Small business cybersecurity is no longer optional. Attackers increasingly target smaller organisations precisely because they often have weaker defences — yet the protections that make the biggest difference are practical and affordable. This checklist covers the essentials every small business should have in place, and how to build them into a lasting security baseline.
Why small businesses are targeted
Smaller firms hold valuable data — customer records, payment details, logins — but frequently lack dedicated security staff. Most attacks are not personal: automated tools scan the internet indiscriminately for known weaknesses, then exploit whatever they find. That makes “we’re too small to be a target” one of the most dangerous assumptions a business can make. The cost of an incident — downtime, recovery, lost trust — is often far higher for a small business that cannot easily absorb it.
The essential cybersecurity checklist
1. Strong authentication
Enforce multi-factor authentication (MFA) everywhere it is available, especially on email, banking and remote access. Use a password manager so staff can have unique, strong passwords without memorising them. Most account breaches start with a stolen or reused password — MFA stops the majority of them.
2. Keep everything patched
Apply security updates promptly to operating systems, applications, browsers and devices. Turn on automatic updates where you can. Unpatched software is one of the most common ways attackers get in.
3. Reliable, tested backups
Keep regular, off-site (or cloud) backups, and — crucially — test that you can actually restore them. Follow the 3-2-1 rule: three copies, on two types of media, with one off-site. Good backups are your best defence against ransomware.
4. Endpoint protection
Run reputable, centrally managed anti-malware on every device, including laptops and mobiles. Centralised management means you can see threats and respond across the whole business, not device by device.
5. Email and phishing defences
Email is the most common entry point. Use spam and phishing filtering, and be cautious with attachments and links. Pair the technology with awareness so staff can spot what slips through.
6. Train your people
Most incidents involve human error. Brief, regular training on phishing, passwords and safe practices dramatically reduces risk — and costs very little.
7. Control access
Give staff only the access they need (the principle of least privilege), and remove it promptly when roles change or people leave. Limit who has administrator rights.
Build a security baseline
Frameworks like the UK’s Cyber Essentials provide a practical baseline that covers most of the above, and certification signals trust to customers and partners. Start with a security review to find your gaps, fix the highest-risk issues first, then maintain the standard over time rather than treating security as a one-off project.
Frequently asked questions
What is the most important cybersecurity step for a small business?
If you do only one thing, turn on multi-factor authentication everywhere — especially email. It blocks the large majority of account-takeover attacks at very little cost.
How much should a small business spend on cybersecurity?
There is no fixed figure, but the essentials in this checklist are mostly low-cost or built into tools you already pay for. The aim is to reduce the most likely risks first, not to buy everything.
Do we need cyber insurance?
Cyber insurance can help cover the cost of an incident, but insurers increasingly expect basic protections (like MFA and backups) to be in place first. It complements good security — it does not replace it.
What should we do if we are breached?
Contain it (disconnect affected systems), preserve evidence, restore from clean backups, and seek expert help. Having a simple incident response plan written down in advance saves critical time.
Get help from Progressive Robot
We help small and growing businesses put the right protections in place without enterprise complexity — from assessments and Cyber Essentials to ongoing monitoring. Explore our IT solutions and services or get in touch for a security review.
