Small Business Security Checklist
A plain-English security checklist for accounts, passwords, devices, data access, backups, vendors, and incident response.
Built for: Small businesses that store customer data, payment records, login credentials, or operational documents.

Public guide
A starter security baseline using FTC, CISA, NIST, and SBA guidance.
This page gives you the working version: sequence, checklist, and official resources. The full kit adds prompts, a deeper worksheet, and implementation notes for your inbox.
Keep reading for the public guide, or send the kit when you want the worksheet and prompt pack.
- Reduce obvious account and data risks
- Create an owner-friendly security baseline
- Document what to do when something suspicious happens
- Keep access, devices, and backups from drifting after setup
Run the guide
Work through it in order.
Lock down the basics
Most small businesses need a repeatable baseline before buying advanced security products.
- Turn on multi-factor authentication for email, banking, CRM, website, and ad accounts.
- Use a password manager and remove shared passwords from chats, docs, and spreadsheets.
- List every person with access to customer, payment, website, or ad systems.
- Patch laptops, phones, browsers, website software, and core business apps.
Tighten access changes
Access risk grows when old users and vendors stay connected after the work ends. Make access removal part of the business routine.
- Map each critical account to the people, vendors, devices, and recovery emails attached to it.
- Remove access the same day an employee, contractor, vendor, or tool no longer needs it.
- Check shared inboxes, file folders, ad accounts, website admins, payment tools, and password vaults.
- Verify employment, legal, insurance, regulated-data, and customer-notice questions with the official source or a qualified advisor.
Prepare for the bad day
A simple incident plan reduces panic and helps the business respond faster.
- Write who to call for website, email, banking, legal, insurance, and IT issues.
- Back up critical files and test that one restore actually works.
- Write an offboarding checklist for employees, contractors, and vendors.
- Document how you will notify customers or partners if data may be affected.
Review every quarter
Security baselines decay as staff, devices, vendors, and tools change. A quarterly pass keeps the owner focused on the few controls that matter most.
- Review access for email, banking, website, domain, CRM, ad accounts, payroll, and file storage.
- Test one backup restore and record what worked or failed.
- Confirm devices are patched, still owned, and still allowed to reach business data.
- Update incident contacts, vendor owners, and next review dates.
Final pass
Before you call it done
- MFA enabled
- Password manager in use
- Access list reviewed
- Backups tested
- Incident contacts written
- Offboarding access removed
- Device list checked
- Quarterly review scheduled
Useful resources
Current links to verify the details.
- FTC cybersecurity basicsPlain-language FTC guidance for small businesses.
- CISA small business cyber guidanceFederal cyber guidance for small business leaders.
- NIST CSF 2.0 small business quick startNIST risk-management guide for small and medium businesses.
- SBA strengthen your cybersecuritySBA hub for small business cybersecurity events and resources.
Why this guide exists
Every guide is pulled from a live client engagement. If it is in here, we have run it, measured it, and watched it hold up in the field.
Prefer to walk through it live?
Book a working call. Thirty minutes, mapped to your situation.