TL;DR:

  • This 20-check audit takes 60 minutes and requires no technical background
  • Most businesses fail at least 3 checks — the goal is to find your gaps, not achieve a perfect score
  • The three highest-priority fixes are always: MFA on email, working backups, and a password manager

A small business security audit sounds like it requires consultants and a four-figure invoice. A proper penetration test does — but that’s not what most small businesses need first.

What you actually need is to check the obvious: shared passwords, email accounts without two-factor authentication, untested backups, routers still on factory credentials. These are the vulnerabilities attackers actually exploit. The NCSC’s annual Cyber Breaches Survey consistently shows that phishing and password compromises are behind the vast majority of UK small business incidents.

What you need: 60 minutes, a browser, your business email login, and a notes app to record your findings.

Section 1: Email security (10 minutes)

Your email is the master key to your business — whoever controls it can reset every other password you own.

Check 1: Is MFA enabled on business email? Multi-factor authentication requires your password plus a phone code. This is the highest-priority action on the entire list. Gmail: myaccount.google.com → Security → 2-Step Verification. Microsoft 365: mysignins.microsoft.com → Security Info.

Check 2: Do you have SPF, DKIM, and DMARC configured? These free DNS records prevent criminals from spoofing your domain — sending emails that look like they’re from you. Check at mxtoolbox.com/dmarc — it shows exactly what’s missing. IT support can add any missing records in under 30 minutes.
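If you would rather check the records yourself than rely on a third-party site, the following Python script is an added example, not part of the original article. It evaluates SPF and DMARC records that you paste in from `nslookup -type=TXT yourdomain` and `nslookup -type=TXT _dmarc.yourdomain`, so it runs offline; DKIM is left out because its record lives under a provider-specific selector name. The domain names and records below are constructed samples.

```python
import re

# Mechanisms that each cost a DNS lookup; RFC 7208 caps a record at 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _clean(records):
    """Strip whitespace and the quotes that nslookup prints around TXT data."""
    return [r.strip().strip('"') for r in records]


def _mechanism_name(term):
    """Drop the qualifier (+ - ~ ?) and any argument from an SPF term."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()


def check_spf(domain_txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in _clean(domain_txt_records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["No SPF record published"]
    if len(spf) > 1:
        return ["More than one SPF record: receivers treat this as a permanent error; merge them"]
    terms = spf[0].split()[1:]
    findings = []
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        findings.append("SPF ends with '+all', so every sender passes; use '-all'")
    elif last == "~all":
        findings.append("SPF ends with '~all' (softfail); tighten to '-all' once every legitimate sender is listed")
    elif last != "-all":
        findings.append("SPF has no 'all' mechanism at the end; append '-all'")
    lookups = sum(1 for t in terms if _mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; the limit is 10, and exceeding it breaks the record")
    return findings


def check_dmarc(dmarc_txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in _clean(dmarc_txt_records) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["No DMARC record at _dmarc.<domain>"]
    if len(dmarc) > 1:
        return ["More than one DMARC record: receivers ignore all of them; keep one"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC has no valid 'p=' policy tag, so the record is ignored")
    elif policy == "none":
        findings.append("DMARC policy is 'p=none': spoofed mail is only reported, not blocked; move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("No 'rua=' address, so you get no reports about who is sending as your domain")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"Policy applies to only {pct}% of failing mail (pct={pct})")
    return findings


def audit(domain_txt, dmarc_txt):
    """Check 2 in one call: returns (passed, list_of_findings)."""
    findings = check_spf(domain_txt) + check_dmarc(dmarc_txt)
    return (not findings, findings)


# Constructed sample records (not any real domain's DNS).
WEAK_DOMAIN_TXT = ['"v=spf1 include:_spf.mailhost.invalid ~all"', '"site-verification=abc123"']
WEAK_DMARC_TXT = ['"v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"']
STRONG_DOMAIN_TXT = ['"v=spf1 include:_spf.mailhost.invalid mx -all"']
STRONG_DMARC_TXT = ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; pct=100"']

if __name__ == "__main__":
    for label, d, m in (("weak", WEAK_DOMAIN_TXT, WEAK_DMARC_TXT),
                        ("strong", STRONG_DOMAIN_TXT, STRONG_DMARC_TXT)):
        passed, findings = audit(d, m)
        print(label, "PASS" if passed else "FAIL", *findings, sep="\n  ")
```

A domain can have SPF and still fail this check: `~all` plus `p=none` is the most common half-finished setup, and it blocks nothing.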

Check 3: Are there email forwarding rules you don’t recognise? Attackers set up forwarding rules to keep reading your email after you’ve changed your password. Gmail: Settings → Filters → Forwarding tab. Microsoft 365: Settings → Mail → Rules and Forwarding. Delete anything unrecognised and change your password.

Section 2: Accounts inventory (10 minutes)

Check 4: Do you have a list of all business online accounts? List every service your business uses: email, accounting, payroll, social media, cloud storage, CRM, website hosting, domain registrar.

Check 5: Do any former employees still have access? Log into the admin console for email, accounting, and banking. Check the user list. Any former employees still on there? Revoke access today — not tomorrow.

Check 6: Are any business accounts tied to personal email addresses? Accounts tied to a personal Gmail are controlled by that person. If they leave, they keep access. Migrate ownership to a business email address.
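Checks 5 and 6 get tedious once you have more than a handful of services, so here is an added example (not from the original article) that does the comparison for you: export the user list from each admin console as CSV, keep a current staff list from HR, and the script flags former employees who still have access and accounts registered to personal or external addresses. The column names, domain and staff records below are constructed samples; real exports use different headers, so adjust the two `row[...]` keys.

```python
import csv
import io

# Constructed sample data. The HR list marks who has left; each admin console
# export lists who can still log in.
STAFF_CSV = """name,email,status
Alice Example,alice@example.invalid,active
Bob Example,bob@example.invalid,left
Carol Example,carol@example.invalid,active
"""

ACCOUNT_EXPORTS = {
    "email": """user,role
alice@example.invalid,admin
bob@example.invalid,user
carol@example.invalid,user
shared-inbox@example.invalid,user
""",
    "accounting": """user,role
alice@example.invalid,owner
bob@example.invalid,user
dave.freelance@gmail.invalid,user
""",
    "social media": """user,role
carol.personal@hotmail.invalid,owner
""",
}

BUSINESS_DOMAIN = "example.invalid"


def load_staff(staff_csv):
    """Map each staff email address to its HR status ('active' or 'left')."""
    rows = csv.DictReader(io.StringIO(staff_csv))
    return {r["email"].strip().lower(): r["status"].strip().lower() for r in rows}


def review_accounts(staff_csv, exports, business_domain):
    """Return (service, account, reason) for every account that needs action."""
    staff = load_staff(staff_csv)
    findings = []
    for service, export in exports.items():
        for row in csv.DictReader(io.StringIO(export)):
            user = row["user"].strip().lower()
            if staff.get(user) == "left":
                findings.append((service, user, "former employee still has access: revoke today"))
            elif not user.endswith("@" + business_domain):
                findings.append((service, user, "personal or external address: migrate to a business account"))
            elif user not in staff:
                findings.append((service, user, "business address not on the staff list: confirm who owns it"))
    return findings


if __name__ == "__main__":
    for service, user, reason in review_accounts(STAFF_CSV, ACCOUNT_EXPORTS, BUSINESS_DOMAIN):
        print(f"[{service}] {user}: {reason}")
```

Run it after every leaver and every new service signup, not just during the audit; the staff list is the only input that changes often.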

Section 3: Password hygiene (5 minutes)

Check 7: Does your team use a password manager? A password manager generates and stores unique passwords for every account. If your answer is no, this and Check 8 have the same fix.

Check 8: How many accounts share the same password? Be honest with yourself here. Any shared passwords need a password manager to fix properly.

Section 4: Software updates (10 minutes)

Around 60% of data breaches exploit vulnerabilities where a patch was already available but hadn’t been applied. Not glamorous, but it matters.

Check 9: Is your operating system up to date? Windows: Start → Settings → Windows Update. macOS: Apple menu → System Settings → General → Software Update.

Check 10: Are your main business applications up to date? Most SaaS tools update automatically. Desktop software usually has Help → Check for Updates.

Check 11: Are your browsers up to date? Chrome and Edge: three-dot menu → Help → About. Firefox: three-bar menu → Help → About Firefox.

Section 5: Backups (10 minutes)

Many businesses discover their backups are broken at exactly the moment they desperately need them.

Check 12: Do you have an automatic backup? At least one backup should be running automatically. Having your files in Google Workspace or Microsoft 365 isn’t the same as having a backup — if they’re deleted or encrypted on your device, the cloud copy is deleted or encrypted with them.

Check 13: When did you last test your backup? Restore a file backed up at least a week ago — from the backup, not the original location. Open it and confirm it works. Pass: successful restore within the last 30 days.

Check 14: Are your backups accessible from outside your main network? Ransomware targets network-connected backups specifically. Your backup must be reachable from a clean device outside your network — a cloud service or a physically disconnected drive.
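Check 13 is a manual exercise, but it is worth making the restore test repeatable so it actually happens every month. The Python script below is an added example, not part of the original article: it restores a single file from a backup folder into a separate test folder, confirms the file is readable and matches the checksum recorded when it was backed up, and refuses to count a copy that is less than a week old. It assumes a backup tool that writes a `manifest.json` alongside the files (a hypothetical layout; most commercial backup products have their own verify command instead). The sample backup set is constructed in a temporary folder, including one deliberately corrupted copy, so the script runs anywhere.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

SECONDS_PER_DAY = 86400


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restore_and_verify(backup_dir, relative_path, restore_dir, min_age_days=7):
    """Restore one file into restore_dir (never over the live copy) and check it.
    Returns (passed, reason)."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    entry = manifest.get(relative_path)
    if entry is None:
        return False, f"{relative_path} is not in the backup manifest"
    age_days = (time.time() - entry["backed_up_at"]) / SECONDS_PER_DAY
    if age_days < min_age_days:
        return False, f"backup copy is only {age_days:.1f} days old; test an older one"
    src = os.path.join(backup_dir, relative_path)
    dst = os.path.join(restore_dir, os.path.basename(relative_path))
    shutil.copy2(src, dst)
    if sha256_of(dst) != entry["sha256"]:
        return False, "restored file does not match the checksum recorded at backup time"
    return True, f"restored {relative_path} ({age_days:.0f} days old), checksum verified"


def build_demo_backup(root):
    """Construct a tiny backup set (hypothetical layout): three files plus a manifest.
    'invoice.txt' was backed up 10 days ago, 'notes.txt' today, and 'ledger.csv'
    30 days ago but has since been silently corrupted on the backup medium."""
    backup = os.path.join(root, "backup")
    os.makedirs(backup)
    now = time.time()
    files = {
        "invoice.txt": (b"Invoice 0001\n", now - 10 * SECONDS_PER_DAY),
        "notes.txt": (b"meeting notes\n", now),
        "ledger.csv": (b"date,amount\n", now - 30 * SECONDS_PER_DAY),
    }
    manifest = {}
    for name, (content, backed_up_at) in files.items():
        with open(os.path.join(backup, name), "wb") as f:
            f.write(content)
        manifest[name] = {"sha256": hashlib.sha256(content).hexdigest(),
                          "backed_up_at": backed_up_at}
    with open(os.path.join(backup, "ledger.csv"), "ab") as f:
        f.write(b"\x00corrupted")  # damage after the manifest was written
    with open(os.path.join(backup, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return backup


def run_demo():
    """Build the sample backup, test four restores, clean up; returns results by name."""
    root = tempfile.mkdtemp()
    try:
        backup = build_demo_backup(root)
        restore = os.path.join(root, "restore-test")
        os.makedirs(restore)
        return {name: restore_and_verify(backup, name, restore)
                for name in ("invoice.txt", "notes.txt", "ledger.csv", "missing.txt")}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, (passed, reason) in run_demo().items():
        print("PASS" if passed else "FAIL", name, "-", reason)
```

The corrupted ledger is the case this check exists for: the backup job reports success every night, the file is there, and it is unusable. Only an actual restore with a checksum comparison catches it.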

Section 6: Wi-Fi (5 minutes)

Check 15: Is your router admin password still the factory default? Attackers know all default router credentials. Access your router (usually 192.168.1.1 or 192.168.0.1) and try the defaults from the label. If they work, change them now.

Check 16: Do you have a separate guest network? A guest network gives visitors internet access without them touching your internal devices — usually a single toggle in router settings.

Section 7: Devices and people (10 minutes)

Check 17: Can you list every device accessing business data? Write down all desktops, laptops, tablets, and phones used for work. If you can’t list them, you can’t manage them.

Check 18: Does each device have endpoint protection? Windows Defender is a baseline; Malwarebytes adds better coverage. Mac: built-in XProtect plus a dedicated business product. Phones: screen locks enabled, OS up to date.

Check 19: Has your team received phishing awareness training? Phishing is the entry point for most UK small business breaches — the NCSC’s data is clear on this. Pass: training within the last 12 months. Send your team Google’s free Phishing Quiz at phishingquiz.withgoogle.com right now.

Check 20: Would your team click a convincing phishing email? Be honest. Realistic, urgent emails fool untrained people every single day.

Scoring your audit

17–20 passes: Strong baseline — work through the specific failures you found.

12–16 passes: Meaningful gaps — prioritise email and backup failures first.

8–11 passes: Several gaps — start with email and backups, then tackle one section at a time.

Under 8 passes: Consider getting a one-time assessment from a UK-based Managed Service Provider or Cyber Essentials-certified consultant. A few hours of professional help to build a prioritised plan is money well spent.

Bottom line

Run this audit once to establish your baseline. The three highest-impact fixes — MFA on email, working backups, and a password manager — prevent the majority of small business attacks. Sort those three first, then work through the rest. Run the audit again in six months to see how far you’ve come.