Do
Enable 2FA on your email, bank accounts, and any app holding sensitive data. Look for it under Security or Account Settings.
Why it matters
With 2FA on, a stolen password alone isn't enough to get an attacker in. It's the single highest-impact upgrade most small businesses haven't made yet.
Do
Pick 1Password, Bitwarden, or Dashlane and move your most critical accounts into it this week.
Why it matters
Reusing one password across sites means a single breach anywhere puts everything at risk. A password manager fixes this in one afternoon.
Do
When anyone leaves — employee, contractor, or bookkeeper — disable their accounts and change shared passwords the same day they walk out.
Why it matters
A former employee with active credentials is the most common preventable insider incident. Same-day revocation closes the window entirely.
Do
Turn on automatic updates for your OS, browser, and business software on every work device — then verify it's actually running.
Why it matters
Most successful attacks exploit security holes that already have patches. Keeping software current closes the door before attackers walk through it.
Do
Enable FileVault (Mac) or BitLocker (Windows) on every business laptop. It's built into the OS and takes about five minutes to turn on.
Why it matters
A stolen unencrypted laptop hands every file, password, and client record to the thief with no login required. With encryption on, the thief gets the hardware but none of the data.
Do
Set up a dedicated guest Wi-Fi network for visitors and personal devices, completely isolated from your business computers and files.
Why it matters
Every non-business device on your main network is a potential path to your data. A guest network is a five-minute fix that closes it.
Do
Set every work device to lock automatically after 5 minutes of inactivity and require a password, PIN, or biometric to unlock.
Why it matters
An unlocked screen left unattended for two minutes — in a waiting room, a coffee shop, or your own office — can be accessed or infected in seconds.
Do
Set up automated daily backups of client records, financials, and contracts to at least two separate locations.
Why it matters
Ransomware and hardware failure both ask the same question: where's the backup? Without one, your only options are to pay or start over.
Do
Keep at least one backup copy disconnected from the internet — an external drive you unplug after backup, or an isolated cloud vault.
Why it matters
Modern ransomware finds and destroys connected backups before it reveals itself. An offline copy is your guaranteed path to recovery.
Do
Once a year, actually restore a real file from your backup to confirm it works. Don't assume the software is running correctly.
Why it matters
Backup systems fail silently. Discovering the problem during an actual crisis is the worst possible time to find out it was broken.
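The three backup rules above (two separate locations, one copy kept offline, and an actual restore test) can be scripted so the test happens on a schedule instead of "once a year if someone remembers". The script below is an added example and is not the checklist author's code: it backs a folder up to a primary archive and a second copy that is then never written to again (standing in for the drive you unplug), restores one file from an archive into scratch space, and compares checksums with the live file, so a silently broken, tampered, or stale backup is reported rather than discovered during an incident. The sample "records" folder, file names and paths are constructed for the demo; it assumes only tar, mktemp and sha256sum (or shasum on macOS).

```shell
#!/bin/sh
# Added example: scripted backup-and-restore test. Not part of the checklist.
# Assumes tar, mktemp and sha256sum (or shasum) are available.

# sha256 of a file, portable across Linux (sha256sum) and macOS (shasum)
file_sha() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# backup_dir SRC_DIR ARCHIVE : write a compressed tar of SRC_DIR to ARCHIVE
backup_dir() {
  tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# backup_to_two_locations SRC_DIR PRIMARY OFFLINE : the "two separate
# locations" rule. The OFFLINE copy is made read-only and never touched again,
# standing in for the external drive you unplug after the backup.
backup_to_two_locations() {
  backup_dir "$1" "$2" && cp "$2" "$3" && chmod 0400 "$3"
}

# restore_and_verify ARCHIVE MEMBER ORIGINAL : restore MEMBER (its path inside
# the archive) into a scratch directory and compare checksums with ORIGINAL.
# Returns 0 when the restored file matches the live one, 1 otherwise (archive
# unreadable, member missing, or content that no longer matches).
restore_and_verify() {
  archive=$1; member=$2; original=$3
  scratch=$(mktemp -d) || return 1
  if ! tar -xzf "$archive" -C "$scratch" "$member" 2>/dev/null; then
    rm -rf "$scratch"; return 1
  fi
  restored_sum=$(file_sha "$scratch/$member")
  live_sum=$(file_sha "$original")
  rm -rf "$scratch"
  [ -n "$restored_sum" ] && [ "$restored_sum" = "$live_sum" ]
}

# Demo on constructed data: a tiny "records" folder with one ledger file.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/records"
  printf 'client,balance\nExample Co,1200\n' > "$work/records/ledger.csv"  # constructed sample
  backup_to_two_locations "$work/records" "$work/primary.tgz" "$work/offline.tgz"

  if restore_and_verify "$work/primary.tgz" records/ledger.csv "$work/records/ledger.csv"; then
    echo "primary backup: restore test passed"
  else
    echo "primary backup: restore test FAILED"
  fi

  # Simulate ransomware reaching the connected backup: the primary archive is
  # overwritten, the offline copy still restores cleanly.
  printf 'garbage' > "$work/primary.tgz"
  if restore_and_verify "$work/primary.tgz" records/ledger.csv "$work/records/ledger.csv"; then
    echo "primary backup: restore test passed"
  else
    echo "primary backup: restore test FAILED (expected after tampering)"
  fi
  if restore_and_verify "$work/offline.tgz" records/ledger.csv "$work/records/ledger.csv"; then
    echo "offline backup: restore test passed"
  fi
  rm -rf "$work"
}

demo
```

The check deliberately compares against the live file rather than just confirming that tar could read the archive: an archive that extracts fine but contains last year's version of a file is the "silent failure" the checklist warns about, and only a content comparison catches it. Run the restore test from a scheduled job and alert on any non-zero exit, and point the offline argument at a path on a drive that is disconnected once the copy is done.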
Do
Make it a firm rule: never paste client names, financial figures, medical info, or confidential business data into free AI tools like ChatGPT.
Why it matters
Data entered into free AI tools may be stored and used for training. One paste of a client spreadsheet can constitute a reportable data breach.
Do
Before any AI-drafted message, document, or report goes to a client, vendor, or court — have a human read it for accuracy and appropriateness.
Why it matters
AI tools confidently produce errors and invented facts. Sending AI-generated content unchecked creates real professional and legal liability.
Do
Find out which AI tools your team is using and create a simple one-page approved list. Even an informal policy counts.
Why it matters
AI adoption in small businesses is outpacing policy. An approved list takes 30 minutes and closes real exposure before something goes wrong.
Do
Go to HaveIBeenPwned.com and enter your business email addresses. It's free, instant, and shows every known breach containing your email.
Why it matters
If your email and an old password appeared in a breach, attackers are automatically testing that combination against your other accounts right now.
Do
Search your name on Spokeo, WhitePages, and BeenVerified, then use each site's opt-out form to remove your home address and personal details.
Why it matters
Data brokers sell your home address and family details to anyone who pays. Attackers use these profiles to craft convincing, targeted scams.
Do
Any emailed request to change a vendor's bank account, redirect a wire transfer, or modify payroll routing must be confirmed by a live phone call — no exceptions.
Why it matters
Business email compromise — fake emails impersonating your vendor or your boss — costs US businesses more than all other cybercrime combined.
Do
Hold a one-hour security awareness session with your full team every year. Cover phishing, passwords, and what to do when something looks suspicious.
Why it matters
One hour of training meaningfully reduces the chance that an employee falls for a phishing attack or hands an attacker access to your systems.
Free newsletter
Get the PDF & go deeper every month.
Subscribe to the Roadrunner Cybersecurity, AI, and Privacy Brief and we'll email you the PDF version of this checklist — plus one plain-English email a month covering threats, AI tools, and privacy issues that matter to small business owners.
You'll receive the 17-Point Checklist PDF in your first email.
No spam. Unsubscribe any time.