The 30-Point SMB Security Baseline Checklist
Most small-business breaches exploit the same handful of gaps. This free checklist walks you through all 30 — and how to close them this week.
- MFA & access control. Where attackers get in first — and the few settings that shut the door.
- Endpoints & patching. Keeping laptops, servers, and phones current without a full IT team.
- Email & Microsoft 365 hardening. The single most attacked surface for SMBs, with concrete settings to flip.
- Tested backups. Not just "we have backups" — backups you've actually restored from.
- Network exposure. What's reachable from the internet that shouldn't be.
- People & incident response. A one-page plan for the day something goes wrong.
Each item has a plain "why it matters" and a how-to. Printable and self-scoring.
Enter your email and we'll send you the full 30-point checklist as a printable PDF — including the self-scoring sheet.
Double opt-in — confirm your email and the PDF is yours. We never share your address. See our privacy policy.
Thirty things that actually stop breaches.
After years of breach investigations and security assessments for small and mid-size businesses, a pattern shows up over and over: the breach almost never involves some exotic zero-day. It's a shared password, an exposed remote-desktop port, a phishing email that landed because multi-factor authentication was never turned on. This checklist is the boring stuff that works — the controls that close the doors attackers actually walk through.
Identity is the new perimeter
The first third of the checklist is about who can log in and how. Multi-factor authentication on email and remote access, killing shared and default accounts, removing local-admin rights, and reviewing who still has access months after they stopped needing it. These are the cheapest, highest-impact controls you can put in place — most cost nothing but an afternoon of configuration.
Keep the doors and windows shut
Next we cover the machines and the network. Automatic patching for operating systems and browsers, endpoint protection that's actually reporting in, and a hard look at what's exposed to the public internet — RDP, old VPNs, forgotten admin panels. We tell you how to find your exposure in minutes, even without specialist tools.
Email and Microsoft 365 hardening
For most SMBs, email is both the crown jewel and the front door. The checklist gives you the specific Microsoft 365 (and Google Workspace) settings that block the bulk of business-email-compromise attacks: MFA enforcement, legacy-auth blocking, SPF/DKIM/DMARC, and the audit logging you'll wish you had turned on before an incident, not after.
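Two of the settings named above, SPF and DMARC, are plain DNS TXT records you can audit yourself. The following is an added example, not part of the checklist or Red Hound's material: it parses constructed sample records (the sample values and function names are assumptions) and flags the postures the checklist tells you to move away from, such as a permissive SPF "all" term or a DMARC policy stuck at monitor-only.

```python
import re

# Constructed sample records (not a real domain): SPF is in place, DMARC is still
# in monitor-only mode. Replace with the TXT values from your own DNS zone.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"

def parse_spf(record):
    """Return (mechanisms, qualifier of the 'all' term) or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier

def parse_dmarc(record):
    """Return the DMARC tags as a dict, or None if the record is not v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess(spf_record, dmarc_record):
    """List the gaps that leave the domain spoofable or leave you without reports."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no valid v=spf1 record, so receivers cannot reject spoofed mail")
    elif spf[1] in (None, "+", "?"):
        findings.append("SPF: missing or permissive 'all' term; end the record with -all or ~all")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record, so SPF/DKIM failures are never enforced")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never delivered")
    return findings
```

Run assess() on the two sample records and it reports only the p=none gap; an empty findings list means both records are in the enforcing state the checklist asks for.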
Backups you can actually restore
Ransomware is a backup problem as much as a security problem. We walk you through the 3-2-1 rule, why at least one copy must be offline or immutable, and the single most-skipped step: actually restoring from a backup to prove it works. A backup you've never tested is a guess, not a safety net.
People and the plan for a bad day
The last section covers your team and your incident response. Short, practical security-awareness habits, a one-page incident plan with the phone numbers you'll need at 2 a.m., and clear answers to "who do we call?" before you ever have to. Plus the contacts — insurer, counsel, IR firm — to line up in advance.
Self-scoring, so you know where you stand
Every item is a simple yes / no / in-progress, and the checklist tallies a baseline score at the end. Print it, walk it with your team, and you'll have an honest picture of your security posture and a prioritized to-do list — no consultant required. When you're ready to go deeper, that's where we come in.
Want help closing the gaps the checklist surfaces? Red Hound offers pay-as-you-go security consulting for SMBs — no retainer required. Book a 30-minute call and bring your scored checklist.
Get the checklist. Close the gaps this week.
Free PDF. Confirm your email and it's yours.
