Assessment 12 min read

Small Business Security Audit: A Complete DIY Checklist for 2026

Hiring a security consultant for an audit can cost $5,000–$20,000. Here is a comprehensive DIY checklist that covers the same ground — passwords, network, backups, devices, cloud accounts, and employee practices — that you can do yourself in an afternoon.

How to Use This Checklist

Work through each section in order. For each item, mark it Pass ✅, Fail ❌, or Not Applicable ➖. At the end, count your fails — each one is a vulnerability an attacker could exploit. Aim to fix every Fail within 30 days.

Section 1: Passwords & Authentication (10 Checks)

Weak and reused passwords are the most common way small businesses get breached. This section alone fixes the majority of your exposure.

# Check What to Do If You Fail
1.1 Every employee uses a password manager (Bitwarden, 1Password, or similar) Install Bitwarden for free on everyone's computer and phone. One hour setup for the whole team.
1.2 No employee reuses passwords across work accounts Run a password audit in your password manager. Bitwarden and 1Password both have built-in reports.
1.3 Two-factor authentication (2FA) is enabled on all email accounts This is the single most impactful change. Enable 2FA in Gmail/Outlook settings today. Takes 5 minutes per account.
1.4 2FA is enabled on banking, accounting software, and CRM Check each service's security settings. Prioritize anything with financial data or customer PII.
1.5 2FA is enabled on your domain registrar and DNS provider If someone hijacks your domain, they own your website and email. Cloudflare, Namecheap, GoDaddy all support 2FA.
1.6 No passwords are stored in spreadsheets, notes apps, or sticky notes Move everything into a password manager. Delete the spreadsheet after importing.
1.7 Default passwords on all devices have been changed (router, printer, security cameras, IoT) Make a list of every device on your network. Log into each one and change the default password. Document the new passwords in your password manager.
1.8 Admin accounts are separate from daily-use accounts Create a separate admin account for each service. Your daily email should not have admin privileges.
1.9 All passwords are at least 12 characters long Use your password manager's generator. Set the default to 16+ characters.
1.10 You have a plan for what happens if an employee leaves (account revocation process) Write a 5-step offboarding checklist: revoke email access, change shared passwords, revoke app access, collect devices, confirm backup of work files.

Section 2: Network Security (8 Checks)

Your network is the highway between your devices and the internet. These checks ensure the highway has guardrails.

# Check What to Do If You Fail
2.1 Office Wi-Fi has a strong, unique password (not the default, not shared publicly) Log into your router admin panel. Change the Wi-Fi password to a random 16+ character string. Share it via password manager.
2.2 A separate guest Wi-Fi network is configured and isolated from the business network Most routers have a "Guest Network" setting. Enable it, give it a different name, and enable "AP Isolation" or "Client Isolation."
2.3 The router admin password has been changed from the factory default This is step zero. Find your router model's default password online — if yours is still the factory one, change it now.
2.4 Router firmware is up to date Log into your router admin panel. Check for updates. If the router is more than 5 years old and not receiving updates, replace it ($100-200).
2.5 Remote Desktop (RDP, port 3389) is NOT exposed to the internet This is critical. Use a tool like ShieldsUP (grc.com) to scan your ports. If RDP is open, close it immediately and set up a VPN or zero-trust proxy instead.
2.6 UPnP (Universal Plug and Play) is disabled on the router UPnP allows devices to automatically open ports on your firewall — a major security risk. Disable it in router settings.
2.7 WPA3 or WPA2 encryption is enabled on Wi-Fi (not WEP, not WPA, not open) Check your router's wireless security settings. Select WPA3 if available, otherwise WPA2-AES.
2.8 A firewall is active between your network and the internet Most routers include a basic firewall — verify it is enabled. For stronger protection, consider pfSense (free) or a Ubiquiti device.

Section 3: Backups & Disaster Recovery (7 Checks)

Backups are your insurance policy. If everything else fails — ransomware, hardware failure, fire — your backups determine whether your business survives.

# Check What to Do If You Fail
3.1 You have at least 3 copies of all critical business data The 3-2-1 rule: 3 copies, 2 different media types, 1 offsite. This is your minimum acceptable backup posture.
3.2 At least one backup is immutable (cannot be modified or deleted by ransomware) Use Veeam Community Edition (free) with immutable storage, or cloud storage with object lock enabled (Backblaze B2, Wasabi, AWS S3).
3.3 Backups run automatically on a schedule (daily minimum for critical data) Configure your backup software to run daily. Do not rely on manual backups — someone will forget.
3.4 You have tested restoring from backup at least once in the past 6 months A backup you have never restored is a hope, not a backup. Pick a random file, restore it, and verify its contents today.
3.5 At least one backup is stored offsite (cloud or physical drive at a different location) If all your backups are in the same building, a fire or flood destroys everything. Use cloud backup (Backblaze, iDrive) or keep an external drive at home.
3.6 You know your Recovery Time Objective (RTO): how long can you be offline? Write it down. If the answer is "4 hours," your backup system must be able to restore everything in under 4 hours. Test it.
3.7 Cloud data (Google Workspace / M365) is backed up separately Cloud providers do not back up your data by default — they protect against their own failures, not your accidental deletion or ransomware. Use a third-party cloud backup tool.

Section 4: Devices & Endpoints (8 Checks)

Every laptop, phone, and tablet that accesses your business data is a potential entry point for attackers.

# Check What to Do If You Fail
4.1 Full disk encryption is enabled on all laptops (BitLocker on Windows, FileVault on Mac) Both are built in and free. Enable in system settings. A stolen laptop without encryption = all your business data exposed.
4.2 Screen lock activates after 5 minutes of inactivity on all devices Configure via Group Policy (Windows) or MDM profile (Mac). Require password or biometric to unlock.
4.3 Operating systems are set to auto-update on all devices Windows: Settings > Windows Update > Advanced. Mac: System Settings > General > Software Update > Automatic Updates.
4.4 Antivirus/anti-malware is active and up to date on all computers Windows Defender is sufficient for most small businesses. Verify it is enabled and not disabled by another program.
4.5 No employee is using a personal device for work without explicit approval and minimum security controls BYOD policy: if employees use personal devices, require encryption, screen lock, and updated OS at minimum. Enforce via MDM if possible.
4.6 All company phones/tablets have remote wipe capability enabled Google Workspace and M365 both support remote wipe. Verify it works by testing on a non-critical device.
4.7 No unsupported/end-of-life operating systems are in use (Windows 7, macOS 11 or earlier, old Android/iOS) EOL systems receive no security patches. Replace or upgrade them. One old machine can compromise your entire network.
4.8 You maintain an inventory of all devices that access business data Create a simple spreadsheet: device name, owner, OS version, encryption status, last checked. Update quarterly.

Section 5: Cloud & SaaS Accounts (7 Checks)

Your business runs on cloud services. These checks ensure your cloud accounts are not the weakest link.

# Check What to Do If You Fail
5.1 You have a complete list of every cloud service your business uses Audit your bank statements and browser history. List every SaaS subscription, cloud storage, and tool your employees sign into.
5.2 Every cloud service has a designated admin and at least one backup admin What happens if your only admin gets hit by a bus? Assign backup admins to every critical service. Document who they are.
5.3 Third-party app access to your Google Workspace / M365 is reviewed and limited Check which third-party apps have OAuth access to your email and files. Revoke anything you don't actively use.
5.4 Email authentication records are configured: SPF, DKIM, and DMARC These prevent attackers from spoofing emails that appear to come from your domain. Check via MXToolbox.com. Set up in your DNS provider.
5.5 File sharing settings in cloud storage are reviewed — no public "anyone with link" shares exposing sensitive data Audit your Google Drive or SharePoint. Look for files shared with "Anyone with the link" and restrict them to specific people.
5.6 Inactive employee accounts are deactivated within 24 hours of departure Create an offboarding checklist. The most important item: revoke email and cloud access before the exit interview ends.
5.7 Audit logging is enabled on critical services (email, file storage, financial apps) Enable audit logs in Google Workspace Admin or Microsoft 365 Compliance Center. You need to know who did what, when.

Section 6: People & Processes (6 Checks)

Technology alone cannot secure your business. Your people and procedures are equally important.

# Check What to Do If You Fail
6.1 All employees have completed phishing awareness training in the past 12 months Run a 15-minute phishing training session at your next team meeting. Use our Phishing Prevention Guide as the material.
6.2 Your business has a written Incident Response Plan (who does what when things go wrong) Write a one-page plan: who to call, how to disconnect infected machines, where backups are, when to notify customers. Print it. Keep it offline.
6.3 You have a clear policy on what data can and cannot be stored on personal devices Write a one-paragraph policy: "Work data stays in work cloud storage. Do not download customer data to personal devices. Do not email work files to yourself."
6.4 You know which regulations apply to your business (GDPR, CCPA, HIPAA, PCI-DSS, etc.) If you handle customer data from the EU (GDPR), California (CCPA), healthcare (HIPAA), or payments (PCI-DSS), research your obligations. Non-compliance fines dwarf security costs.
6.5 You have considered cyber insurance Cyber insurance typically costs $500–$2,000/year for small businesses. It covers breach response, legal fees, and sometimes ransom payments. Ask your business insurance broker.
6.6 Security is on the agenda at least quarterly (not "set and forget") Schedule a 30-minute security review every quarter. Run through this checklist, review any incidents, update your plan. Put it in the calendar now.

What to Do With Your Results

Scoring Your Audit

Count your ❌ Fails across all six sections:

  • 0–5 Fails: Excellent. Your business is well-protected. Fix the remaining items this month.
  • 6–15 Fails: Moderate risk. There are gaps attackers can exploit. Prioritize Section 1 (Passwords) and Section 3 (Backups) first — those fix the most common attack paths.
  • 16–25 Fails: High risk. Your business is an easy target. Do not try to fix everything at once. Week 1: password manager + 2FA on email. Week 2: backups. Week 3: updates and encryption. Week 4: everything else.
  • 26+ Fails: Critical risk. Act immediately on passwords and backups. Consider bringing in a security consultant for a day to help you get the fundamentals in place. This is not a drill.

How Often Should You Audit?

Run this full checklist once a year at minimum. Run the password and backup sections quarterly. Run a quick spot-check on sections 1 and 3 monthly — those two cover the majority of real-world attacks.

Set a recurring calendar event for the first Friday of every quarter. Call it "Security Checkup." Takes an hour. Could save your business.

Want a Quick Automated Check First?

Take our free 3-minute security assessment to get an instant risk score. Then use this checklist to dive deeper into the areas where you scored low.