What are the first five cybersecurity steps for a small business?

Multi-factor authentication on every business account using an authenticator app rather than SMS. A business password manager rolled out to every user. Conditional access on Microsoft 365 or Google Workspace blocking sign-ins from countries you do not operate in and disabling legacy authentication. SPF, DKIM, and DMARC records on your domain at p=quarantine or higher. Full-disk encryption on every laptop confirmed actually on. If you do these five things and stop, you will be ahead of roughly eighty percent of small businesses your size.

What can a small business do for free or near-free?

Turn on MFA across every account, which is free for most platforms. Configure SPF, DKIM, and DMARC at your domain registrar at no cost. Enable the external-sender warning banner in Microsoft 365 or Google Workspace. Confirm BitLocker on Windows Pro or FileVault on Mac is actually enabled, not just available. Build a one-page asset inventory in a spreadsheet. Tape an incident-response checklist to the wall listing who calls who when something breaks. None of these requires new vendors or budget, and together they raise the bar meaningfully.

When should a small business hire a vCISO?

When you push past roughly thirty employees, when you hold customer data subject to a regulator like HIPAA or a contractual framework like SOC 2, when a customer asks for a security questionnaire you cannot answer, when you are about to take cyber insurance with meaningful coverage, or when an incident has shown that nobody actually owns the program. A part-time CISO engagement costs less than the salary of one entry-level analyst and buys executive ownership of the security program. The deliverable is leadership, not another tool.

What should a small business spend on cybersecurity tooling each month?

Realistic monthly per-user budget for a business under fifty employees lands around four to eight dollars for a business password manager, five to ten dollars per device for endpoint detection and response, two to four dollars per user per year for awareness training (so monthly that is small), and the cost of Microsoft 365 Business Premium or Google Workspace Business Plus which already bundle several controls. Total per-user is typically in the low double digits per month for the controls that matter, plus separate spending on cloud-data backup and any compliance-driven add-ons.

Is cyber insurance worth it for a small business?

Often yes, with caveats. Read what the policy actually covers before buying. Most small-business policies exclude social-engineering wire fraud unless you specifically endorse it, and the social-engineering sub-limit is usually a small fraction of the overall cyber limit. Insurers will require MFA, dual-control on wires, and email-spoofing protection in the application, and false answers can void coverage. Coverage pairs best with a pre-arranged incident-response retainer because the policy almost always points you at a panel firm that may not be the right fit.

What can a small business reasonably ignore for now?

SOAR and SIEM tools are overkill below roughly fifty employees. Penetration testing is useful eventually but is rarely the first five thousand dollars of spend, because the things a pen test will find are the controls listed earlier in the checklist. ISO 27001 and SOC 2 certifications are only worth the spend when a customer is actually asking for them in a contract. Zero-trust branded products are mostly buzzword repackaging of identity controls already in the checklist. Defer those, get the basics right, then revisit.

What is the highest-ROI control for a small business?

Multi-factor authentication on every business account, paired with a business password manager that the team actually uses. The single most common cause of small-business compromise we see is a reused password and a missing or SMS-only second factor. Implementing both controls is cheap, fast, and stops the majority of credential-driven attacks before they start. Everything else on the checklist matters, but if budget and attention are limited, identity controls are where you start and where you keep investing first.

Small Business Cybersecurity Checklist | Practical Guide Under 50 Employees

All articles·10 min read·April 22, 2026

The order matters more than the list

Most small-business cybersecurity advice is a giant pile of equally-weighted bullets, and the result is that owners do nothing. Below is what to actually do, in the order that moves the security needle the most for the least money. If you do steps 1-5 and stop, you will be ahead of 80% of small businesses your size.

1. Identity, before anything else

Multi-factor authentication on every business account. Microsoft 365, Google Workspace, your bank, your accounting software, your domain registrar, your payroll. Use an authenticator app (1Password, Authy, Microsoft Authenticator), not SMS.
One business password manager. 1Password Business, Bitwarden Business, or Dashlane Business. Around $4-8 per user per month. This is the highest-ROI controlyou will buy.
Conditional access on Microsoft 365 / Google Workspace. Block sign-ins from countries you do not operate in. Block legacy authentication protocols. The setting is buried but takes 15 minutes.

2. Email — the attack surface that pays attackers the most

SPF, DKIM, and DMARC records on your domain. Without DMARC at p=quarantineor p=reject, anyone can spoof your CEO. Easydmarc, dmarcian, and Postmark have free starters.
External-sender warning banner enabled. Microsoft 365 and Google Workspace both let you flag any email from outside your domain. This single banner stops most BEC scams.
Anti-phishing rule for executive impersonation. Configure your tenant to flag emails that claim to be from your CEO/CFO but come from outside.

3. Endpoints — workstations and laptops

Full-disk encryption on every device. BitLocker (Windows Pro), FileVault (Mac). Confirm it is actually on; "ready" is not "on."
Real EDR, not just consumer antivirus. Microsoft Defender for Business (under M365 Business Premium), CrowdStrike Falcon Go, SentinelOne Singularity Core. Around $5-10 per device per month.
Auto-patch. OS auto-updates on for every device. Microsoft Intune or Jamf if you have over ~10 devices.
Inventory. A spreadsheet listing every device, who it belongs to, and its serial number. You cannot protect what you do not know about.

4. Backups

3-2-1 backups. Three copies, two media, one off-site. Cloud backup counts as off-site only if it is immutable / versioned.
Test restore quarterly. An untested backup is a hope, not a control.
Cloud-data backup, not just sync. OneDrive sync is not a backup. Use Backupify, Spanning, or Datto SaaS Protection to back up Microsoft 365 / Google Workspace separately.

5. People

Security awareness training, quarterly. KnowBe4, Hoxhunt, or Curricula. Around $25-50 per user per year.
Phishing simulation, monthly. Same vendors. Track click rates over time as your KPI. See phishing simulation.
Incident response checklist taped to the wall. Who calls who, in what order, when something goes wrong. Three pages, max.

6. The legal/insurance layer (do this before incident, not during)

Cyber insurance. Read what it actually covers. Most small-business policies exclude social-engineering wire fraud unless you specifically endorse it.
Pre-arranged incident-response retainer. Knowing who to call at 3am when ransomware hits is worth more than any tool. We hold retainer agreements for SMB clients — see incident response.
Data inventory. A short list of what sensitive data you hold (PII, PHI, payment, IP) and where it lives. Required by most regulators after a breach anyway.

What you can ignore for now

SOAR / SIEM tools — overkill below ~50 employees
Penetration testing — useful eventually, not your first $5K of spend
ISO 27001 / SOC 2 — only if a customer is asking for it
"Zero trust" branded products — most are buzzword repackaging of identity controls you already need

If you'd rather buy this as a service

We deliver this checklist (and the ongoing operations behind it) as managed cybersecurity for SMB clients, with a vCISO as the leadership layer when the program starts pushing past 30 employees.