
10-Step Cybersecurity Checklist for Small Businesses in 2026

A 10-step cybersecurity checklist for small businesses in 2026: MFA, patching, backups, phishing defence, and the minimum viable security stack that actually works.


Most small business cybersecurity advice is useless. It’s either written for enterprises with a CISO and a seven-figure security budget, or it’s so generic it collapses into “use strong passwords” and walks away. Neither is helpful when you’re running a 12-person business and trying to work out whether the £40-a-month security tool actually does anything.

This checklist is the minimum viable security stack for a UK or US small business in 2026. Not the ideal stack. Not the enterprise-grade stack. The one that would have stopped most of the breaches that actually happened last year — because the UK Government Cyber Security Breaches Survey 2025 shows that 43% of UK businesses experienced a cyber breach or attack in the past 12 months, equating to roughly 612,000 businesses, and the overwhelming majority of those attacks exploited the same small handful of gaps.

Ten items. Ranked in the order you should actually do them. Not alphabetically, not by category — by what stops the most damage for the least money and effort.

1. Turn on multi-factor authentication everywhere it’s offered

If you do nothing else on this list, do this. MFA across all accounts is the single most recommended defensive control against the full range of modern attacks (phishing, ransomware, credential theft, business email compromise), and it’s free on every major platform.

Start with the accounts that would ruin your week if they were compromised: your primary email (Microsoft 365, Google Workspace), your banking portal, your accounting software (Xero, QuickBooks, Sage), any cloud storage (OneDrive, Google Drive, Dropbox), and your domain registrar. Then work outward.

Use an authenticator app rather than SMS codes where possible. SMS-based MFA is better than nothing, but SIM-swap attacks are trivial now. Microsoft Authenticator, Google Authenticator, Authy, or a hardware key like a YubiKey are all meaningfully more secure.

One thing worth internalising: if you tell your cyber insurer you have MFA enabled but it wasn’t actually turned on during the attack, the insurer may deny your claim under the policy’s “failure to follow” clause. Enable it, then verify it’s enabled. Screenshot the admin console if you need to prove compliance later.

2. Get a password manager and use it properly

Passwords are still the front door to most breaches. The fix is straightforward: every account gets a unique, long, randomly generated password, stored in a password manager. Nobody remembers them. The manager handles it.

Bitwarden, 1Password, and Dashlane all work fine for small business use. Bitwarden has a free personal tier and inexpensive business plans; 1Password has better polish and slightly easier onboarding for non-technical staff. Pick one, pay for the business version (you need the audit logs and shared vaults), and get everyone enrolled within 30 days.

The common failure mode here is rolling out the password manager but leaving old weak passwords in place. Don’t do that. When each staff member onboards, have them reset their top 20 account passwords immediately and let the manager generate new ones. The half-measure of “I’ve got a password manager now but I still use Spring2024! for half my accounts” provides approximately zero real protection.

3. Back up everything, and test that the backup actually works

This is the most underrated control on the list. 57% of UK organisations recovered from backups when hit by ransomware in 2025, and UK organisations are now more than three times more likely to recover from backups than pay the ransom. Backups are the difference between “we were offline for two days” and “we went out of business.”

The minimum viable pattern is 3-2-1: three copies of your data, on two different media, with one copy offsite. For a small business, that typically means production data on your main systems, a backup on a local NAS or external drive, and a copy in cloud backup (Backblaze, Acronis, Datto, or similar). For ransomware resilience, at least one of those copies needs to be immutable — meaning that, within the retention window, nothing can overwrite or delete it, not even the backup software itself or an attacker holding its credentials. Ransomware routinely targets backups before encrypting production data, so non-immutable backups are often useless by the time you need them.

For a deeper walkthrough of which backup products actually deliver on ransomware-resistance promises for small business budgets, see our guide on the best backup solutions for small businesses in 2026.

The other half of this step is the part everybody skips: test the restore. A backup you’ve never restored from is a hope, not a backup. Pick a file, restore it to a different machine, verify the contents. Do this quarterly. Write down the date you did it. If this feels like overkill, read any post-mortem from a ransomware victim who discovered their backups hadn’t been running correctly for six months.
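The quarterly restore test above is easy to describe and easy to forget. The script below is an added example for this step, not code from the original article: it hashes the original file and the copy you restored to another machine, records the outcome with a date, and tells you when the last passing test is more than a quarter old. The log file name, the file paths and the sample files are constructed assumptions; the sample files live in a temporary directory so it runs offline.

```python
# Added example: restore-test verification with a dated log (step 3).
# Paths, log name and sample files are constructed for illustration.
import hashlib
import json
import tempfile
from datetime import date, timedelta
from pathlib import Path

RESTORE_LOG = "restore-tests.jsonl"   # assumed log name, one JSON record per test
MAX_TEST_AGE = timedelta(days=92)      # "do this quarterly"

def sha256_of(path):
    """Stream the file so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_restore(original, restored, log_path, today=None):
    """Compare hashes of the source and the restored copy, append a dated record, return it."""
    today = today or date.today()
    record = {
        "date": today.isoformat(),
        "file": str(original),
        "ok": Path(restored).exists() and sha256_of(original) == sha256_of(restored),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record

def last_test_overdue(log_path, today=None):
    """True if there is no passing restore test newer than MAX_TEST_AGE."""
    today = today or date.today()
    path = Path(log_path)
    if not path.exists():
        return True
    records = [json.loads(l) for l in path.read_text().splitlines() if l.strip()]
    passes = [r for r in records if r["ok"]]
    if not passes:
        return True
    newest = max(date.fromisoformat(r["date"]) for r in passes)
    return today - newest > MAX_TEST_AGE

def demo():
    """Constructed sample: one faithful restore, one silently truncated restore."""
    d = Path(tempfile.mkdtemp())
    log = d / RESTORE_LOG
    (d / "ledger.csv").write_bytes(b"date,amount\n2026-01-03,120.00\n")
    (d / "ledger-restored.csv").write_bytes(b"date,amount\n2026-01-03,120.00\n")
    (d / "ledger-truncated.csv").write_bytes(b"date,amount\n")   # backup stopped mid-file
    good = verify_restore(d / "ledger.csv", d / "ledger-restored.csv", log, date(2026, 3, 1))
    bad = verify_restore(d / "ledger.csv", d / "ledger-truncated.csv", log, date(2026, 3, 1))
    # Overdue if checked a quarter-plus later; not overdue one month later.
    return good["ok"], bad["ok"], last_test_overdue(log, date(2026, 7, 1)), last_test_overdue(log, date(2026, 4, 1))
```

Run `demo()` to see the truncated restore fail the hash check while the faithful one passes; the same log drives the "is our last test stale?" question.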

4. Patch everything, on a schedule, without exceptions

Unpatched software is how threat actors get in when your credentials don’t help them. The NCSC has consistently identified unpatched vulnerabilities as a top vector for ransomware attacks against UK organisations, and the grim reality is that most exploited vulnerabilities in small business breaches had patches available months before the attack.

For a small business, the patch policy should be boringly simple:

Enable automatic updates on everything that supports them — Windows, macOS, iOS, Android, your browsers, and your main productivity software. This covers 80% of the risk. For the rest (routers, firewalls, line-of-business apps, NAS devices, printers), schedule a monthly patch review. Put it in the calendar. Thirty minutes, once a month, to log into everything and confirm it’s current.

The mistake to avoid is the “we’ll patch after the next quiet period” approach. The quiet period never arrives, and by the time you patch, there’s a proof-of-concept exploit on GitHub and half the internet is scanning for vulnerable instances. For anything labelled critical or exploited-in-the-wild, patch within 72 hours — do not wait for the monthly cycle.

5. Run decent endpoint protection — not just the built-in basics

Windows Defender has become surprisingly good. For micro-businesses with a handful of laptops and no regulated data, it’s genuinely adequate if kept current. But “adequate” and “what I’d recommend” aren’t the same thing.

For any small business above about 10 people, or handling client data of any sensitivity, you want real endpoint detection and response (EDR) — not just antivirus. The distinction matters: antivirus scans files against known malware signatures; EDR monitors process behaviour, network activity, and credential use in real time, so it catches novel attacks for which no signature has been written yet.

For SMB budgets, the realistic options are Huntress (managed detection layer on top of Microsoft Defender, often the best value), SentinelOne (strong detection, more self-service), Sophos Intercept X, and Bitdefender GravityZone. Expect to pay £5–£15 per endpoint per month depending on tier. If you’re using a managed service provider (MSP), they’ll likely include EDR as part of the bundle — our MSP RMM comparison covers which MSP stacks include which security layers.

What to avoid: free “antivirus” tools that exist primarily to upsell you to the paid version. They tend to be noisy, resource-heavy, and no better than the built-in Windows protection.

6. Train your people — and simulate phishing attacks at least quarterly

Phishing remains the most prevalent and disruptive type of attack, experienced by 85% of businesses that had any breach in 2025. Every other control on this list is layered defence against what happens when phishing succeeds — because it will, eventually, and the question is only whether your systems contain the damage.

Training works, but only the kind that’s interactive and frequent. A one-off 45-minute slide deck during onboarding is close to useless by month three. The pattern that actually reduces click rates is short, frequent, scenario-based training (5–10 minutes, monthly) combined with quarterly simulated phishing tests. Staff who click a simulation get an immediate teaching moment; staff who report it get recognised.

For small business budgets, tools like KnowBe4, Hoxhunt, Proofpoint Security Awareness, and Mimecast Awareness Training all work. Costs run roughly £1–£3 per user per month. Whichever you pick, the key is actually running the simulations — buying the platform and then never sending a test email is a waste.

One thing that isn’t training but should be: make it safe for staff to report mistakes. If someone clicks a phishing link and is terrified of getting in trouble, they’ll hide it, and you’ll discover the breach three weeks later when it’s ten times worse. The culture around “I think I just clicked something bad” matters more than any training module.

7. Lock down email with DMARC, SPF, and DKIM

Most small businesses have never heard of these three acronyms, which is why their domains get spoofed constantly and their legitimate emails land in spam. All three are free, configured at the DNS level (through your domain registrar), and should have been set up the day you registered the domain.

The short version: SPF says which servers are allowed to send email claiming to be from your domain. DKIM cryptographically signs outgoing email so receivers can verify that it came from a server holding your domain’s signing key and wasn’t altered in transit. DMARC tells receivers what to do when an email fails SPF or DKIM checks (reject it, quarantine it, or allow it but report it).

Configuring these once takes maybe an hour if you’ve never done it. Tools like Dmarcian, EasyDMARC, or Cloudflare’s free DMARC reporting will walk you through setup and then monitor your domain for abuse. Once DMARC is in enforcement mode (p=reject), receiving servers that honour DMARC will refuse email that claims to be from your exact domain but fails authentication — which kills an entire category of business email compromise attack (lookalike domains are a separate problem that DMARC does not solve).

If this sounds technical, it is, but it’s a one-off job. Either ask your IT provider to do it, or find a consultant to set it up for a few hundred pounds. The ongoing maintenance is trivial.
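To make step 7 concrete, here is a small checker added for this article (not the original author’s code and not any of the tools above) that parses SPF and DMARC TXT records and reports where a domain falls short of the enforcement baseline described above. The records are constructed samples for a fictional example.com; DKIM is not checked because that needs the selector name, and there is no live DNS lookup, so it runs offline.

```python
# Added example: assess SPF/DMARC TXT records against the step 7 baseline.
# Sample records below are constructed; example.com is a placeholder domain.
import re

def parse_spf(txt):
    """Return SPF terms and the qualifier on 'all' ('-', '~', '?', '+'), or None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    terms = txt.split()[1:]
    qualifier = None
    for term in terms:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"   # bare 'all' means +all (pass everything)
    return {"terms": terms, "all": qualifier}

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; rua=...' into a tag -> value dict, or None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v") == "DMARC1" else None

def assess_domain(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means the domain meets the baseline."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    elif spf["all"] in (None, "+", "?"):
        findings.append(f"SPF: 'all' qualifier is {spf['all']!r}; use -all (or ~all) so unlisted senders fail")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC: policy is p={policy}; move to p=reject once reports show legitimate mail passes")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC: pct={pct}, so the policy applies to only {pct}% of failing mail")
    return findings

# Constructed sample records: a weak pair and the corrected pair.
# spf.protection.outlook.com is the standard Microsoft 365 SPF include.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
```

Calling `assess_domain(WEAK_SPF, WEAK_DMARC)` lists four gaps (neutral `?all`, `p=none`, no reporting address, `pct=50`), while the strong pair returns an empty list.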

8. Get cyber insurance — and actually read the policy

Cyber insurance has changed significantly over the past three years. Premiums stabilised after massive increases from 2020–2023, underwriting got stricter, and the policy wording started mattering much more than the headline limit. For a UK small business, a £1M policy typically costs £500–£2,000 annually depending on industry, revenue, and your security controls.

Two things matter more than price:

First, actually read the technical control requirements. Insurers now mandate specific controls including MFA, endpoint detection and response, privileged access management, and tested backup procedures — missing these basic controls can add 25% to 50% to your premium or disqualify you from coverage entirely. If the policy says “MFA required on all remote access and privileged accounts” and you don’t have it, you’re not really insured — you’re paying premiums for a claim that will be denied.

Second, check what’s actually covered. Policies vary wildly on social engineering fraud (often an add-on rather than included), business interruption calculations, dependent system failure (coverage when a vendor like Microsoft 365 goes down), and ransom payment coverage. The cheapest policy usually has the worst coverage for the attacks you’re most likely to face.

We go much deeper into insurer requirements and pricing factors in our cyber insurance guide for small businesses.

9. Restrict admin access and segment your network

This one takes more effort than the others and is genuinely harder to do in a small business where Bob in accounts is also the IT guy and the HR system admin. But it’s what separates “a contained breach” from “a business-ending breach.”

The rule is simple: nobody has more access than they need to do their job, and critically, nobody uses an admin account for their daily work. Admin accounts should be separate from day-to-day accounts — so if the day-to-day account gets compromised by phishing, the attacker doesn’t automatically own everything.

For your network: separate your guest Wi-Fi from your business network. Separate internet-of-things devices (cameras, printers, smart TVs) from workstations. Most modern business routers support VLANs or guest networks as a built-in feature; UniFi, Meraki, and MikroTik all handle this competently. If you don’t have separation, a compromised smart printer is a foothold into your finance system.

For cloud services: review who has admin rights in Microsoft 365, Google Workspace, and your other critical SaaS every quarter. Former employees, former contractors, and people who’ve changed roles tend to accumulate permissions they no longer need. Prune aggressively.

10. Write an incident response plan before you need one

The last item is the one most small businesses skip, and it’s the one that determines how badly a breach hurts you. Not because the plan itself is some sacred artefact, but because the exercise of writing it forces you to answer questions while you’re calm — questions you really don’t want to be answering in a panic at 2am when production is down.

The minimum plan is one page and answers:

  • Who gets called first when something goes wrong? (Name, mobile, backup contact.)
  • Who’s authorised to take systems offline? (This matters — if nobody has authority, decisions don’t get made.)
  • What’s your insurer’s incident hotline? (Call them before you call anyone else — they often require it, and they have IR firms on retainer.)
  • Who’s your ICO (or relevant data protection authority) notification contact? (UK: 72 hours to notify for personal data breaches.)
  • Where are your offline backups? (Offline, meaning: not reachable by the thing that’s currently encrypting everything.)
  • Who talks to customers, staff, and press?

Stick the plan somewhere accessible that isn’t on your corporate network. A printed copy in the office safe, a document in a personal email account, a page in a shared password manager. It sounds paranoid until you realise that during an active ransomware attack, you may not have access to your own systems.

The deeper version of this — a proper 72-hour response playbook with tabletop exercises — becomes more important as you grow. For now, the one-page version is enough, and dramatically better than nothing.

A note on what’s not on this list

You’ll see more elaborate checklists with 25 or 40 items. Most of the additions are either enterprise controls that don’t make sense at small business scale (full SIEM deployment, dedicated 24/7 SOC, zero-trust network architecture), or they’re subcategories of things on this list dressed up as separate items. If you’ve done the ten above, you’ve covered roughly 90% of the attack surface that small businesses actually face.

The two areas worth flagging as near-future additions: AI-specific controls for staff using tools like ChatGPT with business data (shadow AI is a real and growing risk), and post-quantum cryptography preparedness for anything you’ll still be using in 2030. The latter is still primarily an enterprise concern but it’s worth reading our post-quantum roadmap to understand the timeline.

For UK businesses specifically, there’s one other thing worth considering: Cyber Essentials certification. It’s essentially this checklist, audited and certified by an accredited body — useful for winning government contracts and often a discount-earning control on cyber insurance quotes. We cover the path from self-assessment to Cyber Essentials Plus in our UK Cyber Essentials guide.

Frequently asked questions

How much should a small business spend on cybersecurity?

Realistic spend for a small business implementing this checklist is £40–£100 per employee per month, all-in, including endpoint protection, password manager, backup, cyber insurance, and security awareness training. For a 10-person business, that’s roughly £5,000–£12,000 per year. Compare against the average cost to a UK small business of a single breach, which runs £4,200 in direct costs alone, with the true cost often considerably higher once lost time, lost customers, and reputation damage are factored in.

Do I really need all ten of these, or can I skip some?

Items 1–5 are non-negotiable — MFA, password manager, backup, patching, endpoint protection. Items 6–10 scale with business size and risk. A sole trader with no employees doesn’t need quarterly phishing simulations; a 30-person professional services firm absolutely does. Cyber insurance makes more sense as revenue grows.

Is antivirus enough, or do I need EDR?

For a business of fewer than five people with no regulated data, good antivirus (even Windows Defender, kept current) is probably sufficient. Above that, or for anyone handling client financial or health data, EDR is the right call. The gap between the two matters most during a novel attack that doesn’t match existing signatures.

What about compliance frameworks — Cyber Essentials, ISO 27001, SOC 2?

These aren’t substitutes for this checklist; they’re more formal versions of it. Cyber Essentials is the UK baseline and is genuinely useful for small businesses. ISO 27001 and SOC 2 are substantially more work and generally only worthwhile if clients are demanding them. If you’re implementing this checklist well, you’re already 70% of the way to Cyber Essentials certification.

How often should I review this checklist?

Treat the control state as a running review. Monthly: confirm patches are current, confirm backups are running. Quarterly: review admin access, test a backup restore, run a phishing simulation. Annually: renew cyber insurance, review the incident response plan, audit password manager coverage. The goal is that none of this becomes a once-a-year scramble — it should be ongoing background hygiene.