Small Business Cyber Basics

The first five cyber checks for any small business

Five plain-English checks that quickly show whether a small business has the basics under control.

12 Jun 20262 min readJames MackieUpdated 16 Jun 2026

Small business cyber does not need to start with a huge assessment. The first pass should answer a sharper question: are the basics good enough that the business can keep trading if something goes wrong?

For the wider review shape, see what a small business AI and security review should cover.

These are the first five checks I would run.

1. MFA on the accounts that matter

Email, Microsoft 365 or Google Workspace, finance systems, website admin, cloud storage and social accounts should all have multi-factor authentication enabled. If email is compromised, almost everything else becomes easier to attack.

2. Admin accounts

Who has administrator access? Are old staff, agencies or suppliers still present? Are daily-use accounts also admin accounts? Too many small businesses are one forgotten admin login away from a serious problem.

3. Email and domain security

SPF, DKIM and DMARC are not glamorous, but they matter. They help reduce spoofing and make it harder for someone to impersonate the business by email.

4. Backups

Backups need to be separate, monitored and recoverable. The practical test is simple: if a laptop, mailbox or shared drive was encrypted tomorrow, what could be restored and how long would it take?

5. Supplier access

Suppliers often have more access than anyone remembers: web agencies, IT support, accountants, marketing tools, payment providers and old contractors. Supplier access should be known, limited and reviewed.

What this tells you

These five checks do not prove everything is safe. They do show whether the business has a usable foundation. If the basics are weak, bigger security work will struggle to land.

Related field notes

Back to Insights