A cybersecurity audit sounds like something only large companies do, with consultants and expensive tools. In reality, a practical self-assessment that catches the most important vulnerabilities takes about half a day and requires nothing more than access to your business systems and this checklist.

The goal isn’t to achieve enterprise-grade security. It’s to make sure you’re not leaving obvious doors open — the ones attackers look for first because they’re easy.

Section 1: Accounts and authentication

This is where most small business compromises begin. Work through these checks for your own accounts and then for your team.

[ ] Multi-factor authentication is enabled on business email. Email is the master key. If an attacker gets into your email, they can reset passwords for every other service that sends password resets to that address. MFA on email is non-negotiable. Where the provider offers it, prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping.

[ ] MFA is enabled on financial accounts (bank, payroll, accounting software).

[ ] MFA is enabled on cloud storage (Google Drive, OneDrive, Dropbox).

[ ] MFA is enabled on your domain registrar. A compromised domain registrar account lets an attacker redirect your website and email to their own servers.

[ ] No one is using weak or reused passwords for business accounts. The only realistic way to confirm this is a team password manager where passwords are generated and stored; most of them include a report that flags weak, reused, or breached passwords, and that report is the check. If you’re not using one, assume you have reused passwords.

[ ] A password manager is in use for the team.

[ ] Former employee accounts have been disabled. List every platform your business uses. Confirm that employees who have left no longer have active accounts on any of them. Shared logins (a social media account, a shared mailbox) count too: if a departed employee knew the password, change it. This one is frequently overlooked and is a real vulnerability.

[ ] Admin access is limited to people who need it. Who has admin access to your Microsoft 365 or Google Workspace? Your CRM? Your website? Admin roles should be held by the smallest number of people who actually need them, and everyone else should work from a standard account.
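One way to turn the account checks above into a repeatable review, written as an added example for this article rather than something from the original checklist: export the user list from each platform (Google Workspace and Microsoft 365 both offer a CSV download of users; most CRMs and registrars show the same information in their admin pages), normalize the columns, and cross-check the result against your offboarding list and the list of people who are supposed to hold admin roles. The column names, the sample accounts, the departed list, and the approved-admin list below are all constructed for the example, and the script treats every exported platform as one where MFA is required.

```python
"""Cross-check exported account lists against who should still have access.

Added example: assumes you have merged per-platform user exports into one
CSV with the columns platform, email, status, mfa_enrolled, role. Real
exports use different column names; rename them before running this.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data standing in for the merged export.
ACCOUNTS_CSV = """platform,email,status,mfa_enrolled,role
google_workspace,owner@example.com,active,yes,admin
google_workspace,sam@example.com,active,no,user
google_workspace,former.employee@example.com,active,no,user
microsoft_365,owner@example.com,active,yes,admin
microsoft_365,sam@example.com,active,yes,admin
microsoft_365,jo@example.com,suspended,no,user
crm,owner@example.com,active,no,admin
crm,former.employee@example.com,active,no,admin
registrar,owner@example.com,active,yes,admin
"""

# Constructed: people who have left, taken from the offboarding list.
DEPARTED = {"former.employee@example.com", "jo@example.com"}

# Assumption: the people who are supposed to hold admin roles anywhere.
APPROVED_ADMINS = {"owner@example.com"}


def load_accounts(csv_text):
    """Parse the merged export; every row is one (platform, account) pair."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_accounts(rows, departed, approved_admins):
    """Return findings for three checklist items, keyed by item.

    former_employee_active: still-active accounts belonging to departed staff
    mfa_missing:            active accounts without MFA enrolled
    unapproved_admin:       active admin roles held by someone not approved
    Suspended or disabled accounts are skipped: that is the desired state.
    """
    findings = {"former_employee_active": [], "mfa_missing": [], "unapproved_admin": []}
    admin_roster = defaultdict(list)
    for row in rows:
        platform = row["platform"].strip()
        email = row["email"].strip().lower()
        if row["status"].strip().lower() != "active":
            continue
        if email in departed:
            findings["former_employee_active"].append((platform, email))
        if row["mfa_enrolled"].strip().lower() != "yes":
            findings["mfa_missing"].append((platform, email))
        if row["role"].strip().lower() == "admin":
            admin_roster[platform].append(email)
            if email not in approved_admins:
                findings["unapproved_admin"].append((platform, email))
    # The roster is informational: it is the list you eyeball for item 8.
    findings["admin_roster"] = {p: sorted(v) for p, v in admin_roster.items()}
    return findings


def total_findings(findings):
    """Number of actionable items (the admin roster itself is not one)."""
    return sum(len(v) for k, v in findings.items() if k != "admin_roster")


def print_report(findings):
    for item in ("former_employee_active", "mfa_missing", "unapproved_admin"):
        print(f"{item}: {len(findings[item])}")
        for platform, email in findings[item]:
            print(f"  {platform}: {email}")
    print("admin roster by platform:")
    for platform, who in sorted(findings["admin_roster"].items()):
        print(f"  {platform}: {', '.join(who)}")


if __name__ == "__main__":
    report = audit_accounts(load_accounts(ACCOUNTS_CSV), DEPARTED, APPROVED_ADMINS)
    print_report(report)
    print(f"total actionable findings: {total_findings(report)}")
```

On the sample data the script flags the former employee's still-active Google Workspace and CRM logins, four active accounts without MFA, and two admin roles held by people outside the approved list, while ignoring the suspended Microsoft 365 account because suspension is exactly what offboarding should have produced. Run it again after fixing each finding; an empty report is the goal for this section.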

Section 2: Devices

[ ] All devices used for work have current operating system updates installed. Windows and macOS updates, phone OS updates. These patch known vulnerabilities.

[ ] Disk encryption is enabled (BitLocker on Windows, FileVault on Mac). If a laptop is lost or stolen, encryption keeps the data on it unreadable without the login credentials or the recovery key. Confirm the recovery keys are stored somewhere you control (your admin console or the team password manager), not only on the device itself.

[ ] A screen lock is configured on all devices — computers lock automatically after 5 minutes of inactivity, phones require a PIN or biometric.

[ ] Antivirus/endpoint protection is installed and current on Windows devices (Microsoft Defender, which is built in and on by default, or a business endpoint protection product such as Malwarebytes). The check is not whether it exists but whether it is still turned on and receiving definition updates on every machine.

[ ] Personal devices used for work email or files are managed with at least basic security policies (screen lock, encryption).

[ ] A process exists for wiping devices when an employee leaves. If an employee’s laptop had access to company accounts and they left six months ago, has the device been accounted for?

Section 3: Network

[ ] The router admin password has been changed from the default.

[ ] Wi-Fi uses WPA2 or WPA3 encryption with a strong password. Anything older (WEP or the original WPA) or an open network on the business side of the router fails this item.

[ ] A guest network exists for visitors, contractors, and non-company devices — isolated from the main business network.

[ ] Router firmware is current. Log into the router admin panel and check for updates. If the manufacturer no longer publishes updates for the model, it is time to replace the router.

[ ] The Wi-Fi password has been changed since any employees left who knew it.

Section 4: Software and data

[ ] All business software is on current versions with automatic updates enabled where possible.

[ ] Data backups are running and have been tested. Don’t assume — verify by actually restoring a file from the backup.

[ ] You know where your sensitive data lives. Customer data, financial records, employee information — do you know what you have, where it’s stored, and who can access it?

[ ] Software you no longer use has been uninstalled or deprovisioned. Installed-but-forgotten software rarely gets updated and is a potential entry point; unused cloud subscriptions with active logins are the same problem in another form.

[ ] Your website software is current (especially if it runs WordPress: core, plugins, and themes all need updating, and plugin vulnerabilities are a common attack vector).
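A backup you have never restored from is a hope, not a backup. The script below, an added example and not part of the original checklist, shows the restore test the backups item asks for: copy a file out of the backup into a scratch folder (never over the live copy), compare its SHA-256 hash with the live file, and check how old the backup copy is. The live and backup folders are constructed in a temporary directory so the script runs anywhere, and the seven-day freshness threshold is an assumption. With a real backup product, use its own restore command to produce the file, then run the same hash and age checks on the result.

```python
"""Restore-test a backup: restore a file to scratch, hash-compare it with
the live copy, and check the backup's age.

Added example, not from the original checklist. The sample live/backup
folders are constructed in a temp directory; the max-age threshold is an
assumption (adjust it to how often your backups are supposed to run).
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 7  # assumption: backups are expected at least weekly


def sha256_file(path):
    """Hash a file in chunks so large database dumps do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restore_and_verify(backup_file, live_file, scratch_dir):
    """Copy backup_file into scratch_dir and return True if the restored
    bytes hash the same as the live file. Restoring to scratch means a bad
    backup can never overwrite good live data during the test."""
    restored = Path(scratch_dir) / Path(backup_file).name
    shutil.copy2(backup_file, restored)
    return sha256_file(restored) == sha256_file(live_file)


def backup_is_fresh(backup_file, max_age_days=MAX_AGE_DAYS, now=None):
    """True if the backup copy was written within max_age_days."""
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(backup_file)) / 86400
    return age_days <= max_age_days


def build_sample(root):
    """Constructed sample: a live folder and a backup folder where one file is
    intact and one is both silently corrupted (one flipped byte) and stale."""
    live, backup = Path(root, "live"), Path(root, "backup")
    live.mkdir()
    backup.mkdir()
    (live / "invoices.csv").write_text("id,amount\n1,100\n2,250\n")
    (backup / "invoices.csv").write_text("id,amount\n1,100\n2,250\n")
    (live / "clients.db").write_bytes(b"\x00" * 64)
    (backup / "clients.db").write_bytes(b"\x00" * 63 + b"\x01")
    stale = time.time() - 45 * 86400  # pretend this copy is 45 days old
    os.utime(backup / "clients.db", (stale, stale))
    return live, backup


def run_restore_test(root, max_age_days=MAX_AGE_DAYS):
    """Restore-test every file in the backup folder; returns per-file results."""
    live, backup = build_sample(root)
    scratch = Path(root, "restore-test")
    scratch.mkdir()
    results = {}
    for backup_file in sorted(backup.iterdir()):
        results[backup_file.name] = {
            "restored_matches": restore_and_verify(backup_file, live / backup_file.name, scratch),
            "fresh": backup_is_fresh(backup_file, max_age_days),
        }
    return results


def run_restore_test_in_tempdir(max_age_days=MAX_AGE_DAYS):
    """Run the whole test inside a throwaway directory and return the results."""
    with tempfile.TemporaryDirectory() as root:
        return run_restore_test(root, max_age_days)


if __name__ == "__main__":
    for name, result in run_restore_test_in_tempdir().items():
        status = "OK  " if all(result.values()) else "FAIL"
        print(f"{status} {name}: restored_matches={result['restored_matches']} fresh={result['fresh']}")
```

The intact file passes both checks; the corrupted, stale one fails both, which is the point of the exercise: a backup job can keep reporting success while the copies it writes are unusable, and only an actual restore plus comparison shows it.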

Section 5: People and processes

[ ] The team has received basic phishing training — what a phishing email looks like and what to do when they receive one.

[ ] There’s a clear process for reporting suspicious emails or activity. Who do employees tell? How quickly? Is there a specific email address or Slack channel for security concerns?

[ ] There’s a documented process for what to do if you’re hacked. Even a simple one-pager: who to call, what to do first, how to assess what was accessed.

[ ] Vendor access is reviewed. Third-party contractors, accountants, IT consultants — who has access to your systems? Is that access still appropriate and limited to what they need?

Scoring your audit

Count how many of the 28 items you checked. A rough guide:

  • Under 10 checked: Your business has significant gaps. Prioritize MFA on email and financial accounts immediately, then work through the rest.
  • 10–17 checked: Reasonable foundation with some gaps. Focus on the unchecked items from sections 1 and 2 first.
  • 18–27 checked: Good security hygiene. Address remaining gaps as maintenance items.
  • All 28 checked: Strong baseline. The next step is annual reviews and staying current as threats evolve.

Don’t use this audit to generate a perfect score — use it to find and fix the gaps. One unchecked item in Section 1 (accounts) represents more real-world risk than five unchecked items in Section 4 (software). Prioritize accordingly.


Redo this audit once a year. Security is a maintenance discipline, not a one-time project. Things change — new employees, new software, old passwords — and the gaps that weren’t there last year appear as your business evolves. An annual half-day review catches them before they become problems.