Small businesses are not too small to be targeted. They are targeted specifically because they are assumed to have weak defences. Ransomware groups, phishing campaigns, and credential stuffing attacks are largely automated — your size does not protect you.
This checklist covers the 25 most impactful security actions for small businesses in 2026, grouped by area and ordered within each group by priority. Work through the red-bordered items first — they address the highest-probability threats with the lowest implementation cost.
1. Accounts and access control
Enable multi-factor authentication (MFA) on every business account: email, cloud storage, accounting software, banking, and any SaaS tools your team uses.
Audit who has admin access to your critical systems. Remove access for former employees and contractors immediately. Most breaches start with a credential that should have been revoked.
Use a password manager (1Password, Bitwarden, or similar). Shared spreadsheets of passwords are a single point of failure and a compliance risk.
Create a process for revoking access on the same day someone leaves the organisation — not the same week.
Restrict admin accounts to admin tasks. Day-to-day work should happen from a standard account, not an account with full system privileges.
2. Website security
Confirm your website is served over HTTPS with a valid certificate. HTTP-only sites rank poorly and expose visitor data.
Set security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Check yours at securityheaders.com.
Keep your CMS, plugins, and themes updated. Outdated WordPress plugins are the most common entry point for website compromises.
Remove unused plugins, themes, and user accounts from your CMS. Attack surface reduction costs nothing.
Ensure contact forms and any data inputs are protected against injection attacks and are rate-limited to prevent abuse.
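A quick way to verify the security-header item above is to run the headers your site actually returns through a checker. The script below is an added example, not tooling from the original page: it takes a dict of response headers (constructed sample included; in practice you would capture them with your HTTP client of choice) and reports missing or weak values. Strict-Transport-Security is included because it backs the HTTPS item even though the checklist does not name it.

```python
# Audit an HTTP response's security headers against the website checklist items.
REQUIRED = {  # lower-case header name -> acceptable values (None: presence only)
    "content-security-policy": None,       # value inspected separately below
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {"no-referrer", "same-origin", "strict-origin",
                        "strict-origin-when-cross-origin"},
    "permissions-policy": None,
    "strict-transport-security": None,     # value inspected separately below
}


def audit_security_headers(headers):
    """Return a list of findings for a dict of response headers; [] means it passes."""
    h = {k.lower().strip(): str(v).strip() for k, v in headers.items()}
    findings = []
    for name, allowed in REQUIRED.items():
        if name not in h:
            findings.append(f"missing: {name}")
        elif allowed is not None and h[name].lower() not in allowed:
            findings.append(f"weak value: {name}={h[name]}")
    # CSP: script execution must not fall through to inline or wildcard sources.
    directives = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if directives:
        script = directives.get("script-src", directives.get("default-src", []))
        if not script:
            findings.append("csp: no script-src or default-src directive")
        elif "'unsafe-inline'" in script or "*" in script:
            findings.append("csp: script-src allows inline or wildcard sources")
    # HSTS: a short max-age gives little protection against downgrade to HTTP.
    hsts = h.get("strict-transport-security", "")
    if hsts:
        max_age = 0
        for token in hsts.split(";"):
            key, _, value = token.strip().partition("=")
            if key.lower() == "max-age" and value.strip().isdigit():
                max_age = int(value)
        if max_age < 31536000:  # one year
            findings.append(f"hsts: max-age {max_age} is below one year")
    return findings


# Constructed sample headers, as a small-business site might send them.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
```

Each finding maps directly to one checklist item, so an empty list is the goal; a deprecated X-Frame-Options value such as ALLOW-FROM is flagged because browsers ignore it.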
3. Customer data protection
Know exactly what customer data you collect, where it is stored, and who has access to it. You cannot protect data you have not mapped.
Do not store sensitive data you do not need. If you do not need card numbers, do not store them. If you do not need ID documents beyond verification, delete them after use.
Ensure any third-party tools you use (CRM, email, analytics) have data processing agreements in place. This is required under GDPR when you handle EU customers' data, and good practice everywhere.
Have a simple written privacy policy that accurately describes what you collect and how you use it. Inaccurate privacy policies create legal exposure.
Know how to respond to a data rights request (access, deletion) within 30 days. GDPR and CCPA require this; having a process before you need it is far less stressful.
4. Backups
Follow the 3-2-1 rule: three copies of important data, on two different media types, with one copy offsite (cloud counts). Backups on the same machine as the original are not backups.
Test your backups by restoring from them. A backup you have never restored from is a backup you do not actually have.
Automate your backups. Manual backup processes fail when someone forgets, is sick, or leaves.
Ensure backups are not directly accessible from the machines they back up. Ransomware attacks frequently target connected backup drives and cloud sync folders.
5. Email and employee hygiene
Configure SPF, DKIM, and DMARC records for your domain. This prevents attackers from sending email that appears to come from your domain — a common supplier fraud vector.
Train staff to recognise phishing. A 30-minute annual session covering the most common patterns (urgency, impersonation, suspicious links) meaningfully reduces click rates.
Establish a process for verifying bank detail change requests by phone before acting on them. Business email compromise (BEC) fraud almost always involves a spoofed email changing payment details.
Lock devices with a PIN or biometrics and configure auto-lock after five minutes of inactivity on all work devices.
Separate work and personal accounts on devices. If a personal email account is compromised on a work laptop, the blast radius is contained.
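Publishing SPF and DMARC records is only half of the email item above; the records also have to say something enforceable. The script below is an added example, not part of the original checklist: it grades the TXT records for a domain (constructed sample values included; the real ones come from `dig TXT example.com` and `dig TXT _dmarc.example.com`) and reports the settings that still let spoofed mail through.

```python
# Assess SPF and DMARC TXT records for the weaknesses that leave a domain spoofable.
SPF_LOOKUP_NAMES = {"include", "a", "mx", "exists", "redirect"}  # count toward SPF's 10-lookup limit


def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    return tags


def costs_lookup(term):
    name = term.lstrip("+-~?").lower().split(":")[0].split("/")[0].split("=")[0]
    return name in SPF_LOOKUP_NAMES


def assess_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf: no v=spf1 record published"]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("spf: no 'all' mechanism, so unlisted senders are not rejected")
    elif all_term.lower() in ("+all", "?all", "all"):
        findings.append(f"spf: '{all_term}' lets anyone send as your domain")
    elif all_term.lower() == "~all":
        findings.append("spf: '~all' soft-fails; move to '-all' once DMARC reports look clean")
    lookups = sum(1 for t in terms if costs_lookup(t))
    if lookups > 10:
        findings.append(f"spf: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc: no v=DMARC1 record at _dmarc.<domain>"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"dmarc: p={policy or 'missing'} does not block spoofed mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"dmarc: pct={tags['pct']} leaves some spoofed mail unfiltered")
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so you receive no aggregate reports")
    return findings


# Constructed records for a hypothetical domain, typical of a first-pass setup.
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; pct=50"
```

A domain with p=none is monitoring only; the BEC item below is only mitigated once the policy reaches quarantine or reject and receiving mail servers can act on it.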
What to fix first
If you are starting from scratch, the highest-impact actions in order are:
- MFA on email and banking — these are the highest-value targets for attackers.
- Audit and revoke unnecessary admin access.
- Set up a password manager across the team.
- Configure DMARC on your email domain.
- Test your backups by restoring from them.
These five actions address the most common causes of small business security incidents and can typically be completed in a single working day without external help.
When to call in an expert
Self-service security gets you a long way. The cases where external expertise adds clear value:
- You handle sensitive regulated data (health records, financial data, payment cards) and need to demonstrate compliance.
- You have experienced an incident and need to understand the scope of the breach.
- You are building or deploying software and need the code and infrastructure reviewed before launch.
- You want a formal penetration test of your web application or network.
For everything on this checklist, the right starting point is doing it yourself — not hiring a consultant to do it for you.