Steps 1–3: Inventory accounts, devices, and critical data
- List the systems the business cannot operate without: email, file storage, accounting, customer records, line-of-business applications, websites, and remote-access tools. Record who owns each system and which vendor supports it.
- Maintain a device inventory that includes laptops, desktops, servers, phones, and network equipment. An unmanaged device is difficult to patch, monitor, or remove when an employee leaves.
- Identify where sensitive and business-critical data lives, who can access it, and how long it needs to be retained.
The objective is not a perfect asset database on day one. A useful spreadsheet with an owner and review date is better than an ambitious inventory that nobody maintains.
Steps 4–6: Strengthen identity and access
- Require multi-factor authentication for email, financial systems, administration tools, remote access, and cloud services.
- Use unique passwords stored in a business password manager instead of shared documents or browser notes.
- Give people the minimum access their role needs, and use a written offboarding checklist to disable accounts, recover equipment, and transfer ownership promptly.
Steps 7–9: Protect devices, email, and software
- Turn on automatic operating-system and application updates where business compatibility permits, with an owner for exceptions.
- Deploy centrally managed endpoint protection so coverage and alerts do not depend on each employee.
- Configure email protections, review suspicious forwarding rules, and teach staff a simple way to report questionable messages.
Security awareness works best when it is specific. A short exercise about a fake invoice or changed banking instructions is more useful than an annual presentation that employees cannot connect to their daily work.
Steps 10–12: Back up, plan, and verify
- Back up critical data on a schedule that matches how much work the business can afford to lose. Keep at least one recovery path isolated from ordinary user credentials.
- Write a one-page incident plan with decision-makers, technical contacts, legal or insurance contacts, and the first steps for a lost device, compromised mailbox, or ransomware warning.
- Test the controls: restore a file, verify MFA enrollment, review endpoint coverage, and walk through the incident contacts.
How do you use this checklist without stalling?
Assign one owner and one target date to each item. Start with email MFA, privileged accounts, backups, and unmanaged devices because those changes close several common gaps quickly. Then review the list quarterly and whenever the company adds a location, major vendor, or new business system.