
Table of contents
- Introduction
- Quick takeaways
- SMB cybersecurity: 2025 snapshot
- NIST cybersecurity framework
- GOVERN: Establish your cybersecurity foundation
- IDENTIFY: Know what you need to protect
- PROTECT: Implement your core defenses
- DETECT: Monitor for suspicious activity
- RESPOND: Plan for a security incident
- RECOVER: Ensure business continuity
- Frequently Asked Questions
- Conclusion
Introduction
60% of small businesses that suffer a cyberattack shut down within six months, a figure the U.S. Securities and Exchange Commission has cited in its own guidance on small-business cybersecurity.
Small and medium-sized businesses have become prime targets for cybercriminals. The reason? These organizations hold valuable customer data, financial records, and intellectual property, yet they often lack the dedicated security teams and enterprise-grade defenses of larger corporations.
But here's the good news: you don't need a Fortune 500 budget to build robust defenses. What you need is a systematic approach, starting with the fundamentals and building from there.
This guide provides a comprehensive, step-by-step cybersecurity checklist based on the National Institute of Standards and Technology (NIST) framework — the same standard used by government agencies and major corporations. We'll walk you through everything from securing passwords and training employees to creating an incident response plan, with a focus on practical solutions that actually work.
Quick takeaways
The 7 most critical actions to protect your business:
- Enable multi-factor authentication (MFA) on all business accounts and systems
- Train your team quarterly on phishing recognition and security best practices
- Implement the 3-2-1 backup rule and test your backups monthly
- Create an incident response plan before you need it
- Conduct a risk assessment to identify your most valuable assets and biggest vulnerabilities
- Deploy a password manager to eliminate weak and reused passwords across your organization
- Keep all software patched and updated with automatic updates wherever possible
SMB cybersecurity: 2025 snapshot
SMBs are prime targets
46% of all cyber breaches impact businesses with fewer than 1,000 employees, and 43% of SMBs faced at least one cyber attack in the past 12 months (October 2025). These statistics represent real businesses, many of which never recovered.
Cybercriminals target small businesses because they’re often the path of least resistance. These organizations have valuable data but typically lack dedicated security staff, making them an attractive target with a high probability of success.
Financial impact
The average cost of a data breach for a small business ranges from $120,000 to $1.24 million, according to research cited by Verizon. IBM's 2025 Cost of a Data Breach Report puts the global average across organizations of all sizes at $4.44 million, but that figure is dominated by large enterprises and is not a small-business benchmark.
But the financial damage extends beyond immediate costs. Factor in lost business, damaged reputation, legal fees, regulatory fines, and the operational disruption of recovering from an attack, and the true cost becomes existential for many small businesses.
Top threats in 2025
Ransomware: Ransomware remains the most damaging attack type for small and medium-sized businesses. In 2025, 88% of all SMB breaches involved ransomware attacks, significantly exceeding the 39% rate seen in larger enterprises. 47% of small businesses (with annual revenue under $10 million) were hit by ransomware in the last year, with 75% of SMBs stating they could not continue operating if successfully attacked.
Phishing and social engineering: Deceptive emails and messages designed to trick employees into revealing credentials or transferring money. 95% of breaches involve human error, making this the most common attack vector.
Business Email Compromise (BEC): Sophisticated scams where attackers impersonate executives or vendors to authorize fraudulent wire transfers. The FBI reported BEC losses of $2.77 billion in 2024 across 21,442 complaints.
NIST cybersecurity framework
Rather than approaching security in an ad hoc manner, this guide follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) version 2.0, a structured, systematic approach used by organizations worldwide.
The framework consists of six core functions (GOVERN is new in version 2.0, released in 2024; earlier versions had five):
- GOVERN: Establish policies, assign responsibilities, and understand your risk landscape
- IDENTIFY: Know what assets you need to protect and where your vulnerabilities lie
- PROTECT: Implement safeguards to ensure delivery of critical services
- DETECT: Develop capabilities to identify cybersecurity events quickly
- RESPOND: Take action when a security incident is detected
- RECOVER: Restore capabilities and services impaired by an incident
This systematic approach ensures you're not just implementing random security measures, but building a comprehensive defense strategy that addresses all aspects of cybersecurity.
GOVERN: Establish your cybersecurity foundation
Step 1. Create a cybersecurity policy
A cybersecurity policy is your organization's rulebook for security. It defines acceptable behavior, establishes standards, and sets clear expectations for everyone in your company.
Your policy should cover:
- Acceptable use: What employees can and cannot do with company devices, networks, and data. This includes guidelines on personal use of company equipment, prohibited websites, and acceptable software installations.
- Password policy: Requirements for password strength, uniqueness, and management. Specify that employees must use unique passwords for each account, never share credentials, and store passwords only in approved password managers.
- Data handling: How to classify, store, share, and dispose of different types of company and customer data. Define what constitutes confidential information and how it should be protected.
- Incident reporting: Clear procedures for reporting suspected security incidents, including who to contact and what information to provide.
Step 2. Conduct a risk assessment
A risk assessment helps you identify your most valuable assets and your biggest vulnerabilities so you can prioritize your security investments.
Start by asking:
- What data would be most damaging if stolen or destroyed? (Customer records, financial data, intellectual property, employee information)
- Which systems are critical to daily operations? (Email, CRM, payment processing, file servers)
- What are our biggest vulnerabilities? (Outdated software, lack of MFA, untrained employees, poor backup procedures)
- What would be the business impact of various incidents? (Ransomware, data breach, extended downtime)
Step 3. Address compliance requirements
Depending on your industry and location, you may have legal obligations for data protection:
- GDPR (General Data Protection Regulation): If you handle data of EU residents, you must comply with strict data protection and privacy requirements, including notifying the supervisory authority within 72 hours of becoming aware of a personal data breach.
- HIPAA (Health Insurance Portability and Accountability Act): Healthcare providers and their business associates must protect patient health information with specific technical, physical, and administrative safeguards.
- PCI DSS (Payment Card Industry Data Security Standard): If you accept credit card payments, you must comply with PCI DSS requirements for protecting cardholder data.
- SOX (Sarbanes-Oxley Act): Publicly traded companies must implement controls to ensure the accuracy and security of financial data, including IT systems that store or process financial information.
Step 4. Consider cyber insurance
Cyber insurance can help cover the costs of a breach, including forensic investigation, legal fees, customer notification, credit monitoring services, and business interruption losses.
However, insurance isn't a substitute for good security practices. Insurers increasingly require evidence of basic security controls, like MFA, employee training, and regular backups before issuing coverage. Premiums have also risen significantly, with some businesses seeing increases of 50-100% in recent years.
IDENTIFY: Know what you need to protect
Step 5. Inventory your hardware and software
Create and maintain an inventory of all devices and applications connected to your network:
- Hardware: Computers, laptops, servers, mobile devices, routers, switches, printers, IoT devices
- Software: Operating systems, business applications, cloud services, browser extensions
Include details like device owner, operating system version, software version, and last update date. This inventory serves multiple purposes: identifying outdated or unsupported systems, tracking devices when employees leave, and understanding your attack surface.
Step 6. Classify your data
Not all data requires the same level of protection. Classify your data into categories to prioritize security efforts:
- Public: Information intended for public consumption (marketing materials, published content)
- Internal: Information for internal use that wouldn't cause significant harm if disclosed (internal memos, general business documents)
- Confidential: Sensitive information that could cause significant harm if disclosed (customer data, financial records, employee information, trade secrets, intellectual property)
- Restricted: Highly sensitive information subject to regulatory requirements (payment card data, health records, personally identifiable information)
PROTECT: Implement your core defenses
Step 7. Secure your passwords
Weak and compromised credentials are the leading cause of data breaches. Verizon's Data Breach Investigations Report has repeatedly found stolen credentials to be the most common way into web applications: 86% of the basic web application attacks it analyzed involved stolen or compromised credentials, and credential abuse remains one of the top initial access vectors across breaches of every kind.
The problem is simple: humans are terrible at creating and remembering strong, unique passwords. The average person has 100+ online accounts but uses the same handful of passwords across many of them. When one site is breached, attackers use those credentials to access other accounts — a technique called credential stuffing.
The solution: Password managers
A password manager is the single most impactful security tool you can deploy. It generates strong, unique passwords for every account, stores them in an encrypted vault, and automatically fills them when needed.
For businesses, a password manager like Passwork provides:
- Centralized password management: Store all company credentials in a secure, encrypted vault accessible only to authorized team members.
- Password generation: Create cryptographically strong passwords of 15+ characters with mixed case, numbers, and symbols — passwords that are virtually impossible to crack through brute force.
- Secure sharing: Share credentials with team members without exposing the actual password. When an employee leaves, revoke access instantly without changing dozens of passwords.
- Security dashboard: Identify weak, reused, or compromised passwords across your organization. Passwork's Security Dashboard provides visibility into your password hygiene and helps prioritize remediation efforts.
- Audit trail: Track who accessed which credentials and when, providing accountability and helping investigate potential security incidents.
Even with a password manager, establish minimum standards:
- Minimum 15 characters (longer is always better)
- Unique for every account (never reuse passwords)
- Randomly generated (no dictionary words, personal information, or predictable patterns)
- Stored only in the password manager (never in browsers, spreadsheets, or sticky notes)
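As an added example (not Passwork's code, nor code from the original article), the Python script below shows the two mechanical parts of the standards above: generating passwords from the operating system's CSPRNG, and auditing a vault for short, low-entropy, reused and known-breached passwords, which is what a password manager's security dashboard does behind the scenes. The vault entries and the three "breached" passwords are constructed for the example. The breached set is stored as SHA-1 digests, the form Have I Been Pwned publishes; a real deployment would query its range API with only the first five hex characters of a digest (k-anonymity) instead of keeping a local list.

```python
# Added example: generate policy-compliant passwords and audit a constructed
# vault for weak, reused and known-breached entries. Not the article's code.
import hashlib
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

MIN_LENGTH = 15                                  # from the checklist above
WEAK_BELOW_BITS = 75                             # assumed strength threshold
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets), never random.random()."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming every character was drawn uniformly from
    the character classes present. Dictionary words inflate this number,
    which is why the breach check below is needed as well."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)          # 32
    return len(password) * math.log2(pool) if pool else 0.0


# Constructed stand-in for a breached-password corpus, kept as SHA-1 digests
# so plaintexts never sit on disk.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Summer2024!", "Welcome1")
}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def audit_vault(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """entries maps account name -> password. Returns account names by finding."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_password: Dict[str, List[str]] = defaultdict(list)
    for account, pw in entries.items():
        by_password[pw].append(account)
        if len(pw) < MIN_LENGTH:
            findings["too_short"].append(account)
        if entropy_bits(pw) < WEAK_BELOW_BITS:
            findings["weak"].append(account)
        if is_breached(pw):
            findings["breached"].append(account)
    for accounts in by_password.values():
        if len(accounts) > 1:                    # same password on two accounts
            findings["reused"].extend(sorted(accounts))
    return dict(findings)


# Constructed vault: one generated secret, one reused pair, one breached entry.
SAMPLE_VAULT = {
    "crm-admin": "Password123!",
    "bank-portal": "Password123!",
    "mail-admin": "Summer2024!",
    "backup-service": "x7#Qm9!vLp2&Rt4zWk8@",
}

if __name__ == "__main__":
    print("generated:", generate_password())
    for category, accounts in audit_vault(SAMPLE_VAULT).items():
        print(f"{category:10} {accounts}")
```

Note what the audit shows: "Password123!" scores about 79 bits by the character-class estimate and would pass a naive strength meter, yet it is flagged because it appears in the breached set. Length and character classes are necessary, not sufficient; reuse and breach checks are what catch credential-stuffing risk.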
Step 8. Enforce Multi-Factor Authentication (MFA)
Multi-factor authentication requires two or more verification methods to access an account: something you know (password), something you have (phone or security key), or something you are (fingerprint or face).
Enable MFA immediately on:
- Email accounts (your email is the key to resetting all other passwords)
- Financial and banking systems
- Cloud storage and file sharing
- Administrative and privileged accounts
- Any system containing sensitive data
Not all second factors are equal. Prefer an authenticator app, or better, a hardware security key or passkey (FIDO2), over SMS codes: SMS can be intercepted through SIM swapping, and a one-time code typed into a fake login page can be relayed to the real site by a phishing kit, whereas FIDO2 credentials are bound to the site's origin and cannot be phished that way. Protect the enrolment and account-recovery paths too, since an attacker who can enrol a new device bypasses the factor entirely.
Step 9. Train your employees
Technology alone cannot protect your business. 95% of breaches involve human error — an employee clicking a phishing link, falling for a social engineering scam, or misconfiguring a system.
Training program structure:
- Onboarding training: All new employees should complete security awareness training within their first week. Cover the basics: password security, phishing recognition, physical security, acceptable use policy, and incident reporting.
- Annual refresher training: Security threats evolve. Conduct comprehensive refresher training at least annually to cover new threats, reinforce fundamentals, and update employees on policy changes.
- Phishing simulations: Send simulated phishing emails quarterly to test employee awareness and identify individuals who need additional training. This provides measurable data on your organization's security posture and keeps security top-of-mind.
- Targeted training: When employees fall for simulated phishing or make security mistakes, provide immediate, constructive training rather than punishment. The goal is learning, not blame.
Key topics to cover:
- Phishing recognition: How to identify suspicious emails, including checking sender addresses, hovering over links before clicking, watching for urgency and fear tactics, and verifying requests through alternative channels.
- Social engineering: Tactics attackers use to manipulate people into divulging information or taking actions, including pretexting, baiting, and tailgating.
- Password security: The importance of unique passwords, using the company password manager, never sharing credentials, and reporting suspected compromises.
- Physical security: Locking screens when away from desks, securing mobile devices, proper disposal of sensitive documents, and challenging unknown individuals in the office.
- Incident reporting: How to report suspected security incidents, who to contact, and the importance of reporting quickly even if unsure.
Step 10. Secure your network
Your network is the foundation of your digital infrastructure. Securing it prevents unauthorized access and protects data in transit.
Firewall: A firewall acts as a barrier between your internal network and the internet, blocking unauthorized access while allowing legitimate traffic. Modern firewalls provide additional features like intrusion prevention, application control, and threat intelligence integration.
Ensure your firewall is:
- Properly configured with rules that follow the principle of least privilege
- Regularly updated with the latest firmware
- Monitored for suspicious activity
Wi-Fi security: Wireless networks are convenient but create additional security risks.
- Use WPA3 (or WPA2 with AES/CCMP if WPA3 isn't available); never WEP or WPA2 with TKIP
- Change the default administrator password on your router, and don't expose its management interface to the internet
- Disable WPS (Wi-Fi Protected Setup), whose PIN method can be brute-forced
- Don't rely on hiding your SSID: it offers no real protection (the name is still visible in client traffic) and it makes your devices broadcast probe requests for that network wherever they go
- Create a separate guest network isolated from your business network, and put IoT devices (printers, cameras, smart TVs) on their own segment as well
VPN (Virtual Private Network): With remote work now standard, VPNs are essential. A VPN encrypts all traffic between remote employees and your business network, protecting sensitive data from interception. Two caveats: require MFA on the VPN itself, since it is a password-protected door into your network, and patch VPN appliances the moment the vendor ships a security fix; internet-facing VPN gateways are among the most heavily exploited entry points for ransomware operators.
Step 11. Protect your endpoints
Endpoints (computers, laptops, mobile devices) are where employees interact with your systems and data. They're also common entry points for malware and other threats.
Antivirus and Endpoint Detection and Response (EDR): Traditional antivirus is no longer sufficient. Modern threats require more sophisticated detection capabilities.
EDR solutions go beyond signature-based detection to identify suspicious behavior, contain threats automatically, and provide detailed forensics for investigation. While enterprise EDR can be expensive, several vendors now offer affordable solutions designed for small businesses.
At minimum, ensure every device has:
- Modern antivirus/anti-malware software
- Real-time scanning enabled
- Automatic updates configured
- Regular full system scans scheduled
Patch management: 60% of breaches involve unpatched vulnerabilities. Attackers actively scan for systems running outdated software with known vulnerabilities.
Implement a patch management process:
- Enable automatic updates for operating systems and applications wherever possible
- Prioritize critical security patches (apply within 48 hours of release)
- Test patches in a non-production environment if possible, but don't let testing delay critical security updates
- Maintain an inventory of all software to track patch status
- Pay special attention to internet-facing systems and applications
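The inventory from Step 5 and the patch process above are two views of the same data, so here is one added Python example (not from the article) that serves both: it reviews a constructed asset inventory and flags unsupported operating systems, endpoints that have not updated in 30 days, and critical patches that have been pending longer than the 48-hour SLA, with internet-facing systems listed first. The end-of-support table, the 30-day staleness threshold and the sample hosts are assumptions for the example; check vendor lifecycle pages for real dates.

```python
# Added example: review a constructed asset inventory for unsupported OS
# versions, stale endpoints and critical patches past the 48-hour SLA.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

CRITICAL_PATCH_SLA = timedelta(hours=48)   # from the checklist above
STALE_AFTER = timedelta(days=30)           # assumed "has stopped updating" threshold

# Assumed end-of-support dates; None means still supported. Confirm against
# the vendor's lifecycle page before relying on them.
END_OF_SUPPORT = {
    "Windows 10": date(2025, 10, 14),
    "Windows 11": None,
    "Ubuntu 20.04": date(2025, 5, 31),
    "Ubuntu 24.04": None,
}


@dataclass
class Asset:
    hostname: str
    owner: str
    os: str
    internet_facing: bool
    last_update: date
    # Release date of the oldest critical patch not yet applied, if any.
    pending_critical_since: Optional[date] = None


Finding = Tuple[str, str, str]   # (hostname, category, detail)


def review_inventory(assets: List[Asset], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for a in assets:
        # An OS missing from the table is treated as unsupported: unknown is not safe.
        eos = END_OF_SUPPORT.get(a.os, date.min)
        if eos is not None and eos <= today:
            findings.append((a.hostname, "unsupported-os", a.os))
        if today - a.last_update > STALE_AFTER:
            findings.append((a.hostname, "stale", f"last update {a.last_update}"))
        if a.pending_critical_since and today - a.pending_critical_since > CRITICAL_PATCH_SLA:
            category = "sla-breach-internet-facing" if a.internet_facing else "sla-breach"
            findings.append((a.hostname, category,
                             f"critical patch pending since {a.pending_critical_since}"))
    # Internet-facing SLA breaches first, then everything else by hostname.
    return sorted(findings, key=lambda f: (0 if f[1].endswith("internet-facing") else 1, f[0]))


# Constructed inventory snapshot.
TODAY = date(2025, 11, 3)
SAMPLE_INVENTORY = [
    Asset("web-01", "it", "Ubuntu 24.04", True, date(2025, 10, 30), date(2025, 10, 31)),
    Asset("fs-01", "it", "Windows 10", False, date(2025, 9, 1)),
    Asset("laptop-jane", "jane", "Windows 11", False, date(2025, 11, 1), date(2025, 11, 2)),
    Asset("printer-2f", "office", "PrintOS 3", False, date(2024, 1, 15)),
]

if __name__ == "__main__":
    for hostname, category, detail in review_inventory(SAMPLE_INVENTORY, TODAY):
        print(f"{hostname:12} {category:28} {detail}")
```

Run as-is it reports the internet-facing web server's three-day-old critical patch first, then the file server (Windows 10 past end of support, no update in two months) and the printer, whose operating system is not in the table at all; the laptop with a one-day-old pending patch is still inside the SLA and is not reported.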
Mobile Device Management (MDM): If employees use mobile devices for work, implement MDM to enforce security policies, encrypt data, enable remote wipe capabilities, and ensure devices stay updated.
Step 12. Back up your data
The 3-2-1 Backup Rule:
- 3 copies of your data (the original plus two backups)
- 2 different media types (e.g., local disk and cloud storage)
- 1 copy offsite (protected from physical disasters like fire or flood)
What to back up:
- All business-critical data and databases
- Email systems and archives
- Financial records and customer data
- Configuration files and system images
- Intellectual property and work product
Backup frequency:
- Critical systems: Daily or continuous
- Important data: Daily
- Less critical data: Weekly
Retention period: Keep multiple versions spanning at least 30 days. This protects against ransomware that remains dormant before activating, ensuring you have clean backups from before the infection.
Immutable backups: Configure backups to be immutable (cannot be modified or deleted) for a specified period, and run the backup system under its own credentials rather than a domain administrator account. Ransomware operators routinely hunt for backups and delete them before encrypting production data; immutability and separate credentials are what stop that.
Test your backups: Untested backups are just expensive storage. Conduct restoration tests quarterly to verify:
- Backups are completing successfully
- Data can be restored within acceptable timeframes
- Restored data is complete and usable
- Restoration procedures are documented and understood
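As an added example (not from the article), the Python script below checks a constructed backup catalog against the rules in this step: two backup copies on two media with one offsite (3-2-1), at least one immutable copy, a 24-hour RPO, a 30-day retention window, and a restore test that compares the restored bytes against the checksum recorded at backup time rather than just confirming a file came back. The catalog, the datasets and the file content are constructed; the RPO and the 24-hour/30-day thresholds are assumptions you would set from your own business continuity plan.

```python
# Added example: verify a constructed backup catalog against 3-2-1, retention,
# immutability and RPO rules, and verify a restore by checksum.
import hashlib
from datetime import datetime, timedelta
from typing import Dict, List

NOW = datetime(2025, 11, 3)


def daily_snapshots(days: int) -> List[datetime]:
    """Constructed snapshot timestamps: one per day for the last `days` days."""
    return [NOW - timedelta(days=d) for d in range(days)]


# Constructed catalog. Each dataset lists its backup copies; the production
# original is not listed and counts as the third copy in 3-2-1.
CATALOG = {
    "finance-db": [
        {"medium": "local-disk", "location": "onsite", "immutable": False,
         "snapshots": daily_snapshots(14)},
        {"medium": "object-storage", "location": "offsite", "immutable": True,
         "snapshots": daily_snapshots(45)},
    ],
    "file-server": [   # two disks in the same office: looks like 3-2-1, isn't
        {"medium": "local-disk", "location": "onsite", "immutable": False,
         "snapshots": daily_snapshots(7)},
        {"medium": "local-disk", "location": "onsite", "immutable": False,
         "snapshots": daily_snapshots(30)},
    ],
}


def check_dataset(copies, now=NOW, rpo=timedelta(hours=24),
                  retention=timedelta(days=30)) -> List[str]:
    """Return the rule violations for one dataset; an empty list is compliant."""
    problems = []
    if len(copies) < 2:
        problems.append("fewer than 2 backup copies")
    if len({c["medium"] for c in copies}) < 2:
        problems.append("all copies on the same medium")
    if not any(c["location"] == "offsite" for c in copies):
        problems.append("no offsite copy")
    if not any(c["immutable"] for c in copies):
        problems.append("no immutable copy")
    newest = max(max(c["snapshots"]) for c in copies)
    if now - newest > rpo:
        problems.append(f"newest snapshot is {now - newest} old, RPO is {rpo}")
    # Retention is measured from the oldest snapshot still held anywhere.
    oldest = min(min(c["snapshots"]) for c in copies)
    if now - oldest < retention:
        problems.append(f"retention spans {(now - oldest).days} days, policy needs {retention.days}")
    return problems


def run_checks() -> Dict[str, List[str]]:
    return {name: check_dataset(copies) for name, copies in CATALOG.items()}


def restore_matches(checksum_at_backup: str, restored: bytes) -> bool:
    """A restore test passes only if the restored bytes hash to the checksum
    recorded when the backup was taken, not merely if a file comes back."""
    return hashlib.sha256(restored).hexdigest() == checksum_at_backup


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "OK" if not problems else problems)
    ledger = b"2025-11-03,invoice 1042,1500.00\n"      # constructed file content
    recorded = hashlib.sha256(ledger).hexdigest()
    print("restore verified:", restore_matches(recorded, ledger))
```

The file-server dataset fails four rules even though it has two backups with thirty daily snapshots: both copies are local disks, neither is offsite or immutable, and thirty snapshots taken daily only span 29 days from oldest to newest. That last one is the kind of off-by-one that a quarterly restore test, rather than a glance at the backup job's "success" status, tends to surface.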
Step 13. Control access to data
Not everyone needs access to everything. The Principle of Least Privilege states that users should have only the minimum access necessary to perform their job functions.
Role-Based Access Control (RBAC): Define roles based on job functions and assign permissions to roles rather than individuals. When someone changes positions, you simply change their role assignment rather than adjusting dozens of individual permissions.
Regular access reviews: Conduct quarterly reviews of who has access to what. Remove access for departed employees immediately, adjust access for employees who changed roles, and revoke unnecessary permissions.
Privileged account management: Administrative accounts have extensive system access and are prime targets for attackers.
- Limit the number of users with administrative privileges
- Use separate accounts for administrative tasks (never use admin accounts for daily work)
- Require MFA for all privileged accounts
- Log and monitor all privileged account activity
- Implement just-in-time access that grants elevated privileges only when needed and automatically revokes them after a specified period
Shared account elimination: Eliminate shared accounts wherever possible. Every user should have their own credentials for accountability and audit purposes. When shared accounts are unavoidable (legacy systems), use a password manager like Passwork to control access and maintain an audit trail of who accessed the credentials and when.
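As an added example (not from the article or any vendor), the Python script below runs the quarterly access review this step describes over two constructed exports, one from HR and one from the identity system, and reports the problems the text lists: accounts for departed or unknown people, permissions granted beyond what the role defines (privilege creep), administrators without MFA, and shared accounts. The role-to-permission table, the employees and the accounts are constructed; in practice the two exports would come from your HR system and your directory or SSO provider.

```python
# Added example: quarterly access review joining constructed HR and IAM exports.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed RBAC mapping: permissions hang off roles, not individual people.
ROLE_PERMISSIONS = {
    "sales":    {"crm:read", "crm:write"},
    "finance":  {"accounting:read", "accounting:write", "bank:approve"},
    "it-admin": {"ad:admin", "m365:admin"},
}


@dataclass
class Employee:
    username: str
    department: str
    end_date: Optional[date] = None        # set by HR when someone leaves


@dataclass
class Account:
    username: str
    role: str
    permissions: Set[str]                  # what the system actually grants today
    mfa_enabled: bool
    is_admin: bool
    shared: bool = False


Finding = Tuple[str, str, str]             # (username, category, detail)


def access_review(accounts: List[Account], employees: List[Employee],
                  today: date) -> List[Finding]:
    hr = {e.username: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        emp = hr.get(acct.username)
        if acct.shared:
            findings.append((acct.username, "shared-account",
                             "no individual accountability; move the credential into the vault"))
        elif emp is None:
            findings.append((acct.username, "orphan", "no matching employee record"))
        elif emp.end_date is not None and emp.end_date <= today:
            findings.append((acct.username, "departed", f"left {emp.end_date}, access still active"))
        # Privilege creep: anything granted beyond what the assigned role defines.
        excess = acct.permissions - ROLE_PERMISSIONS.get(acct.role, set())
        if excess:
            findings.append((acct.username, "excess-permissions", ", ".join(sorted(excess))))
        if acct.is_admin and not acct.mfa_enabled:
            findings.append((acct.username, "admin-without-mfa", "enforce MFA before next login"))
    return findings


# Constructed exports.
TODAY = date(2025, 11, 3)
EMPLOYEES = [
    Employee("alice", "sales"),
    Employee("bob", "finance", end_date=date(2025, 9, 30)),
    Employee("carol", "it"),
]
ACCOUNTS = [
    # alice moved from finance to sales but kept a finance permission
    Account("alice", "sales", {"crm:read", "crm:write", "bank:approve"}, True, False),
    Account("bob", "finance", {"accounting:read", "accounting:write", "bank:approve"}, True, False),
    Account("carol", "it-admin", {"ad:admin", "m365:admin"}, False, True),
    Account("dave", "sales", {"crm:read"}, True, False),
    Account("reception", "sales", {"crm:read"}, False, False, shared=True),
]

if __name__ == "__main__":
    for username, category, detail in access_review(ACCOUNTS, EMPLOYEES, TODAY):
        print(f"{username:10} {category:20} {detail}")
```

Each sample account trips exactly one rule, which is the usual shape of a first review: the departed user whose deprovisioning was missed, the role change that added permissions without removing old ones, the admin who never enrolled in MFA, and the account nobody in HR can vouch for.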
DETECT: Monitor for suspicious activity
Assume that determined attackers will eventually find a way in. Your goal is to detect and respond before they can cause significant damage.
Step 14. Monitor your systems
Implement logging and monitoring for:
- Failed login attempts: Multiple failed logins may indicate a brute-force attack or compromised credentials.
- Unusual access patterns: Logins from unexpected locations, access to unusual resources, or activity outside normal business hours.
- System changes: New user accounts, permission changes, software installations, or configuration modifications.
- Network traffic anomalies: Unusual outbound traffic, connections to suspicious IP addresses, or large data transfers.
For small businesses without dedicated security staff, consider:
- Security Information and Event Management (SIEM): Cloud-based SIEM solutions designed for SMBs can aggregate logs, identify anomalies, and alert you to potential incidents. Many offer affordable pricing tiers for small businesses.
- Managed Detection and Response (MDR): Outsource monitoring to a security provider who watches your systems 24/7 and alerts you to threats. This provides enterprise-grade detection capabilities at a fraction of the cost of building an internal security operations center.
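As an added example (not from the article), here is a small Python detector for the first three categories above, run over constructed log lines in a key=value format (addresses are from the RFC 5737 documentation ranges). It flags a brute-force pattern (five or more failures from one source inside ten minutes), a successful login that follows a run of failures for the same user, a success outside business hours, and the creation of an account in an administrators group. Real sources (Windows Security events 4625, 4624 and 4720, sshd, your identity provider) need their own parsers, but the logic a SIEM rule or an MDR analyst applies is the same; the thresholds and business hours are assumptions.

```python
# Added example: detection rules over constructed authentication log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed log in key=value form; timestamps are UTC.
LOG = """\
2025-11-03T09:01:10Z event=login user=alice src=198.51.100.7 result=SUCCESS
2025-11-03T09:05:00Z event=login user=bob src=203.0.113.45 result=FAIL
2025-11-03T09:05:04Z event=login user=bob src=203.0.113.45 result=FAIL
2025-11-03T09:05:09Z event=login user=bob src=203.0.113.45 result=FAIL
2025-11-03T09:05:13Z event=login user=bob src=203.0.113.45 result=FAIL
2025-11-03T09:05:18Z event=login user=bob src=203.0.113.45 result=FAIL
2025-11-03T09:05:25Z event=login user=bob src=203.0.113.45 result=SUCCESS
2025-11-03T23:40:02Z event=login user=carol src=192.0.2.88 result=SUCCESS
2025-11-03T23:41:30Z event=useradd user=carol target=svc-backup2 groups=Administrators
2025-11-03T12:00:00Z event=login user=dave src=198.51.100.9 result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
Alert = Tuple[datetime, str, str]   # (when, rule, detail)


def parse(line: str) -> Dict[str, object]:
    m = LINE_RE.match(line)
    fields: Dict[str, object] = dict(kv.split("=", 1) for kv in m["rest"].split())
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines: List[str], fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=10),
           business_hours: Tuple[int, int] = (8, 18)) -> List[Alert]:
    alerts: List[Alert] = []
    fails_by_src: Dict[str, Deque[datetime]] = defaultdict(deque)   # sliding window per source
    flagged_src = set()                                              # alert once per source
    streak_by_user: Dict[str, int] = defaultdict(int)                # consecutive failures
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        ts = ev["ts"]
        if ev["event"] == "login":
            if ev["result"] == "FAIL":
                q = fails_by_src[ev["src"]]
                q.append(ts)
                while q and ts - q[0] > window:       # drop failures outside the window
                    q.popleft()
                if len(q) >= fail_threshold and ev["src"] not in flagged_src:
                    flagged_src.add(ev["src"])
                    alerts.append((ts, "brute-force",
                                   f"{len(q)} failures from {ev['src']} within {window}"))
                streak_by_user[ev["user"]] += 1
            else:
                streak = streak_by_user.pop(ev["user"], 0)
                if streak >= 3:                        # guessing that finally worked
                    alerts.append((ts, "success-after-failures",
                                   f"{ev['user']} succeeded after {streak} failures"))
                if not business_hours[0] <= ts.hour < business_hours[1]:
                    alerts.append((ts, "off-hours-login",
                                   f"{ev['user']} from {ev['src']} at {ts:%H:%M} UTC"))
        elif ev["event"] == "useradd" and "Administrators" in str(ev.get("groups", "")):
            alerts.append((ts, "privileged-account-created",
                           f"{ev['user']} created {ev['target']} in Administrators"))
    return alerts


if __name__ == "__main__":
    for when, rule, detail in detect(LOG.splitlines()):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {rule:28} {detail}")
```

On the sample, dave's single failure produces nothing, while bob's source trips the brute-force rule on the fifth attempt and the login that follows is reported separately, because "the guessing stopped because it worked" is the alert that matters most. The carol lines show why rules should be correlated: a late-night login on its own is a low-severity signal, but one followed within two minutes by a new Administrators account is an incident.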
Step 15. Implement intrusion detection (For advanced SMBs)
As your business grows and your security maturity increases, consider deploying Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS).
These systems monitor network traffic for malicious activity and known attack patterns. IDS alerts you to threats, while IPS can automatically block malicious traffic.
RESPOND: Plan for a security incident
Having a plan in place before an incident occurs dramatically reduces response time, limits damage, and improves recovery outcomes. Yet 47% of SMBs lack an incident response plan.
Step 16. Create an Incident Response (IR) plan
An incident response plan is your playbook for handling security incidents. It defines roles, establishes procedures, and ensures everyone knows what to do when an incident occurs.
The 6-step incident response lifecycle:
1. Preparation
- Develop and document your IR plan
- Assemble your IR team and define roles
- Establish communication procedures
- Prepare tools and resources needed for response
- Conduct training and tabletop exercises
2. Detection and analysis
- Identify potential security incidents through monitoring, alerts, or user reports
- Determine if an actual incident has occurred
- Assess the scope, severity, and type of incident
- Document all findings and actions taken
3. Containment
- Short-term containment: Immediately isolate affected systems to prevent spread (disconnect from network, disable compromised accounts)
- Long-term containment: Implement temporary fixes to allow systems to continue operating while preparing for recovery
- Preserve evidence for investigation and potential legal action
4. Eradication
- Remove the threat from your environment (delete malware, close vulnerabilities, remove unauthorized access)
- Identify and address the root cause
- Ensure the threat is completely eliminated before proceeding to recovery
5. Recovery
- Restore systems and data from clean backups
- Verify systems are functioning normally
- Monitor closely for signs of persistent threats
- Gradually return systems to production
6. Lessons learned
- Conduct a post-incident review within two weeks
- Document what happened, what worked, and what didn't
- Update your IR plan based on lessons learned
- Implement improvements to prevent similar incidents
Key components of your IR plan:
Incident classification: Define severity levels (Low, Medium, High, Critical) with clear criteria and corresponding response procedures.
Contact information: Maintain an updated list of internal team members, external partners (IT support, legal counsel, cyber insurance provider, law enforcement), and key vendors.
Communication procedures: Who communicates what to whom? How do you notify customers of a breach? What's your media response strategy?
Legal and regulatory requirements: Understand breach notification requirements for your jurisdiction and industry. Many regulations require notification within specific timeframes (GDPR: 72 hours, many U.S. state laws: 30-60 days).
Evidence preservation: Document procedures for preserving evidence for investigation and potential legal action.
RECOVER: Ensure business continuity
Step 17. Develop a Business Continuity Plan (BCP)
While your incident response plan focuses on the technical response to a security incident, your business continuity plan addresses how your business will continue operating.
Your BCP should address:
- Critical business functions: Identify which business functions are essential and must continue during an incident (e.g., customer service, order processing, payroll).
- Recovery Time Objectives (RTO): How quickly must each system or function be restored? Different systems have different priorities.
- Recovery Point Objectives (RPO): How much data loss is acceptable? This determines your backup frequency.
- Alternative procedures: How will you perform critical functions if primary systems are unavailable? This might include manual processes, alternative systems, or temporary workarounds.
- Communication plan: How will you communicate with employees, customers, vendors, and partners during an extended outage?
- Succession planning: Who makes decisions if key personnel are unavailable?
Step 18. Test your recovery procedures
Plans that aren't tested are just documents. Conduct regular tests of your recovery procedures:
- Tabletop exercises: Gather your team and walk through incident scenarios. Discuss how you would respond, identify gaps in your plan, and clarify roles and responsibilities. Conduct these exercises at least annually.
- Technical tests: Actually restore systems from backups, fail over to alternative systems, and verify that recovery procedures work as documented. Test quarterly for critical systems.
- Full-scale simulations: For mature organizations, conduct realistic simulations that test your entire response and recovery capability. These are resource-intensive but provide invaluable insights.
Frequently Asked Questions
How much should a small business spend on cybersecurity?
Industry guidelines suggest allocating 3-10% of your IT budget to cybersecurity, with the percentage increasing based on your risk profile and industry. For a small business with a $50,000 annual IT budget, this translates to $1,500-$5,000 per year.
However, don't let budget constraints prevent you from implementing basic security. The fundamental controls — password manager, MFA, employee training, and backups — cost less than $5,000 annually for most small businesses and provide the majority of risk reduction.
What is the most common cyber attack on small businesses?
Phishing is the most common attack type: in the UK government's Cyber Security Breaches Survey 2025, 85% of businesses that identified a breach or attack reported phishing, well ahead of any other category. Phishing attacks trick employees into revealing credentials, downloading malware, or transferring money.
Ransomware is the most damaging attack type for small businesses, with attacks increasing 68% in 2024. The average ransomware payment demanded from small businesses is $200,000, though many organizations pay significantly more when downtime costs are included.
Do I need cyber insurance?
Cyber insurance can be valuable, but it's not a substitute for good security practices. Insurance helps cover costs after a breach, but it doesn't prevent the operational disruption, reputational damage, and customer trust issues that come with an incident.
Consider cyber insurance if:
- You handle sensitive customer data
- You're in a high-risk industry (healthcare, finance, retail)
- You have significant revenue that would be impacted by downtime
- You want to transfer some financial risk
Before purchasing, implement basic security controls. Many insurers now require evidence of MFA, employee training, and regular backups before issuing coverage.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (currently version 2.0) is a voluntary framework developed by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. It provides a common language and systematic approach to cybersecurity through six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
The framework is flexible and scalable, making it appropriate for organizations of all sizes, from small businesses to large enterprises and government agencies.
How often should we conduct security training?
At minimum, conduct comprehensive security awareness training annually for all employees. However, best practice includes:
- Initial training during onboarding (within first week)
- Annual comprehensive refresher training
- Quarterly phishing simulations
- Immediate targeted training when employees fail simulations or make security mistakes
- Ad-hoc training when new threats emerge
Security awareness is not a one-time event—it's an ongoing process. Regular reinforcement keeps security top-of-mind and helps employees recognize evolving threats.
What should we do if we're hit by ransomware?
If you suspect a ransomware infection:
- Immediately isolate affected systems from the network (unplug the cable or disable Wi-Fi rather than powering them off, so evidence in memory is preserved; power down only if you cannot disconnect)
- Do not pay the ransom without legal advice (payment doesn't guarantee data recovery, it funds criminal activity, and paying a sanctioned group can itself break the law)
- Activate your incident response plan
- Contact law enforcement (FBI, local authorities)
- Notify your cyber insurance provider if you have coverage
- Engage cybersecurity experts to contain the threat and investigate
- Restore from clean backups once the threat is eradicated
This is why having tested backups and an incident response plan is critical — they provide options other than paying the ransom.
How do we know if our current security is adequate?
Conduct a security assessment using the NIST Cybersecurity Framework or the CIS Critical Security Controls as a benchmark. Ask:
- Do we have a password manager and is MFA enabled on all critical systems?
- Do we conduct regular security training and phishing simulations?
- Do we have tested backups following the 3-2-1 rule?
- Do we have an incident response plan?
- Are all systems patched and up-to-date?
- Do we monitor systems for suspicious activity?
- Have we conducted a risk assessment in the past year?
If you answered "no" to any of these questions, you have gaps to address. Consider engaging a third-party security assessor for an objective evaluation of your security posture.
Conclusion
Cybersecurity can feel overwhelming, especially for small businesses without dedicated IT security staff. But the reality is that you don't need enterprise-grade tools or a massive budget to significantly reduce your risk.
What you need is a systematic approach: start with the fundamentals, build from there, and continuously improve. The NIST Cybersecurity Framework provides that structure, guiding you through governance, identification, protection, detection, response, and recovery.
The threats are real, and the statistics are sobering. But so is the opportunity. By implementing the controls outlined in this checklist, you'll be far ahead of most small businesses, and far less attractive to attackers who seek the path of least resistance.
Cybersecurity is an ongoing process of assessment, implementation, monitoring, and improvement. Start today with the highest-impact, lowest-cost controls: deploy a password manager, enable MFA, train your team, and implement robust backups.