access to your high-value data. It goes for a pretty penny in dark web marketplaces, so it’s important to take stock of your environment to understand the various devices and systems you have in place and where your valuable data resides.


Expect a breach


Knowing your environment well and preparing for a breach gives you a much better “leg up” to react quickly if a successful attack occurs. In this case, the old adage holds true: hope for the best, plan for the worst.

An important factor for your planning: your speed to respond. This is essential because attack velocity (i.e., the speed of the attack) is increasing while the time it takes the attacker to steal the desired data is decreasing. For example, it takes an independent cybercriminal only 9.5 hours to obtain illicit access to a target’s network.[4]


Evaluate your device, facility and network landscape


Data breaches can arise from cybercriminals taking advantage of unaware employees or using charm to manipulate a person’s courteous nature to gain access to facilities. Train your employees to lock and physically secure their sensitive documents and computer files. Likewise, encourage good safety practices for your corporate devices and laptops; these can be easily stolen if they’re left unattended. Desktops and servers located in open, public areas or in offices that are unattended and unlocked can also be easily taken.

Expert Tip

Improper document disposal accounts for 14% of data breaches caused by physical attacks.[5]


Identify your IT security resources


Keeping an organization’s infrastructure up and running securely requires a good deal of time and expertise. It’s important to assess your current resources to determine whether you have any gaps in knowledge or manpower. If you’re feeling stretched thin, you’re not alone. Two-thirds (67%) of companies report that a skills shortage is creating additional cyber risk for the organization.[6]

If cybersecurity is on your never-ending “to do” list that you can’t get to, it’s probably a good sign that it’s time to get more help, whether that’s to hire additional in-house staff or outsource your IT security resources to a managed service provider.


Train Employees

Employees are a company’s best asset but, often, the weakest link in protecting against cyber threats. The human element (e.g., falling for phishing, clicking on a link or simple human error) continues to drive security incidents, contributing to 82% of breaches in 2022.[7] Here are some best practices to put in place to support your employees.


Provide security awareness training


Your employee base can be your greatest ally and resource in protecting your company from cyber threats. That’s why 36% of organizations are planning to provide more security training as part of their talent and technology investments.[8]

Closing your employees’ knowledge gap by providing training on security best practices will mitigate this risk and empower your users to become an active part of your organization’s security defense.


Create and enforce strong passwords


It’s vitally important to use strong passwords for your organization’s router or firewall devices. The last thing you want is for a hacker to gain access to your entire network and all of the files and data within it. Using and enforcing strong password practices with your users is also essential to prevent unauthorized access to your software-as-a-service (SaaS) applications, laptops and devices.

Your policy should require lengthy and complex passwords that use a variety of characters. Left to their own devices, 66% of people reuse the same password across multiple accounts, so require that your employees use unique passwords that aren’t recycled. One way to boost the effectiveness of your password program is to require that passwords be updated every 90 days.
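To make the policy above checkable, here is an added Python example (not code from the original post or from CrowdStrike) that audits a constructed credential inventory against those rules: minimum length and character variety (the page sets no specific numbers, so 14 characters and 3 character classes are assumed), no reuse across a user’s accounts, and a 90-day maximum age.

```python
import hashlib
from datetime import date, timedelta

# Thresholds for the checklist's policy. The page gives no minimum length,
# so 14 characters and 3 of the 4 character classes are assumed values.
MIN_LENGTH = 14
MIN_CLASSES = 3
MAX_AGE = timedelta(days=90)
CHAR_CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())

def fingerprint(password):
    """Unsalted hash used only to spot the same password on two accounts (not a credential store)."""
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(password, last_changed, today, other_fingerprints=()):
    """Return the policy violations for one credential (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(1 for is_class in CHAR_CLASSES if any(is_class(c) for c in password))
    if classes < MIN_CLASSES:
        problems.append("fewer than %d character types" % MIN_CLASSES)
    if today - last_changed > MAX_AGE:
        problems.append("not changed in %d days" % MAX_AGE.days)
    if fingerprint(password) in other_fingerprints:
        problems.append("reused on another account")
    return problems

def audit(inventory, today):
    """Audit every credential; returns {(user, account): [violations]} for those that fail."""
    by_user = {}  # user -> [(account, fingerprint)] so reuse is checked per user
    for cred in inventory:
        by_user.setdefault(cred["user"], []).append((cred["account"], fingerprint(cred["password"])))
    report = {}
    for cred in inventory:
        others = [fp for acct, fp in by_user[cred["user"]] if acct != cred["account"]]
        problems = check_password(cred["password"], cred["last_changed"], today, others)
        if problems:
            report[(cred["user"], cred["account"])] = problems
    return report

# Constructed sample inventory (not real credentials); TODAY is the post's publication date.
SAMPLE_INVENTORY = [
    {"user": "alice", "account": "crm", "password": "Tr0ub4dor&3xample!", "last_changed": date(2022, 10, 1)},
    {"user": "alice", "account": "email", "password": "Tr0ub4dor&3xample!", "last_changed": date(2022, 10, 1)},
    {"user": "bob", "account": "router", "password": "admin123", "last_changed": date(2022, 1, 15)},
    {"user": "carol", "account": "laptop", "password": "correct-Horse-battery-9", "last_changed": date(2022, 9, 20)},
]
TODAY = date(2022, 11, 9)
```

Running `audit(SAMPLE_INVENTORY, TODAY)` flags alice’s two accounts for reuse and bob’s router password on all three remaining rules, while carol’s credential passes.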


Create, enforce and continuously update a personnel security policy


If there’s one thing that’s consistent in any organization, it’s change — with employees coming, going and moving into new roles within the company. Putting a security policy in place will help align your ever-changing personnel on the expected rules and behavior to follow for meeting minimum IT security and data protection requirements.

Learn More

Looking to better educate your team about common security risks, promote responsible online behavior and outline steps to take when an attack may be in progress? Read: How to create an employee cybersecurity awareness training program


Implement Security Defenses

Security technologies will give you a great defense to safeguard against the many attack vectors bad actors use. While the right tools can become highly customized depending on your specific environment, there are some universal items to include on your checklist:


Install multifactor authentication


Multi-factor authentication (MFA) is a powerful way to enhance your organization’s security by requiring your users to identify themselves with more than a username and password. Usernames and passwords (and good password practices) are important, but on their own they are not a failsafe against suspicious login activity. That’s why 46% of SMBs (and growing) have adopted MFA.[9]

When you adopt MFA, your users will be asked to provide another “factor” in addition to their passwords, like a PIN or a mobile push notification on their smartphone, which significantly increases the assurance that the person attempting to log in is really who they say they are. According to Microsoft, MFA can prevent 99.9% of attacks on your accounts.[10]


Determine how many layers of security to implement


Layered security is the concept of using multiple security components (or layers) to protect your organization’s infrastructure. The purpose of this best practice approach is to ensure that each individual security component has a backup if it doesn’t detect a threat. For example, if a phishing email gets past an email security technology and a user clicks on a malicious URL within the email, your endpoint security product would provide another security layer to stop the threat and protect your organization.

Every layer of additional protection matters. Depending on your environment setup, most organizations’ layers should include a firewall, patch management, endpoint protection, web and email content filtering, and multi-factor authentication. Determine which of these is missing from your layered security strategy and plan to adopt the appropriate ones that support your IT environment.


Implement employee access limitations to data and software installations


As a best practice, you should limit who has access to your organization’s high-value data. Putting an access control policy in place will help you establish guidelines that outline who can access data and resources for your business. You’ll also want to limit access to software installations; for example, only certain users should have access to applications like your customer relationship management (CRM) software that includes your customer contact details.

Implementing role-based access control (RBAC) will help you enforce data and software access to only your authorized users. In short, RBAC lets you give employees access to only the data, tasks and applications that are necessary for their job function and role.


Install antivirus software across all devices


Protecting your desktops, laptops and users’ mobile devices (collectively known as your endpoints) from malware, ransomware and other threats has always been an important security practice. With today’s large remote and hybrid workforce, adopting antivirus software, often referred to as endpoint protection, is now more critical than ever. That’s because your endpoints can serve as doorways for cybercriminals to gain access to a company’s network.

Expert Tip

Antivirus technology is the first line of defense against threats like malware and ransomware. CrowdStrike’s antivirus solution activates in minutes with 24/7 coverage for your small business. Get award-winning antivirus for SMBs


Maintain Good IT Security Hygiene


Continuously back up data


In the event of a successful cyberattack, backups often serve as an organization’s “get out of jail free” card — meaning, the damage can be undone by restoring the impacted machine or systems to the latest backup.

Having regular and reliable data backups is an important IT practice for SMBs to adopt. It can prevent long-term damage from lost data due to a security incident, an accidental deletion or a natural disaster. Data backups ensure you have a complete copy of your systems ready to restore, no matter why the data loss occurred.


Update software and patch systems


SMBs must be ready to act quickly during the small window between the discovery of a new flaw in software, hardware or firmware and the release of an exploit that leverages that flaw. Why? Because 60% of breach victims said they were breached through a known vulnerability whose patch had not been applied.[11]

Patch management is the cornerstone for your vulnerability management plan. Ensure you have a strong patch management process that’s always on and connected to provide the visibility you need into which patches are high priority and require immediate deployment to your impacted systems.


Prepare a Response Plan

In the event of a successful attack, having a plan in place will help you act quickly and efficiently to involve the right people, take the necessary actions and mitigate the damage.


Establish an incident response plan leveraging the NIST framework


When it comes to incident response and having a foundation on which to build your plan, the National Institute of Standards and Technology (NIST) provides a solid framework for SMBs to follow. It contains four phases of the incident response lifecycle:

  •   Step #1: Preparation
  •   Step #2: Detection and Analysis
  •   Step #3: Containment, Eradication and Recovery
  •   Step #4: Post-Incident Activity

In terms of executing on your plan, speed is of great importance for detecting and containing a successful attack. That’s because once an attack is isolated (perhaps by disconnecting an impacted machine from the network) you’ll create some helpful breathing room to coordinate and deliver on the rest of your response.

Does your business check all of the boxes? Speak with a cybersecurity expert today to learn more.

Talk with an expert


[1] Verizon. Data Breach Investigations Report. 2022.
[2] Forbes. Most Common Cyber Security Threats In 2022. August 2022.
[3] IBM. Cost of a Data Breach. 2021.
[4] Forbes. The Importance of Time And Speed In Cybersecurity. 2021.
[5] ITRC. Annual Data Breach Report. 2020.
[7] Verizon. Data Breach Investigations Report. 2022.
[8] (ISC)². The (ISC)² Cybersecurity Workforce Study. 2021.
[9] TechRepublic. SMBs are behind in adopting multi-factor authentication. July 2022.
[10] PingIdentity. 8 Benefits of Multi-Factor Authentication (MFA). October 2021.
[11] Ponemon Institute. Costs and Consequences of Gaps in Vulnerability Response. 2019.