The 10-Point Cybersecurity Audit Every Small Business Needs Right Now

A ransomware attack shuts down a local accounting firm on a Tuesday morning. No backups. No recovery plan. Client data encrypted, trust destroyed, and $47,000 in recovery costs later — the owner admits they thought cybersecurity was something only big corporations needed to worry about. That firm had seven employees. According to the 2023 Verizon Data Breach Investigations Report, 43% of all cyberattacks target small businesses. Most of them never saw it coming.

A small business cybersecurity audit is not a luxury. It is the baseline. Here are the 10 points you need to cover — no IT degree required.

Why a Small Business Cybersecurity Audit Matters More Than You Think

Small businesses are not flying under the radar. They are actively targeted because attackers know they typically have weaker defenses, fewer resources, and less security awareness than enterprise organizations. A structured audit gives you a clear picture of where you stand and what needs fixing — before a breach forces the issue.

You do not need to hire an expensive consultant to start. This checklist is designed to be actionable by any business owner or office manager willing to spend a focused afternoon reviewing their setup.

Point 1: Inventory Every Device on Your Network

You cannot protect what you cannot see. Start by listing every device connected to your business network: laptops, desktops, smartphones, tablets, printers, smart TVs, and IoT devices like security cameras or smart thermostats.

  • Use a free tool like Advanced IP Scanner (Windows) or Angry IP Scanner (cross-platform) to discover devices on your network.
  • Flag any device you do not recognize — unknown devices are a serious red flag.
  • Remove or isolate devices that no longer need network access.

Point 2: Audit User Accounts and Access Permissions

Every active user account is a potential entry point. Review who has access to what — and strip back anything that is not essential.

  • Disable or delete accounts belonging to former employees immediately.
  • Apply the principle of least privilege: each user should only access the systems and data their role requires.
  • Identify any accounts with administrator-level access and confirm they are genuinely needed.

Check for Shared Passwords

If your team shares a single login for your accounting software, your CRM, or your email platform, that is a critical vulnerability. Shared credentials make it impossible to trace who did what — and when one person’s device is compromised, every account they share access to is exposed.

Point 3: Enforce Strong Password Policies and MFA

Weak passwords remain one of the leading causes of data breaches. During your small business cybersecurity audit, evaluate your current password practices honestly.

  • Require passwords of at least 14 characters combining letters, numbers, and symbols.
  • Deploy a business password manager like Bitwarden Teams or 1Password Business — these start at around $3–4 per user per month and eliminate the sticky-note problem entirely.
  • Enable multi-factor authentication (MFA) on every account that supports it — email, banking, cloud storage, payroll software, everything.

MFA alone blocks over 99% of automated account takeover attacks, according to Microsoft research. If you do nothing else on this list, do this.

Point 4: Review Your Firewall and Router Configuration

Your router is the front door to your network. Most small businesses plug in a router and never touch the settings again. That is a problem.

  • Log into your router admin panel and change the default admin username and password if you have not already.
  • Ensure your firmware is up to date — outdated firmware is a known exploit target.
  • Disable remote management unless you actively need it.
  • Check that your firewall is active and configured to block inbound traffic that is not explicitly needed.

Separate Your Guest Wi-Fi

If customers, clients, or visitors ever connect to your Wi-Fi, they should never be on the same network as your business devices. Set up a dedicated guest network — most modern routers support this in a few clicks.

Point 5: Check Software and Operating System Patch Status

Unpatched software is the digital equivalent of leaving a known broken lock on your door. Attackers actively scan for systems running outdated software because exploits for known vulnerabilities are publicly available.

  • Enable automatic updates for operating systems on all business devices.
  • Audit third-party software — accounting tools, point-of-sale systems, plugins, and browser extensions all need regular updates.
  • Uninstall software that is no longer supported by its developer (end-of-life software receives no security patches).

Point 6: Evaluate Your Backup Strategy

Ransomware is only catastrophic if you have no clean copy of your data to restore from. Your backup strategy needs to follow the 3-2-1 rule: three copies of your data, on two different media types, with one stored offsite or in the cloud.

  • Verify that backups are actually running — scheduled backups sometimes fail silently for months.
  • Test a restore. A backup you have never tested is a backup you cannot trust.
  • Ensure cloud backups are stored in a separate account that ransomware cannot reach from your primary systems.
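The first two bullets above (backups that fail silently, and a restore that has never been tested) can be automated. The following is an added example written for this checklist, not code from the article or from any backup product: it checks how old the newest archive is and performs a real test restore into a scratch directory, hash-comparing every restored file against the live copy. The source tree, archive and 40-day back-dating are all constructed inside the script so it runs offline.

```python
import hashlib, os, tarfile, tempfile, time
from pathlib import Path

def file_sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def newest_backup(backup_dir, pattern="*.tar.gz"):
    """Return the most recently modified archive in backup_dir, or None if there is none."""
    archives = sorted(Path(backup_dir).glob(pattern), key=lambda p: p.stat().st_mtime)
    return archives[-1] if archives else None

def backup_age_hours(archive):
    """Hours since the archive was last written; a job that silently stopped shows up as a large number."""
    return (time.time() - Path(archive).stat().st_mtime) / 3600

def verify_restore(archive, source_dir):
    """Restore into a scratch dir and return relative paths that are missing or differ from the live source."""
    source_dir = Path(source_dir)
    mismatches = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            # The 'data' filter (Python 3.12+, backported to security releases) rejects unsafe paths.
            tar.extractall(scratch, filter="data") if hasattr(tarfile, "data_filter") else tar.extractall(scratch)
        restored_root = Path(scratch, source_dir.name)
        for live in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = live.relative_to(source_dir)
            copy = restored_root / rel
            if not copy.is_file() or file_sha256(copy) != file_sha256(live):
                mismatches.append(str(rel))
    return mismatches

def run_demo(max_age_hours=24):
    """Build a constructed source tree and backup archive, then run both checks and return the verdicts."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "clients"); src.mkdir()
        (src / "ledger.csv").write_text("constructed sample data\n")
        (src / "notes.txt").write_text("constructed sample notes\n")
        backups = Path(work, "backups"); backups.mkdir()
        archive = backups / "clients-backup.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=src.name)
        # Simulate a backup job that silently stopped 40 days ago by back-dating the archive.
        stale = time.time() - 40 * 24 * 3600
        os.utime(archive, (stale, stale))
        # Edit one live file after the backup so the test restore has a discrepancy to report.
        (src / "notes.txt").write_text("edited after the backup ran\n")
        latest = newest_backup(backups)
        return {"fresh": backup_age_hours(latest) <= max_age_hours,
                "mismatches": verify_restore(latest, src)}
```

Pointed at a real backup folder and the live data directory, the same two functions give you a yes/no answer on freshness and a list of files that would not come back intact.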

Point 7: Assess Email Security Controls

Email is the number one delivery mechanism for phishing attacks, malware, and business email compromise (BEC) scams. Your email setup needs more than a spam filter.

  • Confirm that SPF, DKIM, and DMARC records are configured correctly for your domain — these authentication protocols let receiving mail servers detect and reject messages that spoof your email address. Your DNS provider or IT contact can verify this, or use a free tool like MXToolbox.
  • Enable email filtering at the provider level — Microsoft 365 Defender and Google Workspace both include built-in threat protection.
  • Train your team to spot phishing attempts: check sender addresses carefully, hover over links before clicking, and verify unexpected requests for payments or credential changes by phone.
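To make the SPF and DMARC check above concrete, here is an added checker (example code, not from the article or from any vendor tool) that flags the weak settings most often found when a record is pasted in from a DNS console or MXToolbox lookup. The two sample records are constructed and describe no real domain, and the DNS-lookup count is an approximation of the RFC 7208 limit rather than a full evaluator.

```python
import re

# Constructed sample records for illustration; they do not describe a real domain.
SAMPLE_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

def check_spf(txt):
    """Return a list of findings for an SPF TXT record (empty list means no issue found)."""
    if not txt.lower().startswith("v=spf1"):
        return ["no SPF record (must start with v=spf1)"]
    findings = []
    terms = txt.split()[1:]
    # The final 'all' mechanism decides how senders not listed above it are treated.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("missing 'all' mechanism: unlisted senders are not restricted")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every sender on the internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail is not flagged")
    # RFC 7208 limits DNS-querying mechanisms to 10; beyond that receivers return permerror.
    names = (re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms)
    lookups = sum(1 for n in names if n in ("include", "a", "mx", "exists", "redirect", "ptr"))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings

def check_dmarc(txt):
    """Return a list of findings for a DMARC TXT record."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings

if __name__ == "__main__":
    for name, record, check in (("SPF", SAMPLE_SPF, check_spf), ("DMARC", SAMPLE_DMARC, check_dmarc)):
        issues = check(record)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

A DMARC record with `p=none` is the most common finding in a first audit: it reports on spoofing but does not stop it, so the goal is to move to `quarantine` and then `reject` once the reports show legitimate mail passing.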

Point 8: Review Third-Party Vendor Access

Your accountant, your IT support company, your marketing agency — any third party with access to your systems is a potential attack vector. The 2013 Target breach, which exposed 40 million credit card numbers, started through a third-party HVAC vendor with network access.

  • List every vendor or contractor with access to your systems, networks, or data.
  • Confirm each connection uses secure, auditable access methods — not a shared login tucked in a spreadsheet.
  • Revoke access immediately when a vendor relationship ends.

Point 9: Check Your Endpoint Protection Coverage

Every device used for business purposes — including personal phones used for work email — needs endpoint protection. Free consumer antivirus tools are not sufficient for a business environment.

  • Deploy a business-grade endpoint protection solution such as Malwarebytes for Teams, Bitdefender GravityZone, or Microsoft Defender for Business.
  • Ensure protection covers all operating systems in use, including macOS and mobile devices.
  • Confirm that real-time scanning and web filtering are active on all endpoints.

Point 10: Build a Basic Incident Response Plan

An incident response plan does not need to be a 50-page document. It needs to answer three questions clearly: Who do you call when something goes wrong? What steps do you take in the first hour? How do you communicate with customers if their data is involved?

  • Document emergency contacts: your IT provider, your internet service provider, your bank (for potential financial fraud), and legal counsel if you handle sensitive client data.
  • Know your regulatory obligations — depending on your industry and location, you may be legally required to notify customers or authorities within a specific timeframe after a breach.
  • Run a brief tabletop exercise with your team: talk through what you would each do if you arrived at work to find your systems encrypted. Awareness before a crisis changes outcomes dramatically.

Completing Your Small Business Cybersecurity Audit: What Happens Next

Work through this list and you will almost certainly find gaps. That is the point. A small business cybersecurity audit is not about achieving perfection — it is about finding your weaknesses before someone else does and systematically closing them.

Prioritize fixes based on impact: MFA and backups first, then access controls and patching, then the rest. Document what you find, what you fix, and when. That paper trail matters if you ever face a compliance review or an insurance claim.

Cybersecurity for small businesses does not require an enterprise budget. It requires consistent habits, the right tools, and the discipline to check in regularly. Schedule this audit every six months — your business data, your clients’ trust, and potentially your entire operation depend on it.

Need help working through any of these points? Browse the Techbytes resource library for step-by-step guides on password managers, MFA setup, backup strategies, and more — all written for real business owners, not IT professionals.