Small Business Cybersecurity Checklist: The Controls That Actually Matter

The 11 cybersecurity controls small businesses need to pass security questionnaires, close enterprise deals, and stay protected. Mapped to CIS Controls v8.1 IG1, with enforcement guidance for lean teams.

Josh Zweig

May 21, 2026

Key Takeaways

  • Small businesses are now targeted more often than large enterprises, because attackers use them as the way into the bigger companies they connect to. Company size isn't a defense.
  • The eleven controls in this checklist cover the security areas enterprise customers actually ask about: who has access to what, what's running on every device, how email and browsers are protected, and how those controls are enforced over time.
  • A checklist only works if you enforce the controls. Org change, IT infrastructure updates, and active threats keep pulling configuration out of place while dashboards keep showing green.
  • Cloud providers already handle most of two controls customers commonly ask about, network configuration and data backup. Cloud-heavy small businesses spend less time on these than on identity, endpoint, and email controls.

Your biggest customer just sent over their annual vendor security review. Forty pages on endpoint protection, encryption, access controls, and incident response. You bought CrowdStrike last year. You're pretty sure encryption is on most laptops. MFA is... probably enforced on most accounts. But "pretty sure" and "probably" aren't answers you can sign your name to.

Saying yes to something that wasn't actually true leads to two conversations you don't want to have: one with the customer about a breach, one with legal about what you wrote on the questionnaire versus what was running. Every commitment on a security questionnaire is a promise. The eleven controls below are the program that lets you stand behind what you sign. The checklist is the version you hand to the auditor.

Ready to secure your small business? Book a demo with Zip.

Why Do You Need a Small Business Cybersecurity Checklist?

Small businesses are now targeted at the same scale as enterprises. The Verizon 2025 DBIR recorded 3,049 incidents and 2,842 confirmed breaches at small businesses, dwarfing the 982 incidents at large organizations. Third-party involvement in breaches doubled to 30%.

As Zip Security founder Joshua Zweig told NYT in its April 2026 reporting on Iran-linked cyberattacks: state-sponsored hackers are going after people connected to government "not through official channels, but through their personal networks: service providers, contractors, the kinds of organizations that handle sensitive day-to-day information." Those contractors and service providers are small businesses. Attackers go around good security by hitting the smaller, less-defended companies connected to bigger ones.

What makes the problem structural is that small businesses face the same threat surface as enterprises, but with lean teams and unverified tools. Only 33% of small businesses use mobile device management (MDM, i.e., the software that enforces security policies on devices), compared to 43% of enterprises. The gap between "we have security tools" and "those tools are actually running" is where most breaches start.

That's why a checklist on its own falls short. The real work is a security program that produces one. The eleven controls below map to CIS Controls v8.1 IG1, which the Center for Internet Security designed specifically for organizations with limited cybersecurity expertise. Implementing IG1 defends against roughly three-quarters of ATT&CK techniques (the industry-standard catalog of adversary behaviors) associated with malware and ransomware.

The Checklist: 11 Controls Your Customers Actually Expect

A good checklist shows you what a working security program has to produce. Use the eleven controls below to understand what a credible baseline looks like and to verify what's already running.

The eleven controls follow a deliberate order. Asset inventory and MDM come first because every control after them depends on knowing what devices you have and being able to enforce policies on them. Identity controls like multi-factor authentication (MFA), single sign-on (SSO), and access management come next because they determine who can reach your systems. Endpoint detection and response (EDR) layers on top. Each control closes a question your customers are likely to ask on their next security questionnaire.

1. Asset Inventory (Hardware and Software)

You can't encrypt a device you don't know exists. You can't verify EDR coverage if you don't know how many endpoints you're supposed to be covering. Asset inventory is how you get that visibility, and every control below depends on it.

Start with your MDM console, which inventories devices. For anything not yet enrolled, maintain a spreadsheet of device details and assigned employees. Survey your team on what SaaS tools they use for work; small teams often discover shadow IT (unauthorized apps with access to company data) only after asking employees directly. MDM enrollment (control 2) produces this inventory as a byproduct.

A current inventory also saves time when you answer customer questionnaires, because you know which devices and apps are actually in scope.

2. Mobile Device Management (MDM)

MDM is the enforcement layer that makes most subsequent controls possible. Encryption, patching, firewall configuration, and remote wipe, for example, all flow through your MDM. Enrollment is the foundation every later control sits on.

For Apple-only fleets, use Jamf zero-touch deployment through Apple Business Manager. New devices auto-enroll on first boot with no IT intervention. For mixed fleets, Microsoft Intune manages Windows, macOS, iOS, and Android from a single console. Use non-removable profiles so employees can't unenroll their devices from management. Full fleet coverage is the only version that works.

When MDM is in place, the rest of the checklist becomes faster to deploy and easier to prove to customers. This is why platforms like Zip start with MDM and identity enrollment before anything else: every other control sits on top of the device denominator and the access list.

3. Device Encryption

Full-disk encryption (using BitLocker on Windows or FileVault on macOS) is the baseline data-at-rest protection for every managed device. If a laptop is stolen, device encryption is what keeps the data on it inaccessible.

Enforce encryption fleet-wide through MDM. The Jamf Security 360 report found FileVault disabled on 36% of devices in its research pool, despite the ease of enforcement. Verify recovery key escrow (where the key to unlock an encrypted device lives in central storage) along with encryption status. A device that's encrypted with a lost recovery key is a device you can't recover.

Without encryption, a stolen laptop means a breach notification to every customer whose data was on it. With encryption enforced through MDM, a stolen laptop costs you the hardware and nothing else leaves the building. A platform like Zip enforces encryption and recovery key escrow across every device hand-off automatically, so neither one depends on anyone remembering.

4. Patch Management and OS Updates

Unpatched OS vulnerabilities are among the most exploited entry points. Vulnerability exploitation as an initial access vector grew 34% year-over-year to 20% of all breaches. The Acronis Threat Research Unit found that across small business endpoints managed by a managed service provider (MSP), only 3.6% of Microsoft patches showed as confirmed installed at any given time.

Automate OS patching through MDM rather than relying on employee-initiated updates. Both Intune and Jamf can lock update settings so employees can't defer them indefinitely. Use CISA's Known Exploited Vulnerabilities (KEV) catalog as your priority queue, and target critical security patches within 14 days of release.

The worst version of a breach is one where the patch existed for weeks, and nobody applied it. Automated patching takes that scenario off the table.

5. Multi-Factor Authentication (MFA)

Using stolen credentials is one of the easiest ways for attackers to make their way into your company. MFA makes a stolen password insufficient on its own.

Enforce it across every account that a password unlocks. CISA states: "Any form of MFA is better than no MFA," but the differences between types matter.

SMS-based MFA is better than nothing, but it's vulnerable to interception. Hardware keys (YubiKeys) or platform authenticators (Windows Hello, Touch ID, Face ID) are phishing-resistant MFA and should go to admins and finance staff first.

Disable SMS fallback once you've enrolled everyone in app-based MFA.

If a customer asks whether you protect accounts beyond passwords, this is one of the clearest places to answer yes with evidence.

6. Single Sign-On (SSO) Configuration

SSO is the identity foundation that makes MFA enforcement and offboarding scalable. When every app authenticates through one identity provider, disabling one account revokes access everywhere simultaneously.

Apps on standalone credentials outside your identity provider (Google Workspace, Microsoft Entra ID, or Okta) are where access lingers after offboarding. Start by federating email, CRM, accounting, and HR through your identity provider. Add "Does this support SSO?" to your procurement checklist for every new app.

Without SSO, a departed employee's access to your CRM or accounting tool can stay active for weeks. With SSO, disabling one account cuts access to everything.

7. Account and Access Management

Access removal is as important as access provisioning. Departed employees with active credentials are an underreported exposure. NIST guidance is direct: "Remove access to all the business' information, systems, and devices when an employee leaves."

The reason offboarding breaks is that nobody owns it end-to-end. HR owns the start date, managers own ramp, IT owns the device, and security owns the controls. When something slips between those handoffs, nobody knows whose problem it is.

Automation turns offboarding from a multi-system checklist into a single action. Disable the identity provider account within one hour of termination, revoke active sessions, remote wipe the device via MDM, and recover hardware keys. CIS IG1 mandates deleting or disabling dormant accounts after 45 days of inactivity. Review monthly.
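The two gaps this control describes, a departed employee whose account is still enabled and an account that has gone dormant, can be checked by reconciling the HR roster against an identity-provider export. The script below is an added example, not Zip's code; the roster, the account export, the field names and the timestamps are all constructed for illustration, with the one-hour disable target and the 45-day dormancy limit taken from the text.

```python
"""Offboarding audit: reconcile an HR roster with identity-provider accounts.
Added example; datasets and field names are constructed, not real exports."""
from datetime import datetime, timedelta, timezone

DISABLE_SLA = timedelta(hours=1)     # disable the IdP account within one hour
DORMANT_AFTER = timedelta(days=45)   # CIS IG1: disable accounts idle 45+ days
NOW = datetime(2026, 5, 21, 12, 0, tzinfo=timezone.utc)  # constructed "today"

# Constructed HR export: who has left and when (UTC).
HR_ROSTER = [
    {"user": "alice", "terminated_at": None},
    {"user": "bob",   "terminated_at": "2026-05-01T09:00:00Z"},
    {"user": "carol", "terminated_at": "2026-05-20T17:00:00Z"},
]
# Constructed identity-provider export (field names are assumptions).
IDP_ACCOUNTS = [
    {"user": "alice", "status": "ACTIVE",   "last_login": "2026-05-19T08:00:00Z", "disabled_at": None},
    {"user": "bob",   "status": "ACTIVE",   "last_login": "2026-04-30T16:00:00Z", "disabled_at": None},
    {"user": "carol", "status": "DISABLED", "last_login": "2026-05-20T12:00:00Z", "disabled_at": "2026-05-20T17:20:00Z"},
    {"user": "dave",  "status": "ACTIVE",   "last_login": "2026-03-01T10:00:00Z", "disabled_at": None},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def offboarding_findings(hr, idp, now):
    """Return sorted (user, finding) pairs for every offboarding or dormancy gap."""
    known = {r["user"] for r in hr}
    terminated = {r["user"]: parse_ts(r["terminated_at"]) for r in hr if r["terminated_at"]}
    findings = []
    for acct in idp:
        user = acct["user"]
        left_at = terminated.get(user)
        if left_at:
            disabled_at = parse_ts(acct["disabled_at"])
            if acct["status"] != "DISABLED" or disabled_at is None:
                # The exposure the text warns about: credentials outlive the employee.
                findings.append((user, f"terminated {(now - left_at).days}d ago, account still enabled"))
            elif disabled_at - left_at > DISABLE_SLA:
                late_min = int((disabled_at - left_at).total_seconds() // 60)
                findings.append((user, f"disabled {late_min} min after termination, SLA is 60 min"))
            continue
        if user not in known:
            # An account HR has never heard of: nobody owns its offboarding.
            findings.append((user, "account has no matching HR record (orphan)"))
        last = parse_ts(acct["last_login"])
        if acct["status"] == "ACTIVE" and last and now - last > DORMANT_AFTER:
            findings.append((user, f"dormant: no login for {(now - last).days} days"))
    return sorted(findings)


def audit(now=NOW):
    """Run the reconciliation over the constructed exports."""
    return offboarding_findings(HR_ROSTER, IDP_ACCOUNTS, now)


if __name__ == "__main__":
    for user, finding in audit():
        print(f"{user}: {finding}")
```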

An auditor will ask how fast you revoke access when someone leaves. If the answer is "we're not sure," the audit stalls and the exposure stays open. Platforms like Zip run the whole offboarding sequence automatically across MDM, identity, and EDR, so the answer becomes "one hour, every time" with a log to prove it.

8. Malware Defenses and Endpoint Detection (EDR)

EDR watches every endpoint for suspicious behavior that traditional antivirus misses: fileless attacks that execute in memory, attacker movement between machines, and credential theft that never drops a file on disk. The CrowdStrike 2026 Global Threat Report found that 82% of detections in 2025 were malware-free, meaning signature-based antivirus would have caught none of them.

Small businesses typically can't buy CrowdStrike directly because the licensing minimums target enterprises. Zip Security is a Built and Managed Security Platform (BMSP) for lean teams: a platform that connects to and manages tools like Jamf, Intune, CrowdStrike, and Okta from one place. Zip procures CrowdStrike at volume pricing and deploys it fleet-wide.

EDR only protects the devices it's actually running on. If an attacker compromises one laptop without EDR, they can move through your network to machines that do have it, and by the time EDR fires an alert, the attacker is already inside. Coverage percentage matters as much as the tool itself.

For customer questionnaires, EDR is proof that you're watching endpoints continuously. Customers will ask for that proof.

9. Browser Security

Most companies manage their devices and their email, but leave the browser completely open. That's where employees install extensions that harvest credentials, reuse passwords across personal and work accounts, and click links that bypass email filters because they arrived through a search result or a Slack message. Security controls belong at the browser level, where the credential paste, the extension install, and the phishing click all happen.

Chrome Enterprise Core is free ($0) and covers the browser fundamentals: block or force-install extensions, enforce Safe Browsing, and get security event reporting on password reuse and unsafe site visits. It bundles into an MDM and EDR deployment at no additional cost. Start by blocking all unapproved extensions and enforcing standard Safe Browsing.

The browser is also where data leaves the organization without anyone noticing. Employees paste customer data, deal terms, or internal documents into AI tools like ChatGPT, or upload files to personal cloud storage, and whoever is managing the company's tools (often a founder, sometimes nobody) has no visibility into either because the activity happens entirely in the browser. Chrome Enterprise Core's policy controls can restrict copy/paste and file uploads to unapproved destinations.

10. Email Security

Email security has two goals: minimize the likelihood that an attacker sends email as if they're your company, and minimize damage if a phishing email lands in someone's inbox.

For goal one, configure SPF, DKIM, and DMARC (three email authentication protocols) on your domain's DNS records. These protocols work together to verify that emails sent from your domain actually came from your authorized mail servers. Microsoft is explicit that SPF alone is not enough and recommends configuring DKIM and DMARC as part of your overall email authentication strategy.

Without these controls, an attacker can spoof your domain in emails to your customers with attacker-controlled wire instructions. The FBI reported $2.8 billion in business email compromise losses in 2024 alone. Verify your configuration with MXToolbox.
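The weak settings a tool like MXToolbox flags in SPF and DMARC records can also be checked by hand. The script below is an added example, not Zip's code: it evaluates constructed TXT records (the same strings a DNS lookup would return) for the failure modes that matter here, a permissive `+all` in SPF and a monitor-only `p=none` or missing DMARC policy. DKIM is omitted because its record lives under a per-sender selector name rather than a fixed one.

```python
"""Audit SPF and DMARC TXT records for weak settings. Added example; the DNS
answers below are constructed so the script runs offline, and the pass/fail
rules are the author's baseline, not Zip's."""

# Constructed TXT records keyed by DNS name (what a TXT lookup would return).
CONSTRUCTED_DNS = {
    "weak.example.": ["v=spf1 include:_spf.google.com +all"],
    "_dmarc.weak.example.": ["v=DMARC1; p=none;"],
    "strong.example.": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.strong.example.": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"],
    "nodmarc.example.": ["v=spf1 include:_spf.google.com ~all"],
}


def lookup_txt(name, dns=CONSTRUCTED_DNS):
    """Return the TXT strings for a name, normalising the trailing dot."""
    return dns.get(name.rstrip(".") + ".", [])


def check_spf(domain, dns=CONSTRUCTED_DNS):
    """Findings about the domain's SPF record (empty list means acceptable)."""
    records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no v=spf1 record; receivers cannot tell which servers may send for this domain"]
    if len(records) > 1:
        return ["SPF: multiple v=spf1 records; the spec allows exactly one and receivers treat this as an error"]
    terms = records[0].split()
    # The final 'all' mechanism decides what happens to senders not listed earlier.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["SPF: no 'all' mechanism; unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF: '+all' authorizes every host on the internet to send as this domain"]
    if qualifier == "?":
        return ["SPF: '?all' is neutral; use '~all' (softfail) or '-all' (fail)"]
    return []


def check_dmarc(domain, dns=CONSTRUCTED_DNS):
    """Findings about the _dmarc record (empty list means acceptable)."""
    records = [r for r in lookup_txt("_dmarc." + domain, dns) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["DMARC: no record at _dmarc.<domain>; SPF and DKIM results are never enforced"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: invalid or missing policy {policy!r}")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports go nowhere")
    return findings


def audit_domain(domain, dns=CONSTRUCTED_DNS):
    """Combined SPF and DMARC findings for a domain."""
    return check_spf(domain, dns) + check_dmarc(domain, dns)


if __name__ == "__main__":
    for name in ("weak.example", "strong.example", "nodmarc.example"):
        print(name, audit_domain(name) or ["OK"])
```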

For goal two, layer your defenses so a phishing email has to slip past more than one control to do damage:

  1. Basic cloud email filtering. Spam and malware scanning included with Google Workspace and Microsoft 365. Catches the obvious stuff.
  2. Sandboxed attachment and link analysis. Suspicious files and links open in an isolated environment first, so anything malicious detonates there instead of on the user's laptop.
  3. EDR on the endpoint. Contains any malware that does get downloaded before it can spread to other devices.
  4. Browser-level credential protection. Catches phishing pages in real time, even the ones that bypass email filters by arriving through Slack, search, or LinkedIn.

Zip's email security module unifies these layers in one dashboard so the gaps between them don't go unnoticed.

Email compromise is the control your customers notice fastest. When an attacker spoofs your domain and wires fraudulent instructions to your clients, the damage lands on them too.

11. Lead With Secure Defaults

Secure defaults invert the standard "train your users" model. The tools prevent the bad behavior rather than asking employees to make the right call every time. Chrome Enterprise Core blocking password reuse, EDR isolating devices when malware executes, MFA making a phished credential insufficient on its own: these controls function even when someone clicks the wrong link.

Training is the backstop. CISA's training platform and SMB resource hub are the right starting points for lean teams that want a program. The security program protects employees. That's the job.

Secure defaults keep a small team's security program running even when nobody is actively watching it, because the controls enforce themselves instead of waiting for someone to remember.

Controls Your Cloud Provider Probably Already Handles

Customer questionnaires date from when most companies ran their own infrastructure, so they still ask about controls that became commodity capabilities the moment workloads moved to cloud platforms. Here's how to answer these questions without overinvesting in controls your cloud provider already handles.

Your Cloud Provider Already Handles Network Controls

Network segmentation used to matter because it limited lateral movement in self-hosted environments. If your workloads run in cloud services like Google Workspace, Microsoft 365, or AWS, the provider already handles the underlying network controls. Change default router credentials, segment company Wi‑Fi from guest Wi‑Fi, and rely on your cloud provider's network controls for everything else. Zero Trust Network Access (ZTNA) takes this further by letting users access specific applications without ever connecting to the network itself, so an attacker with a compromised account can't scan the rest of the network.

Cloud Platforms Already Handle Backup

Ransomware made backups the difference between paying and restoring clean. Most small businesses already rely heavily on cloud platform retention, versioning, snapshots, or backup features, but the exact retention and recovery behavior depends on how you configure those settings. Name the platforms where your data actually lives and confirm their retention characteristics. The 3-2-1 rule (three copies, two media types, one offsite) still applies to anything stored locally.

Why DIY, MSPs, and MSSPs All Break Down on Enforcement

A checklist captures a moment. Drift starts the day you finish it: agents go quiet, encryption keys break, devices fall out of enrollment. According to Zip Security's 2026 Security Survey, only 40% to 60% of endpoints that are supposed to have EDR actually have it running, companies properly escrow fewer than 40% of recovery keys in Apple environments, and 64.5% of companies have discovered unsecured devices they thought were covered. Absolute Security and Jamf's own data confirm the pattern across the industry.
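The drift described above only shows up when the tools' exports are reconciled against each other, since each console reports only what it knows. The script below is an added example, not Zip's code: it joins three constructed exports (MDM inventory, EDR agent check-ins, and encryption/escrow status) and computes EDR-running and key-escrow coverage against the full device denominator. The serial numbers, field names and the seven-day "agent has gone quiet" threshold are assumptions; real Jamf, Intune and CrowdStrike exports use different fields.

```python
"""Cross-tool coverage reconciliation. Added example; all exports below are
constructed and the field names are assumptions, not any vendor's schema."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 21, tzinfo=timezone.utc)   # constructed "today"
STALE_AFTER = timedelta(days=7)   # assumption: a week of silence means not protecting

# Constructed MDM export: the device denominator, with encryption and escrow state.
MDM = {
    "C02AAA": {"enrolled": True,  "encrypted": True,  "key_escrowed": True},
    "C02BBB": {"enrolled": True,  "encrypted": True,  "key_escrowed": False},
    "C02CCC": {"enrolled": False, "encrypted": False, "key_escrowed": False},
    "C02DDD": {"enrolled": True,  "encrypted": True,  "key_escrowed": True},
}
# Constructed EDR export: every agent that has ever checked in, with last-seen time.
EDR = {
    "C02AAA": "2026-05-21T06:00:00Z",
    "C02BBB": "2026-05-01T06:00:00Z",   # agent went quiet three weeks ago
    "C02DDD": "2026-05-20T22:00:00Z",
    "C02EEE": "2026-05-21T01:00:00Z",   # EDR knows a device MDM has never seen
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(mdm, edr, now=NOW, stale_after=STALE_AFTER):
    """Return per-gap device lists plus headline coverage percentages."""
    fleet = set(mdm) | set(edr)  # denominator: anything any tool has seen
    report = {
        "not_enrolled": sorted(s for s in fleet if not mdm.get(s, {}).get("enrolled")),
        "edr_missing": sorted(s for s in mdm if s not in edr),
        "edr_stale": sorted(s for s, seen in edr.items() if now - parse_ts(seen) > stale_after),
        "unencrypted": sorted(s for s, d in mdm.items() if not d["encrypted"]),
        "key_not_escrowed": sorted(s for s, d in mdm.items() if d["encrypted"] and not d["key_escrowed"]),
        "unknown_to_mdm": sorted(s for s in edr if s not in mdm),
    }
    # "EDR running" counts only agents that have checked in recently, not ever.
    running = [s for s, seen in edr.items() if now - parse_ts(seen) <= stale_after]
    report["edr_running_pct"] = round(100 * len(running) / len(fleet), 1)
    # A device encrypted without an escrowed key is unrecoverable, so it does not count.
    escrowed = [s for s, d in mdm.items() if d["encrypted"] and d["key_escrowed"]]
    report["escrow_pct"] = round(100 * len(escrowed) / len(fleet), 1)
    return report


if __name__ == "__main__":
    for key, value in reconcile(MDM, EDR).items():
        print(f"{key}: {value}")
```

Each console on its own would report the C02BBB agent as present and the C02EEE device as protected; only the join shows the first as silent and the second as outside MDM entirely.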

Small businesses currently consider three options, and each breaks down:

  • DIY works at small scale but collapses fast. One person can't monitor Jamf, Intune, CrowdStrike, and Okta across separate consoles. The alert backlog becomes the normal backlog.
  • Managed Service Providers (MSPs) keep computers working and employees logged in. Their mandate is keeping things running. Security is downstream of that. CISA names MSPs as a ransomware infection vector, and Zip has found CrowdStrike at 45% deployment in environments where the MSP charged for full coverage.
  • Managed Security Services Providers (MSSPs) monitor alerts but don't build or maintain the security program. For the deeper breakdown, see Zip's MSP vs. MSSP comparison.

Phoebe, a healthcare AI startup, had a compliance tool and a trust center advertising security coverage across device management and EDR. The advertised controls weren't actually running. For a company selling AI to healthcare customers, that gap was a deal-blocker.

After deploying with Zip, Phoebe reached 100% device coverage in under 72 hours with zero engineering tickets and zero workflow interruptions.

BD Emerson, a fractional CISO firm, partnered with Zip to eliminate compliance drift across their client portfolio. They hit a 100% audit success rate across SOC 2, ISO 27001, GDPR, and NIST.

They also cut their clients' CrowdStrike licensing by ~40% and saved clients $200K+ per year without adding headcount.

Get Secure Within 14 Days or Less with Zip Security

These eleven controls work harder when they reinforce each other than when they operate in silos: MFA tied to device posture, EDR connected to the identity provider, and browser controls sharing signal with email security.

Zip's Built and Managed Security Platform is the orchestration layer that makes these tools work together. Jamf and CrowdStrike don't natively share data, so a device can fall out of MDM enrollment while CrowdStrike keeps reporting it as healthy. Identity changes in Okta don't automatically propagate to device management, so offboarded employees keep device access. Zip automates the connections between these tools so information flows seamlessly and gaps close themselves instead of waiting for someone to notice.

Zip starts by selecting the right tools for your environment, deploying and configuring them to a proven security baseline, and then running the program continuously with self-healing security that detects drift and remediates it. You hold the licenses in your own name. If you leave, your tools keep running.

For fractional CISOs and vCISOs managing this checklist across multiple client environments, Zip runs these eleven controls from one dashboard across your entire portfolio, so you can deliver the implementation your clients expect without burning hours on per-client configuration work.

The security you have on day one is the security you have at your next audit. Go from kickoff to deployment in 14 days or less.

Get a quote from Zip and see how fast a 14-day deployment really is.

FAQs About Small Business Cybersecurity Checklists

What Cybersecurity Framework Should a Small Business Follow?

Start with CIS Controls v8.1 IG1, which CIS designed specifically for organizations with limited IT and cybersecurity expertise. IG1 includes 56 safeguards that defend against at least three-quarters of the ATT&CK techniques tied to common attacks.

How Much Does a Basic Small Business Cybersecurity Program Cost?

Costs vary widely based on your existing tools, whether you're already using security features bundled into platforms like Microsoft 365, and whether you need outside help to deploy and manage them. A real-world CIS case study found that over 70% of IG1 controls came free using unused features already in their Kaseya 365 and Microsoft 365 environments.

Do Small Businesses Really Need EDR?

Yes. 88% of small business breaches involved ransomware, and 82% of CrowdStrike's 2025 detections were malware-free. For teams without security staff, pair EDR with MDR so human analysts triage alerts rather than leaving them unreviewed.

What's the Difference Between Having Security Tools and Being Secure?

Having security tools means you've purchased and installed them. Being secure means those tools are running on every device, configured correctly, and staying that way over time. Absolute Security found that endpoint security software fails to protect one in five devices at any given time, and the gap between "installed" and "actually protecting" is where most breaches start.
