Resources

Is Your Business Actually Secure?

12 things SMBs most often get wrong — and what to do about each one.

You don't need a security degree to protect your business. You need to know where the gaps are and fix the ones that matter most. Work through this checklist honestly — if you can't check an item, that's where to start.

  1. Multi-factor authentication (MFA) on email and admin accounts. Passwords alone aren't enough. Enable MFA on Microsoft 365, Google Workspace, and every account with admin access. This single step stops the majority of account takeover attacks.
  2. Automatic security updates enabled on all devices. Unpatched software is how most breaches start. Turn on automatic updates for operating systems, browsers, and business applications — don't leave it to employees to click "remind me later."
  3. Regular, tested backups stored off-site. Backups you haven't tested aren't backups — they're wishful thinking. Verify backups run daily, are stored separately from your network, and that you can actually restore from them.
  4. Email filtering and phishing protection active. Phishing is the #1 entry point for ransomware and fraud. Use a business email provider with built-in filtering, or add a dedicated email security layer.
  5. Endpoint protection on every device. Every laptop, desktop, and server needs modern antivirus/EDR — not the free version from 2019. Include remote workers' personal devices if they access company data.
  6. Strong password policy (or a password manager). "Password123" and reused passwords across accounts are how attackers pivot from one breach to your entire business. Provide a business password manager and require unique passwords.
  7. Network firewall with default settings changed. Factory-default router passwords are publicly documented. Change default credentials, disable remote admin access, and segment guest Wi-Fi from your business network.
  8. Employee security awareness training. Your team is both your biggest risk and your best defence. Run quarterly phishing simulations and brief training — it takes 15 minutes and prevents the most common attacks.
  9. Access controls — people only see what they need. Former employees with active accounts, shared admin passwords, and unrestricted file access are all unnecessary risk. Review who has access to what, and remove what isn't needed.
  10. Incident response plan — even a one-page document. If something happens tonight, who do you call? What do you shut down first? Write it down now, while you're calm. Include your MSP, legal counsel, and insurance provider.
  11. Vendor and third-party access reviewed. Every vendor with access to your systems is a potential entry point. Know who has access, review it quarterly, and require MFA on vendor accounts.
  12. Cyber insurance — and you understand what's covered. Read your policy. Many require specific security controls (MFA, backups, EDR) to be in place before they'll pay out. Make sure you meet the requirements before you need them.

Checked fewer than 8? You're not alone — but you are exposed. A security assessment takes about an hour and gives you a prioritised plan to close the gaps that matter most for your business.

Want a professional assessment?

We'll review your environment and give you an honest picture of where you stand — no sales pressure.

Get a Security Assessment