Cybersecurity does not need to be overwhelming. This 25-point checklist covers the essential security controls every business with 10 to 200 employees should have in place. It spans seven critical areas — identity, email, network, endpoints, cloud, backups, and people. Work through each section methodically, and you will close the gaps that attackers exploit most frequently. For a printable version with scoring, download our free PDF checklist.
1. Identity and Access Management
Identity is the foundation of modern security. If attackers can compromise credentials, they own your environment. These controls ensure that stolen passwords alone are not enough to breach your systems.
MFA on all accounts: Every user account — no exceptions for executives, IT staff, or service accounts — must use multi-factor authentication. Not all factors are equal: prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS and voice codes, which can be intercepted or phished, and turn on number matching for push prompts so users cannot be worn down by repeated approval requests. Service accounts that cannot answer an interactive prompt should move to certificate-based or managed-identity authentication and be locked down with conditional access rather than left on a password alone. Microsoft reports that MFA stops more than 99 percent of automated account-compromise attempts.
Eliminate shared accounts: Every user gets a unique identity. Shared accounts make it impossible to audit who did what and create accountability gaps that attackers exploit.
Offboarding within 24 hours: When an employee leaves, disable their accounts across all systems within 24 hours, and immediately for involuntary departures. Disabling the password is not enough on its own: revoke active sessions and refresh tokens, remove their MFA devices, rotate any shared secrets or API keys they knew, and reclaim hardware. Former employees with active credentials are a significant and preventable risk.
Least privilege access: Users should only have access to the systems and data their role requires. Review permissions quarterly and remove anything that is no longer needed. Excessive permissions expand your attack surface unnecessarily.
2. Email and Microsoft 365
Email is the number one attack vector. These controls protect against phishing, spoofing, business email compromise, and data exfiltration through your most critical communication channel.
SPF, DKIM, and DMARC: Configure all three email authentication protocols. SPF lists the hosts authorized to send for your domain, DKIM signs messages cryptographically, and DMARC tells receivers what to do when no aligned SPF or DKIM check passes for the visible From: address. SPF and DKIM on their own do not stop spoofing of the From: header; only a DMARC policy of quarantine or reject does. Start at p=none with rua= reporting enabled, fix the legitimate senders that fail alignment, then move to quarantine and finally to reject. Without these, anyone can send email that appears to come from your domain.
Conditional access policies: Enforce context-aware access decisions — block sign-ins from unusual locations, require compliant devices, and escalate authentication requirements based on risk signals.
Audit logging enabled: Unified audit logs must be active and retained for at least 90 days. Confirm logging is actually turned on rather than assuming it is, check the default retention for your license tier, and export to a SIEM or archive if you need logs kept longer than Microsoft keeps them. Without logs, you cannot investigate incidents, detect compromised accounts, or prove compliance.
M365 backup in place: Microsoft's native retention is not backup. Deploy a third-party backup solution that provides independent copies of Exchange, SharePoint, OneDrive, and Teams data with granular restore capabilities.
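A quick way to check the SPF and DMARC part of the email item above is to pull the TXT records and look for the handful of settings that decide whether they actually protect you. The script below is an added example written for this article, not code from the checklist or any vendor; it runs against constructed record strings for invented domains and does no DNS lookups. DKIM is left out because its strength can only be judged against a signed message, not from a record alone.

```python
"""Evaluate SPF and DMARC TXT records for the weaknesses that matter.

Added example; not from the original checklist. It works on constructed
record strings and makes no DNS lookups. DKIM is left out because its
strength can only be judged against a signed message, not from a record.
"""
import re

# Constructed sample records for invented domains.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.google.com +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 allows 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/].*)?$")


def evaluate_spf(record):
    """Return a list of findings for an SPF record; an empty list means OK."""
    if not record:
        return ["SPF: no record published; any host may claim to send for this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
        elif qualifier == "~":
            findings.append("SPF: '~all' (softfail) is acceptable only with DMARC enforcement")
    lookups = [t for t in terms[1:] if _LOOKUP_TERM.match(t.lower())]
    if len(lookups) > 10:
        findings.append(f"SPF: {len(lookups)} lookup terms exceeds the limit of 10 (permerror)")
    return findings


def evaluate_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means OK."""
    if not record:
        return ["DMARC: no record; the From: header is unprotected and failures are not enforced"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only reports; move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine is a good interim step; target p=reject")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    return findings


def evaluate_domain(records):
    """Combine SPF and DMARC findings for one domain's record set."""
    return evaluate_spf(records.get("spf")) + evaluate_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain)
        for finding in evaluate_domain(records) or ["OK"]:
            print("  -", finding)
```

To use it on your own domain, fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` with your resolver of choice and pass the strings in; the findings map directly onto the items a receiver cares about (a terminal `all` that actually fails unknown senders, a lookup count under the limit, an enforcing DMARC policy, and a reporting address so you see what is being rejected).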
3. Network and Firewall
Your network is the highway attackers use to move laterally after initial compromise. Proper network security limits what they can reach and how fast they can spread.
Firmware and software updates: Keep firewall firmware, switch operating systems, and access point software current. Edge devices sit directly on the internet, are a frequent target for exploitation of publicly known vulnerabilities, and are often missed by patching programs focused on servers and workstations. Subscribe to your vendors' security advisories so you hear about fixes when they are released rather than when they are being exploited.
Network segmentation: Separate your network into zones — user workstations, servers, IoT devices, guest access, and management. Control traffic between zones with explicit rules. A compromised workstation should not be able to reach your backup infrastructure.
Secure WiFi: Use WPA3-Enterprise or WPA2-Enterprise (802.1X with per-user credentials) for corporate wireless rather than a shared pre-shared key that every former employee and contractor still knows. Put guest WiFi on its own VLAN with no route to internal networks. Disable WPS and change default SSID names that reveal equipment type or organization name.
IDS/IPS enabled: Intrusion detection and prevention systems monitor network traffic for known attack patterns, anomalous behavior, and policy violations. Enable these features on your firewall and tune them to reduce false positives while catching real threats.
4. Endpoints
Every laptop, desktop, and mobile device is a potential entry point. Endpoint security ensures that even if a device is targeted, the attack is detected and contained before it spreads.
EDR deployed: Endpoint detection and response goes beyond traditional antivirus. EDR uses behavioral analysis to detect novel threats, provides automated response capabilities, and gives visibility into endpoint activity for investigation.
Automated patching: Operating systems and third-party applications should patch automatically with minimal delay; stage updates through a small pilot group first so a bad patch does not hit every machine at once. Critical vulnerabilities, and anything a vendor or CISA reports as actively exploited, need remediation within 48 hours. The window between vulnerability disclosure and active exploitation continues to shrink.
Disk encryption: Full disk encryption on all devices ensures that lost or stolen hardware does not become a data breach. BitLocker for Windows, FileVault for Mac — both should be enforced through device management policies. Escrow the recovery keys in your MDM or directory so a forgotten password or a failed motherboard does not turn encryption into data loss; encryption without a recoverable key is its own outage.
Mobile device management (MDM): Manage corporate data on mobile devices with MDM or MAM policies. Enforce passcodes, enable remote wipe, and separate corporate data from personal data. Lost phones with unprotected access to email and files are a data breach waiting to happen.
5. Cloud Security
Cloud environments require different security thinking than on-premises. The shared responsibility model means your cloud provider secures the infrastructure — but you secure everything you put in it.
Root and admin account security: Cloud root accounts should have MFA with hardware keys, no access keys, and be used only for break-glass scenarios. Daily administration should use separate accounts with appropriate permissions.
Logging enabled: CloudTrail, Azure Activity Log, or equivalent must be active and sending to a protected, centralized location. These logs are essential for security investigation and compliance.
No public access by default: Storage buckets, databases, and compute instances should never be publicly accessible unless explicitly required and reviewed. Misconfigured public access is one of the most common cloud security failures.
Encryption at rest and in transit: Enable encryption for all data stored in cloud services and ensure all communications use TLS. Most cloud providers offer this at no additional cost — it just needs to be enabled.
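The root-account item above is easy to state and easy to let drift. In AWS the fastest way to check it, along with MFA coverage for every IAM user, is the IAM credential report. The script below is an added example written for this article, not code from the checklist or from AWS; it parses a constructed report in the CSV layout that `aws iam get-credential-report` returns (the real output is base64-encoded in the Content field; decode it and pass the text in). The account ID, user names and dates are invented.

```python
"""Audit an AWS IAM credential report for root hygiene and MFA gaps.

Added example; not from the original checklist. The CSV is a constructed
sample using a subset of the columns that `aws iam get-credential-report`
returns (the real report is base64-encoded in its Content field; decode it
and pass the text to audit_credential_report). Account ID and names are
invented.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed sample report: one root row and three IAM users.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2021-06-06T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
"""

# Fixed "now" so the sample run is reproducible.
SAMPLE_NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


def _parse_ts(value):
    """ISO-8601 timestamp -> datetime; the report uses N/A / no_information for none."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=None):
    """Return (user, finding) tuples for the root and MFA controls in this section."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should be break-glass only: MFA on, no programmatic keys at all.
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root user has an active access key ({n})"))
            continue
        # Humans with console passwords need MFA; automation should not have passwords.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is not None:
                    age = (now - rotated).days
                    if age > MAX_KEY_AGE_DAYS:
                        findings.append((user, f"access key {n} is {age} days old"))
    return findings


def run_sample():
    """Run the audit over the constructed report at the fixed sample time."""
    return audit_credential_report(SAMPLE_REPORT, now=SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:15} {finding}")
```

Run this from a scheduled job and treat any root finding as a page-someone event; the user-level findings (passwords without MFA, stale keys) are the routine backlog the quarterly permission review in the identity section should clear.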
6. Backup and Recovery
Backups are your last line of defense against ransomware, accidental deletion, and catastrophic failures. But backups only matter if they actually restore when you need them.
3-2-1 backup strategy: Three copies of critical data, on two different storage types, with one copy offsite or in a separate account. This ensures no single failure — hardware, software, or attack — can destroy all your recovery options.
Immutable backups: At least one backup copy should be immutable — protected against deletion or modification even by administrators, and even by the backup software's own service account. This prevents ransomware from destroying your recovery path. Use WORM storage, S3 Object Lock, Backup Vault Lock, or air-gapped systems, and set the retention period longer than the time an intruder could sit undetected in your environment; a 7-day lock is no help if the intrusion began weeks before the encryption event.
Restore testing: Test restoring from backups at least quarterly. Verify that restored data is complete, applications function correctly, and document how long recovery actually takes. Your tested restore time is your real RTO — not the number in your plan.
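Restore testing only proves something if you compare what came back against what went in. The script below is an added example written for this article, not code from the checklist or from any backup product: it records a manifest of SHA-256 hashes at backup time, then checks a restored tree against that manifest and reports files that are missing, silently changed, or unexpected. The sample data, the simulated lossy restore, and the manifest format (digest, size, relative path per line) are all constructed for the example.

```python
"""Verify a restored backup against a hash manifest taken at backup time.

Added example; not from the original checklist. It builds a constructed
sample data set in a temporary directory, writes a manifest of SHA-256
hashes, simulates a restore that loses one file and corrupts another, and
reports the difference. The manifest format (digest, size, relative path,
tab-separated) is an assumption chosen for this example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return manifest


def write_manifest(manifest, path):
    """Persist the manifest; keep this file separate from the backup it describes."""
    with open(path, "w") as f:
        for rel, (size, digest) in sorted(manifest.items()):
            f.write(f"{digest}\t{size}\t{rel}\n")


def read_manifest(path):
    """Inverse of write_manifest."""
    manifest = {}
    with open(path) as f:
        for line in f:
            digest, size, rel = line.rstrip("\n").split("\t", 2)
            manifest[rel] = (int(size), digest)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest; returns lists of problems by kind."""
    restored = build_manifest(restored_root)
    common = set(manifest) & set(restored)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "changed": sorted(rel for rel in common if manifest[rel] != restored[rel]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def run_sample():
    """Constructed end-to-end run: backup, manifest, lossy restore, verify."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        src = work / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n2,250\n")
        (src / "finance" / "notes.txt").write_bytes(b"quarterly close checklist\n")
        (src / "readme.txt").write_bytes(b"restore me\n")

        manifest_path = work / "manifest.txt"
        write_manifest(build_manifest(src), manifest_path)

        # Simulated restore: copy, then lose one file and silently corrupt another.
        dst = work / "restored"
        shutil.copytree(src, dst)
        (dst / "finance" / "notes.txt").unlink()
        (dst / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n2,25\n")

        return verify_restore(read_manifest(manifest_path), dst)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items or 'none'}")
```

Hashing catches the case a size or file-count check misses: a file that restored at the right size with the wrong contents. Store the manifest alongside your immutable copy, restore into an isolated environment, and record how long the restore took while you are at it; that number is your real RTO.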
7. People and Process
Technology alone cannot protect your business. Your people and processes determine whether security controls are effective or just checkboxes on paper.
Security awareness training: Train all employees on phishing recognition, password hygiene, social engineering, and reporting suspicious activity. Training should be ongoing — monthly micro-training is more effective than annual hour-long sessions.
Incident response plan: Document what happens when a security event occurs — who to contact, how to contain it, how to communicate, and how to recover. Test the plan with tabletop exercises at least twice per year. An untested plan is unreliable under pressure.
Cyber insurance: Maintain a cyber insurance policy that covers ransomware, business interruption, data breach notification, and legal costs. Review coverage annually and ensure you meet all policy conditions — many claims are denied for non-compliance with stated security controls.
Download the Complete Checklist
This article covers the essentials, but our downloadable PDF includes detailed scoring criteria, implementation priority rankings, and space to document your current status for each control. Use it as a living document to track your security improvement over time. Get the free PDF checklist →
Progress Over Perfection
You do not need to implement every control at once. Start with the highest-impact items — MFA, backups, and email security — then work through the remaining controls systematically. Every check you complete reduces your attack surface and improves your resilience.