Take a look at this small business cybersecurity checklist to see where your company stands (and what work needs to be done).
1. Assess your current security posture
Start by running a risk assessment to understand where your biggest threats are. Common ones include phishing, ransomware, and shadow IT. Then, look at the tools you use, who your third-party vendors are, and any software you use for vulnerabilities. Specific vulnerabilities that hackers actively exploit include:
-
Exposed remote desktop protocol (RDP): RDP allows remote access to computers, but when it’s internet-facing without proper protection, it’s a target for brute force attacks. Threat actors use exposed RDP as an entry point to access your network, escalate privileges, and steal data.
-
Weak or reused passwords: Common passwords are among the first things threat actors try, and give them easy access to your systems.
-
Missing multi-factor authentication (MFA): Without MFA, all an attacker needs is a stolen password. Check which external-facing services, like email, payment portals, and VPNs, lack that all-important second authentication factor.
-
Outdated software and patches: Unpatched applications, operating systems, and firmware contain known vulnerabilities that threat actors actively scan for and exploit.
-
Suspicious activity indicators: Watch for red flags like unauthorized changes to security software, unusual domain lookups, unexpected new administrator accounts, or cleared security logs. These are all common signs that an attacker may have already compromised your system.
Take it one step further and create an asset inventory to catalog your systems, software, third-party vendors, and data. This gives you a clear idea of what you’re protecting and where the gaps exist.
2. Set up strong identity & access management
Make multi-factor authentication (MFA) mandatory on all accounts and admin panels. Use least privilege access, where users only have access to the stuff they need. Use a password manager, and do not reuse passwords.
3. Secure your endpoints
Laptops, desktops, smartphones—even BYOD—they’re all endpoints. Protect them by keeping operating systems, software, and firmware updated, and disabling any unused ports and services.
Most importantly, employ a modern, managed endpoint detection and response (EDR) solution like Huntress to provide 24/7 protection with threat detection. Remember, antivirus software is no longer enough, and taking a layered approach to security is your best bet to staying secure. Huntress Managed EDR adds human-backed detection, isolation, and response to stop threats in their tracks.
Want to learn more? We literally wrote the book: The Straightforward Buyer’s Guide to EDR.
4. Back up everything (and test it!)
Cloud backups are cheap, fast, and easy to automate. Encrypt them at both rest and in transit. Set a backup schedule, either daily or weekly, and stress-test your restore process frequently so you know it works when it counts. When combined with Huntress EDR, backups make sure business continues while EDR stops threats before they can encrypt your data.
5. Train your employees—regularly
Run regular phishing simulations and security awareness training. Teach employees how to spot fake login pages, sketchy email attachments, and even QR code scams. Foster a security-first culture where employees feel comfortable and supported when reporting incidents.
More than half of organizations (55%) have immature identity protection.
~ Huntress Managed ITDR Report, 2025
6. Monitor and respond to incidents
Build a simple incident response plan and communicate this to your team. Assign responsibilities for incident detection, communication, containment, and recovery. Finally, implement centralized logging for visibility and for audit trails.
Note: You don’t need an in-house SOC team to do this well, but we’ve got one if you need it. Managed detection and response services will help you fill any gaps.
7. Lock down your network and Wi-Fi
Change default router passwords, including those for guest access. Use WPA3 encryption and isolate guest networks. Add firewalls (software or hardware) to manage the flow of traffic in and out of your network.
8. Don’t forget mobile and remote work
Remote access is necessary for modern business, but it’s also a massive attack vector. Prioritize these:
-
Secure internet-exposed RDP instances: If RDP has to be internet-facing, put it behind a VPN with MFA. Or better yet, disable RDP entirely if you don’t need it or use alternative solutions like Zero Trust Network Access (ZTNA)
-
Audit, track, and monitor remote access tools: Keep tabs on all remote monitoring and management (RMM) software in your environment. Bad actors often use RMM tools to maintain persistence and move laterally across networks.
-
Control business app use on personal devices: Ban business app use on employee personal devices unless you have a mobile device management (MDM) solution in place to manage and secure them.
Need more info on today’s biggest risks? Check out the Huntress 2025 Cyber Threat Report, which breaks down the latest trends in phishing, ransomware, and more.
