Your business security checklist
Everything you need to secure your business online, on one page — work through it section by section and tick off each item.
This checklist covers the security basics every small business should have in place. Work through it at your own pace. Prioritize the top sections first — they have the biggest impact.
Quick summary
Start with passwords, 2FA, and your most important accounts. Then work through your website, domain, and team. You don't have to do everything in one session — a few items per day will get you through the list in a week.
How to use this checklist
- Work top to bottom — the items are roughly ordered by impact
- Each item links to a more detailed guide where you need one
- Revisit this list whenever someone joins or leaves your team, and annually as a regular check
Passwords
- Using a password manager (see Why you need a password manager)
- Unique, strong password for every account — no reused passwords
- Password manager installed on all devices you use for work
- Master password for the password manager is long and memorable (a passphrase)
- Emergency recovery kit for your password manager saved somewhere physically safe
Two-factor authentication (2FA)
- 2FA enabled on your primary email account
- 2FA enabled on your website CMS login (WordPress, Webflow, Squarespace, etc.)
- 2FA enabled on your hosting account
- 2FA enabled on your domain registrar account
- 2FA enabled on financial accounts (banking, Stripe, PayPal)
- 2FA enabled on your password manager
- 2FA enabled on social media accounts (Facebook, Instagram, LinkedIn, etc.)
- Using an authenticator app rather than SMS for 2FA where possible
- Backup codes saved for every account with 2FA
Email security
- Business email hosted on a reputable platform (Google Workspace or Microsoft 365)
- Not using a personal Gmail or Hotmail for business communication
- SPF, DKIM, and DMARC records configured for your domain (ask us)
- Team is trained to recognize phishing (see How to recognize phishing attempts)
- Verified process for financial requests (phone call confirmation, never email alone)
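The SPF, DKIM, and DMARC item above is the one on this list that is hard to tick off by eye, so here is an added example (written for this page, not Chykalophia's tooling) that checks what "configured" should look like. The DNS lookups are simulated with an in-memory table of constructed sample records so the script runs offline; `example.com` and `example.net`, the `google` DKIM selector and the truncated public key are all placeholders. In real use the TXT strings would come from your DNS provider's control panel or a resolver.

```python
"""Offline checker for the SPF / DKIM / DMARC checklist item.

Added example, not Chykalophia's tooling. DNS is simulated with the
constructed dictionaries at the bottom so the script runs without network
access; in practice the TXT strings come from your DNS provider or a resolver.
"""
from __future__ import annotations

# SPF mechanisms that each cost a DNS lookup (SPF allows at most 10 per check)
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' style record (DKIM or DMARC) into a tag dictionary."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records: list[str]) -> list[str]:
    """Return problems with the domain's SPF record; an empty list means OK."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; anyone can forge mail from the domain"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record; receivers treat this as an error"]
    terms = spf[0].split()
    problems: list[str] = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        problems.append("SPF: ends with +all, which authorises every sender on the internet")
    elif last == "?all":
        problems.append("SPF: ?all (neutral) tells receivers nothing; use ~all or -all")
    elif last not in ("-all", "~all"):
        problems.append("SPF: no 'all' term, so unlisted senders are not rejected")
    # Count lookup-causing mechanisms after stripping the +,-,~,? qualifier
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").lower().split(":")[0].split("=")[0] in LOOKUP_MECHANISMS
    )
    if lookups > 10:
        problems.append(f"SPF: {lookups} lookup terms exceeds the limit of 10")
    return problems


def check_dkim(txt_records: list[str]) -> list[str]:
    """Check the TXT record at <selector>._domainkey.<domain>.

    Assumes the list holds the pieces of one record (long keys are often
    split into several 255-byte strings), so they are joined before parsing.
    """
    if not txt_records:
        return ["DKIM: no record at the selector; signatures cannot be verified"]
    tags = parse_tags("".join(txt_records))
    if "p" not in tags:
        return ["DKIM: record has no p= public key tag"]
    if tags["p"] == "":
        return ["DKIM: empty p= means the key has been revoked"]
    return []


def check_dmarc(txt_records: list[str]) -> list[str]:
    """Check the TXT record at _dmarc.<domain> for a policy and a report address."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc.<domain>"]
    tags = parse_tags(dmarc[0])
    problems: list[str] = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("DMARC: missing or invalid p= policy tag")
    elif policy == "none":
        problems.append("DMARC: p=none only monitors; move to quarantine or reject once reports look clean")
    if "rua" not in tags:
        problems.append("DMARC: no rua= address, so you receive no aggregate reports")
    return problems


def check_domain(domain: str, selector: str, dns: dict[str, list[str]]) -> dict[str, list[str]]:
    """Run all three checks against a name -> TXT strings table (simulated DNS)."""
    return {
        "spf": check_spf(dns.get(domain, [])),
        "dkim": check_dkim(dns.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(dns.get(f"_dmarc.{domain}", [])),
    }


def is_clean(results: dict[str, list[str]]) -> bool:
    """True when no check reported a problem."""
    return not any(results.values())


# Constructed sample records (placeholder domains; the DKIM key is truncated)
GOOD_DNS = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}
WEAK_DNS = {
    "example.net": ["v=spf1 include:_spf.google.com +all"],
    "_dmarc.example.net": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, table in (("example.com", GOOD_DNS), ("example.net", WEAK_DNS)):
        results = check_domain(domain, "google", table)
        print(domain, "OK" if is_clean(results) else "needs attention")
        for section, problems in results.items():
            for problem in problems:
                print("  ", problem)
```

Run it and the weak domain reports three findings: an SPF record ending in `+all`, no DKIM key published for the selector, and a monitor-only DMARC policy with no reporting address. The good domain reports nothing, which is the state the checklist item asks for.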
Website
- WordPress (or other CMS) is up to date
- All plugins and themes are up to date
- Unused plugins and themes deactivated and deleted
- Security plugin installed (Wordfence or Solid Security)
- Login attempt limiting enabled
- Default "admin" username not in use
- SSL certificate active — site loads on https://
- Website backups running automatically — daily or more frequently
- Backups stored off-site (not just on the same server)
- Backup restore tested at least once
Domain
- Know which registrar holds your domain
- Domain lock (Registrar Lock) enabled
- 2FA enabled on registrar account
- WHOIS privacy enabled
- Auto-renew enabled — or expiry date noted on your calendar
- Domain registered to your business — not a past developer
Team and access
- Every team member has their own login — no shared passwords
- People have only the access level they need (no unnecessary admin roles)
- Former employees and contractors have had all access removed
- Offboarding checklist exists and is used (see Security steps when someone leaves)
- Social media accounts have at least two admins
Devices
- All devices have a lock screen with PIN, password, or biometrics
- Operating system auto-updates are enabled on all devices
- Full-disk encryption is enabled (FileVault on Mac, BitLocker on Windows)
- Remote wipe is configured for all devices (Find My for Apple, Find My Device for Android)
- No sensitive work done on unsecured public Wi-Fi without a VPN
- Work devices not shared with others casually
Social media and third-party tools
- 2FA on all social media accounts
- Admin access reviewed — removed anyone who no longer needs it
- Third-party apps connected to social accounts reviewed — revoked anything unused
- Marketing tools (Mailchimp, etc.) reviewed for outdated access
Incident preparedness
- Know how to report a problem to Chykalophia
- Know how to contact your hosting provider's support
- Know where your most important account recovery codes are stored
- Know what to do if the site is hacked (see What to do if your site is hacked)
- Know what to do if an account is compromised (see What to do if an account is compromised)
- Business insurance reviewed to understand cyber/fraud coverage
Data privacy
- Privacy policy on your website — current and linked in the footer
- Cookie consent banner in place (if applicable)
- Marketing email list is opt-in only
- Process in place for handling data deletion requests
- Customer data stored only in systems with appropriate security
Annual tasks
These items are worth revisiting once a year:
- Review all account passwords for any that are weak or reused
- Review who has access to all systems
- Check domain expiry and auto-renew settings
- Review data you are holding — delete what you no longer need
- Test your backup restore
- Review your privacy policy for any needed updates
Well done
Working through this checklist significantly reduces your risk. Not every item needs to be done at once — progress is what matters. If you need help with any item on this list, reach out to us.
Related guides
- Why security matters for your business
- Why you need a password manager
- Two-factor authentication, explained
- Securing your WordPress site
- Security steps when someone leaves