The numbers are hard to ignore.
According to the FBI's 2024 Internet Crime Report, cybercrime losses reached $16.6 billion in the United States alone—a 33% increase from the previous year. In Canada, cybersecurity recovery spending doubled from $600 million in 2021 to $1.2 billion in 2023, according to Statistics Canada. And the 2025 Verizon Data Breach Investigations Report found that ransomware appeared in 88% of breaches involving small and medium-sized businesses.
Yet according to industry surveys, fewer than one in three SMBs rate their cyber defenses as mature enough to protect against breaches, and the majority of small business owners either self-manage their cybersecurity or rely on someone without formal security training.
If your organization hasn't conducted a thorough review of its security posture recently, this checklist is a starting point. It covers the core protections that security professionals generally consider essential for businesses operating in today's threat environment—organized so you can assess where your organization stands and identify areas that may warrant attention.
1. Endpoint Protection: Securing Every Device
Every laptop, desktop, and server in your organization is a potential entry point for attackers. Traditional antivirus software alone is no longer considered sufficient against modern threats.
Key considerations
- Endpoint Detection and Response (EDR): Unlike traditional antivirus that relies on known threat signatures, EDR solutions monitor device behavior in real time—identifying suspicious activity even from previously unknown threats. This is particularly relevant given the rise of AI-generated malware that can evade signature-based detection.
- Managed Detection and Response (MDR): EDR generates alerts, but someone needs to act on them. MDR combines the technology with 24/7 human monitoring from a Security Operations Center (SOC), meaning threats can be identified and contained even outside business hours.
- Mobile device coverage: According to the 2025 Verizon DBIR, 46% of systems compromised by infostealer malware were unmanaged devices—personal phones and tablets that mixed business and personal credentials. If employees access company email or data from mobile devices, those devices may warrant protection as well.
Questions to ask: Are all company devices covered by modern endpoint protection? Is someone monitoring alerts around the clock, or only during business hours? Are employee mobile devices accessing company data without security controls?
2. Email Security: Protecting the Primary Attack Vector
Email remains the number one entry point for cyberattacks. According to the FBI's IC3 report, phishing losses jumped 274% in a single year—from $18.7 million in 2023 to $70 million in 2024. Business Email Compromise (BEC) accounted for $2.77 billion in losses in 2024 alone, often targeting small businesses that lack layered email defenses.
Key considerations
- Advanced threat filtering: Solutions that scan incoming email for malicious links, attachments, and impersonation attempts—going beyond basic spam filters. Modern phishing emails are increasingly sophisticated, often generated with AI tools that eliminate the spelling errors and awkward phrasing that once made them easier to spot.
- Email authentication protocols: SPF, DKIM, and DMARC help prevent attackers from spoofing your domain to send fraudulent emails to your customers, partners, and employees. These protocols are increasingly expected by major email providers.
- Account compromise detection: Monitoring for signs that an email account has been compromised—unusual login locations, mass forwarding rules being created, or suspicious sending patterns.
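As an added example (not code from the original article), the following Python checker flags the weak settings a defender looks for in SPF and DMARC TXT records: a missing or permissive `all` mechanism, too many DNS-lookup terms, a `p=none` policy, and no reporting address. The sample records and the two `.example` domains are constructed; in practice the record lists would come from a DNS TXT lookup of the domain and of its `_dmarc` subdomain, and DKIM is left out because its records live under per-selector names that a checker has to know in advance.

```python
import re
# Constructed sample TXT records for two made-up domains (not real domains or mail providers).
SAMPLE_TXT = {
    "weak.example":        ["v=spf1 include:_spf.mailer.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "good.example":        ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
}
LOOKUP_RE = re.compile(r"^(include:|a\b|mx\b|ptr\b|exists:|redirect=)")  # SPF terms that cost a DNS lookup

def check_spf(records):
    """Return a list of weaknesses in a domain's SPF TXT record(s); empty means none found."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    findings, lookups, all_term = [], 0, None
    for term in spf[0].split()[1:]:
        mech = term.lstrip("+-~?")
        if mech == "all":
            all_term = term if term[0] in "+-~?" else "+" + term   # a bare 'all' means '+all'
        elif LOOKUP_RE.match(mech):
            lookups += 1
    if all_term is None:
        findings.append("no 'all' mechanism: mail from unlisted hosts is neither passed nor failed")
    elif all_term.startswith("+"):
        findings.append("+all: any host on the internet passes SPF for this domain")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings

def check_dmarc(records):
    """Return a list of weaknesses in a domain's _dmarc TXT record(s); empty means none found."""
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: spoofed mail is not quarantined or rejected even when SPF and DKIM fail"]
    tags = dict(p.strip().split("=", 1) for p in dmarc[0].split(";") if "=" in p)
    findings, policy = [], tags.get("p", "").lower()
    if not policy:
        findings.append("missing p= tag: the record is invalid and ignored by receivers")
    elif policy == "none":
        findings.append("p=none: spoofed messages are only reported, never quarantined or rejected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unnoticed")
    return findings

def assess_domain(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain; DKIM is per selector, so it is not checked here."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get("_dmarc." + domain, []))
```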
Questions to ask: Does your email security go beyond basic spam filtering? Are SPF, DKIM, and DMARC configured for your domain? Would you know if an employee's email account were compromised?
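To show what "would you know" can look like in practice, here is an added Python example (not from the original article) that runs the three account-compromise signals listed above over mailbox audit events: inbox rules that forward outside the company or delete messages, logins from two countries within an hour, and a burst of outbound mail. The event schema, the `corp.example` domain and the events themselves are constructed; a real deployment would map the fields of whatever audit log the mail platform exports.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"   # assumption: the organisation's own mail domain
# Constructed sample audit events in an assumed schema (not any vendor's export format).
SAMPLE_EVENTS = [
    '{"ts":"2025-03-01T08:02:00Z","user":"dana@corp.example","op":"Login","country":"CA"}',
    '{"ts":"2025-03-01T08:40:00Z","user":"dana@corp.example","op":"Login","country":"NG"}',
    '{"ts":"2025-03-01T08:41:00Z","user":"dana@corp.example","op":"New-InboxRule",'
    '"forward_to":"archive@mail-drop.example","delete":true}',
    '{"ts":"2025-03-01T09:10:00Z","user":"lee@corp.example","op":"New-InboxRule",'
    '"forward_to":"lee.backup@corp.example","delete":false}',
] + [  # 25 messages sent from dana's account within one minute
    json.dumps({"ts": f"2025-03-01T09:00:{2 * i:02d}Z", "user": "dana@corp.example", "op": "Send"})
    for i in range(25)
]

def detect(events, login_window=timedelta(hours=1), burst=20, burst_window=timedelta(minutes=10)):
    """Return (user, finding) pairs for risky inbox rules, fast location changes and send bursts."""
    findings, logins, sends = [], defaultdict(list), defaultdict(list)
    for e in (json.loads(line) for line in events):
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        user, op = e["user"], e["op"]
        if op == "New-InboxRule":
            target = e.get("forward_to", "")
            if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
                findings.append((user, f"inbox rule forwards mail to external address {target}"))
            if e.get("delete"):
                findings.append((user, "inbox rule deletes messages, hiding them from the mailbox owner"))
        elif op == "Login":
            logins[user].append((ts, e["country"]))
        elif op == "Send":
            sends[user].append(ts)
    for user, entries in logins.items():
        entries.sort()
        for (t1, c1), (t2, c2) in zip(entries, entries[1:]):   # consecutive logins
            if c1 != c2 and t2 - t1 <= login_window:
                findings.append((user, f"logins from {c1} and {c2} only {t2 - t1} apart"))
    for user, times in sends.items():
        times.sort()
        for i in range(len(times) - burst + 1):   # sliding window of `burst` messages
            if times[i + burst - 1] - times[i] <= burst_window:
                findings.append((user, f"{burst}+ messages sent within {burst_window}"))
                break
    return findings

if __name__ == "__main__":
    for user, finding in detect(SAMPLE_EVENTS):
        print(f"{user}: {finding}")
```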
3. Patching and Updates: Closing Known Vulnerabilities
One of the most common ways attackers breach organizations is through known vulnerabilities that have patches available but haven't been applied. The 2025 Verizon DBIR reported that 20% of breaches began with exploited vulnerabilities—a 34% increase year-over-year.
Key considerations
- Automated OS patching: Windows, macOS, and Linux systems all require regular security updates. Manual patching is time-consuming and easy to postpone, which is why automated patch management is generally recommended.
- Third-party application updates: Operating systems aren't the only targets. Applications like browsers, PDF readers, video conferencing tools, and productivity software all receive security patches that need to be applied.
- Patch prioritization: Not all patches carry equal urgency. Critical security patches—especially those addressing actively exploited vulnerabilities—may warrant faster deployment than routine updates.
Questions to ask: Is patching automated or manual? How quickly are critical security updates typically applied across your organization? Are third-party applications included, or just operating systems?
4. Employee Security Awareness Training
Technology alone can't prevent every attack. According to the 2025 Verizon DBIR, the human element—errors, social engineering, and misuse—played a role in 60% of breaches. The same report found that organizations investing in regular security training saw a 4x improvement in employee phishing reporting rates.
Key considerations
- Ongoing training, not one-time sessions: Annual compliance training alone is generally insufficient. Regular, short training modules help keep security awareness current as threats evolve.
- Phishing simulations: Simulated phishing campaigns give employees practice recognizing real-world attacks in a safe environment and help organizations identify who may need additional support.
- Role-specific guidance: Employees handling financial transactions, sensitive data, or administrative credentials may face different risks than the general workforce and could benefit from targeted training.
Questions to ask: When did employees last receive security training? Are phishing simulations conducted regularly? Can you measure whether training is actually changing employee behavior?
5. Password Management and Multi-Factor Authentication
Stolen credentials were the most common initial access vector in the 2025 Verizon DBIR, used in 22% of breaches. Brute force attacks against web applications nearly tripled year-over-year.
Key considerations
- Multi-Factor Authentication (MFA) everywhere: MFA adds a second verification step beyond passwords—something the attacker typically doesn't have even if they've stolen the password. The Canadian Centre for Cyber Security continues to list MFA as one of the top defenses for organizations of all sizes. Priority areas include email, VPN, cloud services, and any administrative accounts.
- Updated password policies: As we covered in our post on NIST's updated password guidelines, security guidance around passwords has evolved. Longer passphrases are now preferred over complex-but-short passwords, and mandatory periodic password changes are no longer universally recommended.
- Password managers: Encouraging or providing enterprise password managers helps employees maintain unique, strong credentials for every account without resorting to reuse or sticky notes.
Questions to ask: Is MFA enabled on all critical systems and cloud accounts? Are password policies aligned with current best practices? Do employees have tools to manage credentials securely?
6. Backup and Disaster Recovery
When a ransomware attack hits—or when hardware fails, or an employee accidentally deletes critical files—backups are what determine whether it's an inconvenience or a catastrophe. According to the 2025 Verizon DBIR, 64% of ransomware victims refused to pay the ransom, but that's only possible when reliable backups exist.
Key considerations
- The 3-2-1 rule: Maintain at least three copies of critical data, on two different types of storage media, with one stored offsite or in the cloud.
- Backup testing: Backups that haven't been tested may not work when needed. Regular restoration tests help verify that data can actually be recovered within acceptable timeframes.
- Immutable backups: Ransomware increasingly targets backup systems themselves. Immutable backup solutions prevent backups from being encrypted or deleted by attackers.
Questions to ask: Are backups running automatically and regularly? When was the last time a backup restoration was tested? Are backups protected against ransomware encryption?
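The restoration test described above can be made mechanical. As an added example (not code from the original article), this Python script records a SHA-256 manifest at backup time, then checks a restored tree against it and against a recovery time objective (RTO), so that a file that came back corrupted or not at all is reported rather than discovered during a real incident. The file names, contents and the 3600-second RTO are constructed; the manifest format is this example's own.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large backup sets never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def write_manifest(source_dir, manifest_path):
    """Record the SHA-256 of every file at backup time; the manifest is kept with the backup copy."""
    source_dir = Path(source_dir)
    manifest = {str(p.relative_to(source_dir)): sha256_of(p) for p in source_dir.rglob("*") if p.is_file()}
    Path(manifest_path).write_text(json.dumps(manifest, indent=1))
    return manifest

def verify_restore(restored_dir, manifest_path, rto_seconds, elapsed_seconds):
    """Compare a restored tree against the manifest and check the restore finished inside the RTO."""
    restored_dir = Path(restored_dir)
    manifest = json.loads(Path(manifest_path).read_text())
    missing = sorted(rel for rel in manifest if not (restored_dir / rel).is_file())
    corrupt = sorted(rel for rel in manifest if rel not in missing and sha256_of(restored_dir / rel) != manifest[rel])
    within_rto = elapsed_seconds <= rto_seconds
    return {"missing": missing, "corrupt": corrupt, "within_rto": within_rto,
            "ok": not missing and not corrupt and within_rto}

def run_demo(rto_seconds=3600):
    """Constructed scenario: three files are backed up; the restore silently drops one and corrupts another."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored, manifest = Path(tmp, "src"), Path(tmp, "restored"), Path(tmp, "manifest.json")
        src.mkdir()
        restored.mkdir()
        (src / "ledger.csv").write_bytes(b"acct,amount\n1001,250.00\n")
        (src / "contracts.txt").write_bytes(b"signed 2024")
        (src / "notes.txt").write_bytes(b"quarterly notes")
        write_manifest(src, manifest)
        start = time.monotonic()
        (restored / "ledger.csv").write_bytes(b"acct,amount\n1001,250.00\n")   # restored intact
        (restored / "contracts.txt").write_bytes(b"signed 2O24")              # one byte changed: 0 became O
        # notes.txt is never written back: the restore is incomplete
        return verify_restore(restored, manifest, rto_seconds, time.monotonic() - start)

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```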
7. Incident Response Planning
According to IBM's 2025 Cost of a Data Breach Report, it took organizations an average of 241 days to identify and contain a breach. Organizations that used AI and automation cut their breach lifecycle by 80 days and saved nearly $1.9 million on average. Having a plan before something happens makes a meaningful difference.
Key considerations
- Documented response procedures: Who does what when a breach is suspected? Clear roles, communication chains, and decision authorities help reduce confusion during high-stress situations.
- External resources identified in advance: Legal counsel, forensics firms, cyber insurance carriers, and law enforcement contacts are easier to coordinate when they've been identified before an incident occurs.
- Regular tabletop exercises: Walking through breach scenarios helps teams practice their response and identify gaps in the plan before a real incident tests it.
Questions to ask: Does your organization have a written incident response plan? Does your team know their roles during a security incident? When was the plan last tested or updated?
8. IT Governance: Onboarding, Offboarding, and Access Control
Some of the most preventable security exposures come from basic IT housekeeping—former employees retaining access, shared credentials, or lack of visibility into who has access to what.
Key considerations
- Structured onboarding and offboarding: Every new hire should receive appropriately scoped access from day one, and every departure should trigger prompt revocation of all access—email, cloud applications, VPN, and physical access.
- Least privilege access: Employees should have access only to the systems and data they need for their role. Administrative privileges should be limited and closely monitored.
- Asset management: Maintaining an inventory of all hardware and software helps ensure nothing falls through the cracks—unmanaged devices are a common blind spot.
Questions to ask: How quickly is access revoked when an employee leaves? Do you have a current inventory of all devices and software in use? Are administrative privileges regularly reviewed?
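The three questions above can be answered by joining the HR roster against what each system actually grants. As an added example (not code from the original article), this Python review flags accounts belonging to departed or unknown identities, administrative privileges with no documented approval, and accounts that have been dormant longer than 90 days. The roster, account list, approved-admin set and review date are all constructed; a real run would pull the same shapes from the HR system and each application's user export.

```python
from datetime import date

# Constructed sample data in assumed shapes (not any HR system's or identity provider's export).
HR_ROSTER = {            # identity -> (status, kind)
    "dana":       ("active", "employee"),
    "lee":        ("terminated", "employee"),   # left the company, but accounts were never disabled
    "sam":        ("active", "employee"),
    "svc-backup": ("active", "service"),
}
ACCOUNTS = [             # what the directory and each application actually grant today
    {"user": "dana",        "system": "email",      "admin": False, "last_login": "2025-02-27"},
    {"user": "lee",         "system": "vpn",        "admin": False, "last_login": "2025-02-01"},
    {"user": "lee",         "system": "email",      "admin": True,  "last_login": "2025-02-03"},
    {"user": "svc-backup",  "system": "fileserver", "admin": True,  "last_login": "2024-09-10"},
    {"user": "sam",         "system": "crm",        "admin": True,  "last_login": "2025-02-28"},
    {"user": "contractor7", "system": "crm",        "admin": False, "last_login": "2025-02-20"},
]
APPROVED_ADMINS = {("sam", "crm"), ("svc-backup", "fileserver")}   # documented, reviewed exceptions
DORMANT_DAYS = 90

def review_access(accounts=ACCOUNTS, roster=HR_ROSTER, approved=APPROVED_ADMINS, today=date(2025, 3, 1)):
    """Return (user, system, reason) triples for access that should not exist or needs a second look."""
    findings = []
    for acct in accounts:
        user, system = acct["user"], acct["system"]
        status = roster.get(user, ("unknown", "unknown"))[0]   # not on the roster at all -> unknown
        if status != "active":
            findings.append((user, system, f"account for {status} identity should be revoked"))
        if acct["admin"] and (user, system) not in approved:
            findings.append((user, system, "admin privilege has no documented approval"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > DORMANT_DAYS:
            findings.append((user, system, f"dormant for {idle} days; consider disabling"))
    return findings

if __name__ == "__main__":
    for user, system, reason in review_access():
        print(f"{user:<12}{system:<12}{reason}")
```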
9. Third-Party and Supply Chain Risk
Your security posture is only as strong as the weakest link in your supply chain. According to IBM's 2025 report, supply chain compromises represented 15% of all breaches. As we explored in our analysis of the Notepad++ supply chain compromise, even widely trusted software can become a vector for attack.
Key considerations
- Vendor security assessment: Understanding how your vendors and service providers handle security—especially those with access to your data or systems—is an important part of managing third-party risk.
- Software supply chain awareness: Knowing what software your organization depends on, including the open-source components embedded in commercial tools, helps you respond faster when vulnerabilities are disclosed.
- Contractual protections: Service agreements with vendors should include security requirements, breach notification obligations, and data handling provisions.
Questions to ask: Do you evaluate the security posture of vendors before granting data access? Would you know if a critical piece of software your business depends on were compromised? Do vendor contracts include security and breach notification requirements?
10. AI Tool Governance
AI adoption has outpaced security controls in most organizations. According to IBM's 2025 Cost of a Data Breach Report, shadow AI—the unsanctioned use of AI tools by employees—was a factor in 20% of breaches, adding an average of $670,000 to breach costs. Among organizations reporting AI-related breaches, 97% lacked proper access controls.
Key considerations
- AI usage policies: Clear guidelines defining which AI tools are approved, what data can be shared with them, and how outputs should be verified.
- Shadow AI visibility: Understanding whether employees are using unapproved AI tools—and what company data may be flowing into them—is an emerging security priority.
- Data classification for AI: Not all data carries the same risk. Defining what's acceptable to use with AI tools and what isn't helps employees make informed decisions.
Questions to ask: Does your organization have a formal AI usage policy? Do you know which AI tools employees are using for work? Have you classified what data is and isn't acceptable to share with AI tools?
Where to Start
This checklist covers a lot of ground, and no organization needs to address everything simultaneously. For businesses that are early in their security journey, a few areas tend to offer the highest return on effort:
- Enable MFA on all email, cloud, and administrative accounts—this single step blocks a significant percentage of credential-based attacks.
- Deploy modern endpoint protection with at least EDR capabilities on all business devices.
- Implement advanced email security beyond basic spam filtering.
- Verify your backups work by conducting a test restoration.
- Start employee security training with regular phishing simulations.
For organizations looking at this list and recognizing that managing all of it in-house would stretch their resources, that's a common realization—and it's exactly why managed IT and security services exist. As we explored in our cost comparison, outsourcing security and IT management can provide access to enterprise-grade tools and 24/7 expertise at a fraction of the cost of building equivalent capabilities internally. If you're considering that route, our guide on how to evaluate and choose a managed IT and cybersecurity provider covers what to look for and what red flags to avoid.
Wondering what all of this actually costs? Our cybersecurity budgeting guide breaks down typical price ranges by company size so you can plan accordingly.
The threat landscape in 2026 is more complex than it's ever been. But the fundamentals of good cybersecurity remain consistent: protect your devices, secure your email, train your people, maintain your systems, and have a plan for when things go wrong. The businesses that get these basics right are significantly better positioned to withstand whatever comes next.
This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified professionals to assess their specific circumstances and develop appropriate protective measures.