Security · 6 min read
A security checklist for small organisations
You don't need a security team. You need a short list of the right things, done consistently.
Security advice for small organisations often feels like it's written for banks. The reality is simpler: a short list of consistent controls will protect you from the vast majority of attacks, without a dedicated security team or enterprise budget.
Here is the checklist I walk through with every client, in order of impact.
1. Multi-factor authentication on every account
This is non-negotiable. Email, file storage, banking, accounting, social media, everything. Microsoft's own figures put it at blocking over 99% of automated account compromise attempts. If you do nothing else, do this.
Use an authenticator app (Microsoft Authenticator or Google Authenticator) rather than SMS where possible. Passkeys or hardware keys are even better for admin, finance and senior accounts.
2. A password manager for the whole team
Humans cannot remember strong, unique passwords for every service. A team password manager (Bitwarden, 1Password or Dashlane for Business) means every password is strong, unique and shared securely. No more Post-it notes, shared spreadsheets or "we all use the same one".
3. Automatic updates on every device
Patching is not glamorous but it works. Enable automatic updates on Windows, macOS, phones, browsers and any installed software. Critical security patches should be applied within 14 days, which is also a Cyber Essentials requirement.
4. Separate admin and everyday accounts
The account you use to read email should not have admin rights over your computers or your cloud tenant. Admin accounts should be used only for admin tasks, and protected with the strongest MFA available.
5. Device encryption and screen lock
Every laptop and phone should be encrypted (BitLocker on Windows, FileVault on Mac) and lock automatically after a short period of inactivity. A lost or stolen unencrypted laptop is a data breach.
6. A clear backup you have tested
Back up your cloud data (Microsoft 365 or Google Workspace) to an independent platform. Back up any local servers or critical local files. Then test a restore. A backup you haven't tested is a gamble.
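As an added illustration of "test a restore" (example code written for this article, not part of the original post or any backup product), the script below backs up a few constructed files together with a manifest of SHA-256 hashes, restores them into a fresh directory, and then checks every restored file against the manifest. The file names, the manifest name and the directory layout are all assumptions made for the example; the point it makes is the last step, since a restore that nobody verifies proves nothing.

```python
"""Added example: back up, restore, then verify the restore against a hash manifest."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for this example; not any product's format


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def back_up(source: Path, backup: Path) -> dict:
    """Copy every file under `source` into `backup` and record its hash in a manifest."""
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source).as_posix()
        target = backup / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)
        manifest[rel] = sha256_of(file)
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(backup: Path, destination: Path) -> None:
    """Copy backed-up files (everything except the manifest) into `destination`."""
    for file in backup.rglob("*"):
        if file.is_file() and file.name != MANIFEST_NAME:
            rel = file.relative_to(backup)
            (destination / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(file, destination / rel)


def verify_restore(backup: Path, restored: Path) -> list:
    """Return a list of problems found; an empty list means the restore is good."""
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def run_restore_test(corrupt_one_file: bool = False) -> list:
    """Full cycle on constructed sample data; optionally simulate a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restored = root / "live", root / "backup", root / "restored"
        source.mkdir()
        (source / "accounts").mkdir()
        # Constructed sample files standing in for real business data.
        (source / "accounts" / "invoices-2024.csv").write_text("id,amount\n1,120.00\n")
        (source / "policy.txt").write_text("Acceptable use policy v1\n")
        back_up(source, backup)
        restore(backup, restored)
        if corrupt_one_file:
            (restored / "policy.txt").write_text("truncated")
        return verify_restore(backup, restored)


if __name__ == "__main__":
    print("clean restore, problems found:", run_restore_test())
    print("damaged restore, problems found:", run_restore_test(corrupt_one_file=True))
```

The same three-step shape (back up with a manifest, restore somewhere separate, compare against the manifest) applies whatever tool does the copying; the manifest is what turns "the restore ran" into "the restore is correct".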
7. A basic acceptable use policy
You don't need a forty-page document. A single page covering:
- No personal email for business data.
- No sharing passwords except through the password manager.
- Report lost or stolen devices within the hour.
- Report suspicious emails without clicking links.
Sign it, store it, review it annually.
8. Annual review of who has access to what
Staff change, roles change, and old permissions accumulate. Once a year, review:
- Who has admin rights.
- Who still has access to old tools or old shared folders.
- Whether ex-staff access has been fully removed.
9. Disable what you don't need
Old user accounts, unused software licences and abandoned cloud subscriptions all create risk you don't need. Close them down.
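The annual review in item 8, the admin-account split in item 4 and the clean-up in item 9 all come down to the same few questions asked of an account list. As an added example (written for this article, not part of the original post or any vendor's tooling), the script below runs those questions over a constructed CSV export of accounts. The column names, the example addresses, the "-admin" naming convention for dedicated admin accounts and the 90-day staleness window are all assumptions made for the example; adapt them to whatever your identity provider actually exports.

```python
"""Added example: an access review over a constructed account export.

Checks (one per checklist item they support):
  - leaver_still_enabled      item 8: ex-staff access not fully removed
  - admin_without_mfa         item 4: admin accounts must have the strongest MFA
  - admin_on_everyday_account item 4: admin rights on an account used for daily work
  - stale_account             item 9: enabled accounts nobody has used recently
"""
import csv
import io
from datetime import date, timedelta

# Constructed export, one row per account. Column names are assumptions for this
# example. Dates are ISO (YYYY-MM-DD); an empty last_sign_in means never used.
ACCOUNT_EXPORT = """\
user,enabled,is_admin,mfa_enabled,employment_status,last_sign_in
alice@example.org,yes,yes,yes,current,2024-05-30
alice-admin@example.org,yes,yes,yes,current,2024-05-28
bob@example.org,yes,no,yes,current,2024-05-31
carol@example.org,yes,no,no,left,2024-01-15
dave@example.org,yes,yes,no,current,2024-05-29
shared-scanner@example.org,yes,no,no,service,2023-11-02
erin@example.org,no,no,yes,left,2024-02-10
frank@example.org,yes,no,yes,current,
"""

REVIEW_DATE = date(2024, 6, 1)  # constructed "today" so the example is repeatable
STALE_DAYS = 90                 # assumed window; pick what fits your organisation


def parse_export(text: str) -> list:
    """Turn the CSV text into plain dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_sign_in"].strip()
        rows.append({
            "user": row["user"],
            "enabled": row["enabled"] == "yes",
            "is_admin": row["is_admin"] == "yes",
            "mfa_enabled": row["mfa_enabled"] == "yes",
            "status": row["employment_status"],
            "last_sign_in": date.fromisoformat(last) if last else None,
        })
    return rows


def review_access(accounts: list, today: date, stale_days: int = STALE_DAYS) -> dict:
    """Group findings by check; each value lists the affected account names."""
    findings = {
        "leaver_still_enabled": [],
        "admin_without_mfa": [],
        "admin_on_everyday_account": [],
        "stale_account": [],
    }
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        user = acct["user"]
        if acct["status"] == "left" and acct["enabled"]:
            findings["leaver_still_enabled"].append(user)
        if acct["is_admin"] and not acct["mfa_enabled"]:
            findings["admin_without_mfa"].append(user)
        # Assumed convention: dedicated admin accounts carry an "-admin" suffix,
        # so any other account holding admin rights is an everyday account.
        if acct["is_admin"] and not user.split("@")[0].endswith("-admin"):
            findings["admin_on_everyday_account"].append(user)
        never_used = acct["last_sign_in"] is None
        if acct["enabled"] and (never_used or acct["last_sign_in"] < cutoff):
            findings["stale_account"].append(user)
    return findings


def run_review() -> dict:
    """Run the review over the constructed export as of REVIEW_DATE."""
    return review_access(parse_export(ACCOUNT_EXPORT), REVIEW_DATE)


if __name__ == "__main__":
    for check, users in run_review().items():
        print(f"{check}: {', '.join(users) if users else 'none'}")
```

Disabled accounts are deliberately left out of the staleness check (erin, who has already left and been disabled, produces no finding), while a never-used enabled account (frank) is flagged so someone decides whether it is needed.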
If you'd like me to run through this checklist against your current setup, get in touch.
Need a hand with this?
I help small organisations across the UK with exactly this kind of work. Honest advice, plain English, no pressure.