The small-business security checklist

Twelve practical security checks that close the gaps most small businesses leave open — no jargon, no expensive tools.

You don't need an enterprise budget to be hard to breach. Most small-business exposures come down to a handful of basics that nobody got around to. Work through this list and you'll be ahead of the vast majority of businesses your size.

The checklist

  1. Turn on multi-factor authentication everywhere it's offered — email, banking, admin panels, cloud accounts.
  2. Use a password manager so every account has a unique, strong password.
  3. Remove access for people who left. Old accounts are a favourite way in.
  4. Keep no secrets in code. API keys and passwords belong in a secrets store, never in your website or a repo.
  5. Lock down your databases. Nothing should be reachable from the open internet without a login.
  6. Patch and update. Most attacks use known holes that an update would have closed.
  7. Back up — and test the restore. A backup you've never restored is a guess.
  8. Limit who can access what. People should have the least access they need to do their job.
  9. Secure your website. HTTPS everywhere, no credentials in the front-end code.
  10. Vet your vendors. Your data is only as safe as the tools you give it to.
  11. Know what you hold. You can't protect data you haven't mapped.
  12. Have a plan for "what if." Decide now who does what if something leaks.

Stuck on any of these, or want someone to verify them for you? That's exactly what an exposure audit covers.

Want us to just handle it?

Send the details to [email protected] or book a call. We'll check it for you and fix what's exposed.