Checklist
SMB Security Checklist
A practical checklist of controls for businesses with 1–50 employees. Covers identity, endpoints, backups, phishing, and documentation — no dedicated IT team required.
How to use this
Work through each category with your IT vendor or in-house contact. For any item you can't confirm with documented evidence — a screenshot, a report, a log — treat it as a gap. The goal isn't to pass a test. It's to know what you actually have.
Identity & Access
CriticalMFA enforced on email — M365 or Google Workspace — not just offered as optional
A user who can log in without MFA is an unmitigated risk. Conditional Access or equivalent must block logins without a second factor.
MFA enforced on any remote access: VPN, RDP, remote management tools
Remote access without MFA is the most common ransomware entry point. If someone can get in from outside without a second factor, they will.
Admin accounts are separate from daily-use accounts
Privileged access used for email creates an avenue for attackers who compromise an email session to gain admin rights.
Offboarded employees removed from all systems within 24 hours of departure
Dormant accounts are credential risks. Define a checklist: email, VPN, shared passwords, cloud services.
Shared passwords documented and stored in a password manager, not a spreadsheet or sticky note
Endpoints
CriticalAll workstations have endpoint protection with behavioral detection (not just antivirus)
Traditional signature-based antivirus misses most modern attacks. EDR tools that monitor process behavior catch what antivirus doesn't.
Device inventory exists — every machine on the network is known and assigned
Devices you don't know about don't get patched. Unpatched devices are the most common ransomware entry point.
OS and software patches applied within 30 days of release
A patch management report from your IT vendor showing last-patch dates is what your insurer will ask for.
Automatic screen lock configured on all devices
Unattended workstations in professional services environments are a physical access risk.
Personal devices accessing company email or data are covered by a mobile device policy
Backups
CriticalAll critical data is backed up at least daily
RPO (recovery point objective) matters: how much data can you afford to lose? Daily is the minimum for most professional services firms.
Backups are stored offsite or in the cloud — not only on the same network as the original data
Ransomware encrypts what it can reach. On-site-only backups are frequently encrypted alongside the production data.
Backup immutability is configured — data cannot be modified or deleted for the retention period
Immutable backups are now a standard underwriting question. If your backup provider doesn't support this, that's a gap.
A restore was tested within the last 6 months and the test result was documented
A backup with no tested restore is untested recovery. Document the date, what was restored, and whether it completed successfully.
The person responsible for backup monitoring is identified and aware of the role
Phishing & Awareness
HighA phishing simulation has been run in the last 12 months
Without a simulation, you don't know your click rate. Insurers are beginning to ask whether phishing testing occurs.
Staff know what to do when they receive a suspicious email — there's a clear procedure
Knowing not to click is different from knowing where to report. A functional report mechanism improves your detection posture.
New employees receive security orientation within their first 30 days
New hires are 44% more likely to click phishing links in their first three months. Onboarding is a risk window.
Security awareness training occurred in the last 12 months and attendance is documented
Documented training attendance is what insurers want to see — not just a policy saying training should happen.
Documentation
HighA current network diagram exists showing devices, VLANs, and WAN connections
If you don't know what's on your network, you can't protect it, patch it, or recover it.
A device and software inventory is maintained and updated when changes occur
This is the foundation for patch management, insurance documentation, and incident response.
Credentials for critical systems are stored in a password manager, not personal email or notes
Runbooks exist for the two or three most likely failure scenarios — internet down, server down, key person out
Runbooks are how you recover without the one person who set everything up.
Incident Response
MediumA written incident response plan exists with roles, escalation contacts, and steps for common scenarios
Insurers ask for this. More importantly, it tells your staff what to do at 2am when something breaks.
The IR plan has been reviewed or tested in the last 12 months
A tabletop exercise — a two-hour internal session — satisfies this requirement and is genuinely useful.
After-hours contacts for your IT vendor, ISP, and key software vendors are documented
If your ISP goes down at 10pm, do you know who to call? Is that number written down somewhere?
State breach notification obligations are understood — who to notify and within what timeframe
Most states have breach notification laws with specific timelines. Ignorance doesn't extend them.
What to do with gaps
Found items you can't confirm?
A 30-minute consultation is enough to review your checklist results, identify which gaps carry the most risk for your specific firm, and discuss which Battice tier — if any — makes sense to close them.