Not sure if your IT infrastructure covers the basics? Use this checklist to identify gaps and prioritize what matters most.
This checklist is organized by category with priority levels. If you're starting from scratch, focus on the critical items first — they protect you from the most common and most damaging threats. Then work through high and medium priorities as your budget allows.
Every device that connects to your network or accesses business data is an endpoint — laptops, desktops, phones, and tablets. Each one is a potential entry point for attackers.
Traditional antivirus is not enough. EDR monitors behavior patterns and stops threats that signature-based tools miss.
Unpatched software is one of the top three attack vectors. Automate updates so they happen consistently and on schedule.
BitLocker (Windows) or FileVault (Mac) ensures data on a lost or stolen device cannot be accessed.
Enforce security policies, remotely wipe lost devices, and control which apps can access business data.
Backups are your last line of defense against ransomware, hardware failure, and human error. If you cannot recover your data, nothing else matters.
At minimum, back up file servers, databases, email, and line-of-business applications daily. More frequent for high-transaction environments.
Three copies of your data, on two different media types, with one copy offsite. This protects against ransomware that targets local backups.
A backup you have never tested is a backup you cannot trust. Verify you can actually restore files and systems from your backups.
Cloud providers do not back up your data for you. A deleted email or corrupted SharePoint file needs a third-party backup solution to recover.
Email is the number one attack vector for businesses of all sizes. Over 90% of cyberattacks start with a phishing email.
These DNS records (SPF, DKIM, and DMARC) prevent attackers from spoofing your domain to send phishing emails that appear to come from your business.
Built-in filters from Microsoft 365 or Google are a starting point, but a dedicated email security gateway catches significantly more threats.
Regular training with simulated phishing tests. Employees are your first line of defense and your biggest vulnerability.
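Publishing SPF, DKIM, and DMARC records is not the same as enforcing them. The following is an added example, not part of the original checklist: it grades constructed TXT records for a hypothetical domain and flags the common "published but not enforcing" settings. The function names and sample records are assumptions made for illustration.

```python
# Constructed TXT records for a hypothetical domain (not real DNS data).
WEAK = {
    "spf": ["v=spf1 include:_spf.mailhost.example ~all"],
    "dkim": ["v=DKIM1; k=rsa; p="],
    "dmarc": ["v=DMARC1; p=none; rua=mailto:reports@example.com"],
}
STRONG = {
    "spf": ["v=spf1 include:_spf.mailhost.example -all"],
    "dkim": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],  # truncated, constructed
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:reports@example.com"],
}

def tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txts):
    spf = [t.split() for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero or several SPF records both break evaluation
        return "fail: need exactly one SPF record, found %d" % len(spf)
    for term in spf[0][1:]:
        if term.lstrip("+-~?").lower() == "all":
            q = term[0] if term[0] in "+-~?" else "+"  # bare "all" means "+all"
            return {"-": "ok: -all rejects unlisted senders",
                    "~": "warn: ~all only soft-fails unlisted senders",
                    }.get(q, "fail: %sall does not restrict senders" % q)
    return "warn: no 'all' mechanism (check any redirect= target)"

def check_dkim(txts):
    keys = [tags(t)["p"] for t in txts if "p" in tags(t)]
    if not keys:
        return "fail: no DKIM key published at this selector"
    return "ok: public key published" if keys[0] else "fail: empty p= (key revoked)"

def check_dmarc(txts):
    recs = [tags(t) for t in txts if t.strip().startswith("v=DMARC1")]
    if len(recs) != 1:
        return "fail: need exactly one DMARC record, found %d" % len(recs)
    policy, pct = recs[0].get("p", "").lower(), recs[0].get("pct", "100")
    if policy in ("quarantine", "reject"):
        return "ok: p=%s" % policy if pct == "100" else "warn: p=%s covers %s%% of mail" % (policy, pct)
    return "warn: p=none reports only; spoofed mail is still delivered" if policy == "none" else "fail: bad policy"

def audit(records):
    return {"spf": check_spf(records["spf"]), "dkim": check_dkim(records["dkim"]),
            "dmarc": check_dmarc(records["dmarc"])}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit(recs))
```

To run it against your own domain, replace the sample dictionaries with the TXT records returned for the domain itself, for `<selector>._domainkey.<domain>`, and for `_dmarc.<domain>`.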
Your network is the highway that connects everything. If it is not properly secured and segmented, a single compromised device can give attackers access to your entire environment.
Consumer routers do not provide adequate protection. A managed firewall with intrusion detection and content filtering is essential.
Keep guest Wi-Fi, smart devices, and production systems on separate VLANs so a breach in one cannot spread to others.
Remote employees need encrypted, authenticated access to internal resources. Modern zero-trust network access (ZTNA) solutions are replacing traditional VPNs.
Block access to known malicious domains at the DNS level before a connection is even established.
Controlling who has access to what — and verifying they are who they claim to be — is fundamental to security. Weak access controls are behind the majority of data breaches.
MFA blocks 99.9% of automated account attacks. Enable it on email, cloud apps, VPN, and any system that supports it. Prioritize authenticator apps over SMS.
Users should only have access to the resources they need for their role. No shared admin passwords. No unnecessary administrator access.
Standardized checklists for provisioning new employees and — just as importantly — disabling all access immediately when someone leaves.
Eliminates password reuse, shared spreadsheets, and sticky notes. Enables secure credential sharing for teams.
Even if you're not in a heavily regulated industry, basic compliance hygiene protects your business legally, helps you win contracts, and demonstrates professionalism to clients.
A documented policy that defines acceptable use, data handling, incident reporting, and security expectations for all employees.
A current list of all hardware, software, licenses, and network configurations. You cannot secure what you do not know you have.
If your industry has specific requirements, work with your IT provider to build compliance into your infrastructure rather than bolting it on later.
Disasters don't just mean natural events. A ransomware attack, a critical hardware failure, or a cloud provider outage can all bring your business to a halt. The question is: how quickly can you recover?
RTO (Recovery Time Objective) is how quickly you need systems back. RPO (Recovery Point Objective) is how much data loss is acceptable. Define both for each critical system.
When a security incident occurs, who do you call? What steps are taken? Who communicates with clients? Document this before you need it.
Run a tabletop exercise or full simulation at least once a year. Identify gaps in your plan while the stakes are low.
Cyber insurance covers breach response costs, legal fees, and business interruption. Many insurers now require MFA and EDR as prerequisites.
If you're feeling overwhelmed, focus on these five items first. They address the most common attack vectors and protect against the most damaging scenarios.
Blocks the vast majority of account-based attacks immediately.
Replaces legacy antivirus with modern threat detection.
Run a test restore today. If it fails, fix it before anything else.
SPF, DKIM, and DMARC prevent domain spoofing and improve deliverability.
Eliminate the window of vulnerability that manual updates leave open.
A managed IT provider can assess your current setup, identify gaps, and systematically work through this checklist with you. We'll help you prioritize based on your industry, size, and risk profile.