
The SMB Cybersecurity Checklist: 20 Questions That Reveal Your Real Risk Exposure

Cybersecurity · May 11, 2026

Most small businesses either think they're secure when they're not, or they're paralyzed by complexity and do nothing. Below are the 20 questions I use when evaluating a small business's security posture. These map directly to the controls that, when absent, lead to the breaches I've seen take down small companies.

This is the SMB cybersecurity checklist I wish every small business owner would work through honestly. Count your yes answers across all 20 questions: 16 or more means you are in reasonable shape; under 12 means meaningful exposure to address now.

Identity and access

  1. Is MFA enabled for all email accounts, including shared inboxes?
  2. Is MFA enabled for all cloud services containing sensitive data?
  3. Are passwords managed through a company password manager?
  4. When an employee leaves, is access revoked within 24 hours across all systems?
  5. Are admin accounts used only for administrative tasks?

Devices and endpoints

  6. Are all devices running current, supported operating systems with automatic updates?
  7. Is endpoint protection installed on all laptops and desktops?
  8. Are personal devices that access company data subject to security requirements?
  9. Is the company Wi-Fi separate from the guest network?
  10. Are laptops encrypted with full-disk encryption?

Data and backups

  11. Are backups performed at least weekly?
  12. Are backups stored somewhere other than the primary system?
  13. Have you tested restoring from backup in the last 6 months?
  14. Do you know where all sensitive customer data lives?

Policies and awareness

  15. Have employees received security awareness training in the last 12 months?
  16. Do you have a written acceptable use policy that employees have acknowledged?
  17. Do you have a process for employees to report suspicious emails?

Incident readiness

  18. Do you have a written incident response plan?
  19. Do you have cyber insurance?
  20. Do you know your legal notification obligations if customer data is compromised?

Scoring

  • 16–20 yes: Fundamentals in order. Focus on documentation and awareness.
  • 11–15 yes: Prioritize MFA, backups, and IR planning immediately.
  • Under 11: Significant exposure. Start with MFA on email, encrypted backups, endpoint protection.
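Half of the checklist can be answered from evidence rather than memory. The script below is an added example, not a tool from the post or from Scarlet Risk: it evaluates the ten questions that have a measurable answer (MFA coverage, 24-hour revocation, OS and endpoint state, disk encryption, backup age, restore-test age, training age) against a small constructed inventory, takes the remaining ten policy questions as hand-entered answers, and maps the yes-count onto the scoring bands above. Questions are numbered 1 to 20 in checklist order. The account, device, backup and training records, the system names, and the 183-day reading of "6 months" are all assumptions; in practice the inventory would come from exports of your identity provider, MDM/EDR console, backup tooling and training records.

```python
from datetime import datetime, timedelta

# Reference time for the constructed sample data (assumption).
NOW = datetime(2026, 5, 11, 9, 0)

# Thresholds taken from the checklist wording; 6 and 12 months are
# approximated in days.
REVOCATION_SLA = timedelta(hours=24)      # question 4
BACKUP_MAX_AGE = timedelta(days=7)        # question 11
RESTORE_TEST_MAX_AGE = timedelta(days=183)  # question 13
TRAINING_MAX_AGE = timedelta(days=365)    # question 15

# Constructed sample inventory (not real data).
ACCOUNTS = [
    {"user": "alice", "system": "email", "mfa": True,
     "terminated": None, "revoked": None},
    {"user": "sales-shared", "system": "email", "mfa": False,   # shared inbox, no MFA
     "terminated": None, "revoked": None},
    {"user": "bob", "system": "crm", "mfa": True,               # revoked ~64h after leaving
     "terminated": datetime(2026, 5, 1, 17, 0), "revoked": datetime(2026, 5, 4, 9, 0)},
    {"user": "carol", "system": "crm", "mfa": True, "terminated": None, "revoked": None},
    {"user": "dave", "system": "cloud-storage", "mfa": True, "terminated": None, "revoked": None},
]
DEVICES = [
    {"host": "lt-01", "os_supported": True, "auto_update": True, "edr": True, "fde": True},
    {"host": "lt-02", "os_supported": False, "auto_update": True, "edr": True, "fde": False},
]
BACKUPS = {"last_backup": datetime(2026, 5, 9, 2, 0), "offsite": True,
           "last_restore_test": datetime(2025, 12, 1, 14, 0)}
STAFF = ["alice", "carol", "dave"]                       # current employees
TRAINING = {"alice": datetime(2025, 9, 1), "carol": datetime(2026, 2, 10),
            "dave": datetime(2024, 11, 1)}               # dave's training is stale
# Answers to the ten questions that need a human judgement (constructed).
MANUAL_ANSWERS = {3: True, 5: False, 8: False, 9: True, 14: True,
                  16: True, 17: True, 18: False, 19: True, 20: False}


def all_mfa(accounts, systems):
    """True when every account on the named systems has MFA enabled."""
    relevant = [a for a in accounts if a["system"] in systems]
    return bool(relevant) and all(a["mfa"] for a in relevant)


def offboarding_within_sla(accounts, sla=REVOCATION_SLA):
    """True when every terminated account lost access within the SLA."""
    for a in accounts:
        if a["terminated"] is None:
            continue
        if a["revoked"] is None or a["revoked"] - a["terminated"] > sla:
            return False
    return True


def all_devices(devices, *fields):
    """True when every device satisfies all of the given boolean fields."""
    return bool(devices) and all(all(d[f] for f in fields) for d in devices)


def within(then, now, max_age):
    """True when an event happened and is no older than max_age."""
    return then is not None and now - then <= max_age


def evaluate(accounts, devices, backups, staff, training, manual, now):
    """Return {question_number: yes/no} for all 20 checklist questions."""
    results = {
        1: all_mfa(accounts, {"email"}),
        2: all_mfa(accounts, {"crm", "cloud-storage"}),
        4: offboarding_within_sla(accounts),
        6: all_devices(devices, "os_supported", "auto_update"),
        7: all_devices(devices, "edr"),
        10: all_devices(devices, "fde"),
        11: within(backups["last_backup"], now, BACKUP_MAX_AGE),
        12: bool(backups["offsite"]),
        13: within(backups["last_restore_test"], now, RESTORE_TEST_MAX_AGE),
        15: all(within(training.get(u), now, TRAINING_MAX_AGE) for u in staff),
    }
    results.update(manual)
    return dict(sorted(results.items()))


def band(yes_count):
    """Map a yes-count onto the post's three scoring bands."""
    if yes_count >= 16:
        return "16-20: fundamentals in order"
    if yes_count >= 11:
        return "11-15: prioritize MFA, backups and IR planning"
    return "under 11: significant exposure"


def score(results):
    """Return (number of yes answers, scoring band)."""
    yes = sum(1 for v in results.values() if v)
    return yes, band(yes)


if __name__ == "__main__":
    r = evaluate(ACCOUNTS, DEVICES, BACKUPS, STAFF, TRAINING, MANUAL_ANSWERS, NOW)
    yes, verdict = score(r)
    print(f"{yes}/20 yes -> {verdict}")
    print("failing questions:", [q for q, ok in r.items() if not ok])
```

With the constructed data the run scores 11 of 20 and lists questions 1, 4, 5, 6, 8, 10, 15, 18 and 20 as failing, which is the middle band: the shared inbox without MFA and the three-day revocation gap surface immediately, and those are exactly the items the band tells you to fix first.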

The security tools most small businesses need cost under $100/month combined. The gap between secure and insecure for most SMBs is not money. It's awareness and follow-through. Scarlet Risk can give you a live cybersecurity checklist tied to your risk register in minutes.