Cyber Security Audit Checklist for SMBs
A cyber security audit is a systematic evaluation of your organization's security posture — its policies, controls, infrastructure, and practices — to identify vulnerabilities before attackers do. For small and mid-size businesses (SMBs), the stakes are real: 43% of cyberattacks target SMBs, and 60% of those that suffer a significant breach close within six months. This checklist covers the essential areas every SMB should assess, whether you run the audit internally or engage a third-party partner.
1. Access Control and Identity
Who can access what — and how — is the foundation of security. Audit these controls:
- Multi-factor authentication (MFA): Is MFA enforced on all user accounts, especially email, VPN, cloud services, and admin accounts? SMS-based MFA is better than nothing, but authenticator apps or hardware keys (FIDO2) are significantly more secure.
- Password policy: Are passwords at least 12 characters? Is a password manager provided and mandated for all staff? Are shared passwords eliminated?
- Principle of least privilege: Do users have only the access they need? Review admin accounts quarterly — most organizations have 3-5x more admin accounts than they need.
- Offboarding process: When an employee leaves, are all accounts disabled within 24 hours? Audit your last 10 departures to verify.
- Service accounts: Are service accounts (API keys, system accounts) inventoried, rotated regularly, and scoped to minimum required permissions?
2. Endpoint Security
Every laptop, phone, and tablet is an attack surface. Verify:
- Endpoint Detection and Response (EDR): Is EDR deployed on all company devices? Free antivirus is not sufficient. Solutions like CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint provide real-time threat detection and response.
- Patch management: Are operating systems and applications patched within 14 days of critical updates? Within 30 days for non-critical? Automate with tools like Intune, WSUS, or Automox.
- Disk encryption: Is full-disk encryption (BitLocker, FileVault) enabled on all devices? This protects data if a device is lost or stolen.
- Mobile device management (MDM): Are company mobile devices managed? Can you remotely wipe a lost phone? Is personal device access to company data controlled?
- USB and removable media: Is USB storage blocked or restricted on company devices?
3. Network Security
Your network is only as strong as its weakest segment. Check:
- Firewall configuration: Is your firewall actively managed, with rules reviewed quarterly? Default-allow rules are a common finding. Every rule should have a documented business justification.
- Network segmentation: Are critical systems (finance, HR, customer data) on separate network segments from general-purpose devices? If ransomware hits a workstation, can it reach your database server?
- Wi-Fi security: Is WPA3 or WPA2-Enterprise in use? Is the guest network fully isolated from the corporate network? Are default SSID names and passwords changed?
- VPN or zero-trust access: How do remote workers access internal resources? If via VPN, is split tunneling disabled? Consider zero-trust network access (ZTNA) as a more secure alternative.
- DNS filtering: Is DNS-level filtering in place to block known malicious domains? Tools like Cisco Umbrella or Cloudflare Gateway add a significant layer of protection.
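One way to turn the firewall-rule checks above (default-allow rules, rules without a documented justification, admin ports open to the world) into a repeatable review, as an added example that is not part of this checklist or of any vendor's tooling. The CSV column names and the sample rulebase are assumptions; a real export will need its columns mapped first.

```python
import csv
import io
import ipaddress

# Constructed sample rulebase export. The column names are an assumption; real
# firewall exports use vendor-specific headers, so map them before running this.
RULES_CSV = """\
id,action,src,dst,dst_port,proto,justification
10,allow,10.20.0.0/24,10.30.0.5,443,tcp,Finance app to DB server
20,allow,any,any,any,any,
30,allow,0.0.0.0/0,10.30.0.5,3389,tcp,Temporary vendor access
40,allow,10.20.0.0/16,10.40.0.0/24,445,tcp,Workstations to file shares
50,deny,any,any,any,any,Default deny
"""

# Remote-management and database ports that should never be reachable from any source.
ADMIN_PORTS = {"22", "3389", "5900", "1433", "3306"}


def _is_any(value: str) -> bool:
    """True for 'any' or a zero-length prefix such as 0.0.0.0/0 or ::/0."""
    if value.strip().lower() == "any":
        return True
    try:
        return ipaddress.ip_network(value.strip(), strict=False).prefixlen == 0
    except ValueError:
        return False


def review_rules(csv_text: str) -> list[tuple[str, str]]:
    """Return (rule id, finding) pairs for allow rules that fail the checklist tests."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"].strip().lower() != "allow":
            continue                                    # deny rules are not the concern here
        rule_id, port = row["id"], row["dst_port"].strip().lower()
        if not row["justification"].strip():
            findings.append((rule_id, "no documented business justification"))
        if _is_any(row["src"]) and _is_any(row["dst"]) and port == "any":
            findings.append((rule_id, "default-allow rule (any source, any destination, any port)"))
        elif _is_any(row["src"]) and port in ADMIN_PORTS:
            findings.append((rule_id, f"admin port {port} reachable from any source"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review_rules(RULES_CSV):
        print(f"rule {rule_id}: {finding}")
```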
4. Data Protection
Know where your sensitive data lives and how it is protected:
- Data inventory: Do you know where PII, financial data, health records, and intellectual property are stored? You cannot protect what you cannot find.
- Encryption in transit: Is all data encrypted in transit? TLS 1.2+ on all web services, HTTPS everywhere, encrypted email for sensitive communications.
- Encryption at rest: Is sensitive data encrypted at rest in databases, file shares, and cloud storage?
- Backup strategy: Are backups running daily? Are they tested quarterly with actual restore exercises? Are backup copies stored offline or in an immutable storage tier (protection against ransomware)?
- Data retention policy: Are you keeping data longer than required? Excess data is excess risk. Define retention periods and automate deletion.
5. Email Security
Email remains the #1 attack vector for SMBs. Verify:
- SPF, DKIM, and DMARC: Are all three configured for your domain? DMARC should be set to reject (p=reject) to prevent email spoofing. Test with tools like MXToolbox or dmarcian.
- Anti-phishing protection: Is advanced threat protection enabled on your email platform? Microsoft Defender for Office 365 or Google Workspace's advanced protection catch threats that basic filtering misses.
- User training: Have all employees completed phishing awareness training in the last 12 months? Do you run simulated phishing tests? Frequency matters more than content — quarterly simulations are the minimum.
- Attachment and link scanning: Are email attachments sandboxed before delivery? Are URLs rewritten and scanned at click time?
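An added example, not from the original checklist, that parses SPF and DMARC TXT records and flags the gaps named above: a permissive final all qualifier, more than ten DNS lookups, and a DMARC policy weaker than p=reject. The records are constructed samples; in practice you would paste in the output of dig TXT for your domain and for _dmarc.yourdomain.

```python
import re

# Mechanisms that cost a DNS query; RFC 7208 allows at most 10 per SPF evaluation.
SPF_LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists", "redirect"}

# Constructed sample records (the .test hosts and example.com are placeholders).
WEAK_SPF = "v=spf1 include:_spf.mailer-one.test include:_spf.mailer-two.test mx ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

def _mechanism(term: str) -> str:
    """'include:foo.test' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]

def audit_spf(record: str) -> list[str]:
    """Return findings for one SPF TXT record; an empty list means nothing to fix."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed (no v=spf1 prefix)"]
    findings = []
    tail = terms[-1].lower()        # the final 'all' term decides the fate of unlisted senders
    if tail in ("all", "+all"):
        findings.append("SPF ends in +all: any sender passes, the record protects nothing")
    elif tail in ("~all", "?all"):
        findings.append(f"SPF ends in {tail}: spoofed mail is only softfailed or neutral; move to -all")
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; more than 10 gives permerror")
    return findings

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag -> value dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit_dmarc(record: str) -> list[str]:
    """Check a DMARC record against the checklist target of p=reject."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed (no v=DMARC1 prefix)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy or 'missing'}; target is p=reject")
    sub_policy = tags.get("sp", policy).lower()      # sp defaults to p (RFC 7489)
    if sub_policy != "reject":
        findings.append(f"subdomain policy is sp={sub_policy or 'missing'}: subdomains stay spoofable")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings
```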
6. Incident Response
When (not if) a security incident occurs, preparedness determines the outcome:
- Incident response plan: Do you have a documented plan? Does it define roles, communication chains, containment procedures, and recovery steps? Is it accessible offline (printed copy) in case systems are compromised?
- Contact list: Do you have 24/7 contact information for your security provider, legal counsel, cyber insurance carrier, and key internal stakeholders?
- Tabletop exercises: Has your team practiced responding to a simulated incident in the last 12 months? Scenarios to test: ransomware attack, email compromise, data exfiltration, and insider threat.
- Cyber insurance: Do you have a cyber insurance policy? Does it cover ransomware, business interruption, legal costs, and notification expenses? Review coverage annually as threats evolve.
- Forensics capability: If breached, can you determine what happened, what data was accessed, and how the attacker got in? This requires logging (see next section).
7. Logging and Monitoring
You cannot detect what you do not monitor:
- Centralized logging: Are logs from firewalls, endpoints, servers, cloud services, and authentication systems collected in a central location (SIEM)?
- Log retention: Are logs retained for at least 90 days (180+ recommended)? Attackers often dwell for weeks before detection.
- Alerting: Are alerts configured for: failed login attempts (brute force), impossible travel (login from two distant locations), privilege escalation, new admin accounts created, and large data transfers?
- 24/7 monitoring: Are logs actively monitored, or just collected? If your team only checks logs during business hours, attacks launched at 2 AM go undetected until morning.
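Two of the alert rules from the list above, run over constructed sample login events, as an added example that is not part of the original page: brute force (repeated failures from one source inside a sliding window) and impossible travel (two successful logins for one user farther apart than the time between them allows). The event fields, the thresholds and the 900 km/h travel ceiling are assumptions; tune them to your own identity provider's export.

```python
import json
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample events (JSON lines, as an IdP or SIEM might export them); IPs are RFC 5737 ranges.
NY, SG = (40.7, -74.0), (1.35, 103.8)          # New York and Singapore, as (lat, lon)
def _ev(ts, user, ip, result, loc):
    return json.dumps({"ts": ts, "user": user, "src_ip": ip, "result": result, "lat": loc[0], "lon": loc[1]})
SAMPLE_LOG = "\n".join(
    [_ev("2024-05-01T02:00:00Z", "alice", "203.0.113.9", "success", NY),
     _ev("2024-05-01T02:05:00Z", "carol", "203.0.113.22", "success", NY),
     _ev("2024-05-01T02:30:00Z", "alice", "198.51.100.200", "success", SG),   # NY -> SG in 30 min
     _ev("2024-05-01T04:00:00Z", "carol", "203.0.113.22", "success", NY)]
    + [_ev(f"2024-05-01T02:01:{s:02d}Z", "bob", "198.51.100.7", "fail", NY) for s in range(0, 60, 10)])

def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime in 'ts', sorted chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def brute_force_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once when a source IP reaches `threshold` failed logins inside a sliding window."""
    recent, alerts = defaultdict(deque), []
    for e in (x for x in events if x["result"] == "fail"):
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # forget failures older than the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((e["src_ip"], e["ts"]))
    return alerts

def _km(a, b):   # haversine great-circle distance in km between two (lat, lon) pairs
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dphi, dlam = math.radians(b[0] - a[0]), math.radians(b[1] - a[1])
    return 2 * 6371 * math.asin(math.sqrt(math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2))

def impossible_travel_alerts(events, max_kmh=900):
    """Alert when consecutive successful logins by one user imply travel faster than an airliner."""
    last, alerts = {}, []
    for e in (x for x in events if x["result"] == "success"):
        prev, last[e["user"]] = last.get(e["user"]), e    # compare with this user's previous login
        if prev is None:
            continue
        hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
        if _km((prev["lat"], prev["lon"]), (e["lat"], e["lon"])) > max_kmh * hours:
            alerts.append((e["user"], prev["src_ip"], e["src_ip"]))
    return alerts
```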
Running Your Audit
This checklist covers the essentials, but a thorough security audit also includes vulnerability scanning, penetration testing, and compliance-specific controls (HIPAA, PCI DSS, SOC 2, CMMC) depending on your industry.
EFS Networks provides comprehensive cyber security audits for SMBs, including vulnerability assessments, remediation planning, and ongoing managed security monitoring. Learn about our cyber security services or schedule a security assessment.