Skip to content
Security60 minutesStarter

Small Business Security Checklist

A plain-English security checklist for accounts, passwords, devices, data access, backups, vendors, and incident response.

Built for: Small businesses that store customer data, payment records, login credentials, or operational documents.

Small business security checklist with laptop lock screen, account controls, keys, and review notes.

Public guide

A starter security baseline using FTC, CISA, NIST, and SBA guidance.

This page gives you the working version: sequence, checklist, and official resources. The full kit adds prompts, a deeper worksheet, and implementation notes for your inbox.

Get the full kit

Keep reading for the public guide, or send the kit when you want the worksheet and prompt pack.

  • Reduce obvious account and data risks
  • Create an owner-friendly security baseline
  • Document what to do when something suspicious happens
  • Keep access, devices, and backups from drifting after setup

Run the guide

Work through it in order.

01

Lock down the basics

Most small businesses need a repeatable baseline before buying advanced security products.

  • Turn on multi-factor authentication for email, banking, CRM, website, and ad accounts.
  • Use a password manager and remove shared passwords from chats, docs, and spreadsheets.
  • List every person with access to customer, payment, website, or ad systems.
  • Patch laptops, phones, browsers, website software, and core business apps.
02

Tighten access changes

Access risk grows when old users and vendors stay connected after the work ends. Make access removal part of the business routine.

  • Map each critical account to the people, vendors, devices, and recovery emails attached to it.
  • Remove access the same day an employee, contractor, vendor, or tool no longer needs it.
  • Check shared inboxes, file folders, ad accounts, website admins, payment tools, and password vaults.
  • Verify employment, legal, insurance, regulated-data, and customer-notice questions with the official source or a qualified advisor.
03

Prepare for the bad day

A simple incident plan reduces panic and helps the business respond faster.

  • Write who to call for website, email, banking, legal, insurance, and IT issues.
  • Back up critical files and test that one restore actually works.
  • Write an offboarding checklist for employees, contractors, and vendors.
  • Document how you will notify customers or partners if data may be affected.
04

Review every quarter

Security baselines decay as staff, devices, vendors, and tools change. A quarterly pass keeps the owner focused on the few controls that matter most.

  • Review access for email, banking, website, domain, CRM, ad accounts, payroll, and file storage.
  • Test one backup restore and record what worked or failed.
  • Confirm devices are patched, still owned, and still allowed to reach business data.
  • Update incident contacts, vendor owners, and next review dates.

Final pass

Before you call it done

  • MFA enabled
  • Password manager in use
  • Access list reviewed
  • Backups tested
  • Incident contacts written
  • Offboarding access removed
  • Device list checked
  • Quarterly review scheduled

Why this guide exists

Every guide is pulled from a live client engagement. If it is in here, we have run it, measured it, and watched it hold up in the field.

Prefer to walk through it live?

Book a working call. Thirty minutes, mapped to your situation.