Insight

Security Foundations Checklist

24 / 3 / 2026 • 8 min read

The essentials every small business should have in place.

Security doesn’t need to be complicated to be effective. Most small businesses don’t need dozens of controls, specialist tools, or enterprise processes. They need a clear baseline that reduces real risk and stands up to reasonable scrutiny.

This checklist covers the core security foundations we expect most small businesses to have in place.

It’s designed to help you sense-check where you are today, prioritise what matters, and avoid spending time on things that won’t meaningfully improve your security.

How to use this checklist.

This is a practical starting point, not a compliance exercise or audit prep document.

Our top tips:

  • Work through each item honestly
  • Focus on whether the control exists and is actually being used
  • Don’t worry if everything isn’t in place yet
  • Use the gaps to decide what to tackle next, in order of impact

If you’re at an early stage, this helps establish sensible foundations. If you’re further along, it’s a quick way to spot weaknesses before customers, investors, or auditors do.

Small business security foundations checklist

Do you know what you’ve got?

  1. You have an accurate list of company devices (laptops, phones, tablets)
  2. You know what software and cloud services are in use
  3. There’s a single source of truth for assets (not conflicting spreadsheets or dashboards)

Are your devices protected?

  1. Company devices are enrolled in device management
  2. Full disk encryption is enabled
  3. Endpoint protection (antivirus / EDR) is installed and running
  4. You’d know if endpoint protection stopped working

Is access properly controlled?

  1. Multi-factor authentication is enabled on all business-critical systems
  2. MFA is in place for email, file storage, and admin consoles
  3. Staff accounts are removed promptly when people leave
  4. Admin access is limited and uses separate accounts
  5. Shared passwords and generic accounts aren’t used

Are systems configured securely?

  1. Default passwords have been changed
  2. Remote access is disabled unless explicitly needed
  3. Auto-run features are disabled
  4. Cloud services have been reviewed and hardened

Is patching happening?

  1. You know which systems have outstanding security patches
  2. Critical patches are applied within a week
  3. Other security patches are applied within 30 days
  4. Automatic updates are enabled where possible

Would you know if something went wrong?

  1. Key security events are logged
  2. Someone reviews alerts regularly
  3. Alerts are tuned so real issues don’t get lost
  4. Staff know how to report something suspicious

Is your data backed up?

  1. Critical data is backed up regularly
  2. Backups are stored separately from primary systems
  3. Backups have been tested and can be restored
  4. You know how long recovery would take after an incident

Are you protected against email threats?

  1. Email filtering is in place
  2. Staff have basic training on spotting phishing
  3. There’s a clear process for reporting suspicious emails

Do you have a plan if things go wrong?

  1. A basic incident response process is documented
  2. Staff know who to contact during an incident
  3. A business continuity plan exists for major outages
  4. Key contacts and recovery steps are accessible

Can you prove it?

  1. You can evidence your security controls when asked
  2. You meet your cyber insurance security requirements
  3. You could demonstrate due diligence after an incident

How did you do?

Take a look at how many items you were able to tick confidently.

  1. Most items ticked
    You likely have solid security foundations in place. A focused review can help confirm this and identify any smaller gaps before customers or auditors do.
  2. Some items ticked, some gaps
    Very common for growing businesses. The basics are partly there, but prioritising the most important gaps will make the biggest difference.
  3. Very few items ticked
    You’re not alone. Many small businesses start here. The good news is that these fundamentals can usually be put in place relatively quickly and will significantly reduce risk.

Next steps

If you’d like help assessing where you stand and building proportionate security controls, get in touch for a conversation about our Security Foundations service.

We help small businesses:

  • understand which gaps genuinely matter
  • prioritise fixes based on real risk
  • avoid over-engineering security too early

We’ll be happy to help you work out the most sensible next step.
