Small Business Security Audit: A Complete DIY Checklist for 2026
Hiring a security consultant for an audit can cost $5,000–$20,000. Here is a comprehensive DIY checklist that covers the same ground — passwords, network, backups, devices, cloud accounts, and employee practices — that you can do yourself in an afternoon.
How to Use This Checklist
Work through each section in order. For each item, mark it Pass ✅, Fail ❌, or Not Applicable ➖. At the end, count your fails — each one is a vulnerability an attacker could exploit. Aim to fix every Fail within 30 days.
Section 1: Passwords & Authentication (10 Checks)
Weak and reused passwords are the most common way small businesses get breached. This section alone fixes the majority of your exposure.
| # | Check | What to Do If You Fail |
|---|---|---|
| 1.1 | Every employee uses a password manager (Bitwarden, 1Password, or similar) | Install Bitwarden for free on everyone's computer and phone. One hour setup for the whole team. |
| 1.2 | No employee reuses passwords across work accounts | Run a password audit in your password manager. Bitwarden and 1Password both have built-in reports. |
| 1.3 | Two-factor authentication (2FA) is enabled on all email accounts | This is the single most impactful change. Enable 2FA in Gmail/Outlook settings today. Takes 5 minutes per account. |
| 1.4 | 2FA is enabled on banking, accounting software, and CRM | Check each service's security settings. Prioritize anything with financial data or customer PII. |
| 1.5 | 2FA is enabled on your domain registrar and DNS provider | If someone hijacks your domain, they own your website and email. Cloudflare, Namecheap, GoDaddy all support 2FA. |
| 1.6 | No passwords are stored in spreadsheets, notes apps, or sticky notes | Move everything into a password manager. Delete the spreadsheet after importing. |
| 1.7 | Default passwords on all devices have been changed (router, printer, security cameras, IoT) | Make a list of every device on your network. Log into each one and change the default password. Document the new passwords in your password manager. |
| 1.8 | Admin accounts are separate from daily-use accounts | Create a separate admin account for each service. Your daily email should not have admin privileges. |
| 1.9 | All passwords are at least 12 characters long | Use your password manager's generator. Set the default to 16+ characters. |
| 1.10 | You have a plan for what happens if an employee leaves (account revocation process) | Write a 5-step offboarding checklist: revoke email access, change shared passwords, revoke app access, collect devices, confirm backup of work files. |
Section 2: Network Security (8 Checks)
Your network is the highway between your devices and the internet. These checks ensure the highway has guardrails.
| # | Check | What to Do If You Fail |
|---|---|---|
| 2.1 | Office Wi-Fi has a strong, unique password (not the default, not shared publicly) | Log into your router admin panel. Change the Wi-Fi password to a random 16+ character string. Share it via password manager. |
| 2.2 | A separate guest Wi-Fi network is configured and isolated from the business network | Most routers have a "Guest Network" setting. Enable it, give it a different name, and enable "AP Isolation" or "Client Isolation." |
| 2.3 | The router admin password has been changed from the factory default | This is step zero. Find your router model's default password online — if yours is still the factory one, change it now. |
| 2.4 | Router firmware is up to date | Log into your router admin panel. Check for updates. If the router is more than 5 years old and not receiving updates, replace it ($100-200). |
| 2.5 | Remote Desktop (RDP, port 3389) is NOT exposed to the internet | This is critical. Use a tool like ShieldsUP (grc.com) to scan your ports. If RDP is open, close it immediately and set up a VPN or zero-trust proxy instead. |
| 2.6 | UPnP (Universal Plug and Play) is disabled on the router | UPnP allows devices to automatically open ports on your firewall — a major security risk. Disable it in router settings. |
| 2.7 | WPA3 or WPA2 encryption is enabled on Wi-Fi (not WEP, not WPA, not open) | Check your router's wireless security settings. Select WPA3 if available, otherwise WPA2-AES. |
| 2.8 | A firewall is active between your network and the internet | Most routers include a basic firewall — verify it is enabled. For stronger protection, consider pfSense (free) or a Ubiquiti device. |
Section 3: Backups & Disaster Recovery (7 Checks)
Backups are your insurance policy. If everything else fails — ransomware, hardware failure, fire — your backups determine whether your business survives.
| # | Check | What to Do If You Fail |
|---|---|---|
| 3.1 | You have at least 3 copies of all critical business data | The 3-2-1 rule: 3 copies, 2 different media types, 1 offsite. This is your minimum acceptable backup posture. |
| 3.2 | At least one backup is immutable (cannot be modified or deleted by ransomware) | Use Veeam Community Edition (free) with immutable storage, or cloud storage with object lock enabled (Backblaze B2, Wasabi, AWS S3). |
| 3.3 | Backups run automatically on a schedule (daily minimum for critical data) | Configure your backup software to run daily. Do not rely on manual backups — someone will forget. |
| 3.4 | You have tested restoring from backup at least once in the past 6 months | A backup you have never restored is a hope, not a backup. Pick a random file, restore it, and verify its contents today. |
| 3.5 | At least one backup is stored offsite (cloud or physical drive at a different location) | If all your backups are in the same building, a fire or flood destroys everything. Use cloud backup (Backblaze, iDrive) or keep an external drive at home. |
| 3.6 | You know your Recovery Time Objective (RTO): how long can you be offline? | Write it down. If the answer is "4 hours," your backup system must be able to restore everything in under 4 hours. Test it. |
| 3.7 | Cloud data (Google Workspace / M365) is backed up separately | Cloud providers do not back up your data by default — they protect against their own failures, not your accidental deletion or ransomware. Use a third-party cloud backup tool. |
Section 4: Devices & Endpoints (8 Checks)
Every laptop, phone, and tablet that accesses your business data is a potential entry point for attackers.
| # | Check | What to Do If You Fail |
|---|---|---|
| 4.1 | Full disk encryption is enabled on all laptops (BitLocker on Windows, FileVault on Mac) | Both are built in and free. Enable in system settings. A stolen laptop without encryption = all your business data exposed. |
| 4.2 | Screen lock activates after 5 minutes of inactivity on all devices | Configure via Group Policy (Windows) or MDM profile (Mac). Require password or biometric to unlock. |
| 4.3 | Operating systems are set to auto-update on all devices | Windows: Settings > Windows Update > Advanced. Mac: System Settings > General > Software Update > Automatic Updates. |
| 4.4 | Antivirus/anti-malware is active and up to date on all computers | Windows Defender is sufficient for most small businesses. Verify it is enabled and not disabled by another program. |
| 4.5 | No employee is using a personal device for work without explicit approval and minimum security controls | BYOD policy: if employees use personal devices, require encryption, screen lock, and updated OS at minimum. Enforce via MDM if possible. |
| 4.6 | All company phones/tablets have remote wipe capability enabled | Google Workspace and M365 both support remote wipe. Verify it works by testing on a non-critical device. |
| 4.7 | No unsupported/end-of-life operating systems are in use (Windows 7, macOS 11 or earlier, old Android/iOS) | EOL systems receive no security patches. Replace or upgrade them. One old machine can compromise your entire network. |
| 4.8 | You maintain an inventory of all devices that access business data | Create a simple spreadsheet: device name, owner, OS version, encryption status, last checked. Update quarterly. |
Section 5: Cloud & SaaS Accounts (7 Checks)
Your business runs on cloud services. These checks ensure your cloud accounts are not the weakest link.
| # | Check | What to Do If You Fail |
|---|---|---|
| 5.1 | You have a complete list of every cloud service your business uses | Audit your bank statements and browser history. List every SaaS subscription, cloud storage, and tool your employees sign into. |
| 5.2 | Every cloud service has a designated admin and at least one backup admin | What happens if your only admin gets hit by a bus? Assign backup admins to every critical service. Document who they are. |
| 5.3 | Third-party app access to your Google Workspace / M365 is reviewed and limited | Check which third-party apps have OAuth access to your email and files. Revoke anything you don't actively use. |
| 5.4 | Email authentication records are configured: SPF, DKIM, and DMARC | These prevent attackers from spoofing emails that appear to come from your domain. Check via MXToolbox.com. Set up in your DNS provider. |
| 5.5 | File sharing settings in cloud storage are reviewed — no public "anyone with link" shares exposing sensitive data | Audit your Google Drive or SharePoint. Look for files shared with "Anyone with the link" and restrict them to specific people. |
| 5.6 | Inactive employee accounts are deactivated within 24 hours of departure | Create an offboarding checklist. The most important item: revoke email and cloud access before the exit interview ends. |
| 5.7 | Audit logging is enabled on critical services (email, file storage, financial apps) | Enable audit logs in Google Workspace Admin or Microsoft 365 Compliance Center. You need to know who did what, when. |
Section 6: People & Processes (6 Checks)
Technology alone cannot secure your business. Your people and procedures are equally important.
| # | Check | What to Do If You Fail |
|---|---|---|
| 6.1 | All employees have completed phishing awareness training in the past 12 months | Run a 15-minute phishing training session at your next team meeting. Use our Phishing Prevention Guide as the material. |
| 6.2 | Your business has a written Incident Response Plan (who does what when things go wrong) | Write a one-page plan: who to call, how to disconnect infected machines, where backups are, when to notify customers. Print it. Keep it offline. |
| 6.3 | You have a clear policy on what data can and cannot be stored on personal devices | Write a one-paragraph policy: "Work data stays in work cloud storage. Do not download customer data to personal devices. Do not email work files to yourself." |
| 6.4 | You know which regulations apply to your business (GDPR, CCPA, HIPAA, PCI-DSS, etc.) | If you handle customer data from the EU (GDPR), California (CCPA), healthcare (HIPAA), or payments (PCI-DSS), research your obligations. Non-compliance fines dwarf security costs. |
| 6.5 | You have considered cyber insurance | Cyber insurance typically costs $500–$2,000/year for small businesses. It covers breach response, legal fees, and sometimes ransom payments. Ask your business insurance broker. |
| 6.6 | Security is on the agenda at least quarterly (not "set and forget") | Schedule a 30-minute security review every quarter. Run through this checklist, review any incidents, update your plan. Put it in the calendar now. |
What to Do With Your Results
Scoring Your Audit
Count your ❌ Fails across all six sections:
- 0–5 Fails: Excellent. Your business is well-protected. Fix the remaining items this month.
- 6–15 Fails: Moderate risk. There are gaps attackers can exploit. Prioritize Section 1 (Passwords) and Section 3 (Backups) first — those fix the most common attack paths.
- 16–25 Fails: High risk. Your business is an easy target. Do not try to fix everything at once. Week 1: password manager + 2FA on email. Week 2: backups. Week 3: updates and encryption. Week 4: everything else.
- 26+ Fails: Critical risk. Act immediately on passwords and backups. Consider bringing in a security consultant for a day to help you get the fundamentals in place. This is not a drill.
How Often Should You Audit?
Run this full checklist once a year at minimum. Run the password and backup sections quarterly. Run a quick spot-check on sections 1 and 3 monthly — those two cover the majority of real-world attacks.
Set a recurring calendar event for the first Friday of every quarter. Call it "Security Checkup." Takes an hour. Could save your business.
Want a Quick Automated Check First?
Take our free 3-minute security assessment to get an instant risk score. Then use this checklist to dive deeper into the areas where you scored low.