Most incidents in small and medium companies do not come from brilliant attacks. They come from things no one did. No MFA, a permanently connected backup, a former employee’s account still active. This checklist puts the basics in order so you can go through them one by one and close them off.

Accounts and access

This is the first thing an attacker takes over, so we start here.

  • MFA enabled for all accounts, not just administrators.
  • Named accounts instead of shared ones, so you can establish who did what.
  • Permissions granted on the principle of least privilege, without handing out the administrator role just in case.
  • A procedure for revoking access on the day an employee leaves.
  • Regular account reviews, at least once a quarter.

The most common hole I find during audits is an active account of someone who left six months ago. It has no owner, no one watches it, and it still works.

Devices and updates

Unpatched hardware is an open door you walk through without making noise.

  • Automatic updates of systems and applications, with a check that they are actually installed.
  • Disk encryption on laptops, so lost hardware does not mean a data leak.
  • Antivirus protection or an EDR layer on workstations and servers.
  • Retiring systems without vendor support.

What about personal devices

If employees read email on private phones, set minimum rules: screen lock, an up-to-date system, the ability to remotely wipe company data. Without this, data leaves the company in a pocket.

Email and network

Email is still the most common attack channel, mainly through phishing.

  • SPF, DKIM and DMARC configured, to limit impersonation of your company.
  • Filtering of content and attachments on the way in.
  • DNS filtering that blocks access to malicious domains.
  • A network segmented so that a guest and a printer are not in the same segment as your servers.

Backups

Backup is the last line of defence, so it has to genuinely work.

  • Copies in the 3-2-1 model, with one copy separated or immutable.
  • Backup covering data in Microsoft 365 or Google Workspace too.
  • A regular restore test, not just a check that the job ran.
  • Defined RTO and RPO for critical data.

People and procedures

Technology will not help if someone clicks a link and enters their password on a fake site.

  1. Short, regular training in recognising phishing.
  2. A clear path for reporting suspicious messages and incidents.
  3. A written procedure for an attack, with phone numbers and the order of actions.
  4. A designated person or company that knows what to do when something happens.

How to use this

You do not have to tick everything off at once. Start with accounts and backup, because that is where most of the risk sits at the lowest cost. Then devices, email, people. Once a quarter, come back to the list and check what has changed, because the company and the threats do not stand still.

If you want to be sure nothing has been missed, it is worth going through this with someone from outside. See what a cybersecurity audit looks like, or entrust the daily watching over these points to our managed IT services. It is better to tick the list off calmly now than in the middle of an incident.