
A small business doesn’t need an enterprise security program — it needs about a dozen controls done consistently. This checklist is what we actually deploy for Indiana companies between 10 and 100 employees, in priority order, with the honest note about what you can skip at this size. No fear-mongering: most breaches at small companies come from a stolen password or a convincing email, not sophisticated hacking, and the defenses for those are cheap and well-understood.
Identity: where most breaches actually start
- Multi-factor authentication (MFA) on everything that supports it — email first, then banking, payroll, and remote access. This single control stops the majority of account-takeover attacks. Non-negotiable.
- A password manager for the team — kills password reuse, which is how one leaked site login becomes your problem.
- Offboarding that actually happens — a written 30-minute checklist that disables every account the day someone leaves. Ex-employee access is one of the most common small-business incidents and the cheapest to prevent.
Backups: the control that decides whether ransomware is an outage or a catastrophe
- 3-2-1 backups — three copies, two different media, one off-site (cloud counts). Microsoft 365 and Google Workspace need their own backup too: deleted means deleted after the retention window, and neither vendor is responsible for your data loss.
- Test a restore quarterly. An untested backup is a hope, not a plan. Restore one real folder and one full machine; time it.
Devices and updates
- Automatic patching for operating systems and browsers — most exploited vulnerabilities are ones a patch existed for.
- Real endpoint protection (EDR) on every computer — modern tools that detect behavior, not the consumer antivirus that shipped with the laptop.
- Full-disk encryption on laptops — it’s a checkbox (BitLocker/FileVault), and it turns a stolen laptop from a breach into an inconvenience.
Email and people
- Advanced email filtering — phishing is the #1 delivery mechanism; the built-in filters in 365/Workspace are good, their higher tiers and dedicated tools are better.
- Short, recurring security training — 15 minutes a quarter beats an annual hour nobody remembers. Include “how to report something suspicious” — the report button matters more than the quiz score.
- A financial controls rule: any request to change payment details or wire money gets verified by phone at a known number. Business email compromise costs small companies more than ransomware, and this one rule defeats most of it.
The one-page incident plan
Write down: who to call (IT provider, insurer, attorney), how to isolate a machine (unplug network, don’t power off), and where the backup documentation lives. Print it — if ransomware hits, the plan stored on the encrypted server doesn’t help. That’s genuinely enough at this size.
What you can skip at 10–100 employees
A SIEM, a 24/7 security operations center of your own, penetration tests every quarter, and most things with “zero trust” in the marketing — these are real tools solving real problems you mostly don’t have yet, or that a managed provider delivers as a service far cheaper than you can build. Spend the money on the list above first; it covers the attacks that actually hit companies your size.
Frequently asked questions
What is the single most important security control for a small business?
Multi-factor authentication on email. It stops the majority of account-takeover attacks and costs nothing but setup time.
How much should a small business spend on cybersecurity?
Less than most owners fear: the controls that stop real-world attacks — MFA, tested backups, patching, email filtering — are cheap or bundled with managed IT. Consistency matters more than budget.
What should I do first after a suspected breach?
Isolate the machine (unplug the network cable, do not power it off), then call your IT provider and insurer from your printed incident plan.
Where to start
If you do nothing else this month: turn on MFA for email, verify your backups actually restore, and put the wire-transfer phone rule in writing. Those three take a day and remove the three most common ways Indiana small businesses get hurt. Run a medical practice? HIPAA adds its own requirements on top of this list — we cover them in plain English. If you’d rather have someone assess where you stand against this whole list, that’s a conversation we have with businesses every week — get in touch and we’ll walk through it together.