Cyber attacks are no longer just a problem for large multinationals. SMEs have become a favorite target precisely because they are often less well protected while managing valuable data. With this practical checklist, you can protect your business against the most common threats without needing to be an IT expert.
Why this checklist?
Cybercriminals are becoming increasingly sophisticated and attacks are growing more refined by the day. Where large companies were once the primary targets, attackers are now massively focusing on SMEs. The reason is simple: smaller businesses often have fewer resources for security, yet they manage valuable customer data, financial information, and intellectual property. For cybercriminals, this is an attractive combination of low resistance and potentially high returns.
The consequences of a cyber attack can be devastating. Ransomware can shut down your entire business operations, sometimes for weeks on end. Phishing attacks lead to stolen login credentials that provide access to sensitive systems. Data breaches result not only in direct financial damage but also in reputational damage and potential GDPR fines. Research shows that a substantial percentage of SMEs that fall victim to a serious cyber attack must close their doors within two years, simply because they cannot bear the financial and operational impact.
The good news is that relatively simple measures prevent the vast majority of attacks. You don't need to be a security expert or spend a fortune on advanced tools: getting the basics right is where most of the benefit lies. This checklist helps you establish that foundation step by step and make your business more resilient against today's and tomorrow's threats.
Basic security: passwords and MFA
The first and perhaps most important line of defense against cyber attacks consists of strong passwords and Multi-Factor Authentication. It may sound obvious, but in practice, weak or reused passwords are still the cause of a large number of successful attacks. Criminals often don't even need to hack - they simply log in with stolen or guessed credentials.
The problem with passwords is that people have to remember them. This leads to predictable choices: pet names, birth dates, or simple patterns like 123456 and password123. Even when people choose strong passwords, they often use the same password for multiple services. As soon as one of those services is hacked, criminals have access to all other accounts with the same password. This is why a password manager and MFA have become so crucial in modern security approaches.
Password rules
Multi-Factor Authentication (MFA)
MFA requires a second verification in addition to your password, such as a code on your phone. Even if a hacker has your password, they cannot log in without this second factor.
99.9% of attacks blocked by MFA
Email security: recognizing phishing
Phishing remains the most used attack method by cybercriminals year after year, and for good reason: it works. In phishing, criminals send emails that appear to come from trusted senders - your bank, a colleague, Microsoft, or a package courier - to lure you into clicking a malicious link or sharing login credentials. The emails are becoming increasingly sophisticated and are sometimes barely distinguishable from genuine messages.
Where phishing emails used to be full of spelling errors and written in broken English, modern attacks are often professionally designed. Criminals use artificial intelligence to write convincing texts, copy company logos and corporate styles, and even incorporate personal details they've gathered from social media or previous data breaches. This makes it all the more important that your employees are trained in recognizing suspicious messages - because technical filters alone are not sufficient to stop all attacks.
Phishing recognition points
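Several of the signals described above (a trusted brand in the display name but an unrelated sender domain, replies routed to a different domain, time pressure in the subject, and a link whose visible text shows one site while the address behind it points elsewhere) can be checked mechanically before a message reaches an inbox. The following is an added example written for this checklist, not code from the original page; the sample message, its addresses and its domains are all constructed, and the keyword list for pressure language is an illustrative assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demo; every address and domain here is made up.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <security-alert@mail-support-center.example>
Reply-To: verify@another-domain.example
To: finance@smallbusiness.example
Subject: Your account will be suspended in 24 hours
Content-Type: text/html

<html><body>
<p>Unusual sign-in activity was detected. Confirm your identity now:</p>
<a href="http://login.mail-support-center.example/verify">https://login.microsoft.example</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url_or_text: str) -> str:
    """Hostname of a URL; bare 'example.com' link text is treated as a host as well."""
    parsed = urlparse(url_or_text if "://" in url_or_text else "//" + url_or_text)
    return (parsed.hostname or "").lower()


def phishing_indicators(raw: str) -> list:
    """Returns a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. A brand name in the display name, but the sending domain does not contain it.
    brand = display_name.split()[0].lower() if display_name else ""
    if brand and brand not in from_domain:
        findings.append(f"display name '{display_name}' does not match sender domain '{from_domain}'")

    # 2. Replies silently go to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain '{domain_of(reply_addr)}' differs from From domain '{from_domain}'")

    # 3. Time pressure in the subject (illustrative keyword list, an assumption of this example).
    subject = msg.get("Subject", "").lower()
    if re.search(r"\b(urgent|immediately|suspended|within \d+ hours?)\b", subject):
        findings.append("subject uses time pressure")

    # 4. Link text shows one host while the href actually points to another.
    body = msg.get_payload(decode=True)
    html = body.decode(errors="replace") if isinstance(body, bytes) else str(body)
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append(f"link text shows '{shown}' but points to '{actual}'")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Heuristics like these produce false positives (a colleague named after a product, a legitimate newsletter with a tracking redirect), so they are best used to flag messages for a closer look rather than to block them outright, and they complement rather than replace the employee training the text calls for.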
Backup strategy: the 3-2-1 rule
A solid backup strategy is your last resort when all other security measures have failed. In a ransomware attack, your files are encrypted and criminals demand ransom for the decryption key. Without good backups, you face an impossible choice: pay (without any guarantee you'll get your data back) or accept that your business data is lost. With reliable backups, you have a third option: clean the infected systems and restore your data.
The 3-2-1 rule is the gold standard for backup strategies and is easy to remember. This rule prescribes that you always have three copies of your data, stored on at least two different media, of which at least one is at an external location. This may sound excessive, but each component of this rule serves a specific purpose to protect you against different data loss scenarios.
3 copies of your data
2 media: different storage locations
1 offsite: at an external location
Backup checklist
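Checking an actual backup inventory against the 3-2-1 rule is a short exercise once the copies are written down with their medium and location. The following is an added example written for this checklist, not code from the original page. It treats the live production data as the first of the three copies, which is how the rule is normally counted, and it adds one caveat the rule itself does not state: a copy that is permanently connected to the network can be encrypted by the same ransomware that hits production, so it also reports whether any copy is offline. The sample inventories are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str     # e.g. "nas", "tape", "cloud-object-storage"
    location: str   # where the medium physically is
    offsite: bool   # stored away from the primary business site
    offline: bool   # disconnected from the network (or immutable) when not in use


def evaluate_321(copies: list, primary_medium: str = "internal-disk") -> dict:
    """Scores a backup inventory against the 3-2-1 rule.

    `gaps` lists the 3-2-1 requirements that fail; `warnings` lists weaknesses
    outside the rule proper. `compliant` is True only when `gaps` is empty."""
    total_copies = len(copies) + 1                        # production data counts as copy one
    media = {primary_medium} | {c.medium for c in copies}
    offsite = [c for c in copies if c.offsite]
    offline = [c for c in copies if c.offline]

    gaps = []
    if total_copies < 3:
        gaps.append(f"only {total_copies} copies including production; the rule requires 3")
    if len(media) < 2:
        gaps.append(f"every copy is on one medium type ({primary_medium}); the rule requires 2")
    if not offsite:
        gaps.append("no copy is stored at an external location; the rule requires 1")

    warnings = []
    if not offline:
        warnings.append("no copy is offline or immutable: ransomware reaching the network can encrypt every copy")

    return {
        "copies": total_copies,
        "media": sorted(media),
        "offsite": len(offsite),
        "offline": len(offline),
        "gaps": gaps,
        "warnings": warnings,
        "compliant": not gaps,
    }


# Constructed inventories for the demo.
SINGLE_NAS = [
    BackupCopy("nightly NAS", "nas", "office server room", offsite=False, offline=False),
]
FULL_321 = [
    BackupCopy("nightly NAS", "nas", "office server room", offsite=False, offline=False),
    BackupCopy("weekly cloud", "cloud-object-storage", "provider region", offsite=True, offline=False),
    BackupCopy("monthly tape", "tape", "safe at a second location", offsite=True, offline=True),
]

if __name__ == "__main__":
    for name, inventory in (("single NAS", SINGLE_NAS), ("full 3-2-1", FULL_321)):
        result = evaluate_321(inventory)
        print(f"{name}: compliant={result['compliant']}")
        for line in result["gaps"] + result["warnings"]:
            print("  -", line)
```

The failing items in `gaps` are exactly the backup points you cannot yet check off, and a copy that never leaves the network should be treated as a serious weakness even when the three-two-one count itself is satisfied; a backup that has never been restored is also unproven, so schedule a test restore alongside the inventory review.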
Network security: firewall and updates
Your business network is the gateway to all your systems and data. Every computer, server, and smart device connected to this network potentially forms an entry point for attackers. A well-secured network prevents malicious actors from getting in at all, and limits the damage if they do by preventing attackers from moving freely between systems.
Network security is about multiple layers of defense. A firewall is the first layer: it checks all traffic entering and leaving your network and blocks suspicious activities. Additionally, it's essential to segment your network. This means separating different parts of your network from each other, so that an attacker who gains access to one system doesn't automatically have access to everything. A separate guest network for visitors is the most well-known example, but internal segmentation between departments or between regular workstations and servers also contributes to better security.
Essential network security
Updates are crucial
Software updates often contain security patches. Set up automatic updates for:
The complete cybersecurity checklist
Now that we've covered all the important aspects of cybersecurity, it's time to bring everything together in a clear checklist. Use this list to map the current status of your security. Go through each point and honestly note whether this is well arranged in your organization. The points you cannot check off form your priority list for improvements.
It's important to realize that cybersecurity is not a destination but an ongoing process. Threats constantly evolve, and your security must evolve with them. Therefore, schedule a time each quarter to go through this checklist again. Check whether all measures are still active and effective, and whether new risks have emerged that require attention.