Cybersecurity baseline checklist for SMEs

Cybersecurity does not need to start with a large and expensive project. For many SMEs, the best starting point is a practical baseline that identifies the most important security gaps before tools, licences and managed services are purchased.

This checklist is designed for business owners, operations managers, finance teams, IT administrators and decision makers who need to understand where to begin.

1. Identity and access

  • Confirm every active user account is linked to a current employee, contractor or service account owner.
  • Remove stale accounts for former staff and unused administrators.
  • Enforce multi-factor authentication for all users, especially administrators.
  • Separate standard user accounts from administrator accounts.
  • Review privileged roles on a regular schedule.

2. Email security

  • Review phishing protection, spam filtering and malware filtering.
  • Check whether users are trained to identify suspicious links and attachments.
  • Review SPF, DKIM and DMARC readiness for the business domain.
  • Confirm that mailbox forwarding rules are not being abused.
  • Monitor unusual sign-ins and risky account behaviour.
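The SPF and DMARC "readiness" items above can be checked without any licence: both are plain DNS TXT records. The following script is an added example (not part of this checklist or Skunkworks' own tooling) that parses an SPF record and a DMARC record and reports the gaps a reviewer would flag: a missing or permissive `all` mechanism, more than the ten DNS-querying mechanisms RFC 7208 allows, a DMARC policy still at `p=none`, and no `rua=` reporting address. The domain and records are constructed samples; to run it against a real domain you would fetch the TXT records yourself (for example with the `dnspython` resolver) and pass them in the same dictionary shape. DKIM is not checked here because the selector name is provider-specific and has to be looked up separately.

```python
"""Added example: evaluate SPF and DMARC readiness from published DNS TXT records.

Not part of the original checklist. The domain and records below are constructed
samples so the script runs offline; swap in real TXT lookups for a live review.
"""
import re

# Constructed sample records for a hypothetical domain (no real DNS queries made).
SAMPLE_RECORDS = {
    "example-sme.co.za": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example-sme.co.za": "v=DMARC1; p=none; rua=mailto:dmarc@example-sme.co.za",
}

# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit is 10).
_LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", re.IGNORECASE)


def parse_spf(record: str) -> list[str]:
    """Return a list of findings for one SPF record; empty list means no concerns."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]

    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("SPF: '+all' authorises any sender; change to ~all or -all")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and gives no protection")
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail; move to -all once DMARC reports confirm all senders")

    lookups = sum(
        1 for t in terms[1:]
        if _LOOKUP_MECHANISM.match(t) or t.lower().startswith("redirect=")
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10; receivers return permerror")
    return findings


def parse_dmarc(record: str) -> list[str]:
    """Return a list of findings for one DMARC record; empty list means no concerns."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()

    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject after reviewing reports")

    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not being collected")

    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    return findings


def assess_domain(domain: str, records: dict[str, str]) -> list[str]:
    """Combine SPF and DMARC findings for a domain from a {name: txt_record} mapping."""
    findings = []
    spf = records.get(domain)
    dmarc = records.get(f"_dmarc.{domain}")
    findings.extend(["SPF: no record published"] if spf is None else parse_spf(spf))
    findings.extend(["DMARC: no record published"] if dmarc is None else parse_dmarc(dmarc))
    return findings


if __name__ == "__main__":
    for finding in assess_domain("example-sme.co.za", SAMPLE_RECORDS):
        print(finding)
```

On the sample records the script reports two findings: the SPF record ends in `~all` (softfail) and the DMARC policy is still `p=none`. Both are typical of a tenant that has been set up but never moved past monitoring, which is exactly the gap a baseline review should surface before anyone buys additional email security tooling.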

3. Endpoint and device protection

  • Confirm which laptops, desktops and mobile devices are used for business work.
  • Check that devices are patched and protected by endpoint security tools.
  • Remove local administrator rights where they are not required.
  • Confirm that lost or stolen devices can be locked or wiped.
  • Review whether personal devices are accessing company data.

4. Microsoft 365 security baseline

  • Review user accounts, administrator roles and sign-in risk.
  • Confirm MFA status and conditional access readiness.
  • Assess whether Microsoft Defender licensing is appropriate.
  • Review SharePoint, OneDrive and Teams sharing settings.
  • Check whether sensitive data requires retention, classification or protection controls.

5. Data protection and compliance

  • Identify where finance, HR, client, contract and operational data is stored.
  • Confirm backup and recovery expectations.
  • Review document retention and deletion requirements.
  • Check whether Microsoft Purview or similar governance tools are needed.
  • Define who is responsible for data ownership and approval.

6. Incident readiness

  • Document who must be contacted when a security incident occurs.
  • Define escalation paths for email compromise, ransomware, lost devices and suspicious login activity.
  • Confirm whether logs are retained for investigation.
  • Prepare a simple incident response checklist.
  • Review cyber insurance and compliance reporting requirements where relevant.

When to get help

Get help when you are unsure whether your Microsoft 365 tenant is secure, whether Defender or Purview is configured correctly, whether MFA is properly enforced, or whether your business has hidden endpoint, email or data protection gaps.

How Skunkworks can help

Skunkworks offers a practical Cybersecurity Baseline Assessment that helps SMEs understand identity, endpoint, email, Microsoft 365, Defender, Purview and compliance readiness.

Explore Cybersecurity Assessment South Africa or start with a Free Business Technology Consultation.

Recommended next step

Start with the baseline. Once the risks are clear, it becomes easier to choose the correct licences, controls, implementation roadmap and managed support model.
