Prioritized by impact. Tackle the top 5 first and you'll be ahead of 80% of businesses your size. Print it, post it, work through it.
Most cyberattacks against small businesses succeed not because of sophisticated techniques — but because basic controls were never in place. This checklist covers the 20 controls that close the most common gaps. Start at the top and work down.
1. Enable MFA on every account (Identity)
Turn on multi-factor authentication for email, Microsoft 365, banking portals, and all cloud applications — no exceptions. MFA blocks over 99% of automated credential attacks.
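A way to check the two things behind this item in Microsoft 365, as an added example that is not part of AOtech's checklist: whether Security Defaults (the tenant-wide switch that forces MFA registration for everyone) is on, and which enabled users still have no MFA method registered. It assumes the Microsoft Graph PowerShell SDK is installed and that you connect with an admin account; the permission scopes named are the standard ones for these calls. Banking portals and other non-Microsoft logins have to be checked in each portal by hand.

```powershell
# Added example, not AOtech's code. Requires the Microsoft.Graph module:
#   Install-Module Microsoft.Graph -Scope CurrentUser
#   Connect-MgGraph -Scopes 'Policy.Read.All','UserAuthenticationMethod.Read.All','User.Read.All'

function Get-MfaPosture {
    # Security Defaults is the simplest "MFA for everyone" setting a small tenant can use.
    $defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

    # The registration report has one row per user; IsMfaRegistered = $false means that
    # account can still be signed into with a password alone. Only enabled users matter.
    $enabledUpns = (Get-MgUser -All -Filter 'accountEnabled eq true' -Property UserPrincipalName).UserPrincipalName
    $notRegistered = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { -not $_.IsMfaRegistered -and $enabledUpns -contains $_.UserPrincipalName } |
        Select-Object UserPrincipalName, UserDisplayName, IsAdmin)

    [pscustomobject]@{
        SecurityDefaultsEnabled = $defaults.IsEnabled
        UsersWithoutMfa         = $notRegistered.Count
        AdminsWithoutMfa        = @($notRegistered | Where-Object IsAdmin).Count   # fix these first
        Detail                  = $notRegistered
    }
}

$posture = Get-MfaPosture
$posture | Format-List SecurityDefaultsEnabled, UsersWithoutMfa, AdminsWithoutMfa
$posture.Detail | Format-Table -AutoSize
```

If SecurityDefaultsEnabled comes back False and the tenant has no Conditional Access policies, Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true (scope Policy.ReadWrite.ConditionalAccess) turns it on; tenants that already use Conditional Access should enforce MFA there instead, since the two cannot be active at the same time. Any admin in the AdminsWithoutMfa count is the first thing to fix.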
2. Deploy a business password manager (Identity)
Use a shared business password manager (1Password Teams, Bitwarden for Business, Keeper) for your entire team. Eliminate spreadsheets, sticky notes, and shared passwords in email.
3. Deploy endpoint protection on every device (Endpoint)
Install managed EDR or antivirus on every laptop and desktop — including personal devices used for work. Windows Defender alone is not sufficient for a business environment.
4. Maintain a tested, automated backup (Backup)
Follow the 3-2-1 rule: 3 copies, 2 different media, 1 offsite or cloud. Automate it. Test recovery at least quarterly — an untested backup is just a hope.
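"Test recovery" means more than seeing that the restore job finished. The following added example (not AOtech's code) turns a quarterly restore test into a pass/fail result: restore a backup to a scratch location, then compare a SHA-256 hash of every file in the live data against the restored copy. The two folder paths are placeholders.

```powershell
# Added example, not AOtech's code. Both paths are assumptions: point SourceRoot at the
# live data and RestoreRoot at the folder the backup was restored into.
function Test-RestoreIntegrity {
    param(
        [Parameter(Mandatory)] [string]$SourceRoot,    # e.g. 'D:\CompanyData'
        [Parameter(Mandatory)] [string]$RestoreRoot    # e.g. 'E:\RestoreTest\CompanyData'
    )

    # Hash every file under the live data, keyed by its path relative to SourceRoot.
    $sourceHashes = @{}
    Get-ChildItem -LiteralPath $SourceRoot -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($SourceRoot.Length).TrimStart('\')
        $sourceHashes[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }

    # Walk the same relative paths in the restored copy and classify each file.
    $missing = New-Object System.Collections.Generic.List[string]
    $changed = New-Object System.Collections.Generic.List[string]
    foreach ($rel in $sourceHashes.Keys) {
        $restored = Join-Path $RestoreRoot $rel
        if (-not (Test-Path -LiteralPath $restored)) { $missing.Add($rel); continue }
        $hash = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
        if ($hash -ne $sourceHashes[$rel]) { $changed.Add($rel) }
    }

    [pscustomobject]@{
        Checked = $sourceHashes.Count
        Missing = $missing.Count
        Changed = $changed.Count
        Passed  = ($missing.Count -eq 0 -and $changed.Count -eq 0)
        Detail  = @{ Missing = $missing; Changed = $changed }
    }
}

$result = Test-RestoreIntegrity -SourceRoot 'D:\CompanyData' -RestoreRoot 'E:\RestoreTest\CompanyData'
$result | Format-List Checked, Missing, Changed, Passed
$result.Detail.Missing | Select-Object -First 20
```

Files edited between the backup run and the test show up as Changed, so run this against a restore of last night's backup early in the day, or against a share nobody is working in. Keep the output with the date of each quarterly test: insurers and auditors ask for evidence that restores were actually exercised, not just scheduled.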
5. Keep all software and operating systems current (Endpoint)
Enable automatic updates or use patch management to keep Windows, macOS, Office, browsers, and third-party apps current. Most ransomware exploits known, patched vulnerabilities.
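To see whether "automatic updates" is actually working on a given machine, the added example below (not AOtech's code) reports the last installed Windows update and everything the Windows Update agent still has pending, using the COM API that ships with Windows. Run it in an elevated PowerShell on each device.

```powershell
# Added example, not AOtech's code. Run elevated on each Windows device.
function Get-PatchStatus {
    # Most recently installed update (same data as Settings > Update history).
    $lastInstalled = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Ask the Windows Update agent what is approved but not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

    $pendingList = foreach ($u in $pending) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity          # Critical / Important / ... (blank for non-security updates)
            KB       = (@($u.KBArticleIDs) -join ',')
        }
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        LastUpdateInstalled = $lastInstalled.InstalledOn
        DaysSinceLastUpdate = if ($lastInstalled) { [int]((Get-Date) - $lastInstalled.InstalledOn).TotalDays } else { $null }
        PendingCount        = @($pendingList).Count
        PendingCritical     = @($pendingList | Where-Object Severity -eq 'Critical').Count
        Pending             = $pendingList
    }
}

$status = Get-PatchStatus
$status | Format-List Computer, LastUpdateInstalled, DaysSinceLastUpdate, PendingCount, PendingCritical
$status.Pending | Format-Table -AutoSize
```

A machine with a high DaysSinceLastUpdate or any PendingCritical entries is exactly the one the checklist item is about. This only covers what Windows Update knows about; browsers and other third-party applications need their own updater, winget upgrade, or your patch-management tool.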
6. Replace ISP modem/router with a business-grade firewall (Network)
Consumer routers (Netgear, Linksys) and ISP-provided modems lack the security features businesses need. A managed firewall (Meraki, Fortinet, SonicWall) adds intrusion prevention, DNS filtering, and proper segmentation.
7. Isolate guest Wi-Fi from employee network (Network)
Guest devices should never share a network segment with employee devices or servers. Use a separate SSID on its own VLAN. This one change prevents a compromised guest device from reaching your data.
8. Encrypt all laptops and workstations (Endpoint)
Enable BitLocker on Windows and FileVault on Mac for every device. If a laptop is lost or stolen, encryption means the data is unreadable without the login credentials.
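"Enabled" on its own is not the whole check: a drive can have BitLocker turned on but protection suspended, encryption half finished, or no recovery key saved anywhere. This added example (not AOtech's code) reports all three for every volume on a Windows machine; it needs the built-in BitLocker module and an elevated prompt.

```powershell
# Added example, not AOtech's code. Run elevated on each Windows device (BitLocker module is built in).
function Get-BitLockerCompliance {
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $protection = "$($vol.ProtectionStatus)"   # On or Off (Off also means "suspended")
        $status     = "$($vol.VolumeStatus)"       # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        [pscustomobject]@{
            Drive          = $vol.MountPoint
            Type           = $vol.VolumeType        # OperatingSystem or Data
            Protection     = $protection
            Status         = $status
            Percent        = $vol.EncryptionPercentage
            Protectors     = ($protectors -join ',')
            HasRecoveryKey = ($protectors -contains 'RecoveryPassword')
            # A drive only counts as protected when protection is on, encryption is complete,
            # and a recovery password exists to escrow (a lost key with no escrow means lost data).
            Compliant      = ($protection -eq 'On' -and $status -eq 'FullyEncrypted' -and $protectors -contains 'RecoveryPassword')
        }
    }
}

Get-BitLockerCompliance | Format-Table -AutoSize
```

Any row with Compliant = False is work to do. For Entra-joined devices, BackupToAAD-BitLockerKeyProtector stores the recovery password in the tenant so it can be found when a user is locked out. On a Mac, fdesetup status is the one-line FileVault equivalent.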
9. Remove local admin rights from standard users (Access)
Standard employees don't need local admin access to do their jobs. Admin rights should require a separate admin account. This alone stops the majority of malware from installing successfully.
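A quick way to find the devices where this item has not been done, added here as an example rather than AOtech's code: list everyone in the local Administrators group who is not on an approved list. The approved names (CORP\Domain Admins, CORP\IT-Admins) are assumptions to replace with your own.

```powershell
# Added example, not AOtech's code. Run elevated on each Windows device
# (Microsoft.PowerShell.LocalAccounts module, present on Windows 10/11 and Server 2016+).
function Get-UnexpectedLocalAdmins {
    param(
        # Principals allowed to hold local admin. These names are assumptions: replace CORP
        # with your domain, or use the AzureAD\user@domain form on Entra-joined devices.
        [string[]]$Allowed = @(
            "$env:COMPUTERNAME\Administrator",
            'CORP\Domain Admins',
            'CORP\IT-Admins'
        )
    )
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$extra = Get-UnexpectedLocalAdmins
if ($extra) {
    $extra | Format-Table -AutoSize
    # Remove each one after confirming it. -WhatIf prints the action without making the change;
    # drop it once the list has been reviewed.
    $extra | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf }
} else {
    'Administrators group contains only approved members.'
}
```

Users who genuinely need elevation get a second, separate admin account, as the item says; their everyday account still comes off this list. If Get-LocalGroupMember errors on an Entra-joined device with an orphaned entry, net localgroup Administrators shows the same membership.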
10. Disable accounts the same day an employee leaves (Access)
Have a written, same-day offboarding process: disable M365 account, revoke access to all systems, reassign licenses. Former employees with active credentials are a documented breach vector.
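The Microsoft 365 half of that written process, as an added example that is not AOtech's code: one function that blocks sign-in, kills existing sessions, removes group memberships and frees the licenses, then prints a record for the offboarding ticket. It assumes the Microsoft Graph PowerShell SDK and the scopes shown; the user address is a placeholder.

```powershell
# Added example, not AOtech's code. Requires the Microsoft.Graph module and an admin session:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All','GroupMember.ReadWrite.All'
function Disable-DepartedUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,AccountEnabled

    # 1. Block sign-in. New sign-ins fail immediately.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 2. Invalidate refresh tokens so sessions already open on a phone or laptop stop working
    #    once their current access token expires (about an hour) instead of living on for days.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3. Drop group memberships: shares, Teams and app access are usually granted through groups.
    #    Dynamic-membership groups reject manual removal, hence SilentlyContinue.
    $groups = @(Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    foreach ($g in $groups) {
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction SilentlyContinue
    }

    # 4. Free the licenses for reassignment.
    $skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null
    }

    # Evidence for the offboarding ticket.
    [pscustomobject]@{
        User            = $UserPrincipalName
        DisabledAt      = (Get-Date).ToString('s')
        GroupsRemoved   = $groups.Count
        LicensesRemoved = $skus.Count
        StillEnabled    = (Get-MgUser -UserId $user.Id -Property AccountEnabled).AccountEnabled   # expect False
    }
}

Disable-DepartedUser -UserPrincipalName 'former.employee@example.com'   # placeholder address
```

Two things to decide before running it: removing the license starts the clock on mailbox deletion, so convert the mailbox to a shared mailbox (Set-Mailbox -Type Shared in Exchange Online) or put it on hold first if you need to keep the mail; and M365 is only one system, so the same day also covers VPN, banking, and every SaaS tool on your subscription list.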
11. Change default passwords on all network devices (Network)
Routers, switches, access points, printers, and NAS devices all ship with default admin credentials that are publicly documented. Change them. Every one of them. Include this in your device setup checklist.
12. Enable audit logging in Microsoft 365 or Google Workspace (Access)
Audit logs let you answer "who logged in, from where, and what did they access?" after an incident. In M365, enable Unified Audit Log in the Security & Compliance Center. It's off by default on older tenants.
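The same switch from PowerShell, plus the kind of question the log is there to answer, as an added example that is not AOtech's code. It assumes the ExchangeOnlineManagement module and an admin session; the user address is a placeholder.

```powershell
# Added example, not AOtech's code. Requires the ExchangeOnlineManagement module:
#   Install-Module ExchangeOnlineManagement -Scope CurrentUser
#   Connect-ExchangeOnline
function Enable-UnifiedAuditLog {
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        # The change is not instant; re-run Get-AdminAuditLogConfig later to confirm.
    }
    (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled   # expect True
}

# Once the log is on, "who logged in, from where" is one query: successful sign-ins for one
# user over the last N days, with the source IP and user agent pulled out of the JSON payload.
function Get-UserSignIns {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Days = 7)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -UserIds $UserPrincipalName -Operations UserLoggedIn -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When     = $_.CreationDate
            User     = $_.UserIds
            ClientIP = $d.ClientIP
            App      = $d.ApplicationId
            Agent    = ($d.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value
        }
    } | Sort-Object When
}

Enable-UnifiedAuditLog
Get-UserSignIns -UserPrincipalName 'user@example.com' -Days 7 | Format-Table -AutoSize   # placeholder address
```

A sign-in from a country or client the person does not use is the first thing to look for after a phishing click. Retention on the standard log is limited, so if an incident is more than a few months old, the evidence may already be gone; that is the argument for turning this on today rather than after something happens.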
13. Review user accounts quarterly — remove stale access (Access)
Set a quarterly calendar reminder to audit all active accounts. Remove anyone who no longer works there, revoke access to systems people have moved off of, and archive old mailboxes.
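A starting list for that quarterly review, as an added example that is not AOtech's code: every enabled account (members and guests) with no sign-in in the last 90 days. It assumes the Microsoft Graph PowerShell SDK, the scopes shown, and at least one Entra ID P1 license in the tenant, which is what populates the sign-in activity fields; the 90-day threshold is an assumption.

```powershell
# Added example, not AOtech's code. Requires:
#   Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
# SignInActivity is only returned when the tenant has at least one Entra ID P1 license.
function Get-StaleAccounts {
    param([int]$InactiveDays = 90)   # assumed threshold; shorten it if your turnover is high
    $now    = Get-Date
    $cutoff = $now.AddDays(-$InactiveDays)

    Get-MgUser -All -Property DisplayName,UserPrincipalName,AccountEnabled,CreatedDateTime,UserType,SignInActivity |
        Where-Object { $_.AccountEnabled } |
        ForEach-Object {
            # Count both interactive and non-interactive sign-ins so an account used only by
            # a synced mailbox or an app is not flagged as dead.
            $last = @($_.SignInActivity.LastSignInDateTime, $_.SignInActivity.LastNonInteractiveSignInDateTime) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
            # An account that never signed in is judged from the day it was created.
            $ref = if ($last) { $last } else { $_.CreatedDateTime }
            if ($ref -lt $cutoff) {
                [pscustomobject]@{
                    User         = $_.UserPrincipalName
                    Name         = $_.DisplayName
                    Type         = $_.UserType          # Member or Guest: stale guests are easy to forget
                    LastSignIn   = $last
                    DaysInactive = [int]($now - $ref).TotalDays
                }
            }
        } | Sort-Object DaysInactive -Descending
}

Get-StaleAccounts | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
Get-StaleAccounts | Format-Table -AutoSize
# After the managers confirm, disable rather than delete, so the mailbox and files survive:
#   Update-MgUser -UserId 'left.last.year@example.com' -AccountEnabled:$false   # placeholder
```

Walk the list with the people who own each team, disable what nobody claims, and file the CSV with the date: that is the audit trail for the next review and for an insurance questionnaire.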
14. Have cyber liability insurance in place (Policy)
Cyber insurance covers breach response costs, notification requirements, business interruption, and ransomware payments when all else fails. Most policies now require MFA and backup — check your requirements.
15. Train staff on phishing at least once a year (Policy)
Send a simulated phishing test, review the results with your team, and run a short training session. Most successful breaches start with a human click — awareness training is your last line of defense.
16. Document all software subscriptions with renewal dates (Policy)
Maintain a running list of every SaaS tool, license, and subscription: what it is, who owns it, when it renews, and what it costs. This prevents surprise renewals and orphaned accounts after staff turnover.
17. Have a written IT security policy employees acknowledge (Policy)
A one-page policy covering acceptable use, password requirements, incident reporting, and BYOD rules. Have every employee sign it at onboarding and annually. This creates accountability and helps with insurance claims.
18. Use VPN for remote access — no open RDP to the internet (Network)
Remote Desktop Protocol (RDP) exposed directly to the internet is one of the most scanned-for attack surfaces on the planet. Require VPN before any remote access. If you use RDP, restrict it to VPN-only.
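How to check and then enforce the "VPN-only" part on the Windows machines themselves, as an added example that is not AOtech's code. The first function reports whether RDP is enabled, listening, and whom the host firewall lets connect; the second scopes the built-in Remote Desktop firewall rules to the VPN address pool. The subnet 10.8.0.0/24 is an assumed placeholder.

```powershell
# Added example, not AOtech's code. Run elevated on each Windows machine that has RDP enabled.
function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $denied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections   # 1 = RDP off
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    $scope  = @($rules | Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress }) | Sort-Object -Unique

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RdpEnabled      = ($denied -eq 0)
        ListeningOn3389 = [bool]$listen
        FirewallScope   = ($scope -join ', ')
        OpenToAnySource = ($scope -contains 'Any')   # True: the host firewall is not limiting who may connect
    }
}

function Set-RdpFirewallScope {
    # Assumed VPN client pool; use the range your VPN actually hands out.
    param([string[]]$VpnSubnets = @('10.8.0.0/24'))
    # Limit every built-in Remote Desktop rule so the host only accepts 3389 from VPN addresses.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $VpnSubnets
}

Get-RdpExposure | Format-List
# Set-RdpFirewallScope -VpnSubnets '10.8.0.0/24'   # run after confirming the VPN pool
```

The host view cannot tell you whether the perimeter firewall is forwarding port 3389 from the internet; check its NAT or port-forwarding rules separately and remove any that point at RDP. Scoping the host rule to the VPN pool also blocks RDP from the office LAN, which is usually what you want.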
19. Apply MDM or a BYOD policy to mobile devices (Endpoint)
Phones and tablets that access company email and data need to be managed. Either enroll them in mobile device management (MDM) or have a written BYOD policy that requires passcode, encryption, and remote wipe capability.
20. Have a written incident response plan (Policy)
Know in advance: who do you call if you're breached? Who do you notify? What's the containment process? A one-page IR plan with your MSP's emergency number, your cyber insurance claim line, and a containment checklist is enough to start.
AOtech offers free IT security assessments for Lincoln-area businesses. We'll go through this checklist with you and tell you exactly what to prioritize — no sales pressure.